Last week, I had an excellent time attending SANS FOR585 – Advanced Smartphone Forensics. The course content and instruction were awesome, and I made a few friends along the way. This is all to say that, if you have an opportunity to take this course, I highly recommend it. Not only will you benefit from the course content and delivery, but you will also have an opportunity to network with classmates. Networking facilitates the exchange of ideas, including those relating to techniques, tools, and cautionary tales. Tidbits of information from colleagues can prove useful down the line, during an examination.
Personally, here are a few things I’m excited about, and ready to move on when I return to my lab:
- Database inspection using external tools (e.g. SQL Expert is my personal favorite)
- Using familiar tools with my new SIFT VM
- Tool: Hindsight
  - Purpose: Chrome history parsing
- Tool: Plaso
  - Purpose: Creating timelines from physical images
- Tool: Timeline Explorer
  - Purpose: Visualizing Plaso-generated CSV files
- Tool: Hasher
  - Purpose: Easily calculating hash values (drag and drop)
- Tool: Hindsight
  - Purpose: Organizing casework and workflows
One of the core concepts taught in FOR585 is simply: dig deeper. I guess you can dig all the way down to the hex level, and this definitely has its place in mobile forensics. However, I’ll start by emphasizing SQL database inspection via a database viewer. The virtual machine I received with course enrollment has DB Browser for SQLite preinstalled. In class, students used this tool to load databases extracted from mobile devices, and to query database tables using SQL statements. Prior to class, I constantly Googled for statement examples to fit my needs in the lab (and I’ll continue to do so). However, after the course, I feel a bit more comfortable writing statements (still using Google as an aid).
For statement examples, I usually start at this site for help, and more recently (today), I found this site. If neither site floats your boat, Googling something like “SQL statement examples” will yield a list of other sites. If you want a hard-copy resource, there’s Paul Sanderson’s SQLite Forensics. I purchased this book at the beginning of the summer, and have yet to really dig in. It’s on the to-do list, though.
Digging into databases should give you a sense of control, more so than only using a forensic tool to parse database contents. You can view raw data, and research any of the fields in the database that give rise to concern. And, if there is no concern and you want to validate the output from your tool, database inspection can provide that type of validation. Ideally, our tools would do everything correctly, all the time. Such is not the case. So, the sooner you become comfortable with a technique such as database inspection, the more in control you’ll feel with your findings. If you’re comfortable working with (or even viewing) Excel spreadsheets, you may find inspecting databases in the raw less painful than you think.
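As an added example (not code from the course or from this post), here is the kind of inspection described above done from Python’s built-in sqlite3 module instead of the DB Browser GUI. The schema, table names and rows are constructed for the example and do not come from any real app; the SQL statements themselves (listing tables from sqlite_master, PRAGMA table_info, a JOIN that renders a Unix-epoch column with datetime(…, 'unixepoch'), and a GROUP BY count) are the ones you would paste into DB Browser’s Execute SQL tab against an extracted database. The per-party counts at the end are the sort of figure you can hold up against what your forensic tool reports for the same database.

```python
import sqlite3

# Constructed sample schema and rows (not any real app's database): a
# message table that points at a handle table, with Unix-epoch timestamps
# in seconds, the way many messaging databases store them.
SCHEMA = """
CREATE TABLE handle (id INTEGER PRIMARY KEY, address TEXT);
CREATE TABLE message (
    id INTEGER PRIMARY KEY,
    handle_id INTEGER,
    date INTEGER,
    is_from_me INTEGER,
    text TEXT
);
"""
HANDLES = [(1, "+15550001111"), (2, "+15550002222")]
MESSAGES = [
    (1, 1, 1560000000, 0, "Where are you?"),
    (2, 1, 1560000600, 1, "Running late"),
    (3, 2, 1560001200, 1, "Call me when free"),
]


def load_sample_db():
    """Build the constructed database in memory. In the lab you would
    instead sqlite3.connect() a working copy of the extracted file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO handle VALUES (?, ?)", HANDLES)
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?, ?)", MESSAGES)
    conn.commit()
    return conn


def list_tables(conn):
    """Same information DB Browser shows in its Database Structure tab."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
    )
    return [r[0] for r in rows]


def describe_table(conn, table):
    """Column names and declared types via PRAGMA table_info. The table
    name cannot be bound as a parameter, so it is checked against
    sqlite_master first rather than trusted from the caller."""
    if table not in list_tables(conn):
        raise ValueError(f"no such table: {table!r}")
    return [(r[1], r[2]) for r in conn.execute(f"PRAGMA table_info({table})")]


def messages_with_handles(conn):
    """JOIN each message to the party it involves and render the epoch as a
    readable UTC string inside SQL, oldest first."""
    sql = """
        SELECT datetime(m.date, 'unixepoch') AS utc_time,
               h.address AS party,
               CASE m.is_from_me WHEN 1 THEN 'sent' ELSE 'received' END AS direction,
               m.text
        FROM message AS m
        JOIN handle AS h ON h.id = m.handle_id
        ORDER BY m.date
    """
    return conn.execute(sql).fetchall()


def message_counts_per_party(conn):
    """Per-party totals: a figure to compare against the forensic tool's
    own report for the same database."""
    sql = """
        SELECT h.address, COUNT(*) AS n
        FROM message AS m
        JOIN handle AS h ON h.id = m.handle_id
        GROUP BY h.address
        ORDER BY n DESC, h.address
    """
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = load_sample_db()
    print("tables:", list_tables(db))
    print("message columns:", describe_table(db, "message"))
    for row in messages_with_handles(db):
        print(row)
    print("per party:", message_counts_per_party(db))
```

The epoch conversion is done in SQL on purpose: DB Browser accepts the same datetime() call, so a query worked out here can be reused unchanged in the viewer, and a column that comes out as nonsense dates is your cue that the app stores a different epoch (milliseconds, or a 2001-based Cocoa offset) and needs a different conversion.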
The VM I received as part of course enrollment is pretty cool! It’s set up with some great tools, and can be customized to fit one’s personal needs. I’ve added Ryan Benson’s Hindsight (for a tidy method of parsing Chrome), Plaso (for adding some timeline spice to the mix), and Eric Zimmerman’s Timeline Explorer and Hasher applications.
I think Hindsight’s output does a great job of displaying Chrome-related data. It overlays different data sources found within Chrome (e.g. autofill, cache, page visits), and can present the output in an Excel spreadsheet (even in color-coded fashion). There is a way to create database output, but I have no experience using this feature.
I’ve used Hindsight on previous occasions, and was happy with the results each time. Given my familiarity with the tool, I installed it in my VM to complete a few FOR585 labs. In particular, I used it to parse Chrome data from an iOS extraction, and it did a great job! If you’re a visual person, or just want a very organized data representation, take a look at this tool. You won’t regret it.
Visualizing with a timeline
With respect to Plaso, I’ve had some great results using this tool in the past. In particular, it helped me visualize data from an Android device (physical image). The output supplemented what I obtained from my forensic tools. I believe it’s always good to have another set of eyes (so to speak).
In general, timelines can help you home in on key items, and I use Plaso for this specific purpose. More to the point, I find it helpful when trying to tie pieces of a case together (perhaps those occurring over a period of time). For example, let’s say you’re trying to investigate the way in which photos (stored on a cloud service linked to the phone) mutated into a “hidden” state (locally on the phone). Timeline creation can assist with the isolation of individual events (e.g. photo access, cloud service access, “hidden” state creation), and piece them together.
Some of the other tools I installed in my VM were Eric Zimmerman’s Timeline Explorer and Hasher applications. Timeline Explorer can ingest a Plaso-generated CSV file and display the data in spreadsheet form. Thereafter, the tool can be used to drill down on the data for detailed analysis. I have not used the tool to ingest other CSV files, but Eric’s tool intro indicates this is possible. On that note, a brain dump:
To-do: dump a Cellebrite-generated CSV into Timeline Explorer (maybe from the Timeline or Call Log category), and see what I get. If the results are positive, then repeat with a CSV file containing two or more data sets (different phones).
Forensic tool timeline – alternative method
Visualizing different data sets using a single forensic tool may be difficult. This can be a function of a few things: the tool’s capabilities (e.g. the user interface is not intuitive), or the absence of built-in analytical tools like link analysis (e.g. the vendor charges extra for this feature). In the past, I’ve exported different data sets to CSV format and imported them into i2 Analyst Notebook (AN). This is an incredible tool, and I only use a few of its features, for link analysis purposes. If you don’t have access to this tool, check with your local resources, such as an intelligence/fusion center, or some other entity that performs analytics.
If i2 AN is not an option, you can export your data to CSV format (assuming your tool allows this), import each data set into Excel, and color-code the data. Repeat this step for each data set. Make sure columns are formatted appropriately, and that extra characters have been stripped from your data fields (e.g. apostrophes sometimes make it into timestamp fields). Once these steps are complete, merge all data into a single spreadsheet. After doing so, sorting your data by the timestamp column brings your device activity into chronological order. Moreover, given that you’ve color-coded the different data sets, you may be able to uncover key events.
I have found this technique helpful while searching for intersections among text messages between two subjects who share a common third party. There are other applications for this process, I’m sure. Excel does a great job of opening the CSVs. As stated above, there are a few things you need to consider while opening your CSV files, such as the need to clean up certain timestamps (e.g. removing timezone adjustments like ‘UTC-4’). Lastly, there is always the need to color-code each data set, to allow one’s eyes to make an easy distinction between device data. I think this is one of the most significant enhancements you can make to your data (to make it more pleasing to a stakeholder, technical or otherwise).
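The merge-and-sort procedure above (and the event-isolation idea from the Plaso discussion earlier) as an added Python example, not something from this post or from any vendor tool. The two CSV exports are constructed for the example, shaped the way such exports often arrive: one with apostrophe-wrapped US-style timestamps and a trailing “(UTC-4)”, the other ISO-style with “UTC+0”. The column names (Timestamp, Type, Party, Content) and the source labels are assumptions of the example. Where the text suggests removing the ‘UTC-4’ adjustment, this script applies the offset and normalises every row to UTC, so that two phones exported in different zones still sort into a single correct order; the source tag on each row plays the role the color coding plays in Excel.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed sample exports (not real tool output). Each "phone" has its
# Timestamp column in a different shape, with the stray apostrophes and
# trailing timezone adjustments that exports often carry.
PHONE_A_CSV = """Timestamp,Type,Party,Content
'6/8/2019 9:20:00 AM(UTC-4)',SMS,+15550001111,Running late
'6/8/2019 9:42:10 AM(UTC-4)',Call,+15550002222,Outgoing 00:03:12
"""
PHONE_B_CSV = """Timestamp,Type,Party,Content
2019-06-08 13:25:00 UTC+0,SMS,+15550003333,On my way
2019-06-08 13:10:00 UTC+0,SMS,+15550001111,Where are you?
"""

# Matches a trailing "UTC-4", "(UTC-4)" or "UTC+05:30" style adjustment.
TZ_SUFFIX = re.compile(r"\s*\(?UTC([+-]\d{1,2})(?::?(\d{2}))?\)?\s*$")
# Timestamp layouts the example knows how to parse, tried in order.
FORMATS = ("%m/%d/%Y %I:%M:%S %p", "%Y-%m-%d %H:%M:%S")


def clean_timestamp(raw):
    """Strip quote debris and the timezone suffix, then return an aware UTC
    datetime. The offset is applied rather than just deleted, so rows from
    phones exported in different zones sort correctly together."""
    text = raw.strip().strip("'\"")
    offset = timezone.utc
    match = TZ_SUFFIX.search(text)
    if match:
        sign = -1 if match.group(1).startswith("-") else 1
        hours = abs(int(match.group(1)))
        minutes = int(match.group(2) or 0)
        offset = timezone(sign * timedelta(hours=hours, minutes=minutes))
        text = text[: match.start()]
    for fmt in FORMATS:
        try:
            naive = datetime.strptime(text, fmt)
        except ValueError:
            continue
        return naive.replace(tzinfo=offset).astimezone(timezone.utc)
    # An unparseable timestamp is an error to look at, not a row to drop.
    raise ValueError(f"unrecognised timestamp: {raw!r}")


def load_export(csv_text, source):
    """Read one tool export, tag every row with its source (the job the
    colour coding does in Excel) and normalise its timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "utc": clean_timestamp(row["Timestamp"]),
            "source": source,
            "type": row["Type"],
            "party": row["Party"],
            "content": row["Content"],
        })
    return rows


def merge_timeline(*exports):
    """exports: (csv_text, source_label) pairs. Returns every row merged
    and sorted chronologically, i.e. the Excel sort-by-timestamp step."""
    merged = [r for text, src in exports for r in load_export(text, src)]
    return sorted(merged, key=lambda r: r["utc"])


def render(rows):
    """One line per event, with the source label standing in for colour."""
    return [
        f"{r['utc']:%Y-%m-%d %H:%M:%S}Z [{r['source']}] {r['type']} "
        f"{r['party']}: {r['content']}"
        for r in rows
    ]


if __name__ == "__main__":
    timeline = merge_timeline((PHONE_A_CSV, "Phone A"), (PHONE_B_CSV, "Phone B"))
    print("\n".join(render(timeline)))
```

Run as-is it prints the four constructed events interleaved in true chronological order, with Phone B’s 13:10 UTC message first even though Phone A’s export showed a 9:20 wall-clock time. A real export will need its own entries in FORMATS, and the ValueError on an unknown layout is deliberate: a silently dropped or mis-parsed timestamp is exactly the kind of error that a merged timeline hides.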
Swinging back around – Cases and Workflows
So, back to my bullet points listed above. Just hours after finishing class on the last day, I started to map out some ideas related to mobile forensics. I’m big on visual representations of thoughts and processes, so I used XMind to create my visuals. I want to share it with anyone working cases, or anyone who simply needs a kick start for their own purposes. The map isn’t complete, and your mileage may vary due to a few things, such as legal constraints, organizational policies, and tool availability. Disclaimer – the mind map is not groundbreaking information. It is simply a collection of items which can be used to refocus a busy mind.
One point I will emphasize is the importance of data verification. This can be done by way of a backup plan. The plan may involve some of the individual tools from the FOR585 class (e.g. DB Viewer), or a secondary forensic tool in your own lab – it’s really up to you. I would say it’s even beneficial to reach out to co-workers and colleagues in other organizations, to determine whether they came up with results similar to those you are trying to verify. Additionally, reviewing previous work done by others in the digital forensics community is equally helpful. Here are some of the resources I consult when I want to start looking for guidance on a particular subject (be it an Android- or iOS-related question):
- BlackBag Technologies
- Smarter Forensics (Heather Mahalik’s blog)
- Android related
- Gillware Forensics (Cindy Murphy’s blog)
- Magnet (Christopher Vance – has some recorded stuff you can access if you follow links through Magnet)
Whatever the backup plan, data verification is key. Dig deep, verify, and use a second set of eyes, to guide your findings.
I want to note the importance of revisiting Internet resources you may have saved. In my particular case, I need to revisit a YouTube video created by Kevin DeLong on the topic of using Hashcat against iTunes encryption passwords. Here is his excellent guide. Coincidentally, Kevin referenced this guide in a semi-recent tweet, and it popped up in my feed. He may have been listening to my thoughts – I wonder if his ears were ringing. Maybe? No, probably not. That aside, I’ve revisited saved resources on numerous occasions, and always learn something new. Here are some of my resources:
- David Cowen – Forensic Lunch
- Eric Zimmerman – Plumbing the depths – Windows registry internals
- Eric Zimmerman – Plumbing the depths – Shellbags
- Harlan Carvey – Lateral Movement
- Andrew Hoog – A Geek’s guide to digital forensics
- Brian Carrier – Categories of digital forensic investigation techniques
- Sarah Edwards – iOS Location forensics
Lastly, I’ll touch on scoping casework. Asking questions is an inherent part of analyzing data. Formulating good questions at the front end of an investigation will save time on the back end. Personally, formulating questions leads me to visualize my casework as a set of goals and their sub-tasks. Please look at the mind map above, and you’ll see this part of my thinking toward the left-hand side. It’s subsequently integrated into the analysis process (right-hand side of the diagram).
My next post is going to focus on the ideas of organizing casework, some of the tools I use to accomplish this ginormous task, and inspirations outside of digital forensics. If you have any questions or comments on the ideas I’ve shared above, please leave them in the comments section, or reach out to me directly. Thanks for stopping by!