
Indicators of compromise may be compromising your Android investigations

BSides Charleston · 2018 · 47:02 · 146 views · Published 2018-11
Style: Talk
About this talk
Security BSides 2018, College of Charleston, SC, November 10, 2018, @BSidesCHS. Title: "Indicators of compromise may be compromising your Android investigations". Speaker: Christopher Atha.

Transcript [en]

Yep, indicators of compromise may be compromising your Android analysis. Who am I? I work for the National White Collar Crime Center and I'm from the lovely state of West Virginia. My professional job right now is hacking into, analyzing, breaking, analyzing some more, all the fun mobile devices and those things, those things that are the buzzword that I'm going to refuse to say. So surprise, surprise, I'm from Charleston, West Virginia, so we're not hooked online and I says, hey, I want to go and talk at Charleston BSides. It's a little bit farther away than just going around town; there's about eight and a half hours from Charleston. It's a great trip; this Charleston is so much more pretty. All right, so what this talk is

going to be: in my tenure I've had a lot of interesting cases and I've worn a lot of different hats. I've been part of a prosecution team and I've put people in prison for the analysis of what's in their mobile device, whether it's contraband on the device or we're using it as intelligence. I've assisted state, local and federal agencies in their intelligence gathering efforts on mobile devices, and I've even done civil litigation. Within now in my job there's a lot more research and a lot more of that subject matter expert consulting, and with that one of the big things that I see is it is a full ecosystem on a mobile phone, much like with the computer,

and if you do any type of incident response or forensics work, one of the big things that we're always doing is taking steps to validate our evidence, taking steps to verify our evidence. And it's not just the safe evidence handling procedures, or, you know, if I'm going to do IR, yeah, we're gonna stomp on that box a little bit in the IR process, but we're going to be taking the steps and getting the information we need to provide authenticity to our artifacts. So one of the big things that we don't see with mobile devices, and that's why I want to share this with y'all, is when we look at a mobile device and the

commercial solutions out there when it comes to acquisition and analysis, or even the bespoke solutions or the custom scripted solutions, there's a lot to be desired. You know, if we have a Windows box, throw the dart at the board and you're gonna find a more than capable product; some are better than others. Um, you know, jump out and look for a professional consulting team, again some are better than others, but the availability, the transparency and the knowledge is way out there. But with mobile it's an emerging landscape and it gives a lot of different vectors in. If I am a computer user and I'm not elected to turn on Skype and I am just

utilizing my Windows box to grab an email, to do other corporate functions, my attack surface is relatively small. I'm most likely going to be on that network that's part of my business; if I get to work from home, take it to a coffee shop, there's risks there, but with mobile it's a completely different rodeo. One of the big things when it comes to verifying that evidence, if we find something, is a mobile device is one of those things where I can put photographs on your device. You know, in my tenure as a law enforcement officer I've had tons and tons of people tell me that the thousands of evil images on their computers just got there, and doing

computer forensics we know that that's not the case. With a mobile device the lines are getting more blurred: just by knowing your number I'm able to send you a thousand images, and yes, you could block me, but I'm gonna get a different number and you're probably not gonna change yours, so I'm gonna still continue to do that. Not only can I send those images, I can essentially social engineer you, and it's in a more digestible way. Folks are getting better and better when they're in that corporate environment, and we know it's work mail and we're having our work email give us a banner that says do not click on links, this is an external email, it shows up flagged;

there's a lot of rules going into place, but you're getting your text messages just free. In the tiny graph that you can't see as part of this there is a trending graph of the development of new malware samples for the Android platform. So that's not just the total samples, that's the total samples, the average being brought, so for 2017, 4.4 million, and for 2018, 2.7 million. Those, yep, arbitrary numbers that I'm saying in a talk, but it's a huge attack surface, tons of new samples, and the trend did go down '17 to '18, but it is still much higher than it's been. And the big thing is, yes, there are constant attacks, and one of the reasons

that Android becomes such a huge target is it's got a 3/4 market share globally. More users use Android, that's in more devices, the kernel is open, the Android Open Source Project is much more inspectable, and while that lends itself to increasing its security, because we have vendors that are responsible for pushing out our patches and our update cycles we start to get behind the ball so much. On iOS we make that trade of telemetry versus security: from a security standpoint and an IR standpoint there's very limited telemetry in iOS, it's hard to inspect things, it's hard to acquire the data and then analyze it, but on Android we can, but we're also behind that ball in a different security

model. And it's not just like when you talked earlier about potential key loggers or potential spyware; there are actual in-the-wild observed samples that we're pulling off of Android devices that are capable of reading your text messages, capable of reading your thoughts, capable of fabricating entries into your text messages, performing malicious redirects on your web browsers, harvesting your location data, harvesting audio files, and there are even a few unique samples that go to that ability of remote interaction, where they're actually able to in real time grab data and do things, take pictures. So that brings us to what can we actually do to start combating it. So one of the big things that any type of incident

response case is gonna be indicators of compromise. So if there's some type of security incident or potential security incident that has alerted us to something, and when you're trying to do our root cause analysis or dig in so we can one, contain it, and then work to eradicate and remediate, IOCs are great because they're going to be signatures, they're gonna be hash values of files, executables, payloads, so there's gonna be unique signatures that we can look for: locations of certain artifacts. Certain IOCs are written that hey, if this path is created that's a potential indicator of compromise; there's no benign Windows processes, there's no legitimate third-party applications that are creating these pathways with these

naming conventions. We see a lot of NOT, AND and OR logic, which is, is it named this and not this and it also contains this file path, different characteristics and just anomalous characteristics of it. So it's huge; IOCs allow us to inspect a device a lot of different ways, but there's a problem whenever it comes to getting to do that. So if I am an Android user or an enterprise that has Androids as part of my work product, Google and the Android Open Source Project gives us a couple things: Google Play Protect, we can use different enterprise mobility management or mobile device management solutions, we're able to go in and make sure people have

passcodes on, we can go in and limit the Wi-Fis that they can grab, but a lot of other types of security we're leaving up to that device to handle. We can go and deploy a Windows computer and just leave it up to the native Windows applications for security; there's always going to be an enhancement, or generally there's gonna be an enhancement, but we do that with mobile and we end up seeing quite a few failures. The Play Protect store is riddled with errors. There has long been the statement, hey, as long as I download this application from the Google Play Store then I'm good. Any given day when we go and we do a scrape

it's a quarter million to 300,000 samples that are active in the Google US Play Store. Now this has been trending down, but it's still pretty big. If you're an Android user, what's one of the big reasons that people always say we use Android? We want more customization, we want to be able to customize it more, we want to be able to change our operating system, we want to be able to watch movies before they're released, and we're doing that at a cost of our security and our privacy. Any time we go outside of the Google Play Store we're going to an even bigger risk, and in modern versions of Android, built on the NSA kernel, you know, it's a very

hardened operating system; there are a lot of constraints that are going in, communications, inter-process communication is being handled through various APIs to keep it secure, but there's still vulnerabilities. So one of the big things that we see happen is: I'm an enterprise, I have mobile devices, we use enterprise mobility management, which doesn't do much in terms of security, it's our common security, but then things happen where I'm a device owner, or I'm an investigator, I work for a consulting firm, we've got a mobile device incident response, or you work for an organization and somebody is subject of an internal investigation. One of the first things we're going to do is go and seize or attempt to seize either the corporate asset mobile

device, or we're gonna see if we can seek legal process and get their personally owned mobile device. Criminal cases, civil litigation, tons of things are involving mobile devices. So where's the big problem with it? All right, first off, security's compromised. Incident response: if we're gonna make the statement and we're trying to scope out an incident for containment and remediation, we've got to be sure of what we're doing. It's one thing to think of it narrow scope, where I have one mobile phone and I have one computer, but when we think of today's organizations we're talking millions of endpoints, and we're trying to correlate how this attack or how this data has been lost, and we've got to look at that

full scope. We can't just say yeah, it looks like it came from this mobile device; we have to be able to say that with certainty. Root cause analysis: one of the big things that we see a push for in today's media and in today's government operation is that attribution characteristic. You're gonna say hey, there was this that occurred and we want to say that this certain group did it. Where in my case I've acquired data and I've analyzed it and I may be attempting to take somebody's freedom away for the rest of their life based on what I found on their device, and that's something that I don't take very lightly. Somebody could end up losing

their job because of it if it's an internal investigation. So the big thing comes if we are looking at that mobile device and we're saying okay, I'm gonna pull these text messages off there, I'm gonna pull these call logs off there, but with just that little note that there are millions of actively developed Android malware samples, the attack surface is huge. It's phone calls, to make a call to you and say to go to this website; email, emails being pushed to our phone, users are more apt to click things on their phone because we trust everything on our phone; we get SMS messages, we have Facebook on there, we have other social media platforms; these are all avenues for social engineering

or phishing campaigns, clickbait, being sent somewhere you don't want to go. So that's where we get the wolf in sheep's clothing. So when it comes to true evidence integrity, are you sure that you can attest to how these things got on that device just by acquiring data and looking at it? Really sure? There's money on the line, there's jobs on the line, and in a lot of cases I've worked there's people's freedom on the line. So when we look at those common acquisition methods we have things like ADB, talkin Android Narus code, we've got some commercial tools out there, Oxygen Forensics and Cellebrite, Magnet Forensics, and these are just different companies that make a product to speed up and enhance the

analysis and acquisition of these mobile devices. A lot of mobile device management and EMM solutions also will allow some data acquisition or some remote cloud pull or some remote backup tools. With ADB, and ADB is the Android Debug Bridge, it's a native client that's part of the Android operating system that allows some low-level communication, it's really cool. And then of course some of my favorite types of acquisitions are when I get to rip phones apart and remove the chip: chip-off acquisitions, in-system programming acquisitions, different ways to get the data. So we get the data, what do we do with it? 99% of the examiners that I get to teach and help and work with, they grab

the data and they pop it in a tool, they hit the magic find evidence button and we move on to the next thing. It is, I'm telling you, mobile forensics has changed so much in the last few years, but it's become the Nintendo forensics world. There is a tool that literally has a find evidence button, and you hit it and the blue wheels start turning and you just sit back and wait, and presentation of your evidence is categorized by what they want to tell you it is. And one of the things that we don't see in one of these, being the most popular and robust mobile forensics tool in the world, when you hit that go

button it's not assessing anything about that device's security, it's not taking any steps like it's doing to parse many arbitrary applications and present you with data; there's nothing going on to say yeah, this is, given the context of a human using this. There's nothing going on. One of those tools, you're able to click on a malware scanning button, and it's one of the few tools that lets you do it, and it does a signature-based search with BitDefender, so pretty robust hash set. Sometimes there's gonna be some static names depending on where the database is, but I've seen hits before with getting some static names. But what do we know about malware when we see it?

Is it always gonna be the same name? Is it going to be downloaded as one thing, is it gonna stay that? One of my favorite examples, an oldie but goodie, is Zeus. What happens when you run Zeus? It disappears; the process is given some arbitrary character value. So if we're using that methodology and looking at the device statically we're not gonna find any indicator of compromise even though it could be riddled with it, riddled with evidence of it, and that compromise could affect the integrity of what we're doing. Nothing's going on. So I wanted to find something, because one of the big components of my current job is actually geared to state, local and tribal law enforcement,

and I wanted to be able to give the folks who are working these cases something that isn't barbarically difficult, because whenever I think of it I get excited, I'm like we're gonna get this command line and you use ClamAV, we're gonna use Loki and we're gonna do it like this and we're gonna be great people just typing on that blue and black screen. That's not the way the world operates, so we've got to add a little bit of integration there. So Brian Carrier's tool Autopsy, and Autopsy 4.9 has a really great open-source module that lets you grab an API key from VirusTotal. So a community API key from VirusTotal is free, Autopsy is free, so we

put them both in. They can handle ext4, exFAT and the FAT32 file systems, all the file systems we're going to find on Android, and it does a lot of analysis on there. So one of the things VirusTotal will do is it will go through and it's gonna look and say hey, this is known to me, this is not known to me, but again it's only looking based on what that module is telling it to submit. There's gonna be some limitations on that public API, but of course it's not the full YARA rule, it's not a full contextual analysis of the evidence; it's gonna be based also on that hash,

it's gonna be based on name, it's gonna be based on, depending on the way you have the ingest module configured, are we gonna do any searching for URLs, are we going to try and put URLs up to VirusTotal to be searched. But it's a good time. So when I got there I realized, as I'm making this, when I make these PowerPoints I try to roll through an investigative process, and I kind of skipped a couple things, which is why just signatures wouldn't be that great:

very high level, and if we look at something just based on signature-based static, that's where we would have a hash. We're taking a hash of the entire executable, in this case an APK for the Android device, or a subcomponent of that APK, because APKs are archives; it can be an archive and you can see their core files. Is it the way that something creates a signature, whether it be a process ID, the process name dynamically, is it a combination there? And that's where we see that with these current methods, as discussed in the previous slide, we're not able to look at that because the data set is static. So we've got to really work that limited data set that

we have. So the biggest thing was I knew I couldn't reinvent the wheel on it, so the best thing to do was to find a method to intelligently search for indicators of compromise on that evidence set with its unique characteristics. So I knew that YARA, Yet Another Ridiculous Acronym, which is the Swiss, what do they call it, the pattern matching Swiss Army knife for malware. YARA rules are really cool; it's a very plain, easy to follow, descriptive, text-like language that will just give conditions to an artifact or to an object, where I can say does it contain a certain ASCII string at this offset, does it contain this hash at this location. There's a huge culmination of

different things that YARA can do; honestly you can do pretty much anything you want. So when we're looking at the mobile ecosystem and we know that okay, we're gonna have APKs, our apps, those apps are gonna have databases containing data, we know that we can download it from the Google Play Store, but what happens every few weeks when we've downloaded an app? What comes through? Updates. Are those updates managed directly through the Google Play Store? Those are arbitrary, many are arbitrary. So what we have is, yes, the initial application passed the Google Play Store, a week goes by, we update it, we now have malware. One of the biggest ones that we saw was Pokémon Go. Pokémon Go was

one of the huge things that we saw, that people were figuring out and saying hey, people are downloading this, is there a way that we can take over some of this control when we do the update, is there a way that we can push people out of the application store into a Trojan horse that they download freely off the internet. So that's where YARA came in, because we're able to get down to a much more granular level, determine different things we wanted to classify with it, and even use it to look for known blacklisted phone numbers. So who here, if you use an Android, uses something like Truecaller? So Truecaller is an app that

will come through and it'll say hey, this is a potential spam call. I use it and it's pretty successful. Truecaller is pretty cool; you can get an API key from them, they've got a full software development kit, and I'm currently working on a project where that's gonna be incorporated, so whenever we analyze these Android devices we're not only doing YARA for known malware or known indicators of compromise, we're also looking for do we have texts, text messages and phone calls from blacklisted numbers, because that's the full context of the threat environment for Android. So the big ones that I came up with working the best were: first was ClamAV, Clam AntiVirus, you can get to it from

Talos, the Talos research group's website. Cross-platform, very extensible malware scanning engine; it can do amazing stuff with email gateways, but it does really good at pointing it at the acquisition set of data from Android and letting it roll. A very robust signature set; you can write your own ClamAV rules if you want to extend its capability for known samples. Fast, free, we love it. The other one was using Loki. Loki is a very Spartan IOC scanner that's extraordinarily flexible; it will take in hashes, it will take in rulesets, and it will take in YARA rules, and you can point it at anything you want. So in my case of an Android backup, whether it's

an arbitrarily mounted volume on a Linux system or whether it's a bundle of files on a Windows system, I can point Loki at it and have amazing results. So everything's working great. So my framework that I would do IR cases, mobile forensics cases: I'm gonna grab the data in whatever manner I want to, most often ADB, and over a variety of the different ADB implementations. Android, we can do what's called a custom recovery, where we would boot it to an alternate operating system or install a completely different operating system. Is the device something that we can root, and we can get a root shell on, and we can use dd and pull data back out,

listening on netcat, or does it require some physical intervention like JTAG, Joint Test Action Group, soldering on to those PCB pins; in-system programming, where we're actually gonna sidestep in on the actual eMMC memory package; or chip-off, everybody's favorite, we physically sever the chip from the mobile phone and we pop it in a reader or pop it in an adapter and we do our analysis that way. We can either, well, notice if we do chip-off, or a lot of these, we're gonna have the entire physical extent of that memory on the device, and you see some really crazy stuff. You see most Android devices are twenty and thirty partitions; the

Motorola HTC mm1 9 was like 99 partitions from the factory. So you find a lot of different unique new environments that Android is operating in. So we grab the data, we pull it down, and then we fire it up with Loki, and Loki, in that, it's a very small screenshot, but from the factory they're already helping you out with false positive hashes, file name locations, file names that are suspicious, hashes, some YARA rules for hack tools, web shells, just general YARA rules. So there are tons of things that from the factory it's ready to look at; you can go and simply Google search "I need YARA rules for" the specific thing on GitHub and

pull it down. So Loki performed valiantly, ClamAV worked flawlessly; I did not, I was missing the mark, and one of the big things was I've got a brand new, in this case I was using a beta version of Android Pie. I never stopped to actually look at the rule sets that are being shipped in these tools. I had to stop and I had to look. It turns out Android 9 rule sets, whether it be in a commercial antivirus product, it's for Windows or macOS, or in the case of the rule set for some of these, for Loki, isn't really cognizant of these Android malware sets. So yes, they're performing their job and we're not gonna find

anything, because we're looking for Windows executables or Windows IOCs on Android; we're not gonna get anything. Now there are some, and trust me, I Googled it a lot because I really didn't want to have to do what I decided to do next, so I Googled a lot and I compiled a lot of stuff, way too much stuff. Question: yes, even in regards to the file system, do you, every different? Yes, to almost build-specific, almost, yes. And one of the big things that's left with Android, so we'll have Android 7, so then I might have a Samsung Galaxy S7, I'll say Android 7.0.1, security update part 32, what version of Android

7.9.1 is, an API 22, API 23, API 24, so then there's a whole other set of conditions that Google has in, and you're exactly right. So if I write a YARA rule and it wants to look for a WiMAX partition, that's one vendor that has that partition, so exactly right. If it's Kinnaman, I can either spin my wheels doing that, or have I not written that rule set in that specific, and it's huge. And one of the crazy things that I found was, of all the GitHub repos I was searching through to find people that have already written some YARA rules concerning it, the average time was three years old, and

we know that the landscape of anything malicious, that's, we still have to do the due diligence and make sure that the old stuff's not there, because how often do we see that folks are popping old vulnerabilities, or an antiquated IOC scheme would actually be able to find something. But the newest one I found was nine months old. Yes, yeah, and I did notice that it's kind of like whenever we see the kits, like when RIG was really popular, yeah, you're gonna see the clustering, where we see the clustering techniques, and that's one of the cool things about YARA, where it can be so extensible, is where we can

open source our YARA rules and people can come in and say hey, can I write in that line, I have an HTC, can I write in language into your open group. So that's what I decided to do. I'm very fortunate that where I work and the manner in which I get to work is I currently have probably 400 Android test devices, a variety of operating systems, builds. My office looks ridiculous at any given moment, I mean it's a sight to behold. None of them are really great, no, some of them are decent phones, but I've decided to go on a hunt. So luckily FireEye makes a lot of tools so that folks who aren't that

great at it, like me, can have a chance, with IOC Writer and IOC Editor, and I've literally went out and have pulled every Android malware sample that I can find off GitHub, every Android malware sample I can find on VirusShare, VirusBay, Hybrid Analysis, all the ones who let me download it, and that brings me to some of the project that I'm working on with it. So I work, follow, acquire it, hit it with ClamAV, hit it with Loki, look for the indicators of compromise, but know that we have to embolden that. So surprisingly this really short domain was still open, like I can't believe, I let that with that, Android piracy org, it'll return

nothing, or that spam's like we're trying to sell it to you, right? Just bought for $12. Left-running project of Android malware samples, phishing campaigns, ClamAV rules, YARA rules, in the spirit of, happy, in the spirit of Billy Madison, O'Doyle rules. So that's where I'm standing with the IOCs, because you will find them; Android is riddled. One of the things I did notice was, using one of the commercial tools that had integrated with BitDefender, if you get a device with some road miles on it, like a year on it, that's got true use, it's gonna flag signatures, and every time that I did that I'm like, if it's flagging signatures I can only imagine what

else I'm gonna find when I dig down and actually do more in-depth analysis. So I've talked about finding the malware, but one of the big things that we're missing in a lot of mobile forensics training, I think only one really big national provider, the SANS Institute, really hammers it in with their mobile forensics training, is what do we do, how, if I'm going to be presenting a statement or summary of these artifacts and they need to hold weight, whether it be in court, arbitration, executive committee or just as part of an investigation, what have we done. And a lot of times when we find this, I know I've consulted with a lot of examiners, and whenever I

encourage them to go and look for it: Chris, I found that, what do we do? This is where we start: we've got to figure out what it is capable of, so we need to analyze it, find out what its permissions are, find out what that actual core executable is, can we do a sandbox detonation; that's usually where we go. So for the crash course part of this, we've defined our security, we're going scanning. If you go hunting you're gonna find prey eventually, so if we go hunting for malware we're gonna find it, or if we go hunting for other indicators of compromise, you do it enough, you are going to find it. Now what do you do? Of

course the number one is isolation, cautious precaution; this is nothing new, forensic machines should not be on the wide web for most traditional forensics, especially mobile, but we have to have an appropriate analysis platform. So for doing this project pretty much I did everything with Microsoft Windows and I'll let the FireEye FLARE team do a lot of the heavy lifting for me with their virtual machine build, FLARE VM, and then there's a really great open source project called Android Tamer, the Linux distribution that's already set up with all of the hundreds of packages that really allow you to dive deep into an Android file system, because the Android file, the Android executable and the Android

file system is a little more than just that APK. That APK as it sits on your device, or what you download from the Google Play Store, is actually a little more; it's gonna be an archive. So if you are on a *nix-based machine or Mac you're gonna be able to unarchive it and go jumping in. Usually I give folks two sets of the device data: when I've gotten that data, of course I'm gonna make a static copy that we keep for purposes of archival, and we're gonna have two or three copies of it that we've made for our analysis. Depending on the environment and the case we can use tools like VirusTotal, Hybrid Analysis, Anubis, Joe

Sandbox, the list goes on of online sandboxes that will do automated detonation and work on generating that automated report. But much as I was able to go to Hybrid Analysis and download samples, so can you. So if you're doing anything that may have PHI, personally identifiable health information, or PII, personally identifiable information, or something that you just don't want the world to know... If you also have like a VirusTotal account, a VirusTotal Intelligence account, I can define certain things that I will be alerted to, so there is of course always that thought that somebody malicious will be watching to see when their maliciousness is alerted to. It's

always take that into consideration before we fire everything up. So once we open the, that's a really great hand-drawn, what's in your Android APK: your AndroidManifest, assets, libraries, classes, so that's gonna be your Java bytecode that's actually gonna run that sucker. So what are the big things that I look for immediately? So in static analysis I'm a big fan of dumping that over with strings, or again using, FireEye makes a great tool called FLOSS that looks for strings with different parameters and through some obfuscation. I'm gonna look for the basic things, because I still find the basic things from malware in the wild. I routinely still grab Android malware from the wild and I find

hard-coded URLs from the strings function. You feel amazing when you do that, like this is so easy. You find very verbosely declared permissions right in it, in the manifest, that says hey, I want to have the permission to read SMS, I want to have the permission to receive SMS, read the user dictionary, read contacts, access location, and so on. Now if you are an Android user, what do we know happened a couple versions ago? When I'd download an application I am warned immediately: this application wants to read my SMS, this application wants to do all this. People agree to it; that's still the crazy thing, folks agree hand over fist. The desire and that drive for that to just, they

want that app and they want it to work now; you'll agree to anything. But that's always great, whenever I can find okay, I've read these permissions, but then I've observed its analysis in a sandbox and it's requesting elevated permissions, or its request, or it's received permissions greater, so that's where we know there may be something around. So again we can jump in there with tools like JADX, you know, Java decompiler, from a code, macOS and Windows, JD-GUI, dex2jar; there's a lot of different things that we can do to help break it down to get that readable JavaScript. Has it been obfuscated? There's tons of ways we can de-obfuscate it; one of my favorites, CyberChef, can

run pretty much any function you want over something. So that way I'm able to look at the functions, I can look at the code signatures, I can look at the declared permissions and see what I've got going on, knowing that I'm gonna be able to probably pivot into something like a sandbox report. This is a screenshot from a Joe Sandbox Pro Android sandbox, and they hit it on the mark: they start out with huge graphics, just come in and say hey, this malware is doing all of these things, it has things in place for spam, it has things in place to affect the networking. And when you go and you drill down, because this is the

high-level "what to do when I find it", you're gonna be able to, from a high level, say this malware was potentially, based on this analysis and what we have, not capable of affecting this article of evidence that is paramount to our investigation. Or conversely, because of things like Brady in the criminal system, we've got to be able to say incriminating evidence and exculpatory evidence: due diligence, have we actually looked for all the articles of evidence and have we given an explanation to them? So that's one of the big things that we run into with that. And this talk went way too quick, and I flew through it
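The static triage the speaker describes (unzip the APK, pull strings, look for hard-coded URLs and verbosely declared permissions, then compare against what a sandbox run actually shows the app using) can be scripted. The block below is an added example written for this transcript, not code from the talk or from any of the tools the speaker names. It builds a constructed stand-in APK in memory (a zip whose manifest strings are UTF-16LE, mimicking a binary AXML string pool, and a classes.dex stand-in carrying ASCII strings); the URL c2.example.invalid, the package name com.example.weathermap and the "sandbox-observed" permission list are all constructed placeholders, and the sensitive-permission set is an assumption drawn from the ones mentioned in the talk.

```python
"""Static triage of an APK: list entries, extract strings, flag URLs and permissions,
and diff declared permissions against permissions observed at runtime."""
import io
import re
import zipfile

# Permissions singled out in the talk as worth a second look (assumed list, not exhaustive).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_USER_DICTIONARY",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Runs of 6+ printable bytes: plain ASCII and UTF-16LE (the encoding of binary AXML string pools).
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
URL_RE = re.compile(r"https?://[\w.-]+(?::\d+)?(?:/[\w./?=&%-]*)?")
PERM_RE = re.compile(r"android\.permission\.[A-Z_]+")


def extract_strings(blob):
    """Return printable strings found in a byte blob, in both ASCII and UTF-16LE form."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(blob)]
    return found


def triage_apk(apk_bytes):
    """Open the APK (a zip), walk every entry, and collect URLs and permission names."""
    report = {"entries": [], "urls": set(), "permissions": set()}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            report["entries"].append(info.filename)
            for s in extract_strings(zf.read(info.filename)):
                report["urls"].update(URL_RE.findall(s))
                report["permissions"].update(PERM_RE.findall(s))
    # Declared permissions that deserve attention in their own right.
    report["sensitive"] = report["permissions"] & SENSITIVE_PERMISSIONS
    return report


def compare_permissions(declared, observed):
    """Permissions a sandbox run shows in use that the manifest never declared: the
    discrepancy the talk says should trigger a deeper look."""
    return sorted(set(observed) - set(declared))


def build_sample_apk():
    """Constructed stand-in for an APK; not a real application."""
    manifest = (
        b"\x03\x00\x08\x00"  # fake AXML header bytes, non-printable on purpose
        + "android.permission.READ_SMS".encode("utf-16-le") + b"\x00\x00"
        + "android.permission.INTERNET".encode("utf-16-le") + b"\x00\x00"
        + "com.example.weathermap".encode("utf-16-le")
    )
    dex = (
        b"dex\n035\x00" + b"\x00" * 8
        + b"http://c2.example.invalid/gate.php\x00"  # constructed hard-coded URL
        + b"Lcom/example/weathermap/MainActivity;\x00"
    )
    native = b"\x7fELF" + bytes(range(32)) * 4  # binary noise with no printable runs
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", dex)
        zf.writestr("lib/arm64-v8a/libnative.so", native)
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_apk(build_sample_apk())
    print("entries:", report["entries"])
    print("urls:", sorted(report["urls"]))
    print("declared permissions:", sorted(report["permissions"]))
    print("sensitive declared:", sorted(report["sensitive"]))
    # Constructed "observed in sandbox" list: RECEIVE_SMS was used but never declared.
    observed = ["android.permission.READ_SMS", "android.permission.RECEIVE_SMS"]
    print("used but undeclared:", compare_permissions(report["permissions"], observed))
```

Running it on a real APK means replacing `build_sample_apk()` with the file's bytes; the manifest scan only catches permission names that sit in the string pool, so a proper AXML parser is the next step once the quick triage turns up something.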

with the folks in here. All right, so... yes, hit me. All right, so the way that chain of custody works, I'll walk through a sample one, and this one has actually gone to court and been adjudicated. So we arrived on scene, me executing a search warrant; I take the evidence into my possession. At that point I make notes of the state it's in: you know, is it on, is it off? If it's on, I'm gonna take steps to isolate it from radio connectivity, so pop the SIM card, airplane mode, put it in a Faraday bag; I'm gonna control the state. Well, so that's where we keep falling through. So the big thing that

I've learned is transparency with it. So when I show up on scene and I'm gonna snag that phone, there's gonna be a picture of it before I've touched it, and my notes are gonna be verbose. I always had what I call big pads, little, like, shirt-pocket-size notebooks; they would have my verbose notes. Those go ahead and get copied over and sent with the discovery. One of the big things I found is there's a lot of folks that try to withhold things, or they want to make people work for it. I was just an open book; it's like, here's everything you want. So yes, I would state in my executive summary: I touched

the device, I've used an Android device for nine years, I put it in airplane mode. If you want to know what airplane mode is, we can go and look at the open-source developers' guide, or we can go and look at Jonathan Levin's Android Internals: A Confectioner's Cookbook and be able to definitively say what went on there. So then it keeps going, because you said the physical manipulation... Oh yeah, this is where it gets dicey. There's... that's gonna say, been proven through, like, statutes or policy or case law to be ineffective arguments, but that gives you some leeway in regards to, like, certain things, the state of what that action does. Yeah, and so essentially, like, it's about defending

evidence at that point; like, there's a lot of case law, I know that, like, essentially like a prosecutor removing the bullets. Yes, yes, yes, right. And the big thing is a search warrant is meant to be a static artifact of time. If I wanted to get something real and ongoing, that's gonna be a Title III, you know, pen trace, that's an intercept. Like, if I wanted to listen to a live phone call, that is a whole other ballgame than simply going before a, you know, judicial officer in my state with a sworn affidavit requesting, on these merits, permission to take something. Upon the time that I take it, it can't change; if it changes, I'm responsible

for it and I have to explain why. So where that gets tough is a lot of these devices we get are locked; a lot of these devices, they will not give us the passcode, and there's still a lot of debate on whether people can be compelled in the United States to give a passcode. So we are left with breaking it, and this is one of those keywords: it depends. You know, some devices, for a long run of Android devices, USB OTG: I've got a USB Rubber Ducky that I had tons of Ducky scripts for, I'd pop it in, brute force it, unlock device. Other ones, you know, now there's a really big exploit set called Emergency Download Mode where we're

causing a short in a Qualcomm processor; it exposes it in different ways, it's a different process to a Windows box, different versions of the TeamWin Recovery Project, different versions of the Odin project. Yeah, you are substantially changing it. So the way that I've always accomplished this, especially if it's gonna be evidence that is going to potentially go to a criminal trial... Yeah, yeah, so for a criminal trial, say if I have a device, for one, if I'm reading it, I know I have access to it, so the reason I would root is to enhance the level of access. So a lot of Android devices, like, you've got an S7; if you take that S7 and you fire up an ADB

shell, you're not gonna be able to go in at that level of permission, most often, and get your text messages, the mmssms.db database; it's too high of a permission for ADB. We can root it, and we can use dd and get the full extent of that Android file system, get the full extent of the databases, the actual applications installed, all of these great paths, and we can see not only the paths but the way their context relates with other paths, so we can really verify that evidence. So yeah, we're... I mean, we're hacking the device, I mean, we're grabbing a root shell on it. Before

that is done, we've acquired data and tested methods to the highest extent we can. So you're never gonna jump in and say I'm gonna root before I've even seen what I can get, and you're documenting along the way. And then for me, I'm not gonna do it if I've never done it before. So I can tell you that the employers that I've done this for and the agencies that I've done it for have all been really good; we usually drum up a test device to say, okay, well, our platform is a Samsung Galaxy S7 930V from Verizon, this is what we want to do, we're gonna take that, seed it with known data,

perform the action, and then go after and look for the modifications. So that way we can go and say, you know, we did it as controlled as we could utilizing these methods. A lot of times these exploit methods are open source, so we're able to say this is the actual methodology behind it. You know where it gets goofy is in iOS: right now there are some things that are not to be talked about, capable of doing some things, and the same goes with Android. You know, that physical exploitation is a huge thing, and there are certain commercial tools that are very robust, support the passcode of thousands of devices, and you're not really told how

it's doing it. And I've been in the position where I'm taking that to court, and your narrative is: I had this device, these are the steps I've taken, here's my initial evidence, I've been performing this action, here's the evidence. What if it's locked, we never had evidence? That's a good question, because, yeah, how would you feel, 'cause you've done offensive work before, or do offensive work: how would that go if I said, okay, the only way I was able to get this data off these ten computers was offensively jumping in, grabbing a shell and pulling it out? Yeah, yeah, yeah.

No, missing persons, right, protective... Yes, you go throughout this whole... it's cool, who said that you care? Yeah, it's something, you don't know how these forensics tools are doing this. What's going on with the Stingrays, right? Right, where if you use the cell-site interceptor, you use the... hey, you can't talk about it; judges are throwing that out. Yep. You know, so these companies are making a product. Yes, so I guess, like, in many cases, by disclosing that for purposes of meeting or trying to satisfy some requirement, they essentially... you're able to directly circumvent at that point, or, like, essentially cause the company to be unable to be financially viable. They create their

own cell-site interceptors. And it's even easier with software, because when we think, you know, hardware, we've got to engineer something; but these software exploits, and we look at things like Zerodium, where we can say, okay, I want remote code execution, they're gonna say I'm gonna cut you this huge check. What would stop somebody, if these companies would have to disclose that, from saying, through the concepts of Zerodium, pay me my Bitcoin? And it's, I mean, think of it, because you're probably more in it than I am to know that that market's huge; the exploit market, the vulnerability discovery and exploit development markets, huge. And one of the big things

that, 'cause I spent a couple weeks a year going around teaching mobile forensics, and that's always one of the things that I have to hit, and I hit hard: like, this isn't... the way that we see it through the marketing material is not what it is. You know, by the time we see it, it's just "bypass this", "this is supported", but in reality this is a highly competitive market that is, you know, specifically offensive security, and it's completely glossed over as being a couple clicks of a button. And then we have these things that are pivotal pieces of evidence. Like you said, when we've got... you're innocent until proven guilty in this country, and we've got to

protect everybody's rights, period, and the way that that should be taken. In the state of West Virginia, where I'm from, you know, one of the things on the prosecution is we must know every facet of evidence, so good, bad, ugly and different, and that is a very high standard when you get 20 terabytes in a case and you're expected to know what is incriminating, what's exculpatory, what's the validity of it, and you have to go through and explain it. And I'll tell you, it's changed my thoughts and opinions and a lot of the actions of myself and the folks that I get to counsel with on the way that we handle the offensive nature of passcode bypass

or privilege escalation on mobile devices. Because I'll tell you, if you go to any agency and say, do you guys hack mobile phones? No. Okay, how many passcodes did you bypass this year? Okay, 300. All right. Yeah, other folks might disagree with what you do, but I mean, it is what it is. So yeah, definitely looking forward to furthering the conversation on how it moves from that. Hmm, I think that's all I got for this. Thank you.