www.encase.com/ceic
Challenges in Obtaining and Analyzing Information
from Mobile Devices by Oxygen Forensics
(C) Oxygen Software, 2000-2014
http://www.oxygen-forensic.com
Quick poll: your favorite way of mobile communication?
Voice calls?
SMS?
Emails?
Modern smartphone users don't think so…
What happens in the world of mobile applications every 60 seconds
Modern ways of communication
- Messengers (WhatsApp, Kik, Viber, Skype, Google Talk, …)
- Social networks (Facebook, Twitter, Instagram, …)
- Voice/video calls (Skype, Viber, Facebook, Google Voice, …)
- Geo-aware services (Foursquare, Google Places, Facebook, Yelp, …)
- Hundreds of contacts, thousands of messages and calls, gigabytes of log files
- Most services incorporate several types of communication; the most popular ones implement just one feature
Struggling to extract the maximum data out of the WhatsApp application
Contents:
- What is it? Numbers, facts, functions
- Extracting WhatsApp data from devices
- Analyzing extracted data
- Getting deleted information
- Extras
- Viber - a real alternative
- Summary
WhatsApp in the world. Numbers, facts, functions
Numbers
- the most popular and widely used messenger right now (WhatsApp 465 mln, Skype 300 mln, Viber 280 mln);
- multiplatform product (iMessage, Hangouts, Skype).
Facts
- Modern way of registration: no account is required, just a phone number;
- List of contacts created automatically based on address book contacts.
Functions
- Main function: sending text messages; easier and cheaper than SMS;
- Additional functions: sharing photos, audio, video, contacts, geo-location
Data extraction.
iOS, Android, BlackBerry. Different approaches and their disadvantages
- multiplatform solution: iOS, Android, BlackBerry, Windows Phone, Symbian, Nokia S40
- completely different approaches to data extraction
iOS
- iTunes backup
  - can be password protected (need to know the password)
  - lock-screen password required
- physical dump
  - old models only (up to iPhone 4, iPad 1, iPod Touch 5gen)
- jail-breaking
  - can be unavailable for the latest iOS versions (there is a version for iOS 7.1!)
  - lock-screen and backup passwords required
  - a lot of new files and log entries left on the device
  - Internet connection required
- advanced logical
  - lock-screen password
  - alternative for encrypted iTunes backup only
- iCloud backup
  - account name and password
Android
- physical dump
  - chip-off
  - custom recovery
  - boot loader exploits
- rooting and physical via logical + FS
  - rooting procedure is not always available
  - rooting procedure can be destructive
  - lock-screen password required
- Android backup
  - Android OS 4.* only
  - not all devices supported
  - lock-screen password required
  - unpredictable data set
- extra files on flash card (details later)
BlackBerry
- OS 10 - new OS, new protection principles, new problems
- BlackBerry backup
  - no device is needed
  - Internet connection required
  - account password must be known (the account name is stored inside the backup)
  - a live device must be unlocked to create a backup
- extra files on flash card (similar to Android smartphones)
Data analysis
Standard client for iOS, Android, BlackBerry, etc.: no need to examine any other applications
- Common information about the account (phone number, name, photo)
- List of contacts (all contacts, WhatsApp contacts)
- Private messages
- Groups and group messages
- Photo and audio messages, video clips
- Geo coordinates
- vCards
- Dictionary (deleted words and messages)
Data analysis. File structure. Platform differences
- /private/var/mobile/Applications/net.whatsapp.WhatsApp/*
  - /Documents, /Library/Logs, /Library/Media, /Library/Preferences
- /Documents: Contacts.sqlite, ChatStorage.sqlite - the main databases
- /Documents: SyncHistory.plist - timestamps of recent syncs with a PC
- /Documents: Colors.plist - list of recent chat parties with the colors to show; phone numbers, but you already have them in contacts
- /Library/Media - all media files used for private and group chats (a separate folder for each chat, with subfolders for every piece of media and its thumbnail); files are not stored embedded within the databases; instead, links to the physical files are stored
- /Library/Logs - not much of interest (last connection time, phone owner's phone number, information about recently recorded audio/video)
- /Library/Preferences/net.whatsapp.WhatsApp.plist - app settings: user ID, display name, phone number, some stats regarding sent bytes, received message count, etc.
- lockdown service - lockdown_info.plist (common information about the phone)
- mobilesync service - Bookmarks.plist, Calendars.plist, Contacts.plist, MailAccounts.plist, Notes.plist
- iosdiagnostics service - diagnostic_info.plist (debug information)
- file relay service - keyboard cache (dictionaries), log of application installations, voicemail, user databases (address book, calendar, SMS, e-mail account list), user photos, system logs of various kinds
- installation_proxy - list of installed applications, application parameters and data files
- com.apple.mobile.file_relay.MobileInstallation.cpio.gz - application installation timestamps
- com.apple.mobile.installation_proxy.plist - list of installed applications
- com.apple.mobile.file_relay.CrashReporter.cpio.gz - app crash reports
- com.apple.mobile.installation_proxy - app data (the most interesting and useful service)
  - net.whatsapp.WhatsApp - folder with WhatsApp data
  - iTunes-backup-like structure (without /private/var/mobile/Applications)
  - additional folders: /Library/Caches, /tmp
  - /Library/Caches:
    - duplicates of pictures stored in /Library/Media
    - /net.whatsapp.WhatsApp/Cache.db - cache of recent requests to the WhatsApp server
    - /Snapshots/net.whatsapp.WhatsApp/Main/ - screenshot of the last screen state
  - /tmp - temporary storage for recorded media files (duplicates of what is stored in /Library/Media); no deleted files here
Jailbroken device:
- /private/var/mobile/Applications/196569DB-1E75-4318-9547-6C591D4A7B4F
  - /Documents, /Library, /tmp
  - /StoreKit, /WhatsApp.app - the application itself (new in comparison with AdvLog)
/data/data/com.whatsapp - user data (Android)
- /databases - wa.db, msgstore.db
- /files - profile data, contacts' pictures (/Avatars), log files (/Logs)
- /shared_prefs - com.whatsapp_preferences.xml, RegisterPhone.xml - settings
- /data/user/0/com.whatsapp, /data/user/1/com.whatsapp - folders for data created by different device users (tablet version of Android OS); /data/data/com.whatsapp - active user data
- /data/media/0 -> sdcard emulation; /data/media/0/WhatsApp = /sdcard/WhatsApp (sdcard -> /mnt/sdcard -> /storage/emulated/legacy/0)
  - can be mapped to another folder! So it's safer to check /sdcard/WhatsApp
  - media content (images, audio, video, voice notes)
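The symlink chain quoted above (sdcard -> /mnt/sdcard -> /storage/emulated/legacy/0) is a trap when the extraction has been copied out as a directory tree: the link targets are absolute device paths, so resolving them with the host's normal routines (filepath.EvalSymlinks) walks the examiner's own /mnt, not the image. The following Go program is an added example, not Oxygen's code, and assumes nothing beyond an extraction stored as a plain directory tree; it builds a constructed tree with that exact mapping and resolves /sdcard/WhatsApp/Media component by component, re-rooting every absolute link target at the image root.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// ResolveInImage resolves devicePath (an absolute path as seen on the device)
// inside an extracted filesystem tree stored under root, following symlinks one
// component at a time. Absolute link targets are re-rooted at root instead of the
// examiner's host root, which is where filepath.EvalSymlinks would look.
func ResolveInImage(root, devicePath string) (string, error) {
	parts := splitPath(devicePath)
	resolved := "/"
	hops := 0
	for len(parts) > 0 {
		name := parts[0]
		parts = parts[1:]
		switch name {
		case "", ".":
			continue
		case "..":
			resolved = path.Dir(resolved)
			continue
		}
		candidate := path.Join(resolved, name)
		hostPath := filepath.Join(root, filepath.FromSlash(candidate))
		fi, err := os.Lstat(hostPath) // Lstat: do not let the host follow the link
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink == 0 {
			resolved = candidate
			continue
		}
		hops++
		if hops > 40 {
			return "", errors.New("symlink loop or chain too long")
		}
		target, err := os.Readlink(hostPath)
		if err != nil {
			return "", err
		}
		if !path.IsAbs(target) {
			target = path.Join(resolved, target) // relative to the link's directory
		}
		// Restart from the image root with the target's components ahead of the rest.
		parts = append(splitPath(target), parts...)
		resolved = "/"
	}
	return resolved, nil
}

func splitPath(p string) []string {
	return strings.Split(strings.Trim(path.Clean("/"+filepath.ToSlash(p)), "/"), "/")
}

// BuildSampleImage lays out a constructed extraction root mirroring the mapping
// from the slide: /sdcard -> /mnt/sdcard -> /storage/emulated/legacy/0.
func BuildSampleImage(root string) error {
	for _, d := range []string{"storage/emulated/legacy/0/WhatsApp/Media", "mnt"} {
		if err := os.MkdirAll(filepath.Join(root, d), 0o755); err != nil {
			return err
		}
	}
	if err := os.Symlink("/storage/emulated/legacy/0", filepath.Join(root, "mnt", "sdcard")); err != nil {
		return err
	}
	return os.Symlink("/mnt/sdcard", filepath.Join(root, "sdcard"))
}

func main() {
	root, err := os.MkdirTemp("", "extraction")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := BuildSampleImage(root); err != nil {
		panic(err)
	}
	got, err := ResolveInImage(root, "/sdcard/WhatsApp/Media")
	fmt.Println("in-image resolution:", got, err)
	// The host-relative resolver chases /mnt/sdcard on the examiner's machine.
	_, err = filepath.EvalSymlinks(filepath.Join(root, "sdcard", "WhatsApp", "Media"))
	fmt.Println("host-relative resolution error:", err)
}
```

Resolving inside the image is what tells you where /sdcard/WhatsApp really lands on this particular device; the returned device path is the folder to check for media, and a missing component surfaces as an error rather than silently resolving against the host.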
/data/data/com.whatsapp folder contents
/data/media/0/WhatsApp folder contents
- /apps/com.whatsapp
  - /db = /databases, /f = /files, /sp = /shared_prefs, /r - resources
  - /sdcard data may be skipped during data extraction
For BB 10: app/com.whatsapp.WhatsApp.gYABgD934jlePGCrd74r6jbZ7jk
- /settings/pps/services/notify/settings - cat.com.whatsapp.WhatsApp, evt._all_.com.whatsapp.WhatsApp (common app display parameters)
- appdata, sharewith (empty)
- /appdata - /data, /logs (empty), /tmp (empty)
- /data - contactStore.db, messageStore.db (db format differs from iOS/Android)
- /data/contacts/* - contacts' pictures (links in contactStore.db)
- /data/http_cache/*, /data/thumb_cache/* - content cache (similar to the cache folders in iOS)
- /data/enhancedcontent/*, /data/mapKit3Dcontent/* - primitives to draw maps (no user content)
- /data/Settings/WhatsApp Inc./WhatsApp.conf - app settings (username, user phone number; format differs from iOS)
Search and recovery of deleted data
- SQLite databases only (well, not always)
Messages: text messages and traces in dictionaries
Photos, audio and video records
- Pictures are stored within the database
- Audio and video records are stored as links to external files
vCards, geo locations
The logs!
- /Logs subfolder; created daily (if WhatsApp was used); very verbose
- keep information regarding picture creation, location detection, timestamps, phone numbers
- only for Android
- good old carving method
- suitable mostly for pictures (photos and geo-locations)
- no way to link recovered pictures to recovered records (you cannot recover file names and timestamps)
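The carving approach above relies only on the content of the bytes, which is why it yields pictures but neither names nor timestamps. The Go program below is an added example, not part of the Oxygen deck, showing what a signature carver for JPEG actually does and the one edge case a naive search for the end-of-image marker gets wrong: a photo carrying an EXIF thumbnail contains a second, nested SOI/EOI pair, so a carver must walk the marker segments by their declared lengths rather than stop at the first FF D9. The "disk image" it scans is constructed inline, and the JPEGs in it are structurally valid stubs rather than real pictures.

```go
package main

import (
	"bytes"
	"fmt"
)

// Carved is one candidate picture found in unallocated space. Only the offset and
// the bytes are known: no file name, directory entry or timestamp survives carving.
type Carved struct {
	Offset int
	Data   []byte
}

var jpegSOI = []byte{0xFF, 0xD8, 0xFF} // start of image plus the first marker byte
var jpegEOI = []byte{0xFF, 0xD9}       // end of image

// jpegEnd walks the marker segments of a JPEG starting at raw[start] and returns the
// offset just past its EOI. Segment lengths are honoured, so a thumbnail embedded in
// an APP1 (EXIF) segment, which has its own SOI/EOI pair, does not end the carve early.
func jpegEnd(raw []byte, start int) (int, bool) {
	p := start + 2 // skip SOI
	for p+2 <= len(raw) {
		if raw[p] != 0xFF {
			return 0, false // not a marker: corrupt, or not really a JPEG
		}
		marker := raw[p+1]
		switch {
		case marker == 0xFF: // fill byte before a marker
			p++
		case marker == 0xD9: // EOI with no scan data at all
			return p + 2, true
		case marker == 0xDA: // SOS: byte stuffing keeps FF D9 out of entropy-coded data
			i := bytes.Index(raw[p+2:], jpegEOI)
			if i < 0 {
				return 0, false // truncated image
			}
			return p + 2 + i + 2, true
		case marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7): // standalone markers, no length
			p += 2
		default: // every other segment carries a big-endian length that includes itself
			if p+4 > len(raw) {
				return 0, false
			}
			segLen := int(raw[p+2])<<8 | int(raw[p+3])
			if segLen < 2 {
				return 0, false
			}
			p += 2 + segLen
		}
	}
	return 0, false
}

// CarveJPEGs scans raw bytes (for example unallocated flash pages) for JPEG images.
func CarveJPEGs(raw []byte) []Carved {
	var found []Carved
	pos := 0
	for pos < len(raw) {
		i := bytes.Index(raw[pos:], jpegSOI)
		if i < 0 {
			break
		}
		start := pos + i
		end, ok := jpegEnd(raw, start)
		if !ok {
			pos = start + 1 // false positive or truncated image: keep scanning
			continue
		}
		found = append(found, Carved{Offset: start, Data: raw[start:end]})
		pos = end
	}
	return found
}

// fakeJPEG builds a structurally valid but meaningless JPEG stub for the sample.
func fakeJPEG(thumb, scan []byte) []byte {
	img := []byte{0xFF, 0xD8}
	if thumb != nil {
		n := 2 + len(thumb) // APP1 length field counts itself
		img = append(img, 0xFF, 0xE1, byte(n>>8), byte(n))
		img = append(img, thumb...)
	}
	img = append(img, 0xFF, 0xDA, 0x00, 0x02) // minimal SOS header
	img = append(img, scan...)
	return append(img, 0xFF, 0xD9)
}

// SampleDiskImage returns a constructed blob imitating unallocated space: filler,
// a JPEG with an embedded thumbnail, more filler, a plain JPEG. The two expected
// images are returned alongside so the carver's output can be checked.
func SampleDiskImage() ([]byte, [][]byte) {
	thumb := fakeJPEG(nil, []byte("t"))
	img1 := fakeJPEG(thumb, []byte("scan-data-one"))
	img2 := fakeJPEG(nil, []byte("scan-data-two"))
	var raw []byte
	raw = append(raw, bytes.Repeat([]byte{0x00}, 7)...)
	raw = append(raw, img1...)
	raw = append(raw, bytes.Repeat([]byte{0xAB}, 5)...)
	raw = append(raw, img2...)
	raw = append(raw, bytes.Repeat([]byte{0x00}, 3)...)
	return raw, [][]byte{img1, img2}
}

func main() {
	raw, _ := SampleDiskImage()
	for _, c := range CarveJPEGs(raw) {
		fmt.Printf("JPEG at offset %d, %d bytes\n", c.Offset, len(c.Data))
	}
}
```

Each result is an offset and a byte range and nothing else, which is exactly the limitation the slide states: linking a carved picture back to a recovered message row needs another source, such as the thumbnail still referenced from the database or the daily log entries about picture creation.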
Encrypted backups on flash drives in Android devices
- Daily copies of the messages database within a week (no contacts!)
- Chance to see groups and messages deleted recently which cannot be recovered from the master SQLite database
Encrypted backups on flash drives in BlackBerry devices
- Daily copies of the messages database within a week (no contacts!)
- Chance to see groups and messages deleted recently which cannot be recovered from the master SQLite database
Encrypted backups on flash drives in Android and BlackBerry devices
- Android: AES-128-ECB; the encryption key (192-bit) is stored in the client application: 4j#e*F9+Ms%|g1~5.3rH!we,
- BlackBerry: "old" (REMF) and "new" ("WA") formats
  - hardware encryption key for the old format
  - new format:
    - proprietary encryption mechanism (no relation to BB encryption)
    - the same encryption key as for Android
    - another method of encryption (AES-128)
- Inside: a message database of the same format as msgstore.db for Android, messageStore.db for BlackBerry
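Two properties of the scheme described above decide what an examiner can get from these backup copies: the key ships inside the client, so anyone holding the application binary holds the key and the backup's confidentiality rests on nothing else; and ECB mode encrypts each 16-byte block independently, so identical plaintext blocks (repeated records, padding runs) produce identical ciphertext blocks and the structure of a database shows through before any decryption. The Go program below is an added illustration, not Oxygen's code and not a decoder for the real backup format; it uses a constructed 16-byte key and a constructed plaintext (a SQLite header followed by three identical records) to show both properties: the repeated blocks are visible in the ciphertext, and the embedded key recovers the database outright.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"errors"
	"fmt"
)

// Constructed 16-byte key (AES-128) standing in for a key that ships inside a client.
var EmbeddedKey = []byte("constructed-key!")

// Constructed plaintext: the 16-byte SQLite header, then three identical 16-byte records.
var SamplePlaintext = append([]byte("SQLite format 3\x00"), bytes.Repeat([]byte("DELETED-MSG-0001"), 3)...)

// pad applies PKCS#7 padding so the data is a whole number of blocks.
func pad(data []byte, bs int) []byte {
	n := bs - len(data)%bs
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// unpad strips and validates PKCS#7 padding.
func unpad(data []byte, bs int) ([]byte, error) {
	if len(data) == 0 || len(data)%bs != 0 {
		return nil, errors.New("data is not block-aligned")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > bs || n > len(data) {
		return nil, errors.New("bad padding")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("bad padding")
		}
	}
	return data[:len(data)-n], nil
}

// EncryptECB encrypts with AES in ECB mode: each block on its own, no IV, no chaining.
func EncryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padded := pad(plaintext, bs)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += bs {
		block.Encrypt(out[i:i+bs], padded[i:i+bs])
	}
	return out, nil
}

// DecryptECB reverses EncryptECB; with the key taken from the client, this is all it takes.
func DecryptECB(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(ciphertext)%bs != 0 {
		return nil, errors.New("ciphertext is not block-aligned")
	}
	out := make([]byte, len(ciphertext))
	for i := 0; i < len(ciphertext); i += bs {
		block.Decrypt(out[i:i+bs], ciphertext[i:i+bs])
	}
	return unpad(out, bs)
}

// RepeatedBlocks counts ciphertext blocks that duplicate an earlier block. Under ECB,
// equal plaintext blocks give equal ciphertext blocks, so the count leaks structure
// (here: repeated records in the database) without touching the key.
func RepeatedBlocks(ciphertext []byte, bs int) int {
	seen := map[string]bool{}
	dups := 0
	for i := 0; i+bs <= len(ciphertext); i += bs {
		k := string(ciphertext[i : i+bs])
		if seen[k] {
			dups++
		}
		seen[k] = true
	}
	return dups
}

func main() {
	ct, err := EncryptECB(EmbeddedKey, SamplePlaintext)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d ciphertext bytes, %d blocks repeat an earlier block\n", len(ct), RepeatedBlocks(ct, 16))
	pt, err := DecryptECB(EmbeddedKey, ct)
	fmt.Printf("recovered with the embedded key: %v (err=%v)\n", bytes.Equal(pt, SamplePlaintext), err)
}
```

For the examiner the first property is the useful one: a key that is the same on every installation means the daily copies on the flash card are readable without any per-device secret. For anyone assessing the scheme, the second property is the warning: a mode that preserves block equality is not a confidentiality mechanism for structured data such as a database, even when the key is kept secret.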
Summary
- Data extraction methods vary for different platforms
- The set and completeness of the data depend on the method of extraction
- Table formats may vary for different platforms
- Some of the data can be encrypted
- Deleted data can be recovered; the set of the data depends on the method of extraction
- Each application's data structure must be examined separately
- A new version of the application client can sometimes require data analysis to start again from the very beginning