스파이캠 수동 획득

I’ve recently happened to analyze a spycam. Although its outside view is prefectly the same as normal smartphone as we use on a daily basis, in the inside, you might feel that it has pretty old android OS running in the background. Turns out, it’s a spycam with Android OS version 6.

The problem is the detective in charge and I were completely in the dark, not knowing what it really was until I finished the first phase of analysis. We both presumed that it’s one of the mobile phones of the perp.

First thing we’re going to do is acquire the data, specifically image it to a file for further forensically sound analysis. We have a bunch of software to choose, I went myself with the commerial one.

Since the model of the device isn’t exactly shown up on the search box of the tool, like other smartphones from overseas, I tried taking Android Live extraction with USB debugging switched on.

The tool pops up and alerts me that “This device is rooted, it’s recommended that you should proceed with [Rooting] acquisition mode”. but I just continued doing Android Live first.

## Android Live Extraction

In practice, It’s important to think that the device could be bricked because of your wrong decision & procedure. So we always need to build a contingency plan, that’s why I go extract the data through Android Live first. No one would know what’s going to happen.

The result gives us the size of foresic image about 55MB out of 32GB in total.

Next thing I did was to try the Physical extraction by [Rooting] acquisition mode, but unfortunately failed saying that it cannot list the partitions.

Generally if it’s a smartphone and if it goes right, it would show us all partitions of the block devices, so we are ready to dump the USERDATA partition like below.

However in this case, the device doesn’t fall under the mobile phone’s category. What’s more, it is customized by the manufacturer for its spycam purpose, so the tool cannot do its automatic job for us.

After failure it seemed there is no response even though I pushed the buttons trying to power off/on. I even pressed and hold the power button, after a few tries with hold the two buttons mixed, it did turned off eventually. The system’s like off the screen with powered on. It could’ve been worse, this is where we take extra care.

## Physical Extraction

Here’s how physical extraction goes.

2. Boot up the device.
3. Switch on USB Debugging option.
4. Connect device to PC with cable.
5. Use ADB command to dump USERDATA partition.

• When serial number of the device appears, it means it’s ready to use ADB.
1
2
3
List of devices attached
0123456789ABCDEF        device


• Get the interactive shell, and the spycam has the root privilege.
1
2
3
root@ABCDE:/ # id


### Partitions

There are 6 partitions mounted with Ext4 file system in the device. Partitions are :

• /system
• /cache
• /protect_f
• /protect_s
• /nvdata
• /data

df(disk free) command gives us the mount point and how much storage used in the partition. Data partition is mounted on /data, and the MicroSD inserted for acquisition is on /storage/7EA4-5A19.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Filesystem               Size     Used     Free   Blksize
/dev                     1.4G    76.0K     1.4G   4096
/sys/fs/cgroup           1.4G    12.0K     1.4G   4096
/mnt                     1.4G     0.0K     1.4G   4096
/system                  2.4G     1.2G     1.2G   4096
/cache                 387.4M   408.0K   387.0M   4096
/protect_f               5.8M    60.0K     5.8M   4096
/protect_s               5.8M    56.0K     5.8M   4096
/nvdata                 27.5M     1.7M    25.8M   4096
/storage                 1.4G     0.0K     1.4G   4096
/data                   25.6G   152.8M    25.5G   4096
/mnt/runtime/default/emulated    25.6G   152.8M    25.5G   4096
/storage/emulated       25.6G   152.8M    25.5G   4096
/mnt/runtime/write/emulated    25.6G   152.8M    25.5G   4096
/mnt/media_rw/7EA4-5A19    29.5G   160.0K    29.5G   16384
/mnt/runtime/default/7EA4-5A19    29.5G   160.0K    29.5G   16384
/storage/7EA4-5A19      29.5G   160.0K    29.5G   16384
/mnt/runtime/write/7EA4-5A19    29.5G   160.0K    29.5G   16384


We noticed from the /proc/partitions that mmcblk0 represents the full block device, mmcblk0p22(dm-0) would be the userdata.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
major minor  #blocks  name

7        0       1254 loop0
254        0    1505048 zram0
179        0   30539776 mmcblk0
179        1       3072 mmcblk0p1
179        2       5120 mmcblk0p2
179        3      10240 mmcblk0p3
179        4      10240 mmcblk0p4
179        5        512 mmcblk0p5
179        6        512 mmcblk0p6
179        7      16384 mmcblk0p7
179        8      16384 mmcblk0p8
179        9       8192 mmcblk0p9
179       10      10240 mmcblk0p10
179       11        512 mmcblk0p11
179       12       2048 mmcblk0p12
179       13       6144 mmcblk0p13
179       14       8192 mmcblk0p14
179       15       5120 mmcblk0p15
179       16       5120 mmcblk0p16
179       17       1024 mmcblk0p17
179       18      32768 mmcblk0p18
179       19      37888 mmcblk0p19
179       20    2621440 mmcblk0p20
179       21     409600 mmcblk0p21
179       22   27311616 mmcblk0p22
179       23      16384 mmcblk0p23
179       96       4096 mmcblk0rpmb
179       64       4096 mmcblk0boot1
179       32       4096 mmcblk0boot0
253        0   27311616 dm-0


### Dump the Data

What I first tried was insert MicroSD card to dump the block device with dd. But just because it pictured in your head, doesn’t mean that it will always be successful. The device auto-mounts the FAT32-formated MicroSD, and the file system uses a 32bit field to store the file size in bytes which 4GB is the limit of the sigle file.

1
2
3
4
5
root@ABCDE: # dd if=/dev/block/mmcblk0 of=/storage/7EA4-5A19/android.dd bs=1024
dd: /storage/7EA4-5A19/android.dd: File too large
4194304+0 records in
4194303+1 records out
4294967295 bytes transferred in 461.530 secs (9305933 bytes/sec)


To work around this issue, we may install other file system in the MicroSD that supports the size limit over 4GB. Another possibility would be use ADB to tranfer the file. This case, we could use the commands adb pull, dd with nc alternatively.

Let’s dump the whole block device(mmcblk0) and data partition(dm-0) selectevely.

On the Spycam:

1
2
3
root@ABCDE:/ # dd if=/dev/block/mmcblk0 | toybox nc -l -p 4444

root@ABCDE:/ # dd if=/dev/block/dm-0 bs=2048 | toybox nc -l -p 4444


On the forensic workstation:

1
2
3
$nc 127.0.0.1 4444 > Android_M7.dd$ nc 127.0.0.1 4444 > Android_M7_dm-0.dd


Result:

1
2
3
4
5
6
7
8
9
root@ABCDE:/ # dd if=/dev/block/mmcblk0 | toybox nc -l -p 4444
30539776+0 records in
30539776+0 records out
31272730624 bytes transferred in 8251.129 secs (3790115 bytes/sec)

root@ABCDE:/ # dd if=/dev/block/dm-0 bs=2048 | toybox nc -l -p 4444
13655808+0 records in
13655808+0 records out
27967094784 bytes transferred in 7143.096 secs (3915262 bytes/sec)


The results indicate that it outputs approximately 26GB for data partition, 30GB for the whole dump.

To use the port 4444, port forward needs to be configured before ADB connection.

When loading the full block device dump(mmcblk0) on FTK Imager, 23 partitions are identified as we previously saw above. One thing to notice is Partition 22(data partition) is not identified due to its encryption, FDE(Full Disk Encryption).

userdata(dm-0) dump, however, all folders & files are properly parsed by the tool. Now by this far it’s ready for analysis.

If you want to decrypt FDE, you have to find the crypto footer and do some stuff to brute force to find DEK(Disk Encryption Key) & password.

## Recovery Mode

FYI. by putting the device in Recovery Mode, we might also find some trivial information of the device such as kernel version, model, android version and so on. it is written in chinese, though.

## Wrap-up

To be honest, there was no big difference between logical and physical extraction in my case, because the photos, video files that are relevant to the crime left intact. So they are totally sufficient in order to prove the charges. Videos and photos taken while committing sexual acts were also saved in MicroSD card.

This case will hopefully give you a little insight when dealing with the similar evidence. Maybe in the next post, we should…decrypt FDE userdata partition. I will do it after a wee bit of play with it and do the test.

Tags:

Categories:

Updated: