1 00:00:00,990 --> 00:00:03,390 Hello and welcome back to our official circus series.
2 00:00:03,690 --> 00:00:07,500 This is the forensics using Kali Linux section.
3 00:00:07,500 --> 00:00:09,540 We're going to talk about mobile device forensics.
4 00:00:10,080 --> 00:00:16,380 We're getting into why forensics are important and a lot of the tools that Kali comes built with.
5 00:00:19,610 --> 00:00:22,910 Ah, for forensics, though they can be used for other things as well.
6 00:00:23,690 --> 00:00:28,670 There are many command line tools available to us, and we'll get into all that and.
7 00:00:31,260 --> 00:00:35,220 This is our outline or table of contents.
8 00:00:35,970 --> 00:00:41,580 So many of the tutorials on Android forensics are kind of dated, so just because a tool is here today,
9 00:00:41,580 --> 00:00:42,630 it may be gone tomorrow.
10 00:00:43,050 --> 00:00:43,990 So just be aware of that.
11 00:00:44,010 --> 00:00:50,310 It's not that there's anything wrong with all of that, but sometimes the tools don't get updated.
12 00:00:50,310 --> 00:00:55,650 And there are several commercial industry standard tools, but those are not the subject of
13 00:00:55,650 --> 00:00:56,730 the discussion today.
14 00:00:57,960 --> 00:00:59,350 So why?
15 00:00:59,370 --> 00:01:00,470 For mobile forensics?
16 00:01:00,480 --> 00:01:07,050 Well, mobile devices in criminal investigations and similar activities have been present for many years.
17 00:01:07,680 --> 00:01:14,850 The forensic methods study in mobile devices is relatively new, dating back to the early 2000s, but
18 00:01:14,850 --> 00:01:22,350 many of the same ideas that police and law enforcement used to find information out on people that would
19 00:01:23,010 --> 00:01:26,670 be doing nefarious activities can be gleaned from mobile devices.
20 00:01:26,700 --> 00:01:33,570 So I want to talk about some of the different things, the data points and information you can get from
21 00:01:33,570 --> 00:01:34,530 mobile devices.
22 00:01:36,140 --> 00:01:37,400 And how to extract that.
23 00:01:41,060 --> 00:01:42,200 This is our chapter flow.
24 00:01:42,680 --> 00:01:45,020 Keep in mind, this is a generic chapter flow.
25 00:01:45,030 --> 00:01:50,720 There will be a few more things here than just this, but we will talk about the Android Debug Bridge.
26 00:01:50,720 --> 00:01:56,330 We will look at a few other tools like Autopsy and iOS Analyzer.
27 00:01:56,330 --> 00:02:00,320 We'll look at Android Studio, look at the dd tool.
28 00:02:03,290 --> 00:02:05,810 So let's talk about a few things now.
29 00:02:06,140 --> 00:02:09,080 What kind of information can you get from a mobile device?
30 00:02:09,110 --> 00:02:10,370 That's important to understand
31 00:02:10,700 --> 00:02:19,400 before you get into forensics in general. So you can get not only subscriber information, you can
32 00:02:19,400 --> 00:02:24,710 get IMEI numbers, which is the international mobile equipment identifier.
33 00:02:25,490 --> 00:02:32,690 That number can essentially allow you to access many other things.
34 00:02:33,230 --> 00:02:36,420 It allows you to uniquely identify that device on the network.
35 00:02:36,440 --> 00:02:40,370 Many times you have to give your cell phone provider an IMEI number.
36 00:02:41,750 --> 00:02:48,410 For example, on Samsung phones, you can get the IMEI number by typing *#06#.
37 00:02:49,970 --> 00:02:50,510 So what?
38 00:02:50,600 --> 00:02:51,380 What else can you get?
39 00:02:51,380 --> 00:02:51,830 You can get
40 00:02:52,100 --> 00:02:53,510 date, time information.
41 00:02:53,510 --> 00:02:54,200 You can get into
42 00:02:54,200 --> 00:03:00,200 settings, you could mess with the person's files, their phone book, their contact information, their
43 00:03:00,200 --> 00:03:00,790 calendar.
44 00:03:00,800 --> 00:03:02,150 See where they might be going.
45 00:03:02,540 --> 00:03:07,940 Try and build a profile, if you're doing a forensic acquisition of this and you're going to be trying
46 00:03:07,940 --> 00:03:11,360 to recreate who might have gained access to the device.
47 00:03:12,230 --> 00:03:19,610 And mobile operating systems are becoming more complex and more and more advanced, like computers.
48 00:03:19,610 --> 00:03:25,040 And they're largely, in many cases, replacing traditional computing systems.
49 00:03:25,640 --> 00:03:30,080 We now have Chromebooks that run Android apps.
50 00:03:30,080 --> 00:03:39,080 We even have the ability to hook an Android phone into a docking station and have it essentially function
51 00:03:39,080 --> 00:03:39,860 like a computer.
52 00:03:42,240 --> 00:03:53,970 The computer also has incoming and outgoing text messages, call logs, missed calls, email, your photos,
53 00:03:53,970 --> 00:03:59,890 your Facebook, your Google Photos, your iCloud, any recordings you might have made.
54 00:03:59,910 --> 00:04:00,270 Of course,
55 00:04:00,270 --> 00:04:01,680 multimedia messages.
56 00:04:02,310 --> 00:04:06,030 Instant messaging, web browsing activities.
57 00:04:07,220 --> 00:04:09,320 Location information, where you went.
58 00:04:15,000 --> 00:04:16,830 Also geolocation data.
59 00:04:18,810 --> 00:04:24,600 When you take pictures with your phone, unless you explicitly turn it off, it tags your location.
60 00:04:25,290 --> 00:04:27,810 Cell phones can be a treasure trove of information.
61 00:04:31,940 --> 00:04:35,810 Mobile devices tend to require specialized tools to extract the data,
62 00:04:36,110 --> 00:04:40,550 although Kali Linux does have a lot of those tools for working with mobile devices.
63 00:04:42,590 --> 00:04:47,870 There are many other specialized tools in the market which can be utilized as well.
64 00:04:49,820 --> 00:04:56,900 So let's talk briefly about a case study where mobile devices were one of the major focuses, for those
65 00:04:56,900 --> 00:05:00,500 that have not been following the news recently.
66 00:05:02,030 --> 00:05:10,610 We have a technical report from the Dark Caracal campaign, one of the larger cyberespionage campaigns
67 00:05:10,610 --> 00:05:11,090 to date.
68 00:05:12,800 --> 00:05:18,860 And this report contains details on more than 90 indicators of compromise, including 11 different Android
69 00:05:18,860 --> 00:05:19,520 malware,
70 00:05:20,180 --> 00:05:28,520 26 desktop malware across Windows, Mac, Linux, as well as domain based indicators of compromise,
71 00:05:29,180 --> 00:05:31,700 also some social engineering and many other things.
72 00:05:32,060 --> 00:05:38,510 So we just briefly look at this cyber espionage of a global scale report and some of the key findings.
73 00:05:39,230 --> 00:05:45,140 And you can scroll down and you can see some of the different data that was obtained, not only on domains,
74 00:05:45,140 --> 00:05:51,710 email addresses, but look at the exfiltrated data, the call information, SMS information, call records,
75 00:05:51,710 --> 00:05:54,650 contacts, installed applications.
76 00:05:56,370 --> 00:06:01,140 Corporate information, messaging apps, WhatsApp, Telegram, Skype.
77 00:06:01,770 --> 00:06:09,480 So not only were they able to hide their evidence, almost 60% of the 81 gigabytes of data they
78 00:06:09,480 --> 00:06:12,630 extracted came from mobile devices.
79 00:06:13,320 --> 00:06:15,090 That's an astonishing amount of data.
80 00:06:15,090 --> 00:06:21,090 And if you look at the countries that this occurred in, so it's important to understand that
81 00:06:23,040 --> 00:06:23,760 mobile device
82 00:06:23,760 --> 00:06:27,510 forensics is here to stay, and it's going to be here for a very long time.
83 00:06:32,470 --> 00:06:35,350 So let's talk about digital forensics in terms of Kali Linux.
84 00:06:36,540 --> 00:06:42,750 Kali Linux provides a live forensic mode, so you can boot into essentially a live operating system.
85 00:06:42,750 --> 00:06:50,880 This was introduced around the time when Kali had just evolved out of BackTrack Linux.
86 00:06:52,470 --> 00:06:54,270 Kali Linux is widely available.
87 00:06:54,780 --> 00:07:01,200 Many users already can download Kali or have bootable thumb drives, so forensics is just one component
88 00:07:01,230 --> 00:07:02,910 of Kali Linux.
89 00:07:04,110 --> 00:07:10,170 And it's easy to make it convenient, actually a popular tool for forensics as well.
90 00:07:10,170 --> 00:07:14,160 If you don't have any other commercial tools, it's a great option to start with.
91 00:07:19,320 --> 00:07:21,330 So let's talk about the Android Debug Bridge.
92 00:07:21,330 --> 00:07:26,040 But before we do that, we need to understand what it is.
93 00:07:26,040 --> 00:07:27,480 Well, why we're starting with Android:
94 00:07:27,480 --> 00:07:29,730 because of the open nature of Android.
95 00:07:30,060 --> 00:07:36,240 Android is a very versatile platform, and it's designed to be more open.
96 00:07:36,510 --> 00:07:40,380 It's easier to root, to gain administrative access to them.
97 00:07:41,670 --> 00:07:45,150 So definitely spend some time with the forensic section.
98 00:07:45,150 --> 00:07:46,740 It's definitely worth your time.
99 00:07:47,610 --> 00:07:56,310 And it's a big part of becoming a certified pen tester, because if you can't pick up what actually
100 00:07:56,310 --> 00:08:02,550 occurred, then it's a very difficult row to hoe.
101 00:08:08,590 --> 00:08:11,500 So why don't you make a copy, and you copy your drive?
102 00:08:11,860 --> 00:08:14,230 Then you're going to want to look for
103 00:08:16,640 --> 00:08:17,540 making a copy.
104 00:08:17,540 --> 00:08:23,630 Of course, there are tools, forensic duplicators, or things you can buy that will make your job a
105 00:08:23,630 --> 00:08:24,530 little bit easier.
106 00:08:25,520 --> 00:08:29,360 But Kali Linux has a lot of tools built in with it.
107 00:08:33,910 --> 00:08:36,510 A lot of command line, to some of the GUI tools.
108 00:08:39,860 --> 00:08:46,730 So in summary, we talked about how this live distro, or the virtual distro, makes it quick
109 00:08:46,730 --> 00:08:48,530 and easy to put Kali right on the job.
110 00:08:48,950 --> 00:08:51,380 It has a lot of the most popular forensic tools.
111 00:08:52,070 --> 00:08:59,270 We looked at the Android Debug Bridge and being able to communicate with the device; we looked at how
112 00:08:59,270 --> 00:09:04,700 there were different ways you can push and pull things from the device, how you can install applications.
113 00:09:05,330 --> 00:09:12,140 You get a very robust Unix shell with which you can run commands.
114 00:09:12,980 --> 00:09:14,120 When you start the client,
115 00:09:14,150 --> 00:09:16,490 it checks if there's a server that's already running.
116 00:09:17,260 --> 00:09:19,400 If there is not, it starts the server process.
117 00:09:19,940 --> 00:09:28,310 The iPhone Analyzer allows you to forensically examine or recover data from the iOS device without modifying
118 00:09:28,310 --> 00:09:28,430 it.
119 00:09:28,460 --> 00:09:32,540 We also looked at the dd tool and the CFD tool.
120 00:09:34,730 --> 00:09:36,560 So now let's do some practice questions.
121 00:09:37,040 --> 00:09:39,170 What are the components of ADB?
122 00:09:40,820 --> 00:09:41,450 A client,
123 00:09:41,450 --> 00:09:41,960 a daemon,
124 00:09:41,960 --> 00:09:42,560 a server.
125 00:09:43,490 --> 00:09:44,150 A client,
126 00:09:44,150 --> 00:09:45,590 a server and firewall.
127 00:09:47,120 --> 00:09:47,690 A client,
128 00:09:47,690 --> 00:09:49,010 a firewall and a daemon.
129 00:09:52,900 --> 00:09:54,850 Or a daemon, a server and a firewall.
130 00:10:08,870 --> 00:10:10,100 Correct answer is
131 00:10:11,500 --> 00:10:13,270 a client, a daemon and a server.
132 00:10:14,920 --> 00:10:15,440 Number two.
133 00:10:15,460 --> 00:10:20,380 What local port does the ADB, or the Android Debug Bridge, server bind to?
134 00:10:28,360 --> 00:10:30,070 Is it A, 5050?
135 00:10:35,510 --> 00:10:36,360 B, 80.
136 00:10:41,960 --> 00:10:45,500 C, 443, or D, 5037.
137 00:10:51,290 --> 00:10:54,650 The answer is D, 5037.
138 00:11:06,110 --> 00:11:06,980 Number three.
139 00:11:07,700 --> 00:11:22,940 What is the ADB command to list the devices attached? A, adb devices; B, adb devices -l; C, adb dev; or D, adb
140 00:11:22,940 --> 00:11:23,390 -h.
141 00:11:25,680 --> 00:11:27,480 Answer is B, adb
142 00:11:27,480 --> 00:11:27,690 devices
143 00:11:27,690 --> 00:11:29,100 -l.
144 00:11:40,390 --> 00:11:41,450 Let's look at number four.
145 00:11:41,470 --> 00:11:45,040 What is the command to install an APK file on the device attached?
146 00:11:46,300 --> 00:11:48,010 adb kill apk.
147 00:11:48,550 --> 00:11:50,620 adb shell apk.
148 00:11:52,030 --> 00:11:57,400 adb install apk, or adb apk.
149 00:12:00,610 --> 00:12:03,640 Answer is C, adb install apk.
150 00:12:14,710 --> 00:12:18,730 So number five, what is the command that's used for backing up an Android device?
151 00:12:22,160 --> 00:12:32,060 Is it A, adb backup -apk -shared -all -f; B, adb backup and then the file name.
152 00:12:35,090 --> 00:12:36,620 C, adb backup.
153 00:12:48,580 --> 00:12:51,520 Or D, none of the above.
154 00:12:53,530 --> 00:12:54,800 The answer is A.
155 00:12:58,550 --> 00:13:03,740 So we spoke briefly about forensics, because forensics and mobile devices are linked.
156 00:13:04,130 --> 00:13:08,330 And because of the open nature of Android, it's easier to work with forensic tools on Android, though
157 00:13:08,330 --> 00:13:13,040 there are some tools that work for both Android and iOS.
158 00:13:23,850 --> 00:13:26,910 And these are some of the different summaries of what we talked about.
159 00:13:27,510 --> 00:13:28,650 So we talked about
160 00:13:30,960 --> 00:13:32,280 different forensics tools.
161 00:13:32,280 --> 00:13:34,320 We talked about the Android Debug Bridge.
162 00:13:35,340 --> 00:13:37,680 There's some of the tools, the dd command.
163 00:13:37,680 --> 00:13:40,590 We looked at how to image a disk.
164 00:13:41,430 --> 00:13:44,670 These are some of the different acronyms we looked at.
165 00:13:47,960 --> 00:13:55,070 And I want to briefly show a couple of other tools that are out there before we conclude this module.
166 00:13:57,020 --> 00:14:00,080 So there's a couple of tools from a company called NowSecure.
167 00:14:00,890 --> 00:14:04,730 One of these is called Frida, Frida.
168 00:14:05,060 --> 00:14:11,480 It's a dynamic instrumentation toolkit for developers, reverse engineers and security researchers.
169 00:14:12,170 --> 00:14:14,180 You can actually install it in Kali.
170 00:14:15,110 --> 00:14:16,490 It's pretty easy to do.
171 00:14:18,290 --> 00:14:28,940 You either pip install it, or you have to be root, to install the Frida tools.
172 00:14:29,690 --> 00:14:34,250 And it's important to have some kind of a reverse engineering toolkit
173 00:14:36,630 --> 00:14:37,530 at your disposal.
174 00:14:37,530 --> 00:14:39,510 There's a lot out there, especially with forensics.
175 00:14:39,510 --> 00:14:45,120 If you potentially get a piece of malware or something you need to analyze, it'll be important that
176 00:14:45,120 --> 00:14:46,890 you understand how to work with that.
177 00:14:47,670 --> 00:14:53,220 So Frida, it takes a little bit of time to install, but the nice thing about it is that it is a very
178 00:14:53,220 --> 00:14:56,070 robust tool and it's scriptable.
179 00:14:56,400 --> 00:14:59,070 It works on multiple operating systems.
180 00:14:59,700 --> 00:15:07,290 It's completely free software, and it allows for deep analysis of mobile apps at scale.
181 00:15:10,300 --> 00:15:11,620 So once it's installed,
182 00:15:17,320 --> 00:15:24,970 you can load in files, you can load in scripts, you can connect to USB devices, connect to remote
183 00:15:24,970 --> 00:15:25,660 servers.
184 00:15:26,200 --> 00:15:27,550 It's very, very powerful.
185 00:15:27,910 --> 00:15:31,810 And we'll probably look at this tool in future iterations.
186 00:15:33,040 --> 00:15:36,340 There's one other tool called Radare,
187 00:15:40,270 --> 00:15:43,720 and it's not necessarily installed in Kali by default.
188 00:15:50,910 --> 00:15:53,100 It's a portable reverse engineering framework
189 00:15:54,870 --> 00:15:58,560 that can disassemble for many different platforms.
190 00:16:00,890 --> 00:16:01,760 If you want to.
191 00:16:02,060 --> 00:16:03,950 They've changed the name to Arcon.
192 00:16:04,370 --> 00:16:07,820 If you want to run it on Linux,
193 00:16:09,480 --> 00:16:11,820 you can also try it in the cloud.
194 00:16:17,840 --> 00:16:20,900 You'll have to do it via source code.
195 00:16:20,900 --> 00:16:21,920 You have to compile it.
196 00:16:23,520 --> 00:16:29,550 There are different builds for whether you're building from source or whether you're building on Android.
197 00:16:30,030 --> 00:16:34,080 So you'll just clone the GitHub repository for this tool.
198 00:16:41,960 --> 00:16:42,890 And we'll clone it.
199 00:16:43,940 --> 00:16:45,210 And it'll take a little while.
200 00:16:45,230 --> 00:16:50,510 Once you're done, then you'll run the installer script, and then you'll have a portable reverse engineering
201 00:16:50,510 --> 00:16:52,940 framework at your disposal.
202 00:16:55,290 --> 00:16:56,850 It has many different meanings.
203 00:16:56,850 --> 00:17:00,270 There's even a version that combines Frida with it.
204 00:17:02,260 --> 00:17:06,190 So I hope you enjoyed this series.
205 00:17:08,750 --> 00:17:12,590 Appreciate your time, and we'll see you guys in the next course.
206 00:17:13,220 --> 00:17:13,670 Thank you.