everyone and welcome to today's DFIR Webcast, Android vs iOS- Battle
of the Smartphones: Data Retention. My name is Benjamin White
with the SANS Institute and I'll be moderating
this webcast. Today's featured speaker
is Heather Mahalik, SANS certified instructor
and senior digital forensics analyst
at Basis Technology. During the presentation
if you have any questions for Heather, please enter
them into the questions window located on the GoToWebinar
interface.
At this point, I will
hand the presentation over to Heather Mahalik.
- [Heather] Hello everyone. First I wanna apologize
for the last time when I had to postpone this
talk due to the stomach bug. Now I'm fighting a cold,
so I also apologize if my voice sounds weird
or you hear me taking sips of my water to get through this.
Like Ben said, interrupt me
at any point with questions. I think it's easier to
answer them as we go along versus at the end. So if it's about the
slide I'm talking about we can reference it right there. The slide that's in front of you the next time this course is taught is actually
with Paul Henry next week.
I believe there are still
some seats available if anyone wants a
last minute add. But after that we will see you in Monterey where
Cindy Murphy and I will be co-teaching
for the first time. So I hope to see you
at one of the courses.
So what we're going
to cover today. This is the battle of
Android versus iOS. I only have an
hour so I'm hoping to cover as much as I can. And if you have more questions after the fact or you
wanna learn a little more, we hope to see you in 585 or you're welcome to email me my information will
be on the last slide.
You will have access to
the slides after the fact. So what we're going to cover is how Android and iOS
store application data. How the acquisition
method will affect your examination and what you
can pull from each device. Forensic handling
will also matter.
Methods to recover deleted data especially if your
forensic tool misses it. So we're gonna dive a
little bit deep in this just to touch on things
that you should know as a forensic examiner if
you're looking at smartphones. Hopefully some things
that you don't know and you'll learn. And to become more of an expert and actually get
hands on with it, you'll have to
attend the course.
So overall application storage, where is the user data stored? SQLite is used by
these smart devices. The active databases
will contain deleted data so that's one thing to know. Even if you aren't getting
a full physical acquisition which we'll talk about, you still need to be
able to recover deleted data which is different than
normal device forensics. Before we always
taught you that to get deleted data you have to
have a physical acquisition.
This is no longer true
for smartphone forensics. I will dive deeper into
that as the talk goes on. But just so you know
that SQLite stores application data and
makes a small footprint and it's great for
mobile devices. The database grows
in size to support the data requirements so
it's not set by default.
So you may find a huge
amount of deleted data still residing in these files. So iOS devices differ
slightly from Android in the fact that they
use property lists which are called plists and SQLite databases to store the application data. By default on non
jailbroken devices, I wanna just use that as
a little disclaimer here. You should be able to
find application data in the library folder
and under the documents.
So here, I'm showing on
the left hand side here, under the library, you can see I'm showing you an
example of drop box. There's a database file there that you could actually examine in any forensic
tool of your choice. You could examine it
in SQLite browser so there's lots of
options out there. So just remember the library and documents should
store your information relating to applications
on iOS devices.
For Android, SQLite
databases are also used. The preference files,
instead of plist information here like iOS, they'll use XML. You can examine those as well. The application files are
in individual subdirectories under the root of
the data partition.
So if you look here
on the screenshot you can see the data partition and then underneath you can see all the com folders. So com Amazon, you
would see Facebook. Anything else that they're using listed as a com file. There's a folder for each.
When we dive into each section, I will actually go into where to look in each partition. For the student or the
person that's asking the microphone is muted. Can't seem to get audio. Can you hear me? If you can will you type yes? Good to go? Okay, good.
You shouldn't be able to
speak into the microphone. You should just be able
to type your questions in. I should be the only one that
you can hear at this point. Okay so now we're gonna
start with the Android and talk about
application storage and then we'll branch into iOS.
And then the final section we'll actually cover just
third-party apps in general and how they actually are
the same for the battle. So your forensic
acquisition does matter and I also mention forensic
handling does matter. What I mean by that is if
your device is in your hands and you do not use
a (mumbles) solution and your device is wiped,
then that will actually render your data useless. So that's what I mean
by forensic handling.
If you alter the
data or allow someone to remotely access the device
whilst it's in your hands, it will affect your acquisition. Your acquisition method,
that will matter here so if you do a logical,
file system or physical. A logical simply
giving you a report. If you're lucky, you
will get some access to attachments and maybe some access to raw materials.
So logical right
here will give you the least amount for
your examination. Your file system will get
your data on your SD card. Remember this. This will actually matter.
So if you do simply a
logical acquisition, you will miss
application information stored on the SD card. You'll also get access
to the raw data files. Some of the data
will be decoded. Some of the deleted data may
be present but not parsed.
I will talk to you
about how to do that. And then ultimately,
the best case scenario is your physical
acquisition because you have the raw image file. You have access
to all partitions. Some of it may be
reconstructed for you and some of it may be analyzed.
But assuming it's not,
I'm going to talk to you about how to do all this
manually on your own. So for physical acquisition,
what's obtained? You can see here, you'll get
a reconstructed file system and I have a star there. What that means is, this is
Physical Analyzer right here. The reconstructed file
system is going to put into a normalized
format for you.
So if it knows that
something should be called the data partition, it's actually going
to call it data. You'll see here. The no name zero is
usually your SD card. So it doesn't call it SD card, it does the best it can but it's not going to give you everything that you need without knowing which
partitions store which data, essentially.
So you're getting access
to your data partition, your system partition
and your SD card and then others
that are required by the Android to function. Deleted data will be recovered, but it may not be all inclusive. So when I'm going through
these slides coming up, just keep in mind your
tool may parse some. If you see some deleted data, do not assume it's parsed all, especially from applications.
Decrypted data may not be
supported on all devices. So keep in mind decryption
and encryption will affect your acquisition. For file system, you get access to the external partition
which is the SD card. That is shown right here.
You can see on
this card actually in this example, you can see it has Blackberry on it. This was my old SD card
that I used in a Blackberry and then transferred
to my Android. So you can see
traces of old devices on the current device. You will get access
to the data partition, which is this HTC Android
incredible partition right here.
Some of the data will be decoded but the most important
thing to remember here is that you get access
to the raw files and that's what we want. So that is most important thing. When you're acquiring a device, however you acquire
it shouldn't matter as long as you get
access to the raw files in the data partition because
we want to actually manually carve these to ensure our tool
is not missing anything and that we're
getting all the data. For logical, I'm
sure most of you have done logical acquisitions.
If you haven't, essentially
it's pulling what the user sees and is giving you access to the native files
that are used on phones. So if anything is
deleted, it's not going to normally be parsed for you but it does not
mean it's not there. So if you have a tool... So right here I'm showing
Physical Analyzer.
XRY and Oxygen will
also pull files that they'll put in for example, XRY puts it in an
unrecognized folder. If you can get access to the raw database,
you can pull deleted data from a
logical acquisition. It just depends on your tool and what it will parse. So Physical Analyzer does it in a folder called databases which I will show you in a few slides later.
And Oxygen also gives you access to the raw databases. So if you're using a tool such as those three,
you should have access to raw data through
a logical acquisition and be able to actually pull out deleted data on your own. Alright, this is
a busy slide here. Evidentiary locations
on an Android device.
So a few things to see here. You can see the root directory and then you have
your application cache or cache your data. Your SD card and your system. The most important information that you're going to need for your forensic examination will reside in the
data partition, the cache partition, and
then also on the SD card.
A lot of people forget
that the SD card will contain a lot of
unique information that is not stored
on the device itself. It will contain unique
application information. So I'll go through in
the next few slides what actually matters
and what you need to know but as an overview, this is a good place. This lists all the directories.
Where you should look. Where data is stored that may
affect your investigation. Right, so understanding
data on Android devices. Yes.
- [Man] We had a question
two slides back about which acquisition
tool are you showing?
- [Heather] Oh I
actually see that. Okay so two slides
back, let's see. In this one?
- [Man] Yes.
- [Heather] This is
actually Physical Analyzer.
I did a logical acquisition and then just opened the
Android Physical Analyzer. So you can see it's
just giving me access to the attachments and
then all the analyzed data. This is what you would see
in the standard HTML report. Does that answer your question? Thank you, Ben.
Okay so before we
dive deeper into... So we just talked about
logical acquisition back here and what it pulls. One thing that these
smart devices do is as you use more
and more applications, they try and link
everything for you to make your life
easier as a user. It makes it faster.
So I'm sure many of you
have looked at your calendar on your smartphone and
think why is so and so from Facebook, why is their
birthday in my calendar? I didn't save it there. What the application is doing when you install it, it asks you can I access your calendar,
can I access your contacts? And is actually
syncing those for you. So this may be good for a user. It may be annoying for a user.
But it's bad for
forensic examiners if you do not
understand that concept. So this slide right here is showing in the com.android.providers.contacts
database, this is where the
contacts are stored. All of the contacts
are listed here under contacts2. These ones that I
am circling here that are kind of grayed out.
Those were actually
Facebook contacts. It has their Facebook picture. I did not save those
people to my phone. The same thing
happened on Skype.
So with Skype, if
you even search for a Skype user, it
will automatically save all the other ones
that are associated or are close to the one
you're searching with as a deleted contact. So if you're searching
for Heather M on Skype, it may show you Heather
M two, Heather M 13, all the ones. So if it lists hundreds,
all those hundreds are suggestions will be
stored as deleted contacts even though you never
connected with that person, you never wanted to, it may be stored there. So it's something that
you need to understand.
Facebook artifacts that
are usually affected are the calendar and contacts. Those will be stored into
both your database files if you opt to do that when
you install the application. And then again you may
see multiple instances of the same file. So you may see Becky in
this contact information listed in Facebook, in
my contacts, and if she were also a Skype friend or
another third-party app friend,
So just make sure you understand
how the data got there. That if someone's accused of
something in your investigation and they're a Skype
contact, it does not mean that the user connected
with that person unless you can prove it. The best way to do this
is to attend a course like 585 where we teach
you how to prove that or to get a test device. Actually load the application
you're interested in.
Try to follow the same footsteps that the person that
you're investigating has possibly done
and prove or disprove how the data got there. But just be cautious
on smartphones because some of the stuff they
do and how they sync the data with the applications
may be confusing. Okay, so question is how
can you differentiate those real contacts from
app suggested contacts? Excellent question. So on Facebook, if you look at the metadata, it will actually list it
as a Facebook artifact.
Skype is a little trickier. Skype it automatically
just deletes them in the database file. But if you look at the metadata, it will say that it
was Skype associated. The issue is with
Skype, it doesn't say that the person actually
connected with that person and then deleted it.
So that's one thing
where you have to get a test device and test that. With Skype, what I
would say is that if it's a deleted Skype
contact and you're manually recovering from a database file, I would say it's likely that
the person was connected with this person or
that Skype suggested it just to cover your tracks. Now if it shows any
communication to
and from that person in the Skype main database file, then you can say with
certainty that the person did communicate with Heather
Mahalik at some point and then they may have
deleted that contact. But if there's no
communication traffic, it's likely that it
was just a suggestion.
Okay, so another question here. Recycle or destroy old phones? If we do a factory reset
and destroy the sim card memory cards, is that
enough or should we destroy the old phones instead
of recycling them? Excellent question. I actually upgraded
yesterday from my really old iPhone 4S to a 5S and
I did wipe the device after I did a file system
dump for 585 for research. I will say that on newer
devices, if you wipe them, if you can actually
physically acquire them and make sure nothing's on it, I vote for recycling them.
There's no need to destroy them. You can turn them in. A factory reset
through the device. So if you go into the general
settings on your iPhone or on your Android and
you just reset all data or wipe it, it truly is...
It's not overwriting
all your data, but it's rendering it useless. So even if you
physically acquire it, you should not be able to
find any of your user data. But I am a paranoid person,
so I always test that first before I just hand
over my phone. You may wanna do the same,
but it depends on the device.
For newer smartphones,
you should be fine doing a find my iPhone
or Android device finder and wiping it or using the
phone itself to wipe it. Okay, so moving onto
third-party communications. The third-party apps
are great for users because you do not
require a data plan. You can simply use wifi.
They are great for examiners
who wanna do testing because again you
don't need a data plan. You can use wifi, get
these apps, use these apps. You can buy minutes and
actually make phone calls and store all this data. The issues with them is that
they mask communications and they store data
in databases that we, as forensic examiners,
aren't used to examining.
So remember you have
to examine all the data within the application folders,
not just in the call logs. So if I'm using
Skype to do calls, that data may be stored
in the call logs. But other data may
not also be there. So you have to always always
examine the application folder.
It will require manual decoding. I will tell you
even if your tool... So if you use Physical
Analyzer, XRY, Oxygen, IEF, your tool will probably
miss some of the data. So even if it's not,
you should know manually how to go in and verify
your information.
So if you ever have to
testify to it or defend it, because I know how
my tool's working, here's where you find the data. So on Android devices,
the application data is stored in two locations:
in the NAND flash memory on the handset itself and
externally on the SD card, or on the eMMC card, which
is the emulated media card that's stored as a separate
partition on the device itself. So if it's on the device,
it's in the /data/data folder. If it's on the SD card,
it's in the MNT folder.
If you find an
application of interest, make sure you examine
both of these locations. I'm gonna give you an
example here in a few slides that show how if you only
look in /data/data folder, you would have missed
valid information for one app on the MNT folder. So make sure you know
you have to examine both. By default, applications
are not required to store in the /data/data
folder on Android devices, but most of them do.
So if you thought that
the user was using some kind of anti forensic tool, you should do a keyword
search across the entire media if possible to make sure
you're not missing it if it's not in the
/data/data folder. Here's a layout representation
of how the data's stored on these Android devices
for applications. So in the /data/data
folder, you can see there is an application
folder for each. Again, these are
called the com Android, Katana, Facebook.
You'll actually see each folder represents an
application in itself. The two directories that you
need to worry about the most are the cache and the databases. This is where all
the user information, all their preferences
should be stored if any login information
is available. Any graphics or
anything associated to that application the user
created will be stored here.
Unfortunately, I cannot list
for you every single database for each application
that you need to examine because a firmware
update may affect it. If someone's using
Facebook for Android versus just Facebook,
that may affect where the data's stored. But these two
directories will house the information you
need to examine. Alright, so an example for you.
I chose Zedge. Pretty generic application. You can get graphics, wallpapers
and ringtones from it. When I examine Zedge on
my own Android device it appeared to be present on the flash memory
and the SD card.
Then I was looking at to
determine which data's relevant, why is it stored
in both locations? I'm gonna show you
why in a second here. But you can see in the NAND
that was stored in the /data/ and then a
net.zedge.android folder. On the SD card it was
in the /mnt/zedge. The screenshot here on the left, this is the NAND flash memory.
On the right, this
is the SD card. So you can see under net.zedge, I'm lookin' in the databases you can see multiple
database files here. We have the google_analytics,
the webview, webview_cache. Zedge, zedge_cache and even
some of the journal files you will want to examine
just to make sure that something's not residing
in there that matters to you.
On the right you can see
under a zedge folder, I had cache, ringtones,
wallpapers and backup. You can see a
backup.tmp was deleted. These are all also areas
you want to examine as well. Now we're gonna dig
into each of them.
In zedge in the database
view, if you look... I'm over here and I'm
looking at the web view in Zedge database file here. I'm looking at Zedge. If you're ever curious
as to where you are, if you're losing your
footing on where you are in your examination, this
is Physical Analyzer here.
Physical Analyzer will
actually list the database file that you're in at the top
where I'm highlighting here. If you're ever lost
and you're not sure which one you examined,
you can see it's Zedge and I'm looking
at it right here. Once you're in
the database view, you have to go through
each of the tables. Which sometimes
there might be five, sometimes there might be 100.
That's not a fun process,
but I strongly suggest examining all the tables first that you know contain
data, then going into ones that may contain data and
just validating your results. Just doing a quick
glance over them. Here I'm looking
at the favorites. This user, which was
myself, stored one favorite item in this Zedge
database file.
You can see here the title
is Android Versus Apple and the description
Android eating an apple. However, the actual file
itself is not there. So to get to the file itself, which is Android Versus Apple, I had to actually go to
my SD card and look at it. Here's the image view
on the right-hand side of the Android eating the apple.
Kind of a gruesome picture. For those of you
who like the battle of Android versus iOS, I thought
this was kind of relevant. You can see that it
ties it together. To do this, I looked
at the database file and then I actually
went to my SD card.
Sorry. I went to my SD card
and in the pictures you can see the image view. Right here you can see
Android Versus iOS, which was a wallpaper. You have to show it.
Essentially in this application, the NAND was storing the pointer to the files stored
on the SD card. This isn't true for
all applications, so each will vary
in different ways. If you're looking at
Facebook, for example, it may be completely different. All the data may be on the NAND.
And you may have
nothing on the SD card. It's application dependent. It's how it functions and
it's also how the user chooses to download
it and install it. This is just a
simple example here of linking between
the two devices.
More on Zedge, you can see here. You will also have ringtones. Please don't make
fun of my ringtones. American Hero is shown
here on the right.
You can actually see the EXIF
data associated with it. If your application asks you if you wanna allow
location information, you should expect
some sort of coordinate. If this were a picture, and
I actually took it myself, coordinates may be available
that could be matched to show location information. In this instance here, it's
just showing you the name, creation dates, time
and last access.
This probably wouldn't be
relevant to your investigation, but it's just an example
that shows you how it may be. So don't forget, not only
do you have to examine the application data, but
if you have any pictures or videos or media files
you want to also examine the metadata associated with it. Any other questions on Android
before I jump into iOS? That was a quick overview on the application
data on Android. At the end, I'm gonna
kinda pull them all together.
Hopefully if you
have any questions, please feel free to
interrupt or ask at the end. I see a question here. Is there a standard DOD wipe
level you should perform? I'm not aware of one on phones, definitely on your SD card. You should do that and I
personally wouldn't turn in an SD card or recycle it.
I always just hang onto those, just because you never know
when you'll need it again. But I am not aware of a DOD
wipe level for smart devices. If anyone else is, please
chime in and let us know. Usually just the standard
wipe that comes with it is good enough for anyone because they're going to
have to activate the phone.
Either restore an
image or start fresh. They're not going to
be able to restore your data and use it
as if it (mumbles). Then there's another statement. I think there's a technique
to mark bad blocks as good with a modified Android kernel.
Joshua, I assume
you're referring to if someone wipes it and
a block is marked bad you can make them
marked good again. But I don't think that when
the standard factory device option to wipe is set,
that it marks a block bad. Is that what you were
referring to there? Sorry there's a lot of
questions coming in. Lemme see if I can
find Joshua's here.
Someone mentioned
DOD has a certified wipe process for flash media. Will a keyword search
for example SMS data get good hits across
various SMS apps? It depends on how
the data's stored. Some of the data may be
stored 7-bit encoded. If it's stored 7-bit on a
standard Android for SMS, then it wouldn't hit
on application data as a generic search if it
doesn't store that way.
Some of the tools will pull
any chatting that you're doing or any texting that you're
doing back and forth and put it in that
database for you with a link to the RAW file. But the best practice
is to actually go into that application folder
and look at the SMS data natively and make sure that
you're getting it. Okay Josh, good that
that was answered. For 3LM or NOX, any difference? I'm not sure what
that's in reference to.
If you wanna type what
you're meaning there, that would be great. There are some more
questions coming in. Is it true in older
iPhones a factory reset will retain deleted
data for parsing? Excellent question. I was actually looking at an
article today and Tweeted it.
For iPhone 3 devices,
anything that was running the iPhone OS3, apparently it is true that you can recover
some user deleted data if the device is wiped
and that can be restored. I unfortunately do not
have any devices running that low of an iOS
firmware to test. We have tested it on
iPhone 3GS and later. We were not able to recover
deleted data on those.
So if someone is still
using the original iPhone or iPhone3, it is likely
that you may be able to recover data. I know that Lee Reiber
released a white paper at some point talking
about how he was able to recover address
book from iPhone3s so you may wanna reference that. But on newer smart devices you're not going to be able to. So a question from Robert.
Encryption. Could you comment on
encryption for phones? When will we have
full encryption like we do for laptops? It's a really good question. Any time it seems like
a device comes out and says they're
fully encrypted, there always ends up
being a work around. Right now the hardest
devices to get into that doesn't really
have anything to do with the full device
being encrypted are the Apple devices
using the A5 or A5, A6 and A7 chips.
But it's just how
they're laid out and we can't get access to them. So I'm not sure about a device being fully encrypted
and when we should expect to see that. I'm hoping never. But you know it will occur.
We honestly can only hope that there's a method for us to get forensic access to it so it doesn't keep
us out as examiners. Windows mobile right now is the hardest to get into. I know that has nothing to do with this talk at
all but Blackberry, the encryption on Blackberry
is probably the truest that keeps us from getting in. The way the Blackberry
locks on their devices like a hardware key
and then a software key is what keeps us
from even doing JTAG and chip off methods to
get access to the raw data.
But for iPhone and
Android, I don't know when it's going to occur. If it's going to
occur and if it's ever going to keep us out so I'm sorry I can't fully
answer that question. I'm trying to sort through. So Michael's pointing out
here (mumbles) the new Samsung security for the
Note 3 for Android.
Someone's asking how can NSA
implants be made visible? I cannot comment on
that nor do I know. I have not researched that. How do you recommend
acquiring micro SD cards on Android device? Through the device
itself or separately? To be honest, if you have time and we teach this in
the class, do both. I know that's asking a lot.
But for time, you would
want to remove the SD card if you can and
acquire it separately using FTK, FTK Imager, EnCase,
whatever you prefer.
smartphone forensic tool just for the sake of speed. However, if you keep the
SD card in the device, it's nice to parse the data and look at the data
all inclusively. So if you acquire using FTK
and you get a DD
image or an E01 image, it's not going to be able to put itself into Physical Analyzer or XRY, Oxygen for analysis. So that's why I prefer both. However, when I get
a smartphone dump, if I get a raw image, I always load it into
my normal forensic tool. So I'm a fan of EnCase.
I load it into EnCase. You can load it into FTK. And you should be able to look at your raw images
that way as well. So Zachary if speed
matters, do it separately.
But if you have the
time, also do the SD card in the device. Now keep in mind some
of these Androids have up to 64 gig SD cards. So that will take some time if you pull it
through the device, which will slow down
your acquisition. So Edward is stating...
We haven't moved into iOS yet. Encrypted user file
systems started with iOS4 and Android operating
system is not an option. It's not default. So essentially you
can download something that would possibly encrypt
your operating system on Android but it's not
default by the phone itself.
Okay I am going to
continue now with iOS. So these slides are going to be laid out very similarly. The acquisition again
will affect what you get so logical file system
in (mumbles) options. Logical is essentially getting
access to a backup file.
So any of the
vendors can tell you that they're doing something
slightly different. They may try to get
a little bit more and some of them will. So for example, if you
use Lantern on a Macintosh to acquire an iOS
device, it does pull more database files than
a standard backup file will give you. That's one of the few
that I've seen so far.
All the other tools
essentially give you the same thing as a backup. They just give it to
you in a better format and provide some
analyzed data for you. The file system I'm going
to talk about with Apple file connection and
backup services mean and your physical image,
your raw image of the file. One thing to note.
When you physically
acquire an iOS device, it does not give you access
to unallocated space. It will only give you access
to what it can decrypt. So if there's encrypted
unallocated space that is not unable to be
decrypted by the tool, you're not going to get
access to that as a user. So this is not a true
physical acquisition that we're used to
if we're talking about bit by bit image.
It's just something that
you need to be aware of. Brett has a question here. Has anyone compared
using NAS storage dump versus EnCase to
examine SD cards? I personally have not done that. I don't know if the audience
can see the questions? And if anyone has,
if they wanna answer Brett directly, they can.
Brett, what I use
to examine SD cards, I've used FTK Imager
or FTK, EnCase. I've used XRY and
Physical Analyzer. Those are the tools that
I have used to examine it. So question: does
that depend on whether the iPhone is locked or unlocked to get access to
the encrypted files? Excellent question.
So I'm gonna break down in
the next few slides here Donald, the answers
to that I hope and if I don't answer
it, just let me know. So if the device is locked, how does it affect
your acquisition? So physical acquisition
gives you access to the raw partitions. It will recover some
deleted data for you; but again you're
going to have to (mumbles) and manually
recover the rest. It should decrypt data for you.
Now the email messages
and passwords. So this area right here, Donald, this is what's affected
if the device is locked and you cannot
get the pass code. So if you're using a tool that can bypass the pass code and give you acquisition
results in the form of a raw dump, it
will usually tell you if it cannot get the passcode. It's going to miss
email and passwords.
So those are the two areas
that are mainly affected. It will not get access
to any unallocated space that it cannot decrypt. So if it's searching
the key bag for encryption files and trying
to pair off each one, anything that's in
that unallocated space that cannot be encrypted, it
won't even present it to you. Because you're not
going to be able to decrypt it yourself.
The issue is we can't say what's
in that space definitively because we don't have
access to it to say what we're missing. So this is where
having a test device really comes into play. Most of the smartphone vendors are doing a great
job on these tools. So they're able to tell you if you look in their
guide what it's missing.
Most of them now will
just flat out say email and passwords will
not be provided to you. It's telling you flat
out what it's missing. The main difference usually
if it's a simple pass code, so four digits, it can
usually be bypassed. If it's complex pass codes,
it's a little bit harder.
Everything changed
though with the A5 chip. So for iPhone4 and below,
physical acquisition is easy. You can get past the pass code. For iPhone4S through
the latest ones, it's a little more
difficult unless you have the pass code.
Another question. So if an application has
updated protection enabled, then those files won't
be presented then. Unfortunately for this
answer, it depends on the application and
depends on the device. On an iPhone4 for
example, I ran Tango and Tango was parsed completely.
On iPhone4, I downloaded
it from the app store. Didn't ask it to do
any kind of encryption. I installed it on my
4S and dumped the phone and everything was encrypted
in that database file. So it depends on the
firmware of the device that you're running and
it depends on the version of the application
that's installed.
So it will differ upon devices. The same thing was
true on an Android. So in 585, in our
capstone, you'll see we have a Samsung Galaxy S2,
an iPhone5 and an iPhone4S. And on two of the devices,
some of the database files for applications are encrypted.
And on the other, it's not. So it really is
firmware dependent and application dependent. There's no standard
unfortunately. For a file system
acquisition of iOS devices, it should work on
all versions of iOS.
So even if you have
the new iPhone5S, as long as it's unlocked,
you should be able to get a file system dump. The only difference
is if the DFU works you can get into it. You'll see tools come out and say hey we can
get into the iPhone5S. We can do this.
If you look at the fine print, it usually says it
has to get into DFU mode and it has to be jail broken. So if it's locked
you're going to have a very difficult time with
the iPhone4S assimilator. Just be aware of that. What it actually does when
it gets a file system dump, it interacts with the
iOS backup service.
Some of the areas may be blocked and you might not
get access to it. But if you look at
the screenshot here, you can see the AFC
service and backup service. So the AFC is Apple
file connection. This is a folder that's required by iTunes for file exchange any time you're
syncing your device.
You will see in here photo
data, purchases, downloads that stuff may be relevant. The backup service, this
is also called AFC2. At points, this is the area
you actually want to examine. So you'll see in here
your mobile folder, that's where the user
data's gonna be stored.
That's what actually
really matters. For your logical,
same thing as Android. The main difference here
is you won't get email if the device is jail broken. You may get access to more data if the device is jail broken.
I recently just
examined an iPhone4S. That was jail broken
and I had tons and tons of files to get through. Now when I say tons,
I had email addresses, I had 961,000 email addresses
that EnCase found for me. I had to manually
go through all the application folders and examine.
So a device that's jail broken might be exciting for you but it's also a lot of work. So keep that in mind. And again your deleted
data is possible if you get access to
the raw database files. Okay how is data stored
on these iOS devices? One thing that's
different from Android, there's no external storage.
So everything is
stored internally on the file system. It's stored in SQLite
databases which I mentioned and property lists so
we'll discuss those. Then also consider
network storage. So iCloud will contain
application information.
Any time you get
a new iOS device, it syncs all your applications
right back to your phone. So yesterday when I
upgraded my phone, I didn't even have
to log in again. All that data was just synced
right back to my device. And then also
consider applications that require network
storage such as Dropbox.
So if you take 585,
Dropbox is a big part of your final scenario
because it's network storage that may still reside
on the device in traces. So you may actually
have raw files that just show network
communications. Another question is
if you have access to the certificates stored
on the synchronized PC. Can you make a backup
also in locked iOS? Excellent point there.
An excellent question, Marco. Yes you can. So if you're using a tool,
so Cellebrite for example. The (mumbles)
itself will ask you if you can essentially access
the SQ files on a Mac or PC.
So whatever computer you're
actually syncing your device to if you're not using iCloud, that's called the host computer. That host computer has
traces of files stored in it. They're called SQ files
that are in a locked folder and what that does
is unlock the backup so you can acquire it. So Marco, yes that would work.
The issue is not everyone has
access to the host computer. That would be
fantastic if you did. And you can bypass it. Most of the tools,
(mumbles) is another one that I know will ask you for it.
If anyone's interested
in doing iOS forensics on a Mac, there's a
new course coming out. It's 518 Macintosh Forensics. Sarah Edwards is
the main author. Lee Crognale and I are
helping her write it.
We will discuss in
detail how to actually go in on a Mac and get those
SQ files to unlock devices. So what your partitions
will look like if you get a physical dump. So you're going to have your
operating system partition which Apple uses to
do all your updates and user data should
not be stored there. This partition is
marked read only unless you jail break
it and then it's read-write
to the system partition.
Then you can make changes,
download applications that aren't meant for Apple and have full access
to your device. Your data partition
is where all your data is going to reside
and your applications. So remember the mobile folder. Whether it's private
mobile var, if it's just straight to the mobile.
Depending on your
acquisition method, will matter in how you
get to this mobile folder. You could always search for it and it'll take you right to it. This is where your
application data is going to be stored. And I'm going to go
into each of them now.
So I did this for Android. Thought I would give you
the overwhelming slide for iOS as well. Two main folders: your
library and your media. Your media storing
your pictures.
Your library storing
everything else. So everything else
the phone does, all the databases will be stored within directories here. And this is just
giving you a summary of where everything is stored that you should look for. Again the apps are the same.
Third party apps are
used to communicate. They're going to mask the data. They're going to hide themselves and not always pull themselves into the normal databases where you're used to examining. So I'm now going to discuss
where to look for those.
So your private mobile var. Again it might just be
private mobile applications. Each application is stored
in an application folder. And it's named according to
the application identifier.
So it's a 32 digit
alpha numeric identifier that's assigned
for an application. The issue is it's not
just called Facebook. It's going to be a
string of characters. However, if you know the
random string of characters for Facebook, it
should be the same across all iOS devices.
So if you start keeping a list or maybe we can do
that as a community, this will help us in
our investigations. But if you don't know, once you dig a folder deeper, which I'll show you
in a few slides. It's very easy to decipher what that application belongs to. So here is how it will look on private var mobile applications that you're going to have
that application folder.
That's the 32 digit
alpha numeric string. And then within
that, the main folder you need to worry about
is your library folder. So this is where
you're going to find your cached data, your
cookies, your preferences. And your preferences may
actually have login information with user names and passwords.
So make sure you
actually check that. A question here. I have an iPhone image. The user forgot the password used to protect the
backup in iTunes.
Neither Cellebrite nor
BlackBag can acquire it. Any suggestions? There is an issue. The rule is once
encrypted, always encrypted for a backup file
unless you have the password to decrypt it. Are you using the UFED
Touch to acquire this and if so you will
have the issues? If you can use Physical
Analyzer on a computer and do advanced
logical, it will create an encrypted backup
file for you.
Or you can use XRY
and that will create an encrypted backup
file for you. Then unfortunately you're
going to have to use ElcomSoft password phone
breaker and crack the passcode. But once you do
that then you can actually enter the pass
code into Physical Analyzer and it will parse
the data for you. So I know it's an extra
hoop to jump through, but it's something you can do.
Also if you don't
have ElcomSoft, you can download
the demo version. If you have the demo version, it will show you if it
can crack it right away and then you can purchase
the tool if it will work. What has been running
for two weeks? Hopefully you're not going
to answer with ElcomSoft. If so, there it is.
Yes, ElcomSoft password break. It's probably... Yes Michael, my dog
does have a question. I'm actually hiding in a room so he wouldn't interrupt
but he managed to do so.
If ElcomSoft is still running, unfortunately it's probably
a complex pass code with upper and lower
case and you'll notice ElcomSoft is only going
to crack lower case unless you throw a
dictionary file against it. I unfortunately had
the same thing happen on an iPad where someone set a pass code that I worked with and couldn't remember it. It ran for weeks and
it never cracked it. Another question.
Have you ever used
iPhone Backup Analyzer 2? It's an open source project. I actually tested
this a little bit. I haven't had the opportunity to fully use it but I
do have access to it. It seems like it's a great tool.
Okay can I repeat the
steps one more time? Sure, so if you have a phone that was encrypted
by iTunes at some point. So what will happen is
the tool will tell you the backup is
encrypted and it will either fail or it won't
be able to continue. If you use a tool like
XRY or Physical Analyzer on the computer, and do logical or advanced logical acquisition, it will still create
the backup file for you. The issue is it's
still encrypted.
So what you need
to do at that point is use ElcomSoft
password phone breaker. Load the backup file into it. Hope that it cracks
the pass code. If it's a simple pass
code, it will crack it.
If it's a complex pass
code, as long as it's all lower case, it
will also crack it. If it has upper and lower case and other characters,
you'll probably need a dictionary file to crack it. Once you have it cracked,
you could then open it in XRY or Physical Analyzer
after you enter the pass code. And if you crack that pass code, write it down because again once it's encrypted
it's always encrypted.
It will ask you every single
time to enter that pass code. Brad, the slides
aren't available yet. They won't be
available until after. So you're not going to
be able to download it until after the talk.
One of the most common
areas in folders affected by malware on both
mobile operating systems. Fernando I'm actually
going to wait and continue with the slides and then answer that after because that's a
completely separate topic, if that's okay. And if there's time,
I'll get to it. We do cover this in 585.
Just as a short
answer, most commonly, it's the SD card on
Android that's affected. I have not worked on an iPhone that has truly had malware on it but I have seen
traces of spyware in the SMS messages. Another question. Is the advanced
logical image created equivalent to physical? It's not, it's more
like a file system dump so it's essentially still
just doing a backup file.
You can do a
physical acquisition if the device is
password protected. As long as it's an
iPhone4 or below. If it's not, you cannot
do a physical dump. Okay so example here on raw
data to continue in the slides.
For Facebook, that's what
we're gonna look at on iOS. So the following areas
must be examined: the caches, the cookies
and the preferences. Even if your tool
parses the data, you should always
examine these folders just to make sure it's
not missing something. So here I'm showing you...
Up here do you see this
train of characters? This is that 32 alpha numeric
train I was talking about. Instead of naming it Facebook,
this is what it's called in the file system
or physical dump. So then you have to
go into the library and you can see right
underneath it says Facebook app so you know that FEE2B8A6
continued is Facebook. Now you have the
fortunate experience of going through and manually
parsing all these files.
So I'm going to show you
what you need to look at in these next few screens. Here we're looking
in the caches folder so if you go back here, we're jumping down to caches and we're looking at
the Facebook store. So in Facebook store,
in the SQLite database associated with store,
you're going to see the name. This is the profile
name of the user.
So the person who is
actually using it. So for my Facebook, it
would say Heather Mahalik. In this instance,
it says Gus Thomas. So Gus Thomas was the user and this was his
Facebook account.
In the preferences,
you're going to see a session P list so
this is the first time here that we're
actually looking at a proper (mumbles) file. If you look on the
right hand side here, so we're looking
at this in raw hex. You're going to see Carrabba's
Italian Grill Fayetteville. What this was is I
actually I was Gus Thomas for a dummy information for 585.
I checked in at Carrabba's
so this is showing a session P list where these are actually checked
in on Facebook. If you look at
surrounding metadata, you would see other
locations where the person has checked in and
you could verify that especially if your
tool parses it. Then you're able to
easily identify it. If you're not, come to 585 and we will teach
you how to further investigate and identify
this information.
A question. Do application identifiers
change with each new version or update of an app? Excellent question. It shouldn't but
it may depending on how the user downloads it. So if you download
Facebook messenger, that will have a
different identifier than just Facebook.
If you download
Facebook for iPhone versus just Facebook,
that may also affect it. But what I always do is I don't memorize
the identifiers. I always just look
one level above it. So here I would always
just go through all of them just seeing and say
okay this is Facebook.
The next one is Viber. The next one is Tango. So I just do that for
sanity instead of memorizing so I don't miss something. Kevin has an excellent point I'm not sure I admit to going
anywhere in Fayetteville.
I completely agree. I was stuck there Kevin,
it was not by choice. Okay so here we're now
looking at the Facebook sync store database file
and this under people, you're seeing a list of friends. Now remember, friends
may also be...
So South Riding
Inn is a location. It's a bar. That can be a friend. So something that you
are associated with.
It doesn't have to
just be a person. But you can also see
their ID and their name. Sometimes the tool may
only pull up the ID. For you and not the name.
So you have to do the
association yourself. So you might wanna make sure that you actually go back and examine these databases. Again if the data is deleted, you have to switch
from database view to the hex view and
look at it manually. Here is a Physical Analyzer
and I'm going to show you how it parses the Facebook data versus looking at it manually like I was just showing you.
So you can see here. Under installed applications, you can see Facebook. This is a great location
to start your searching. So when you have a smartphone...
This is an iPad in this example. But always look at the
installed applications because then you know
what you're dealing with. So here we can see
HeyWire, Facebook. We know some things
we're gonna have to look.
Then from there you
can actually dig into the database file. So if you look on the
right hand side here. It's going to show you
the date it was purchased, the application ID. So here it's showing you
Facebook is associated to this application.
If you double click on it, it should take you
straight to that folder so you don't have
to manually navigate like I was just showing you. If you remember where
it's stored, great. You could also do a
keyword search for that FEE. And that string and it
should take you right to it.
Under the data files
under applications, you'll also see it here. Here under Facebook
this is the same iPad and Physical Analyzer. It's showing you the full path. You can go to
private/var/mobile/applications and straight to that folder.
You're also going to see here
HeyWire and where to find it. Tango, Twitter,
Words With Friends. Those are all ones that you
actually wanna manually examine because, again, in Words
With Friends you can chat. You might think that's
just a gaming application, but maybe someone was
just chatting strictly through Words With Friends.
You need to go in
and examine it. Again remember, some of
these may be encrypted. If the data does not look right and you know you're looking
in the correct database file, you can always reach
out to me and ask or you can assume
the data's encrypted. In the databases, here
again on this iPad, we are in Physical Analyzer.
Under data files, we
look at applications. You can go to databases
and if you know what the database name is,
you can just search for it. Here I mentioned to
you that Facebook sync store database file that
lists the person's friends. You could actually
search for that and look at it directly in here.
Be careful not to
only examine databases you know in this structure. A good example of this
would be Words With Friends, which I just mentioned
a slide back. Words With Friends
uses something called the Chess database file and that's where the
chats are stored. Those people would never think to look for chat or
SMS communication in a file called Chess, so
just make sure you know.
Same thing there is an
sgiggle database file that's associated with Viber. If you don't know that, you
do not wanna be manually going through and
missing something. So again, I cannot
stress enough. You need to go back to
the original database file in the application
and examine it there.
Alright, to tie this up. Social networking. Sorry, there's
one more question. Is there a plist or other file that will provide
specific information on iCloud Backup activity? The Info.plist
and Manifest.plist
file in the backup, show the last time
it was backed up and it will also show the last
device it was synced with.
If it were synced
to a host computer, it would show you that
host computer name. I have not seen where it
shows you iCloud was used. It just usually shows
you the computer name. But those are two good
locations to check.
Again, this is covered in 518. Not to keep plugging
Sarah's course, but 518 the Macintosh
Forensics Course, this sorta thing is covered. There's a whole section
on iOS artifacts recovered from computers and
that's actually covered there. Social networking.
This is something we
really highlight in 585. Chat applications that
are commonly used free. You do not need a cellphone
plan to use these. Viber, Tango, Whatsapp, Nimbuzz, HeyWire, SnapChat,
FaceTime, Skype.
You can now just download
Facebook Messenger. Then the less apparent
ones I just mentioned, the Words With Friends. Again, remember if your
(mumbles) pulls out... I don't know if you guys notice, I'm gonna go back a few
slides here for a second.
If you noticed
here it says chats. iMessage, (mumbles),
FOR585 and SMS Spotlight. Just because these two
chats here were used, does not mean that I did
not use Words With Friends, which I actually did in
this example on purpose to show what was missed. If you're only relying
on these to be the chats, you would have missed
all the chatting that was done in
Words With Friends.
There's another question. Is there a good open
source alternative to Physical Analyzer? For Android, yes. You can use The Sleuth
Kit and Autopsy, they work well with
Android devices. For iOS there is Eye Examiner, which isn't going to give
you access to everything.
iBackupBot, which will give
you access to the raw files. It's not going to
parse as much data, but as long as you
know what you're doing you don't need a tool to
pull out the data for you. You can manually do it yourself. Those are just a
few that could work.
They're not as all-inclusive because they're gonna do
acquisition and analysis. I'm parsing for you
and give you reporting like Physical Analyzer but they
are a lot cheaper obviously. Okay, so Whatsapp. Sorry I just skipped
a slide ahead.
An example here. A chat that was
used in Whatsapp. You could see, this is
Physical Analyzer up here and it's showing the
chat communication. You can also look at
it in conversation view by clicking this button here
which is shown on the right.
Here we're showing conversation
view back and forth. It is listed under the chats. Whatsapp data was only
parsed in the chat. Now is what's missing, so
what did the tool miss? WhatsApp in the chat
storage (mumbles), Physical Analyzer was
able to grab everything from this database and
show you that information in the chat parse data.
What it missed? There's a (mumbles).sqlite file that actually shows
the status of the user. Here the person said
they were sleeping. The standard one is hey,
I'm using WhatsApp now, then we'll go from there. This is just a little
example of what's missed to show you more
on what was missed.
If you go into the media folder, there are pictures
associated with WhatsApp. So if you're sending
'em back and forth, they are all stored here
in different folders. Here you can see a
picture of the dog that's stored in this folder and you can also see the
profile picture for the user. Physical Analyzer actually
didn't pull this out.
This is something that has
to be manually done yourself. Again, remember if
it's parsing some data, it doesn't mean
it's parsing it all. You may need to go through it
manually, look at it yourself. A few more questions here.
Can I recommend for the
beginner the best way to get into smartphone
forensics, where to start? You can start by taking 585. The course actually does
have really advanced topics, but it's built for everybody. We hope that even
from beginner level to most advanced levels,
it's built for everybody to learn something. If you have no...
There aren't a lot of
general forensic books. But the best thing
I could suggest is keep taking these webinars. Get some smartphones
of your own. Use your own smartphone
to start acquiring it.
You can always reach out
to companies themselves. You could call Cellebrite
or Teel Tech and ask them. Bill Teel I know gives demos
of tools all the time to people to try to get into the field. You can always reach
out for free tools.
But I strongly suggest do
forensics on your own phone because you know how you use it, what you delete
and what's there. That's the best
way to figure out how to reverse
engineer these apps, what's actually stored there and what you should
be looking for. Practice makes perfect. Another question,
have I encountered any AirPrint artifacts
on iOS devices like printers used in
print jobs, et cetera? I actually have not yet.
I just started looking
in iOS (mumbles) with AirPrint artifacts. I'm hoping to add that into 585 for the next course in March. When I find that,
I will probably do
another webcast on it. So right now Kanye, I don't
have any answers on that.
The name of Android
open source programs. Again, there are a lot but I personally work
for Basis Technology. I work with Brian Carrier. Autopsy is free.
There are modules now for
it parsing Android devices. So it does depend on
how you acquire it. If you come across an
acquisition that you've done that Autopsy cannot
parse if you reach out to Brian and the team, they
will work with you to add it in. So you should be able to parse and they're also
building modules now that will help parse
more Android devices.
What is the difference
between method one and method two for
Advanced Logical? Scott, on this one for
method one and method two, it should tell you what it gets. Method one is recommended
and it gets more data. I believe method two
gets a little less. I don't have that
open in front of me, so I can't tell
you the difference.
But there is a description
on the right-hand side on what it actually gets,
but method one is preferred. In my opinion what are
the biggest challenges in forensics and incident
response in mobile devices? I will say that there are so
many applications out there it's impossible for your tool
to be able to get everything. It's impossible for the vendors, for us to expect the vendors
to be able to do this. The biggest challenge
is manual examination and knowing how
the data's stored.
Where to find it and
how to parse it for NAND. Is the hardest
thing in my opinion. Are there forensic capabilities against SnapChat photo messages? I know Physical Analyzer
will show contacts, but I'm not sure about
the actual photo. John, there's actually
I believe it was...
I forget which university. It's one of the online schools. Someone wrote a
paper, a white paper recently on SnapChat artifacts. Again, it depends on the device
and where the data's stored.
We did testing on iOS devices
and we weren't able to recover more than just the contacts
like you're saying. I've heard rumors on Androids that some pictures
were recovered, but from what I've tested I
have not been able to recover more than just the
contacts or statuses. Does the new Apple
jailbreak allow for easier access to the phone? Edward, which iPhone are you
referring to in this instance? While Edward's
responding, Brett asked, "The question I get a
lot lately about spyware, "can you tell us how to
find the spyware on a phone "and where to look?" For spyware and malware,
look at the SD cards. If you're using a tool
like Physical Analyzer that runs BitDefender in it,
it should parse that for you as long as you run
the malware scan.
You have to make sure
that's up-to-date. For spyware, most
of that I've seen in the call logs and
SMS on iOS devices. You should see traces
where it's saying it's either recorded or that
it's being sent somewhere else. You're actually
gonna have to look at the database file itself
for call logs and SMS.
If it's an Android,
look at the SD card because everything downloaded that's going to run
application-wise in regards to
malware and spyware are gonna be stored
on the SD card. Here is another question
about using Advanced Analyzer and the Backup Encrypted File. Is there some way
I can contact you? Yes. Email me, my email
address is right here.
hmahalik@basistech.com. If you have further questions and you want more step-by-step, I'll try to answer them there. What is my tool for
bypassing locked iPhones? For locked backup files, I would say ElcomSoft
works the best. ElcomSoft's Phone
Password Breaker, I believe it's $130 solution.
For a locked iPhone itself, I personally prefer
Physical Analyzer just because I've had
the best luck with it. Again if it's iPhone 4
and below, you're golden. If it's later than that,
you're going to have issues and you're going to need
to get the passcode. Edward, 4S and above.
I forget your initial question. Now I have to dig back, sorry. Does the new Apple
jailbreak for easier access to the device for 4S and above? We have gotten 4S file system
dumps with the new jailbreak where the entire file system... I was amazed.
That's the case I was
talking to you about. I was amazed at the amount
of data we actually got. So yes, I have seen it affected. The issue is I did not
do the acquisition, so I don't believe
the device was locked.
I can't be sure of that. If it's jailbroken
and then still locked, you may still have some issues. But yes, the new
jailbreak does give you a vast amount of data
that you would not get on a normal 4S device. Bob posted where the
SnapChat Paper was located, but they said they had
since taken it down.
What is the best way to acquire an iPhone image without
Physical Analyzer? FTK Imager, maybe. John, you're not going to be
able to do it with FTK Imager. You can actually use
John (mumbles) method and use dd essentially
and acquire it manually using command line
tools on a Mac. If you do not have Physical
Analyzer or XRY XACT, you are going to essentially
have to use a Mac to do a full acquisition.
It's not as easy as
just hooking it up like a hard drive
and getting a dump. Is it possible to
get into an iPhone 5 if it has a passcode? No, not currently. Unless you get a backup file and go through those
methods I talked about. You're not going to
get a file system or a physical dump
unless it's jailbroken.
Some more questions here. Then if I'm running
over, you can cut me off. I'm just trying to get through
these as much as possible. Okay.
Excuse me? - [Benjamin] You can take
a couple more minutes if you want. - [Heather] Okay, sorry. Okay, I have a logical
full extraction from XRY from an Android phone. Looking at the phone, I
don't see the messages.
The XRYs were reporting
between the two suspects. What is the database
files or file I should look for to find these? There should be a comm/android. I think it's tele... I don't know how you'd...
Telephony? Telephoney? However you wanna say it. You should see an
SMS/MMS database file. You should also be able
to search for MMS/SMS. All one word .db.
Or go into the unrecognized
files which is even better. You should see that
database listed there. It should be MMS/SMS. Make sure you also
examine it in Hex, Ryan, to make sure you
don't miss anything.
If you have more issues
on that, just email me. Andrew, I'm reading
your question now. Andrew, would you mind
emailing me your question so we can talk
about that further? 'Cause it's not something
I can get an answer in the time that I have here. But I'm interested in
seeing more on that one.
I think that's all
for the questions. But again, if you
have anything else you can find me on Twitter. You can email me at
hmahalik@basistech.com. I know this was a
really quick overview.
I know that a lot of you
have great questions. Please feel free to reach out. Please stay tuned
for more webcasts. I hope to have Cindy
Murphy Lee (mumbles) do a few more on this as well.
Again as we keep
developing the course because smartphones
evolve every day, we'll keep doing these. Keep everyone abreast
of what's going on and we hope to see you in 585. - [Benjamin] Thank you
very much, Heather, for that great presentation and bringing this content
to the (mumbles) community. To our audience, we greatly
appreciate you listening in.
For a schedule of all upcoming
and archived SANS webcasts, go to SANS.org/webcast. Until next time, take care
and we hope to have you back again for the
next SANS webcast. - [Announcer] The organizer
has ended this session and this call will
be disconnected. Goodbye.