contact@cmdlabs.com
443-451-7330
Home Company Services Resources Contact Us Blog
Posts Tagged ‘NAND’
Winner of the DFRWS2011 Forensics Challenge Announced
Monday, Sep 26th, 2011
Posted By Eoghan Casey


This year Eoghan Casey worked with Tim Vidas at Carnegie Mellon University and Matthew Geiger at CERT to create the DFRWS Forensics Challenge in an effort to advance forensic analysis of Android mobile devices. The winners of the challenge were Ivo Pooters, Steffen Moorrees and Pascal Arends from Fox-IT. Their submission provides a suite of utilities written in Python for extracting information from data acquired from Flash memory on Android devices. Complete results are posted on the DFRWS Web site.


The scenarios for the DFRWS 2011 Forensics Challenge were two seemingly unrelated crimes that turned out to be tightly linked with each other. The first scenario was a suspicious death and the goal of the investigation was to determine whether the victim killed himself or was murdered. The second scenario was an intellectual property theft case and the goal of the investigation was to document any evidence that intellectual property was stolen and to support termination of the suspected insider.


An interesting outcome of the challenge was that using dd to acquire data from the Android device in Scenario 1 did not copy the important information in out-of-band (OOB) areas of the YAFFS2 file system. As a result, it was not possible to reconstruct the file system. However, contestants were still able to carve out usable content from this data.


The winning submission provides a technical analysis of data structures found in memory dump from Android mobile devices and provides an Android analysis toolkit that extracts specific items and formats them in a report. Using this toolkit to perform a forensic examination of a full NAND dump of a YAFFS2 file system (such as in Scenario 2 of the DFRWS 2011 Forensics Challenge) first requires the file system to be mounted under Linux as an emulated Flash device (using nandsim).


A sample of the information extracted by the winners from the SQLite database located on the Android device in Scenario 2 (mtd8\data\com.android.providers.telephony\databases\mmssms.db) is provided here:

Address date/time (UTC) read type body
shandra@cheerful.com 05/06/2011 01:34:55 AM True in (Nearby! Coming for my beer) Hey Yob, I am closing in on Fat Heads. See ya soon.
sms.dynadel@gmail.com 05/06/2011 05:53:30 PM True in Reminder, planned IT outage this weekend. This maintenance window will start at 3 PM today and continue for approx 48 hours.
sms.dynadel@gmail.com 05/06/2011 05:55:16 PM True in This effects external services such as website, email, webmail, and the ftp server. Use the secondary email access and helpdesk # for emergencies
shandra@cheerful.com 05/07/2011 11:39:16 PM True in (Save me!) If Luke asks, I’m going out with you to dinner, OK?
I just can’t face Mr. Smooth tonight.
Shandra
6245 05/07/2011 11:44:27 PM True out Sure thing. Do you know where the wine loft is?
6245 05/07/2011 11:54:37 PM True out I ran into some friends at the double wide, meetup at 8:30 or so?
6245 05/07/2011 11:56:53 PM True out Or you can walk down Carson and join us


Much more information was extracted from both Android devices as detailed in the reports, which include an impressive graphical reconstruction of events.

(No Comments)
Winner of the DFRWS2010 Forensic Challenge Announced
Monday, Aug 30th, 2010
Posted By Eoghan Casey

This year Eoghan Casey collaborated with the Netherlands Forensic Institute to create the DFRWS Forensic Challenge in an effort to advance forensic analysis of Flash memory in mobile devices. The winner of the challenge was Solal Jacob who used the open source Digital Forensic Framework, and provides some new modules specifically for parsing memory dumps of Sony Ericsson K800i devices. Complete results are posted on the DFRWS Web site.


The scenario for the DFRWS2010 Forensic Challenge involves an arms dealer named Monsieur Victor (a.k.a. “The General”) who was apprehended in the Netherlands and threw Sony Ericsson K800i in a nearby canal. The Netherlands Forensic Institute acquired data from NAND and NOR chips in the water damaged mobile device using Memory toolkit. The goal of the challenge is to recover leads relating to front companies, bank accounts and cohorts.


The winning submission provides a technical analysis of data structures found in memory dump from a Sony Ericsson K800i mobile device and provides DFF plug-ins that recover wear-leveling tables, enabling a forensic analyst to reconstruct the flash abstraction layer as shown here.




Once the desired state of memory has been reconstructed, the DFF tool can be used to interpret the partition table and file systems on the mobile device as shown here.



The resulting logical view show metadata associated with files and folders, including deleted items.



In addition, digital photographs recovered from mobile device memory can be previewed using the DFF as shown here.


An interesting outcome of the challenge was that several contestants were able to extract substantial amounts of information from the physical memory dumps without understanding the logical arrangement of blocks or the file system. The implication is that, once full physical dumps of NAND and/or NOR memory are obtained from a mobile device, simple text extraction and file carving techniques can provide significant amounts of useful information, including deleted data.



A logical acquisition created using Microsystemation’s XRY mobile device forensic tool is now available to facilitate further development such as interpretation of foreign characters. As an example, the logical view of SMS messages on the device used in the DFRWS2010 Forensic Challenge is shown here.


(1 Comment)
Categories
Recent Posts
Tags
Home  |   Company   |   Services   |  Resources  |  Contact us   |   Blog © 2012 cmdLabs. All Rights Reserved