android complete.

[pub/jan/digfor.git] / report4 / content.tex

\newpage\section{Questions (12 points)}
\subsection{How and when did Mr. Smith and Mr. Mayer communicate? (2 point)}
\begin{center}\begin{tabularx}{\textwidth}{| l | l | l | X | }
  \hline service & timestamp & (from) to & content\\
  \hline skype & 27-11-2012 12:20:00 & to:allegro.mayer from:johannes.m.smith & Auth\_Request\\
  \hline skype & 06-12-2012 13:20:33 & from:allegro.mayer to:johannes.m.smith & Auth\_Granted\\
  \hline call & 2012-12-06 14:35:38 & Johannes Smith 06603169718 & (0:01:15 sec)\\
  \hline skype & 06-12-2012 16:33:53 & to:allegro.mayer from:johannes.m.smith & "Hallo"\\
  \hline sms & 2012-12-06 17:20:46 & to +436603169718 & Ich habe wichtige Informationen über unseren letzten deal für dich. Ruf dich später an, wenn ich ungestört bin.\\
  \hline sms &2012-12-06 17:30:43 & to +436603169718 & Sicherer kanal wär besser ....\\
  \hline viber call & 2012-12-06 17:31:57 & Johannes Smith & (71 sec)\\
  \hline sms & 2012-12-06 17:36:26 & from +436605166042 & Hallo, ich empfehle dir den WhatsApp Messenger für Android, iPhone, Nokia, BlackBerry und Windows Phone auf http://whatsapp.com/dl/\\
  \hline sms & 2012-12-06 17:42:50 & to +436605166042 & Viel zu unsicher, hab mir vor kurzem einen ganz tollen vortrag darüber angehört...\\
  \hline sms & 2012-12-06 17:45:19 & to +436605166042 & Ich hab von einem kollegen wichtige informationen. Ruf dich an\\
  \hline call & 2012-12-06 17:45:36 & Johannes Smith +436605166042 & (0:00:21 sec; diensthandy? DumpBank We Sell Your Shit)\\
  \hline
\end{tabularx}\end{center}


\subsection{What information was exchanged between Mr. Smith and Mr. Mayer? (3 points)}
dropbox extracted from android. no time now. mutter kollabiert gerade.\\

\subsection{Can you find any evidence or hints that support the suspicion of insider trade? (3 points)}
No hard evidence was found.\\
The fact that both parties looked up stock trading sites could hint at that.\\
Also communication between Mayer and Smith does not give a definite proof that they really did anything.


\subsection{Was the person that the witness identified really Mr. Mayer? (2 points)}
As Mayer was in Paris on Friday, 7th of December 2012, late afternoon it seems unlikely that a witness saw them.\\
Unless of course Mayer and Smith met in Paris which could be hinted at by the FILE in the dropbox-directory and the witness too was in Paris at that time.

\subsection{Mr. Mayer seems to have more secrets than initially expected. What is his big secret? (2 points)}
By using MAYRS EMAIL address, we found out, that he is engaged with NAME.\\
Communication suggests that MAYR + Laura were on a romantic trip in Paris.




\newpage\section{iPhone}
\subsection{Source: iPhone.tar.gz (IPBA)}
iPhone backup image from Allegro Mayer's Phone. The extracted files were analysed with iP Backup Analyzer2.
\begin{quote}
\textbf{size}: 6775181 byte\\
\textbf{''file''-output}: gzip compressed data, last modified: Fri Dec 14 11:42:54 2012, from Unix\\
\textbf{sha512}\\\ttfamily{
ff746e574a0d668e1d82c3ff72501a75eabe642e1dee7f20d3d74b9fe72054f9\\
9b9a91ded1b3f98067a63065423c620c73c42c65e13c3b110424854b3e7f6678}
\end{quote}


\subsection{Contacts}
The contacts-db was extracted from \emph{\textbf{IPBA::Home Domain:Library/AddressBook/AddressBook.sqlitedb}}
\begin{quote}
\textbf{size}: 87040 byte\\
\textbf{''file''-output}: SQLite 3.x database\\
\textbf{sha512}\\\ttfamily{
450e49183cc8781577f0c57a91a8a40f604ac2d3621037467f80745850b5613b\\
8c0492724930e90552c671a5f81e20b7f88e5cfd175fe6718eab350b2f3dbc90}
\end{quote}

The content was:
\begin{center}\begin{tabular}{ | l | r | }
  \hline Name & Phone \\
  \hline <None> & +436603169718 \\
  \hline Laura Markovic & 0680 3303660 \\
  \hline Sabine Oberhuber & +436604413637 \\
  \hline Johannes Smith & +43 660 5166042 \\
  \hline Ernst Strasser & 0660 4394199 \\
  \hline
\end{tabular}\end{center}


\subsection{Call-Log}
The call-log was extracted from \emph{\textbf{IPBA::Wireless Domain:Library/Callhistory/call\_history.db}}
\begin{quote}
\textbf{size}: 12288 byte\\
\textbf{''file''-output}: SQLite 3.x database\\
\textbf{sha512}\\\ttfamily{
4cf477e649e9fc868183667489222e3e48cba5e2925423bc8dcdb51783c9b9b6\\
47fc184518b06e8a2b44f7c1e0fc746058eaf0b23a462870b380ea6f7354b6e1}
\end{quote}

The content was:
\begin{center}\begin{tabular}{ | l | l | l | l | }
  \hline date & to/from & Phonenumber & duration (sec)\\
  \hline 2012-12-06 13:35:38 & to & 06603169718 & 75\\
  \hline 2012-12-06 14:02:20 & to & 06803303660 & 0\\
  \hline 2012-12-06 14:03:02 & from & +436605969364 & 23\\
  \hline 2012-12-06 14:08:34 & to & 0660303010 & 0\\
  \hline 2012-12-06 14:10:02 & to & 0660303030 & 1181\\
  \hline 2012-12-06 15:17:05 & to & 0660303030 & 1023\\
  \hline 2012-12-06 15:34:30 & to & 0660303030 & 864\\
  \hline 2012-12-06 16:00:10 & from & +436605166042 & 17\\
  \hline 2012-12-06 16:08:02 & to & 06604394199 & 9\\
  \hline 2012-12-06 16:25:30 & from & +436605166042 & 0\\
  \hline 2012-12-06 16:26:11 & from & +436605166042 & 0\\
  \hline 2012-12-06 16:34:39 & to & 06604394199 & 6\\
  \hline 2012-12-06 16:34:52 & to & 06604394199 & 12\\
  \hline 2012-12-06 16:35:10 & to & 06604394199 & 23\\
  \hline 2012-12-06 16:45:36 & to & +436605166042 & 21\\
  \hline
\end{tabular}\end{center}


\subsection{SMS/iMessage}
The SMS-Database was extracted from \emph{\textbf{IPBA::Home Domain:Library/SMS/sms.db}}
\begin{quote}
\textbf{size}: 41984 byte\\
\textbf{''file''-output}: SQLite 3.x database\\
\textbf{sha512}\\\ttfamily{
6fa73f676ca04eed70f10b8286c884ebcc5c01073bbdd8128ba26f676c7a6212\\
793f944999a9331fb990ef8e5dd5420b9d758b8456cb7b6f9f577bb8098cfafa}
\end{quote}


The content was:
\begin{center}\begin{tabularx}{\textwidth}{| l | l | l | l | X | }
  \hline date & from/to & number & service & text\\
  \hline 2012-12-06 16:17:20 & from & Viber & SMS & Your Viber code is: 9386 Close this message and enter the code into Viber to activate your account.\\
  \hline 2012-12-06 16:20:46 & to & +436603169718 & SMS & Ich habe wichtige Informationen über unseren letzten deal für dich. Ruf dich später an, wenn ich ungestört bin\\
  \hline 2012-12-06 16:30:43 & to & +436603169718 & SMS & Sicherer kanal wär besser ....\\
  \hline 2012-12-06 16:33:58 & to & +436604413637 & iMessage & Hi wie gehts? Treffen wir und mal auf einen drink?\\
  \hline 2012-12-06 16:36:26 & from & +436605166042 & SMS & Hallo, ich empfehle dir den WhatsApp Messenger für Android, iPhone, Nokia, BlackBerry und Windows Phone auf http://whatsapp.com/dl/\\
  \hline 2012-12-0616:42:50 & to & +436605166042 & SMS & Viel zu unsicher, hab mir vor kurzem einen ganz tollen vortrag darüber angehört...\\
  \hline 2012-12-0616:45:19 & to & +436605166042 & SMS & Ich hab von einem kollegen wichtige informationen. Ruf dich an\\
  \hline
\end{tabularx}\end{center}


\subsection{Calendar}
The Calendar-Database was extracted from \emph{\textbf{IPBA::Home Domain:Library/Calendar/Calendar.sqlitedb}}
\begin{quote}
\textbf{size}: 126976 byte\\
\textbf{''file''-output}: SQLite 3.x database\\
\textbf{sha512}\\\ttfamily{
bcb14cbb2df068bf6905f3383c0bade056a0f1188aa9606dbe639e4d11f32a5d\\
79dee3f3fdf4ac6eb7581c6a4c6c46f0620cf6e49f46567a40870e13926cc3af}
\end{quote}

The content was:
\begin{center}\begin{tabular}{| l | l | l | l | }
  \hline event & start & end & location\\
  \hline Paris geschäftsreise & 2012-12-07 14:00:00 & 2012-12-09 19:00:00 & Paris\\
  \hline Meeting & 2012-12-10 10:00:00 & 2012-12-10 11:00:00 & Zbank\\
  \hline Nordic walking & 2012-12-11 07:00:00 & 2012-12-11 07:30:00 &  \\
  \hline Statusmeeting & 2012-12-11 08:00:00 & 2012-12-11 12:00:00 &  \\
  \hline
\end{tabular}\end{center}


\subsection{Browser}
The plist \emph{\textbf{IPBA::HomeDomain:Library/Safari/History.plist}} opened with IPBA2 plist-viewer cointains the browser history.

\begin{center}\begin{tabularx}{\textwidth}{| l | X | X |}
  \hline timestamp & title & url \\
  \hline 2012-12-07 09:03:15 & Flughafen Wien - Abflüge - Offen für neue Horizonte & https://www.google.at/url?sa=t\&source=web\&cd=3\&ved=0CD0QjBAwAg\&url=http\%3A\%2F\%2Fwww.viennaairport.com\%2Fjart\%2Fprj3\%2Fva\%2Fmain.jart\%3Frel\%3Dde\%26content-id\%3D1249344074230\%26reserve-mode\%3Dactive\&ei=jLDBULjlB8bE4gTn-oGABw\&usg=AFQjCNHU5R5b3WsiOhYSIsli3inGLTEFGQ\\
  \hline 2012-12-07 09:02:03 & flughafen wien - Google-Suche & https://www.google.at/search?q=flughafen+wien\&ie=UTF-8\&oe=UTF-8\&hl=de\&client=safari\\
  \hline 2012-12-07 09:01:54 & Laura Markovic & https://m.facebook.com/laura.markovic.129?\_\_user=100004760941674\\
  \hline 2012-12-06 16:14:19 & RNS News - London Stock Exchange & http://m.londonstockexchange.com/exchange/mobile/news/detail.html?announcementId=11421386\\
  \hline 2012-12-06 16:14:14 & FTSE AIM 100 - London Stock Exchange & http://m.londonstockexchange.com/exchange/mobile/indices/summary.html?index=AIM1\\
  \hline 2012-12-06 16:14:07 & Homepage - London Stock Exchange & https://www.google.at/url?sa=t\&source=web\&cd=1\&ved=0CEQQFjAA\&url=http\%3A\%2F\%2Fm.londonstockexchange.com\%2Fexchange\%2Fmobile\%2Fhomepage.html\&ei=ScTAUPK8FMfKtAaQq4GYBQ\&usg=AFQjCNE22q6svVgMrwz\_D7x-iD0srW0nTw\\
  \hline 2012-12-06 16:14:00 & stock exchange london - Google-Suche & https://www.google.at/search?q=stock+exchange+london\&ie=UTF-8\&oe=UTF-8\&hl=de\&client=safari\\
  \hline 2012-12-06 16:10:22 & Ohne Anstehen: Tickets Eiffelturm \& Rundgang Rive Droite, | Mobil - GetYourGuide.com & http://www.getyourguide.de/paris-l16/ohne-anstehen-tickets-eiffelturm-rundgang-rive-droite-t25185/\#calendar\\
  \hline 2012-12-06 16:10:03 & Ohne Anstehen: Tickets Eiffelturm \& Rundgang Rive Droite, | Mobil - GetYourGuide.com & http://www.getyourguide.de/paris-l16/ohne-anstehen-tickets-eiffelturm-rundgang-rive-droite-t25185/\\
  \hline 2012-12-06 16:09:56 & Paris: Touren, Ausflüge \& Aktivitäten | Mobil - GetYourGuide.com & https://www.google.at/aclk?sa=l\&ai=Cw0lOT8PAUNn8BIaX0wXeoYHwD43W1e0EldC\_uXSaooQJCAAQAiD4mYsSKAJQw5HQuPv\_\_\_\_\_AWCpsL6AzAGgAYutzM0DyAEBqQJiko-yhe21PqoEIk\_QmH99e-Hnj0NaSGjzY1ceX0oZt9LcfH\_ckQNETkSVs7yABZfgvAvYBgI\&sig=AOD64\_3cmbdhf4eRcAjv\_a9FMrltcGuHTA\&ved=0CC0Q0Qw\&adurl=http://21.xg4ken.com/media/redir.php\%3Fprof\%3D89\%26camp\%3D65425\%26affcode\%3Dkw720159\%26inhURL\%3D\%26cid\%3D31229666013\%26networkType\%3Dsearch\%26url\%5B\%5D\%3Dhttp\%253A\%252F\%252Fwww.getyourguide.de\%252Fparis\%252Fsightseeing-touren-ltc16-2\%252F\%253Fpartner\_id\%253DCD951\\
  \hline 2012-12-06 16:09:50 & paris sightseeing - Google-Suche & https://www.google.at/search?q=paris+sightseeing\&ie=UTF-8\&oe=UTF-8\&hl=de\&client=safari\\
  \hline 2012-12-06 16:08:58 & Laura Markovic & https://m.facebook.com/laura.markovic.129?\_\_user=100004760941674\#!/laura.markovic.129?\_\_user=100004760941674\&soft=jewel\%3D2\\
  \hline 2012-12-06 16:08:49 & Facebook & https://m.facebook.com/home.php?refid=9\#!/laura.markovic.129?\_\_user=100004760941674\\
  \hline 2012-12-06 13:56:39 & Facebook & http://m.facebook.com/?refsrc=http\%3A\%2F\%2Fwww.facebook.com\%2F\&\_rdr\#!/home.php?refsrc=http\%3A\%2F\%2Fwww.facebook.com\%2F\&soft=side-area\&\_\_user=100004760941674\\
  \hline 2012-12-06 13:55:36 & Facebook & http://facebook.com/\\
  \hline 2012-12-06 13:51:26 & Facebook & https://m.facebook.com/home.php?refid=9\#!/home.php?soft=side-area\&\_\_user=100004760941674\\
  \hline 2012-12-06 13:50:58 & Facebook & https://m.facebook.com/home.php?refid=9\#!/home.php?soft=jewel\%3D0\&\_\_user=100004760941674\\
  \hline 2012-12-06 13:46:54 & Facebook & https://m.facebook.com/login.php?refsrc=http\%3A\%2F\%2Fwww.facebook.com\%2F\&landing\_serial=2\&refid=9\\
  \hline 2012-12-06 13:46:08 & Willkommen bei Facebook & https://m.facebook.com/login.php?refsrc=http\%3A\%2F\%2Fwww.facebook.com\%2F\&landing\_serial=1\&refid=8\\
  \hline
\end{tabularx}\end{center}


\subsection{WLANs}
The plist \emph{\textbf{IPBA::SystemPreferencesDomain:SystemConfiguration/com.apple.wifi.plist}} opened with IPBA2 plist-viewer cointains a list of Wireless Networks the phone has joined.\\

\begin{center}\begin{tabular}{| l | l | l |}
  \hline ssid & last join & last autojoin \\
  \hline tunet & 2012-12-06 90:41:55 & \\
  \hline VirtualRouter & 2012-12-06 09:38:00 & 2012-12-06 09:45:45 \\
  \hline pornhub & 2012-12-06 11:51:01 & 2012-12-06 16:05:07 \\
  \hline
\end{tabular}\end{center}


\subsection{Media}
Images were extracted from \emph{\textbf{IPBA::CameraRollDomain:Media/DCIM/100APPLE}}\\

IMG\_0002.PNG: Screenshot of Facebook-App showING a photograph of a woman. Laura Markovic (\url{https://www.facebook.com/laura.markovic.129}) seems to be tagged in that photograph.
\begin{quote}
\textbf{size}: 844814 byte\\
\textbf{''file''-output}: PNG image data640 960 8-bit/color RGB, non-interlaced\\
\textbf{sha512}\\\ttfamily{
986ae5d4272e003d2b8de8a9851d02721c908a43b3eb824331447c309ac92bc3\\
426d99ec2a749462372778feacaedcbd23823cc34dd53d07ab5e7524e4276a0f}
\end{quote}

IMG\_0003.PNG: Screenshot from Maps-App showing directions within Paris.
\begin{quote}
\textbf{size}: 939169 byte\\
\textbf{''file''-output}: PNG image data640 960 8-bit/color RGB, non-interlaced\\
\textbf{sha512}\\\ttfamily{
4238d1a52b41c7f0991dcce42ca347863244af381f34ff59efa33ab9cc85b241\\
849d7087cf42ce426936fc83b3a72ae991a3fc220d4716d874590222237edacf}
\end{quote}

IMG\_0005.JPG: Showing some statistics about company shares.
\begin{quote}
\textbf{size}: 62763 byte\\
\textbf{''file''-output}: JPEG image data, EXIF standard\\
\textbf{sha512}\\\ttfamily{
6201ddb71d24c5b662284ef091f758db5d4144643909eb29dc2522a91fc75bf0\\
e54995f6115f66c96cbd51ec7c052294e8a587eedc156aaa085214fee0619293}
\end{quote}


\subsection{Viber-App}
The Viber-Database was extracted from \emph{\textbf{IPBA::AppDomain:com.viber/Documents/Contacts.data}}
\begin{quote}
\textbf{size}: 41984 byte\\
\textbf{''file''-output}: SQLite 3.x database\\
\textbf{sha512}\\\ttfamily{
89eae3d5fa62a3ea1b499a539f71ee8fc7c8adb147c12d5bb90868384b93206c\\
21f2ce84f493d6c6601851844d14cf4dbdd1523ebe98bdc9deb5db380533df77}
\end{quote}

The content was:
\begin{center}\begin{tabular}{| l | l | l | l | l |}
  \hline timestamp & to/from & number & name & duration (sec)\\
  \hline 2012-12-06 16:27:32 & to & 436803303660 & Laura Markovic & 0\\
  \hline 2012-12-06 16:31:57 & to & 436605166042 & Johannes Smith & 72\\
  \hline
\end{tabular}\end{center}


\subsection{Skype-App}
The Skype-Database was extracted from \emph{\textbf{IPBA::AppDomain:com.skype.skype/Library/Application Support/Skype/allegro.mayer/main.db}}
\begin{quote}
\textbf{size}: 128000 byte\\
\textbf{''file''-output}: SQLite 3.x database\\
\textbf{sha512}\\\ttfamily{
29da4b939b6f3f2def0296ca2087355e57321ecb0a5d0e10264c16c69359a748\\
593fd29b8eef03407be07d386e6a980f2b6d25d29a5d3740bd566531a03c79a1}
\end{quote}

The content was:
\begin{center}\begin{tabularx}{\textwidth}{| l | l | l | l | X |}
  \hline timestamp & to/from & Skype id & name & content\\
  \hline 2012-11-27 12:20:00 & from & johannes.m.smith & Johannes Smith & Hallo! Ich wüurde Sie gerne in meine Skype-Kontaktliste aufnehmen. Johannes Smith\\
  \hline 2012-12-06 13:20:33 & to & johannes.m.smith & Johannes Smith & \\
  \hline 2012-12-06 13:20:57 & to & christoffel.johannes.smith & Chris Smith & Fügen Sie mich als Kontakt hinzu, damit wir anrufen und chatten können\\
  \hline 2012-12-06 13:21:33 & to & addy-juli & Julia & Fügen Sie mich als Kontakthinzu, damit wir anrufen und chatten können.\\
  \hline 2012-12-06 16:33:51 & from & johannes.m.smith & Johannes Smith & Hallo\\
  \hline
\end{tabularx}\end{center}


\subsection{Dropbox-App}
The plist \emph{\textbf{IPBA::AppDomain:com.getdropbox.Dropbox/Library/Preferences/com.getdropbox.Dropbox.plist}} opened with IPBA2 plist-viewer cointains a field \emph{\textbf{Dropbox Username}} and the email-address \emph{\textbf{allegro.mayer\@gmail.com}}\\

Also the field \emph{\textbf{Dropbox Camera Upload Has Ever Uploaded}} is \emph{\textbf{true}}\\


\subsection{Facebook-App}
The plist \emph{\textbf{IPBA::AppDomain:com.facebook.Facebook/com.facebook.Facebook.plist}} opened with IPBA2 plist-viewer cointains a field \emph{\textbf{FBLastLoginEmail}} and the email-address \emph{\textbf{allegro.mayer\@gmail.com}}\\

Searching of FB reveales the link to the profile: \url{https://www.facebook.com/allegro.mayer}.\\
That About-Page states his relationship status is married to Mrs. Ilse Mayer-Brandl (profile: \url{https://www.facebook.com/ilse.mayerbrandl}).\\

Relevant FB-postings by Allegro Mayer:\\
On December 7. 2012 11:54 at Flughafen Wien, Vienna Airport, Austria.
\begin{quote}On my way to Paris\end{quote}

On December 7. 2012 14:17 at Paris, with Laura Markovic (\url{https://www.facebook.com/laura.markovic.129}).
\begin{quote}enjoying a romantic weekend with my dearest love in Paris!\end{quote}






\newpage\section{Android}
\subsection{Source: Android.tar.gz (ANDROID)}
Android image from Johannes Maskus Smith's phone.
\begin{quote}
\textbf{size}: 270397822 byte\\
\textbf{''file''-output}: gzip compressed data, last modified: Fri Dec 14 12:06:37 2012, from Unix\\
\textbf{sha512}\\\ttfamily{
9614e30affc09d1cbfad5a96e43b2e40dae3c5c123db22dcbd53e980d14418d9\\
ab18c6a2b5b9f8a0e1539474612a4a7ceae627255a2169565f0dddf3409ef67d}
\end{quote}

\subsection{Contacts}
\subsection{Call-Log}
\subsection{SMS-Log}
\subsection{Media}
\subsection{eMail-App}
\subsection{Viber-App}
\subsection{Skype-App}
\subsection{Whatsapp-App}
\subsection{Dropbox-App}
\subsection{Facebook-App}


\newpage\section{Details}
\subsection{Used tools on GuestVM}
Tools that were used for analysis (-{}-version):
\begin{itemize}
\item IP Backup Aanalyzer 2.0 build 20130319 (mar 2013)
\end{itemize}

\subsection{Used tools on Host}
Tools that were used for analysis (-{}-version):
\begin{itemize}
\item sqlite3 3.8.5 2014-06-04 14:06:34 b1ed4f2a34ba66c29b130f8d13e9092758019212
\item sha512sum (GNU coreutils) 8.22
\item ls (GNU coreutils) 8.22
\item file 5.18
\item tar tar (GNU tar) 1.27.1
\end{itemize}

\subsection{Machines}
\begin{itemize}
\item \textbf{Virtual machine}\\
Windows XP Version5.1 (Build2600.xpsp\_sp3\_qfe.130704-0421 : Service Pack3)
\item \textbf{Oracle VirtualBox} 4.3.10
\item \textbf{Host machine}\\
Linux rebx 3.14.0-gentoo-somenet.org \#1 SMP Sun Apr 6 01:00:17 CEST 2014 x86\_64 Intel(R) Core(TM)2 Duo CPU T9300 \@ 2.50GHz GenuineIntel GNU/Linux
\end{itemize}