Open Source Mobile Device Forensics
Heather Mahalik
2014, Basis Technology
Device Acquisition
iOS Devices
- Zdziarski Methods
- Boot ROM vulnerability exploits
- Custom ramdisk via SSH
- The iPhone Data Protection Tools
- iTunes
- viaLogical
Android Devices
- ADB Backup
- OSAF Toolkit
- Santoku
- DD (not supported for all devices)
- JTAG/Chip-off
Considerations
- How old is the device?
- Is the device locked?
- Is the device damaged?
- Are you law enforcement?
Android Memory Capture
- LiME (Linux Memory Extractor)
- First tool to support full memory captures of Android smartphones!
- Capture is sent over TCP or saved to the SD card
- Uses ADB
Analytical Tools, to Name a Few
iOS Devices
- iPhone Backup Analyzer
- iExplorer
- iBackupBot
- Scalpel
- SQLite Browser
- Plist Editor
- WhatsApp Extract (Contacts.sqlite and ChatStorage.sqlite)
- Manual examination
- Customized scripts
Android Devices
- Autopsy (Android Module)
- WhatsApp Extract (wa.db and msgstore.db)
- Scalpel
- SQLite Browser
- Hex Editor
- Anything capable of mounting EXT
- FTK Imager
- Customized scripts
- Manual examination
Reality Check!
Commercial tools are expensive
- They still miss data
- They don't parse third-party applications completely
- They omit relevant databases when extracting data
- They don't support all devices
Open Source tools
- See above!
Example iOS Examination
/private/var/mobile/library/Spotlight/com.apple.mobilesms/smssearchindex.sqlite
- Provides SMS message data
- Active and deleted messages
- Should be compared to sms.db
- May show traces of attachments (metadata)
*Not commonly parsed by any tool!
Autopsy
- GUI built on The Sleuth Kit
- Next version (v3.1.1) will include Android module
- Customizable
- Complete analytical platform
- Android dumps can be loaded as normal disk images or file folders
Android Examination
Examining Contacts
- Parsed from Contacts2.db file
- Raw_contacts and ABPerson
Examining the Raw Contacts (1)
Examining the Raw Contacts (2)
Parsing Messages and Chats
- Parses messages and chats from SMS, MMS and some third-party applications
Encoding Built into Autopsy
- Encryption vs. Encoding
- Base64 decoder built into Autopsy Android module
Geolocation Support
- Google Maps, Browser, Cache and EXIF location parsing
Geolocation Reporting
Examining Multimedia Files
- EXIF Parser
- Graphics and Videos
Recovering Deleted SQLite Data
- Active records are shown in the viewer
- Deleted records must be examined/recovered in hex
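A worked illustration of this slide's point, added here as example code (not from the slides, Autopsy, or any tool named in the deck): it builds a small sms-style SQLite file from constructed rows, deletes one row with secure_delete off, and then carves printable strings from the raw file bytes, showing that the deleted message is invisible to SQL yet still sits in unallocated space inside the page. The table and column names (sms, _id, address, body) are assumed for the demo, not taken from the slides.

```python
import os, re, sqlite3, tempfile

# Constructed rows standing in for an Android-style sms table; not data from any real device.
SAMPLE_MESSAGES = [
    (1, "+15550100", "meet at the usual place at 9"),
    (2, "+15550101", "running late, start without me"),
    (3, "+15550102", "remember to return the borrowed laptop"),
]

def build_sample_db(path):
    """Create the table, store the rows, then delete one with secure_delete off so its bytes linger."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")  # set explicitly: some SQLite builds default to ON
    con.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    con.executemany("INSERT INTO sms VALUES (?, ?, ?)", SAMPLE_MESSAGES)
    con.commit()
    con.execute("DELETE FROM sms WHERE _id = 3")  # the row a viewer will no longer show
    con.commit()
    con.close()

def live_text_values(path):
    """Every text value a SQLite viewer can show: rows still linked into each table's b-tree, plus the schema."""
    con = sqlite3.connect(path)
    values = set()
    names = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    for name in ["sqlite_master"] + names:
        for row in con.execute(f'SELECT * FROM "{name}"'):
            values.update(v for v in row if isinstance(v, str) and v)
    con.close()
    return values

def carve_strings(raw, min_len=8):
    """Printable-ASCII runs in the page bytes: what a hex-level review picks out by eye."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, raw)]

def find_deleted_remnants(path, live):
    """Carved strings that match no live value: candidates for deleted records in unallocated cell space."""
    with open(path, "rb") as f:
        raw = f.read()[100:]  # skip the 100-byte file header ("SQLite format 3")
    return [s for s in carve_strings(raw) if not any(v in s for v in live)]

def demo():
    """Build the sample database in a temporary directory; return (live text values, carved remnants)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sms_sample.db")
        build_sample_db(path)
        live = live_text_values(path)
        return live, find_deleted_remnants(path, live)
```

Real device databases differ in page size, journal mode and vacuum behaviour, so carved remnants are candidates to verify against the hex, not recovered records.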
Custom Scripts
- Mari DeGrazia's SQLite Parser
References, Sources and Suggested Reading
- http://www.zdziarski.com/blog/wpcontent/uploads/2013/05/iOS-ForensicInvestigative-Methods.pdf
- www.az4n6.blogspot.com
- https://viaforensics.com/blog/
- http://www.sleuthkit.org/
- Practical Mobile Forensics, Bommisetty, Mahalik, Tamma
- www.smarterforensics.com
- https://code.google.com/p/lime-forensics/
Questions
Heather Mahalik
Basis Technology
www.basistech.com
Twitter: @heathermahalik