Page 1:

By Alessandro Distefano, Gianluigi Me, Francesco Pace

11/08/2013 Fri. Daun Jeong

Page 2:

Introduction

Definition of Anti-forensics

The Android Operating System

Android Anti-forensics

Experiments

Conclusion

Page 3:

Anti-forensics techniques applied to mobile devices

Test of the effectiveness of such techniques against both a cursory examination of the device and some acquisition tools

Trend: uptick in the use of anti-forensics, so far confined to the classic forensics environment ⇒ instantiation of some common AF techniques on Android mobile devices

Page 4:

Any attempt to compromise the availability or usefulness of evidence in the forensic process. The availability of evidence can be compromised by preventing its creation, hiding its existence and manipulating the evidence.

The usefulness can be compromised by deleting the evidence or by tampering with its integrity.

Page 5:

1. Destroying Evidence: destruction of evidence in order to make it unusable.

2. Hiding Evidence: decreasing the visibility of the evidence.

⇒ Both processes 1 and 2 can themselves generate other evidence.

3. Eliminating Evidence Sources: preventing evidence creation.

4. Counterfeiting Evidence: creating a fake version of evidence.

Page 6:

Page 7:

Page 8:

Application & Sandboxes: Android binds any running application to a secure sandbox, so it cannot interfere with any other application.

User IDs and Permissions: Android manages each application as a different Linux user. Permissions are declared with <uses-permission> tags in the application's AndroidManifest.xml.

Page 9:

1. Current Android Forensics Techniques & Tools

2. Instantiating Anti-forensics

3. The Evidence Export Process

4. The Evidence Import Process

5. The Evidence Destruction Process

Page 10:

1. Android Debug Bridge (ADB): a tool provided with the Android SDK which allows interaction between the mobile device and a remote station.

2. Nandroid Backup: Nandroid is a set of tools supporting backup and restore capabilities for rooted Android devices. It supports full NAND flash memory imaging, which is performed from a special boot mode.

Page 11:

3. Physical Imaging by dd: the dd tool allows byte-level physical imaging of Unix files and can be applied to regular files and to device files as well, thanks to the availability of a Unix-like command shell.

4. Commercial Tools: Paraben Corporation, Micro Systemation, Cellebrite. Open Source Tools: Mobile Internal Acquisition Tool (MIAT).

Page 12:

5. Serial Commands over USB: capability to eavesdrop on the data conveyed over the wire.

6. Simulated SD card: use of a modified update file in order to avoid the destruction of internal memory data and to provide kernel-level tools supporting the acquisition of data.

Page 13:

7. Software Applications: applications that are able to explore, read and mirror the contents stored by the file system, even for the internal memory storage volume.

Page 14:

Exploiting Android features: strong Linux process & user management policies

A private folder: a directory that is inaccessible to any other application. Private folders in internal memory are hard to examine because of isolation and the difficulty of physical imaging.

Anti-forensics by a common application: Evidence Export/Import/Destruction Process

Page 15:

1) Android Destroying Evidence: text messages, browser bookmarks, call log ⇒ deletion of the related database

2) Android Hiding Evidence: multimedia files ⇒ move them into internal storage (private folder)

3) Android Eliminating Evidence Sources: multimedia messages (MMSs) ⇒ modify identifiers so they are invisible to the end user

4) Android Counterfeiting Evidence: contact information ⇒ modify flag & related number

Page 16:

Restore the previous state of the device.

The private storage of the evidence: organize the exported evidence using a set of common files in the private folder. An XML-style file (export.xml) is responsible for the storage of all evidence. A number of files of various formats are imported from the removable memory card.

Page 17:

How to reconstruct the evidence?

Fully Automated Evidence Reconstruction: AFDroid

1) Private folder inspection

2) export.xml file processing
▪ Related DB & table
▪ The connection DB

3) Other file processing
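One way an examiner could automate the three reconstruction steps above over an extracted /data/data tree from a Nandroid or dd image, as an added example that is not from the slides or from the AFDroid project. The export.xml element names, the package name com.example.afapp and the sample rows are constructed assumptions, since the slides do not give the file's schema.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
# Constructed export.xml; element names are an assumption, the slides give no schema.
SAMPLE_EXPORT = """<export>
  <evidence db="mmssms.db" table="sms">
    <row address="+15550100" date="1377000000" body="meet at 9"/>
    <row address="+15550101" date="1377000600" body="ok"/>
  </evidence>
  <evidence db="contacts2.db" table="raw_contacts">
    <row display_name="A. Smith" number="+15550100"/>
  </evidence>
  <file name="img_001.jpg" origin="/sdcard/DCIM/img_001.jpg"/>
</export>"""

def find_export_files(data_root):
    """Step 1 (private folder inspection): look for export.xml in each app dir."""
    hits = []
    for app in sorted(os.listdir(data_root)):
        candidate = os.path.join(data_root, app, "export.xml")
        if os.path.isfile(candidate):
            hits.append(candidate)
    return hits

def parse_export(path):
    """Steps 2 and 3: rows grouped by source (db, table), plus the hidden files."""
    root = ET.parse(path).getroot()
    records = {}
    for ev in root.findall("evidence"):
        key = (ev.get("db"), ev.get("table"))
        records.setdefault(key, []).extend(dict(r.attrib) for r in ev.findall("row"))
    files = [(f.get("name"), f.get("origin")) for f in root.findall("file")]
    return records, files

def triage(data_root):
    """Per app: row count per source table and the hidden files, for the examiner."""
    report = {}
    for path in find_export_files(data_root):
        app = os.path.basename(os.path.dirname(path))
        records, files = parse_export(path)
        rows = {f"{db}:{table}": len(r) for (db, table), r in records.items()}
        report[app] = {"rows": rows, "files": files}
    return report

def build_sample_image():
    """Construct a fake extracted /data/data: two app dirs, one holding export.xml."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "com.android.browser"))
    os.makedirs(os.path.join(root, "com.example.afapp"))
    with open(os.path.join(root, "com.example.afapp", "export.xml"), "w") as fh:
        fh.write(SAMPLE_EXPORT)
    return root
```

Running triage(build_sample_image()) reports the one app whose private folder holds an export.xml, the number of rows it took from each source table, and the multimedia file it moved off the memory card.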

Page 18:

Internal Memory & Data Recovery: acquiring an image of the internal memory is still incomplete (JTAG).

Fully Automated Process ⇒ uninstall of AFDroid. All the related data are logically deleted by the FS. Avoids human errors. Reduces time.

Page 19:

Objectives: to test the strength of the Evidence Export/Destruction process in relation to the tools that are currently able to acquire a snapshot of the internal memory of the target device.

Used device: Samsung Galaxy i7500 equipped with the Android 1.5 OS.

Used acquisition tools: Paraben Device Seizure / Nandroid / MIAT

Page 20:

Experimental Workflows

1) Evidence export process
▪ First imaging with the Nandroid tool
▪ Execution of AFDroid
▪ Acquisition with the MIAT tool
▪ Second imaging with the Nandroid tool

2) Evidence destruction process
▪ First imaging with the Nandroid tool
▪ Execution of AFDroid
▪ Second imaging with the Nandroid tool
▪ Uninstall of AFDroid
▪ Acquisition with the MIAT tool
▪ Third imaging with the Nandroid tool

Page 21:

Cursory examination of the SMS/MMS database before and after the EEP: the entire set of SMS/MMS messages is emptied.

Page 22:

The Nandroid and MIAT tools can recover all the evidence that has been previously exported into the private folder.

Page 23:

A large amount of multimedia data can negatively affect the duration of the process.

It is realistic to suppose that only a reduced amount of such data can be exported into the private folder, because of the limited capacity of current internal memory.

Page 24:

When the application is uninstalled and the EDP completed, the private folder is removed together with all its stored contents.

After that, neither the Nandroid nor the MIAT tool was able to recover the deleted data.

Page 25:

Current and Future Work

1. Improving the AFDroid application
▪ To selectively choose the target evidence
▪ The expansion of the kinds of target evidence

2. Expanding the compatibility to other operating systems
▪ Windows Mobile, Symbian

Page 26:

Android Anti-Forensics Through a Local Paradigm. Alessandro Distefano, Gianluigi Me and Francesco Pace, Digital Investigation 7 (2010) S83-S94.