Mobile forensics after factory reset  

Page 1 / 2
Alistair
(@alistair)
New Member

Hello all,

so first of all let me introduce myself. My name is Alistair and I am currently doing research on BYOD (Bring your own device) implementation in enterprise environments and the security associated with these policies. My main focus is on Mobile Device Management (MDM) software that enables BYOD practices to be implemented throughout the enterprise.
Most MDM software professes the ability to secure company assets residing on the smartphone or tablet device by issuing a remote wipe (full or selective) and therefore making any sensitive information on the device unrecoverable. I am researching the remote wipe concept and analyzing whether it's secure enough for business or not.

Now that we got the introduction out of the way, I want to say first that this forum is amazing. I have been a lurker for a while and the amount of expertise and community support here is incredible, really great job with bringing the forensics community together. Now, I have just begun looking into mobile forensics so bear with me if some of what I say is incorrect.

So, from my research I know that the iPhone (starting with 3GS) provides hardware encryption and a remote wipe basically destroys the encryption keys making the data recovered pretty much useless. I have looked everywhere and, presently, there seems to be no way to recover the hardware encryption keys short of plugging in some complex device into the CPU and extracting them (which would be a lot of manual work for your average person). Therefore, I can safely say that Apple has implemented the security aspect of mobile devices in an enterprise environment impeccably.

Now, with Android devices, there is a lot of fragmentation, many devices use the open source Android platform and implement it in various ways. Also all Android devices use NAND flash as internal storage so erasing is a complicated task (writing is done on a page basis and erasing is done on a block basis). NAND flash calls the garbage collector when the entire block is marked as unused and then proceeds to do a block erase. If one page on that block is still being used, all unused pages on that block will be recoverable.

So my question is twofold. First, if anybody has any BYOD experience in the company they work for, would a remote wipe executed on an Android device be sufficient? (Given the restrictions flash storage imposes, I highly doubt this.) Second, I have dumped the physical image of an Android tablet after remotely wiping it (by rooting it and issuing a 'dd' command to dump the entire mmcblk0 partition), what tools do you use or would be ideal for file carving on this raw image file?

If you have read this far, thanks for taking the time!

All help is greatly appreciated.

Posted : 03/05/2013 11:29 pm
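Alistair asks above what to use for carving a raw `dd` dump of mmcblk0. As an added illustration (not code from the thread or from any tool named in it), the following Python carves three artefact types that commonly survive a factory reset out of a constructed image by signature: JPEG and PNG by header/footer, and SQLite by reading the page size and page count from its own header, since SQLite files have no footer. The sample image, the signature table and the size limit are assumptions for the demo. One caveat to keep in mind when interpreting such a dump: a dd of mmcblk0 only contains the logical blocks the eMMC controller exposes, so pages the flash translation layer has retired but not yet erased are not reachable this way, and a clean dump is not proof of a clean chip.

```python
import struct

# Header/footer signatures for the demo. Constructed for this example;
# a real carver would carry a much larger table.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND"),
}
SQLITE_MAGIC = b"SQLite format 3\x00"
MAX_FILE_LEN = 16 * 1024 * 1024  # give up on a header with no footer within 16 MiB


def carve_header_footer(image: bytes, name: str, header: bytes, footer: bytes):
    """Yield (offset, name, data) for every header..footer pair found in image."""
    pos = image.find(header)
    while pos != -1:
        end = image.find(footer, pos + len(header), pos + MAX_FILE_LEN)
        if end == -1:
            # orphaned header (file partially overwritten): skip it and keep scanning
            pos = image.find(header, pos + 1)
            continue
        end += len(footer)
        if name == "png":
            end += 4  # the IEND chunk is followed by its 4-byte CRC
        yield pos, name, image[pos:end]
        pos = image.find(header, end)


def carve_sqlite(image: bytes):
    """SQLite has no footer; the header gives page size (offset 16) and page count (offset 28).
    For a real dump also check that bytes 24..27 equal bytes 92..95, which is what makes the
    in-header page count trustworthy; both are zero in the constructed sample."""
    pos = image.find(SQLITE_MAGIC)
    while pos != -1:
        page_size = struct.unpack(">H", image[pos + 16:pos + 18])[0]
        if page_size == 1:          # the value 1 encodes 65536 in the file format
            page_size = 65536
        n_pages = struct.unpack(">I", image[pos + 28:pos + 32])[0]
        length = page_size * n_pages
        sane = 512 <= page_size <= 65536 and page_size & (page_size - 1) == 0
        if sane and 0 < length <= len(image) - pos:
            yield pos, "sqlite", image[pos:pos + length]
            pos = image.find(SQLITE_MAGIC, pos + length)
        else:
            pos = image.find(SQLITE_MAGIC, pos + 1)


def carve(image: bytes):
    """Return all carved objects as (offset, kind, data), sorted by offset."""
    hits = []
    for name, (header, footer) in SIGNATURES.items():
        hits.extend(carve_header_footer(image, name, header, footer))
    hits.extend(carve_sqlite(image))
    return sorted(hits, key=lambda h: h[0])


def build_sample_image() -> bytes:
    """Constructed stand-in for a dd dump: erased flash (0xFF), zeroed blocks, three leftover files."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"J" * 300 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"P" * 200
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    db = bytearray(2048)
    db[0:16] = SQLITE_MAGIC
    db[16:18] = struct.pack(">H", 1024)   # page size
    db[28:32] = struct.pack(">I", 2)      # database size in pages
    erased = b"\xff" * 4096               # erased NAND reads back as all ones
    zeros = b"\x00" * 1024
    return erased + jpeg + zeros + png + zeros + bytes(db) + erased


if __name__ == "__main__":
    for offset, kind, data in carve(build_sample_image()):
        print(f"{kind:6s} at 0x{offset:08x}, {len(data)} bytes")
```

Run it as a script to see the three objects and their offsets; point `carve()` at the bytes of a real dump to try it on live data. The header/footer approach has the usual weaknesses (fragmented files, missing trailers, false positives on short signatures), which is why the SQLite branch trusts the file's own size fields rather than a trailer.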
jaclaz
(@jaclaz)
Community Legend

Hallo Alistair, welcome to the board :)

I have no experience with the specific matter of your request but - if I may - can I ask a couple of questions about BYOD?

If I get it right ? , the scope of the research is to find a way to "plant" in my personally owned device *something* (or access something like the remote iPhone wiping) that allows my employer (read as "the enterprise" or the wacky IT guy in the enterprise) - at his will and without my consent - to completely wipe my smartphone or tablet contents (including each and every of my personal data, contacts, messages and what not)?

Is this what MDM software does (or is intended to do)? 😯

jaclaz

Posted : 04/05/2013 12:40 am
Alistair
(@alistair)
New Member

Hello jaclaz,

indeed this is the case. Of course the remote wiping would occur if you lost the device or someone stole it. But let's say you lost it, the remote wipe occurred, then you found out. Say goodbye to all your stuff on it.

Some MDM companies also say they have the ability to selectively wipe only company data but I am not too sure if that works. But yeah, in summary, the company can remotely wipe your device if you enrolled it in their BYOD policy. :D

Posted : 04/05/2013 12:44 am
Patrick4n6
(@patrick4n6)
Senior Member

You must understand that privacy is different in the US Jaclaz, and many employees would sacrifice a little privacy on their personal device for the convenience. (I am not one of those people, but then I come from a different culture to the US.)

A well done MDM will create a separate container for all corporate information, and allow the employer to gather or wipe that data. Ideally you don't ever access the user's non-corporate data. How well that's implemented remains to be seen.

Posted : 04/05/2013 6:26 am
Alistair
(@alistair)
New Member

Indeed that is what the top MDM providers are aiming to do, but coming back to my question, is a secure erase on an Android device possible? Most remote wipe procedures are just a push notification to call the "reset to factory settings" command but I have demonstrable proof that it is not enough (dd the partitions you are interested in, carve them and retrieve deleted files).

Actually what I want to know is, is there a way to securely wipe an Android device without wearing out the flash storage. For example, a call to the native NAND flash secure erase command (I think it differs from brand to brand but an ATA-Secure erase wipes out the flash back to factory settings from what I know).

Any experienced forensics experts care to shed some light on this?

Thanks!

Posted : 04/05/2013 9:04 am
trewmte
(@trewmte)
Community Legend

Alister

Some links

Windows version of How to wipe a BlackBerry device remotely
http://support.microsoft.com/kb/2575026

Blackberry version of How to set a Remote Wipe on Blackberry Enterprise Express server
http://supportforums.blackberry.com/t5/BlackBerry-Professional-Software/How-to-set-a-Remote-Wipe-on-Blackberry-Enterprise-Express-server/td-p/554158

Also read this
http://supportforums.blackberry.com/t5/BlackBerry-Professional-Software/BES-express-Remote-wipe-does-not-really-wipe-all-device-data/td-p/529618

Here is a case of unintended remote wiping - Samsung smartphones vulnerable to remote data wipe
http://news.cnet.com/8301-1009_3-57520327-83/samsung-smartphones-vulnerable-to-remote-data-wipe/

Also, how would remote wiping work in the absence of wireless coverage?

Posted : 04/05/2013 1:28 pm
jaclaz
(@jaclaz)
Community Legend

You must understand that privacy is different in the US Jaclaz, and many employees would sacrifice a little privacy on their personal device for the convenience. (I am not one of those people, but then I come from a different culture to the US.)

This has nothing to do with "privacy", it has to do with integrity of personal data and to the possibility that a third party (which may or may not be reliable/fair/etc.) has the possibility to wipe them without my consent.
We already had a few known "real life case" with remote "iThings" wiped (and in that case the "mess" was caused by the good Apple guys that were tricked by a hacker)
http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard
I.e. the issue is not with the "Enterprise" having access to "my" personal data on "my" device (access that I can prevent anyway) but that there can be a mechanism to completely wipe "my" device (including "my" personal data) accessible/triggerable by someone that provides no particular guarantee of "security", nor "reliability" and that can do that without my consent, and remotely.

A well done MDM will create a separate container for all corporate information, and allow the employer to gather or wipe that data. Ideally you don't ever access the user's non-corporate data. How well that's implemented remains to be seen.

Which would be perfectly fine with me. :)
Enterprise can wipe "their" data from my device.
I can wipe "my" data from my device.
Everyone wipes their own stuff and is happy.

jaclaz

Posted : 04/05/2013 5:18 pm
Alistair
(@alistair)
New Member

Alister

Some links

Windows version of How to wipe a BlackBerry device remotely
http://support.microsoft.com/kb/2575026

Blackberry version of How to set a Remote Wipe on Blackberry Enterprise Express server
http://supportforums.blackberry.com/t5/BlackBerry-Professional-Software/How-to-set-a-Remote-Wipe-on-Blackberry-Enterprise-Express-server/td-p/554158

Also read this
http://supportforums.blackberry.com/t5/BlackBerry-Professional-Software/BES-express-Remote-wipe-does-not-really-wipe-all-device-data/td-p/529618

Here is a case of unintended remote wiping - Samsung smartphones vulnerable to remote data wipe
http://news.cnet.com/8301-1009_3-57520327-83/samsung-smartphones-vulnerable-to-remote-data-wipe/

Also, how would remote wiping work in the absence of wireless coverage?

That is also one area I am researching, what if the thief just puts the device in "airplane mode"? Or recovery mode? All communication with the outside world will be cut off and good luck remotely wiping your company information. This also goes to show that MDM software wasn't created with security as a top priority, but mostly just to facilitate the centralization of devices in a BYOD context.

On the topic of selective wiping, where the MDM software uses a container and wipes it when the device is compromised. Well, that is one level up from the normal "wipe the entire device and hope that everything is destroyed" thought, however, a physical image of the device would allow the attacker to carve out certain files from that container. Let's say you want to increase the security and have the container encrypt all data, well, the keys have to be stored somewhere right? Due to the restrictions of flash storage, the MDM software could possibly wipe the encryption keys, but they would still remain in storage somewhere. A forensic recovery of the keys would allow the attacker to decrypt the company data, read e-mails and potentially other sensitive documents as well.

A knowledgeable thief (let's say a corporate spy) would know to cut all communication between the device and the outside world after stealing it to disable remote wipe.

And as the ultimate cherry on top, there are also ways of retrieving data from the RAM (volatile memory) of an Android device, so the thief could put the smartphone in "airplane mode", retrieve content from RAM (encryption keys and whatnot), then even if the device issues a remote wipe, no problem, the spy has all he needs to decrypt and retrieve your information.

Kind of scary huh?

Posted : 05/05/2013 12:22 am
jaclaz
(@jaclaz)
Community Legend

That is also one area I am researching, what if the thief just puts the device in "airplane mode" ? Or recovery mode? All communication with the outside world will be cut off and good luck remotely wiping your company information. This also goes to show that MDM software weren't created with security as a top priority, but mostly just to facilitate the centralization of devices in a BYOD context.
….

A knowledgeable thief (let's say a corporate spy) would know to cut all communication between the device and the outside world after stealing it to disable remote wipe.

Yep :) , if I were a corporate spy, I would always bring with me a couple of forensic Faraday bags
http://www.forensicfocus.com/Forums/viewtopic/t=9890/
(or - personally being really cheap - a big roll of aluminum foil)
and not even attempt to change anything in the device, an approach strangely similar to the one our digital forensics professional investigators use with evidence phones and tablets.

Then I presume that at the corporate spy headquarters they do have a shielded laboratory room :roll: .

So, if the stolen/lost handy/tablet falls in the hands of an "average thief" you can wipe the information from it (which is by the way exactly what the "average thief" will try to do anyway, in order to be able to sell the device ;) ) whilst if the thingy is stolen with the intent of stealing resident data from it you cannot do anything about it.

Now, probabilities (completely faked - as always), out of 10,000 😯 devices missing

  • The thingy is lost accidentally, or forgotten in a public toilet, etc. 6,500
  • The thingy is stolen by a "normal thief" 3,000
  • The thingy is stolen by a "corporate spy" 500

Of the 6,500 lost accidentally

  • The thingy is lost accidentally and it falls in the hand of a nice guy/gal who returns it 2,500
  • The thingy is lost accidentally and it falls in the hand of a "normal" thief 3,999
  • The thingy is lost accidentally and by sheer (bad) luck falls in the hands of a corporate spy 1

So you have the full wipe that in 9,499 cases is unneeded (of these, 6,999 actually do a favour to the thief and 2,500 most probably prevent the device from being returned to you), in 500 cannot possibly work, and in 1 case may work if you manage to activate it in the short timeframe between the time the user realizes he/she lost it and reports the loss and the moment the corporate spy happens to be passing by and gets it.

jaclaz

Posted : 05/05/2013 1:19 am
trewmte
(@trewmte)
Community Legend

Alister some ideas.

On the basis that remote wiping is one security policy/procedure and you have other policies/procedures listed, maybe link other policies/procedures which, if compromised, trigger the remote wipe policy in the device itself might work for you.

Some of the M2M devices in an area I work have one-time passwords/pass*. You seem very clued up so I suggest/highlight some possibilities. You are aware of

a) PIN and PUK invalidation operation (U/SIM) - prevent access but not overwrite
b) e.g. the Blackberry password invalidation policy - prevents access and overwrites

Combining a policy remote_wipe_trigger with invalid entry of pass

- x-number of enter attempts when device not connected to wireless network

Under this policy wipe of work partitioned area could be possible

- x-number of enter attempts when device connected to wireless network

Under this policy the user has to enter a valid password which is not authenticated in the device but sends the password to the authentication server, which sends back another entry pass*. The pass* changes every time the password is entered, which means the genuine user would only need to use the password when gaining access to sensitive areas of the partition data.

The above notion is similar to the security triplets used in GSM but varies in that the password to access general work is not the same as the password to enter the sensitive area. Thus the password for the sensitive area would require the genuine user to contact the appropriate person in the company before being allowed to go any further; the attempts_failed policy activates on detection of x-number of invalid entries.

The retention of pass* in RAM could be subject to the same one-time policy to dissolve connection to access the sensitive area by overwrite_pass* (keys etc).

Posted : 05/05/2013 1:36 pm
Alistair
(@alistair)
New Member

Hello trewmte,

thanks for the amazing write-up and I completely agree with the implementations that you suggested. But my question remains

Most people use a classical 4-digit pin number to protect their device (longer passwords are harder to remember, and also a hindrance to usability according to casual users), this comes down to brute forcing only 10,000 possible combinations which is trivial for a computer to process.

I'm not too familiar with blackberry devices, but as an incumbent in the corporate environment, I'm pretty sure BB devices have their security pretty much setup from long years of experience. My focus is more on the iPhone/iPad and the multitude of Android devices out there. As you all know, these devices were released as casual consumer devices, and slowly shifted into the corporate environment with the rising trend of BYOD.

So, even if your device is password protected, and has a "x number of entry attempts or wipe" policy associated with it, I could easily put the device, let's say into "recovery mode" (e.g. DFU mode for iPhone), brute force your PIN number in hopes of cracking it, and dumping a physical forensic image of the device for me to analyze.

I am also interested in a "secure wipe" for mobile devices. I mean the iPhone erases the keys, that's great, but let's say in the near future (although unlikely) some flaw in the AES algorithm gets published, now I have your encrypted data and can use that flaw to decrypt it.

What we need is a completely secure erase that wipes the data on the device never to be recovered again.

Posted : 07/05/2013 12:23 am
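As an added example (not code from the thread) of the point Alistair makes about a 4-digit PIN: if the PIN is the only input to the key derivation and an attacker can pull the wrapped key blob off the device, all 10,000 PINs can be tried offline in seconds. The stdlib-only Python below wraps a master key under a PIN-derived key, enumerates the PINs, and then shows what a secret that never leaves the SoC changes: folding a device-bound secret into the derivation makes the same sweep fail off-device even though the PIN space is unchanged, so the attacker is pushed back to on-device attempts that can be rate-limited or capped. The key-wrapping construction, the iteration count, the names and the `device_secret` stand-in for a hardware-fused key are assumptions for the demo, not any vendor's scheme.

```python
import hashlib
import hmac

# Deliberately low so the 10,000-PIN sweep runs in about a second in the demo.
# A real design uses far more iterations and, ideally, a secret that never leaves the SoC.
ITERATIONS = 100
SALT_LEN, KEY_LEN, TAG_LEN = 16, 32, 16


def derive_kek(pin: str, salt: bytes, device_secret: bytes = b"") -> bytes:
    """PIN -> key-encryption key. device_secret (hypothetical stand-in for a hardware-bound key)
    is folded into the salt, so the KDF output cannot be recomputed off-device without it."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt + device_secret, ITERATIONS, KEY_LEN)


def wrap_master_key(master_key: bytes, pin: str, salt: bytes, device_secret: bytes = b"") -> bytes:
    """Return salt || ciphertext || tag. Wrapping is XOR with a KEK-derived keystream plus an
    HMAC tag; a real system would use AES key wrap, this keeps the demo stdlib-only."""
    assert len(master_key) == KEY_LEN and len(salt) == SALT_LEN
    kek = derive_kek(pin, salt, device_secret)
    keystream = hashlib.sha256(kek + b"wrap").digest()
    ct = bytes(a ^ b for a, b in zip(master_key, keystream))
    tag = hmac.new(kek, ct, "sha256").digest()[:TAG_LEN]
    return salt + ct + tag


def unwrap_master_key(blob: bytes, pin: str, device_secret: bytes = b""):
    """Return the master key for a correct PIN, None otherwise (tag mismatch)."""
    salt, ct, tag = blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + KEY_LEN], blob[SALT_LEN + KEY_LEN:]
    kek = derive_kek(pin, salt, device_secret)
    expected = hmac.new(kek, ct, "sha256").digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    keystream = hashlib.sha256(kek + b"wrap").digest()
    return bytes(a ^ b for a, b in zip(ct, keystream))


def brute_force_pin(blob: bytes, digits: int = 4, device_secret: bytes = b""):
    """Offline attack on an extracted blob: try every numeric PIN of the given length.
    Returns (pin, master_key) or None if no PIN verifies with the given device secret."""
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        mk = unwrap_master_key(blob, pin, device_secret)
        if mk is not None:
            return pin, mk
    return None


if __name__ == "__main__":
    master = bytes(range(KEY_LEN))         # constructed master key
    salt = b"\x01" * SALT_LEN              # constructed salt
    blob = wrap_master_key(master, "7291", salt)
    print("no hardware key  :", brute_force_pin(blob))
    blob_hw = wrap_master_key(master, "7291", salt, device_secret=b"soc-fused-secret")
    print("wrong hw secret  :", brute_force_pin(blob_hw, device_secret=b"attacker-guess"))
    print("right hw secret  :", brute_force_pin(blob_hw, device_secret=b"soc-fused-secret"))
```

The iteration count only scales the cost linearly, so on its own it buys a 4-digit PIN very little against an offline attacker with the blob; the device-bound secret is what turns the attack from "10,000 hashes on a laptop" into "10,000 attempts on the device", where an attempt counter and wipe policy can apply.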
jaclaz
(@jaclaz)
Community Legend

Most people use a classical 4-digit pin number to protect their device (longer passwords are harder to remember, and also a hindrance to usability according to casual users), this comes down to brute forcing only 10,000 possible combinations which is trivial for a computer to process.

If I may, if you lock the phone after three (or five) failed attempts (just like the PIN does and then you need the PUK), even a 4 digit may do.

I may state the obvious ? , but for smartphones a combination of facial recognition AND PIN might be an option.
Facial recognition alone, doubtly so
http://kgmacke.hubpages.com/hub/Beware-of-the-Ice-Cream-Sandwich-the-marketing-ploy-of-face-recognition

jaclaz

Posted : 07/05/2013 9:00 pm
Coligulus
(@coligulus)
Active Member

For authentication, something I am currently working on a beta for is EyeVerify. I should stress this is not my product nor affiliated with my organisation. This solution uses eye vein biometrics much like a fingerprint but without the need for any additional equipment, just the devices camera. The product is not GA yet but I know they are working with the key MDM providers to integrate the solution into their products. You can find more info here

http://www.eyeverify.com

With regards to securely wiping a device, the only handsets I have discovered that actually do this are BlackBerrys.

Integrating something like Jonathan Zdziarski's iErase into the actions performed by x number of failed password attempts may help, however this only looks at free space on the device. The reality is deleted data will still reside within live files on the device and the tool is unable to touch this. More info here

http://www.zdziarski.com/blog/?page_id=407

Even when a selective wipe is performed by an MDM solution data will still remain on the device, particularly iDevices. This is partly due to the way the selective wipe is enacted. Removing the email profile may make the profile disappear on the device rendering the mail application UI unusable to the user, however underneath the skin all email data remains. Add to this the way that the SQLite databases work on the device and it is still possible to recover other exchange data from the live files still resident on the device. So, in short, a selective wipe achieves very little to protect corporate data from a persistent malicious 'spy'.

The best way to protect the data - as was already mentioned - is to use a secure container which is independently encrypted on top of the device level encryption. However, as was also pointed out the encryption keys must be on the device somewhere. So, we need to look at only allowing specific device types to enrol in the MDM solution to prevent being able to circumvent any kind of device level passcode cracking and ensuring that enforced passcodes are part of the organisation's mobile policy. For iOS this means disallowing anything other than iPhone 4S or iPad 2 or newer devices as it is not possible to load a RAM disk on these and attack the passcode unless the device is already jailbroken and SSH happens to be installed. MDM solutions have the function to prevent specific makes, or even OS versions, from enrolling ensuring that sensitive corporate data never makes it down to easily compromisable devices. They also have the capability to identify and act upon compromised (rooted/jailbroken) devices.

Android is a different kettle of fish altogether. Samsung are soon to release their 'Knox' container for supported devices which will create a protected and encrypted partition on the devices for corporate data. The security is good enough that the US DoD have approved these devices for use by soldiers for BYOD and company liable devices. This supports the position that the 'Knox' solution has gone a long way to providing solid security on this platform, at least for Samsung devices. However, again the keys must be there somewhere.

Unfortunately the keys have to be stored somewhere, and even if they were not stored on the device but say, the device received the keys over the air each time an encrypted application was used, they would still need to be cached on the device in order to be used by the application, and on top of that the user would have to be online in order to do anything. This makes the aim of trying to encourage productivity of employees by facilitating BYOD or mobile working practices more of a challenge as there are still areas of poor reception, and how would someone work on a plane where there is no WiFi? There is no getting away from this. There will always be an issue with regards to key storage vulnerabilities IMO until there is a practical and cost effective way to use something like a CAC card or RSA type token which houses the keys, and application developers find a way to effectively use the keys and then scrub the memory where the keys were cached prior to use.

Like all things information security related a layered approach is required to ensure that IF someone can get into the device they need to be a specialist not just some have a go hacker who stumbles across sensitive data. The first layer being MDM to protect the device (which ultimately is a foundation and not the answer to everything) and then tie this together with MAM technology to protect the data. There are also companies currently working on VDI type technologies which house the data behind the corporate firewall and use applications on the device only as a viewer/editor and use a secure connection to tunnel back behind the corporate firewall. I am yet to evaluate any of these as right now they are not GA either, though they look far better than traditional VDI which is useless on mobile devices.

Any organisation which takes security seriously will apply data loss prevention technologies to ensure that the most sensitive types of data never make it to the mobile device in the first place. Whether that be by using a dedicated DLP solution or for example simply disallowing email attachments to be pushed to mobile devices for example. An organisation can have an assessment conducted on the devices they allow into their environment to understand the weaknesses of the devices and the time it would take to exploit them. Next perform a risk assessment and adjust their practices and policies accordingly.

Risk assessment IMO is a key step. If the company knows their devices are vulnerable but that it will take 6 months to exploit that vulnerability, and they know that the sensitive information they have on the devices will only be valuable to an attacker for 3 months then there is ultimately less risk than if those figures were the other way around.

Thanks

Posted : 08/05/2013 2:39 pm
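Coligulus notes above that deleted mail can still be recovered from the live SQLite files a selective wipe leaves behind. The following Python is an added example (not from the thread) that reproduces that behaviour with the standard library's sqlite3 module on a constructed mail store: a plain DELETE makes the row invisible to SQL but its bytes stay in the page's freed space, whereas `PRAGMA secure_delete` (overwrite on delete) or a `VACUUM` (rebuild the file from live content) actually removes them. The table layout and the sample message are constructed for the demo.

```python
import os
import sqlite3
import tempfile

# Constructed sample row standing in for a synced corporate e-mail body.
SECRET = b"CONFIDENTIAL: Q3 acquisition target is Example Holdings"


def make_mailstore(path: str) -> None:
    """Create a small mail database with the sensitive row in the middle."""
    con = sqlite3.connect(path, isolation_level=None)   # autocommit, so VACUUM is allowed later
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, subject TEXT, body BLOB)")
    con.executemany(
        "INSERT INTO messages (subject, body) VALUES (?, ?)",
        [("lunch", b"pizza on friday"), ("board", SECRET), ("status", b"all green")],
    )
    con.close()


def selective_wipe(path: str, secure_delete: bool, vacuum: bool) -> None:
    """Delete the sensitive row the way an app-level 'wipe' would, optionally with the two
    SQLite mechanisms that actually scrub freed space."""
    con = sqlite3.connect(path, isolation_level=None)
    # secure_delete=ON makes SQLite zero the cell on delete; OFF leaves the bytes in place
    # (explicitly set, because some builds compile it ON by default).
    con.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
    con.execute("DELETE FROM messages WHERE subject = 'board'")
    if vacuum:
        con.execute("VACUUM")          # rebuilds the file from live content only
    con.close()


def row_visible(path: str) -> bool:
    """What the application (and the MDM agent) sees: is the row still there?"""
    con = sqlite3.connect(path)
    n = con.execute("SELECT COUNT(*) FROM messages WHERE body = ?", (SECRET,)).fetchone()[0]
    con.close()
    return n > 0


def bytes_still_in_file(path: str) -> bool:
    """What a raw image of the device sees: are the bytes still in the file?"""
    with open(path, "rb") as f:
        return SECRET in f.read()


def run_case(secure_delete: bool, vacuum: bool):
    """Return (visible_via_sql, present_in_raw_file) after the wipe, using a temp database."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "mail.db")
    try:
        make_mailstore(path)
        selective_wipe(path, secure_delete, vacuum)
        return row_visible(path), bytes_still_in_file(path)
    finally:
        for name in os.listdir(d):
            os.remove(os.path.join(d, name))
        os.rmdir(d)


if __name__ == "__main__":
    for sd, vac in [(False, False), (True, False), (False, True)]:
        print(f"secure_delete={sd!s:5} vacuum={vac!s:5} -> (visible, in_file) = {run_case(sd, vac)}")
```

The first case is the one the post describes: the application reports the message gone while the string is trivially found with a byte search over the file. Note that even the scrubbed cases only clean the database file itself; overwritten pages may still exist in the rollback journal or WAL, and on flash the old page may still sit in a retired NAND block that the controller has not yet erased.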
Alistair
(@alistair)
New Member

Thanks Colin for that wonderful reply, very informative indeed!

I agree that key storage is a big issue in not just mobile devices but in all aspects of secure computing, one always has to apply due diligence when storing the encryption key.

I think iPhone models after 4 have done it pretty well as they store the master keys in the CPU (or in the hardware somewhere) and they cannot (currently) be extracted via any software tools that I'm aware of. As you have also pointed out, MDM software is not meant to be sold as security software but as a means of simplifying BYOD and device enrollment; security is just a necessity that usually comes packaged with the software. How well they implement it is still to be determined. Doing a quick look around, you can find ways to bypass jailbreak detection, because what the software usually does is search for the 'su' binary under certain directories, and there are a gazillion ways to jailbreak your phone (just head over to XDA developers to see for yourself).

Secure containers are a step up, but again, the keys have to be somewhere. I have personally extracted keys for my TrueCrypt container and successfully decrypted the encrypted container to a raw image file, which I was then able to mount and see the files stored in it. I am sure this is also possible for MDM software using the secure container defense. Encryption is only as good as the algorithm protecting it, and of course, on how well you secure the keys themselves. AES-128/256 still have a long way to go, in my opinion, before being broken. But the same was said for DES, until they had to close the door on it due to some scary vulnerabilities.

I find that the iDevices are a bit more secure at this time, due to the engineering of the device with security in mind from the get-go. I never heard of the new Samsung device you're talking about but it seems like they are also making a correct change in securing their device internally. The newer Android devices also support the native TRIM command for flash storage, this command would mark the pages that are no longer in use as 'invalid' and garbage collector would essentially purge them. However, the reliance on how securely TRIM erases data is yet to be determined. I tried it on my own Acer tablet and it worked more or less, but I was still able to recover some data.

I believe that the current setup of full-disk encryption + remote wipe is enough for corporate security, but if the device gets into the hands of a knowledgeable corporate spy with a plethora of resources at his disposal, then he would know how to counter corporate security measures and extract the data one way or the other.

Coming back to my main point, remote wiping is just not a viable solution because it is not guaranteed to succeed. If your remote wipe doesn't succeed, your device remains in the state it was stolen in. A better solution, in my opinion, would be for the device itself to 'phone home' at fixed time intervals, and after a certain amount of failures, it would initiate a 'local' wipe. A bit drastic as a solution, but still better than getting your sensitive assets into the hands of a thief.

Thanks

Posted : 13/05/2013 4:42 am
trewmte
(@trewmte)
Community Legend

As you have also pointed out, MDM softwares are not meant to be sold as security software but as a means of simplifying BYOD and device enrollment, security is just a necessity that usually comes packaged with the software.

The security concern must be why even allow sensitive data on BYOD?

http://trewmte.blogspot.co.uk/2013/01/smartphone-byod.html

Posted : 13/05/2013 6:20 am