Glenn K. Bard Public Agency Training Council tech Chief Technical Officer PA State Trooper – Retired NCMEC – Project ALERT CISSP, EnCE, CFCE, CHFI, A+, Network+, Security+, ACE, AME 2 #ISC2Congress PATCtech Glenn Bard, CTO Scott Lucas, Instructor and Examiner Steve Dempsey, Instructor Brian Sprinkle, Case Manager and Software consultant James Alsup, Director - PATC 3 #ISC2Congress App Analysis » Now onto the Apps • For starters, What are Mobile Applications? • A mobile application (or mobile app) is a software application designed to run on smartphones, tablet computers and other mobile devices. They are usually available through application distribution platforms, which are typically operated by the owner of the mobile operating system, such as the Apple App Store, Google Play, Windows Phone Store, and BlackBerry App World. • Source: Wikipedia 4 #ISC2Congress App Analysis » How many people use apps? • According to ABI, it is predicted there will be 56 Billion apps downloaded……….. In 2013 alone. • ABI also estimates that app downloads will generate 25 Billion dollars………. In 2013 alone. » Clearly apps can contain the evidence we need to prove our cases. » And the data criminals want to steal. 5 #ISC2Congress App Analysis » What kind of apps can be important? • Messaging apps: KIK, Kakao, Textie, TextMe, TextPlus, ooVoo, Skype, Yahoo! IM, and so on. • Social Networking: Facebook, Instagram, Twitter, FourSquare. • Cloud Storage: Dropbox, CloudOn, Evernote • GPS: TeleNav, Google Maps, Mapquest • Vaults: Private Phone Vault, NQ Vault, Hide Photos • Picture sharing: SnapChat, Wickr, Blink • Travel: Kayak, Delta, United 6 #ISC2Congress App Analysis » How are we going to get the data out of these apps? • The apps are going to contain certain types of files depending on the OS. – Apple: DB, SQL, SQLite, and Plist – Android: DB, SQL, SQLite and XML 7 #ISC2Congress App Analysis » Where are we going to find these files? • Most common place, the device. • But also: – Backups – SD Card 8 #ISC2Congress App Analysis » And there are some easy locations to remember to find it: First up: iOS Private / var / Mobile And this location you will find subfolders, the two we are going to focus on: Applications: Third part apps Library: iOS installed apps 9 #ISC2Congress App Analysis 10 #ISC2Congress Applications Library 11 #ISC2Congress App Analysis » And on Android, one of the main locations: • Data / Data • Then in that location many apps. • Under each app pay attention to: – Shared Prefs – Databases » Note: All of the “flavors” of Android are different, and this is just a guideline, not a steadfast rule. 12 #ISC2Congress App Analysis 13 #ISC2Congress App Analysis 14 #ISC2Congress Shared Prefs Databases 15 #ISC2Congress App Analysis » What tools are we going to need? • Free: – – – – Mozilla FireFox with the add on SQLite Manager Plist Editor Notepad DCode • Pay: – Oxygen Forensic Suite has an amazing SQLite Database and Plist viewer. (The one we are using today.) – Many other forensic tools such as MPE, Device Seizure, SecureView , Mobiledit, Lantern, UFED and so on. 16 #ISC2Congress App Analysis » What kind of things can we find? • • • • • Locations Voicemails “Form Data” Passwords And so much more. » Now let’s do it on a real phone: 17 #ISC2Congress App Analysis » » » » » » Glenn K. Bard [email protected] Cell: 724-289-0699 Office: 800-365-0119 Website: PATCtech.com Twitter.com/PATCtech » https://www.facebook.com/pages/PATCTech/116471378378526 18 #ISC2Congress