(INSIGHT) 20130716 - Digital Evidence From Android-Based Smartwatch - Jack2

FORENSIC INSIGHT;
DIGITAL FORENSICS COMMUNITY IN KOREA
Digital Evidence
from Android-based Smartwatch
Jae-ki Kim
Jack2
jack2@korea.ac.kr
jack2yo@gmail.com
http://jack2.codebreaking.org
Overview
1. Target Device
2. Method & Process
3. Digital Evidence
4. Conclusion
forensicinsight.org
Page 2
Target Device
forensicinsight.org
Page 3
Target Device
Smart Watch Galaxy Gear (SAMSUNG)
forensicinsight.org
Page 4
Target Device
Smart Watch Galaxy Gear (SAMSUNG)
4212 SoC. ARM Cortex-A9 MP2 800 MHz CPU,

ARM Mali-400 MP4 440 MHz GPU
512 MB LPDDR1 SDRAM, 4 GB
1.63 320 x 320 S-Stripe RGB
D Super AMOLED
4.0+BLE
190 AF
Li-Ion 315 mAh, 25, 150
forensicinsight.org
OS
Page 5
Method & Process

For Collecting Digital Evidence
from Android-based Smartwatch
forensicinsight.org
Page 6
Method & Process

0. Warming-Up
Access to a Galaxy Gear
forensicinsight.org
Page 7
Method & Process

0. Warming-Up

Need to approved device (ex. Galaxy S III or later)
forensicinsight.org
Page 8
Method & Process

0. Warming-Up

Install Gear Manger Application (only SAMSUNG Apps)
forensicinsight.org
Page 9
Method & Process

0. Warming-Up

Synchronization (For the 1st time)

NFC
Bluetooth
forensicinsight.org
Page 10
Method & Process

0. Warming-Up

Synchronization (For the 1st time)

NFC
Bluetooth
Hold the Galaxy Gear Charging Dock

Connect with USB
forensicinsight.org
Page 11
Method & Process

1. Rooting
Previous work
Install Samsung USB Drivers
Settings > Gear Info > Tap Software Version 10 times
Enable USB Debugging on the Galaxy Gear
Plug in the Galaxy Gear via USB
forensicinsight.org
Page 12
Method & Process

1. Rooting
Previous work
Install Samsung USB Drivers
Settings > Gear Info > Tap Software Version 10 times
Enable USB Debugging on the Galaxy Gear
Plug in the Galaxy Gear via USB
Root the Galaxy Gear

Download Cydia impactor
Start
Install Busybox
forensicinsight.org
Page 13
Method & Process

2. Imaging
Limitations
Only 4GB Built-In Memory
No Network Interface (Wi-Fi, 3G/4G)
Remote Dump with nc
forensicinsight.org
Page 15
Method & Process

2. Imaging
Limitations
Only 4GB Built-In Memory
No Network Interface (Wi-Fi, 3G/4G)
Remote Dump with nc

C:\Users\Jack2> adb forward tcp:8787 tcp:8787
root@android:/ # ./busybox nc -l -p 8787 -e dd if=/dev/block/mmcblk0p21
/dev/block/mmcblk0p21 /data ext4 rw,nosuid,nodev,noatime,barrier=1 .
C:\Users\Jack2> nc 127.0.0.1 8787 > jack2.img
forensicinsight.org
Page 16
Digital Evidence
forensicinsight.org
Page 17
Digital Evidence
Use FTK Imager
Very large amounts of data -_- ;;
Select useful 4 digital evidences ^^
forensicinsight.org
Page 18
Digital Evidence
bt_config.xml
Path
/data/misc/bluedroid/
Info
Specific information synchronized smartphone (Device name , Bluetooth address )
If you fail to obtain a smartphone,

Identify the synchronized device
forensicinsight.org
Page 19
Digital Evidence
NotificationSync.db
Path
/data/data/com.samsung.appcessory.NotiConsumerService/databases/
Info
SMS/MMS, Hangout Message, Gmail information synchronized smartphone
Though deleted messages from your smartphone,

Check original message used by Synchronized information
forensicinsight.org
Page 20
Digital Evidence
watch.xml
Path
/data/data/com.samsung.accessory.FindMyPhone/ConsumerService/shared_prefs/
Info
Find a synchronized smartphone
Guessing Activity Time

Ex) Put smartphone in the car and Visit Crime scene
forensicinsight.org
Page 21
Digital Evidence
WeatherClock
Path
/data/data/com.sec.android.widgetapp.ap.hero.accuweather.consumer.widget/databases/
Info
Check the local weather used Synchronized smartphone
Although Galaxy Gear is no GPS,

Check recently visited local information
forensicinsight.org
Page 22
Conclusion
Next Target Issue
forensicinsight.org
Page 23
Conclusion
Smart Watch Galaxy Gear2 (SAMSUNG)
1.0 GHz
512 MB LPDDR1 SDRAM, 4 GB

1.63 320 x 320 S-Stripe RGB
D
v4.0 LE
, , , /
200 AF
Li-Ion 300 mAh, 2~3, 6
forensicinsight.org

Page 24
Reference
http://theunlockr.com/2013/11/20/root-samsung-galaxy-gear-video/
https://www.facebook.com/groups/212473532271572/permalink/247282375457354/
forensicinsight.org
Page 25
Question and Answer
forensicinsight.org
Page 26

(INSIGHT) 20130716 - Digital Evidence From Android-Based Smartwatch - Jack2

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

(INSIGHT) 20130716 - Digital Evidence From Android-Based Smartwatch - Jack2

Hochgeladen von

Copyright:

Verfügbare Formate

FORENSIC INSIGHT;

DIGITAL FORENSICS COMMUNITY IN KOREA

2. Method & Process

Smart Watch Galaxy Gear (SAMSUNG)

Smart Watch Galaxy Gear (SAMSUNG)

4212 SoC. ARM Cortex-A9 MP2 800 MHz CPU,

Li-Ion 315 mAh, 25, 150

Method & Process

Method & Process

Access to a Galaxy Gear

Method & Process

Access to a Galaxy Gear

Method & Process

Access to a Galaxy Gear

Method & Process

Access to a Galaxy Gear

Synchronization (For the 1st time)

Method & Process

Access to a Galaxy Gear

Synchronization (For the 1st time)

Hold the Galaxy Gear Charging Dock

Method & Process

Method & Process

Root the Galaxy Gear

Method & Process

Remote Dump with nc

Method & Process

Remote Dump with nc

/dev/block/mmcblk0p21 /data ext4 rw,nosuid,nodev,noatime,barrier=1 .

C:\Users\Jack2> nc 127.0.0.1 8787 > jack2.img

Select useful 4 digital evidences ^^

If you fail to obtain a smartphone,

Though deleted messages from your smartphone,

Guessing Activity Time

Although Galaxy Gear is no GPS,

Smart Watch Galaxy Gear2 (SAMSUNG)

512 MB LPDDR1 SDRAM, 4 GB

Li-Ion 300 mAh, 2~3, 6

Question and Answer

Das könnte Ihnen auch gefallen