Monday, September 15, 2014

Super Sunday Funday Forensic Challenge - Update 4

Current Contest
Eight people have made it to Level 4 out of the more than 100 who are playing, and only one has passed it and moved on to Level 5. Level 5 remains unsolved! The contest ends tomorrow, 9/16/14, so don't give up!

If you have questions, I am planning to be in #dfir on irc.freenode.net on 9/11, 9/12, 9/15 and 9/16; get an IRC client and come ask them there. I may be on during the evenings or weekends, but I can't guarantee it. Other players are in the channel though, and you are welcome to talk amongst yourselves.

For those of you not playing, or looking for a break, here is some more good information.

Learn Windows Forensics from me!

I'll be co-teaching SANS FOR408 with Rob Lee in Ft. Lauderdale, FL at DFIRCon East, Nov 3rd-8th 2014. If you want to spend a week learning everything you can about Windows forensics, with nights going deeper into the artifacts and structures if you want, I can't wait to meet you. As a bonus, SANS has put out a $400 coupon for the event; go here to claim it.

Solutions to the past contest

Something I have not posted that I've been promising is the answers to the last 5-stage challenge. Let's continue that now.

Stage 4 Question:
Hello Forensicator,
Welcome to Stage 4, where the typing gloves come off and we get to see who has it in them to get to Stage 5.

The Challenge:
You've worked with law enforcement to track down the source of the IP address you found in the memory dump connecting to the internet. They traced it to a ZTE Avail running Android 4.2. This was a prepaid phone left in a coffee shop; it was triangulated there and found still powered on, hidden behind a trash can. Local police believe that the attacker must have used the wireless access point functionality of the phone to route to the Internet. They have surveillance video but need to know the make of the laptop used and the time in order to identify the suspect.
Questions:
1. How can you determine if the phone was on during the time of the attack?
2. How can you determine the Google account associated with the phone?
3. How can you determine which MAC and IP address were associated with the wireless AP feature?
4. How can you determine which type of computer connected to the wireless AP?

The Winning Answer:

1. How can you determine if the phone was on during the time of the attack?
This depends on the time that has elapsed since the attack to the time we tracked down the phone. If the phone had been on continuously since the time of the attack you could run the “uptime” command through ADB debugging or check the kernel log (dmesg.log) to see if the events in it still covered the time of the attack. 

If the phone had been turned off since the attack it is best to fall back on filesystem timelining. I could create a timeline of activity in X-Ways from all the SQL databases and various logs, checking for activity, connections, wireless activity, and the log for WiFi connections that we address later in this Stage, to determine from some internal timestamps if there was activity and what was happening.
I would start with checking for messages and calls being sent and received during that time frame, and then move into checking the web browsing activity on the phone during the time of the attack. Between file system timestamps, internal timestamps on databases for user activity, and parsing through various logs with Unix timestamps, this should be able to be established solidly.

Before relying on your timeline you will want to check the time settings of the phone at “data/property”.

2. How can you determine the Google account associated with the phone?
“Data/system/sync/accounts.xml” should contain the Google account that is associated with the phone. There are other places where this information can be found though. At “Data/system/users/accounts.db” there is a file that contains all accounts that require authentication. The Gmail address should be there as well if the user makes use of it for other activities.
At path “data/com.google.android.gm/shared_prefs/gmail.xml” there should be a file with the Gmail account name.

3. How can you determine which MAC and IP address were associated with the wireless AP feature?
Various config files at paths just under “data/misc” contain files relating to Bluetooth, WiFi and other access that will have the MAC addresses of devices that connected to it. In particular, at path “data/misc/dhcp” there would be information for what IP address the phone had from the wireless access point it was connected to. Since the computer is tethered to the phone for the connection, that will be the router for it and the most public IP address for the computer. The wireless access point the phone was connected to would need to be checked for the public IP address out to the Internet.

The computer will have been given a DHCP lease for a local 192.168.x.x IP address on the phone that would be stored at “data/data/com.googlecode.android.wifi.tether/var/dnsmasq.leases”. The “dnsmasq.leases” file may be stored at a different path if the user had some other type of tethering application. On the phone I examined it had the file at the specified path. That file will contain the IP address given to the computer by the phone, the MAC of the computer, and a Unix timestamp for the lease (another indicator of if it was on at the time of the attack!).
 
4. How can you determine which type of computer connected to the wireless AP?
If this question is simply asking to be able to tell if the computer is an Apple or PC, you can check the MAC address from “dnsmasq.leases” against a database such as “http://www.wireshark.org/tools/oui-lookup.html” to determine the vendor for the NIC. Apple produces their own NIC cards and will be the manufacturer. Marvell or something else will be the vendor for PCs.

If this question wants to know the EXACT type of computer this is a little sticky and I honestly need a test Android to tether a computer to for testing. I did notice that at “misc/wifi/wpa_supplicant.conf” there are multiple device names for connections on an Android dump I got access to for answering this question. It contained the make and model number of other devices, but without a phone to test on I cannot be certain if it is a phone that was connected to or from as a hotspot. Since I didn't see any information for WAPs like home routers I really feel this is a file that shows information for devices that have connected to my phone as a hotspot though.
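The lease-file and vendor checks described in answers 3 and 4 above, as an added Python example that is not part of the original post or the winning answer. The dnsmasq.leases lines and the OUI table are constructed samples (the table stands in for the Wireshark OUI database), and the DHCP lease length is an assumption that should be taken from the tethering app's dnsmasq configuration:

```python
import re

# Constructed sample of a dnsmasq.leases file (not from the challenge phone).
# dnsmasq writes one line per lease: "<expiry epoch> <MAC> <IP> <hostname> <client-id>"
SAMPLE_LEASES = """\
1410795600 00:1c:b3:aa:bb:cc 192.168.43.22 Johns-MacBook 01:00:1c:b3:aa:bb:cc
1410700000 00:50:43:12:34:56 192.168.43.37 DESKTOP-PC *
"""

# Constructed excerpt standing in for the OUI database; prefixes are illustrative only.
OUI_TABLE = {
    "00:1c:b3": "Apple, Inc.",
    "00:50:43": "Marvell Semiconductor, Inc.",
}

LEASE_RE = re.compile(r"^(\d+)\s+([0-9a-f:]{17})\s+(\S+)\s+(\S+)\s+(\S+)$", re.I)


def parse_leases(text):
    """Return one dict per well-formed lease line; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue
        expiry, mac, ip, host, client_id = m.groups()
        leases.append({"expiry": int(expiry), "mac": mac.lower(),
                       "ip": ip, "host": host, "client_id": client_id})
    return leases


def vendor_for(mac, table=OUI_TABLE):
    """Look up the NIC vendor from the first three octets (the OUI) of a MAC."""
    return table.get(mac.lower()[:8], "unknown")


def leases_active_at(leases, attack_epoch, lease_seconds=3600):
    """Leases whose window [expiry - lease_seconds, expiry] covers the attack time.

    lease_seconds is an assumption: the lease was issued lease_seconds before it
    expires, so a lease covering the attack time means the hotspot was handing
    out addresses then, i.e. the phone was on."""
    return [l for l in leases
            if l["expiry"] - lease_seconds <= attack_epoch <= l["expiry"]]


def summarize(text, attack_epoch):
    """(ip, mac, vendor, active_during_attack) for every lease in the file."""
    leases = parse_leases(text)
    active = {l["mac"] for l in leases_active_at(leases, attack_epoch)}
    return [(l["ip"], l["mac"], vendor_for(l["mac"]), l["mac"] in active)
            for l in leases]
```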


The only answer I needed:

I really needed to see that the answer showed an understanding of how the WiFi hotspot assigned IP addresses, where that would be stored and how it could be correlated. Beyond that I wanted to see an understanding of how Android writes its logs, outside of the normal Android backup data, and the idea of MAC-to-vendor lookups.