From bd10c5b7c6a38d3ca56bf9a5900cb2d739e8d8b5 Mon Sep 17 00:00:00 2001 From: Jan Vales Date: Fri, 20 Jun 2014 22:38:15 +0200 Subject: [PATCH] iPhone and blabla done. Android still not filled in --- report4/content.tex | 110 +++++++++++++++++++++++++------------------- report4/main.tex | 4 +- 2 files changed, 64 insertions(+), 50 deletions(-) diff --git a/report4/content.tex b/report4/content.tex index 99b6248..4d8dda0 100644 --- a/report4/content.tex +++ b/report4/content.tex 
@@ -1,39 +1,46 @@ - \newpage\section{Questions (12 points)} \subsection{How and when did Mr. Smith and Mr. Mayer communicate? (2 point)} -\begin{center}\begin{tabularx}{\textwidth}{| l | l | l | X | } - \hline service & timestamp & (from) to & content\\ - \hline skype & 27-11-2012 12:20:00 & to:allegro.mayer from:johannes.m.smith & Auth\_Request\\ - \hline skype & 06-12-2012 13:20:33 & from:allegro.mayer to:johannes.m.smith & Auth\_Granted\\ - \hline call & 2012-12-06 14:35:38 & Johannes Smith 06603169718 & (0:01:15 sec)\\ - \hline skype & 06-12-2012 16:33:53 & to:allegro.mayer from:johannes.m.smith & "Hallo"\\ - \hline sms & 2012-12-06 17:20:46 & to +436603169718 & Ich habe wichtige Informationen über unseren letzten deal für dich. Ruf dich später an, wenn ich ungestört bin.\\ - \hline sms &2012-12-06 17:30:43 & to +436603169718 & Sicherer kanal wär besser ....\\ - \hline viber call & 2012-12-06 17:31:57 & Johannes Smith & (71 sec)\\ - \hline sms & 2012-12-06 17:36:26 & from +436605166042 & Hallo, ich empfehle dir den WhatsApp Messenger für Android, iPhone, Nokia, BlackBerry und Windows Phone auf http://whatsapp.com/dl/\\ - \hline sms & 2012-12-06 17:42:50 & to +436605166042 & Viel zu unsicher, hab mir vor kurzem einen ganz tollen vortrag darüber angehört...\\ - \hline sms & 2012-12-06 17:45:19 & to +436605166042 & Ich hab von einem kollegen wichtige informationen. Ruf dich an\\ - \hline call & 2012-12-06 17:45:36 & Johannes Smith +436605166042 & (0:00:21 sec; diensthandy? DumpBank We Sell Your Shit)\\ +\begin{center}\begin{tabularx}{\textwidth}{| l | l | l | l | l | X | } + \hline source & service & timestamp & from & to & content\\ + \hline IPBA & skype message & 27-11-2012 12:20:00 & Smith & Mayer & Auth\_Request Hallo! Ich würde Sie gerne in meine Skype-Kontaktlistaufnehmen. 
Johannes Smith\\ + \hline IPBA & skype message & 2012-12-06 13:20:33 & Mayer & Smith & Auth\_Granted\\ + \hline IPBA & call & 2012-12-06 14:35:38 & Mayer & Smith & duration 0:01:15\\ + \hline IPBA & sms & 2012-12-06 16:20:46 & Mayer & Smith & Ich habe wichtige Informationen über unseren letzten deal für dich. Ruf dich später an, wenn ich ungestört bin.\\ + \hline IPBA & sms & 2012-12-06 16:30:43 & Smith & Mayer & Sicherer kanal wär besser ....\\ + \hline IPBA & viber call & 2012-12-06 16:31:57 & Mayer & Smith & (71 sec)\\ + \hline IPBA & skype message & 2012-12-06 16:33:53 & Smith & Mayer & "Hallo"\\ + \hline IPBA & sms & 2012-12-06 16:36:26 & Smith & Mayer & Hallo, ich empfehle dir den WhatsApp Messenger für Android, iPhone, Nokia, BlackBerry und Windows Phone auf http://whatsapp.com/dl/\\ + \hline IPBA & sms & 2012-12-06 16:42:50 & Mayer & Smith & Viel zu unsicher, hab mir vor kurzem einen ganz tollen vortrag darüber angehört...\\ + \hline IPBA & sms & 2012-12-06 16:45:19 & Mayer & Smith & Ich hab von einem kollegen wichtige informationen. Ruf dich an\\ + \hline IPBA & call & 2012-12-06 16:45:36 & Mayer & Smith & duration 0:00:21\\ \hline \end{tabularx}\end{center} \subsection{What information was exchanged between Mr. Smith and Mr. Mayer? (3 points)} -dropbox extracted from android. no time now. mutter kollabiert gerade.\\ +Mayer sends Smith an eMail and a Dropbox folder named confidential containing 4 files. +\begin{itemize} +\item \emph{\textbf{2012-11-27 14.31.56.png}} iPhone screenshot from some flightplan App, shows a number of flights departing Vienna shortly after 1700 (among those, two flights from Vienna to Paris) +\item \emph{\textbf{Homer-Simpson-Butt-Wide-Load.png}} image of from an episode of the TV series The Simpsons, showing Homer Simpson with \textbf{Wide Load} written across his back. 
+\item \emph{\textbf{Stocks-watch.jpg}} shows a key lying on a newspaper with a headline beginning with \textbf{Investing} +\item \emph{\textbf{stocks.jpg}} smaller version of \emph{\textbf{IPBA::IMG\_0005.JPG}} from the iPhone backup. +\end{itemize} + \subsection{Can you find any evidence or hints that support the suspicion of insider trade? (3 points)} No hard evidence was found.\\ -The fact that both parties looked up stock trading sites could hint at that.\\ -Also communication between Mayer and Smith does not give a definite proof that they really did anything. +The fact that both parties looked up stock trading sites could hint at that. Also some not too suspicious images were exchanged.\\ +Mayer communicates with Ernst Strasser while Smith communicates with Karl Heinz Grasser.\\ +Obviously because of the Unschuldsvermutung neither Mayer nor Smith could even remotely be connected with insider trading *scnr* \subsection{Was the person that the witness identified really Mr. Mayer? (2 points)} As Mayer was in Paris on Friday, 7th of December 2012, late afternoon it seems unlikely that a witness saw them.\\ Unless of course Mayer and Smith met in Paris which could be hinted at by the FILE in the dropbox-directory and the witness too was in Paris at that time. + \subsection{Mr. Mayer seems to have more secrets than initially expected. What is his big secret? (2 points)} -By using MAYRS EMAIL address, we found out, that he is engaged with NAME.\\ -Communication suggests that MAYR + Laura were on a romantic trip in Paris. +It looks like Mayer is married to Mrs. Ilse Mayer-Brandl (profile: \url{https://www.facebook.com/ilse.mayerbrandl}) and has an affair with Laura Markovic (\url{https://www.facebook.com/laura.markovic.129}). 
@@ -83,23 +90,23 @@ The call-log was extracted from \emph{\textbf{IPBA::Wireless Domain:Library/Call \end{quote} The content was: -\begin{center}\begin{tabular}{ | l | l | l | l | } - \hline date & to/from & Phonenumber & duration (sec)\\ - \hline 2012-12-06 13:35:38 & to & 06603169718 & 75\\ - \hline 2012-12-06 14:02:20 & to & 06803303660 & 0\\ - \hline 2012-12-06 14:03:02 & from & +436605969364 & 23\\ - \hline 2012-12-06 14:08:34 & to & 0660303010 & 0\\ - \hline 2012-12-06 14:10:02 & to & 0660303030 & 1181\\ - \hline 2012-12-06 15:17:05 & to & 0660303030 & 1023\\ - \hline 2012-12-06 15:34:30 & to & 0660303030 & 864\\ - \hline 2012-12-06 16:00:10 & from & +436605166042 & 17\\ - \hline 2012-12-06 16:08:02 & to & 06604394199 & 9\\ - \hline 2012-12-06 16:25:30 & from & +436605166042 & 0\\ - \hline 2012-12-06 16:26:11 & from & +436605166042 & 0\\ - \hline 2012-12-06 16:34:39 & to & 06604394199 & 6\\ - \hline 2012-12-06 16:34:52 & to & 06604394199 & 12\\ - \hline 2012-12-06 16:35:10 & to & 06604394199 & 23\\ - \hline 2012-12-06 16:45:36 & to & +436605166042 & 21\\ +\begin{center}\begin{tabular}{| l | l | l | l | l | } + \hline date & to/from & Phonenumber & name & duration (sec)\\ + \hline 2012-12-06 13:35:38 & to & 06603169718 & & 75\\ + \hline 2012-12-06 14:02:20 & to & 06803303660 & Laura Markovic & 0\\ + \hline 2012-12-06 14:03:02 & from & +436605969364 & & 23\\ + \hline 2012-12-06 14:08:34 & to & 0660303010 & & 0\\ + \hline 2012-12-06 14:10:02 & to & 0660303030 & & 1181\\ + \hline 2012-12-06 15:17:05 & to & 0660303030 & & 1023\\ + \hline 2012-12-06 15:34:30 & to & 0660303030 & & 864\\ + \hline 2012-12-06 16:00:10 & from & +436605166042 & Johannes Smith & 17\\ + \hline 2012-12-06 16:08:02 & to & 06604394199 & Ernst Strasser & 9\\ + \hline 2012-12-06 16:25:30 & from & +436605166042 & Johannes Smith & 0\\ + \hline 2012-12-06 16:26:11 & from & +436605166042 & Johannes Smith & 0\\ + \hline 2012-12-06 16:34:39 & to & 06604394199 & Ernst Strasser & 6\\ + \hline 
2012-12-06 16:34:52 & to & 06604394199 & Ernst Strasser & 12\\ + \hline 2012-12-06 16:35:10 & to & 06604394199 & Ernst Strasser & 23\\ + \hline 2012-12-06 16:45:36 & to & +436605166042 & Johannes Smith & 21\\ \hline \end{tabular}\end{center} 
@@ -116,15 +123,15 @@ The SMS-Database was extracted from \emph{\textbf{IPBA::Home Domain:Library/SMS/ The content was: -\begin{center}\begin{tabularx}{\textwidth}{| l | l | l | l | X | } +\begin{center}\begin{tabularx}{\textwidth}{| l | l | X | l | X | } \hline date & from/to & number & service & text\\ \hline 2012-12-06 16:17:20 & from & Viber & SMS & Your Viber code is: 9386 Close this message and enter the code into Viber to activate your account.\\ - \hline 2012-12-06 16:20:46 & to & +436603169718 & SMS & Ich habe wichtige Informationen über unseren letzten deal für dich. Ruf dich später an, wenn ich ungestört bin\\ - \hline 2012-12-06 16:30:43 & to & +436603169718 & SMS & Sicherer kanal wär besser ....\\ + \hline 2012-12-06 16:20:46 & to & +436603169718 & SMS & Ich habe wichtige Informationen über unseren letzten deal für dich. Ruf dich später an, wenn ich ungestört bin\\ + \hline 2012-12-06 16:30:43 & to & +436603169718 & SMS & Sicherer kanal wär besser ....\\ \hline 2012-12-06 16:33:58 & to & +436604413637 & iMessage & Hi wie gehts? Treffen wir und mal auf einen drink?\\ - \hline 2012-12-06 16:36:26 & from & +436605166042 & SMS & Hallo, ich empfehle dir den WhatsApp Messenger für Android, iPhone, Nokia, BlackBerry und Windows Phone auf http://whatsapp.com/dl/\\ - \hline 2012-12-0616:42:50 & to & +436605166042 & SMS & Viel zu unsicher, hab mir vor kurzem einen ganz tollen vortrag darüber angehört...\\ - \hline 2012-12-0616:45:19 & to & +436605166042 & SMS & Ich hab von einem kollegen wichtige informationen. 
Ruf dich an\\ + \hline 2012-12-06 16:36:26 & from & +436605166042 Johannes Smith & SMS & Hallo, ich empfehle dir den WhatsApp Messenger für Android, iPhone, Nokia, BlackBerry und Windows Phone auf http://whatsapp.com/dl/\\ + \hline 2012-12-06 16:42:50 & to & +436605166042 Johannes Smith & SMS & Viel zu unsicher, hab mir vor kurzem einen ganz tollen vortrag darüber angehört...\\ + \hline 2012-12-06 16:45:19 & to & +436605166042 Johannes Smith & SMS & Ich hab von einem kollegen wichtige informationen. Ruf dich an\\ \hline \end{tabularx}\end{center} @@ -231,9 +238,9 @@ The Viber-Database was extracted from \emph{\textbf{IPBA::AppDomain:com.viber/Do 21f2ce84f493d6c6601851844d14cf4dbdd1523ebe98bdc9deb5db380533df77} \end{quote} -The content was: +The call-log was: \begin{center}\begin{tabular}{| l | l | l | l | l |} - \hline timestamp & to/from & number & name & duration (sec)\\ + \hline timestamp & to & number & name & duration (sec)\\ \hline 2012-12-06 16:27:32 & to & 436803303660 & Laura Markovic & 0\\ \hline 2012-12-06 16:31:57 & to & 436605166042 & Johannes Smith & 72\\ \hline @@ -287,7 +294,7 @@ On December 7. 2012 14:17 at Paris, with Laura Markovic (\url{https://www.facebo \newpage\section{Android} -\subsection{Source: Android.tar.gz (ANDROID)} +\subsection{Source: Android.tar.gz (ANDRO)} Android image from Johannes Maskus Smith's phone. \begin{quote} \textbf{size}: 270397822 byte\\ 
@@ -297,18 +304,25 @@ Android image from Johannes Maskus Smith's phone. ab18c6a2b5b9f8a0e1539474612a4a7ceae627255a2169565f0dddf3409ef67d} \end{quote} + \subsection{Contacts} \subsection{Call-Log} -\subsection{SMS-Log} +\subsection{SMS/iMessage} +\subsection{Calendar} +\subsection{Browser} +\subsection{WLANs} \subsection{Media} -\subsection{eMail-App} \subsection{Viber-App} \subsection{Skype-App} -\subsection{Whatsapp-App} \subsection{Dropbox-App} \subsection{Facebook-App} + + + + + \newpage\section{Details} \subsection{Used tools on GuestVM} Tools that were used for analysis (-{}-version): diff --git a/report4/main.tex b/report4/main.tex index 8308d9e..71794c0 100644 --- a/report4/main.tex +++ b/report4/main.tex @@ -113,7 +113,7 @@ % START DOCUMENT \begin{document}\thispagestyle{empty} -\hspace{50pt} +\hspace{40pt} \section*{Digital Forensics 188.922} \textbf{2014S} @@ -124,7 +124,7 @@ \textbf{0726236\\\url{mailto:jan@jvales.net}}\\\\ \textbf{Still want an official \LaTeX{} template!}\\ -\vspace{40pt} +\vspace{30pt} \section*{Table of Contents}\begin{footnotesize}\tableofcontents\end{footnotesize} \subsection*{Version}\begin{footnotesize}\url{http://git.somenet.org/?p=priv/jan/digfor.git}\\ -- 2.43.0
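Review bot: in the Questions hunk (@@ -1,39 +1,46 @@) the rebuilt communication table is internally inconsistent in three places. The first Skype row keeps the old "27-11-2012 12:20:00" form while every other row now uses "2012-12-06 ..."; write it as "2012-11-27 12:20:00". The call row "2012-12-06 14:35:38 & Mayer & Smith & duration 0:01:15" disagrees by one hour with the same 75-second call in the call-log hunk ("2012-12-06 13:35:38 & to & 06603169718"), so one of the two is in the wrong timezone. And dropping the old "(diensthandy? DumpBank ...)" remark removes the only hint that +436603169718 and +436605166042 are both treated as Smith; keep a number column or a footnote so that attribution stays traceable. In the same hunk the witness answer still carries the placeholder "the FILE in the dropbox-directory" (name the file from the new itemize list), and the "*scnr*" sentence on the Unschuldsvermutung reads as a joke in a graded report; drop it.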
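Review bot: in the iPhone call-log hunk (@@ -83,23 +90,23 @@) the new "name" column is left blank for 06603169718 (the 13:35:38 call, 75 sec) even though the Questions table in this same patch attributes that call to Smith; either fill in the name or mark the number as unresolved so the two tables agree. Consider also stating in the surrounding text where the names came from (the iPhone contacts database) so the mapping is reproducible.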
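Review bot: in the SMS hunk (@@ -116,15 +123,15 @@) the contact name is appended inside the "number" column ("+436605166042 Johannes Smith") and the column spec widened to X to make room; a separate "name" column, as the call-log table in this patch already uses, keeps number and contact distinct. The "-"/"+" pairs for the 16:20:46 and 16:30:43 rows are textually identical, so they look like whitespace-only changes that add diff noise. The "2012-12-0616:42:50" missing-space fix is correct.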
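Review bot: in the Viber hunk (@@ -231,9 +238,9 @@) renaming the header from "to/from" to "to" leaves a column whose every value is "to"; either drop the column or keep "to/from" so incoming calls can be recorded in the same table.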
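Review bot: in the rename hunk (@@ -287,7 +294,7 @@) the source tag changes from ANDROID to ANDRO, matching the four-letter IPBA tag, but any existing "ANDROID::" references in the rest of content.tex would now be stale; grep for the old tag before merging.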
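Review bot: in the Android section hunk (@@ -297,18 +304,25 @@) the five blank lines added before \newpage\section{Details} are stray whitespace, and the section now consists of eleven empty \subsection headings that render as a page of titles with no content (the commit message acknowledges this). Removing the eMail-App and Whatsapp-App subsections also drops WhatsApp from the plan, although the SMS table shows Smith recommending it at 16:36:26; keep at least a one-line "not installed / not found" entry so the negative finding is recorded.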
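Review bot: in the main.tex hunk (@@ -113,7 +113,7 @@) the \hspace{50pt} to \hspace{40pt} title-page tweak is unrelated to the content changes in this commit; keep cosmetic layout adjustments in a separate commit so the report history stays reviewable.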