HITB SecConf 2012 Amsterdam, http://conference.hitb.org/hitbsecconf2012ams/
Day 1, Track 1, 10:30
Ivo Pooters: Turning Android Inside Out

Presented a forensic scenario:
  A guy was found dead and had an Android phone. This device was cloned with dd.
  A guy from SwiftLogic was arrested on suspicion of leaking private and sensitive information/schematics. This device was cloned with nanddump.

Imaging the MTD block device:
  dd -> bad: it has no out-of-band (OOB) bytes
  nanddump -> wise choice
  Cellebrite UFED
  The Android emulator doesn't like foreign images
  Load yaffs2 support into the Linux kernel
  When using nandsim, need the correct parameters to match the size of the image being loaded
  Need to write the OOB bytes into the OOB-based image, so that the yaffs2 filesystem is correctly loaded

Scenario details:
  50.56.29.109/ss contains PDFs from SwiftLogic (basic user: norby, basic pass: aaassspp)

Dead guy's phone evidence:
  Looked up 'yob taog' on Twitter, the SwiftLogic guy
  Found com.andrIOd.mm
    not in the Android Market at all
    looks like a very custom, non-public application
    looks like it was installed on the SwiftLogic guy's phone by the selling shop/accomplice just hours before the SwiftLogic guy picked up the phone in the shop
    interesting fact: the SwiftLogic guy posted a status on Facebook/Twitter that he was going to pick up his new shiny phone very soon and was excited about it
  Found com.vzw.smsProvider

Live analysis:
  Android emulator + adb
  Wireshark
  adb, Dalvik Debug Monitor, logcat

Static analysis (relied more on this; see the Fortinet talk for a better tool list):
  apktool, jd-gui, etc.
  com.andriod.mm:
    triggers on SD card mount
    zips all the files on the SD card
    uploads to the IP mentioned above
    sends SMS to the dead guy

References:
  http://www.dfrws.org/2011/challenge/results.shtml
  http://www.dfrws.org/2011/challenge/index.shtml

Rooting:
  Rooting a phone can tamper with evidence, so in-memory temporary rooting techniques were developed
  In .NL, rooting is not a problem; in .US, it is kind of a problem
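The dd-versus-nanddump point above (a dd copy of the MTD block device carries only page data, a nanddump copy interleaves each page's OOB/spare bytes after the page) is illustrated by the following helpers. This is an added example, not code from the talk or the notes; the page geometries, the 64-pages-per-block figure and the sample bytes are assumptions constructed for the example, since the notes do not state the handset's NAND geometry.

```python
# Added example: convert between data-only (dd) and data+OOB (nanddump) NAND
# image layouts, and list page geometries consistent with a dump's size.

# (data bytes, spare bytes) per page for common NAND parts; assumption.
GEOMETRIES = [(512, 16), (2048, 64), (4096, 128), (4096, 224), (8192, 448)]
PAGES_PER_BLOCK = 64  # typical for large-page SLC NAND; assumption


def candidate_geometries(image_size):
    """Return (data, spare, layout) triples consistent with image_size.

    A whole-chip dump is a whole number of erase blocks, so the size must be a
    multiple of one block in either layout. Sizes are often ambiguous between
    layouts; the spare bytes themselves (yaffs2 tags vs. nothing) settle it.
    """
    hits = []
    for data, spare in GEOMETRIES:
        if image_size % ((data + spare) * PAGES_PER_BLOCK) == 0:
            hits.append((data, spare, "data+oob"))
        if image_size % (data * PAGES_PER_BLOCK) == 0:
            hits.append((data, spare, "data-only"))
    return hits


def split_oob(image, data=2048, spare=64):
    """Separate a nanddump-style image into (page data, spare/OOB) byte strings."""
    page = data + spare
    if len(image) % page:
        raise ValueError("image is not a whole number of %d-byte pages" % page)
    pages = [image[i:i + page] for i in range(0, len(image), page)]
    return b"".join(p[:data] for p in pages), b"".join(p[data:] for p in pages)


def merge_oob(data_image, oob_image, data=2048, spare=64):
    """Interleave a data-only image with per-page OOB bytes (reverse of split_oob)."""
    if len(data_image) % data or len(oob_image) % spare:
        raise ValueError("inputs are not whole pages")
    n = len(data_image) // data
    if len(oob_image) // spare != n:
        raise ValueError("data and OOB page counts differ")
    return b"".join(data_image[i * data:(i + 1) * data] + oob_image[i * spare:(i + 1) * spare]
                    for i in range(n))


if __name__ == "__main__":
    # Constructed sample: two 2048+64 pages with distinct fill bytes, not a real dump.
    sample = (b"\xaa" * 2048 + b"\x01" * 64) + (b"\xbb" * 2048 + b"\x02" * 64)
    d, o = split_oob(sample)
    assert merge_oob(d, o) == sample
    print(candidate_geometries(2112 * 64 * 1024))
```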