cmdLabs » Embedded Systems Analysis http://blog.cmdlabs.com Mon, 26 Sep 2011 15:29:17 +0000 en hourly 1 http://wordpress.org/?v=3.0.1 Winner of the DFRWS2011 Forensics Challenge Announced http://blog.cmdlabs.com/2011/09/26/winner-of-the-dfrws2011-forensic-challenge-announced/ http://blog.cmdlabs.com/2011/09/26/winner-of-the-dfrws2011-forensic-challenge-announced/#comments Mon, 26 Sep 2011 15:24:01 +0000 Eoghan Casey http://blog.cmdlabs.com/?p=385
This year Eoghan Casey worked with Tim Vidas at Carnegie Mellon University and Matthew Geiger at CERT to create the DFRWS Forensics Challenge in an effort to advance forensic analysis of Android mobile devices. The winners of the challenge were Ivo Pooters, Steffen Moorrees and Pascal Arends from Fox-IT. Their submission provides a suite of utilities written in Python for extracting information from data acquired from Flash memory on Android devices. Complete results are posted on the DFRWS Web site.


The scenarios for the DFRWS 2011 Forensics Challenge were two seemingly unrelated crimes that turned out to be tightly linked with each other. The first scenario was a suspicious death and the goal of the investigation was to determine whether the victim killed himself or was murdered. The second scenario was an intellectual property theft case and the goal of the investigation was to document any evidence that intellectual property was stolen and to support termination of the suspected insider.


An interesting outcome of the challenge was that using dd to acquire data from the Android device in Scenario 1 did not copy the important information in out-of-band (OOB) areas of the YAFFS2 file system. As a result, it was not possible to reconstruct the file system. However, contestants were still able to carve out usable content from this data.


The winning submission provides a technical analysis of data structures found in memory dump from Android mobile devices and provides an Android analysis toolkit that extracts specific items and formats them in a report. Using this toolkit to perform a forensic examination of a full NAND dump of a YAFFS2 file system (such as in Scenario 2 of the DFRWS 2011 Forensics Challenge) first requires the file system to be mounted under Linux as an emulated Flash device (using nandsim).


A sample of the information extracted by the winners from the SQLite database located on the Android device in Scenario 2 (mtd8\data\com.android.providers.telephony\databases\mmssms.db) is provided here:

Address date/time (UTC) read type body
shandra@cheerful.com 05/06/2011 01:34:55 AM True in (Nearby! Coming for my beer) Hey Yob, I am closing in on Fat Heads. See ya soon.
sms.dynadel@gmail.com 05/06/2011 05:53:30 PM True in Reminder, planned IT outage this weekend. This maintenance window will start at 3 PM today and continue for approx 48 hours.
sms.dynadel@gmail.com 05/06/2011 05:55:16 PM True in This effects external services such as website, email, webmail, and the ftp server. Use the secondary email access and helpdesk # for emergencies
shandra@cheerful.com 05/07/2011 11:39:16 PM True in (Save me!) If Luke asks, I’m going out with you to dinner, OK?
I just can’t face Mr. Smooth tonight.
Shandra
6245 05/07/2011 11:44:27 PM True out Sure thing. Do you know where the wine loft is?
6245 05/07/2011 11:54:37 PM True out I ran into some friends at the double wide, meetup at 8:30 or so?
6245 05/07/2011 11:56:53 PM True out Or you can walk down Carson and join us


Much more information was extracted from both Android devices as detailed in the reports, which include an impressive graphical reconstruction of events.

]]> http://blog.cmdlabs.com/2011/09/26/winner-of-the-dfrws2011-forensic-challenge-announced/feed/ 0 Handbook of Digital Forensics and Investigation Released http://blog.cmdlabs.com/2010/02/03/handbook-of-digital-forensics-and-investigation-released/ http://blog.cmdlabs.com/2010/02/03/handbook-of-digital-forensics-and-investigation-released/#comments Wed, 03 Feb 2010 19:23:39 +0000 Eoghan Casey http://blog.cmdlabs.com/?p=130 At long last and with the help of many talented experts, I have put together a new Handbook. This book provides an advanced reference for conducting digital investigations and performing forensic examinations. The first part of the book provides comprehensive methodologies and practical tips from experienced practitioners in the areas of forensic analysis, electronic discovery and intrusion investigation. The second part of the book delves into technical aspects of digital evidence on computers, networks, and embedded systems. The technologies covered include Windows, UNIX, and Macintosh computers, cellular telephones and other mobile devices, networks and mobile telecommunications technology.


The Network Investigations chapter written by cmdLabs personnel is available in PDF form upon request.


F-Response is giving a copy of the Handbook with purchase of their tool:
Buy F-Response, Get a copy of The Handbook of Digital Forensics and Investigation



Handbook

My deepest thanks to the contributors: Cory Altheide (Mandiant) – Christopher Daywalt (cmdLabs) – Andrea de Donno (Lepta) – Dario Forte (DFLabs) – James Holley (Ernst & Young) – Andy Johnson (University of Maryland, Baltimore County) – Ronald van der Knijff (Netherlands Forensic Institute) – Anthony Kokocinski (CSC) – Paul Luehr (Stroz Friedberg) – Terrance Maguire (cmdLabs) – Ryan Pittman (US Army) – Curtis Rose (Curtis W. Rose & Associates) – Joseph Schwerha (TraceEvidence) – Dave Shaver (US Army) – Jessica Reust Smith (Stroz Friedberg).

]]> http://blog.cmdlabs.com/2010/02/03/handbook-of-digital-forensics-and-investigation-released/feed/ 1