Mobile forensics after factory reset

(@alistair)
Posts: 23
Eminent Member
Topic starter
 

Hello all,

so first of all let me introduce myself. My name is Alistair and I am currently doing research on BYOD (Bring Your Own Device) implementation in an enterprise environment and the security associated with these policies. My main focus is on Mobile Device Management (MDM) software that enables BYOD practices to be implemented throughout the enterprise.
Most MDM software professes the ability to secure company assets residing on the smartphone or tablet device by issuing a remote wipe (full or selective) and therefore making any sensitive information on the device unrecoverable. I am researching the remote wipe concept and analyzing whether it's secure enough for business or not.

Now that we got the introduction out of the way, I want to say first that this forum is amazing. I have been a lurker for a while and the amount of expertise and community support here is incredible, really great job with bringing the forensics community together. Now, I have just begun looking into mobile forensics so bear with me if some of what I say is incorrect.

So, from my research I know that the iPhone (starting with 3GS) provides hardware encryption and a remote wipe basically destroys the encryption keys making the data recovered pretty much useless. I have looked everywhere and, presently, there seems to be no way to recover the hardware encryption keys short of plugging in some complex device into the CPU and extracting them (which would be a lot of manual work for your average person). Therefore, I can safely say that Apple has implemented the security aspect of mobile devices in an enterprise environment impeccably.

Now, with Android devices, there is a lot of fragmentation, many devices use the open source Android platform and implement it in various ways. Also all Android devices use NAND flash as internal storage so erasing is a complicated task (writing is done on a page basis and erasing is done on a block basis). NAND flash calls the garbage collector when the entire block is marked as unused and then proceeds to do a block erase. If one page on that block is still being used, all unused pages on that block will be recoverable.

So my question is twofold. First, if anybody has any BYOD experience in the company they work for, would a remote wipe executed on an Android device be sufficient? (Given the restrictions flash storage imposes, I highly doubt this.) Second, I have dumped the physical image of an Android tablet after remotely wiping it (by rooting it and issuing a 'dd' command to dump the entire mmcblk0 partition); what tools do you use, or would be ideal, for file carving on this raw image file?

If you have read this far, thanks for taking the time!

All help is greatly appreciated.

 
Posted : 03/05/2013 10:29 pm
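As an added illustration (not code from any post in this thread), here is a toy NAND model in Python that plays out the page-write / block-erase point from the question above, then runs a minimal header/footer carver over its raw dump, the way one would over a dd image of mmcblk0. The page and block sizes, the FILE{...}END "file format", the sample files and the secure_erase() method (a stand-in for a chip-level block erase, the kind of command asked about later in the thread) are all constructed for the demo.

```python
"""Toy NAND model + header/footer carver (constructed example, not from this thread).

Shows why a delete or factory reset that only marks pages unused leaves them
carvable from a raw dump until every page in the block is unused and the block
is erased, and that an explicit block-level erase does remove them.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Tuple

PAGE_SIZE = 16         # bytes per page (toy value; real parts use KiB pages)
PAGES_PER_BLOCK = 4    # toy value; real parts have 64 to 256 pages per block
ERASED_PAGE = b"\xff" * PAGE_SIZE   # NAND erases to all-ones


@dataclass
class Block:
    pages: List[bytes] = field(default_factory=lambda: [ERASED_PAGE] * PAGES_PER_BLOCK)
    in_use: List[bool] = field(default_factory=lambda: [False] * PAGES_PER_BLOCK)


class ToyNand:
    def __init__(self, nblocks: int) -> None:
        self.blocks = [Block() for _ in range(nblocks)]

    def _erased_pages(self) -> Iterator[Tuple[int, int]]:
        # Only an erased page can be programmed; a page that is merely
        # "unused" still holds its old bytes until its whole block is erased.
        for b, blk in enumerate(self.blocks):
            for p in range(PAGES_PER_BLOCK):
                if blk.pages[p] == ERASED_PAGE and not blk.in_use[p]:
                    yield b, p

    def write(self, data: bytes) -> List[Tuple[int, int]]:
        """Program data page by page; returns the (block, page) slots used."""
        free = self._erased_pages()
        used = []
        for off in range(0, len(data), PAGE_SIZE):
            b, p = next(free)
            self.blocks[b].pages[p] = data[off:off + PAGE_SIZE].ljust(PAGE_SIZE, b"\xff")
            self.blocks[b].in_use[p] = True
            used.append((b, p))
        return used

    def delete(self, slots: List[Tuple[int, int]]) -> None:
        """What a filesystem unlink or a 'factory reset' does: flip the flag only."""
        for b, p in slots:
            self.blocks[b].in_use[p] = False

    def garbage_collect(self) -> int:
        """Erase blocks with no page in use (erase is block-granular). Returns count."""
        erased = 0
        for blk in self.blocks:
            if not any(blk.in_use) and any(pg != ERASED_PAGE for pg in blk.pages):
                blk.pages = [ERASED_PAGE] * PAGES_PER_BLOCK
                erased += 1
        return erased

    def secure_erase(self) -> None:
        """Block erase of every block regardless of use, as a device-level erase would."""
        for blk in self.blocks:
            blk.pages = [ERASED_PAGE] * PAGES_PER_BLOCK
            blk.in_use = [False] * PAGES_PER_BLOCK

    def dump(self) -> bytes:
        """Raw image of the whole chip, like dd on mmcblk0."""
        return b"".join(pg for blk in self.blocks for pg in blk.pages)


def carve(image: bytes, header: bytes, footer: bytes, max_len: int = 4096) -> List[bytes]:
    """Minimal header/footer carver: every header followed by a footer within max_len."""
    found = []
    pos = image.find(header)
    while pos != -1:
        end = image.find(footer, pos + len(header), pos + max_len)
        if end == -1:
            pos = image.find(header, pos + 1)
            continue
        found.append(image[pos:end + len(footer)])
        pos = image.find(header, end + len(footer))
    return found


def factory_reset_demo() -> Dict[str, object]:
    nand = ToyNand(nblocks=2)
    payroll = nand.write(b"FILE{payroll-q1}END")   # block 0, pages 0-1 (work data)
    nand.write(b"FILE{photo-cat}END")              # block 0, pages 2-3 (personal, kept)
    contract = nand.write(b"FILE{contract}END")    # block 1, pages 0-1 (work data)
    nand.delete(payroll)                           # "wipe" the work files
    nand.delete(contract)
    erased = nand.garbage_collect()                # only block 1 qualifies
    after_reset = carve(nand.dump(), b"FILE{", b"}END")
    nand.secure_erase()
    after_erase = carve(nand.dump(), b"FILE{", b"}END")
    return {"blocks_erased": erased, "after_reset": after_reset, "after_erase": after_erase}
```

Running factory_reset_demo() shows the payroll file still carvable after the "reset" because its block also holds a live page, the contract file gone because its block had no live page left and was erased, and nothing carvable at all after the block-level erase.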
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Hallo Alistair, welcome to the board :).

I have no experience with the specific matter of your request but - if I may - can I ask a couple of questions about BYOD?

If I get it right ? , the scope of the research is to find a way to "plant" in my personally owned device *something* (or access something like the remote iPhone wiping) that allows my employer (read as "the enterprise" or the wacky IT guy in the enterprise) - at his will and without my consent - to completely wipe my smartphone or tablet contents (including each and every one of my personal data, contacts, messages and what not)?

Is this what MDM software does (or is intended to do)? 😯

jaclaz

 
Posted : 03/05/2013 11:40 pm
(@alistair)
Posts: 23
Eminent Member
Topic starter
 

Hello jaclaz,

indeed this is the case. Of course the remote wiping would occur if you lost the device or someone stole it. But let's say you lost it, the remote wipe occurred, then you found out. Say goodbye to all your stuff on it.

Some MDM companies also say they have the ability to selectively wipe only company data but I am not too sure if that works. But yeah, in summary, the company can remotely wipe your device if you enrolled it in their BYOD policy. :D

 
Posted : 03/05/2013 11:44 pm
(@patrick4n6)
Posts: 650
Honorable Member
 

You must understand that privacy is different in the US Jaclaz, and many employees would sacrifice a little privacy on their personal device for the convenience. (I am not one of those people, but then I come from a different culture to the US.)

A well done MDM will create a separate container for all corporate information, and allow the employer to gather or wipe that data. Ideally you don't ever access the user's non-corporate data. How well that's implemented remains to be seen.

 
Posted : 04/05/2013 5:26 am
(@alistair)
Posts: 23
Eminent Member
Topic starter
 

Indeed that is what the top MDM providers are aiming to do, but coming back to my question, is a secure erase on an Android device possible? Most remote wipe procedures are just a push notification to call the "reset to factory settings" command but I have demonstrable proof that it is not enough (dd the partitions you are interested in, carve them and retrieve deleted files).

Actually what I want to know is, is there a way to securely wipe an Android device without wearing out the flash storage? For example, a call to the native NAND flash secure erase command (I think it differs from brand to brand, but an ATA Secure Erase wipes the flash back to factory settings from what I know).

Any experienced forensics experts care to shed some light on this?

Thanks!

 
Posted : 04/05/2013 8:04 am
(@trewmte)
Posts: 1877
Noble Member
 

Alistair

Some links

Windows version of How to wipe a BlackBerry device remotely
http://support.microsoft.com/kb/2575026

Blackberry version of How to set a Remote Wipe on Blackberry Enterprise Express server
http://supportforums.blackberry.com/t5/BlackBerry-Professional-Software/How-to-set-a-Remote-Wipe-on-Blackberry-Enterprise-Express-server/td-p/554158

Also read this
http://supportforums.blackberry.com/t5/BlackBerry-Professional-Software/BES-express-Remote-wipe-does-not-really-wipe-all-device-data/td-p/529618

Here is a case of unintended remote wiping - Samsung smartphones vulnerable to remote data wipe
http://news.cnet.com/8301-1009_3-57520327-83/samsung-smartphones-vulnerable-to-remote-data-wipe/#!

Also, how would remote wiping work in the absence of wireless coverage?

 
Posted : 04/05/2013 12:28 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

You must understand that privacy is different in the US Jaclaz, and many employees would sacrifice a little privacy on their personal device for the convenience. (I am not one of those people, but then I come from a different culture to the US.)

This has nothing to do with "privacy", it has to do with integrity of personal data and to the possibility that a third party (which may or may not be reliable/fair/etc.) has the possibility to wipe them without my consent.
We already had a few known "real life cases" with remote "iThings" wiped (and in that case the "mess" was caused by the good Apple guys that were tricked by a hacker)
http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard
I.e. the issue is not with the "Enterprise" having access to "my" personal data on "my" device (access that I can prevent anyway) but that there can be a mechanism to completely wipe "my" device (including "my" personal data) accessible/triggerable by someone that provides no particular guarantee of "security", nor "reliability" and that can do that without my consent, and remotely.

A well done MDM will create a separate container for all corporate information, and allow the employer to gather or wipe that data. Ideally you don't ever access the user's non-corporate data. How well that's implemented remains to be seen.

Which would be perfectly fine with me. :)
Enterprise can wipe "their" data from my device.
I can wipe "my" data from my device.
Everyone wipes their own stuff and is happy.

jaclaz

 
Posted : 04/05/2013 4:18 pm
(@alistair)
Posts: 23
Eminent Member
Topic starter
 

Alistair

Some links

Windows version of How to wipe a BlackBerry device remotely
http://support.microsoft.com/kb/2575026

Blackberry version of How to set a Remote Wipe on Blackberry Enterprise Express server
http://supportforums.blackberry.com/t5/BlackBerry-Professional-Software/How-to-set-a-Remote-Wipe-on-Blackberry-Enterprise-Express-server/td-p/554158

Also read this
http://supportforums.blackberry.com/t5/BlackBerry-Professional-Software/BES-express-Remote-wipe-does-not-really-wipe-all-device-data/td-p/529618

Here is a case of unintended remote wiping - Samsung smartphones vulnerable to remote data wipe
http://news.cnet.com/8301-1009_3-57520327-83/samsung-smartphones-vulnerable-to-remote-data-wipe/#!

Also, how would remote wiping work in the absence of wireless coverage?

That is also one area I am researching: what if the thief just puts the device in "airplane mode"? Or recovery mode? All communication with the outside world will be cut off and good luck remotely wiping your company information. This also goes to show that MDM software wasn't created with security as a top priority, but mostly just to facilitate the centralization of devices in a BYOD context.

On the topic of selective wiping, where the MDM software uses a container and wipes it when the device is compromised. Well, that is one level up from the normal "wipe the entire device and hope that everything is destroyed" thought, however, a physical image of the device would allow the attacker to carve out certain files from that container. Let's say you want to increase the security and have the container encrypt all data, well, the keys have to be stored somewhere right? Due to the restrictions of flash storage, the MDM software could possibly wipe the encryption keys, but they would still remain in storage somewhere. A forensic recovery of the keys would allow the attacker to decrypt the company data, read e-mails and potentially other sensitive documents as well.

A knowledgeable thief (let's say a corporate spy) would know to cut all communication between the device and the outside world after stealing it to disable remote wipe.

And as the ultimate cherry on top, there are also ways of retrieving data from the RAM (volatile memory) of an Android device, so the thief could put the smartphone in "airplane mode", retrieve content from RAM (encryption keys and whatnot), then even if the device issues a remote wipe, no problem, the spy has all he needs to decrypt and retrieve your information.

Kind of scary huh?

 
Posted : 04/05/2013 11:22 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

That is also one area I am researching, what if the thief just puts the device in "airplane mode" ? Or recovery mode? All communication with the outside world will be cut off and good luck remotely wiping your company information. This also goes to show that MDM software weren't created with security as a top priority, but mostly just to facilitate the centralization of devices in a BYOD context.
….

A knowledgeable thief (let's say a corporate spy) would know to cut all communication between the device and the outside world after stealing it to disable remote wipe.

Yep :), if I were a corporate spy, I would always bring with me a couple of forensic Faraday bags
http://www.forensicfocus.com/Forums/viewtopic/t=9890/
(or - personally being really cheap - a big roll of aluminum foil)
and not even attempt to change anything in the device, an approach strangely similar to the one our digital forensics professional investigators use with evidence phones and tablets.

Then I presume that at the corporate spy headquarters they do have a shielded laboratory room :roll:.

So, if the stolen/lost handy/tablet falls in the hands of an "average thief" you can wipe the information from it (which is by the way exactly what the "average thief" will try to do anyway, in order to be able to sell the device ;) ) whilst if the thingy is stolen with the intent of stealing resident data from it you cannot do anything about it.

Now, probabilities (completely faked - as always), out of 10,000 😯 devices missing

  • The thingy is lost accidentally, or forgotten in a public toilet, etc. 6,500
  • The thingy is stolen by a "normal thief" 3,000
  • The thingy is stolen by a "corporate spy" 500

Of the 6,500 lost accidentally

  • The thingy is lost accidentally and it falls in the hand of a nice guy/gal who returns it 2,500
  • The thingy is lost accidentally and it falls in the hand of a "normal" thief 3,999
  • The thingy is lost accidentally and by sheer (bad) luck falls in the hands of a corporate spy 1

So you have the full wipe that in 9499 cases is unneeded (of these 6,999 actually do a favour to the thief and 2,500 most probably prevent the device from being returned to you), in 500 cannot possibly work, and in 1 case may work if you manage to activate it in the short timeframe between the time the user realizes he/she lost it and reports the loss and the moment the corporate spy happens to be passing by and gets it.

jaclaz

 
Posted : 05/05/2013 12:19 am
(@trewmte)
Posts: 1877
Noble Member
 

Alistair, some ideas.

On the basis that remote wiping is one security policy/procedure and you have other policies/procedures listed, maybe link other policies/procedures which, if compromised, trigger the remote wipe policy in the device itself might work for you.

Some of the M2M devices in an area I work have one-time passwords/pass*. You seem very clued up so I suggest/highlight some possibilities. You are aware of

a) PIN and PUK invalidation operation (U/SIM) - prevent access but not overwrite
b) e.g. the Blackberry password invalidation policy - prevents access and overwrites

Combining a policy remote_wipe_trigger with invalid entry of pass

- x-number of enter attempts when device not connected to wireless network

Under this policy wipe of work partitioned area could be possible

- x-number of enter attempts when device connected to wireless network

Under this policy the user has to enter a valid password which is not authenticated in the device but sends the password to the authentication server, which sends back another entry pass*. The pass* changes every time the password is entered, which means the genuine user would only need to use the password when gaining access to sensitive areas of the partition data.

The above notion is similar to the security triplets used in GSM but varies in that the password to access general work is not the same as the password to enter the sensitive area. Thus the password for the sensitive area would require the genuine user to contact the appropriate person in the company before being allowed to go any further; the attempts_failed policy activates when detection of x-number of invalid entries.

The retention of pass* in RAM could be subject to the same one-time policy to dissolve connection to access the sensitive area by overwrite_pass* (keys etc).

 
Posted : 05/05/2013 12:36 pm
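As an added illustration of the policy sketched in the post above (constructed example, not code from any product or from any post in this thread), the following Python models the two branches: offline, the device verifies the password locally and the attempts_failed policy wipes the work partition after x invalid entries; online, the server verifies the password and hands back a fresh one-time pass* that is held only in RAM and overwritten as soon as it is used. The local verifier for the offline case, MAX_ATTEMPTS = 3, the sample work partition and the password are all assumptions of the demo.

```python
"""Constructed model of the attempts_failed / one-time pass* policy (not from this thread).

Assumptions: the device keeps a local verifier for the offline case, the server
returns a fresh pass* for each correct password, and pass* lives only in RAM
and is overwritten once used.
"""
import hashlib
import hmac
import secrets
from typing import Optional

MAX_ATTEMPTS = 3   # the policy's "x-number of enter attempts" (chosen for the demo)


def _verifier(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class AuthServer:
    """Stand-in for the enterprise authentication server."""
    def __init__(self, password: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._hash = _verifier(password, self._salt)
        self.failed_attempts = 0

    def authenticate(self, password: str) -> Optional[str]:
        if hmac.compare_digest(_verifier(password, self._salt), self._hash):
            self.failed_attempts = 0
            return secrets.token_hex(16)   # one-time pass*, different every time
        self.failed_attempts += 1
        return None


class Device:
    def __init__(self, server: AuthServer, password: str) -> None:
        self.server = server
        self._salt = secrets.token_bytes(16)
        self._hash = _verifier(password, self._salt)   # local verifier, offline only
        self.online = False
        self.failed_attempts = 0
        self.work_partition = {"mail": "...", "contracts": "..."}   # constructed
        self.ram_pass: Optional[str] = None

    def wipe_work_partition(self) -> None:
        self.work_partition.clear()
        self.ram_pass = None

    def unlock(self, password: str) -> bool:
        if self.online:
            # the server checks the password and hands back the pass*
            token = self.server.authenticate(password)
            ok = token is not None
            if ok:
                self.ram_pass = token
            failures = self.server.failed_attempts
        else:
            ok = hmac.compare_digest(_verifier(password, self._salt), self._hash)
            self.failed_attempts = 0 if ok else self.failed_attempts + 1
            failures = self.failed_attempts
        if failures >= MAX_ATTEMPTS:
            self.wipe_work_partition()   # remote_wipe_trigger fires inside the device
        return ok

    def open_sensitive_area(self, presented: str) -> bool:
        """The sensitive area opens only with the pass* currently in RAM, and only once."""
        if self.ram_pass is None or not hmac.compare_digest(presented, self.ram_pass):
            return False
        self.ram_pass = None   # overwrite_pass*: the value cannot be replayed
        return True


def run_demo() -> dict:
    server = AuthServer("correct horse")
    dev = Device(server, "correct horse")
    dev.online = True
    dev.unlock("correct horse")
    first = dev.ram_pass
    first_use = dev.open_sensitive_area(first)   # works once
    replay = dev.open_sensitive_area(first)      # refused: pass* already overwritten
    dev.unlock("correct horse")
    rotates = dev.ram_pass != first              # a new pass* per authentication
    dev.online = False
    for _ in range(MAX_ATTEMPTS):
        dev.unlock("wrong pin")                  # offline branch trips the wipe
    return {"first_use": first_use, "replay": replay, "rotates": rotates,
            "work_files_left": len(dev.work_partition)}
```

The point of keeping pass* only in RAM and clearing it on use is that the earlier worry in this thread (keys lifted from RAM while the device sits in airplane mode) has a much smaller window: the value is gone once the sensitive area has been opened, and a copied value is refused on replay.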
Page 1 / 2