
Tools and Processes for Forensic Analyses of Smartphones and Mobile Malware


Academic year: 2021


(1)

Tools and Processes for Forensic Analyses of Smartphones and Mobile Malware

Michael Spreitzenbarth, March 21st 2011

(2)

Agenda

About the Project

Introduction

Android Forensics

ADEL & Panoptes

Mobile Malware

Further Work

(3)

About

Aims of the project:

Development of forensic methods and tools

Development of mobile Honeypots / Honeynets

Development of mobile Sandbox

POC of attack and defense scenarios

Participants:

Ruhr University Bochum

University of Erlangen-Nuremberg

G-Data

Recurity Labs

(4)

Why Android?

Open Source mobile OS

Biggest growth rate in sector

Many different manufacturers

Many different fields of application (smartphone, tablet, TV...)

According to the leading market research companies THE mobile OS of the future

(5)

Top Smartphone Platforms, 3 Month Average, January 2011
Market-Share (%) of Smartphone Subscribers

Platform    US     Europe
Apple       24,7   20,0
Google      31,2   24,3
Microsoft    8,0   13,7
Palm         3,2   --
RIM         30,4   15,0
Symbian     --     27,0

Source: comScore MobiLens & IDC European Quarterly Mobile Phone Tracker

(6)

Android Forensics

Security restrictions of the Android platform

SQLite databases

Filesystem:

YAFFS2

EXT4

(7)

Android Forensics

Panoptes

Software-Agent

ADEL

„Forensic“ Software

(8)

Panoptes

Software Agent (on-phone-toolkit)

Java app

Uses Content Provider to access the databases

Generates CSV files

Has to be installed on the device

(9)
(10)

ADEL (Android Data Extractor Lite)

Modular design

Connection through adb

Dumps SQLite databases

Uses its own SQLite parser

Generates XSL / XML report
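The slides say ADEL ships its own SQLite parser rather than trusting the library on the device. As an added illustration (my code, not ADEL's), the block below reads the two structures such a parser has to understand first: the 100-byte file header and the sqlite_master b-tree on page 1, from which every table, index and root page of a dumped database can be enumerated without the SQLite library. It runs against a constructed throwaway database; the file name mmssms.db is my stand-in for a phone's SMS store, not a path taken from the slides.

```python
import pathlib, sqlite3, struct, tempfile

def read_varint(buf, pos):
    # SQLite varint: big-endian, 7 bits per byte; a 9th byte contributes all 8 bits
    val = 0
    for i in range(8):
        val = (val << 7) | (buf[pos + i] & 0x7F)
        if not buf[pos + i] & 0x80:
            return val, pos + i + 1
    return (val << 8) | buf[pos + 8], pos + 9
def read_record(page, pos):
    # leaf-table cell: payload size, rowid, record header (one serial type per column), data
    pos = read_varint(page, read_varint(page, pos)[1])[1]   # skip payload size and rowid
    hdr_start, (hdr_size, pos) = pos, read_varint(page, pos)
    body, cols = hdr_start + hdr_size, []                   # column bytes follow the header
    while pos < hdr_start + hdr_size:
        t, pos = read_varint(page, pos)
        n = (t - 12) // 2 if t >= 12 else t                 # bytes: 12|13+2n BLOB/TEXT, 1..4 INTEGER
        raw, body = page[body:body + n], body + n
        if t >= 12:
            cols.append(raw.decode() if t % 2 else raw)     # odd = TEXT, even = BLOB
        elif 1 <= t <= 4:
            cols.append(int.from_bytes(raw, "big", signed=True))
        else:
            raise ValueError("serial type %d not handled by this example" % t)
    return cols

def parse_header(data):
    # 100-byte file header: magic, page size at offset 16 (1 encodes 65536), page count at 28
    magic, page_size, page_count = struct.unpack(">16sH10xI", data[:32])
    if magic != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database")
    return (65536 if page_size == 1 else page_size), page_count
def schema_entries(data):
    # sqlite_master is the table b-tree rooted at page 1; its page header begins at byte 100
    page = data[:parse_header(data)[0]]
    if page[100] != 0x0D:                        # 0x0D = leaf table page, 0x05 = interior
        raise ValueError("schema root is an interior page; descent not implemented")
    ncells = struct.unpack(">H", page[103:105])[0]
    ptrs = struct.unpack(">%dH" % ncells, page[108:108 + 2 * ncells])
    return [read_record(page, off) for off in ptrs]   # [type, name, tbl_name, rootpage, sql]

def make_sample_db():
    # constructed stand-in for a database dumped from a handset (no real device data)
    path = pathlib.Path(tempfile.mkdtemp()) / "mmssms.db"
    con = sqlite3.connect(path)
    con.executescript("CREATE TABLE sms(_id INTEGER PRIMARY KEY, address TEXT, body TEXT);"
                      "CREATE INDEX sms_addr ON sms(address);")
    con.close()
    return path.read_bytes()
```

Overflow pages and a multi-page schema tree are deliberately left out; a real forensic parser must follow both, since a rooted device can hold hundreds of schema rows.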

(11)
(12)

Conference on Digital Forensics, Security and Law

Richmond, Virginia, USA May 25-27, 2011

Forensic Analysis of Smartphones:

The Android Data Extractor Lite

Felix Freiling, Michael Spreitzenbarth, Sven Schmitt

(13)

Mobile Malware

Smartphones have powerful hardware

First malware sighted:

ZeuS-MITMO

DroidDream

zHash

Only few detection processes

Nearly no defensive measures

(14)

Mobile Sandbox

Android based sandbox for malware analysis

Fully automated analysis process and reporting

Is it possible to adopt known approaches?

CWSandbox or MobileSandbox

ptrace or strace

(15)

Further Work

Creation of forensic tools and procedures for YAFFS2 and EXT4

Increased functionality of ADEL

Analyze and „understand“ Android malware

Building a Mobile Sandbox for Android

(16)

Questions?

(17)

Thank you very much for your attention

Michael Spreitzenbarth

Chair for IT Security Infrastructures

University of Erlangen-Nuremberg

91058 Erlangen-Tennenlohe

michael.spreitzenbarth@informatik.uni-erlangen.de

(18)

References

F. Freiling, S. Schmitt, and M. Spreitzenbarth, „Forensic Analysis of Smartphones: The Android Data Extractor Lite (ADEL)“, in Conference on Digital Forensics, Security and Law, 2011.

T. Holz, F. Freiling, C. Willems, „Toward Automated Dynamic Malware Analysis Using CWSandbox“, in 3rd European Wireless Conference, 2007.

M. Becher, „MobileSandbox“, http://mobilesandbox.org

Tux logos from the website http://tux.crystalxp.net/

iPhone vs. Android vs. BlackBerry from the website http://www.csectioncomics.com/2010/11/iphone-vs-android-vs-blackberry.html
