Hoàng Sỹ Tường
AN OVERVIEW OF DIGITAL FORENSICS ON THE ANDROID OPERATING SYSTEM
Digital forensics is a branch of forensic science that uses technical methods to recover and investigate data found on electronic or digital devices. Mobile forensics aims to recover digital evidence from mobile devices in order to reconstruct events, which helps to identify criminal behaviour or supports the prediction of illegal activities such as deliberate intrusion, theft of information, or disruption of the operation of mobile devices.
From a legal point of view, mobile digital forensics gives investigating agencies, when they investigate crimes in the field of high-tech crime, convincing digital evidence on which sanctions for unlawful acts can be based.
Digital forensics on Android mobile devices uses three techniques: the logical technique, the physical technique, and the recovery of deleted data.
LOGICAL TECHNIQUE
1. Characteristics of the logical technique
In most cases the following data can be extracted: contacts, call logs, SMS/MMS messages, application data, and system configuration information. Most of this data is stored in SQLite databases, so a large amount of data can be recovered through logical extraction.
When performing digital forensics on an Android device, the limiting factor is usually not the potential data but the analyst's level of access to it. All of the data listed above, when held in the device's internal memory, is protected, and root privileges are required to read it. Without root, analysts have to apply some privilege-escalation method to gain access to data such as contacts, call logs, messages and so on. These methods often carry risk: they can alter the device's data and can even turn the device into a "brick".
Tạp chí CNTT&TT, Issue 1 (6.2016), p. 37
TECHNOLOGY - SOLUTIONS
2. Extracting data via adb - USB debugging
Starting with Android 4.2.2, Google added the Secure USB option, which adds a further confirmation step, shown on the device screen, for the connection to the computer; this prevents adb from accessing a locked device from untrusted computers. If "Always allow from this computer" is chosen, the device stores the computer's RSA key and the extra prompt no longer appears in later connections to that computer, even while the phone is locked.
- ADB pull
The "adb pull" command is used to pull files from the Android device to the computer. The command format is:
adb pull [-p] [-a] <remote> [<local>]
3. ADB backup extractions
The ADB backup feature was added by Google starting with Android 4.0 Ice Cream Sandwich. It allows a user or forensic analyst to back up application data to a computer. The process does not require the device to be rooted, so it is quite useful for digital forensic analysis.
- Command format for ADB backup
The command format for the ADB backup feature is:
adb backup [-f <file>] [-apk|-noapk] [-obb|-noobb] [-shared|-noshared] [-all] [-system|-nosystem] [<packages...>]
- Analysing an adb backup
The backup output is stored as an .ab file, which is really a .tar archive compressed with the Deflate algorithm. If a password was entered on the device when the backup was created, the file will also be AES-encrypted.
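The layout just described can be checked with a short script. The following Python example is added here and is not part of the original article: it builds a constructed, unencrypted .ab image in memory, then parses the text header that adb writes in front of the payload (the ANDROID BACKUP magic line, the format version, the compression flag and the encryption scheme) and inflates the payload back into a tar archive. An encrypted backup (encryption line AES-256) is detected and refused, because its payload can only be decrypted with the key derived from the user's backup password; the sample file name and content inside the tar are constructed.

```python
import io
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP\n"


def build_sample_ab(files, compress=True, version=1):
    """Constructed fixture: an unencrypted .ab image built from {tar_name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    payload = buf.getvalue()
    if compress:
        payload = zlib.compress(payload)  # Deflate inside a zlib wrapper, as adb writes it
    header = AB_MAGIC + f"{version}\n{1 if compress else 0}\nnone\n".encode()
    return header + payload


def parse_ab_header(blob):
    """Return (version, compressed, encryption, payload) from the .ab text header."""
    if not blob.startswith(AB_MAGIC):
        raise ValueError("not an Android backup file (missing ANDROID BACKUP magic)")
    rest = blob[len(AB_MAGIC):]
    fields = []
    for _ in range(3):  # version, compression flag, encryption scheme, each newline-terminated
        nl = rest.index(b"\n")
        fields.append(rest[:nl].decode("ascii"))
        rest = rest[nl + 1:]
    version, compressed, encryption = fields
    return int(version), compressed == "1", encryption, rest


def is_encrypted(blob):
    """True when the header names an encryption scheme other than 'none'."""
    return parse_ab_header(blob)[2] != "none"


def ab_to_tar(blob):
    """Convert an unencrypted .ab file to raw tar bytes; refuse encrypted backups."""
    version, compressed, encryption, payload = parse_ab_header(blob)
    if encryption != "none":
        raise ValueError(f"backup is encrypted ({encryption}); the password-derived key is required")
    return zlib.decompress(payload) if compressed else payload


def list_backup_entries(blob):
    """Map every regular file in the backup to its content (e.g. apps/<pkg>/db/<name>.db)."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(blob)), mode="r") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}


if __name__ == "__main__":
    sample = build_sample_ab({"apps/com.example.notes/db/notes.db": b"SQLite format 3\x00"})
    for name, content in list_backup_entries(sample).items():
        print(name, len(content), "bytes")
```

On a real capture, read backup.ab as bytes, write the result of ab_to_tar to a .tar file and open it with ordinary archive tools; the SQLite databases of each application sit under apps/<package>/db/ inside the archive.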
4. Adb dumpsys
Dumpsys is a tool built into the Android operating system, normally used to display the status of the services running on the device. However, it can also be helpful for forensic analysis.
- Dumpsys batterystats
Command: adb shell dumpsys batterystats. Displays the services and their running times.
- Dumpsys procstats
Command: adb shell dumpsys procstats. Displays processor usage by the running applications. It is a method that can be used to tell which applications were used recently on the device.
- Dumpsys user
Starting with Android Jelly Bean, Google added support for multiple users on tablets. With Lollipop, Google extended this support to phones. One of the challenges in forensic analysis is proving which users have used the device, that is, who was behind the keyboard.
The command adb shell dumpsys user displays the last-login information for all users.
- Dumpsys WiFi
The WiFi service displays all SSIDs for which a connection has been saved. This can show that the device was at a particular location; more detailed information also exists on the file system, but viewing it requires root. Using dumpsys we can access this data without requiring root.
- Dumpsys notification
The notification service provides information about active notifications. This can be useful for recording the state of a device at the time it was seized, or for identifying which application displayed a specific notification. Each notification can be quite large and contain a great deal of information, only some of which may be useful.
Figure 1: Hex content of gesture.key.
5. Bypassing the screen lock
The screen lock is one of the most troublesome aspects of Android forensics. Usually the whole investigation depends on the forensic analyst's ability to gain access to the device. There is no universal method of bypassing the screen lock; it depends on the version of the operating system, the device settings and, importantly, the skill of the mobile forensic analyst.
- Types of screen lock
Several methods are in use: None/Slide, pattern lock, password/PIN, Smart Lock, and fingerprint security.
- Using ADB: requires a rooted device, requires USB debugging, and requires Secure USB debugging to be satisfied (depending on the Android version).
- Booting into a custom recovery mode: does not require root (root is provided by the recovery image), does not require USB debugging (done via fastboot), does not require Secure USB debugging, but requires an unlocked bootloader.
- Using the Google mail account, if one is available.
6. Cracking the Android pattern lock
Suppose we already have the hash file containing the pattern-lock information, gesture.key, whose contents look like Figure 1.
The hex content is the SHA-1 hash of the lock pattern. In practice there is only a limited number of patterns: each pattern has at least 4 and at most 9 digits, and each digit is used only once. The most feasible method for breaking this hash is a dictionary attack.
7. Bypassing the PIN and password
The password on an Android device is stored as a hash value. To protect weak passwords, before hashing, the password or PIN string is combined with a salt value generated by the operating system. To crack the PIN/password we need the hash value of the password and salt held in the file password.key, and we must recover the salt value from locksettings.db.
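The two artefacts named in sections 6 and 7 share a weakness that the following Python example, added here and not part of the original article, makes concrete: gesture.key holds an unsalted SHA-1 over at most nine bytes, so the complete pattern space can be hashed ahead of time, and password.key holds the SHA-1 and MD5 of the password joined to a salt that is stored in plain form in locksettings.db. The functions reproduce the two on-disk formats as the platform's lock-settings code wrote them in the Android 4.x era, read the salt from a constructed locksettings.db, and count the pattern space. The salt value, the sample PIN and the fixture's table layout are constructed for the example; from Android 6 onward the lock credentials are stored in a different, Gatekeeper-backed form, so these formats apply only to the generation of devices the article discusses.

```python
import hashlib
import os
import sqlite3
import tempfile
from math import perm


def gesture_hash(pattern):
    """gesture.key (Android 4.x): unsalted SHA-1 over the visited node indices 0..8 as raw bytes."""
    nodes = list(pattern)
    if (not 4 <= len(nodes) <= 9 or len(set(nodes)) != len(nodes)
            or any(not 0 <= n <= 8 for n in nodes)):
        raise ValueError("a pattern visits 4 to 9 distinct nodes numbered 0..8")
    return hashlib.sha1(bytes(nodes)).hexdigest()


def pattern_keyspace_upper_bound():
    """Ordered selections of 4..9 distinct nodes out of 9. Android also forbids jumping over
    an unvisited node, so the real count is lower; even this bound is under a million."""
    return sum(perm(9, k) for k in range(4, 10))


def salt_from_locksettings(db_path):
    """Read lockscreen.password_salt (stored as a signed 64-bit decimal) and render it the way
    the platform does before hashing: lowercase hex of the value taken as an unsigned long."""
    con = sqlite3.connect(db_path)
    try:
        row = con.execute(
            "SELECT value FROM locksettings WHERE name = 'lockscreen.password_salt'"
        ).fetchone()
    finally:
        con.close()
    if row is None:
        raise LookupError("lockscreen.password_salt not present in locksettings.db")
    return format(int(row[0]) & 0xFFFFFFFFFFFFFFFF, "x")


def password_key(password, salt_hex):
    """password.key layout of that era: uppercase SHA-1 hex followed by uppercase MD5 hex,
    both over (password + salt_hex); 72 characters in total."""
    salted = (password + salt_hex).encode("utf-8")
    return hashlib.sha1(salted).hexdigest().upper() + hashlib.md5(salted).hexdigest().upper()


def make_sample_locksettings(salt_value, db_path=None):
    """Constructed fixture mimicking the locksettings table (name, user, value); returns the path."""
    if db_path is None:
        fd, db_path = tempfile.mkstemp(suffix=".db")
        os.close(fd)
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE IF NOT EXISTS locksettings "
                "(_id INTEGER PRIMARY KEY, name TEXT, user INTEGER, value TEXT)")
    con.execute("INSERT INTO locksettings (name, user, value) VALUES (?, 0, ?)",
                ("lockscreen.password_salt", str(salt_value)))
    con.commit()
    con.close()
    return db_path


if __name__ == "__main__":
    print("pattern hashes a dictionary needs at most:", pattern_keyspace_upper_bound())
    path = make_sample_locksettings(-8031573897394271234)  # constructed salt
    salt = salt_from_locksettings(path)
    print("salt as used in hashing:", salt)
    print("password.key content for the constructed PIN 1234:", password_key("1234", salt))
    os.remove(path)
```

The point for an examiner is the contrast between the two files: the pattern hash has no salt at all, so one precomputed table covers every device, while the password hash is at least per-device, but the salt lives unprotected beside it in the same settings database.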
Figure 2: Hex content of the file password.key.
Figure 3: Hex content of the file locksettings.db.
8. Collecting SIM card data
The SIM card contains information such as contacts, SMS messages, dialled numbers, the SIM serial number and so on. Checking and extracting the information on the SIM is a quick process; the SIM should be removed from the device and examined separately with a SIM card reader and software that supports SIM forensics. One such free program can be found at http://www.mobiledit.com/downloads.
PHYSICAL TECHNIQUE
1. Physical data extraction with dd
The dd command is a Linux command-line utility used to convert and copy files; it is commonly used to create a bit-by-bit image of an entire disk. Many variants of dd are in common use, such as dc3dd, ddrescue and dd_rescue. The dd command has many options to set, for example:
dd if=/dev/block/mmcblk0 of=/sdcard/blk0.img bs=4096 conv=notrunc,noerror,sync
2. Analysing a full physical image
Once a disk image has been obtained by the methods above, the analyst uses it to extract information. Many tools make this easy; one useful open-source tool for this purpose is Autopsy. The latest version at the time of writing is 4.0.0, with builds for Windows as well as Linux and OS X, downloadable from http://www.sleuthkit.org/.
3. RAM analysis
RAM is volatile memory; it does not retain data after the device is powered off or restarted. If a device has been rooted and is seized, imaging its RAM is a mandatory and top-priority step. The device must be placed in Airplane mode, any other network connections such as WiFi and Bluetooth must be disabled, and RAM must be imaged immediately to avoid the device running out of battery before the data in RAM can be captured.
4. SD card analysis
- Data held on the SD card
Typically the SD card contains the following storage locations:
- /DCIM: stores photos taken on the device;
- /Pictures/Screenshots: contains screenshots of the device;
- /Download: contains files downloaded to the device;
- /Android/data: the data storage location for many applications;
- /AppName: the data storage location for many applications.
5. Advanced methods
- JTAG
JTAG is a standard developed by the Institute of Electrical and Electronics Engineers (IEEE) of the USA. During device manufacturing it is used to communicate with processors through a dedicated interface for testing purposes. Fortunately for Android forensics, it also allows the analyst to communicate directly with the processor and extract a full physical image of flash memory.
- Chip-off
Chip-off involves heating the device's circuit board until the solder joints holding the required components melt, after which the flash memory chip is removed and used for analysis. The memory chip can then be read with commercial tools, producing a full physical disk image. The chip-off technique, like JTAG, originates from the commercial manufacturing of electronic devices: the process of melting solder joints is used to place or remove components on a circuit board.
RECOVERING DELETED DATA FROM ANDROID DEVICES
1. Recovering deleted data from the SD card
Devices running the Android operating system usually use the FAT32 file system on the SD card, mainly because FAT32 is widely supported across many operating systems, including Windows, Linux and Mac OS X. Files of up to about 4 GB are supported on a FAT32 disk. Recovering data from the SD card can be fairly easy if the card is mounted on a computer as a disk. If the SD card is removable, it can be mounted on the computer with a card reader.
2. Recovering deleted data from internal memory
Recovering deleted data from Android's internal memory, such as application data, is hardly supported at all by analysis tools, for two main reasons:
First, unlike the common file systems used on SD cards, the file systems used in internal memory are not recognised and mounted by digital forensic analysis tools.
Second, the analyst does not have access to the internal memory partitions; to gain that access the device must be rooted. However, rooting an Android device involves writing some data to the internal memory partitions, and this process can overwrite some valuable data on the device.
- Recovering deleted data by analysing SQLite files
Data related to text messages, email and most application data is stored in SQLite files. An SQLite database can retain deleted data within its own database file. Records marked as deleted by the user no longer appear in the active SQLite database, yet it is possible to recover deleted data, such as text messages, contacts and much more, by analysing those SQLite files.
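The mechanism behind that paragraph is that SQLite, unless secure_delete is on or the file is vacuumed, only marks a deleted record's cell as free space and leaves its bytes in the page. The following Python example is added here and is not part of the original article: it builds a constructed sms-like database, deletes two rows, and then contrasts what a normal query returns with what a scan of the raw file finds. The scan collects printable runs from the whole file and discards those fully explained by live row values, the schema text and the file header, so whatever remains came from freed cells or unallocated page space. The table layout, numbers and message texts are constructed.

```python
import os
import re
import sqlite3
import tempfile


def make_sample_sms_db(db_path=None):
    """Constructed fixture: an sms-like table from which two rows are deleted without VACUUM."""
    if db_path is None:
        fd, db_path = tempfile.mkstemp(suffix=".db")
        os.close(fd)
    con = sqlite3.connect(db_path)
    con.execute("PRAGMA secure_delete = OFF")  # explicit: overwrite-on-delete would zero the cells
    con.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    con.executemany("INSERT INTO sms (address, body) VALUES (?, ?)", [
        ("+84900000001", "meet at the usual place"),
        ("+84900000002", "REMOVED bring the documents tonight"),
        ("+84900000003", "ok see you"),
        ("+84900000004", "REMOVED second removed message"),
    ])
    con.commit()
    con.execute("DELETE FROM sms WHERE body LIKE 'REMOVED%'")
    con.commit()
    con.close()
    return db_path


def live_bodies(db_path):
    """What a forensic tool that only runs queries would report."""
    con = sqlite3.connect(db_path)
    try:
        return [r[0] for r in con.execute("SELECT body FROM sms ORDER BY _id")]
    finally:
        con.close()


def live_text(db_path):
    """Every string a query can still see: row values, sqlite_master fields, file header."""
    con = sqlite3.connect(db_path)
    try:
        vals = {v for row in con.execute("SELECT address, body FROM sms") for v in row}
        vals |= {v for row in con.execute("SELECT type, name, tbl_name, sql FROM sqlite_master")
                 for v in row if v}
    finally:
        con.close()
    vals.add("SQLite format 3")
    return vals


def printable_runs(raw, min_len=8):
    """Printable ASCII runs of at least min_len bytes anywhere in the file."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, raw)]


def recover_deleted_strings(db_path, min_len=8):
    """Runs in the raw file (freeblocks and unallocated page space included) that are not
    explained by live data; on a real messaging database these are the deleted records."""
    with open(db_path, "rb") as f:
        raw = f.read()
    known = sorted(live_text(db_path), key=len, reverse=True)
    hits = []
    for run in printable_runs(raw, min_len):
        residual = run
        for k in known:
            residual = residual.replace(k, "\x00")  # blank out everything that is still live
        if any(len(seg) >= min_len for seg in residual.split("\x00")):
            hits.append(run)
    return hits


if __name__ == "__main__":
    path = make_sample_sms_db()
    print("query sees:", live_bodies(path))
    print("raw scan adds:", recover_deleted_strings(path))
    os.remove(path)
```

The recovered runs still carry a few record-header bytes in front of the text, because only the first four bytes of a freed cell are overwritten by the freeblock header; a fuller parser would decode the remaining serial types to split the fields apart.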
- Recovering deleted data using the carving technique
File carving is a very useful method in investigation because it allows hidden or deleted files to be recovered for analysis. Put simply, file carving is the process of reassembling file fragments in a system whose metadata is missing or defective.
In file carving, specific file types are searched for and extracted from the binary data that makes up the forensic image of a partition or an entire disk.
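The procedure just described, as an added Python example that is not part of the original article: a raw image such as the one produced by the dd command earlier is scanned for two file types that matter on an Android device, JPEG photos (header FF D8 FF paired with the next FF D9 trailer) and SQLite databases (header "SQLite format 3" followed by the page size and page count stored in the 100-byte file header, which tell the carver how many bytes to cut). The image is constructed in memory from filler bytes, a minimal JPEG-shaped blob and a real SQLite file created on the fly; every carved object is reported with its offset, size and SHA-256 so it can be tracked as evidence.

```python
import hashlib
import os
import sqlite3
import struct
import tempfile

JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"
SQLITE_MAGIC = b"SQLite format 3\x00"


def _record(kind, start, data):
    return {"type": kind, "offset": start, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(), "data": data}


def carve_jpeg(image, max_size=16 * 1024 * 1024):
    """Header/footer carving: each SOI marker is paired with the next EOI within max_size."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end < 0:  # truncated or fragmented file: skip this header and keep scanning
            pos = start + len(JPEG_SOI)
            continue
        data = image[start:end + len(JPEG_EOI)]
        found.append(_record("jpg", start, data))
        pos = end + len(JPEG_EOI)
    return found


def carve_sqlite(image):
    """Header-plus-length carving: the SQLite header records the page size (offset 16,
    16-bit big-endian, 1 meaning 65536) and the page count (offset 28, 32-bit big-endian)."""
    found, pos = [], 0
    while True:
        start = image.find(SQLITE_MAGIC, pos)
        if start < 0 or start + 100 > len(image):
            break
        page_size = struct.unpack(">H", image[start + 16:start + 18])[0]
        page_size = 65536 if page_size == 1 else page_size
        page_count = struct.unpack(">I", image[start + 28:start + 32])[0]
        size = page_size * page_count if page_count else page_size  # old files may leave the count at 0
        data = image[start:start + size]
        found.append(_record("sqlite", start, data))
        pos = start + len(data)
    return found


def build_sample_image():
    """Constructed raw image: filler, a minimal JPEG-shaped blob, filler, a real SQLite file."""
    jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01" + b"\x5a" * 48 + JPEG_EOI
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE contacts (name TEXT, number TEXT)")
    con.execute("INSERT INTO contacts VALUES ('sample', '+84900000000')")
    con.commit()
    con.close()
    with open(path, "rb") as f:
        db = f.read()
    os.remove(path)
    image = b"\x00" * 512 + jpeg + b"\x5a" * 300 + db + b"\x00" * 256
    return image, jpeg, db


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for item in carve_jpeg(image) + carve_sqlite(image):
        print(item["type"], "at", item["offset"], item["size"], "bytes", item["sha256"][:16])
```

Header/footer carving only works for contiguous files; a fragmented JPEG would be cut at the wrong trailer, and the SQLite size read from the header is only trustworthy when the file was written by a library new enough to maintain it, so carved results should always be validated by opening them.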
3. Analysing backup data
One recommendation when performing a forensic analysis of an Android device is to check whether the device has any backup applications or files installed. A number of backup applications are widely used; with them, users can back up their data to the SD card, to a computer or to the cloud.