Day 24 of Advent of Cyber!

Digital Forensic Investigation: Seizing Tracy McGreedy's Android Phone

Introduction

Digital forensics is crucial in solving crimes involving digital devices like smartphones. Detective Frost-eau considers Tracy McGreedy a suspect and believes McGreedy has been communicating with an accomplice. The company-owned smartphone becomes a key piece of evidence.

Learning Objectives:

  1. Procedures for collecting digital evidence

  2. Challenges with modern smartphones

  3. Use of Autopsy Digital Forensics with an actual Android image

  4. Importance of maintaining a chain of custody

Acquiring a Digital Forensic Image:

Forensic investigators use various methods for image acquisition:

  • Static acquisition: Creating a bit-by-bit image while the device is turned off.

  • Live acquisition: Capturing an image while the device is turned on.

  • Logical acquisition: Copying selected files from the seized device.

  • Sparse acquisition: Copying fragments of unallocated data, potentially containing deleted data.

Scenario 1: Computer That’s Switched Off

  • Use a write blocker to clone the disk without modifying the original data.

  • Utilize forensic imaging software to create a bit-by-bit copy.

  • Save the image on a suitable storage device.

Scenario 2: Computer That’s Switched On

  • Aim for a live image to access volatile memory (RAM).

  • Use tools that run on the target system, accessing data in both volatile and non-volatile memory.

Acquiring a Smartphone Image:

Modern smartphones pose challenges due to encryption:

  • Android 4.4 and later: Full-disk encryption.

  • Android 7.0 and later: Direct Boot, file-based encryption mode.

  • Encryption key discovery is crucial for a complete investigation.

Forensic McBlue - Practical Case:

Tracy McGreedy’s company-owned Android phone is seized:

  1. Faraday Bag: Prevents remote data wiping by blocking wireless signals.

  2. Unlocking the Phone: Forensic McBlue uses the password, a coincidence related to the server room incident three weeks ago.

Interactive Challenge: As a digital forensics investigator, what method would you choose for acquiring a forensic image from a powered-on Android phone with encryption? Share your approach and considerations.

Analyzing Android Phone with Autopsy and ADB

Tools Used by Forensic McBlue:

Forensic McBlue employs Android Debug Bridge (adb) and Autopsy Digital Forensics for Android phone analysis. The adb command used for backup is:

  adb backup -all -f android_backup.ab

  • -all: Backs up all applications that allow backups.

  • -f android_backup.ab: Saves the backup to android_backup.ab.

Limitations of adb Backup:

  • Some apps disallow backup with the setting allowBackup=false.

  • Restricted since Android 12, prompting the need for more robust alternatives.
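As an added example (not part of the room or of adb/Autopsy), the following inspects the file produced by adb backup: the .ab format is a four-line text header (magic, version, compressed flag, encryption mode) followed by a zlib-compressed tar stream. Apps that set allowBackup=false simply do not appear among the entries, and an "AES-256" header means the user's backup password is needed before anything can be read. The sample backup and the package name com.example.sms are constructed here.

```python
import io
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP"

def parse_ab_header(data: bytes) -> dict:
    """Split the four-line .ab header (magic, version, compressed, encryption) from the payload."""
    lines = data.split(b"\n", 4)
    if len(lines) < 5 or lines[0] != AB_MAGIC:
        raise ValueError("not an Android backup file")
    return {
        "version": int(lines[1]),
        "compressed": lines[2] == b"1",
        "encryption": lines[3].decode(),   # "none" or "AES-256"
        "payload": lines[4],
    }

def list_backup_entries(data: bytes) -> list:
    """Return the paths stored in an unencrypted .ab file, in archive order."""
    hdr = parse_ab_header(data)
    if hdr["encryption"] != "none":
        # An AES-256 backup needs the user's backup password; stop here.
        raise ValueError("backup is encrypted with " + hdr["encryption"])
    tar_bytes = zlib.decompress(hdr["payload"]) if hdr["compressed"] else hdr["payload"]
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return [m.name for m in tar.getmembers()]

def build_sample_ab(files: dict, encryption: str = "none") -> bytes:
    """Constructed sample: pack small in-memory files as a version-5, compressed .ab."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    header = b"ANDROID BACKUP\n5\n1\n" + encryption.encode() + b"\n"
    return header + zlib.compress(buf.getvalue())

# Constructed sample backup; the package and file contents are placeholders.
SAMPLE_AB = build_sample_ab({
    "apps/com.example.sms/_manifest": b"constructed sample manifest",
    "apps/com.example.sms/db/mmssms.db": b"constructed sample, not a real database",
})

if __name__ == "__main__":
    print(list_backup_entries(SAMPLE_AB))
```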

Obtaining a Full Raw Image:

  1. Commercial tools often rely on adb and may require root access.

  2. Forensic McBlue exploits the Android device, gaining root access for full storage control.

  3. Confirms root access with whoami and uses mount | grep data to find the block device mounted at /data (/dev/block/dm-0).

Creating a Raw Image with adb pull:

  adb pull /dev/block/dm-0 Android-McGreedy.img

  • Pulls the block device /dev/block/dm-0 into a local image file (Android-McGreedy.img).

  • Requires root access on the Android device.
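Two checks a practitioner wants right after the pull, as an added example (not from the room): the local image hash must match a hash computed on the phone over the same block device (assuming the phone's shell provides sha256sum), and the image should start with a plaintext filesystem superblock. /dev/block/dm-0 is a device-mapper node, so a successful pull of the decrypted view shows an ext4 or F2FS magic; "unknown" suggests the still-encrypted partition was pulled instead. The sample images are constructed.

```python
import hashlib
import os
import struct
import tempfile

EXT4_MAGIC_OFFSET = 0x438   # s_magic (0xEF53) inside the ext4 superblock at offset 1024
F2FS_MAGIC_OFFSET = 0x400   # F2FS superblock starts at 1024; magic is its first field

def sha256_file(path: str) -> str:
    """Hash in 1 MiB chunks so a multi-GB image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def identify_filesystem(path: str) -> str:
    """Return 'ext4', 'f2fs' or 'unknown' from the superblock magic values.
    'unknown' on a dm-0 pull is a warning sign: the data may still be ciphertext."""
    with open(path, "rb") as f:
        head = f.read(0x1000)
    if len(head) >= 0x1000:
        if struct.unpack_from("<H", head, EXT4_MAGIC_OFFSET)[0] == 0xEF53:
            return "ext4"
        if struct.unpack_from("<I", head, F2FS_MAGIC_OFFSET)[0] == 0xF2F52010:
            return "f2fs"
    return "unknown"

def verify_acquisition(path: str, device_hash: str) -> dict:
    """Compare the local image hash with the one computed on the phone over the
    same block device, and record which filesystem the image carries."""
    local_hash = sha256_file(path)
    return {
        "hash_matches": local_hash == device_hash.lower(),
        "sha256": local_hash,
        "filesystem": identify_filesystem(path),
    }

def build_sample_image(fs: str) -> str:
    """Constructed sample: a 4 KiB file carrying only the magic bytes of the given FS."""
    img = bytearray(0x1000)
    if fs == "ext4":
        struct.pack_into("<H", img, EXT4_MAGIC_OFFSET, 0xEF53)
    elif fs == "f2fs":
        struct.pack_into("<I", img, F2FS_MAGIC_OFFSET, 0xF2F52010)
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(img)
    return path
```

Record the resulting hash and filesystem type in the chain-of-custody notes before the image is copied anywhere else.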

Importing Image into Autopsy:

  1. Open Autopsy, choose to create a new digital forensics case.

  2. Specify case details (name, number, investigator - Forensic McBlue).

  3. Name the raw image file for clarity.

  4. Select the data source type and provide the location of the raw image file.

  5. Choose ingest modules, including Android Analyzer modules.

  6. Autopsy creates a new case and runs ingest modules on the Android image.

  [Screenshot: Autopsy - Data Source Added]

Connection Card Interaction:

  • Day 24 Task: Start the Target Machine, use provided credentials for RDP, VNC, or SSH.

  • Autopsy Setup: Autopsy is set up on an MS Windows machine; start the room and wait for full boot.

Your Task:

  1. Click "Start Room" for Autopsy access.

  2. Optionally, use "Show Split View" or access the VM with provided RDP credentials.

  3. Check if the created Autopsy case is available without the need to create a new one.

Share your observations and any additional steps you'd take in this digital forensic investigation!

Q1. One of the photos contains a flag. What is it?

A1. thm{digital_forensics}

Q2. What name does Tracy use to save Detective Frost-eau’s phone number?

A2. detective carrot-nose

Q3. One SMS exchanged with Van Sprinkles contains a password. What is it?

A3. chee7aqu

Jolly Judgement Day: Unveiling the Final Flag

Welcome to the grand courtroom showdown where justice hangs in the balance! Your task is to present the evidence that matches Santa's questions and guide the proceedings towards a Conviction score higher than 100.

Santa's Question: What is the final flag?

Evidence Options:

  1. THM{YouMeddlingKids}

Your Decision: Select the evidence that you believe is the final flag matching Santa's question.

Remember, each correct answer contributes to the Conviction score, while incorrect choices may test Santa's patience. The quest for justice rests in your hands! Choose wisely.