Book Review: Practical Mobile Forensics

“Practical Mobile Forensics” by Satish Bommisetty, Rohit Tamma, and Heather Mahalik is a great book both for the individual looking to learn more about mobile forensics and for those looking for a good smartphone reference book.

The book covers mobile forensics on Apple iOS, Android, Windows and BlackBerry devices, with most of the emphasis on Apple and Android based products.

In “Practical Mobile Forensics” you will find extensive information on Apple and Android devices including models, features, architecture layout and security.

It covers multiple tools (commercial and open source) to acquire, decrypt, and analyze data from smartphones, including recovering deleted files, contacts, messages and other data.

I am pretty familiar with the Android platform, so the book was a good refresher course on how to connect to and recover data from an Android device. As I am not as familiar with the iPhone platform, I found the book a great learning tool about Apple mobile devices and how they function and store data.

I also liked that the authors not only covered commercial/law enforcement recovery tools, but also included numerous step-by-step tutorials on performing many of the same functions with open source utilities. The tutorials were easy to follow and the book was full of reference links for finding out more about the tools and the technology behind mobile devices.

Though written from a legal forensics/law enforcement point of view, security professionals will also find this book a good reference guide for mobile devices.

I highly recommend this book.

Available from Packt Publishing and

Memory Forensics: How to Pull Passwords from a Memory Dump

Last time, we talked about a quick and easy way to get a memory dump on a Windows based PC. This time, we will cover pulling passwords out of captured memory files.

Several programs exist for memory analysis; we will be using “Volatility” from Volatile Systems. If you are performing your analysis on a Windows system, I recommend downloading the stand-alone .exe version. Otherwise you will also need to install Python.

Once Volatility is installed, we need to get some information from the memory dump. Open up a command prompt and run the following command:

volatility imageinfo -f memorydumpfilename.raw

This command gives you several pieces of information; for now, we just need to know the profile type of the memory dump, in this case Win7SP1x86. We will use this in the next few steps.

Now, we need the hive list so we can get the starting location in memory of where the registry information resides:

volatility hivelist -f memdumpfilename.raw --profile=Win7SP1x86

We now have a list of where several key items are located in the memory dump. Next, we will extract the password hashes from the memory dump. To do this we need to know the starting memory locations of the SYSTEM and SAM hives. Look at the hivelist output above and copy down the addresses in the first column that correspond to the SAM and SYSTEM hives. Then output the password hashes into a text file called hashs.txt:

volatility hashdump -f memdumpfilename.raw --profile=Win7SP1x86 -y 0x87c1a248 -s 0x8bfaa008 > hashs.txt

Open the hash dump file in a text editor and you should see hashes of all the user’s passwords:

Now, if you are using Windows XP and have passwords shorter than 14 characters (LM passwords), you can run them through a password cracker like John the Ripper. Or better yet, you can copy the long alphanumeric string after the user ID number (500, 1000, etc.) and paste it into Objectif Sécurité’s Online XP Hash cracking program. This utility cracks most LM based password hashes in 5 seconds or less. For more information see Cracking 14 Character Complex Passwords in 5 Seconds.

This will not work on Windows 7 passwords, or on XP passwords longer than 14 characters, though. These hashes are stored in the more secure NTLM format and can take a lot longer to crack. One cool thing, though, is that you do not need to crack the NTLM hash to get access to a system. You can log into a system using the hash itself as the password!

The password could be a simple 14 character password or a complex 32 character monster; it does not matter. You can still use the hash to get a command prompt. For more information see NTLM Passwords: Can’t Crack it? Just Pass it!
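To make the hashdump output above actionable from the defender's side, here is an added example (not code from the original post) that parses pwdump-style hashs.txt lines and flags which accounts still have a crackable LM hash stored, which have a blank password, and which are NT-hash-only. The sample lines are constructed, made-up values, not real credentials; the two well-known constants are the LM field Windows writes when no LM hash is stored and the NT hash of an empty password.

```python
import re

# Volatility's hashdump writes one pwdump-style line per account: user:RID:LM:NT:::
# Constructed sample in place of a real hashs.txt (made-up values, not real credentials).
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1000:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
bob:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""

# Well-known values: the LM field when no LM hash is stored, and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::\s*$")


def parse_hashdump(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        user, rid, lm, nt = m.groups()
        accounts.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return accounts


def triage(text):
    """Map each user to the weakest thing the dump reveals about it:
    'lm' = real LM hash stored (the 5-second case), 'empty' = blank password,
    'ntlm' = NT hash only (slow to crack, but still usable for pass-the-hash)."""
    result = {}
    for a in parse_hashdump(text):
        if a["lm"] != EMPTY_LM:
            result[a["user"]] = "lm"
        elif a["nt"] == EMPTY_NT:
            result[a["user"]] = "empty"
        else:
            result[a["user"]] = "ntlm"
    return result


if __name__ == "__main__":
    for user, status in triage(SAMPLE_HASHDUMP).items():
        print(f"{user:15} {status}")
```

Run it against a real hashs.txt by reading the file into triage(); any account reported as "lm" is one where the NoLMHash policy is not in effect and a password change is overdue.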

This goes to show that passwords are not as safe as one might think. Two-factor or multi-factor authentication is the way to go on secure systems.

Well, that wraps up pulling passwords off of a memory dump; next time we will learn how to view the active network connections and processes from a memory dump.

If you enjoyed this tutorial check out my new book, totally updated for 2018!

Basic Security Testing with Kali Linux, 3rd Edition

File Forensics: Unzipping Word Documents to See the XML Source

Have you ever tried to open a Word Docx file in notepad? If so, then you know that you get a screen full of random mess that looks something like this:

If the document is written in XML, then you should see formatted, readable text. So why don’t you? The key is the first two readable characters that show up in the picture above: “PK”.

The answer is that Word data files are zipped! Since the DOS days, all zip files, when viewed as text, have started with the characters PK. All you need to do is run the Docx file through an unzip program and you can see several files and folders full of XML data:

The files can now be opened in Notepad, but if you just double-click on them, they will open in your web browser and be a bit more readable. Browse through the newly created folders and you will find a ton of formatting information and the complete text of the document.

You will also find information that could be very useful for forensics, including the file revision number, creation and modification dates, the document creator, and who was the last one to modify the document:
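The same check and metadata extraction, as an added example that is not part of the original post: it verifies the PK signature, unzips the package in memory, and reads the creator, last-modified-by, revision, created and modified fields from docProps/core.xml. The core.xml content and the in-memory .docx it is packed into are constructed sample data (made-up names and dates), so the script runs offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by docProps/core.xml inside an OOXML (.docx) package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed core.xml standing in for one extracted from a real .docx (sample names/dates).
SAMPLE_CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:creator>Sample Author</dc:creator>
 <cp:lastModifiedBy>Second Editor</cp:lastModifiedBy>
 <cp:revision>3</cp:revision>
 <dcterms:created xsi:type="dcterms:W3CDTF">2014-05-01T09:00:00Z</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">2014-05-03T17:30:00Z</dcterms:modified>
</cp:coreProperties>"""


def build_sample_docx():
    """Build a minimal .docx-shaped zip in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", SAMPLE_CORE_XML)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def docx_metadata(data):
    """Check the PK signature, unzip, and pull the authorship and date
    fields from docProps/core.xml. Fields absent from the file map to None."""
    if data[:2] != b"PK":
        raise ValueError("not a zip container: missing PK signature")
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    fields = {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
              "revision": "cp:revision", "created": "dcterms:created", "modified": "dcterms:modified"}
    return {key: root.findtext(path, namespaces=NS) for key, path in fields.items()}


if __name__ == "__main__":
    for k, v in docx_metadata(build_sample_docx()).items():
        print(f"{k:17} {v}")
```

For a real document, pass the bytes of the .docx file to docx_metadata() instead of build_sample_docx().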

Apparently, this type of forensics was used to catch the man who put a collar bomb on a high school student in Australia. Forensic examiners found the bomber’s name hidden in documents on a USB drive draped around the victim’s neck.

For more information, including a forensics recreation, check out “Forensic Examinations 5 – File Signatures, Metadata And The Collar Bomber – Part 2”.

Learn to Analyze Malware – Malware Analyst’s Cookbook Preview

I usually don’t recommend a book before I finish reading it, but once in a great while I run into one that is so good that I feel it is best just to get the word out. Malware Analyst’s Cookbook is such a book.

Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code, written by Michael Ligh, Steven Adair, Blake Hartstein, and Matthew Richard is one of the best security books that I have seen.

Are you a computer programmer and want to learn about malware analysis? A server administrator, network guy or computer tech looking to add to your knowledge or explore a new career field? Then this book is for you.

Though it would help if you have some programming experience, Malware Analyst’s Cookbook is written so even those without programming expertise can follow along. All the programs listed in the book are included in the companion DVD, so you don’t have to type them in. The book does recommend that you have some networking knowledge and understanding of how malware works.

If you want to learn how to surf anonymously, capture malware without getting infected yourself, and analyze it using (mostly) free utilities and websites then this is the book for you.

Some of the topics covered include:

  • Honeypots
  • Malware Classification
  • Sandboxes and Multi-AV Scanners
  • Malware Labs
  • Malware and Memory Forensics
  • De-Obfuscation

This book is a great reference and learning tool, written by authors that perform malware analysis and forensics for a living. I highly recommend this book.