Presentation by Yury Chemerkin at the South East European Regional Forum on Cybersecurity and Cybercrime 2012. Covers mobile forensics techniques, data types, acquisition methods, and challenges for BlackBerry devices.
Size: 1.24 MB
Language: en
Added: Jul 26, 2024
Slides: 13 pages
Slide Content
STATE-OF-ART OF MOBILE FORENSICS
YURY CHEMERKIN
SOUTH EAST EUROPEAN REGIONAL FORUM ON CYBERSECURITY AND CYBERCRIME 2012
METHODS
PHYSICAL ACQUISITION TECHNIQUE IS A BIT-BY-BIT COPY OF AN ENTIRE PHYSICAL STORE
LOGICAL ACQUISITION TECHNIQUE IS A BIT-BY-BIT COPY OF LOGICAL STORAGE
MANUAL ACQUISITION TECHNIQUE USES THE UI TO GET PICTURES OF DATA FROM THE SCREEN.
DATA TYPES
ALL AVAILABLE TYPES
ADDRESS BOOK/MESSAGES, GEO/FILES/PASSWORD… ETC
METHODS
COMMERCIAL FORENSIC SOFTWARE TOOLS WORK WITH A FULL COPY OF THE DEVICE DATA
BACKUP IS A FULL COPY OF THE DEVICE MADE BY NATIVE/VENDOR TOOLS OR APIs
SCREENSHOT EXTRACTION IS EASILY IMPLEMENTED AND GENTLER ON A RUN-DOWN BATTERY THAN A PHOTO/VIDEO CAMERA
DATA TYPES
UNKNOWN DATA TYPES ARE MISSED THROUGH IGNORANCE
SAVED MESSAGES/IMs
SOLID DB FILES REDUCE RAW ACQUISITION
FORENSICS ACQUISITION METHODS
METHODOLOGY REALITY
TRADITION
GOAL:
PREVENTING THE DEVICE FROM ANY CHANGES, INCL. MALWARE TRIGGERS
SOLUTION:
AIRPLANE MODE, FARADAY CAGE OR SIMILAR
SOME LIVE CASES PREVENT SYNC
LAST CENTURY
COMPLEXITY FACTOR:
HANDY BLACKBERRY GUI (A COUPLE OF CLICKS)
OVERLADEN ANDROID GUI (VIA MENU SETTINGS…)
ANDROID HOTKEYS DEPEND ON VENDOR
NETWORK AND OTA ISOLATION
“PUSH” TECHNOLOGY
DIFFERENCE BY IMPLEMENTATION (PROTOCOL):
BLACKBERRY SMARTPHONE – PROPR. PUSH + EXCHANGE
BLACKBERRY TABLET – IMAP4, POP3 + EXCHANGE ACTIVESYNC
ANDROID – GOOGLE SYNC, IDLE, IMAP4, POP3 + EXCHANGE ACTIVESYNC
DIFFERENCE BY REALIZATION (USER EXPERIENCE):
BLACKBERRY SMARTPHONE – TRUE PUSH IF ONLINE, QUICKLY RETRIEVES DATA IF IT WAS OFFLINE
BLACKBERRY TABLET – INTERRUPTED BY STANDBY AND NETWORK, ASKS FOR THE PASSWORD, LOSES THE NON-INBOX/SENT FOLDER DATA IF IT WAS OFFLINE
ANDROID – INTERRUPTED BY STANDBY AND NETWORK, ASKS FOR THE PASSWORD, LOSES THE NON-INBOX/SENT FOLDER DATA IF IT WAS OFFLINE
PASSWORD EXTRACTION AND BYPASSING
DEAD FORENSICS SOLUTION:
ELCOMSOFT SOLUTION FOR BLACKBERRY BACKUP DATA, WALLET
DEVICE PASSWORD
PATTERN & PASSWORD LOCK VIA ROOT FILE ACCESS (ANDROID): GESTURE.KEY, PC.KEY
LIVE FORENSICS SOLUTIONS:
TOUCH THE SCREEN TO PREVENT PASSWORD LOCKING
PREVENTING THE SCREEN LOCKING THROUGH THE APIs (ANDROID)
SCALED BUTTON PREVIEW VIA SCREENSHOT (ALMOST ALL/SETTINGS)
ASTERISKS HIDING DELAY (ALMOST ALL/SETTINGS)
DESKTOP SYNCHRONIZATION (BLACKBERRY)
FAKE WINDOW TO MISLEAD (ALL)
GOAL – GATHERING LOGS, DUMPS, BACKUP, OTHER DATA
SOLUTION – SDK TOOLS OR SIMILAR
DATA:
LOGS INCL. Wi-Fi, DUMPS, EXE MODULES, SCREENSHOTS, DEVICE INFO (BLACKBERRY)
SPECIAL LOGGING MECHANISM INCL. EVENTS, CREDENTIALS, FAILURES (ANDROID)
BACKUP:
GRANULATED DATA + WALLET (BB SMARTPHONE)
APP DATA, MEDIA, SETTINGS (BB TABLET)
THIRD-PARTY SOLUTIONS DESPITE NATIVE BACKUP APIs (ANDROID)
DEVICE INFORMATION
PHYSICAL ADDRESS: E8:XX:XX:XX:XX:XX
DEVICE OS: BLACKBERRY PLAYBOOK OS
DEVICE PIN: 500XXXXX | OS VERSION: 2.0.1.668
IP ADDRESS: 192.168.1.31 | SUBNET MASK: 255.255.255.0
DEFAULT GATEWAY: 192.168.1.1
PRIMARY DNS: 192.168.1.1 | PROXY IP/PORT:
WI-FI INFORMATION
STATUS: CONNECTED | SECURITY TYPE: WPA2 PERS
PROFILE NAME: XXXX | SSID: XXXX
SIGNAL LEVEL: -41 DBM | TYPE: 802.11G/N
CONNECTION DATA RATE: 65 MBPS
CLASSIC FORENSICS
DEALING WITH EXPIRATION
DEVICE & NETWORK LOG EXAMPLES
EXIF DATA
CAMERA MAKE: RIM/BLACKBERRY/ANDROID/HTC
CAMERA MODEL: DEVICE MODEL
OTHER EXIF DATA: EXPOSURE, DIAPHRAGM OPENING, FLASH, EXIF VERSION
GEO DATA
MEDIA FILE NAMES
IMG20120103-XXXX
GEO TAG AS CITY LIKE “MOSKVA”
VOICE NOTES
VN-20120319-XXXX.AMR / M4A
WHERE “20120319” IS THE DATE IN YYYYMMDD FORMAT
VID-YYYYMMDD-XXXXXX.3GP / MP4
CLASSIC FORENSICS
ANY DELAY LEAVES US FAR BEHIND
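An added example, not from the slides, that turns the media file naming conventions above (IMG, VN, VID with an embedded YYYYMMDD date) into a timeline an examiner can sort and check. The regexes and the sample listing are constructed assumptions, not a vendor specification; the digits after the date are treated as an arbitrary counter.

```python
import re
from datetime import date
from typing import NamedTuple, Optional

# Filename conventions taken from the slide; the regexes are constructed here
# and assume the digits after the date are an arbitrary per-device counter.
#   IMG20120103-XXXX             still image (extension optional)
#   VN-20120319-XXXX.AMR / .M4A  voice note
#   VID-YYYYMMDD-XXXXXX.3GP/.MP4 video
PATTERNS = [
    ("image", re.compile(r"^IMG(\d{8})-\d+(?:\.\w+)?$", re.I)),
    ("voice_note", re.compile(r"^VN-(\d{8})-\d+\.(?:amr|m4a)$", re.I)),
    ("video", re.compile(r"^VID-(\d{8})-\d+\.(?:3gp|mp4)$", re.I)),
]

class MediaHit(NamedTuple):
    name: str
    kind: str
    when: date

def parse_media_name(name: str) -> Optional[MediaHit]:
    """Return kind and the embedded YYYYMMDD date, or None when the name matches
    no convention or the eight digits are not a real calendar date."""
    for kind, rx in PATTERNS:
        m = rx.match(name)
        if not m:
            continue
        ymd = m.group(1)
        try:
            when = date(int(ymd[:4]), int(ymd[4:6]), int(ymd[6:]))
        except ValueError:  # e.g. "20121345": right shape, not a date
            return None
        return MediaHit(name, kind, when)
    return None

def build_timeline(names):
    """Recognised names sorted by embedded date, plus the names that matched
    nothing, so the examiner sees what the convention did not cover."""
    hits, unknown = [], []
    for n in names:
        h = parse_media_name(n)
        (hits if h else unknown).append(h or n)
    hits.sort(key=lambda h: (h.when, h.name))
    return hits, unknown

# Constructed sample directory listing (not taken from the slides)
SAMPLE = ["IMG20120103-0001.jpg", "VN-20120319-0007.amr",
          "VID-20120215-000123.3gp", "VID-20121345-000001.mp4", "notes.txt"]
```

Calling build_timeline(SAMPLE) orders the three valid names by date and reports the impossible-date video and notes.txt as unrecognised rather than dropping them.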
PRIVATE DATA - THROUGH THE API ONLY
BLACKBERRY CONTACT - EMAILS, CALL & RECENT HISTORY, LINKING WITH SOCIAL NETWORKS, ETC.
ANDROID CONTACT - SQL DB PER VCARD, FB, TWITTER…
MEDIA DATA - THROUGH API, SD-CARD
VOICE NOTES, SCREENSHOTS, CAMERAS, SQL DB…
EXIF, FILENAME OFTEN INCLUDES EXIF & GEO
MESSAGES AND IM CHATS - API, SD-CARD
IMs ARE NOT ENCRYPTED (BLACKBERRY/ALL)
| SENDER ID | RECIPIENT ID | DATE | DATA
STORED IN SHARED FOLDERS INSTEAD OF SANDBOX (BLACKBERRY)
MESSAGE DATA STORED IN SQL DB INCL. MMS MEDIA ON “/DATA/DATA” PATH:
/COM.ANDROID.PROVIDERS.TELEPHONY
/COM.FACEBOOK/FB.DB
CLIPBOARD
PASSWORDS END UP HERE
WALLET DOES NOT PROTECT A COPIED PASSWORD
GETCLIPBOARD(), GETDATA(), GETTEXT()
LIVE FORENSICS
DEVICE LIFE CYCLE IS MORE THAN ITS SOFTWARE
COVERS DEAD CASES IN REAL-TIME
LIVE FORENSICS
LACK OF SIMULATION ENVIRONMENTS
THE MODERN SECURITY TREND IS THE APP WORLD INSTALLATION WAY
INFORMATION BECOMES OUTDATED RAPIDLY, WHILE ITS GROWING AMOUNT LEAVES US MISSING MORE
PASSWORD AND ENCRYPTION ARE A LONG-TERM PROBLEM
LIVE SOLUTIONS PREVENT AND SOLVE ISOLATION ISSUES
FILES STAY IN THEIR DEFAULT LOCATION ONLY FOR A SHORT TIME AFTER THE EVENT
LIMITED CASES FOR DEAD OR LIVE FORENSICS SOLUTIONS
SOME DEAD CASES ARE HANDLED BY LIVE METHODS AND VICE VERSA, SO NEITHER SHOULD MISS THE OPPORTUNITY THE OTHER OFFERS
CONCLUSION
DEAD AND LIVE FORENSICS BECOME WELL-ESTABLISHED BUT...
THANK YOU
YURY CHEMERKIN
HAKIN9 MAGAZINE REPRESENTATIVE