Penetration testing

Video Tutorial - Paraben E3 Platform and Mobile Phone Forensics

June 29, 2018 by


Chris S., InfoSec Institute: Hello and welcome to today's weekly video from Infosec Institute. This week we'll be doing something a little bit different. we've been talking about career paths and security awareness and today we'll be doing a demonstration for you. In today's video. Amber Schroeder, CEO and founder of Paraben Corporation will be demonstrating a specific aspect of Paraben's E3 platform. Paraben's E3 platform was designed to allow any individual to gather data, digital data intelligence for a variety of different sources. Those sources include computers, local email, networking email, Internet data, cloud storage, smartphone and IoT devices. The E3 platform is a forensic-grade system that produces data that is verifiable and ready for court. From IT administration to forensic examiners, the E3 platform was designed to help optimize your time working with digital data so that you can gather what is needed quickly.

Amber, I believe for today's demo that you'll be using the E3 platform to demonstrate how we can gather details from apps found on a smart device?

Amber Schroader, CEO of Paraben: That's correct. We're gonna focus on that in the cloud.

CS: Okay. So then without further ado, Amber, thank you for being here. And I will let you take it away.

AS: Okay. Well thank you so much for having me. I'm going to walk you through E3 when it comes to doing it with smartphones. I did a little bit of magic ahead of time as I went through when I obviously acquired the device. Then I want to go through a specific function of it. In the future if you want to do one where I can show you how we actually acquire a device and be happy to do that as well.

So when you go through and you actually do it, we've got a couple of different pains that you deal with. This is our tree view associated with it. This is our main information view associated with the data that we get through it. And then we'll have details view over here and just like I'm old school, I like to keep handwritten bookmarks, we also have an electronic bookmark section here.

Since we're looking specifically at apps, I'm going to focus in on that particular section. So as I look at my tree view over here, I'll see my file system. I'll see authentication data, which I'll talk about later, things like call history, media, SMS and MMS, things that are very typical to a smartphone. I can tell when I highlight my model here that I have an Android device when I look at the properties in our far right over here. And so that was kind of my obvious steps of the basics of when I see.

When I look at the properties of it, it's going to tell me who my carrier are. Important information, like the MZ, the IDI, etc. Whether or not there's a sim card present. Little things like that can help you kind of where your next steps in evidence gonna come from.

Since we're looking at apps, if we pull up our installed applications, one of the things we like to do is kind of give you a directory listing of all the applications that are on the device. It's a really easy way to kind of ... It tells you a lot about your users or your suspects because you'll spend 90% of your time on your device in an application. So we see all the different applications that they have installed. We have 56 total apps that we need to look at.

So when we look at apps, we have two ways we want to look at it. We have it as parse data, which you'll see the top of the list here, and then we have unparsed information. There are millions of different apps out on the Internet so obviously it's an impossibility to parse a hundred percent of them. We do a lot of it based on popularity and those are the ones we focus on.

So if I went to look at those, I can go and click on my parse data. I'm going to see application data in my tree view and then I immediately see my different apps over here. So let's look at a really popular one of Instagram. I'm going to open it up and I see my account. It tells me my user ID, screen name that they have as far as my suspect goes and then whether or not the device is actually currently logged in. So there's some good base information about just the account and then I can look under here and say, "Okay, so what is the different media associated with it?" And go ... okay, I've got a whole bunch of different options checked associated with this media. So I did an OCR beforehand, I indexed it, I scanned it for malware and then I sorted it into a category. Then I have the ability to navigate to the individual file for this media, open it and see what that is.

You'll see that as you go through a couple of these, we're going to pull out a bunch of them, hang on. So here we have again a bunch of different parse files. This is the cache media. We have 599 of those. And then we also, because it's Instagram, we have potential conversations. Now in this one, you see we don't have any data come up here and the reason we don't have any data to come up here is there haven't been any conversations that Ben Para has had using the Instagram app. So I might get a cursory view of this and go, "Okay, let me check to my next one."

I've got Snapchat. So let's see what he has associated with Snapchat. Almost every time you're going to get the account information because each app of course has different account access associated with it. So this is always the first point I look at with my app. Then I look at are they talking to any of the other people that I wanted to interact with or I was investigating? And Snapchat is the primary function to receive snaps. So I'd want to see what they've received and who they've received them from. Looks like he's received a lot of them from team Snapchat, which makes sense. This is one of our practice devices. So they're getting a lot of them from the default app versus individuals, but then if I see his send snaps, I see that he is working with gwonderwoman1 and the status is then pending for having opened on the other side. Then last again we have chats.

So every app kinda has a structure. What I do in an app analysis is, I'll look it up in the app store first, see what the app is about, what its primary function is and that's going to tell me what I should be seeing here. So Snapchat is to send information back and forth with other users. It's a messaging app. So I know I'm going to have the information going back and forth. It supports graphics and it also supports texts. So I should see those two things represented. This is one of those important times though whenever I see these types of apps were doing a function such as OCR is critical because you can always overlay text on top of images and I want to make sure that I still get that text in my analysis. So when I do a text search, I can still find that information, so we're going to close that one out and let's look at a separate section of these apps.

So now I know some of my parsed apps I have. So one of the things that I might have, if I were looking at this from the perspective of an IT administrator side is, I'd want to know what potential risk it is within my organization to have these devices with their apps. So kind of what is my probability of having malware on them?

So one of the ways that we do that is we actually rank out the apps for whether or not they're highly suspect, suspect or low suspect. You'll see them in this list here, kind of going back and forth, and we have the perfect example on top. So this is in Android, we have Google here. So my number two and Google Play Services, Google Play Store, they're highly suspect. What makes an app suspect by our ranking system is the level of access that it has.

So if I were to scroll to the right here, you see a bunch of ones and zeros or one being a yes, zero being a no, you start seeing how many of those apps have that are ones. That means they have a high level of access and to each one of these different areas within the actual device. So that's telling me what my potential risk would come from these devices. It's a great way to do a quick risk assessment.

The other thing that does it is actually looking at the source. So when we look at the source, if we go and went to review things that have unknown, that will be an immediate concern for me because it means it didn't come from a place that is known, it wasn't coming from the play market, it might come from a separate area associated with it. And here's an example, TalkBack, which is a default app on there. Why is it low suspect but came from unknown? It kind of gives me that initial area to start poking around and saying, "Does this make sense?"

Everyone always thinks with computer forensics or smartphone forensics that I'm going to stay 100 percent of my tool. I don't. I go out all the time and look out information on the different apps that I have, the version of the app, what was functioning in that version of the app to make sure that the data I'm seeing matches up.

So next, if I go back to my installed application list here, I have a whole bunch of stuff that's unparsed and there are a lot of apps on here. They have an Amazon Echo device because they have an Amazon Alexa. We see a couple other different things and then scroll down a little bit. So they're on Pandora, they do Pinterest. They have Telegram and TextNow. They have a translate application. And so those are all things that I'm going to find interesting, but my tool wasn't perfect so it didn't go through unparsed TextNow.

I know it's an imaging tool and messaging tool, sorry, messaging tool so I went to look at that data. So all I have to do is go from this column, which is raw application data and what it's going to do is it's going to take me through the navigation of the file system instead of me manually having to go and find where it does TextNow lead to? And you can see as I scroll over here, the huge variety of information that shows in the Android file system that I can click here and find that structure that the tool just took me to.

So I have a couple different things I want to look for. So I had a cache associated with my app. That's gonna tell me, okay, what is this doing associated with it? So I'm looking. I'm like okay just basic records and some images associated with it. If I want to look at those images, I can highlight them and see them where they're going to actually show. See? On the other side. There we go. There's the TextNow logo, and then the big thing I want to do because every app, so I have TextNow is, going to have a database associated with it. So within those databases, I'm going to look at my SQLite databases. There's a couple of different ways that I can do that. In this one, I just navigated with the file system and I can sort this column and I see all my SQLite databases.

I have the TextNow database that seems very logical to look there for information. I can double click and now I have a couple of different things. So I've opened the TextNow database, I have the SQLite, here are the different tables.

This is where I like to remind people what value it is to full-text index when you go through and do different things. So for conversations here, what a great way to look at every app out there. I always joke about this because conversations is what you'll typically see in a SQLite file, but you might be searching for let me find all the messages. Well the message isn't going to come up if the name of the table is Conversations. So what can I say? That's an extra little hint of things you should make sure that you're lookIng for when you're doing it.

The other things I want to look at is I have Caller ID in here and I happened to pick something that didn't have a whole lot of data in it. Yeah, they didn't have a whole lot of information associated with using it, but it does tell me the primary areas I want to go to. Let's go back and see if we can find another app that actually has some data in it.

So as I wanna go and navigate back, I can go back to my installed apps and hit my list and see what else I might have in here. So here's one. So we have Gmail. Of course everyone has a Gmail. Actually I think even my 99 year-old grandmother has an Gmail account. So there's a good chance I'm going to find some information in it. So we start at the top again. So let's look at the cache.

First thing I find in a cache associated with Gmail, I see their Gmail account. That's great. That's more information than I had before. So I know I can search for this and that's probably going to lead me along my way so I can pull that out. I can copy that path or I could actually just bookmark it right here and say, "I want to bookmark what his email address is." So let's go from there. And we know we want to look at databases because that's what most apps are. I've got them sorted by their SQLite again and now I have a bunch of information here. So I had suggestions, email provider body, the mail stores for Ben Para that's like, "Okay, well that looks the optimistic. Let me go there." and it's empty. And I'm like, "Why is it empty? I know he has a Gmail. He has an Android device. I should see it within some of these. Why am I not getting any information?" Something as simple as just noticing that the database that should have data doesn't have any information is a great way for you to say, "Okay, I might have an app that's storing it in a different direction."

So we want to keep this a little short and sweet, but I said I would go back to it. So one of the things that we look for in Paraben is we collect what's called authentication data. Authentication data is when they have data that actually allows them to go and have a cloud authentication occur. So what I do with this data is I have all of these keys associated with my suspect. I'm going to right click on it and I'm going to choose to export it. I'm going to just export it to my desktop just to keep it easy here for the demonstration. And now I'm going to do a cloud import, which is also still built into our tool. And I'm gonna add that authentication data file.

The reason I'd have to actually add it separately as to having it automatically done, is I'm essentially adding new evidence to my case because I'm going to query the cloud to be able to capture this information. So immediately I see, look at all the keys that he had authenticated to you so it makes sense. Here's his Google mail or his Gmail and it looks like it's cloud-based. So that's why I didn't see anything, what I navigated to the app manually.

Now I want to authenticate it and see if all of his keys work. So I choose to authenticate. You have to be connected to the internet to have that happen. It looks like all of his keys did authenticate and work and I'm going to hit continue. So now I have a couple different options. A lot of times in corporate and even in law enforcement, I will have to have a date range of what I'm allowed to get because I'm now talking to the cloud. I'm not working with my local device.

In this case because we're just demonstrating it, we're going to take everything because why wouldn't we? You can go through and actually isolate certain things. As you can see is this area will change based on what I'm highlighting. Then I'm going to choose to import this information. As it imports it, I'm using those keys, just like a spare key to a house. I'm opening the door and I'm collecting that information out of it. So it's going to do that for a couple of these different keys in here and collect that information.

So to make it faster, because it's obviously playing quite a bit of information with each one, I'm going to start my process. It's going to complain just a little bit because it's like, "Why would you want to stop me?" and I'm going to take you over here.

So I have my second thing, which is my Android cloud, which was all the cloud authentication I pulled and I just did it ahead of time again. And I have a couple of different choices associated with it. So this is Ben Para's Twitter account. There we go. That's where it's closing out my thread. Sorry. And now I'm going to look at my profile. So here is again closing the thread, here is all the information associated with it. My tree view updated with those threads I had started. Hang on. So here's the profile information associated with his Twitter. How many tweets? He has not tweeted a lot. So obviously that's not something I probably want to look a whole lot into, but why wouldn't I want to look into his Facebook? Absolutely, because he's probably spent a lot of time there.

So I have different information I can get from Facebook, from Bob and Ben talking to one another on here, which you'll see all of their heys back and forth, literally, hey and hi. Their profile information associated with Ben and the fact that he really only has one friend, which is Bob, which Ben obviously needs to work on making more friends with Facebook. When you see his newsfeed associated with it, all of that is also acquired from the cloud and then any of the conversations that he had associated with it as well.

So as you can see, there's actually a lot of data you can get from apps and it's not as hard as a lot of people think it is. It's more of remembering how that app is functioning. So I wanna go back to my installed application list.

So as we look at a variety of different things, we can see Kik. That's a good one for messaging. We see different conversations that are happening in there, the contacts that they have associated with it. Ben and Bob are talking there. Now here's another thing that we see is, we also see the word recovered. Recovered is what you see as your common methodology for data that might've been made as inactive associated with the account. So we're able to recover it as part of forensics.

If you look at something like internet browsers, so this is Firefox, we get to see the different titles, the URL, their search history associated with it -- evidently, they wanted donuts to go to a movie that was Star Wars and watch another trailer. So you see a variety of different things. The same as you would see on the desktop. We're going to see that in the mobile as well. It's just you get a larger variety and having to understand a huge variety of different apps.

So we have things like Whispers and understanding how that social network works. And again, the best suggestion I have is to always go and check out the app store, read the summary on it, because that's going to help you before you start looking at the data. But as far as looking at apps within Paraben's tool, which is part of the E3 platform, which can go for either just mobiles or it can go through all types of digital data, we try to make it as easy as possible. We give you an index of all the different apps in there and then we navigate you to the parsed or unparsed data. So there's not anything that you feel you should be missing.

We do always recommend that you look at both the actual data here for a parsing. And then you still have the link to the raw data. So you cross-verify. Forensics is a lot of cross verification. So that's always an important thing to do.

The last thing is just to give you a different perspective on these apps real quick, which is using this order. So this order is a way that we look at all the data on the device and logical categories. So you've heard me saying with apps over and over again, databases. Well, because of that, there's actually a database category because SQLite is probably one of the most popular database formats now on the planet. So this gives you all of your SQLite databases and any other databases that existed on this particular device and sorts them into a separate category. Our sort is just a different way to look at all of it instead of having to navigate through the file system or use a convenient installed app to view. This is a way to look at each individual piece of data, whether it's databases or you'll see graphics here, and you'll be able to see the variety of all the different graphics that they have on their device.

So just a different perspective on how you can look at the information, whether it's shorted or wanting to navigate through a tree view or looking through an installed application list, you have a lot of different options associated with how to look at apps on a smartphone. You even could go up and authenticate into the cloud.

So thank you very much for having me, and I hope that this has enlightened others on how to look at installed applications using the E3 platform.