Wednesday, March 13, 2013

Cellebrite File System Dump

Back when I was first figuring out how to acquire the Samsung Galaxy Camera, I did a file system dump using Cellebrite's UFED Logical. Having some time after work, I decided to take a look at what the Cellebrite found using the Physical Analyzer we have at the LCDI. I didn't spend a serious amount of time looking at the data since it was dumped early in the research stage and not much had been done yet.

I had never used the Physical Analyzer before today, but from my short interaction with it, I found it to be quite useful and extensive. Below you can see the left panel that provides you with numerous types of data to look at. The first thing I looked at was the SMS messages, since technically the camera isn't a phone. There is no default text message application on the camera, so this text had to have come from either the application Talkatone or Google Voice. Either way, it's very interesting that the Cellebrite picked it up as being a text message and not just some application cache.

Next, I looked at Facebook data. There were many different SQLite databases found, not for just Facebook, but for the entire camera. This was expected and the Physical Analyzer did a great job of parsing the databases, as well as giving me an option to export them. Looking at a database without it being parsed can be tricky to get through, but I wanted to see what data was stored in plain text. Below is the database file for the Facebook friends Sammy Sung has. I used my brother's data for an example. You'll notice that the camera, and many other devices, store pretty personal information:

In yellow we obviously have my brother's name on Facebook, Joe Stamm. Right after that we're given his email address and phone number because it is on his Facebook page. This link includes his Facebook ID, but has been blurred out for privacy reasons. Below that, highlighted in green, we have a link to his profile picture. Upon putting the link into a web browser, I was presented with a picture of my brother. Luckily, he got some of my good looks.

Now, I could struggle through the rest of the ASCII and try to get the same information for all the other Facebook users that are friends with Sammy Sung, but that would take way too much time. Instead, I used the built-in database parser. Just by clicking on the .db file, I was automatically brought to the Database View within the Physical Analyzer. This presented me with an organized list of data, including the Facebook ID and first and last name of every Facebook friend Sammy has, their email address, their phone number, and their birthday. This data is only presented if the users have this information on their Facebook page:

Lastly, I noticed Physical Analyzer had a Timeline option. A timeline in any forensic software is such a relief and saves an examiner from rummaging through months or even years and years of data. So within this feature, I can jump to whatever date I want to and look for specific things that were occurring on the camera at that time. Below you'll see that on January 30, numerous bookmarks were deleted and on January 31, various emails were sent to the camera:


Wednesday, March 6, 2013

Where am I?

I'll have to admit that I have been slacking lately with this project as I've been so busy with school and work. Now that I'm on spring break for a week, I finally have plenty of time to get some things done. Every time I think I'm done gathering data, I think of something else I'd like to do. So with respect to doing a full analysis, I am not there yet. In the meantime, I have been playing around with Oxygen and Santoku. I haven't deleted any data yet, but I wanted to forensically look at the data I have so far.

I downloaded Oxygen Forensic Suite 2013 and surprisingly, the camera was recognized. This was not the case when I first tried Oxygen, but that was before the camera was rooted and I was using an older version of the software. Knowing that both EnCase 7 and Oxygen can acquire the camera, I decided to dabble some more into Santoku.

Today I found my Android Forensics book (which I've been looking for this whole time) and used Santoku's terminal to try the logcat and dumpsys commands. I used the command "adb shell logcat > log.txt" to dump the logs from the camera to a text file on Santoku. I found that this dump didn't capture as much data as the command "adb logcat" did. Using the latter, the results were presented within the terminal and were updated every couple of seconds. I noticed that when I touched the screen on the camera, the log was updated with the word PUSHED, and when I shut the display off, a number of LCD requests were created. It was pretty interesting to watch the log do a live update and it's something I'd like to look further into.

What I found more interesting, though, was the command "adb shell dumpsys > dump.txt". This dump consists of account data, application data, network data, and much more. It turns out to be a pretty extensive document and can take a while to sort through if you don't know what you're looking for specifically. Thanks to Andrew Hoog's Android Forensics book, I was able to filter through the dump and find what I wanted.

I ran the command and opened the dump.txt file. I found the 6 accounts created on the camera:

You'll notice the dump says 7 accounts, but this is because it is associating the name Sammy Sung with the Facebook account.

Next, I looked for Last Known Locations, which provided me with pretty exciting data:

Looking at the mTime under Passive, we can convert that number to:

Beneath the mTime is mLatitude and mLongitude. This is the location of the camera when it last connected to a cell tower. I threw these numbers into this website to see if the locations were accurate. I had expected the locations to be somewhat close to where I was, but to my surprise, they were dead on:
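Pulling the mTime, mLatitude and mLongitude values out of a saved dump.txt by hand gets tedious once there are several providers, so here is a small parser I wrote as an added example (not from the post, Santoku, or Andrew Hoog's book). It assumes the Android 4.x `dumpsys location` layout, where each provider prints a `Location[...]` record with comma-separated `name=value` fields, and mTime is milliseconds since the Unix epoch; the sample dump, coordinates and timestamp are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of the "Last Known Locations" section as dumpsys location
# prints it on Android 4.x. The coordinates and timestamp are made up.
SAMPLE_DUMPSYS = """Current Location Manager state:
  Last Known Locations:
    passive: Location[mProvider=passive,mTime=1362161718483,mLatitude=44.476,mLongitude=-73.213,mHasAltitude=false,mAltitude=0.0,mHasSpeed=false,mSpeed=0.0,mHasBearing=false,mBearing=0.0,mHasAccuracy=true,mAccuracy=1500.0,mExtras=null]
    network: Location[mProvider=network,mTime=1362161718483,mLatitude=44.476,mLongitude=-73.213,mHasAccuracy=true,mAccuracy=1500.0]
"""

# "<provider>: Location[<fields>]" -- non-greedy so one record per line.
LOCATION_RE = re.compile(r"(\w+): Location\[(.*?)\]")


def parse_last_known_locations(text):
    """Return {provider: {field: value}} for every Location[...] record.

    Fields are split on commas, which is fine as long as mExtras is null
    (a populated Bundle would need a real tokenizer).
    """
    records = {}
    for provider, body in LOCATION_RE.findall(text):
        records[provider] = dict(part.split("=", 1) for part in body.split(","))
    return records


def mtime_to_utc(mtime):
    """mTime is milliseconds since the Unix epoch; return an aware UTC datetime.

    Integer seconds plus a millisecond timedelta avoids float rounding.
    """
    ms = int(mtime)
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)


def summarize(text):
    """Reduce a dump to the fields an examiner wants: when and where, per provider."""
    out = {}
    for provider, f in parse_last_known_locations(text).items():
        out[provider] = {
            "time_utc": mtime_to_utc(f["mTime"]).isoformat(),
            "lat": float(f["mLatitude"]),
            "lon": float(f["mLongitude"]),
            # Accuracy only means something when the record says it has one.
            "accuracy_m": float(f["mAccuracy"]) if f.get("mHasAccuracy") == "true" else None,
        }
    return out


if __name__ == "__main__":
    for provider, info in summarize(SAMPLE_DUMPSYS).items():
        print(provider, info)
```

To run it against a real capture, read dump.txt into a string and pass it to summarize() instead of SAMPLE_DUMPSYS; the reported time is UTC, so convert it to the examiner's or the device's zone before comparing with other artifacts.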

I'm still looking more into what logcat and dumpsys have to offer. Andrew's book goes into numerous other Linux commands to run in order to find all sorts of data on the camera. I plan on spending the rest of my week trying out these commands and gathering as much data as possible from them.