Uncovering the Covered Tracks:
Finding What’s Left Behind
Background
• Teenage geek - IT/Software industry
• Police officer for 7 years
• Worked in Tech Crime Unit
• Started JADsoftware (now Magnet Forensics) as a part-time side project – now a team of developers
Overview
• Recovering artifacts from multiple devices:
  • PCs: Skype, Facebook, Google Maps
  • Mobile: Kik Messenger, Facebook, Snapchat
  • Chromebooks
• Getting to unencrypted data
• Using timelines to find out what happened
• Tools that can help
Skype
• Voice over IP service (with video and text chat options)
• Started in 2003
• Over 633 million registered users
• 65 million people sign in to Skype every day
• 700 million minutes spent in Skype-to-Skype calls every day
• Microsoft has retired Windows Live Messenger in favor of its Skype service, although Messenger will continue in mainland China. Microsoft began the transition for all users on April 8, 2013.
Skype
• main.db file – SQLite database
• Contains the majority of the interesting data
• Account info, calls, contacts, messages, SMS messages, video session info, and more
• Voicemails require a premium account
• Only get saved to disk after being played
• Filename can be found in the Voicemails table in the main.db file - the filename contains the date/time
• Audio is in a proprietary Skype format
• BUT – there is a way!
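The main.db queries described above, as an added example that is not part of the talk and not Magnet Forensics' code: it opens an exported main.db read-only, pulls the Messages and Voicemails rows, converts the Unix timestamps to UTC and strips Skype's inline XML from message bodies. The database rows are constructed for the demo, and the column names used are an assumption drawn from the commonly documented Skype schema; confirm them against the real file with "SELECT sql FROM sqlite_master" before relying on them.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Constructed stand-in rows for a Skype main.db. Column names follow the commonly
# documented Messages / Voicemails subset (assumption: verify with
# "SELECT sql FROM sqlite_master" against the real file).
SAMPLE_MESSAGES = [
    # (id, chatname, author, from_dispname, timestamp, body_xml)
    (1, "#alice/$bob;1a2b3c", "alice", "Alice", 1365427200,
     'meet at the usual place? <ss type="smile">:)</ss>'),
    (2, "#alice/$bob;1a2b3c", "bob", "Bob", 1365427260, "ok, 9pm"),
]
SAMPLE_VOICEMAILS = [
    # (id, partner_handle, timestamp, path) - the path value is constructed
    (1, "alice", 1365430800, "voicemail_20130408_142000.dat"),
]

TAG_RE = re.compile(r"<[^>]+>")  # body_xml carries emoticon/link markup


def open_readonly(path):
    """Open an exported main.db read-only so the evidence copy is not altered."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db():
    """In-memory database populated with the constructed rows above (demo only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Messages(id INTEGER, chatname TEXT, author TEXT,
                              from_dispname TEXT, timestamp INTEGER, body_xml TEXT);
        CREATE TABLE Voicemails(id INTEGER, partner_handle TEXT,
                                timestamp INTEGER, path TEXT);
    """)
    conn.executemany("INSERT INTO Messages VALUES (?,?,?,?,?,?)", SAMPLE_MESSAGES)
    conn.executemany("INSERT INTO Voicemails VALUES (?,?,?,?)", SAMPLE_VOICEMAILS)
    conn.commit()
    return conn


def skype_time(ts):
    """main.db stores Unix seconds; render as UTC so entries line up on a timeline."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def list_messages(conn):
    """Chat messages in time order, with the XML markup stripped from the body."""
    rows = conn.execute(
        "SELECT timestamp, chatname, author, from_dispname, body_xml "
        "FROM Messages ORDER BY timestamp"
    )
    return [
        {"time": skype_time(ts), "chat": chat, "author": author,
         "display_name": name, "text": TAG_RE.sub("", body or "")}
        for ts, chat, author, name, body in rows
    ]


def list_voicemails(conn):
    """Voicemail entries; the path is the on-disk filename to go and recover."""
    rows = conn.execute(
        "SELECT timestamp, partner_handle, path FROM Voicemails ORDER BY timestamp"
    )
    return [{"time": skype_time(ts), "partner": who, "file": path}
            for ts, who, path in rows]


if __name__ == "__main__":
    db = build_sample_db()  # replace with open_readonly("/path/to/main.db")
    for m in list_messages(db):
        print(m)
    for v in list_voicemails(db):
        print(v)
```

The read-only URI open matters on a real case: sqlite3 will otherwise happily create journal files next to the evidence copy the first time a write occurs.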
Facebook
• Leading social networking site
• Started in 2004
• Over 950 million Facebook users worldwide (Source: Facebook)
• 500 million people log onto Facebook daily (Source: The Social Skinny 2012)
• There are 83 million fake profiles (Source: CNN)
• Photo uploads total 300 million per day (Source: Gizmodo)
Facebook Chat
• Not like the good ol' days
• Still left behind, but mainly in live RAM, the pagefile and the hibernation file
• Multiple formats
Facebook Chat
{\"msg\":{\"text\":\"lol i love facebook, it's so awesome. chatting is fun!!\"},\"from\":1000000555,\"to\":1100000066,\"time\":1257370809956,\"type\":\"msg\"}
More chat:
{"tid":"mid.1368112514305:d61a480cfa3a140d91","href":"\/messages\/read\/?tid=mid.1368112514305\u00253Ad61a480cfa3a140d91","author_fbid":100004396603890,"author_name":"Wendy Manford","thread_name":"Bourne","snippet":"Hey have you seen the new...","message":"Hey have you seen the new Bourne movie?","time":"Just now","image":{"__html":"\u003Cimg src=\"https:\/\/fbcdn-profile-a.akamaihd.net\/hprofile-ak-ash1\/t5\/s43x43\/211578_100004396603890_405447609_q.jpg\" alt=\"Wendy Manford\" class=\"img profpic\" height=\"43\" width=\"43\" \/>
Wall post:
fbid":"646173788763494","legacyid":"646173788763494","body":{"text":"can see y dem would a call afta u...","ranges":[],"aggregatedranges":[],"hasTranslatableContent":true},"author":"100001790397816","ftentidentifier":"646151518765721","likecount":0,"hasviewerliked":false,"canremove":false,"canreport":true,"canedit":false,"source":1,"istranslatable":false,"timestamp":{"time":1396761880,"text":"April 6 at 2:24am"
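Because these records sit in RAM, the pagefile or the hibernation file rather than in a file of their own, the practical job is carving them out of a blob of bytes. The following is an added example, not code from the talk or from Magnet Forensics: it scans a memory image for the two record shapes shown above, parses each candidate with a JSON decoder that stops at the end of the first complete object, drops fragments that were cut off (a page boundary, or a partially overwritten buffer), and normalises the epoch-millisecond "time" values to UTC. The blob is constructed from the slide samples, with the first record modelled unescaped; the 64 KiB window size is an arbitrary choice.

```python
import json
import re
from datetime import datetime, timezone

# Constructed memory/pagefile excerpt: the two chat record shapes from the slides,
# surrounded by junk bytes, plus one record cut off mid-string the way a page
# boundary would cut it. Not real captured data.
SAMPLE_BLOB = (
    b"\x00\x00junk\x7f\x7f"
    b'{"msg":{"text":"lol i love facebook, it\'s so awesome. chatting is fun!!"},'
    b'"from":1000000555,"to":1100000066,"time":1257370809956,"type":"msg"}'
    b"\xff\xfe more junk \x00\x00"
    b'{"tid":"mid.1368112514305:d61a480cfa3a140d91","author_fbid":100004396603890,'
    b'"author_name":"Wendy Manford","thread_name":"Bourne",'
    b'"message":"Hey have you seen the new Bourne movie?","time":"Just now"}'
    b"\x00"
    b'{"msg":{"text":"this one is cut off by a page boun'
)

# Both record shapes open with one of these keys; the regex only finds candidates,
# the JSON decoder decides whether a candidate is a complete record.
START_RE = re.compile(rb'\{"(?:msg|tid)":')
WINDOW = 64 * 1024  # assumed upper bound on the size of one chat record


def _to_utc(value):
    """Epoch ints (seconds or milliseconds) become UTC strings; relative strings
    such as "Just now" are passed through unchanged."""
    if isinstance(value, int):
        secs = value / 1000 if value > 10**11 else value
        return datetime.fromtimestamp(secs, tz=timezone.utc).strftime(
            "%Y-%m-%d %H:%M:%S UTC")
    return value


def carve_chat_json(blob):
    """Return normalised chat records found in raw bytes, skipping truncated ones."""
    decoder = json.JSONDecoder()
    found = []
    for m in START_RE.finditer(blob):
        text = blob[m.start():m.start() + WINDOW].decode("utf-8", errors="replace")
        try:
            obj, _ = decoder.raw_decode(text)  # parses the first object, ignores the rest
        except json.JSONDecodeError:
            continue  # fragment ends before its closing brace: nothing reliable to parse
        if "msg" in obj:  # older shape: {"msg":{"text":...},"from":...,"to":...}
            found.append({"kind": "msg", "offset": m.start(),
                          "from": obj.get("from"), "to": obj.get("to"),
                          "text": obj["msg"].get("text"),
                          "time": _to_utc(obj.get("time"))})
        else:  # thread shape: {"tid":"mid....","author_fbid":...,"message":...}
            found.append({"kind": "thread", "offset": m.start(),
                          "from": obj.get("author_fbid"), "to": None,
                          "text": obj.get("message"),
                          "time": _to_utc(obj.get("time"))})
    return found


if __name__ == "__main__":
    for rec in carve_chat_json(SAMPLE_BLOB):
        print(rec)
```

Recording the byte offset with each hit is deliberate: it is what lets a record be tied back to a process, a pagefile region or a hibernation-file block when the timeline is built.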
Decoding photo URLs
Recovered photo view URL:
https: //www.facebook.com/photo.php?fbid=201526933901245715&set=at.10150672801465915.448027.507140714.552175374.1221785571&type=1&theater
• Facebook Photo ID is "201526933901245715" (the fbid= parameter)
• Facebook Album ID is "10150672801465915" (the first number after set=at.)
• The last number in the set= value, "1221785571", is the user ID
Now what?
We can use the Facebook Graph API to learn more about this user. We'll take the user ID above, 1221785571, and look it up through the Graph API (no need to log in to Facebook).
Another photo URL:
The profile picture URL embedded in the chat record above:
https://fbcdn-profile-a.akamaihd.net/hprofile-ak-ash1/t5/s43x43/211578_100004396603890_405447609_q.jpg
The middle number in the filename, 100004396603890, is the same value as the author_fbid field of that record, so a profile picture URL on its own is enough to identify the account.
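The two decoding steps above (the photo.php URL and the profile picture filename), as an added example that is not from the talk or from Magnet Forensics' tools. It tolerates the "https: //" spacing the slides use to keep links inert, decodes only the fields the slides identify (photo ID, album ID, user ID, and the user ID inside an hprofile filename), and returns None for anything it cannot decode rather than guessing. The sample URLs are the ones on the slides; the filename pattern for profile pictures is generalised from that one sample and is an assumption.

```python
import re
from urllib.parse import urlparse, parse_qs

# Sample inputs taken from the slides ("https: //" is how the slides defang links).
PHOTO_URL = ("https: //www.facebook.com/photo.php?fbid=201526933901245715"
             "&set=at.10150672801465915.448027.507140714.552175374.1221785571"
             "&type=1&theater")
PROFILE_PIC_URL = ("https://fbcdn-profile-a.akamaihd.net/hprofile-ak-ash1/t5/s43x43/"
                   "211578_100004396603890_405447609_q.jpg")

# Assumption generalised from the slide sample: hprofile filenames are
# <n>_<user fbid>_<n>_<size letter>.jpg, with the user's FBID in the middle.
PROFILE_PIC_RE = re.compile(r"/(\d+)_(\d+)_(\d+)_[a-z]\.jpg$")


def decode_photo_url(url):
    """Pull the photo, album and owning-user IDs out of a recovered photo.php URL.

    The set= value has the form at.<album id>.<three intermediate numbers>.<user id>;
    only the first and last fields are decoded, as on the slides.
    """
    parsed = urlparse(url.replace(": //", "://"))
    qs = parse_qs(parsed.query)
    photo_id = qs.get("fbid", [None])[0]
    album_id = user_id = None
    set_value = qs.get("set", [None])[0]
    if set_value and set_value.startswith("at."):
        fields = set_value.split(".")[1:]
        if len(fields) >= 2 and all(f.isdigit() for f in fields):
            album_id, user_id = fields[0], fields[-1]
    return {"photo_id": photo_id, "album_id": album_id, "user_id": user_id}


def decode_profile_pic_url(url):
    """Return the user FBID embedded in an hprofile image filename, or None."""
    m = PROFILE_PIC_RE.search(urlparse(url.replace(": //", "://")).path)
    return m.group(2) if m else None


if __name__ == "__main__":
    print(decode_photo_url(PHOTO_URL))
    print(decode_profile_pic_url(PROFILE_PIC_URL))
```

The IDs this returns are the values fed into the Graph API lookup the slides describe; the example stops short of the lookup itself because the API endpoint and its authentication requirements have changed since the talk and are not something to hard-code from memory.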
Google Maps
• Started in 2004
• Over 1,162,460 sites use Google Maps
• Overtook MapQuest in terms of traffic in 2009
• Google Maps Navigation, included on Android handsets, has guided users 12 billion miles a year
• 200 million users on Google Maps for Mobile
• Cases involving runaway youths, kidnapping, luring, homicide
• Jo Yeates homicide - Avon and Somerset Constabulary, Scott
Google Maps
• Temporary Internet Files
• RAM captures
Google Maps
• Uses a tile system to display maps
• Each tile is 256x256 pixels
• Filename in Temporary Internet Files contains x, y, and z coordinates
• Coordinates are based on a world map
• x, y only mean something together with the z value (zoom level)
Example:
• lyrs=m@196000000&hl=en&src=app&x=5&y=8&z=4&s=Galileo[1].png
Google Maps
Tiles can be downloaded:
Google Maps
Tile coordinates can be converted to Longitude, Latitude (x and y give the tile's west and north edges at zoom z):
function tile2long(x, z) {
  // west edge of tile column x at zoom z: 2^z tiles span 360 degrees
  return (x / Math.pow(2, z) * 360 - 180);
}
function tile2lat(y, z) {
  // north edge of tile row y at zoom z (inverse Web Mercator; 0.5*(e^n - e^-n) is sinh(n))
  var n = Math.PI - 2 * Math.PI * y / Math.pow(2, z);
  return (180 / Math.PI * Math.atan(0.5 * (Math.exp(n) - Math.exp(-n))));
}
Google Maps
New Google Maps
• Newer version of Google Maps launched in March 2014
• Tile filenames and URLs are different now (thanks Google!)
• It's not pretty:
• pb=!1m4!1m3!1i11!2i564!3i751!2m3!1e0!2sm!3i258034118!3m8!2sen!5e1105!12m1!1e47!12m1!1e1007!12m1!1e38!4e0!7s!20m1!1b1[1].png
New Google Maps
• The new URLs (the @lat,lng,zoom segment carries the viewport centre and zoom level in the clear):
  https://www.google.com/maps/@43.7242262,-79.4051719,12z
  https://www.google.com/maps/place/Cambridge,+ON/@43.4022995,-80.332588,12z/data=!3m1!4b1!4m2!3m1!1s0x882b89b820e46c19:0x5037b28c7231d70
  https://www.google.com/maps/dir/Ayr,+ON,+Canada/123+Gunn+Ave,+Cambridge,+ON+N3C+2Z6,+Canada/@43.3588082,-80.5205289,11z/data=!3m1!4b1!4m13!4m12!1m5!1m1!1s0x882c732d9485d199:0x581a671dca1a1705!2m2!1d-80.4507835!2d43.2854723!1m5!1m1!1s0x882b88f2ca61211d:0xf99f9dd46477f986!2m2!1d-80.2990956!2d43.4253036
New Google Maps
• The new tiles:
• Sample filename: the pb=!1m4!1m3!1i11!2i564!3i751... name shown above
• Another sample, slightly different:
• pb=!1m5!1m4!1i15!2i18147!3i23991!4i128!2m1!1e0!3m3!5e1105!12m1!1e47!4e0[1].png
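The tile-to-coordinate conversion from the earlier slide, applied to both the old query-string filenames and the new pb= filenames, as an added example that is not code from the talk or from Magnet Forensics. tile2long and tile2lat are straight Python ports of the slide's JavaScript, and the legacy filename parser just reads x, y and z from the query string. The pb= parser rests on an assumption the slides do not state: that the !1i, !2i and !3i fields of the first sample carry zoom, x and y. Decoding that sample with this rule lands around 43.1 N, 80.8 W, next to the Cambridge, Ontario coordinates in the place URL on the previous slide, which is the kind of sanity check to run before trusting any decoded tile. The second sample, with its extra !4i128 field, is not decoded here because its scaling is not established on the page.

```python
import math
import re
from urllib.parse import parse_qs

# Sample filenames from the slides; "[1].png" is the decoration Temporary Internet
# Files adds to cached names.
LEGACY_TILE = "lyrs=m@196000000&hl=en&src=app&x=5&y=8&z=4&s=Galileo[1].png"
NEW_TILE = ("pb=!1m4!1m3!1i11!2i564!3i751!2m3!1e0!2sm!3i258034118!3m8!2sen!5e1105"
            "!12m1!1e47!12m1!1e1007!12m1!1e38!4e0!7s!20m1!1b1[1].png")

CACHE_SUFFIX_RE = re.compile(r"\[\d+\]\.\w+$")
# Assumption (not stated on the slides): in pb= names, !1i, !2i, !3i carry zoom, x, y.
PB_ZXY_RE = re.compile(r"!1i(\d+)!2i(\d+)!3i(\d+)")


def tile2long(x, z):
    """Longitude of the west edge of tile column x (port of the slide's JavaScript)."""
    return x / 2 ** z * 360 - 180


def tile2lat(y, z):
    """Latitude of the north edge of tile row y (port of the slide's JavaScript)."""
    n = math.pi - 2 * math.pi * y / 2 ** z
    return math.degrees(math.atan(math.sinh(n)))


def parse_legacy_tile(filename):
    """(x, y, z) from the older query-string style cache filename."""
    qs = parse_qs(CACHE_SUFFIX_RE.sub("", filename))
    return int(qs["x"][0]), int(qs["y"][0]), int(qs["z"][0])


def parse_pb_tile(filename):
    """(x, y, z) from the newer pb= style filename, under the assumption above."""
    m = PB_ZXY_RE.search(filename)
    if not m:
        raise ValueError("no !1i/!2i/!3i triple in filename")
    z, x, y = (int(g) for g in m.groups())
    return x, y, z


def tile_bounds(x, y, z):
    """(west, north, east, south) in degrees. Tile rows count down from the north
    pole, so row y+1 gives the tile's southern edge."""
    return (tile2long(x, z), tile2lat(y, z), tile2long(x + 1, z), tile2lat(y + 1, z))


def tile_center(x, y, z):
    """(lat, lon) of the tile's centre, the value to plot on a timeline map."""
    west, north, east, south = tile_bounds(x, y, z)
    return ((north + south) / 2, (west + east) / 2)


if __name__ == "__main__":
    for name, parser in ((LEGACY_TILE, parse_legacy_tile), (NEW_TILE, parse_pb_tile)):
        x, y, z = parser(name)
        print(name[:40], "->", (x, y, z), tile_bounds(x, y, z), tile_center(x, y, z))
```

A single tile only proves that a map of that area was rendered; at zoom 4 a tile covers thousands of kilometres, so the zoom level decides how much a tile is worth as evidence of where someone was looking.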
Facebook (Mobile)
• Focusing on chat and geolocation data stored
• On Android, files are located in the following folder on the 'data' partition: com.facebook.katana (i.e. /data/data/com.facebook.katana/, with the databases in its databases/ subfolder)
• File we're interested in is named "threads_db2"
Kik Messenger
• Again, focusing on chat but there is potentially a lot of great data here
• Files are located in the following folder on the 'data' partition: kik.android (i.e. /data/data/kik.android/, with the databases in its databases/ subfolder)
• File we're interested in is named "kikDatabase.db"
Snapchat
• Photo messaging app
• More than 100 million users along with more than 350 million snaps sent per day
• Users can take photos, record videos, add text and drawings, and send them to a controlled list of recipients
• Sent photographs and videos are known as "Snaps"
• Users set a time limit for how long recipients can view their Snaps (1 – 10 seconds)
• After time expires, the Snap is deleted
• Some data can still be recovered!
Google Chrome OS (Chromium OS)
Google Chrome OS
• Launched on June 15th, 2011
• Linux kernel-based operating system designed by Google
• Works primarily with web applications
• Aimed at users who spend most of their computer time on the web
• Almost a pure web thin client OS, cloud based, cloud reliant
• Chromium is the open source project; Chrome OS is the commercial version, only on specific hardware from Google's partners
Google Chrome OS
• Encryption / Security
  • User data is encrypted on a separate partition
  • Web apps are sandboxed
  • Verified boot – system files are hashed and protected
Google Chrome OS
• So what can we do?
  • Need user login/password
  • Screenshots of web history
  • Copy out files (non-traditional, not "forensically sound")
Google Chrome OS
• Getting shell access
  • Open browser, press Ctrl+Alt+T (this opens the crosh prompt)
  • Type "shell" and press ENTER (the shell command is only available once the device is in Developer Mode)
Google Chrome OS
• Getting into Developer Mode
  • Need to find the method specific to your Chromebook:
    http://www.chromium.org/chromium-os/developer-information-for-chrome-os-devices
  • For my HP Chromebook, "hold down the Esc and Refresh key and poke the power button"
  • Caveat: switching a Chromebook into Developer Mode wipes the stateful partition, which holds the user data, so it has to be done on a test device or after the user data has already been captured, never on the evidence machine as a first step