Saturday, July 27, 2019

DIGITAL FORENSICS:The Art of iPhone Acquisition

July 9th, 2019, by Vladimir Katalov
We all know how much important data is stored in modern smartphones, which makes them an excellent source of evidence. However, data preservation and acquisition are not as easy as they sound. There is no silver bullet or “fire and forget” solution that solves cases or extracts evidence on your behalf. In this article, which is loosely based on our three-day training program, we describe the proper steps in the proper order to retain and extract as much data from the iPhone as is theoretically possible.
The first steps: data preservation
Probably the most important step is data preservation. You have to make sure that the iPhone remains in the same state, and that no data is modified (or lost) while the device is in your possession. Here is what you’ll need to do:
  1. Activate Airplane mode, if possible (it is usually possible even if the device is locked)
  2. Check and manually disable, if necessary, the Wi-Fi and Bluetooth toggles (these may be left on even in Airplane mode if the user enabled Wi-Fi once in that mode)
  3. Connect the phone to a power bank
  4. Use a Lightning adapter to prevent USB Restricted mode from being activated (for devices running iOS 11.4.1 only; iOS 12 and 13 may restrict USB immediately)
  5. If you have a Faraday bag handy, place the phone along with the adapter and charger into the Faraday bag
Why: we are trying to prevent self-discharge of the phone. If the phone is fully discharged, it may turn off. Once the iPhone is turned off, you’ll have to deal with the BFU (Before First Unlock) state, which limits your options severely compared to the AFU (After First Unlock) state. Even if the phone has a passcode set, it is much easier to break the passcode in AFU mode than in BFU. Breaking the passcode, however, requires the Lightning port to be operational, and that is what the adapter is for. Finally, there is a risk that the phone will be remotely locked or wiped if it remains connected to the network.
Sounds simple? Not at all! You’ll have to handle the iPhone with utter care, or else…
  1. If the iPhone is equipped with a fingerprint sensor, don’t touch the Touch ID reader! Else you’ll be wasting one of the five attempts to unlock the phone with a fingerprint. If you need to check whether the phone is locked or not, use the side button instead (top button on some models).
  2. If it’s the newer ‘X’ model, don’t look at the Face ID sensor. When you pick up the phone, the Face ID system immediately starts looking for a face. If a face is detected, it then attempts to identify the face. If identification returns a negative result, you have just wasted one of the five attempts to unlock the phone with the suspect’s face. It’s not new, and this exact thing happened during Apple’s very own presentation of the original iPhone X: Apple Says Face ID Didn’t Fail Onstage During iPhone X Keynote
  3. Be aware of the various expiration rules of the iPhone’s biometric identification subsystem. More in our old article on Fingerprint unlock.
  4. Be aware of the S.O.S. mode and its consequences. Once the Power button (Sleep/Wake) is pressed five times in rapid succession, or once the user holds both the Sleep/Wake button and one of the volume keys for a few seconds, the iPhone displays an “Emergency” menu. This menu presents various options including an option to cancel. Regardless of the option chosen (including the Cancel button), iOS will temporarily disable Touch ID (Face ID) and require the user to enter a passcode in order to unlock the device. In addition, the USB Restricted Mode will be activated immediately once the S.O.S. mode is invoked.
  5. If you forget to enable Airplane mode and disable the Wi-Fi and Bluetooth networks toggles (and/or place the iPhone into a Faraday bag), this may happen:
    • BBC News: Cambridgeshire, Derbyshire, Nottingham, and Durham police “don’t know how people wiped them.“ (9.Oct.14)
    • Darvel Walker, Morristown wiped his iPhone remotely, charged with tampering with evidence (7.Apr.15)
Not just the iPhone
Given proper authority, make sure to collect not only the smartphone itself but also all computers (laptops and desktops) that belong to the same owner, or any computers the iPhone may have been connected to in the past. Flash drives and external drives may sometimes help, too. Collect all companion devices such as the Apple Watch and Apple TV.
Why: computers (and external storage devices) may contain valuable information that may help to get access to locked phones, access iCloud data and more.
Collecting evidence
Of course, you need to identify the seized device. It is quite easy to look at the model number printed on the back cover (and then use Apple’s web site to find out which model it is), but you can also use software such as Elcomsoft iOS Forensic Toolkit (the “I” command) to extract comprehensive information about the device. If you have lockdown records handy (extracted from the user’s computer to which the iPhone has been paired), you’ll be able to extract the most comprehensive set of information.
How to deal with a locked iPhone
If the iPhone is locked, you’ll have to break the passcode in order to extract evidence. There are several ways to break the passcode:
  • GrayKey from GrayShift (costly; available only for LEA in selected countries; offline solution; according to manufacturer, supports all versions of iOS)
  • Cellebrite UFED Premium (about the same as above, speaking of iPhone unlocking; supports up to iPhone 8/8 Plus/iPhone X generation; newer models must be sent in to CAS)
  • Cellebrite Advanced Services (or CAS; also seems to be limited to LEA; you will have to send the device to Cellebrite to unlock or extract the data)
The only budget solution available to everyone is logical acquisition using lockdown/pairing records, which can sometimes be found on computers the device has been connected to. See Acquisition of a Locked iPhone with a Lockdown Record for this method. We have published multiple updates on this topic, though, including the lockdown records’ validity period and USB Restricted Mode.
Logical acquisition
Logical acquisition is the safest and easiest extraction method; it does not change anything on the device (except for the last backup date) while still returning most of the data. The extraction is not limited to the backup. You can also obtain extended device information and extract media files (including music and lots of metadata), shared files, and debug and diagnostics logs. Some information about logical extraction is available in Demystifying Advanced Logical Acquisition, but there is more in our blog.
There are two issues with backup extraction though.
  1. The backup may be password-protected. Since iOS 11, one can reset the backup password; however, this operation a) requires entering the passcode on the device (so you must know it), and b) deletes some evidence. Refer to The Most Unusual Things about iPhone Backups for details.
  2. The backup may not be password-protected. Now, are we whining here? Didn’t we just complain about password-protected backups? The thing is, local backups that aren’t protected with a password contain less information than backups that are encrypted with a password. Can’t we just set a temporary backup password, as we always did in iOS Forensic Toolkit? The other thing is, iOS 13 requires you to enter the lock screen passcode on the iPhone you’re attempting to back up. If you don’t know the passcode, you won’t be able to change the backup password.
Physical acquisition
Some very important data never makes it to device backups. If possible, one should always attempt the full file system acquisition. This was possible for all versions of iOS 11 and some versions of iOS 12 (at this time, up to and including iOS 12.1.2). See Step by Step Guide to iOS Jailbreaking and Physical Acquisition for details, but make sure to read Forensic Implications of iOS Jailbreaking too.
However, before you go for the file extraction and jailbreak the device, make sure to perform logical acquisition first. File system acquisition is not that risky, but the jailbreak can make too many modifications to the file system of the device to be considered “forensically sound”. The rootless jailbreak is even safer than conventional jailbreaks since it does not modify the system partition; however, it offers limited device support. You can read about the differences between conventional and rootless jailbreaks in our article Forensic Implications of iOS Jailbreaking, which also raises a very important issue of how you sign the jailbreak IPA when sideloading it to the device. Signing an IPA file requires a valid Apple account. We recommend using an Apple account enrolled in Apple’s Developer Program for reasons described in the article mentioned above.
Jailbreaking, things to be aware of:
  • Conventional (classic) jailbreaks are invasive. They modify the system partition and break OTA updates. Clean removal is questionable.
  • Rootless jailbreak is cleaner; does not remount system partition; does not break OTA updates; can be removed (almost) completely.
  • Installing a jailbreak requires sideloading an IPA file. The IPA must be signed before iOS will agree to run it.
  • Signing the IPA requires an Apple account. If you use a regular Apple account, you will need to allow the device to connect to an Apple server in order to verify the signature (which poses a risk).
  • If you use a Developer account to sign the jailbreak IPA, the iPhone can remain offline. Be aware of Developer account restrictions concerning the maximum number of devices.
Important: you can extract both the user’s Apple ID password and the device backup password from a jailbroken device. If you followed the guide and made a local backup before jailbreaking, this is the point where you can decrypt the backup.
Currently, public jailbreaks exist for all devices and all versions of iOS 11 and all devices running iOS 12.0 through 12.1.2. RootlessJB is available for all devices except A12 devices (the iPhone Xs/Xs Max/Xr generation).
Cloud acquisition
Cloud acquisition is becoming the most important acquisition method. Its advantages are:
  1. No need for the device itself: it works even if the device is lost or broken.
  2. From the cloud, you may be able to obtain even more data than available on the device itself. Many people use more than one Apple device, and they all sync (or back up) some data to the cloud.
  3. The cloud may contain data that has been already deleted from the device(s).
  4. Cloud acquisition is extremely fast.
There is actually a lot we can share about iCloud acquisition. We were the first to implement iCloud backup downloading several years ago, and we are still first here, extracting much more data from iCloud than any other vendor. Here is what we can get:
  • iCloud backups (including those from accounts with Two-Factor Authentication on latest version of iOS; the first and only in the industry)
  • iCloud Drive (full content, including third-party app data not available by any other means)
  • iCloud Photos
  • FileVault2 recovery token
  • iCloud keychain
  • Health data (including data protected with “p2p encryption”)
  • Messages (iMessage and SMS; not included in backups if sync is enabled)
More data categories are on the way, including Screen Time and Home.
The major problem of cloud acquisition is that you need proper authentication credentials. You will need the user’s Apple ID and password, plus the second authentication factor (if 2FA is enabled). Alternatively, parts of the iCloud data can be accessed with authentication tokens, which can be extracted from the iPhone itself or from a Windows or Mac computer from which the iCloud account has been accessed.
Final thoughts
There were too many points we just couldn’t cover in a single article, or two articles, or even three. Want to know more? Attend our training course!
There’s more to iPhone analysis than acquisition. Data extraction is only the first step followed by data analysis and reporting. We have a tool for that (Elcomsoft Phone Viewer), but it only provides basic analysis and reporting. You may need a third-party tool or several tools with more advanced features.

Credit :
https://blog.elcomsoft.com/2019/07/the-art-of-iphone-acquisition

Note: the content on this website is provided for informational and educational purposes only.

* If any information is incorrect, we apologise; please notify the Admin so it can be corrected.
Thank you.

#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud



Friday, July 26, 2019

Digital Forensics: Acquiring Memory with Magnet RAM Capture


Test objectives

  • Collect evidence from memory (RAM)
  • Search for data in memory


Tools used

  • Magnet RAM Capture
  • X-Ways Forensics

  • Notebook running Windows with 8 GB of RAM


The test computer was used to visit websites and e-mail so that this data would be present in memory.



Forensics Tool Download
1. Download Magnet RAM Capture onto a flash drive, connect the flash drive to the computer, and run the program on the computer whose memory is to be collected.


2. Click I Accept

(Screenshot: Magnet Forensics)


3. Choose a save location on the flash drive and click Start to begin the capture.

Data stored in memory, i.e. the contents of RAM
(Screenshot: RAM capture)



4. The resulting file is MagnetRAMCapture.raw

(Screenshot: MagnetRAMCapture.raw)
5. Use X-Ways Forensics to analyse the raw file (MagnetRAMCapture.raw)

(Screenshot: X-Ways Forensics)

6. Use the Find Text command in X-Ways Forensics followed by the term to search for, e.g. *.com
(Screenshot: Find Text)
7. Search results: website URLs and e-mail addresses were found
(Screenshot: Search Hits)

Test summary

  • Magnet RAM Capture can be used to collect the contents of memory.
  • X-Ways Forensics can be used to search and analyse the data in the raw file.
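The text search in step 6 can be reproduced outside X-Ways. The Python below is an added example, not part of the original lab and not code from Magnet Forensics or X-Ways: it hashes the image for the record, pulls printable ASCII and UTF-16LE runs out of it, and matches URLs and e-mail addresses in them. The UTF-16LE pass matters because Windows keeps much of its in-memory text in that encoding, which an ASCII-only search for "*.com" never sees. `SAMPLE_IMAGE` is a constructed stand-in for MagnetRAMCapture.raw and the domain names in it are made up.

```python
import hashlib
import re

# Constructed stand-in for MagnetRAMCapture.raw: filler bytes with a few ASCII
# and UTF-16LE strings embedded. Every address and domain here is made up.
SAMPLE_IMAGE = (
    b"\x00\x13\x37\xff" * 8
    + b"https://www.example.com/login?user=alice "
    + b"\x00\x00\x90\x90"
    + "alice@example.com".encode("utf-16-le")
    + b"\x00\x00\xde\xad\xbe\xef"
    + b"mailto:bob@example.org"
    + b"\x00" * 4
    + "http://intranet.example.net/docs".encode("utf-16-le")
    + b"\x7f\x00\x01"
)

MIN_LEN = 6  # shortest run worth reporting, like the -n option of strings(1)
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./?=&%-]*)?")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def hash_image(data: bytes) -> dict:
    """Hash the image before analysis so every finding can be tied to the evidence file."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def extract_strings(data: bytes):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_artifacts(data: bytes) -> dict:
    """Collect URLs and e-mail addresses with the offset and encoding they were found in."""
    urls, emails = [], []
    for offset, enc, text in extract_strings(data):
        urls += [(offset, enc, u) for u in URL_RE.findall(text)]
        emails += [(offset, enc, e) for e in EMAIL_RE.findall(text)]
    return {"urls": sorted(urls), "emails": sorted(emails)}


if __name__ == "__main__":
    # With a real capture: data = open("MagnetRAMCapture.raw", "rb").read()
    print(hash_image(SAMPLE_IMAGE))
    for kind, hits in find_artifacts(SAMPLE_IMAGE).items():
        for offset, enc, value in hits:
            print(f"{kind:6} @0x{offset:08x} [{enc}] {value}")
```

The offsets are reported so that each hit can be located again in a hex viewer; a real capture is read with the same `find_artifacts` call on the whole file, which for an 8 GB image is slow but fits the workflow of the lab above.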






Saturday, July 13, 2019

DIGITAL FORENSICS:Steganography tools


Steganography - A list of useful tools and resources

Steganography is hiding a file or a message inside another file. There are many fun steganography CTF challenges out there where the flag is hidden in an image, an audio file or even other types of files. Here is a list of most of the tools I use and some other useful resources.
Note: This list will be updated regularly; feel free to PM me if you have any suggestions.

Tools

Steghide

Steghide is a steganography program that hides data in various kinds of image and audio files. It only supports these file formats: JPEG, BMP, WAV and AU, but it’s also useful for extracting embedded and encrypted data from other files.
It can be installed with apt; the source can be found on GitHub.
Useful commands:
steghide info file : displays info about a file whether it has embedded data or not.
steghide extract -sf file : extracts embedded data from a file

Foremost

Foremost is a program that recovers files based on their headers, footers and internal data structures. I find it useful when dealing with PNG images.
It can be installed with apt; the source can be found on GitHub.
Useful commands:
foremost -i file : extracts data from the given file.

Stegsolve

Sometimes there is a message or text hidden in the image itself, and in order to view it you need to apply some color filters or play with the color levels. You can do this with GIMP, Photoshop or any other image editing software, but Stegsolve makes it easier. It’s a small Java tool that applies many color filters to images. Personally I find it very useful.
You can get it from GitHub.

Strings

Strings is a Linux tool that displays the printable strings in a file. This simple tool can be very helpful when solving stego challenges. Usually the embedded data is password-protected or encrypted, and sometimes the password is actually in the file itself and can be easily viewed using strings.
It’s a default Linux tool, so you don’t need to install anything.
Useful commands:
strings file : displays printable strings in the given file.

Exiftool

Sometimes important stuff is hidden in the metadata of the image or file; exiftool can be very helpful for viewing the metadata of files.
You can get it from here
Useful commands:
exiftool file : shows the metadata of the given file

Exiv2

A tool similar to exiftool.
It can be installed with apt; the source can be found on GitHub.
Official website
Useful commands:
exiv2 file : shows the metadata of the given file

Binwalk

Binwalk is a tool for searching binary files, such as images and audio files, for embedded files and data.
It can be installed with apt; the source can be found on GitHub.
Useful commands:
binwalk file : Displays the embedded data in the given file
binwalk -e file : Displays and extracts the data from the given file
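Foremost and binwalk both start from file signatures: a known magic number at an unexpected offset is what tells you something is embedded. The Python below is an added example, not from the original list and not code from either tool. It builds a constructed 1x1 PNG with a ZIP header and a JPEG header appended after the IEND chunk, scans the blob for a handful of magic numbers the way `binwalk file` would, walks the PNG chunks checking each CRC, and returns whatever trails IEND, which is the simplest place data gets appended to an image. The signature table, the image and the appended payloads are all constructed for the example.

```python
import struct
import zlib

# Magic numbers used for the scan: a tiny subset of the signature tables foremost and binwalk ship with.
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",
    "gzip": b"\x1f\x8b\x08",
    "pdf": b"%PDF-",
}

# Constructed payloads glued on after the PNG's IEND chunk.
HIDDEN_ZIP = SIGNATURES["zip"] + b"\x14\x00\x00\x00" + b"(constructed zip remainder)"
STRAY_JPEG = SIGNATURES["jpeg"] + b"\xe0\x00\x10JFIF\x00"


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one chunk: big-endian length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample() -> bytes:
    """A valid 1x1 RGB PNG followed by the two appended payloads."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, 8 bits, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")           # filter byte + one red pixel
    png = (SIGNATURES["png"] + png_chunk(b"IHDR", ihdr)
           + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))
    return png + HIDDEN_ZIP + STRAY_JPEG


def scan_signatures(data: bytes):
    """Every offset at which a known magic number occurs, sorted by offset."""
    hits = []
    for name, magic in SIGNATURES.items():
        start = 0
        while (pos := data.find(magic, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def walk_png_chunks(data: bytes):
    """Parse chunks up to IEND; returns ([(offset, type, length, crc_ok)], end_offset)."""
    if not data.startswith(SIGNATURES["png"]):
        raise ValueError("not a PNG file")
    pos, chunks = 8, []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            break  # truncated chunk: stop rather than read past the end
        body = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == stored_crc
        chunks.append((pos, ctype.decode("ascii"), length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, pos


def png_trailing_data(data: bytes) -> bytes:
    """Bytes after IEND. Image viewers ignore them, so this is where appended files sit."""
    _, end = walk_png_chunks(data)
    return data[end:]


if __name__ == "__main__":
    blob = build_sample()
    for offset, name in scan_signatures(blob):
        print(f"0x{offset:06x}  {name}")
    print("after IEND:", png_trailing_data(blob)[:16])
```

A CRC mismatch in the chunk list is itself a lead: chunk bodies edited by hand to carry data usually come with a stale CRC, which a viewer tolerates but a parser like this one flags.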

Zsteg

zsteg is a tool that can detect hidden data in PNG and BMP files.
To install it: gem install zsteg. The source can be found on GitHub.
Useful commands:
zsteg -a file : Runs all the methods on the given file
zsteg -E file : Extracts data from the given payload (example : zsteg -E b4,bgr,msb,xy name.png)
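To make notation like `b1,bgr,lsb,xy` concrete, here is an added example in Python that is not zsteg's code and not part of the original list. It builds a constructed 24-bit BMP, writes a short payload into the least significant bit of each BGR sample (one bit per channel), and then recovers it the way an analyst would from a suspect file: parse the header, drop the row padding, read the LSB plane. Samples are read in the order they are stored in the file (BMP rows are bottom-up), so the example matches zsteg's channel and bit selection but not its top-left-first `xy` traversal. The 8x4 gradient cover and the payload `stego!` are constructed.

```python
import struct

MESSAGE = b"stego!"  # constructed payload; a NUL byte marks its end


def build_bmp(width: int, height: int, pixels: bytes) -> bytes:
    """Constructed 24-bit uncompressed BMP; `pixels` is BGR, row by row in stored order."""
    stride = (width * 3 + 3) & ~3  # each row is padded to a multiple of 4 bytes
    rows = b"".join(
        pixels[y * width * 3:(y + 1) * width * 3] + b"\x00" * (stride - width * 3)
        for y in range(height)
    )
    offset = 14 + 40
    header = b"BM" + struct.pack("<IHHI", offset + len(rows), 0, 0, offset)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(rows), 2835, 2835, 0, 0)
    return header + dib + rows


def bmp_channel_bytes(data: bytes) -> bytes:
    """Return the BGR samples of a 24-bit BMP in file order, with row padding removed."""
    if data[:2] != b"BM":
        raise ValueError("not a BMP file")
    pixel_offset = struct.unpack_from("<I", data, 10)[0]
    _, width, height, _, bpp, compression = struct.unpack_from("<IiiHHI", data, 14)
    if bpp != 24 or compression != 0:
        raise ValueError("only uncompressed 24-bit BMP is handled here")
    stride = (width * 3 + 3) & ~3
    return b"".join(
        data[pixel_offset + y * stride:pixel_offset + y * stride + width * 3]
        for y in range(abs(height))
    )


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write payload bits (MSB first) into the least significant bit of successive samples."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in the cover")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(samples: bytes) -> bytes:
    """Reassemble bytes from the LSB of each sample, eight samples per byte (zsteg's b1 ... lsb)."""
    out = bytearray()
    for i in range(0, len(samples) - len(samples) % 8, 8):
        value = 0
        for s in samples[i:i + 8]:
            value = (value << 1) | (s & 1)
        out.append(value)
    return bytes(out)


def make_stego_bmp() -> bytes:
    """8x4 cover with a deterministic gradient, payload embedded, written out as a BMP."""
    width, height = 8, 4
    cover = bytes((i * 37 + 11) & 0xFF for i in range(width * height * 3))
    return build_bmp(width, height, embed_lsb(cover, MESSAGE + b"\x00"))


def recover_message(bmp: bytes) -> bytes:
    """Analyst side: pull the LSB plane of a suspect BMP and cut at the first NUL."""
    return extract_lsb(bmp_channel_bytes(bmp)).split(b"\x00", 1)[0]


if __name__ == "__main__":
    print(recover_message(make_stego_bmp()))
```

Embedding changes each sample by at most one, which is why the image looks untouched and why zsteg tries every channel, bit and traversal order combination rather than eyeballing the picture.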

Wavsteg

WavSteg is a Python 3 tool that can hide data and files in WAV files and can also extract data from WAV files.
You can get it from GitHub.
Useful commands:
python3 WavSteg.py -r -s soundfile -o outputfile : extracts data from a wav sound file and outputs the data into a new file

Sonic visualizer

Sonic Visualiser is a tool for viewing and analyzing the contents of audio files, but it can also be helpful when dealing with audio steganography: you can reveal hidden shapes in audio files.
Official website

Web Tools

Unicode Text Steganography

A web tool for Unicode steganography; it can encode and decode text.
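Unicode text steganography usually hides a message in zero-width characters that render as nothing, so the cover text looks unchanged on screen. The Python below is an added example, not the web tool's code and not its documented format: it encodes a word with an assumed convention (ZWSP for 0, ZWNJ for 1) only to build a constructed sample, then shows the detection side an analyst needs: listing every Unicode format (Cf) character in a text with its position and name, stripping them to see what the reader saw, and decoding the run back into bytes.

```python
import unicodedata

# Assumed convention for the constructed sample: one invisible character per payload bit,
# ZERO WIDTH SPACE for 0 and ZERO WIDTH NON-JOINER for 1 (MSB first).
ZWSP, ZWNJ = "\u200b", "\u200c"


def encode_zero_width(secret: str) -> str:
    """Turn the UTF-8 bytes of `secret` into a run of zero-width characters."""
    return "".join(
        ZWNJ if (byte >> (7 - i)) & 1 else ZWSP
        for byte in secret.encode("utf-8")
        for i in range(8)
    )


def make_sample_text() -> str:
    """Constructed cover sentence with the encoded word 'key' spliced in after the colon."""
    cover = "Meeting notes: nothing unusual to report."
    return cover[:15] + encode_zero_width("key") + cover[15:]


def find_invisible_chars(text: str):
    """Every Unicode format (Cf) character with its index, code point and name."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(text)
        if unicodedata.category(ch) == "Cf"
    ]


def strip_invisible(text: str) -> str:
    """The text as a reader sees it, with all format characters removed."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def decode_zero_width(text: str) -> bytes:
    """Recover bytes from the ZWSP/ZWNJ characters anywhere in the text (whole bytes only)."""
    bits = ["1" if ch == ZWNJ else "0" for ch in text if ch in (ZWSP, ZWNJ)]
    bits = bits[:len(bits) - len(bits) % 8]
    return bytes(int("".join(bits[i:i + 8]), 2) for i in range(0, len(bits), 8))


if __name__ == "__main__":
    sample = make_sample_text()
    print(repr(strip_invisible(sample)))
    for index, code, name in find_invisible_chars(sample):
        print(index, code, name)
    print(decode_zero_width(sample))
```

Counting Cf characters is the useful check regardless of which encoding scheme a tool used: legitimate text rarely contains more than a handful, so a long run of them is the signal even before decoding is attempted.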

npiet online

An online interpreter for Piet. Piet is an esoteric language whose programs are images. Read more about Piet here.

dcode.fr

Sometimes when solving steganography challenges you will need to decode some text. dcode.fr has many decoders for a lot of ciphers and can be really helpful.

Bruteforcers

StegCracker

A tool that brute-forces passwords using steghide.

Fcrackzip

Sometimes the extracted data is a password-protected ZIP; this tool brute-forces ZIP archives.
It can be installed with apt; the source can be found on GitHub.
Useful commands:
fcrackzip -u -D -p wordlist.txt file.zip : bruteforces the given zip file with passwords from the given wordlist


#WINDOWSFORENSIC #COMPUTERFORENSICS #DFIR #FORENSICS #DIGITALFORENSICS #COMPUTERFORENSIC #INVESTIGATION #CYBERCRIME #FRAUD #ฝึกทำLAB #CTF
