
Android & iPhone’s Growing Malware Problem – MFC 2012

Wednesday morning's keynote speaker was Chet Hosmer. Mr. Hosmer is the Chief Scientist at Wetstone Allen. The realm of digital and network security has changed dramatically. Think back to before smartphone devices, as a network security manager: you only had to worry about the network locally, within your firewall. With the boom of smartphones and mobile workforces, the realm of protecting your company's data and infrastructure has grown to be almost uncontrollable.

The latest corporate buzzword is BYOD (Bring Your Own Device). When you have a BYOD policy within a company, you are allowing more uncertainty into the workplace by allowing unknown devices to access your systems, email, and confidential documents. You do not know what OS the device is running, what applications are installed, whether encryption is enabled, or whether the device is already compromised. As a network administrator you can try to control everything within your firewall, but how do you control a mobile worker with their own personal device?

Infected smartphones are not new. Today Android OS devices lead the industry in this epidemic. They lead it because Android is an open-source OS and because its app marketplace relies on users vetting out bad applications. With iPhones you have an OS that is proprietary and leaves the public guessing as to what the 10+ million lines of code really are. Keeping these 10+ million lines of code confidential protects (somewhat) Apple iPhones from handing hackers exploits in the OS. By no means am I saying iPhone users do not need to worry about malware or trojans, because they do and it has happened.

The iPhone recently had a hot-selling app called Flashlight. The actual flashlight didn't really do anything special, but people were paying for the app anyway. It took 4 weeks for Apple to realize that this was a fake app and that people were buying it because it provided users a tethering option via a Trojan exploit into iOS.

Android had a major outbreak of malware recently that was found in hundreds of apps. Google Bouncer found some of them, but it's easy to look at the data and realize it didn't vet them all. Some of the infected apps were Dice Roller, Chess, Super Ringtone Maker, Best Password Safe, Advanced Compass Leveler, Piano, Quick Delete Contacts, and many more. The specific exploit in these apps used RATC (rage against the cage). RATC allows the malware to be installed and then install unwanted apps or steal data. Here is how RATC works:

1. Finds the debug server (adb_server) and its process ID

2. Kills adb_server (it auto-restarts)

3. The server auto-restarts and begins to execute with root access.

4. RATC races to reduce the number of allowed processes available to adb_server.

5. Two system calls are made:

A. setgid (AID_Shell)

B. setuid (AID_Shell)

Within step 5 the calls fail. This exploit exists because the programmer never checked the return values of those calls. Mr. Hosmer made this statement: "Programmers that do not check return values equal dinosaurs because they become extinct." A single line of Android OS code was the exploit, and it was found where these two calls are made while adb_server is restarting and accessing root. When the calls failed, the system would be left running as root and the malware was given free rein.
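As an added example (not code from the talk or from any Android source), here is the unchecked-return pattern Mr. Hosmer describes beside the checked version, in C. The `cred_ops` seam and the fake kernel are assumptions made so the logic can be exercised without touching the real process credentials; `AID_SHELL` = 2000 is Android's shell uid.

```c
#include <sys/types.h>
#include <unistd.h>
/* Seam so the logic can run against a fake kernel instead of changing the
 * process's real credentials (an assumption of this example; production code
 * would point these at the real setgid/setuid/getegid/geteuid). */
struct cred_ops {
    int (*setgid)(gid_t); int (*setuid)(uid_t);
    gid_t (*getegid)(void); uid_t (*geteuid)(void);
};

/* Vulnerable pattern: return values discarded. If the kernel refuses the
 * change (the target uid has no free process slots), execution simply
 * continues with the privileges it already had, i.e. root. */
int drop_privs_unchecked(const struct cred_ops *o, uid_t uid, gid_t gid)
{
    o->setgid(gid);
    o->setuid(uid);
    return 0;                       /* always reports success */
}

/* Hardened pattern: check each return value, then re-read the effective
 * ids; any mismatch means stop, never "carry on as root". */
int drop_privs_checked(const struct cred_ops *o, uid_t uid, gid_t gid)
{
    if (o->setgid(gid) != 0 || o->setuid(uid) != 0)
        return -1;
    if (o->getegid() != gid || o->geteuid() != uid)
        return -1;                  /* not the credentials we asked for */
    return 0;
}

/* Constructed fake kernel: the process starts as root, and setuid fails
 * (EAGAIN on a real kernel) once the target uid's process slots are used up. */
static uid_t sim_uid; static gid_t sim_gid; static int sim_slots_exhausted;
static int sim_setgid(gid_t g) { sim_gid = g; return 0; }
static int sim_setuid(uid_t u) { if (sim_slots_exhausted) return -1; sim_uid = u; return 0; }
static gid_t sim_getegid(void) { return sim_gid; }
static uid_t sim_geteuid(void) { return sim_uid; }
static const struct cred_ops sim_ops = { sim_setgid, sim_setuid, sim_getegid, sim_geteuid };

/* Returns 1 if the variant reports success yet is still uid 0; AID_SHELL (2000) is Android's shell uid. */
int still_root_after_drop(int slots_exhausted, int use_checked)
{
    const uid_t aid_shell = 2000;
    sim_uid = 0; sim_gid = 0; sim_slots_exhausted = slots_exhausted;
    int rc = use_checked ? drop_privs_checked(&sim_ops, aid_shell, aid_shell)
                         : drop_privs_unchecked(&sim_ops, aid_shell, aid_shell);
    return rc == 0 && sim_uid == 0;
}
```

With the process slots exhausted, the unchecked variant returns "success" while still running as uid 0; the checked variant returns -1 and never proceeds.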

Below are a few malware, trojan, and fake apps that have been found within mobile OS devices.

BASSBRID – Trojan – Set up to steal personal data

JIFAKE.F – Trojan – A version of the Jimm Mobile ICQ client. It would set up SMS messages to send to a premium service and charge the user $4-$6 per message on their bill. This was the first malware known to be installed by having the user scan a QR code.

BATTSTATUS – Fake App – Sent personal data to remote servers.

Ginger Master – Root exploit

Rabbiddog.A – Malware – Sends the following SMS message to all of your contacts: "I take pleasure in hurting small animals, just thought you should know."

Not discussed by Mr. Hosmer was the availability of spyware. I am not referring to spyware that is downloaded like a virus, but spyware that can be purchased by someone and installed onto a phone for monitoring of calls, texting, location, email, and web history. This is a teaser for a future blog post, but I have had several cases within the past few months where spy software was purchased and installed onto a target smartphone. It is out there and it is VERY powerful. The scariest part is that you will never know it's there with the naked eye.

Here are some of my final thoughts on this situation. Malware and trojans on mobile phones are growing at a rapid pace, and no OS is going to be completely safe. When a corporation is concerned about classified information or intellectual property, the policy of "bring your own device" should be shelved and the company should provide devices that can be managed by the network IT guys. This allows you to manage which apps are downloaded and what information is stored on the device, and it gives you the ability to wipe the device if it is lost or stolen. Each OS has its benefits and both have their minuses. I think there will always be a need for open-source mobility to accelerate innovation in mobility. With acceleration comes risk, and the need to manage and assess those risks.


iPhone Forensics / Location Information – MFC 2012

Don’t Try Hiding Where You Have Been If You Use An iPhone!

Terry McGuire, of CMD Labs, went over some test data he had acquired relating to location data on his iPhone and TomTom GPS. If you are familiar with the forensic examination of these two devices this may be an overview, but you may learn something too. Terry activated a new number with an iPhone to obtain fresh data during his trip from VA to SC for the Mobile Forensic Conference 2012. Within the iPhone there are 3 main files that maps/directions are stored in, and these can be found under mobile/library/maps:

bookmarks.plist

directions.plist

history.plist

If you are unfamiliar with what a .plist is, it simply means property list. You can obtain these files and view them with a plist editor or even just a hex editor. In the bookmarks.plist file the data contained is just that: bookmarked locations within your Maps app. You may have bookmarked addresses for home, work, school, or a favorite restaurant you went to a few months ago. Within the directions.plist file you will find the actual data for a trip. It will give you the turn-by-turn directions along with date and time stamps (usually, not always). You must be aware, though, that a location being mapped out with its directions shown in the directions.plist file does not automatically mean the trip was made. Someone could have entered the address for directions and canceled them without ever making a trip. This information should be used to corroborate other evidence you have. Within history.plist you will find a list of past trips, but only the starting and ending spots will appear here.

When dealing with photos on the device you can find location data in the metadata. The pictures/videos can be found in the 100APPLE folder. This is located under DCIM and holds all of the user-interacted pictures and videos. It will not include any cached photos from the web. This is a nice folder to look at when you don't want to deal with the parsed pictures that include buttons, caches, and whatnot. The metadata within these user-interacted pictures and videos is rather accurate. Terry took a photo the night before at a local restaurant and then showed the location data within that image. It was dead on.

Within the iPhone you can also find cell tower data. This data will not tell you exactly where each call was made, but it will give you a list of towers that the phone you're investigating has picked up on. So, if I am sitting in Myrtle Beach right now using "tower 1", my iPhone will show that, but it will also show about 5-10 other towers that I drove by or that it already knows are near me. This could be helpful when added to other pieces of evidence for putting someone at a specific spot. The storage for this information is different on the iPhone 3G/3GS and iPhone 4. Here are the files where this data is held:

3G/3GS – Cells.plist, H-Cells.plist, and H-wifi.plist

4 – data/root/library/caches/locationd/consolidated.db

4 w/ 5.1.1 iOS – data/root/library/caches/locationd/cache_encryptedA.db

As of now the cache_encryptedA.db file is no longer backed up with the phone when connected to the PC. So when examining a backup of an iPhone running iOS 5.1.1 you will no longer see that database file with the cell tower data.

Something very interesting about a specific app that some of you may use regarding location sharing: Foursquare saves your location information for places you have never even been. (I have not had the chance to personally test this, but per Terry he tried and tested this on his device.) Foursquare will save location information for nearby spots and could give the examiner false presumptions about the whereabouts of a suspect. Be aware of this for your investigations.

TomTom GPS forensics seems to be pretty straightforward. The TomTom can be acquired with Cellebrite and examined with it. TomTom will store this specific data (some early versions saved a TON more):

Fixes – Locations

Journeys – Trip Info

Locations – Home address or saved addresses

Other data (depending on whether they used it to save photos or whatnot)

Until next time! Thanks!