So yeah guys, this case sounds a little bit weird. A phone has been hacked, as claimed, and the victim is receiving calls from abroad, and the attacker says he has stolen the victim's pictures.
The victim also says he sees strange actions happening on the phone, Skype being installed and uninstalled so many times.
I've noticed the following dodgy apps on the phone. The phone is a Samsung SIII [un-rooted]. Dodgy apps as follows:
1- uspycam
2- true caller
3- hideman
4- cam dictionary
5- hotspot shield
6- tigersvpn
7- vpnonclick
8- Has no antivirus whatsoever
What do you guys think I should do next? Is there a way I can sandbox the entire phone to check for malware?
Thanks, chaps.
Cellebrite UFED has a built in spyware detection solution that works great with Android phones.
I suggest that you perform a physical extraction of this Galaxy S3 and then run this scan in UFED Physical Analyzer.
This should be able to detect if spyware is installed.
Best regards,
Ron Serber
Thanks, is there any other way other than Cellebrite?
Have you looked at the victim's CDRs? I would focus my attention on the data traffic from their device. You may see that the device is transferring a large amount of data during early morning hours. If so, where is it going? If you decide to ask, tell them you would like an hourly breakdown if possible.
Where is your suspect? If he is here in the U.S. you can obtain a decent amount of material with "specific and articulable facts", but that will depend on your jurisdiction.
Yes, when talking about mobile forensics we're looking at examining whatever is on an image, but not on the device itself.
I've found some useful ways to initiate a malware analysis on a mobile:
1- Take an image of the phone
2- Mount the image as a drive
3- Scan the image for malware using anti-virus software (I've used HouseCall; anyone know a better one for Android malware?)
4- For testing applications, use an emulator and then download the APK of any suspicious app on the emulator (a safe environment), look at the permissions given to that app, and what it does (gives you a real feel)
5- Network analysis: take a tcpdump using the emulator, run whatever application you want, take the traffic.cap file and analyse it using Wireshark
This was the best I could do. Anyone have any thoughts or recommendations?
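For step 5 above (and the CDR suggestion earlier in the thread about bulk transfers in the early morning hours), the part of the capture analysis that Wireshark does not do for you is the summary: how many bytes did the device send to each destination, and in which hours? Below is an added example, not code from anyone in this thread, that reads a pcap file written by tcpdump or the emulator, keeps only frames sent by the device, and totals outbound bytes per destination and per UTC hour. The sample capture is constructed inline (TEST-NET addresses, and 10.0.2.15 as the emulator's usual guest address) so it runs offline; point `summarise()` at a real `traffic.cap` to use it for real.

```python
"""Summarise outbound traffic in a pcap by destination and by hour.

Added example for the thread; the capture built by build_pcap() is a
constructed sample, not a real trace from the case.
"""
import socket
import struct
from collections import defaultdict
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4      # little-endian, microsecond-resolution pcap
LINKTYPE_ETHERNET = 1
DEVICE_IP = "10.0.2.15"      # assumption: the emulator guest / phone address


def _ts(hour, minute):
    """Epoch seconds for a fixed date (2013-06-10) at the given UTC time."""
    return int(datetime(2013, 6, 10, hour, minute, tzinfo=timezone.utc).timestamp())


# Constructed sample: small daytime traffic, then a bulk upload at 03:05 UTC.
# Tuples are (epoch_seconds, src_ip, dst_ip, tcp_payload_length).
SAMPLE_PACKETS = [
    (_ts(14, 0), DEVICE_IP, "203.0.113.5", 120),
    (_ts(14, 0) + 1, "203.0.113.5", DEVICE_IP, 900),   # inbound, ignored
    (_ts(3, 5), DEVICE_IP, "198.51.100.23", 1400),
    (_ts(3, 5) + 1, DEVICE_IP, "198.51.100.23", 1400),
    (_ts(3, 6), DEVICE_IP, "198.51.100.23", 1400),
]


def build_pcap(packets):
    """Serialise the sample tuples as Ethernet/IPv4/TCP frames in pcap format."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, src, dst, payload_len in packets:
        payload = b"\x00" * payload_len
        # src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
        tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
        total_len = 20 + len(tcp) + len(payload)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        eth = b"\x00" * 12 + b"\x08\x00"          # zero MACs, EtherType IPv4
        frame = eth + ip + tcp + payload
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (ts_sec, src, dst, ip_total_len, proto) for each IPv4-over-Ethernet frame."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file (pcapng not supported here)")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4, skip
        total_len, = struct.unpack_from("!H", frame, 16)
        proto = frame[23]
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        yield ts_sec, src, dst, total_len, proto


def summarise(data, device_ip=DEVICE_IP):
    """Return (bytes_by_destination, bytes_by_utc_hour) for frames the device sent."""
    by_dst = defaultdict(int)
    by_hour = defaultdict(int)
    for ts, src, dst, length, _proto in parse_pcap(data):
        if src != device_ip:
            continue
        by_dst[dst] += length
        by_hour[datetime.fromtimestamp(ts, tz=timezone.utc).hour] += length
    return dict(by_dst), dict(by_hour)


def top_talkers(by_dst, n=3):
    """Destinations receiving the most bytes from the device, largest first."""
    return sorted(by_dst.items(), key=lambda kv: -kv[1])[:n]


if __name__ == "__main__":
    capture = build_pcap(SAMPLE_PACKETS)   # replace with open("traffic.cap","rb").read()
    dsts, hours = summarise(capture)
    print("top destinations:", top_talkers(dsts))
    print("bytes per UTC hour:", hours)
```

Byte counts use the IP total length, so a pcap truncated with a snaplen still gives correct totals; the time bucketing is in UTC, so convert to the phone's local time before comparing with the carrier's hourly CDR breakdown.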
You should start by configuring it to use your proxy or run Shark (the Android version of Wireshark) the entire day, then analyse the traffic.
So basically this is just like the tcpdump command done by the emulator, which is forensically sound.
Plus Shark only works on rooted devices, I assume.
Anyone have software to scan the Android for malware after it's been mounted as a drive on the computer?
Lee Reiber suggests using HouseCall in his "MPE+ Android Malware Detection" webinar. You can find that video here on Forensic Focus.
Yes, this is why I said I've used HouseCall, but is there any other AV software that is dedicated to Android malware?
CopyRight, assuming you don't have a UFED, how would you image the device?