SlideShare a Scribd company logo

BYOM Build Your Own Methodology (in Mobile Forensics)

Reality Net System Solutions
Reality Net System Solutions

Life Has No Ctrl Alt Del Mattia Epifani

Technology
1 of 29
Download to read offline
BYOM Build Your Own Methodology (in Mobile Forensics) 24 APRIL 2020 SOMEWHERE ONLINE…
BYOM (BUILD YOUR OWN METHODOLOGY) NEEDS Knowledge Tools Training/Updates Workflow Case history Standardization
KNOWLEDGE Mobile OS Architecture (Android and iOS) Versions Security Rooting/Jailbreaking Encryption Partitions layout Cloud File system(s) EXT4 APFS exFAT FAT32 HFS+ F2FS JFFS2/YAFFS2 File format SQLite Plist XML Protobuf Realm Programming Python SQL Powershell Forensic Acquisition Methods Manual Logical Backup File System Physical Cloud
SUGGESTED READINGS MOBILE OS AND SECURITY BOOKS Android Internals by Jonathan Levin Android Security Internals by Nikolay Elenkov Mac OS X and iOS Internals: to the Apple’s Core by Jonathan Levin Hacking and Securing iOS Applications by Jonathan Zdziarski The Mobile Application Hacker’s Handbook by Shaun Colley and others iOS Hacker’s Handbook by Stefen Esser and others Android Hacker’s Handbook by Joshua Drake and others Hacking Exposed Mobile by Neil Bergman and others
SUGGESTED READINGS FILE SYSTEMS File System Forensic Analysis by Brian Carrier EXT https://ext4.wiki.kernel.org/ APFS https://developer.apple.com/support/downloads/Apple-File-System-Reference.pdf exFAT https://docs.microsoft.com/en-us/windows/win32/fileio/exfat-specification FAT32 http://www.cs.fsu.edu/~cop4610t/assignments/project3/spec/fatspec.pdf HFS+ https://developer.apple.com/library/archive/technotes/tn/tn1150.html
SUGGESTED READINGS FILE FORMAT SQLite Forensics by Paul Sanderson SQLite https://www.sqlite.org/ Plist https://web.archive.org/web/20090225194402/http://developer.apple.com/documentation/Cocoa/Conceptual/PropertyLists/Introduction/chapter_1_section_1.html Protobuf https://developers.google.com/protocol-buffers/docs/reference/proto3-spec Realm https://realm.io/
SUGGESTED READINGS MOBILE FORENSICS BOOKS iPhone and iOS Forensics by Andrew Hogg Android Forensics by Andrew Hogg Practical Mobile Forensics by Rohit Tamma, Oleg Skulkin and Heather Mahalik Mobile Forensics Investigations by Lee Reiber Seeking the Truth from Mobile Evidence by John Bair Mobile Forensics – Advanced Investigative Services by Oleg Afonin and Vladimir Katalov Learning Android Forensics by Rohit Tamma, Oleg Skulkin and Donnie Tindall Learning iOS Forensics by Mattia Epifani and Pasquale Stirparo
COMMERCIAL TOOLS Mobile Forensics Tools Belkasoft Blackbag Cellebrite Elcomsoft Grayshift Guidance Mobile Forensics Tools Magnet Forensics MobilEdit MSAB Oxygen Forensics Paraben SecureView Digital Forensics Tools AccessData Guidance X-Ways Sanderson Forensic
OPEN/FREE/SHAREWARE TOOLS ADB https://developer.android.com/studio/releases/platform-tools Libimobiledevice https://www.libimobiledevice.org/ Autopsy https://www.sleuthkit.org/autopsy/ Andriller https://www.andriller.com/ APOLLO https://github.com/mac4n6/APOLLO ALEAPP https://github.com/abrignoni/ALEAPP iLEAPP https://github.com/abrignoni/iLEAPP iBackup Bot https://www.icopybot.com/itunes-backup-manager.htm ArtEx https://www.doubleblak.com/software.php?app=ArtEx MobileRevelator https://github.com/bkerler/MR
TOOLS FOR SPECIFIC FILE FORMAT Plist Editor Pro https://www.icopybot.com/plist-editor.htm DB Browser for SQLite https://sqlitebrowser.org/ Realm Studio https://realm.io/products/realm-studio/ SQLite Miner https://github.com/threeplanetssoftware/sqlite_miner SQLite Deleted Parser https://github.com/mdegrazia/SQLite-Deleted-Records-Parser Sysdiagnose Scripts https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts MobileRevelator https://github.com/bkerler/MR
HARDWARE Flasher Boxes Octoplus Pro Box Z3X Box Furious Gold ORT Box ATF Box Flasher Boxes Medusa Pro Chimera Tool NCK Dongle UFS Turbo Box Miracle Box Unlocking Tools XPIN Clip MFC Dongle BST Dongle Others Faraday Bags VR-Table Coded
Mobile Device Forensics and Analysis (MDFA) Digital Forensics Discord Group XDA Developers Online Meetings COMMUNITY
This Week in 4N6 https://thisweekin4n6.com/ About DFIR https://aboutdfir.com/ DFIR Training https://www.dfir.training/ Forensic Focus https://www.forensicfocus.com/ UPDATES
Sarah Edwards https://www.mac4n6.com Heather Mahalik https://smarterforensics.com Mattia Epifani http://mattiaep.blogspot.com Adrian Leong http://cheeky4n6monkey.blogspot.com Alexis Brignoni https://abrignoni.blogspot.com Jon B https://www.ciofecaforensics.com Mari DeGrazia http://az4n6.blogspot.com Andrew Hoog https://www.hack42labs.com Ian Whiffin http://doubleblak.com/blogs.php Josh Hickman https://thebinaryhick.blog BLOGS
SANS FOR 585 Smartphone Forensic Analysis In-Depth Vendor training • https://articles.forensicfocus.com/2020/04/13/industry- roundup-online-digital-forensics-training/ TRAINING
WORKFLOW https://digital-forensics.sans.org/media/DFIR-Smartphone-Forensics-Poster.pdf
BEST PRACTICES FOR MOBILE DEVICE EVIDENCE COLLECTION, PRESERVATION AND ACQUISTION https://www.swgde.org/
INTAKE Is it turned on or off? (If it is on) Is it disconnected from external networks? (If it is on) Is it protected with a passcode/pattern lock? External physical state? (Ok/Broken/Damaged/Destroyed) When was the device seized? Did the user/suspect provided any code? Does it contain SIM Card(s) and/or SD Card(s)?
IDENTIFICATION First step: what is that?? Some methods to identify devices • IMEI • Model number • Serial number Where/how to find the IMEI number? • Packaging box • Rear of the device • Under the battery • In the SIM card tray • *#06# • Android Settings -> About Phone -> Status -> IMEI Information • iPhone Settings -> General -> IMEI
IDENTIFICATION Check device information http://www.imei.info/ https://numberingplans.com/ http://phonedb.net/ http://www.imeipro.info/ Check device warranty status Samsung https://support- ca.samsung.com/secaew/consumer/ca/findwarranty/warrantyinfo Apple https://checkcoverage.apple.com/ Huawei https://consumer.huawei.com/us/support/warranty-query/ Oppo https://oppo-au.custhelp.com/app/products/warranty_status Xiaomi https://www.mi.com/en/verify/#/en/tab/imei Lenovo/Motorola https://support.lenovo.com/warrantylookup
IDENTIFICATION (IMEI.INFO)
PREPARATION DEFINE THE EXTRACTION METHOD Check your «Case History» [NEXT SLIDE] Check what was requested during the intake •If you need just only a specific SMS/Picture/WhatsApp chat, do you really need to acquire everything? Check support by your Mobile Forensics Toolkit(s) Ask the community Check for custom recoveries/engineering bootloader/flasher boxes Verify support by specific external services Identify specific vulnerabilities A physical approach is feasible? Think outside the box… •Cloud •Local backup •Provider requests •Connected/synced devices (Smartwatch, Smart TV, Home Assistants, …)
CASE HISTORY Start building it ASAP! Learn from your experience and errors • When • Device brand and model • Device chipset brand and model • Used tool / tecnhique • Obtained acquisition • Lock bypass (yes/no) • Encryption (yes/no) • Case reference • Person • Result • Notes
CHECK SUPPORT BY TOOLS https://www.digitalforensiccompass.com/
ANALYSIS Parsing with different tools has pros and cons ☺ Pros • Different support for different OS/Apps • Verifying the results Cons • Processing time • Duplication • Cost Often you need to add manual parsing and investigation! • SQL queries • Parsing scripts
ANALYSIS
ANALYSIS
STANDARDIZATION Cyber-investigation Analysis Standard Expression (CASE) is a community-developed specification language https://caseontology.org/ It is intended to serve the needs of the broadest possible range of cyber-investigation domains, including digital forensic science The primary motivation for CASE is interoperability - to advance the exchange of cyber-investigation information between tools and organizations.
CREDITS AND CONTACTS @RN Team Mattia Epifani Francesco Picasso Claudia Meda Fabio Massimo Ceccarelli mattia.epifani@realitynet.it @mattiaep

Recommended

The state of the art in iOS Forensics
The state of the art in iOS ForensicsThe state of the art in iOS Forensics
The state of the art in iOS ForensicsReality Net System Solutions
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics abdullah roomi
 
Mobile forensics
Mobile forensicsMobile forensics
Mobile forensicsnoorashams
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensicsprimeteacher32
 
Cyber Forensics Module 1
Cyber Forensics Module 1Cyber Forensics Module 1
Cyber Forensics Module 1Manu Mathew Cherian
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifactsn|u - The Open Security Community
 
Anti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifactsAnti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifactsgaurang17
 

Recommended

The state of the art in iOS Forensics
The state of the art in iOS ForensicsThe state of the art in iOS Forensics
The state of the art in iOS ForensicsReality Net System Solutions
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics abdullah roomi
 
Mobile forensics
Mobile forensicsMobile forensics
Mobile forensicsnoorashams
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensicsprimeteacher32
 
Cyber Forensics Module 1
Cyber Forensics Module 1Cyber Forensics Module 1
Cyber Forensics Module 1Manu Mathew Cherian
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifactsn|u - The Open Security Community
 
Anti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifactsAnti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifactsgaurang17
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic toolsParsons Corporation
 
Digital Forensic Case Study
Digital Forensic Case StudyDigital Forensic Case Study
Digital Forensic Case StudyMyAssignmenthelp.com
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic pptPriya Manik
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensicOnline
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptxAmbuj Kumar
 
What Happens When You Press that Button?
What Happens When You Press that Button?What Happens When You Press that Button?
What Happens When You Press that Button?Cellebrite
 
Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic pptSuchita Rawat
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testingSanthosh Kumar
 
Digital forensics
Digital forensicsDigital forensics
Digital forensicsNicholas Davis
 
Tor Browser Forensics on Windows OS
Tor Browser Forensics on Windows OSTor Browser Forensics on Windows OS
Tor Browser Forensics on Windows OSReality Net System Solutions
 
Incident response methodology
Incident response methodologyIncident response methodology
Incident response methodologyPiyush Jain
 
Computer forensic
Computer forensicComputer forensic
Computer forensicSinggih Prasetya
 
Computer crimes and forensics
Computer crimes and forensics Computer crimes and forensics
Computer crimes and forensics Avinash Mavuru
 
Mobile Phone Seizure Guide by Raghu Khimani
Mobile Phone Seizure Guide by Raghu KhimaniMobile Phone Seizure Guide by Raghu Khimani
Mobile Phone Seizure Guide by Raghu KhimaniDr Raghu Khimani
 
Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeAung Thu Rha Hein
 
Hard Disk Encryptions
Hard Disk EncryptionsHard Disk Encryptions
Hard Disk Encryptionsn|u - The Open Security Community
 
Lecture4 Windows System Artifacts.pptx
Lecture4 Windows System Artifacts.pptxLecture4 Windows System Artifacts.pptx
Lecture4 Windows System Artifacts.pptxGaganvirKaur
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensicsn|u - The Open Security Community
 
Module 02 ftk imager
Module 02 ftk imagerModule 02 ftk imager
Module 02 ftk imagerParminderKaurBScHons
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetBrent Muir
 
iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)abilitySubho Halder
 

More Related Content

What's hot

Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic pptPriya Manik
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensicOnline
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptxAmbuj Kumar
 
What Happens When You Press that Button?
What Happens When You Press that Button?What Happens When You Press that Button?
What Happens When You Press that Button?Cellebrite
 
Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic pptSuchita Rawat
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testingSanthosh Kumar
 
Incident response methodology
Incident response methodologyIncident response methodology
Incident response methodologyPiyush Jain
 
Computer crimes and forensics
Computer crimes and forensics Computer crimes and forensics
Computer crimes and forensics Avinash Mavuru
 
Mobile Phone Seizure Guide by Raghu Khimani
Mobile Phone Seizure Guide by Raghu KhimaniMobile Phone Seizure Guide by Raghu Khimani
Mobile Phone Seizure Guide by Raghu KhimaniDr Raghu Khimani
 
Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeAung Thu Rha Hein
 
Lecture4 Windows System Artifacts.pptx
Lecture4 Windows System Artifacts.pptxLecture4 Windows System Artifacts.pptx
Lecture4 Windows System Artifacts.pptxGaganvirKaur
 

What's hot (20)

Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic tools
 
Digital Forensic Case Study
Digital Forensic Case StudyDigital Forensic Case Study
Digital Forensic Case Study
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic ppt
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensic
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows System
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptx
 
What Happens When You Press that Button?
What Happens When You Press that Button?What Happens When You Press that Button?
What Happens When You Press that Button?
 
Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic ppt
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testing
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
Tor Browser Forensics on Windows OS
Tor Browser Forensics on Windows OSTor Browser Forensics on Windows OS
Tor Browser Forensics on Windows OS
 
Incident response methodology
Incident response methodologyIncident response methodology
Incident response methodology
 
Computer forensic
Computer forensicComputer forensic
Computer forensic
 
Computer crimes and forensics
Computer crimes and forensics Computer crimes and forensics
Computer crimes and forensics
 
Mobile Phone Seizure Guide by Raghu Khimani
Mobile Phone Seizure Guide by Raghu KhimaniMobile Phone Seizure Guide by Raghu Khimani
Mobile Phone Seizure Guide by Raghu Khimani
 
Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research Challenge
 
Hard Disk Encryptions
Hard Disk EncryptionsHard Disk Encryptions
Hard Disk Encryptions
 
Lecture4 Windows System Artifacts.pptx
Lecture4 Windows System Artifacts.pptxLecture4 Windows System Artifacts.pptx
Lecture4 Windows System Artifacts.pptx
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
Module 02 ftk imager
Module 02 ftk imagerModule 02 ftk imager
Module 02 ftk imager
 

Similar to BYOM Build Your Own Methodology (in Mobile Forensics)

Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetBrent Muir
 
iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)abilitySubho Halder
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
Android Embedded - Smart Hubs als Schaltzentrale des IoT
Android Embedded - Smart Hubs als Schaltzentrale des IoTAndroid Embedded - Smart Hubs als Schaltzentrale des IoT
Android Embedded - Smart Hubs als Schaltzentrale des IoTinovex GmbH
 
Apache mobilefilter 4-03
Apache mobilefilter 4-03Apache mobilefilter 4-03
Apache mobilefilter 4-03Idel Fuschini
 
200:1 - Do You Trust Your Mobile Security Odds?
200:1 - Do You Trust Your Mobile Security Odds? 200:1 - Do You Trust Your Mobile Security Odds?
200:1 - Do You Trust Your Mobile Security Odds? Blueboxer2014
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!DefCamp
 
Introduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration TestingIntroduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration TestingAmmar WK
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applicationsjasonhaddix
 
Fixing the mobile web - Internet World Romania
Fixing the mobile web - Internet World RomaniaFixing the mobile web - Internet World Romania
Fixing the mobile web - Internet World RomaniaChristian Heilmann
 
Android Flash Development
Android Flash DevelopmentAndroid Flash Development
Android Flash DevelopmentStephen Chin
 
Study and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android DevicesStudy and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android DevicesReality Net System Solutions
 
Mobile security
Mobile securityMobile security
Mobile securityStefaan
 
Create Cross-Platform Native Mobile Apps in Flex with ELIPS Studio
Create Cross-Platform Native Mobile Apps in Flex with ELIPS StudioCreate Cross-Platform Native Mobile Apps in Flex with ELIPS Studio
Create Cross-Platform Native Mobile Apps in Flex with ELIPS StudioGuilhem Ensuque
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham
 
Mobile Privacy And Security
Mobile Privacy And SecurityMobile Privacy And Security
Mobile Privacy And SecurityJames Wernicke
 

Similar to BYOM Build Your Own Methodology (in Mobile Forensics) (20)

Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring Budget
 
iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)ability
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
 
Building aosp
Building aospBuilding aosp
Building aosp
 
Android Embedded - Smart Hubs als Schaltzentrale des IoT
Android Embedded - Smart Hubs als Schaltzentrale des IoTAndroid Embedded - Smart Hubs als Schaltzentrale des IoT
Android Embedded - Smart Hubs als Schaltzentrale des IoT
 
Apache mobilefilter 4-03
Apache mobilefilter 4-03Apache mobilefilter 4-03
Apache mobilefilter 4-03
 
200:1 - Do You Trust Your Mobile Security Odds?
200:1 - Do You Trust Your Mobile Security Odds? 200:1 - Do You Trust Your Mobile Security Odds?
200:1 - Do You Trust Your Mobile Security Odds?
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
 
Introduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration TestingIntroduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration Testing
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
 
Fixing the mobile web - Internet World Romania
Fixing the mobile web - Internet World RomaniaFixing the mobile web - Internet World Romania
Fixing the mobile web - Internet World Romania
 
Hacking Android OS
Hacking Android OSHacking Android OS
Hacking Android OS
 
Android Flash Development
Android Flash DevelopmentAndroid Flash Development
Android Flash Development
 
Study and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android DevicesStudy and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android Devices
 
Lange
LangeLange
Lange
 
Mobile security
Mobile securityMobile security
Mobile security
 
Create Cross-Platform Native Mobile Apps in Flex with ELIPS Studio
Create Cross-Platform Native Mobile Apps in Flex with ELIPS StudioCreate Cross-Platform Native Mobile Apps in Flex with ELIPS Studio
Create Cross-Platform Native Mobile Apps in Flex with ELIPS Studio
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
 
Mobile Privacy And Security
Mobile Privacy And SecurityMobile Privacy And Security
Mobile Privacy And Security
 

More from Reality Net System Solutions

iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?Reality Net System Solutions
 
Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets Reality Net System Solutions
 

More from Reality Net System Solutions (10)

Forensic Analysis of the Raspberry PI 400
Forensic Analysis of the Raspberry PI 400Forensic Analysis of the Raspberry PI 400
Forensic Analysis of the Raspberry PI 400
 
iOS Forensics a costo zero
iOS Forensics a costo zeroiOS Forensics a costo zero
iOS Forensics a costo zero
 
(in)Secure Secret Zone
(in)Secure Secret Zone(in)Secure Secret Zone
(in)Secure Secret Zone
 
Forensicating the Apple TV
Forensicating the Apple TVForensicating the Apple TV
Forensicating the Apple TV
 
iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?
 
Acquisizione forense di dispositivi iOS
Acquisizione forense di dispositivi iOSAcquisizione forense di dispositivi iOS
Acquisizione forense di dispositivi iOS
 
Life on Clouds: a forensics overview
Life on Clouds: a forensics overviewLife on Clouds: a forensics overview
Life on Clouds: a forensics overview
 
Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets
 
ReVaulting! Decryption and opportunities
ReVaulting! Decryption and opportunitiesReVaulting! Decryption and opportunities
ReVaulting! Decryption and opportunities
 
Dammi il tuo iPhone e ti dirò chi sei (Forse)
Dammi il tuo iPhone e ti dirò chi sei (Forse)Dammi il tuo iPhone e ti dirò chi sei (Forse)
Dammi il tuo iPhone e ti dirò chi sei (Forse)
 

Recently uploaded

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

BYOM Build Your Own Methodology (in Mobile Forensics)

  • 1. BYOM Build Your Own Methodology (in Mobile Forensics) 24 APRIL 2020 SOMEWHERE ONLINE…
  • 2. BYOM (BUILD YOUR OWN METHODOLOGY) NEEDS Knowledge Tools Training/Updates Workflow Case history Standardization
  • 3. KNOWLEDGE Mobile OS Architecture (Android and iOS) Versions Security Rooting/Jailbreaking Encryption Partitions layout Cloud File system(s) EXT4 APFS exFAT FAT32 HFS+ F2FS JFFS2/YAFFS2 File format SQLite Plist XML Protobuf Realm Programming Python SQL Powershell Forensic Acquisition Methods Manual Logical Backup File System Physical Cloud
  • 4. SUGGESTED READINGS MOBILE OS AND SECURITY BOOKS Android Internals by Jonathan Levin Android Security Internals by Nikolay Elenkov Mac OS X and iOS Internals: to the Apple’s Core by Jonathan Levin Hacking and Securing iOS Applications by Jonathan Zdziarski The Mobile Application Hacker’s Handbook by Shaun Colley and others iOS Hacker’s Handbook by Stefen Esser and others Android Hacker’s Handbook by Joshua Drake and others Hacking Exposed Mobile by Neil Bergman and others
  • 5. SUGGESTED READINGS FILE SYSTEMS File System Forensic Analysis by Brian Carrier EXT https://ext4.wiki.kernel.org/ APFS https://developer.apple.com/support/downloads/Apple-File-System-Reference.pdf exFAT https://docs.microsoft.com/en-us/windows/win32/fileio/exfat-specification FAT32 http://www.cs.fsu.edu/~cop4610t/assignments/project3/spec/fatspec.pdf HFS+ https://developer.apple.com/library/archive/technotes/tn/tn1150.html
  • 6. SUGGESTED READINGS FILE FORMAT SQLite Forensics by Paul Sanderson SQLite https://www.sqlite.org/ Plist https://web.archive.org/web/20090225194402/http://developer.apple.com/documentation/Cocoa/Conceptual/PropertyLists/Introduction/chapter_1_section_1.html Protobuf https://developers.google.com/protocol-buffers/docs/reference/proto3-spec Realm https://realm.io/
  • 7. SUGGESTED READINGS MOBILE FORENSICS BOOKS iPhone and iOS Forensics by Andrew Hogg Android Forensics by Andrew Hogg Practical Mobile Forensics by Rohit Tamma, Oleg Skulkin and Heather Mahalik Mobile Forensics Investigations by Lee Reiber Seeking the Truth from Mobile Evidence by John Bair Mobile Forensics – Advanced Investigative Services by Oleg Afonin and Vladimir Katalov Learning Android Forensics by Rohit Tamma, Oleg Skulkin and Donnie Tindall Learning iOS Forensics by Mattia Epifani and Pasquale Stirparo
  • 8. COMMERCIAL TOOLS Mobile Forensics Tools Belkasoft Blackbag Cellebrite Elcomsoft Grayshift Guidance Mobile Forensics Tools Magnet Forensics MobilEdit MSAB Oxygen Forensics Paraben SecureView Digital Forensics Tools AccessData Guidance X-Ways Sanderson Forensic
  • 9. OPEN/FREE/SHAREWARE TOOLS ADB https://developer.android.com/studio/releases/platform-tools Libimobiledevice https://www.libimobiledevice.org/ Autopsy https://www.sleuthkit.org/autopsy/ Andriller https://www.andriller.com/ APOLLO https://github.com/mac4n6/APOLLO ALEAPP https://github.com/abrignoni/ALEAPP iLEAPP https://github.com/abrignoni/iLEAPP iBackup Bot https://www.icopybot.com/itunes-backup-manager.htm ArtEx https://www.doubleblak.com/software.php?app=ArtEx MobileRevelator https://github.com/bkerler/MR
  • 10. TOOLS FOR SPECIFIC FILE FORMAT Plist Editor Pro https://www.icopybot.com/plist-editor.htm DB Browser for SQLite https://sqlitebrowser.org/ Realm Studio https://realm.io/products/realm-studio/ SQLite Miner https://github.com/threeplanetssoftware/sqlite_miner SQLite Deleted Parser https://github.com/mdegrazia/SQLite-Deleted-Records-Parser Sysdiagnose Scripts https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts MobileRevelator https://github.com/bkerler/MR
  • 11. HARDWARE Flasher Boxes Octoplus Pro Box Z3X Box Furious Gold ORT Box ATF Box Flasher Boxes Medusa Pro Chimera Tool NCK Dongle UFS Turbo Box Miracle Box Unlocking Tools XPIN Clip MFC Dongle BST Dongle Others Faraday Bags VR-Table Coded
  • 12. Mobile Device Forensics and Analysis (MDFA) Digital Forensics Discord Group XDA Developers Online Meetings COMMUNITY
  • 13. This Week in 4N6 https://thisweekin4n6.com/ About DFIR https://aboutdfir.com/ DFIR Training https://www.dfir.training/ Forensic Focus https://www.forensicfocus.com/ UPDATES
  • 14. Sarah Edwards https://www.mac4n6.com Heather Mahalik https://smarterforensics.com Mattia Epifani http://mattiaep.blogspot.com Adrian Leong http://cheeky4n6monkey.blogspot.com Alexis Brignoni https://abrignoni.blogspot.com Jon B https://www.ciofecaforensics.com Mari DeGrazia http://az4n6.blogspot.com Andrew Hoog https://www.hack42labs.com Ian Whiffin http://doubleblak.com/blogs.php Josh Hickman https://thebinaryhick.blog BLOGS
  • 15. SANS FOR 585 Smartphone Forensic Analysis In-Depth Vendor training • https://articles.forensicfocus.com/2020/04/13/industry- roundup-online-digital-forensics-training/ TRAINING
  • 17. BEST PRACTICES FOR MOBILE DEVICE EVIDENCE COLLECTION, PRESERVATION AND ACQUISTION https://www.swgde.org/
  • 18. INTAKE Is it turned on or off? (If it is on) Is it disconnected from external networks? (If it is on) Is it protected with a passcode/pattern lock? External physical state? (Ok/Broken/Damaged/Destroyed) When was the device seized? Did the user/suspect provided any code? Does it contain SIM Card(s) and/or SD Card(s)?
  • 19. IDENTIFICATION First step: what is that?? Some methods to identify devices • IMEI • Model number • Serial number Where/how to find the IMEI number? • Packaging box • Rear of the device • Under the battery • In the SIM card tray • *#06# • Android Settings -> About Phone -> Status -> IMEI Information • iPhone Settings -> General -> IMEI
  • 20. IDENTIFICATION Check device information http://www.imei.info/ https://numberingplans.com/ http://phonedb.net/ http://www.imeipro.info/ Check device warranty status Samsung https://support- ca.samsung.com/secaew/consumer/ca/findwarranty/warrantyinfo Apple https://checkcoverage.apple.com/ Huawei https://consumer.huawei.com/us/support/warranty-query/ Oppo https://oppo-au.custhelp.com/app/products/warranty_status Xiaomi https://www.mi.com/en/verify/#/en/tab/imei Lenovo/Motorola https://support.lenovo.com/warrantylookup
  • 22. PREPARATION DEFINE THE EXTRACTION METHOD Check your «Case History» [NEXT SLIDE] Check what was requested during the intake •If you need just only a specific SMS/Picture/WhatsApp chat, do you really need to acquire everything? Check support by your Mobile Forensics Toolkit(s) Ask the community Check for custom recoveries/engineering bootloader/flasher boxes Verify support by specific external services Identify specific vulnerabilities A physical approach is feasible? Think outside the box… •Cloud •Local backup •Provider requests •Connected/synced devices (Smartwatch, Smart TV, Home Assistants, …)
  • 23. CASE HISTORY Start building it ASAP! Learn from your experience and errors • When • Device brand and model • Device chipset brand and model • Used tool / tecnhique • Obtained acquisition • Lock bypass (yes/no) • Encryption (yes/no) • Case reference • Person • Result • Notes
  • 24. CHECK SUPPORT BY TOOLS https://www.digitalforensiccompass.com/
  • 25. ANALYSIS Parsing with different tools has pros and cons ☺ Pros • Different support for different OS/Apps • Verifying the results Cons • Processing time • Duplication • Cost Often you need to add manual parsing and investigation! • SQL queries • Parsing scripts
  • 28. STANDARDIZATION Cyber-investigation Analysis Standard Expression (CASE) is a community-developed specification language https://caseontology.org/ It is intended to serve the needs of the broadest possible range of cyber-investigation domains, including digital forensic science The primary motivation for CASE is interoperability - to advance the exchange of cyber-investigation information between tools and organizations.
  • 29. CREDITS AND CONTACTS @RN Team Mattia Epifani Francesco Picasso Claudia Meda Fabio Massimo Ceccarelli mattia.epifani@realitynet.it @mattiaep