Slide1
Carfra & Lawton
Smartphone Security and Best Practices
www.tcsforensics.ca
Slide2
Overview
The Rise of Smartphones
Introduction to Smartphone Forensics
Smartphone Security
- Threats
- Live DEMO
- Best Practices and Recommendations
Slide3
Things have changed!
According to IDC, smartphone manufacturers shipped 100.9 million devices in the fourth quarter of 2010, while PC manufacturers shipped 92.1 million units worldwide. Or, more simply put, smartphones just outsold PCs for the first time ever.
Slide4
In the News
Slide5
The Rise of Smartphones
IBM Simon (1993)
Slide6
Global Sales Q3 2010
16/04/2012
Source: Canalys August, 2010.
Slide7
The Vendors
Research in Motion
Apple
Google
Slide8
The Software
Blackberry OS 7.0.0
iOS 5.0.2
Android Ice Cream Sandwich
Slide9
Blackberry (BB OS)
Slide10
Blackberry (BB OS)
Slowest release cycle
First supported by Lookout
Generally proactive patch policy
Strong track record of properly implemented encryption/wiping
Slide11
Blackberry (BB OS)
September, 2011
Elcomsoft – Russian company cracks Blackberry encryption. Bypass passwords.
January 16, 2012
Cellebrite – We can now recover deleted content from Blackberrys (including PIN messaging)
Slide12
iPhone (iOS)
Slide13
iPhone (iOS)
Moderate development cycle
Poor disclosure/response to security issues
Greatest selection of apps
Encryption and lock issues
Greatest selection of spyware
16 gig or 32 gig
(16-32 pickup truck beds full of paper)
Slide14
iPhone (iOS)
May 2010
Ubuntu Linux Bypasses iPhone Pincode & Encryption
July 2009
SMS Message Allows Total Control of iPhone
Slide15
Android (Google)
Slide16
Android (Google)
Most open model
Insanely rapid development and adoption
Deployed on a wide range of hardware
problematic for centralized mobile management
Current devices don’t support hardware encryption
Slide17
Android (Google)
November 2010
Jon Oberheide releases the Angry Birds Bonus Levels app as proof of the Android Marketplace’s vulnerability.
July 2010
Wallpaper app downloaded 4.6 million times sent users’ SIM numbers, subscriber IDs and voicemail passwords to China.
Slide18
Smartphone Forensics
Slide19
Like a computer?
Smartphones are computers.
Where is the data?
What can be recovered?
Forensic process
Slide20
Smartphones are computers
You can create, edit, and modify documents
You can browse the internet
You can check, respond to, and create email
Online banking
Connect to wireless networks
Corporate email
Instant Messaging (WhatsApp, MSN Messenger)
Slide21
Where is the data?
Internal Phone Storage
MicroSD Storage cards
Phone backups on a computer
SIM Card
Slide22
What can be recovered?
SMS/MMS Text messages
Call history (incoming, outgoing, missed)
Call duration / date and time
Pictures, Video, Audio
Email and Internet History
Documents / Email Attachments
Instant messenger chat history
Slide23
What can be recovered?
How are files recovered?
Slide24
Forensic Process
Preview
Acquisition
Evidence handling
Analysis and reporting
Slide25
Preview Stage
Device Assessment & Action Plan
- Can the device be acquired?
- What do we have? What do we need?
- How many devices? Models?
Slide26
Acquisition
The process of mirroring the contents of a Smartphone and calculating checksum values (Hashing) to ensure integrity.
Slide27
Evidence Handling Stage
Maintain chain of custody
Ensure the legitimacy of the evidence presented in court is unquestionable
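An added example, not part of the original presentation, tying the Acquisition and Evidence Handling stages together: the acquired image is hashed with SHA-256, and each custody record stores that digest and the hash of the previous record, so a change to the image or to the log is detected on verification. The record fields, function names, timestamps and sample bytes are constructed for illustration.

```python
import hashlib, io, json

def hash_image(stream, chunk_size=1 << 20):
    """SHA-256 of an acquired image, read in chunks so large dumps fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def _entry_hash(body):
    # Canonical JSON (sorted keys) so the same record always hashes the same.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_custody_entry(log, actor, action, image_digest, when):
    """Append a custody record bound to the image digest and to the previous record."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    body = {"actor": actor, "action": action, "image_sha256": image_digest,
            "when": when, "prev": prev}
    log.append({**body, "entry_hash": _entry_hash(body)})
    return log

def verify(log, stream):
    """Return a list of problems; an empty list means image and log are intact."""
    if not log:
        return ["custody log is empty"]
    problems, current, prev = [], hash_image(stream), "0" * 64
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if _entry_hash(body) != entry["entry_hash"] or entry["prev"] != prev:
            problems.append(f"entry {i}: custody record altered or out of sequence")
        if entry["image_sha256"] != current:
            problems.append(f"entry {i}: image digest mismatch")
        prev = entry["entry_hash"]
    return problems

# Constructed sample bytes standing in for a phone image (not real evidence).
SAMPLE_IMAGE = b"\x00SIM\x00sms.db\x00" * 4096

def demo():
    log = []
    digest = hash_image(io.BytesIO(SAMPLE_IMAGE))
    add_custody_entry(log, "examiner-a", "acquired", digest, "2012-01-01T09:00:00Z")
    add_custody_entry(log, "examiner-b", "received for analysis", digest, "2012-01-01T13:30:00Z")
    clean = verify(log, io.BytesIO(SAMPLE_IMAGE))
    tampered = verify(log, io.BytesIO(SAMPLE_IMAGE[:-1] + b"\x01"))  # one byte changed
    return clean, tampered

if __name__ == "__main__":
    print(demo())
```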
Slide28
Analysis
File Recovery – Deleted/Overwritten
Keyword Searching
Detailed Analysis
Malware, Virus
Evidence of Wiping
Smartphone compromise
Improper access
Slide29
Reporting
Variety of options for production and reports
Full Forensic Report
Recovered Files/Documents Only
eDiscovery Process (email)
Informal Disclosure
Slide30
Smartphone Security Threats
Network
Theft
Applications
Physical Access
The User
Live DEMO
Slide31
Network
Wi-Fi
Mobile (2G, 3G, 4G)
Bluetooth
GPS
Slide32
Theft
Greatest security threat!
Is the stored data secure?
Can the phone be tracked?
Can the phone be wiped?
What about the SIM card?
Slide33
Applications
Avg. of 22 apps on U.S. phones
What do they do with your data?
iPhone ~ 350,000 apps
Google ~ 300,000 apps
Blackberry ~ 15,000 apps
Slide34
Physical Access
Can the device be accessed?
What type of data is stored?
Is it encrypted?
Are the backups encrypted?
How easy to install spyware?
Slide35
The User
We are our own worst enemies
Default/convenient configurations tend to be less secure
Social engineering
Phishing
Web Vulnerabilities
Slide36
Live DEMO
We will now show you what can happen on a compromised wireless network.
Any volunteers?
Slide37
Best Practices & Recommendations
Enterprise
Fleet Management
Policy
Monitoring
Individual Devices
Configuration
User Behaviour/Habits
Forensic Overview
Slide38
Enterprise: Fleet Management
Complexity is the enemy
Know what’s out there
Strive for effective implementation
Mobile management server
Blackberry Enterprise Server
Blackberry Enterprise Server Express
Slide39
Enterprise: Policy
Acceptable Use
Social Media
Encryption/VPN
Slide40
Device Configuration
Disable Bluetooth when not in use
Ensure ‘discoverable mode’ is disabled
Never configure WiFi to automatically connect, even to trusted networks
Slide41
Device Configuration
Set a handset unlock password
Use the strongest encryption & autowipe settings possible
Set autolock
Use a security app (Lookout)
Slide42
Device User Behavior
Avoid unencrypted WiFi (no exceptions!)
Avoid untrusted apps and websites
Don’t let it out of your sight!
Don’t install hacked operating systems on your phone.
Slide43
Forensic Services
SIM Card Data Extraction
Phonebook / Contact List Extraction
Extraction of Phone Logs
Related Records: Call Durations, Numbers, Caller ID (Names), Call Date & Time
Call State: Incoming, Outgoing, Missed Calls
Slide44
Mobile Forensics Overview
Extraction of Phone SMS (Text) Messages
Related Records: Sender, Receiver, Message timestamp
Deleted Text Messages Recovery (Limited to Certain Phone Models)
Slide45
Mobile Forensics Overview
Extraction of Calendar, Tasks and Notes information
Phone Lock Code Extraction and Removal - (Limited to Certain Phone Models)
File System Dump Support (Physical Memory Dumps)
Phone System Files
Extraction of Website Visits (Internet History) - (Limited to Certain Phone Models)
Webpage Link Address Information, Visit Timestamps
Multimedia Files
Audio: Ringtones, Music files
Video: User Video files
Photo: User taken photos and image files
Slide46
Mobile Forensics Overview
Apple iPod, and iPad Specific
File System Dump Support (Physical Memory Dumps)
Lock Code extraction
Slide47
Mobile Forensics Overview
GPS Device Specific
Stored Destinations, Waypoints, Routes
Stored GPS preferences
Slide48
Conclusion
Smartphones will be increasingly targeted
Present a greater attack surface than PCs
Organizational security and policy should be considered and handled proportionally
Risk can be minimized by appropriate configuration and user behavior
RIM currently offers the most robust choice for organizations that require best in breed
Slide49
Certifications
First AccessData Certified Examiner in Canada
Certified Computer Examiner
EnCase certified examiner
Largest independent lab in Western Canada, 24/7/365 service
Slide50
Questions
Slide51
Thank You!
www.TCSFORENSICS.ca
www.tcsforensics.com
1312 SE Marine Dr.
Vancouver, BC V5X 4K4
(604) 432-7828