Open source Android forensics: An HTCIA student charter project

March 8, 2012

We always like to hear about the cool new projects our students are engaging in, so we were excited to see University of Cincinnati student charter president Shadi Dibbini post on our Facebook page:

When we saw the site osaf-community.org, we definitely wanted to talk more with Shadi about his team’s project!

HTCIA: How did you get the idea for Open Source Android Forensics? How long have you been working on it thus far?

SD: My team started working on this project at the beginning of the school year, late September, and it has to be completed by the beginning of May. In May, we will be presenting at the University of Cincinnati’s Tech Expo event. The Tech Expo is a showcase of senior design projects from IT students, and students from other programs. The event is entirely open to the public, so feel free to come down and check out all the cool projects.

I came up with the idea of Open Source Android Forensics (OSAF) because I really enjoy forensics, and I have been a smartphone enthusiast for the past 8 years. A little off topic here, but believe it or not, I used to buy a new smartphone every three months so that I can have the best device that’s currently out on the market… I learned pretty fast that I was wasting my money, so I quit buying that many phones.

Besides the fact I enjoy forensics and smartphones, what caught my eye a few years ago, during the rise and popularity of Android, was the fact that Google does not have a vetting procedure for the applications that are published on the market. Google is smart by allowing any publisher to rapidly release applications without having to wait or gain approval (cough..cough..Apple)… however, Apple is smart by vetting applications to protect their users.

In recent news though, Google did come up with a new application security scanner called “Bouncer” after realizing that they did have a huge issue with Android malware. Back in Q3 2011, there was a report that had stated that malicious Android apps have risen 473% in about a year or so… that is a lot of malware.

This report pretty much sparked my ingenuity for coming up with the OSAF project. The OSAF project was initially going to be just the OSAF-Toolkit, a Linux OS that has been injected with all the latest Android application analysis software, but I wanted more than that. I wanted to not only create a application ripping toolkit, I wanted to create a community where anyone interested in Android malware analysis can have a one stop shop for any information they need.

I want people to stop at our site before any other site, and  I want people to collaborate with each other, share new techniques and methodologies, and share their findings after they have ripped apart an application (hence the threat index).

Another honorable mention is that my team is currently working on documentation on how to perform analysis against any application. This is an A-Z guide of what tools to use, how to use them, what to look for during static/dynamic analysis and etc… We do not want to give people a toolkit and say, “here you go, figure it out yourself” like many other projects have done.

HTCIA: What need does your research and site fill that others were missing?

SD: Not to be cocky or anything, but the entirely “FREE” price point for a toolkit, documentation and a collaborative work environment is argument enough that our site is better than the rest. I see other companies/sites charging a lot of money for training, certifications, information and etc.

I, at one point, wanted to take some certifications in forensics and information security, but the training and certifications were just way too much money for a college undergrad to afford. So I looked at this project from a college kid’s perspective… If it’s free, it’s for me… That’s why we decided to name the project OSAF. We wanted every aspect of it to be entirely open source.

HTCIA: How many people are working on the project?

SD: There are 4 of us IT seniors, including myself, working on the project right now. I couldn’t have picked a better team for this project. They are very smart and dedicated individuals wanting to make this project the best it can be. I think the reason why we are so dedicated as a team is because the project itself is very fun and unique. I feel like we are pioneers in this sort of work because I can’t find any site online that is dedicate to creating an entire environment dedicated to android malware analysis.

HTCIA: What are your goals for the site over the long term?

SD: I want the OSAF project to be well recognized in the forensics and malware analysis community. I eventually want to get more people on board to help analyze applications, maintain the site and answer any questions people may have. One day, I hope companies will be knocking on our door asking if they can sponsor us, in order to help fund and build the project, while keeping it 100% free of charge.

HTCIA: How long have you been a student HTCIA member? How long have the other students been?

SD: I am actually the founder and President of the University of Cincinnati’s HTCIA student chapter. I started the student chapter back in May 2011. I think we have a little over 20 student members (a mix of IT, IS and Criminal Justice students) in our chapter so far, but I have been getting a lot of email lately about new students interested in joining the chapter.

My team members for this project are not student members of HTCIA sadly. I would like for them to be members, but we only have 3 more months of school before we graduate. I will definitely get them to become full HTCIA members upon graduation.

HTCIA: Anything else you want to mention about the project?

SD: I just want people to know about us and the goals of our project. We can agree that the web is entirely too large right? I feel like it is hard for start-up sites, like us, to make it big these days unless they provide content that interests a vast majority of people, or if the site provides a service that interests organizations.

We want OSAF to be a site that provides both content and services of interest. Organizations, and the general public, have to realize that mobile malware is not going to magically disappear any time soon. Criminals will eventually get more crafty in the way they embed malicious code into applications; who knows, maybe to the point where the malicious codes circumvents the Android permissions mechanism.

That’s where OSAF has an advantage over anyone else. Anyone can ask OSAF to analyze an application, a community member will perform analysis, give the analysis report/results to the OSAF admins for review, then the OSAF admins will publish the finding on the threat index. Ripping apart applications is the only real way to find Android malware, because we all know how well Android “Anti-Virus” works.

Find and bookmark osaf-community.org, and keep an eye out for the site’s development, currently slated for completion in May! Shadi says that the toolkit is currently available online for download, and the malware analysis documentation will be complete in May as well.

Image: victoriawhite2010 via Flickr

Advertisements

February for HTCIA: Chapter meetings and other notable events

February 3, 2012

Whether you’re local to our chapters or traveling to their cities, we welcome your participation in our training and education. We’ve got four upcoming special events as well as regular chapter meetings this month:

HTCIA Chapter Meetings

February 7

HTCIA Ottawa will present “Inclusion of Forensic Video Analysis Within an Agency’s Digital Forensic Program” in Russell’s Lounge at the Ottawa Police Association from 5:30-8 p.m. Jeff Spivack, an IAI Board Certified Forensic Video Examiner, will demonstrate how forensic multimedia analysts obtain investigative leads and actionable intelligence from files that might otherwise be discarded.

Spivack has worked as a Forensic Multimedia Analyst with the Las Vegas Metropolitan Police Department, and has been accepted as an expert witness in courts throughout the U.S. In addition to conducting case work, Jeff is also Cognitech, Inc.’s Forensic Video Software Certification Instructor, and Senior Instructor of Video Forensics for Forensic Data Recovery, Inc., Cognitech’s Canadian affiliate.

For more information and to register, see the Ottawa HTCIA website. Non-HTCIA members are welcome for a guest fee of $15.00.

Also on February 7, our Southern California chapter will be holding a joint meeting with ISACA Los Angeles. A dinner meeting at Monterey Hill Restaurant (3700 W Ramona Blvd., Monterey Park, CA), the presentation, a computer forensics case study, will run from 5:30-8:30 p.m.

Guidance Software’s head of Risk Management, Andy Spruill, will provide his first-hand account of the landmark Victor Stanley, Inc. v. Creative Pipe, Inc. the intellectual property theft case that spawned not one, but two, landmark legal decisions in the world of digital forensics and eDiscovery. To register, please visit ISACA LA’s website.

February 9

Atlanta HTCIA will present “Forensics in your PJs” from 7:30-9:30 a.m. A breakfast meeting at American InterContinental University in Dunwoody, Georgia, the meeting will show you how to use various resources and tools on the internet to gather data. From Facebook to blogs what you can learn while sitting in your PJs!

Speaker Buffy Christie is Senior Director of Equifax Global Security.  Buffy has a BS in Criminal Justice, Forensic Science.  She is a CFE (Certified Fraud Examiner)  and is President of the Southeastern IAFCI (International Association of Financial Crimes Investigators).

To register for this event, visit Atlanta HTCIA’s EventBrite page.

February 10

Texas Gulf Coast HTCIA will meet from 1:00-3:00 p.m. at the FBI Greater Houston Regional Computer Forensics Laboratory. Those planning to attend will need to be vetted by the FBI prior to the meeting. In order to attend, contact Ms. Julie Campbell, Receptionist, Pathway Forensics (713.301.3380) and provide her with your name, DOB and DL#. Chapter members should also RSVP to the Evite invitation that was sent to the e-mail account on file with HTCIA International.

February 14

Midwest HTCIA is offering an Android forensics and software demo by Christopher Triplett, Sr. Forensic Engineer of viaForensics. From 8:30-11:30 a.m., Mr. Triplett will cover Android File Systems, Android Forensic Analysis Techniques, and a demonstration of viaForensics’ viaExtract product.

Midwest HTCIA’s chapter meetings are located in Oakbrook Terrace, IL at the ICE office (16th floor, Oakbrook Terrace Tower).

February 15

Minnesota HTCIA will meet in the Ridgedale Library, RHR West Room in Minnetonka.

February 16

Member Mike Wilkinson’s monthly DFIR Online Meetup will feature Peter Coons and John Clingerman providing e-discovery case studies , along with Jonathan Rajewski speaking on “N unaqf ba (cra/cncre) rkrepvfr va onfvp pelcgbybtl/pelcgnanylfvf”… or, “A hands on (pen/paper) exercise in basic cryptology/cryptanalysis.” Join in at 8:00 p.m.!

February 17

Washington state HTCIA will be meeting between 10am-12pm. Topic and speaker both TBD.

February 21

Central Valley HTCIA will be meeting at 12:00 noon at the Stanislaus County Sheriff’s Office, 250 East Hackett Road in Modesto, CA. Tentative topics are a presentation on TOR by Cullen Byrne, and an update on the group Anonymous by an FBI representative. Lunch to be provided.

Austin HTCIA, meanwhile, will meet from 1:30 to 3pm at the REJ Building. Rick Andrews will be going over navigation in EnCase v7. Come with questions!

February 22

Atlantic Canada HTCIA will meet from 5:30-7:30 p.m. with Jan Cox from Oracle presenting on the topic of SQL injection, among other things. An update on the chapter’s conference planning efforts will also take place.

February 24

From 11:00 A.M. – 3:00 P.M. at University Hall, Room 465 (51 Goodman Dr. in Cincinnati), Ohio HTCIA will be offering a presentation on Incident Response: Live Memory Capture and Analysis. Presenter Justin Hall has 15 years of experience in the information technology field and has spent the last seven focused on information security.

Mr. Hall is currently a security architect for CBTS, a technology services provider in the Cincinnati area – consulting with the firm’s enterprise customers in developing vulnerability management, incident response, and endpoint & network defense programs. He is a frequent speaker at information security community events, a SANS mentor, and holds a GCIH, GCFA and GPEN.

Following Mr. Hall’s presentation, lunch will be provided and the chapter’s business meeting conducted.

Also on Friday, our Kentucky chapter will meet at 1:oopm at Boone County Sheriff’s Office. Tom Webster will present about Internet Evidence Finder.

February 29

San Diego HTCIA will meet at the Admiral Baker Clubhouse in San Diego. Lunch will be served at 11:30, with the presentation (yet to be determined) running from 12:00-1:00 p.m. HTCIA members are also welcome to attend the 10 a.m. board meeting that day.

Lunch is free for all current members, $20 for guests, and $35 for new members with completed  HTCIA membership forms. RSVP is required, so please RSVP ASAP to treasurer@htcia-sd.org! This will assist in planning for seating and food requirements.

Northern California HTCIA will also be meeting on February 29. Topic and location to be determined.

Special Training Events

February 6-11: SANS COINS event coming to Los Angeles!

Rob Lee’s newest SANS course, FOR408 Computer Forensic Investigations-Windows In-Depth will be in sunny Los Angeles, CA February 6-11. Taught by Mark Gonyea, FOR408 focuses on the critical knowledge of the Windows OS that every digital forensic analyst must know to investigate computer incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

FOR408 will include a SANS Investigative Forensic Toolkit (SIFT) Essentials with a Tableau Write Block Acquisition Kit and a course DVD loaded with case examples, tools, and documentation. HTCIA members can save an additional 10% off tuition when you enter Discount Code “COINS10”! Full course information and registration info is available at http://www.sans.org/los-angeles-2012-cs/

February 15

ISSA Ottawa and Women in Defence & Security will be co hosting a National Capital Security Partners’ Forum Event featuring Marene Allison, VP & CISO of Johnson and Johnson. The opening speaker will be Rennie Marcoux, Assistant Secretary to the Cabinet (PCO); the closing speaker will be Carol Osler, VP Physical Security TD Bank. For more information and to register, see http://www1.carleton.ca/npsia/upcoming-events/4409-2

February 20-24

Free law enforcement training! Minnesota HTCIA is advertising “Fighting Cyber Crime”, 40 POST credits’ worth of courses at the St Cloud State Campus. The training is a response to the increased ease with which people can access the Internet to commit crimes, as well as the increased emphasis on issues of homeland security. Participants will learn ways to uncover, protect, and exploit digital evidence to respond to crimes. Register via the course flyer at http://www.mn-htcia.org/documents/Cybercrimecourseflyer.pdf.

February 27-March 1

The New York District Attorney’s Office has partnered with the National White Collar Crime Center to offer Cybercop 101 – Basic Data Recovery & Acquisition (BDRA) to qualified members. This 4 day course teaches the fundamentals of computer operations and hardware function, and how to protect, preserve and image digital evidence.

This class introduces participants to the unique skills, best practices and methodologies necessary to assist in the investigation and prosecution of computer crime. It includes presentations and hands-on instruction on such topics as Partitioning, Formatting, Data Storage, Hardware and Software write blockers, the Boot Up process, and Duplicate Imaging. Register here for this and future courses!

REMEMBER: To get discounts or free training (where applicable), you must be a member.  Please join or renew your 2012 membership today!


Platinum sponsor MSAB: A full spectrum of mobile forensics labs

July 20, 2011

To provide a fully rounded spectrum of information about mobile device forensics, Platinum sponsor Micro Systemation AB, makers of XRY and XACT, is offering a variety of labs built to be valuable to investigators, not just the company.

Branded content will be presented, of course, from MSAB product specialists Jansen Cohoon and James Eichbaum, along with technical trainer Shaun Sutcliffe. Python scripting labs will support XRY functionality, while Sutcliffe will present a “Mobile Forensics Fundamentals” course designed to teach core process irrespective of tools used.

There will also be an XRY-specific lab. “We’re focusing on providing quality training without making infomercials,” says Cohoon. “Of course we’re going to talk about XRY, but our primary interest is to teach methods that will be useful with any tool.”

But Cohoon adds that his experience as a reserve deputy with the Oktibbeha County (Mississippi) Sheriff’s Office led him to want to offer more depth. As a result, MSAB will be offering labs on iOS forensics and Apple’s new iCloud service, as well as labs on Android and GPS forensics. Two other labs will go in-depth with cell site analysis and mapping.

Hands-on Python scripting

Cohoon will be teaching about Python scripting for forensic examiners. Python has been part of XRY since 2009 and is starting to catch on within the investigative community.

“A lot of law enforcement agencies are finding value in having someone on staff who can do scripting, whether writing EnScripts or working with Python, dd and other languages,” Cohoon explains. “Programming isn’t something everyone can do, but Python is popular in university computer science departments because it’s easy and is built in a way that forces good code writing.”

These qualities make it a good tool for forensics. “Scripting brings the investigator to the vendor level,” says Cohoon, “giving more insight into how their tools work and what they do.” And that can only strengthen courtroom testimony as investigators detail the processes they use to obtain evidence. “You’re not changing the data — you’re finding more of it,” Cohoon says.

His beginner-level lab will focus on the Python application, including some existing scripts, what they do and what investigators will see after running them. He’ll also discuss how the scripts and their results relate to XRY, MSAB’s flagship tool.

For example, he says, “You might have a phone that you know a lot of SMS are on, but you’re not getting them even though XRY supports the phone and got the file system. So, you can write an SMS script and program it to add its output to the .xry file, and you get the messages that way.” His advanced scripting lab, meanwhile, will cover writing new scripts as well as modifying existing ones.

iOS, iCloud, Android and GPS

Cohoon will be teaching iOS device and iCloud forensics in another lab. “The OS is constantly evolving, so we’re going to try to make the lab as up-to-date as possible,” he says — possibly even including iOS 5, if it becomes available in enough time to engineer for it.

Meanwhile, iCloud, the service that is slated to replace Apple’s MobileMe remote phone access feature, will carry its own forensic implications. “We’ll be talking about the artifacts, and what is available and important to investigators from the iCloud service,” says Cohoon.

Another lab will focus on Android. “Vendors are just starting to incorporate Android physical acquisitions into their tools, so we want investigators to understand the platform,” says Cohoon. Instructor Eichbaum, formerly a detective with the Stanislaus County (Calif.) Sheriff’s Office, will cover — among other things — rooting and “shell rooting,” which Cohoon explains is like live RAM acquisition. Eichbaum will also be teaching a lab on introductory GPS forensics.

App Overtime

Neither iOS nor Android experiences would be complete without third party “apps” — applications, which lend additional functionality to the core product. In another lab, Cohoon will discuss the “investigative wealth” within these apps, together with a variety of tools both free and commercial that can be used to examine their data.

“Investigators may dump the phone, but they don’t always see what’s in the dump, and they miss evidence,” Cohoon says. “For instance, Apple now strips much of the geolocation data, but many apps still contain it.”

He’ll cover eight or nine popular apps, such that they’ll be able to spot what Cohoon calls “repetitive patterns” they’ll see as they continue to explore apps. “Apps are all built on SQLite, XML and so on,” he explains, “so those languages underlie whatever investigators turn up in their analyses.”

Cell site analysis and mapping

Rounding out the labs will be basic- and advanced-level courses on cell site analysis and mapping. Jim Cook of Premier Customer Connections, a California wireless consulting firm that is unaffiliated with MSAB, will go more in-depth from his “Cell Phones: the New DNA” lecture. His basic lab will show investigators how to map cell sites, azimuths and call detail record correlations, while his advanced lab will get into real world cases — in which participants will be asked to map, as accurately as possible, cell sites, sectors and call detail as well as SMS records.

Dealing with any of these issues in your law enforcement or corporate investigations? Register for the HTCIA conference today — https://www.htciaconference.org/registration.html