From 7cf67fb03d58835d7b100f7094311c9cea836a55 Mon Sep 17 00:00:00 2001 From: Jan Vales Date: Sat, 21 Jun 2014 02:46:45 +0200 Subject: [PATCH] android is done now. --- report4/content.tex | 255 +++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 242 insertions(+), 13 deletions(-) diff --git a/report4/content.tex b/report4/content.tex index 6133bfa..e1850cc 100644 --- a/report4/content.tex +++ b/report4/content.tex 
@@ -3,14 +3,18 @@ \begin{center}\begin{tabularx}{\textwidth}{| l | l | l | l | l | X | } \hline source & service & timestamp & from & to & content\\ \hline IPBA & skype message & 27-11-2012 12:20:00 & Smith & Mayer & Auth\_Request Hallo! Ich würde Sie gerne in meine Skype-Kontaktlistaufnehmen. Johannes Smith\\ + \hline ANDRO & eMail & 2012-11-27 13:03:02 & Mayer & Smith & Re: current stocks!\\ + \hline ANDRO & dropbox & 2012-11-27 16:08:24 & Mayer & Smith & shared folder confidential\\ \hline IPBA & skype message & 2012-12-06 13:20:33 & Mayer & Smith & Auth\_Granted\\ \hline IPBA & call & 2012-12-06 14:35:38 & Mayer & Smith & duration 0:01:15\\ + \hline IPBA & call & 2012-12-06 16:00:10 & Smith & Mayer & duration 0:00:17 No corresponding entry on ANDRO.\\ \hline IPBA & sms & 2012-12-06 16:20:46 & Mayer & Smith & Ich habe wichtige Informationen über unseren letzten deal für dich. Ruf dich später an, wenn ich ungestört bin.\\ \hline IPBA & call & 2012-12-06 16:25:30 & Smith & Mayer & duration 0:00:00\\ - \hline IPBA & call & 2012-12-06 16:26:11 & Smith & Mayer & duration 0:00:00\\ + \hline IPBA & call & 2012-12-06 16:26:11 & Smith & Mayer & duration 0:00:00 (ANDRO: duration 0:00:13)\\ \hline IPBA & sms & 2012-12-06 16:30:43 & Smith & Mayer & Sicherer kanal wär besser ....\\ - \hline IPBA & viber call & 2012-12-06 16:31:57 & Mayer & Smith & (71 sec)\\ + \hline IPBA & viber call & 2012-12-06 16:31:57 & Mayer & Smith & duration 0:01:11\\ \hline IPBA & skype message & 2012-12-06 16:33:53 & Smith & Mayer & "Hallo"\\ + \hline ANDRO & viber call & 2012-12-06 16:35:14 & Smith & Mayer & duration 0:00:00. No corresponding entry on IPBA. 
\\ \hline IPBA & sms & 2012-12-06 16:36:26 & Smith & Mayer & Hallo, ich empfehle dir den WhatsApp Messenger für Android, iPhone, Nokia, BlackBerry und Windows Phone auf http://whatsapp.com/dl/\\ \hline IPBA & sms & 2012-12-06 16:42:50 & Mayer & Smith & Viel zu unsicher, hab mir vor kurzem einen ganz tollen vortrag darüber angehört...\\ \hline IPBA & sms & 2012-12-06 16:45:19 & Mayer & Smith & Ich hab von einem kollegen wichtige informationen. Ruf dich an\\ 
@@ -20,12 +24,15 @@ \subsection{What information was exchanged between Mr. Smith and Mr. Mayer? (3 points)} -Mayer sends Smith an eMail and a Dropbox folder named confidential containing 4 files. +Mayer shared a folder called called \emph{\textbf{confidential}} with Smith over Dropbox.\\ +The invitation eMail contains the URL to that folder (\url{https://www.dropbox.com/sh/vynk4jf4tghe88d/ +xkfh_H-BLn?lst#/}).\\ +The folder is publicly accessible so it was possible to extract its contents. \begin{itemize} -\item \emph{\textbf{2012-11-27 14.31.56.png}} iPhone screenshot from some flightplan App, shows a number of flights departing Vienna shortly after 1700 (among those, two flights from Vienna to Paris) -\item \emph{\textbf{Homer-Simpson-Butt-Wide-Load.png}} image of from an episode of the TV series The Simpsons, showing Homer Simpson with \textbf{Wide Load} written across his back. -\item \emph{\textbf{Stocks-watch.jpg}} shows a key lying on a newspaper with a headline beginning with \textbf{Investing} -\item \emph{\textbf{stocks.jpg}} smaller version of \emph{\textbf{IPBA::IMG\_0005.JPG}} from the iPhone backup. +\item\emph{\textbf{2012-11-27 14.31.56.png}}\\iPhone screenshot from some flightplan App, shows a number of flights departing Vienna shortly after 1700 (among those, two flights from Vienna to Paris) +\item\emph{\textbf{Homer-Simpson-Butt-Wide-Load.png}}\\Snapshot of from an episode of The Simpsons showing Homer with \textbf{Wide Load} written across his back. +\item\emph{\textbf{Stocks-watch.jpg}}\\A key lying on a newspaper with a headline beginning with \textbf{Investing} +\item\emph{\textbf{stocks.jpg}}\\Smaller version of \emph{\textbf{IPBA::IMG\_0005.JPG}} from the iPhone backup. \end{itemize} 
@@ -308,18 +315,240 @@ ab18c6a2b5b9f8a0e1539474612a4a7ceae627255a2169565f0dddf3409ef67d} \subsection{Contacts} +The contacts were extracted from the table \emph{\textbf{raw\_contacts}} and \emph{\textbf{phone\_lookup}} from the file\\ +\emph{\textbf{ANDRO::data/data/com.android.providers.contacts/databases/contacts2.db}} +\begin{quote} +\textbf{size}: 110592 byte\\ +\textbf{''file''-output}: SQLite 3.x database\\ +\textbf{sha512}\\\ttfamily{ +ac4da8a978cb0b1e09f9b556065b93790892568a38e0d86cc5d36490fa1b3acc\\ +527651378468b8b17c5d56db375bae2f906e53f0a765471d9fae4b0860a6fbc0} +\end{quote} + +The content was: +\begin{center}\begin{tabular}{| l | l | } + \hline number & display\_name\\ + \hline 06604413637 & Antonio Schweinebauer\\ + \hline 06605969364 & Karl Heinz Grasser\\ + \hline +4300436605969364 & Allegro Mayer\\ + \hline +4300436605969364 & Allegro Mayer\\ + \hline 06603203711 & Allegro Mayer\\ + \hline +4300436605969364 & Allegro Mayer\\ + \hline +\end{tabular}\end{center} + +It looks suspicious that 2 diffrent People share the same Number. Maybe the tables became corrupt? 
+ + \subsection{Call-Log} -\subsection{SMS/iMessage} +The call-logs were extracted from the table \emph{\textbf{calls}} from the file\\ +\emph{\textbf{ANDRO::data/data/com.android.providers.contacts/databases/contacts2.db}} +\begin{quote} +\textbf{size}: 110592 byte\\ +\textbf{''file''-output}: SQLite 3.x database\\ +\textbf{sha512}\\\ttfamily{ +ac4da8a978cb0b1e09f9b556065b93790892568a38e0d86cc5d36490fa1b3acc\\ +527651378468b8b17c5d56db375bae2f906e53f0a765471d9fae4b0860a6fbc0} +\end{quote} + +The content was: +\begin{center}\begin{tabular}{| l | l | l | l | l | } + \hline date & type & number & name & duration\\ + \hline 2012-12-06 13:30:49 & to & 6604413637 & Antonio Schweinebauer & 92\\ + \hline 2012-12-06 13:33:24 & to & 6604413637 & Antonio Schweinebauer & 109\\ + \hline 2012-12-06 13:40:43 & from & 19804042297 & & 16\\ + \hline 2012-12-06 14:01:50 & to & 6604413637 & Antonio Schweinebauer & 0\\ + \hline 2012-12-06 15:23:38 & to & 6604413637 & Antonio Schweinebauer & 0\\ + \hline 2012-12-06 15:52:45 & to & 6604413637 & Antonio Schweinebauer & 11\\ + \hline 2012-12-06 15:55:22 & to & 6604413637 & Antonio Schweinebauer & 3\\ + \hline 2012-12-06 16:00:01 & to & 6604413637 & Antonio Schweinebauer & 15\\ + \hline 2012-12-06 16:13:29 & from & 436605969364 & Karl Heinz Grasser & 63\\ + \hline 2012-12-06 16:22:21 & to & 4300436605969364 & & 0\\ + \hline 2012-12-06 16:25:12 & to & 6603203711 & Allegro Mayer & 0\\ + \hline 2012-12-06 16:26:03 & to & 6603203711 & Allegro Mayer & 13\\ + \hline 2012-12-06 16:33:10 & from & 6603203711 & Allegro Mayer & 74 Viber\\ + \hline 2012-12-06 16:35:14 & to & 6603203711 & Allegro Mayer & 0 Viber\\ + \hline 2012-12-06 16:45:30 & from & 436603203711 & Allegro Mayer & 20\\ + \hline +\end{tabular}\end{center} + + +\subsection{SMS} +The sms were extracted from the table \emph{\textbf{sms}} from the file\\ +\emph{\textbf{ANDRO::data/data/com.android.providers.telephony/databases/mmssms.db}} +\begin{quote} +\textbf{size}: 40960 byte\\ 
+\textbf{''file''-output}: SQLite 3.x database\\ +\textbf{sha512}\\\ttfamily{ +da62de7c96eac0299584fe7a7278b43a5986f1a6c5f5a6ed1f2ec18bddcbd0d2\\ +0e6bb39419f5777d8610783f95405d509a39306217ed6ed6186e17ef2db85cd6} +\end{quote} + +The content was: +\begin{center}\begin{tabularx}{\textwidth}{| l | l | l | X | } + \hline date & type & address & body\\ + \hline 2012-12-06 16:29:50 & from & Viber & Your Viber code is: 7868 Close this message and enter the code into Viber to activate your account.\\ + \hline 2012-12-06 16:36:22 & to & 6603203711 & Hallo, ich empfehle dir den WhatsApp Messenger für Android, iPhone, Nokia, BlackBerry und Windows Phone auf http://whatsapp.com/dl/\\ + \hline 2012-12-06 16:42:55 & from & 436603203711 & Viel zu unsicher, hab mir vor kurzem einen ganz tollen vortrag darüber angehört...\\ + \hline 2012-12-06 16:45:24 & from & 436603203711 & Ich hab von einem kollegen wichtige informationen. Ruf dich an\\ + \hline +\end{tabularx}\end{center} + + \subsection{Calendar} -\subsection{Browser} -\subsection{WLANs} -\subsection{Media} +The calendar events were extracted from the table \emph{\textbf{Events}} from the file\\ +\emph{\textbf{ANDRO::data/data/com.android.providers.calendar/databases/calendar.db}} +\begin{quote} +\textbf{size}: 33792 byte\\ +\textbf{''file''-output}: SQLite 3.x database\\ +\textbf{sha512}\\\ttfamily{ +8e8a8a427432c3e2ddfc3435b1121da27442d53eed27bb433b784850efa703d4\\ +b8b6e55ebbe31ab55612e94a83cd933bb75fbffbb33f680a260bcc9c86380f86} +\end{quote} + +The content was: +\begin{center}\begin{tabular}{ | l | l | l | l| l |} + \hline event & location & start & end & attendees \\ + \hline Geschäftsessen & Maylee & 2012-12-07 11:00:00 & 2012-12-07 12:00:00 & Johannes Smith\\ + \hline +\end{tabular}\end{center} + + +\subsection{Accounts} +All registered accounts were extracted from the table \emph{\textbf{accounts}} from the file\\ +\emph{\textbf{ANDRO::data/system/accounts.db}} +\begin{quote} +\textbf{size}: 20480 byte\\ 
+\textbf{''file''-output}: SQLite 3.x database\\ +\textbf{sha512}\\\ttfamily{ +986ef7b12650f36959592640dc824fa22c40fd1d6c13dc36f4eeb719c6b6ef80\\ +773762691bb9adb0b9c7490e5eedd4c5fa462b5b8c6119e6736bc2be3b09cd03} +\end{quote} + +There seems to be nothing of interest on Smith's Facebook public profile (\url{https://www.facebook.com/johannes.markussmith}).\\ + +Whatsapp seems to be interesting: It seems that \emph{\textbf{+436603169718}} is Smith's secondary phone number. + + +\subsection{eMail} +Relevant eMail-headers were extracted from the table \emph{\textbf{Message}} from the file\\ +\emph{\textbf{ANDRO::data/data/com.android.email/databases/EmailProvider.db}} +\begin{quote} +\textbf{size}: 33792 byte\\ +\textbf{''file''-output}: SQLite 3.x database\\ +\textbf{sha512}\\\ttfamily{ +bbcfc7565fe211a9b86d49a8ce816b4ac6d44c6bd7360f0342961af2051f60f9\\ +c6481393562aa5413e25ec8b7b78c0be43e530b498f59d11b6e5f2c5c6cdab5e} +\end{quote} + +Relevant eMail-bodies were extracted from the table \emph{\textbf{Body}} from the file\\ +\emph{\textbf{ANDRO::data/data/com.android.email/databases/EmailProviderBody.db}} +\begin{quote} +\textbf{size}: 108544 byte\\ +\textbf{''file''-output}: SQLite 3.x database\\ +\textbf{sha512}\\\ttfamily{ +a3b3d4160cc51651894bdd569677ecaea80cdee5b0622015604293b2dcb1c2e4\\ +15c05f2ccbf70b82b8b5fc03c8d3c8ced182db17a9cdf603aa08f831c57d2ce8} +\end{quote} + +On \emph{\textbf{2012-11-27 13:03:02}} subject \emph{\textbf{Re: current stocks!}} +\begin{lstlisting}Thanks!!! +It seems that we've made the right decisions!! + +Am Dienstag, 27. November 2012 schrieb Johannes Smith : + +> FYI. +> regards, +> johannes +> +> +\end{lstlisting} + +On \emph{\textbf{2012-11-27 16:08:24}} subject \emph{\textbf{Allegro Mayer shared "confidential" with you}} +\begin{lstlisting}Allegro hat über Dropbox einige Dateien für dich freigegeben! 
+ +Klicke hier, um "confidential" anzuzeigen: https://www.dropbox.com/el/?r=/sh/vynk4jf4tghe88d/xkfh_H-BLn&b=clk:124439748:4804662256873865079:776:445&z=AACxCiMV76RVXzyBMgmjFiqsgTRbi53b5uE5OmdOmwYvZg +\end{lstlisting} + + \subsection{Viber-App} -\subsection{Skype-App} -\subsection{Facebook-App} +The Viber-call-logs were extracted from the table \emph{\textbf{viber\_call\_log}} from the file\\ +\emph{\textbf{ANDRO::data/data/com.viber.voip/databases/viber\_call\_log.db}} +\begin{quote} +\textbf{size}: 5120 byte\\ +\textbf{''file''-output}: SQLite 3.x database\\ +\textbf{sha512}\\\ttfamily{ +64fb64c0568f54c762561c0d939538a938adb7a671904418b763992701b5b24a\\ +75ec0c3f0e6959525f05bae929b6734c7d6ccac19a0363ebc3459c7b45cbdbe1} +\end{quote} + +The content was: +\begin{center}\begin{tabular}{ | l | l | } + \hline number & timestamp\\ + \hline 06603203711 & 2012-12-06 16:35:14\\ + \hline +\end{tabular}\end{center} + + +\subsection{Whatsapp-App} +The Whatsapp call-log seems to have been wiped, as there was nothing useful to extracted from the table \emph{\textbf{messages}} from the file\\ +\emph{\textbf{ANDRO::data/data/com.whatsapp/databases/msgstore.db}} +\begin{quote} +\textbf{size}: 8192 byte\\ +\textbf{''file''-output}: SQLite 3.x database\\ +\textbf{sha512}\\\ttfamily{ +700ad004b1c20d4c3bdc4d56ee59e3469db661a045fcb4803906f9d77a76f5c5\\ +829d0751f84e913fcebe0d23491ec2c4d5ca03f577cbb087218b314422a68821} +\end{quote} + +The Whatsapp contactlist was extracted from the table \emph{\textbf{wa\_contacts}} from the file\\ +\emph{\textbf{ANDRO::data/data/com.whatsapp/databases/wa.db}} +\begin{quote} +\textbf{size}: 7168 byte\\ +\textbf{''file''-output}: SQLite 3.x database\\ +\textbf{sha512}\\\ttfamily{ +ace8f7e526fc641556d96a58f0bdffd99f2b93bf39be271c9599eab10bcdd3b5\\ +7111b321a9dd6ca51c81c7bd4422e6126a6a7dd66d3fa59e328ff990a99642d1} +\end{quote} + +The content was: +\begin{center}\begin{tabular}{ | l | l | l | } + \hline jid & number & display\_name\\ + \hline 
436605969364@s.whatsapp.net & 6605969364 & Karl Heinz Grasser\\ + \hline 436604413637@s.whatsapp.net & 6604413637 & Antonio Schweinebauer\\ + \hline 436603203711@s.whatsapp.net & 6603203711 & Allegro Mayer\\ + \hline 4300436605969364@s.whatsapp.net & 4300436605969360 & Allegro Mayer\\ + \hline +\end{tabular}\end{center} + + +\subsection{WLANs} +The file \emph{\textbf{ANDRO::data/misc/wifi/wpa\_supplicant.conf}} whows an interesting network configuration. +\begin{quote} +\textbf{size}: 126 byte\\ +\textbf{''file''-output}: ASCII text\\ +\textbf{sha512}\\\ttfamily{ +cf30537161f54bad5f9a741f90c14afb2e6cf00151ed3ed414f301c9aa5cb964\\ +b6d745f0daabb44f922efded0c1b7c93698b43545dbf465608807bc22b779787} +\end{quote} + +\begin{lstlisting} +trl_interface=eth0 +update_config=1 + +network={ + ssid="pornhub" + psk="I'mNaked!FindMeUpstairs" + key_mgmt=WPA-PSK + priority=1 +} +\end{lstlisting} +The same Access-Point name was used on Mayer's iPhone too. \newpage\section{Dropbox} +TODO: move to top. + Mayer shared a folder called called \emph{\textbf{confidential}} with Smith over Dropbox.\\ The invitation eMail contains the URL to that folder (\url{https://www.dropbox.com/sh/vynk4jf4tghe88d/ xkfh_H-BLn?lst#/}).\\ -- 2.43.0
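Review bot: the first hunk merges ANDRO rows into the IPBA timeline without saying which device clock each timestamp comes from, although the Android call log and SMS table in the same patch show the same events several seconds apart from the iPhone entries (IPBA 16:26:11 vs. ANDRO 16:26:03; IPBA 16:36:26 vs. ANDRO 16:36:22; IPBA 16:45:19 vs. ANDRO 16:45:24). Add a sentence above the table stating the observed offsets, and consider a dedicated column for the ANDRO-side timestamp instead of the free-text remarks "No corresponding entry on ANDRO." and "(ANDRO: duration 0:00:13)" inside the content cell. The first row also still uses "27-11-2012 12:20:00" while every other row is ISO "YYYY-MM-DD"; normalise it so the table reads chronologically.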
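Review bot: the \url{} argument added in the second hunk is split across two source lines ("https://www.dropbox.com/sh/vynk4jf4tghe88d/" and "xkfh_H-BLn?lst#/"), which puts a break or a space into the rendered link; keep the whole URL on one source line. "called called" and "Snapshot of from an episode" are duplicated words. The sentence "The folder is publicly accessible so it was possible to extract its contents." describes an acquisition from a live external service rather than from the ANDRO or IPBA images; record when the share was retrieved and give size and sha512 for the four downloaded files, as every other artefact in this report has, so the item list stays verifiable.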
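Review bot: in the Contacts subsection of the third hunk the remark "2 diffrent People share the same Number" is not supported by the rows shown: Grasser has 06605969364, Mayer has 06603203711 plus three identical +4300436605969364 rows, so the visible anomaly is one number stored three times for one contact; +4300436605969364 also reads like Grasser's 436605969364 with an extra "00 43" dialling prefix, which would account for the nameless 16:22:21 call-log entry to 4300436605969364. Reword the sentence (and fix "diffrent") to state what the table actually shows. Further points in this hunk: the WhatsApp contact row has jid 4300436605969364@s.whatsapp.net but number 4300436605969360, a likely transcription slip since every other row's number matches its jid; the call-log duration column mixes plain seconds with "74 Viber" and "0 Viber", so name the unit in the header and move Viber into its own column; "\begin{lstlisting}Thanks!!!" and "\begin{lstlisting}Allegro hat ..." start the listing body on the \begin line, which listings does not typeset reliably, so move the first line of each body onto its own line; "trl_interface=eth0" in the wpa_supplicant listing looks truncated (the key is ctrl_interface), check it against the 126-byte file; the Accounts subsection gives the accounts.db hash but no extracted rows, so the Facebook-profile conclusion and "+436603169718 is Smith's secondary phone number" have no evidence shown; the WhatsApp paragraph calls the messages table a call-log although it holds message history; typos "whows", "to extracted", "contactlist"; and the "TODO: move to top." line together with the duplicated Dropbox paragraph at the end of the file will render into the report.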