Forensic Blogs

An aggregator for digital forensics blogs

by

Mobile Forensics Update 1

Introduction

Frequent readers of this blog will not be surprised to see a new iteration of the Mobile Forensics project. This semester, we are focused specifically on social media apps on Android devices. For the purposes of this project, we have defined social media as any app that allows people to communicate, chat, interact, or exchange information. Most applications that will fit this definition are categorized on the Google Play store as “social”.

This year our devices are two LG G6’s and, as in past projects, the team will be taking advantage of Cellebrite’s UFED 4PC and Android Debug Bridge (ADB) to extract information from the app files. Additionally, we will be investigating if there is any difference between the data collected and stored on Android version 7 and Android version 8.

Current Progress

So far we have created processes and templates for organized data generation. After narrowing down which applications we want to look at, we decided the first application we will be pulling data from is Snapchat. We have been practicing rooting devices and pulling the data to figure out what we will look for on the devices. We need to root the devices to be able to get the information off the apps and look under the hood of them. Our LG G6 devices have just arrived, and we are preparing them for data generation.

Conclusion

After prepping our devices, we will download  Snapchat and start creating data by sending snaps to the LCDI Snapchat. We will then use the app for a day before we pull information off of it. The more we use the app, the more information we could potentially acquire. When we do a pull, we will analyze all the data we have and once that is complete, we will move on to the next application, Telegram.

Stay tuned for more updates to come and follow us on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI.

The post Mobile Forensics Update 1 appeared first on The Leahy Center for Digital Investigation.

by

Smartphones: The Nexus of Evidentiary Data from Social Media to IoT

Introduction

As a first year cybersecurity student, my application to the OpenText Enfuse conference felt like a long shot. Additionally, seeing how I am a cybersecurity major and the conference is mainly focused on digital forensics, I wasn’t sure how much of the content I would be able to understand. Despite this, I was selected and feel that I learned a significant amount of new information. The session that was most informative to me was “Smartphones: The Nexus of Evidentiary Data from Social Media to IoT” given by Amber Schroader.

 

 

Amber Schroader

Smartphones and Social Media

Amber Schroader is the President, CEO and Founder of the Parabon Corporation, a leading company in the field of forensics for mobile devices, smartphones, computers, email, gaming systems ,and the cloud. Despite her vast experience in a variety of forensic technology, her Enfuse talk focused solely on smartphones. She began the session by laying out three topics she intended to cover. The first: the hurdles of smartphone forensics. The second: the location of valuable data. The third: how smartphones interact with IoT Her presentation was engaging, at times humorous, and heavily aided by actual data she took from her children’s phones. This included logs of Tinder conversations and other text messaging apps. All in all, for a talk on a somewhat complex process, I felt I was able to understand most of the information despite my lack of experience.

 

Conclusion

Enfuse was a great experience for me. I was able to meet and network with many industry professionals and I believe I learned a significant amount and gained a better understanding of what digital forensics really is.

To learn more about the LCDI take a look at our Facebook or Twitter pages or send an email to lcdi@champlain.edu.

 

The post Smartphones: The Nexus of Evidentiary Data from Social Media to IoT appeared first on The Leahy Center for Digital Investigation.

by

Mobile App Analysis Part 5

Mobile App

Introduction

The Mobile Application Forensics team is beginning to wind down on application analysis, and have started working on their final report. So far, both the iOS team and Android team worked on Open Whisper Systems’s Signal, an end-to-end encryption chat app, and Bumble, a new mobile dating app. The iOS team then did analysis on The Weather Channel app, and are now finishing analysis on Tumblr. The Android team began work on Facebook Lite and Facebook Messenger Lite, and are starting data generation for Strava, a run and cycling tracking social app.

In this week’s blog, the iOS team will showcase their findings for The Weather Channel app, and the Android team will showcase their findings so far for Facebook Lite, and Messenger Lite.

Analysis iOS

The iOS team conducted data analysis on The Weather Channel app this week and were able to find user account information, and user location data. Within The Weather Channel app, under the com.weather.TWCiPadMax/Library/PrivateDocuments folder, the iOS team found a database titled WXUPSService.coredata which contained 12 tables. The tables we will focus on for this blog post are ZCD_WXUPSDEMOGRAPHICS and ZCD_WXPUSPLOCATION.

User account information

Within the ZCD_WXUPSDEMOGRAPHICS table, we found user account information such as the user’s age range (ZAGERANGE column), email associated with the account (ZEMAIL column), user’s first name and last name (ZFIRSTNAME column and ZLASTNAME column), user’s gender (ZGENDER column), username on the account (ZUSERNAME column), and much more. Below, is an image of the ZCD_WXUPSDEMOGRAPHICS table within the WXUPSService.coredata database, showing the user account information we found for The Weather Channel app.         

Weather 

User location data

Within the ZCD_WXPUSPLOCATION table, we found Latitude and Longitude coordinates to locations our user was the last time the app ran in that location, and any locations the user saved on their app. Within the ZCD_WXPUSPLOCATION table, we also found the name of the city the user was in (ZCITYNAME column), the country the user was in (ZCOUNTRYCODE column), and the elevation the user was at the time the The Weather Channel app called out (ZELEVATION column). Below, is an image of the  ZCD_WXPUSPLOCATION table, showing the cities, along with their country codes and county names, the user saved on The Weather Channel app.  

Weather

Within the com.weather.TWCiPadMax/Library/Preferences folder, we found a pList titled com.weather.TWCiPadMax.plist which contained settings information for the first time The Weather Channel app was used. As you can see in the image below, the pList showed us the Longitude and Latitude coordinates, and city, where the app was first used.  

Weather

Android

The Android team conducted data analysis on Facebook Lite, and Facebook Messenger Lite this week. We were able to recover a lot of information in regards to; user account and user activity information on both apps. For this blog post, we will be focusing on Facebook Messenger Lite, specifically on the messages sent and received through the Facebook Messenger Lite app. In order to create a realistic messaging scenario, we decided to send two images, one video, and an emoji, to see if we could recover all the media sent through this app, on top of the text messages themselves.  

Within the com.facebook.mlite/databases exist two databases, core.db and omnistore.db. core.db stores a plethora of tables, the most important being the messages table. Within the messages table, we were able to find all the messages Joseph Mitchell (the account on the Nexus 5x) sent. This included the locations of any images Joseph sent from the Nexus 5x, and internet links to images and videos Aaron Guirre sent.

Image received by Nexus

During data generation, we had Aaron send Joseph an image of a question mark. The way Aaron got this image was by downloading it from the internet, and then sending it to Joseph through the desktop version of Facebook. When looking through the messages table within the core.db database, we found a link that seems to be pointing us to a facebook server which, when we followed the link, showed us the image Aaron sent to Joseph. Below, is an image of the messages table within the core.db database showing the message Aaron sent, as well as the media_playable_url column showing the link that took us to the image sent by Aaron.

Mobile App

As you can see on the image above, under the media_playable_url column, we got a url that points to a Facebook server which contains the image Aaron sent to Joseph.

Video received by Nexus

Just like the image we received from Aaron, we found a url that points to a Facebook server that allowed us to download the video sent by Aaron. Below, is an image of the messages table within the core.db database showing us that a video was sent, and the media_playable_url column showing the link that took us to the video Aaron sent.

Mobile App

Image sent from Nexus

During data generation, we had Joseph send Aaron an image of a security camera from the Nexus 5x mobile device. Unlike the message we received from Aaron, we did not get a URL, but, instead, got an absolute path to where the image was stored on the Nexus 5x mobile device. As you can see below, we got an absolute path under the media_playable_url column to the image Joseph sent to Aaron from the Nexus 5x mobile device.

Mobile App

Emoji sent Nexus 5x

As you can see in the image below, the emoji sent by Joseph to Aaron appears as a box in the db browser.

Mobile App

When we copied the text out and placed it in an Emoji keyboard (https://emojikeyboard.org/), we were able to see what emoji Joseph sent to Aaron through Facebook Messenger Lite. Below, is an image of what the online Emoji keyboard we used translated through the text Joseph sent to Aaron.   

The Emoji seen above is the exact Emoji Joseph sent to Aaron.

Messages sent to and from Facebook Lite Messenger

Through the messages table in the core.db database, we were able to recover all the messages ever sent and received through Joseph’s Facebook account. The reason we were able to recover all the messages ever sent was because Facebook imports all the messages ever sent from the main Facebook app to the Messenger app once the user installs it. Because we are using a lite version of the Messenger app, we did not expect all the messages to be present within the core.db database.

Within the messages table, we were able to find user ID information, and a link to the user image, the timestamp information in respect to the actual message, if the message was a multimedia message (we were able to see what type of multimedia message it was under the attachment_meme_type column), and a link or absolute path to the multimedia message sent.   

Conclusion

As the iOS team finishes data analysis on Tubmlr, and the Android team finishes analysis on Facebook Lite, Facebook Messenger Lite, and Strava, we hope to show all of our results in a detailed report that will be released later this semester.

Questions or comments? Please share with us in the comment section below! You can also reach out to our Twitter and Facebook or email us at lcdi@champlain.edu.

The post Mobile App Analysis Part 5 appeared first on The Leahy Center for Digital Investigation.