Pod Ranger 2012 Episode 1 –
The PODRanger discusses with Lee Reiber, his history, mobile forensics and AccessData’s Mobile Phone Examiner Plus
First, a BIG THANK YOU to the Techno Security and Mobile Forensics Conference. I have been a part of the MFC/MFW since its inception and it continues to excite. I thank TrainingCo for allowing me to speak, banter and often incite riots with this notion of forensic processes. IMHO the MFC, aka MFW, has been reborn with the help of TrainingCo, spurring it to become a conference for mobile forensics and for the growth of sound practices and tools in my industry. If I can offer one comment, expressed to me personally by attendees and not in my words:
“I wish vendors would stop the sales pitch in presentations and offer information that can make them accomplished examiners in mobile forensics”
Again, this was a quote from one individual, but the same sentiment was expressed to me personally by other attendees. I completely agree, and as I am sure people know I am associated with both MFI and AccessData, but my MFC talk, and for the most part all my other talks, contained information an examiner can take and use with ANY tool in their arsenal to accomplish the goal. Yes, I had other vendors in my talks and did not deny them from attending (you know who you are). I believe it is not for me to decide or dictate what tool they use, but to offer solutions.
Also, I thank my ghost writer for the Techno stories and my new podcast man, PODRanger, for starting something he probably wishes he had not started. (Yes, I will be in audio soon…)
Thanks, Lee aka @Celldet
Yesterday @Celldet was also busy with another class, this time on SmartDevices. The class concentrated first on what a smart device is in the mobile sense: really just a mobile computer. The black-and-white line that once separated a mobile device from a computer in storage capacity, computing ability and applications does not exist today. The only difference left is in how today's examiners examine them forensically. The point, it appeared, was that the data held on a mobile phone is no different from the data held on a computer, so we should be able to harvest far more pieces of data than we currently do as examiners. So the quest was on.
@Celldet busted out @AccessData FTK 4 and also MPE+ to walk the students through the many artifacts in both Android and iOS filesystems. Like a cooking show, the physical images of both an iPhone 4 running iOS 5.1 and the userpartition.yaffs2 of an Android HTC Hero had been obtained previously by MPE+ and then processed in FTK 4. The attendees were then taken through the filesystem, looking at the beautiful display of SQLite databases in FTK's HTML view: from Spotlight, to the SMS database and into the application area. Each SQLite database is a treasure trove of user data, from settings to stored application data. Then the new MPE+ iOS and Android parsers were unleashed.
At first the attendees (at least I did) thought this was some sort of sadistic trick. We had previously and methodically negotiated the filesystem in FTK for this great data, and @Celldet was now going to show us that MPE+ automates the process! The payback was that the image he wanted to use was not on his computer, so he had to use his own iPhone 4 image. Paybacks! The image was imported and mounted immediately, which is a new feature of MPE+ 4.8. MPE+ now mounts file types like AD1, E01, yaffs, yaffs2, ext, fat, ext4, ext3, dd and compressed folders, just like FTK Imager or FTK.
So once the iOS image was mounted, @Celldet simply went to the Tools menu, selected Parser and then iOS, selected the folder to parse and let it run. A few seconds later capabilities like email, MMS, contacts, SMS, calendar, notes, WebKit, browser and more appeared for selection. @Celldet selected all and the collected data filled the data grid. The same was done with the Android device: simply point to the mounted image and select the capabilities you want! Amazing.
What had to be flashing through many of the attendees' swirling domes was the fact that they could now bring in images created by other programs and run the powerful parsers against them to uncover even more pieces of data.
@Celldet ended by showing a "not released" parser that readers will have to wait for the official release or the next blog to see…… Simply put, a game changer… Until then.
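As an added example (not code from the class, from MPE+ or from FTK), here is the manual version of what the parsers automate: walk a mounted or extracted iOS/Android image, identify SQLite databases by their 16-byte header rather than by file name, list each table with its row count, and convert iOS timestamps, which are stored as seconds since 2001-01-01 UTC, to readable dates. The image tree, the sms.db schema and the rows are constructed stand-ins for the example; the real iOS sms.db layout differs. Every database is opened read-only so the evidence copy is never modified.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"                   # first 16 bytes of every SQLite 3 file
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)   # iOS "Mac absolute time" epoch


def is_sqlite(path):
    """Identify a database by its header, not its name: many iOS/Android
    databases carry no .db/.sqlite suffix, and a .db suffix proves nothing."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
    except OSError:
        return False


def find_sqlite_dbs(root):
    """Walk a mounted image (or an extracted filesystem tree) and return the
    path of every SQLite database found, sorted for reproducible reports."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_sqlite(full):
                hits.append(full)
    return sorted(hits)


def _open_readonly(path):
    # mode=ro via the URI form so the evidence file is never written to
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def _quote_ident(name):
    return '"' + name.replace('"', '""') + '"'


def summarize_db(path):
    """Return {table_name: row_count} for one database."""
    con = _open_readonly(path)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        return {t: con.execute("SELECT COUNT(*) FROM " + _quote_ident(t)).fetchone()[0]
                for t in names}
    finally:
        con.close()


def mac_absolute_to_utc(seconds):
    """Convert an iOS timestamp (seconds since 2001-01-01 UTC) to an aware datetime."""
    return MAC_EPOCH + timedelta(seconds=seconds)


def dump_messages(path):
    """Pull the constructed message table and render its timestamps as UTC ISO-8601."""
    con = _open_readonly(path)
    try:
        rows = con.execute("SELECT address, date, text FROM message ORDER BY date").fetchall()
    finally:
        con.close()
    return [(addr, mac_absolute_to_utc(date).isoformat(), text) for addr, date, text in rows]


def build_sample_image():
    """Constructed stand-in for a mounted iOS image. The Library/SMS/sms.db it
    creates uses a simplified schema, NOT the real iOS sms.db schema; it exists
    only so that this example runs offline."""
    root = tempfile.mkdtemp(prefix="mounted_ios_")
    sms_dir = os.path.join(root, "Library", "SMS")
    os.makedirs(sms_dir)
    db = os.path.join(sms_dir, "sms.db")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, address TEXT, date INTEGER, text TEXT)")
    con.executemany("INSERT INTO message (address, date, text) VALUES (?, ?, ?)", [
        ("+15555550100", 360000000, "meet at 9"),      # 2012-05-29T16:00:00Z
        ("+15555550199", 360003600, "running late"),   # one hour later
    ])
    con.commit()
    con.close()
    # decoy: .db name but no SQLite header; header-based detection must skip it
    with open(os.path.join(root, "Library", "notes_cache.db"), "wb") as fh:
        fh.write(b"plain text, not a database\n")
    return root


if __name__ == "__main__":
    image_root = build_sample_image()
    for db_path in find_sqlite_dbs(image_root):
        print(os.path.relpath(db_path, image_root), summarize_db(db_path))
        if db_path.endswith("sms.db"):
            for row in dump_messages(db_path):
                print("  ", row)
```

Point `find_sqlite_dbs` at the mount point of a real image and the header check will pick up databases the name-based filters miss; `summarize_db` then tells you which of them actually hold rows worth parsing.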
As part of the Techno Security/Mobile Forensics Conference this year @Celldet did a presentation on Android malware. @Celldet explained that this 50-minute presentation was a condensed "teaser" of a soon-to-be MFI one-day training course. The session covered a short overview of Android operating system versions from the dessert family; with names like Gingerbread and Ice Cream Sandwich, who could go wrong? Because Android application code ships inside the application packages (APK files), where it can be unpacked and examined, the attendees received an overview of how these packages interact in the sandboxed world of an Android device.
@Celldet moved on to the proliferation of malware, typically exacerbated by the delivery mechanism: Google Play and other third-party application distribution points. The malware typically encountered can steal and transmit device information including IMEI numbers, contacts and much more; the primary motivation is monetary gain by selling the information obtained, targeted advertising and botnets.
The most talked-about portion of the talk-lab was when the attendees were exposed to the two methods of malware examination, static and dynamic. Attendees were introduced to free tools that let them step through Android APK code to uncover permissions that are not typically seen in a "gaming" application, for example a permission that warns "this SMS service will cost you" at install time on an application claiming to be Cut The Rope.
The pinnacle moment came when attendees watched an actual device running Android 2.2 get compromised unknowingly by playing a fun game. Looking at the captured logs of TCP traffic after playing the game on the Android device showed the device was contacting and sending information to a server in China. And the crowd goes wild.
As @Celldet likes to say, "That's what I am talking about…."
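The static method the session describes, as an added example that is not part of the talk or of any MFI or AccessData tool: a Python triage script that pulls AndroidManifest.xml and classes.dex out of an APK, searches them for permissions a game should not need (the list below is an assumption for the example, with SEND_SMS being the "this SMS service will cost you" case) and for hard-coded URLs and IPv4 literals, the endpoints dynamic analysis would later see as outbound connections. The sample APK it builds is constructed: a UTF-16LE text manifest and a fake classes.dex, which the search treats the same way as the real binary formats because the AXML string pool is UTF-16LE and dex strings are UTF-8. On a real case, decode the manifest with apktool or androguard rather than relying on the raw string search alone.

```python
import io
import re
import zipfile

# Permissions a casual game has no business requesting, with what the malware
# described in the talk does with each. Assumed triage list for this example.
SUSPECT_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send premium-rate SMS (direct monetary loss)",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS, e.g. confirmation codes",
    "android.permission.READ_PHONE_STATE": "exposes IMEI/IMSI and phone number for fingerprinting",
    "android.permission.READ_CONTACTS": "harvests the address book for resale or spam",
    "android.permission.RECEIVE_BOOT_COMPLETED": "lets a hidden service restart after reboot",
}
INTERNET = "android.permission.INTERNET"

URL_RE = rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[A-Za-z0-9._\-/?=&%]*)?"
IPV4_RE = rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"


def find_strings(blob, wanted):
    """Search for each wanted string as ASCII and as UTF-16LE. The binary
    AndroidManifest.xml (AXML) keeps its string pool in UTF-16LE by default,
    while classes.dex stores strings in (modified) UTF-8, so both encodings are
    tried. Triage shortcut only; a full AXML decoder is authoritative."""
    return {s for s in wanted
            if s.encode("ascii") in blob or s.encode("utf-16-le") in blob}


def triage_apk(apk_bytes):
    """Static triage of one APK: declared permissions of interest, why each
    matters, hard-coded network endpoints, and a crude score."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        manifest = z.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
        dex = b"".join(z.read(n) for n in names if n.endswith(".dex"))
    perms = find_strings(manifest, set(SUSPECT_PERMISSIONS) | {INTERNET})
    findings = {p: SUSPECT_PERMISSIONS[p] for p in perms if p in SUSPECT_PERMISSIONS}
    endpoints = {m.decode("ascii", "replace") for m in re.findall(URL_RE, dex)}
    endpoints |= {m.decode("ascii") for m in re.findall(IPV4_RE, dex)}
    # one point per suspect permission, plus one if the app can also reach the network
    score = len(findings) + (1 if findings and INTERNET in perms else 0)
    return {"permissions": sorted(perms), "findings": findings,
            "endpoints": sorted(endpoints), "score": score}


def build_sample_apk(permissions, dex_strings):
    """Constructed APK stand-in. The manifest is plain UTF-16LE XML rather than
    real AXML, and classes.dex is a fake blob of NUL-separated strings; both are
    enough for the string search above to behave as it would on a real APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        xml = '<manifest package="com.example.rope.clone">' + "".join(
            f'<uses-permission android:name="{p}"/>' for p in permissions) + "</manifest>"
        z.writestr("AndroidManifest.xml", xml.encode("utf-16-le"))
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(s.encode() for s in dex_strings))
        z.writestr("res/raw/level1.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    suspicious = build_sample_apk(
        [INTERNET, "android.permission.SEND_SMS", "android.permission.READ_PHONE_STATE",
         "android.permission.VIBRATE"],
        ["Lcom/example/rope/Game;", "http://update.example.invalid/report.php", "198.51.100.23"])
    for key, value in triage_apk(suspicious).items():
        print(key, value)
```

The endpoints list is what to watch for in the dynamic phase: if the device later opens a TCP connection to one of those hosts while the "game" is running, the static and dynamic findings corroborate each other.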
The three-day MFI SmartDevice course wrapped up at MFC today with @kevindelong at the helm. Originally designed as an "online course", it has been one of the most popular MFI courses and has now also become a live course. SmartDevices covers forensic methods for iOS, Android and Windows Mobile devices. The next live SmartDevice class will be in the UK, but you can still get the online version monthly. Jump to mobileforensicsinc(dot)com for more class dates and times.
Some of the feedback from the three-day course in Myrtle Beach has been amazing. Here are some comments received:
The class was excellent, it really helps to learn more about iOS and Android devices, how to get around certain security settings, where to find the information, how SQLite db are set up and how to parse the data.
Excellent course, Excellent instructor.
Thank you @kevindelong for keeping MFI on the top of mobile forensic training companies.
MFC Conference Myrtle Beach
We are hoping you are attending the Mobile Forensics Conference next week.
We don't want you to miss the great classes we will be having and the great product showcase.
Take a look at the classes we are offering:
Sunday 6/3/2012
MPE+ and AME Bootcamp – 9:00 AM to 4:30 PM
FREE COURSE – Register on same Day
This course provides the knowledge and skills necessary to conduct a mobile phone investigation using MPE+. Students will gain hands-on experience with cell phone imaging and analysis of mobile devices and SIM cards commonly associated with mobile phone investigations. Students will also be exposed to general mobile forensics concepts to include: networks, proper handling of evidence and collection. Students will also be able to take the AME certification at the conclusion of the course.
The AME credential demonstrates your proficiency with Mobile Phone Examiner Plus as well as general knowledge of process, cellular networks, technology and procedure.
Tuesday 6/5/2012
Mobile Device Malware: Android Investigation- 10:00 AM to 10:50 AM
Malware on computers can infect, transmit and "sell" our personal data. Malware can also be used to "blame" and cast doubt on collected evidence in a computer examination. Why then are we not scanning for these items when conducting a mobile device exam? In this course we will first look at the malware epidemic on the Android platform and what information you could be "giving away". We will move into methods on how to collect and detect this type of threat on the Android device during your collections.
Tuesday 6/5/2012
Digital Dumpster Diving- 11:00 AM to 11:50 AM
What happens to that data when you turn in your old cellphone? Are you sure you removed it all? Simply doing a factory reset might not be enough.
In this presentation Lee Reiber will present a case study that he conducted after purchasing cellular phones from several reselling outlets known to us all and some not. We will look at the methods used, the types of data recovered and possible ways to protect your data from the Digital Dumpster Diver.
Tuesday 6/5/2012
Digital Domination: The age of smartphones- 3:30PM to 5:20 PM
Unfortunately the forensic examination of a mobile phone has taken a backseat to “push-button” forensics. With smart phones now dominating the market, reliance on the “easy button” presents an even greater risk of missing critical evidence.
In this presentation we will not only discuss the currently available applications on the mobile forensic scene, but will also discuss what we might be missing, especially when examining smart phones.
Do mobile forensic examination tools miss data?
Yes, and it is the responsibility of the examiner – not the tool – to ensure thorough forensic analysis.
During this presentation, attendees will learn where a lot of tools fall short, and they will learn how to compensate for this shortfall with forensic analysis best practices. Knowing the limitations of your technology and best practices in forensic analysis will arm you with the knowledge you need to overcome the challenges presented by the ever-increasing number of smart devices you’re encountering.
Mobile Forensics Inc. Booth
All Conference
Stop by and see Lee Reiber at the MFI booth. Get the low-down on the training courses, MPE+, MPE+ Investigator and the MPE+ Tablet. Get a test drive of the NEW MPE+ Tablet, which will be at the booth.
If you have not seen the video on the MPE+ Tablet on the AccessData site, please check it out.
AccessData Party- Wastin’ Away Again in Margaritaville
Tuesday 6/5/2012
8:00 PM to 10:00 PM
Once again AccessData will be hosting THE party of the conference at Margaritaville.
Get your invite at the AccessData Booth. There are a limited number so do not get left out!
AccessData will be providing bus transportation to/from Margaritaville
MFI Training Classes
As always please checkout our full lineup of classes outside of MFC.
We have a full line of online and classroom classes. Our classes instruct on Android, iOS, BlackBerry, Windows Mobile, Basic Mobile Phone Forensics, Advanced Mobile Forensics, GPS Devices and more. Please jump to the site to see dates, times and availability.
The MPE+ Investigator from AccessData Group can be downloaded from the AccessData website and I wanted to talk about the functionality and to explain what this product is really about. First, let me explain what MPE+ Investigator is touted as.
MPE+ Investigator was originally birthed to allow users to download a FREE version of the MPE+ software from AccessData to evaluate and "decide before you buy" on its usefulness in the lab. What it can also be used for are, in my opinion, the better uses of the tool: a review platform and an MPE+ Tablet companion.
I am going to take a look at the software in this blog and how I think “Investigator” can substantiate these claims.
MPE+ Investigator-
Investigator only allows users to open files that are created with the full MPE+ tool, or AccessData's AD1 format. If you are familiar with MPE+ then you will see that the interface is really the same, with a few differences, of course, one being a different icon. Items omitted from Investigator include:
For this blog I brought in an iPhone 4 image that had been collected with MPE+ using its physical extraction capability.
Investigator Startup-
When starting MPE+ Investigator you are greeted by the startup dialog letting you know you are running MPE+ Investigator. Pressing OK then takes you to the mobile device dialog. Here you can preview the supported devices list by selecting the makes and the models. The only limitation is that the device images displayed are not loaded, nor are you able to perform a collection. Pressing the Connect button gives you a dialog reminding you that you need the full MPE+ to perform this action.
As I said, I was going to further analyze or preview data collected by MPE+ from an iOS device. To do this you simply select Import AD1 image on the toolbar and are asked to locate the image.
As the AD1 imports into Investigator the DataViews are immediately populated and you notice a progress bar rolling along. What is nice is that you can begin working in the data while the filesystem is still parsing. This is really nice if the filesystem contains thousands of additional files. Investigator 4.7.0.44 does not mount the images as AccessData's FTK or FTK Imager do, so importing the AD1 is slower.
NOTE: Version 4.8.0, due for release in three weeks (second week of May 2012), will mount an AD1 created by MPE+ effortlessly, as Imager and FTK currently do. From testing I was told 3 GB images mount in about 2 seconds when importing!
The DataView in MPE+ Investigator will display differently for each type of device you import. No cookie cutter views for each and every mobile device; the data depends on the data types supported. I really like this data dynamic idea, since a lot of tools are pretty static with showing contacts, sms, and call logs for each and every model even if they are not supported.
To help out with threading conversations, organizing workspace and more I can click on columns for each data type to sort and also click-and-hold to move the columns around. All areas can be moved, floated and organized as well. Just like the full MPE+ version.
MPE+ collects file systems from many device types across many platforms. What does this mean? It means there will be a ton of other items in the file system that were not parsed. Using MPE+ Investigator you can carve these items with the simple-to-use data carver.
Reporting of the data is also part of Investigator. Not only reporting, but you can create your own investigator information easily and it will persist across restarts of Investigator. In this pane you can include additional information or items about the image that will be included in the generated report.
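To show what a data carver does with the unparsed remainder of an image, here is an added example (not MPE+ Investigator's carver, whose internals the post does not describe): signature-based carving of JPEG and SQLite files from a raw image. JPEGs are bounded by their start-of-image and end-of-image markers; for SQLite the length is taken from the file's own 100-byte header (page size times page count, trusted only when the change counter matches the version-valid-for field), which the hypothetical `sqlite_length` helper implements. The raw image is constructed in-line from a minimal JPEG and a real SQLite file written by Python's sqlite3 module.

```python
import os
import re
import sqlite3
import struct
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"
JPEG_SOI = b"\xff\xd8\xff"      # start-of-image marker plus the prefix of the next marker
JPEG_EOI = b"\xff\xd9"          # end-of-image marker
MAX_CARVE = 4 * 1024 * 1024     # cap for files whose size cannot be derived from their own structure


def sqlite_length(blob, off):
    """Size of a SQLite database from its header: page_size * page_count.
    The in-header page count is only trustworthy when the change counter
    (offset 24) equals the version-valid-for field (offset 92); else None."""
    hdr = blob[off:off + 100]
    if len(hdr) < 100:
        return None
    page_size = struct.unpack(">H", hdr[16:18])[0]
    if page_size == 1:            # the value 1 encodes a 65536-byte page
        page_size = 65536
    change_counter, page_count = struct.unpack(">II", hdr[24:32])
    valid_for = struct.unpack(">I", hdr[92:96])[0]
    if page_count == 0 or change_counter != valid_for:
        return None
    return page_size * page_count


def carve(blob):
    """Return [(kind, offset, length)] for every JPEG and SQLite file found by
    signature. JPEGs end at the next EOI marker (fine for unfragmented files);
    SQLite files are sized from their own header."""
    found = []
    for m in re.finditer(re.escape(JPEG_SOI), blob):
        end = blob.find(JPEG_EOI, m.start() + len(JPEG_SOI))
        if end != -1 and end + 2 - m.start() <= MAX_CARVE:
            found.append(("jpeg", m.start(), end + 2 - m.start()))
    for m in re.finditer(re.escape(SQLITE_MAGIC), blob):
        length = sqlite_length(blob, m.start())
        if length is None:                      # stale header: fall back to a bounded slice
            length = min(MAX_CARVE, len(blob) - m.start())
        found.append(("sqlite", m.start(), length))
    return sorted(found, key=lambda f: f[1])


def extract(blob, found, outdir):
    """Write each carved file out as <kind>_<offset>.<ext> and return the paths."""
    paths = []
    for kind, off, length in found:
        ext = "jpg" if kind == "jpeg" else "sqlite"
        path = os.path.join(outdir, f"{kind}_{off:08x}.{ext}")
        with open(path, "wb") as fh:
            fh.write(blob[off:off + length])
        paths.append(path)
    return paths


def build_sample_image():
    """Constructed raw image: filler, a minimal JPEG, filler, a real SQLite
    file made with the sqlite3 module, filler. Returns (image, expected)."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 40 + JPEG_EOI
    fd, dbfile = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    con = sqlite3.connect(dbfile)
    con.execute("CREATE TABLE contacts (name TEXT, number TEXT)")
    con.execute("INSERT INTO contacts VALUES ('alice', '+15555550100')")
    con.commit()
    con.close()
    with open(dbfile, "rb") as fh:
        db = fh.read()
    os.unlink(dbfile)
    image = b"\x00" * 512 + jpeg + b"A" * 300 + db + b"\x00" * 128
    expected = [("jpeg", 512, len(jpeg)), ("sqlite", 512 + len(jpeg) + 300, len(db))]
    return image, expected


if __name__ == "__main__":
    img, _ = build_sample_image()
    outdir = tempfile.mkdtemp(prefix="carved_")
    for p in extract(img, carve(img), outdir):
        print(p)
```

Run `carve` over the raw bytes of a dd or decompressed AD1 image and the SQLite hits are exactly the databases a filesystem-level parser never saw: deleted, orphaned or living in slack. Anything recovered this way still needs its header verified before it is opened, which is why `sqlite_length` refuses to trust a page count whose counters disagree.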
Creating a report is easy; simply select the items you would like to report on and click either PDF or RTF. You can also export the data to CSV format to include in third party analytical software. In the current 4.7.0.44 release of MPE+ Investigator you cannot individually select items to be reported but I know the next release, 4.8.0, will. This will mean you can individually select and then report on only the selected items. I think this feature will be great for those reports where only 5 SMS or emails need to be included in the legal brief instead of having to include all 23,000 others. The reports are generated and ready for review.
MPE+ Investigator is much more than just a demo of AccessData's MPE+. Investigator is a tool that allows:
AccessData has brought another FREE tool to the forensic community that will revolutionize how we view mobile data. All you really need is an AD1 file that is created by MPE+.
You can go to accessdata[dot]com and the download page to grab a copy of MPE+ Investigator. Also, sample images should be posted in the same area so you can test drive Investigator for yourself!
Of the many things that I have been working on in between the AccessData Roadshow stops, I thought I would throw out some tidbits that might be of interest to the mobile phone people. FTK 4, as well as a version of FTK Imager soon to be released, allows mounting of YAFFS (Yet Another Flash File System) and YAFFS2! It is a pretty cool addition because it allows the DD image created by a physical extraction of an Android device with AccessData's MPE+ (Mobile Phone Examiner Plus) to be mounted. That includes partitions like cache, system, sd, userdata and many others. With these images mounted you now have applications, email, browsers and more at your fingertips.
How about analyzing these images for malware? FTK Imager allows you to mount ANY AD1 as a drive, where you can run any scanners against it to your heart's content. Also, with the release of FTK there is an add-on called Cerberus. The tool works on the code, not on a computed hash or signature of the malware. It got me thinking about finally having an automated solution to the onslaught of malware Android is seeing. With Cerberus you get ratings on the likelihood of malicious code inside a package, so no more hunting for signatures or building signatures for some of the malware out in the wild. With mobile devices it is hard enough to keep up with the release of the devices, let alone the malicious code. I think it is a huge step in the right direction and I hope to see Android malware support added soon.
As I listened to a message on sustainability this weekend I contemplated the sustainability of mobile forensics. From the start of Mobile Forensics Inc., to the purchase of MFI, to the growth of MFI, there has always been a drive for sustainability. This does not come from training examiners to be black and white and to utilize a single-tool solution, as some would prefer; no, this comes from being the fuel. Like I always say, if a company says that they are the only tool needed for mobile phone forensics, don't buy anything from them. There is no one-tool solution… period.
By fuel I am referring to MFI's focus on raising free thinkers. To accomplish this, MFI fuels an examiner's desire to look outside the box, to look at tools as just that, tools, and to put "examiner" back into mobile examiner. Move away from the companies alleging their tool is the only tool on the market and allow students to make an informed decision by giving them the fuel to move forward independently. MFI has always used the term "vendor neutral", but now other companies have taken that mantra, so I want to again break away and call MFI a Training Fuel Company.
Fuel is used to power our vehicles, run our computers, power our lights and now our training brains. By imparting knowledge on cellular forensics (not tool forensics) we fuel the examiner to think for themselves, to choose a tool or tools that fit their needs and arm them with the knowledge to be self sustaining.
There is nothing better than receiving feedback from students after attending our course describing how they used the knowledge they left with to solve a case that no tool on this earth could have solved on its own. Quite simply, the information the examiner received fueled their focus as well as their examination practices. Now the examiner becomes self-sustaining, not spoon-fed. This is and will always be the goal of Mobile Forensics Inc. If you have taken a Mobile Forensics Inc. course, I thank you and hope that the information you left with was immediately useful to you as an examiner. If you have not been to an MFI course yet, I hope to see you at one soon.
I thought in this day and age what better than receiving another form letter! Ok I will spare you the details but without you guys Mobile Forensics Inc and AccessData could not be the number one training company for digital forensics.
There are a ton of new courses, locations and software updates coming your way in 2012. Keep checking the mobileforensicsinc.com and accessdata.com site.
We hope to see you in a mobile training course soon.
So please have a wonderful holiday season and again thank you all for your support!