Vladimir Katalov
ElcomSoft Ltd.
www.elcomsoft.com
Who We Are
Curiosity
Privacy
The right to know
Government surveillance
Forensics
Backup and recovery
Top 10 fears of 2015
Source:
http://www.livescience.com/52535-american-fear-survey-2015.html
What This Presentation is NOT About
Hacking
Accessing someone else's account
Compromising Google
Criminal activities
Profit
Not Every Android Smartphone is a Google Device
China is the biggest market: 30% of all smartphones sold in China
Google services completely banned
Mobile vs Cloud Forensics
Google mail
900 million users (May 2015)
Monthly unique users: 90 million (2014)
Percentage of Americans using Gmail: 24% (2013)
Gmail app downloads from Google Play: 1 billion (2014)
Percentage of Gmail users working on a mobile device: 75% (2015)
Google Chrome
Google Chrome users: 1 billion (2015)
Percentage of web browser usage: 35% (2013)
Android
  Number of Android devices: 1.4 billion (September 2015)
  Android share: over 80%
  Average daily Android activations: 1.5 million
  About 25,000 unique device models
Apple iCloud
  Introduced in Oct 2011 with iOS 5
  Optional upgrade to iCloud Drive since iOS 8
  5 GB free storage, up to 1 TB paid storage
  Extremely convenient: over 500 million users
What Apple Knows About You?
Quite a lot:
https://www.apple.com/privacy/government-information-requests/
We have:
Acquisition steps:
Notes:
Apple response
Notification emails (do not appear now)
2FA to protect iCloud backups
iOS 9: ATS (App Transport Security), pinned certificates, new storage location and data format, updated encryption, mandatory 2FA (?)
Solution: Two-Step Verification?
https://www.google.com/transparencyreport/userdatarequests/legalprocess/
Gmail
Email content
Google Sign-On
Google Security Settings
Recent security events and used devices, connected apps, saved passwords
Google Takeout
Leaves traces
Not all data is exported
Limited flexibility
Inconvenient format
Google Dashboard: Account Activity
Google Dashboard: profile, connected devices & apps
Google Dashboard: Mail
Google Chrome Sync
Google Chrome: search & browsing history
https://history.google.com/history/
Total searches
Searches by day
Top search clicks
Map search history
Voice search history
Info on devices
Location history
What is saved:
http://arstechnica.com/gadgets/2015/10/android-6-0s-auto-backup-for-apps-perfect-data-backup-for-the-1
Device Backups: Android 6.0
Albums/events
Comments
Geo tags
Subscriptions
View counters
People
Android Device Backups: Downloading
Authentication: https://android.clients.google.com/auth
Get refresh token (input: email, password)
Get authentication token (input: refresh token)
Get info on backups available: https://android.googleapis.com/backup
Input: android_id, authentication token
Output (array):
  Android_id
  Backup creation date/time
  Date/time of device registration on account
  Device name or model
  SDK version
  Last activity date/time
Download backup: https://android.clients.google.com/back
Input: android_id, package to restore (download), Auth
Output (array of strings):
  pm (general info on applications)
  android (wallpaper: xml + picture)
  com.android.nfc
  com.android.providers.settings (including Wi-Fi password)
  com.android.vending
  com.google.android.talk
  com.google.android.googlequicksearchbox
  com.google.android.calendar
  com.google.android.inputmethod.latin
  com.google.android.gm
Android M
https://accounts.google.com/ServiceLogin?hl=en-US&Email={email}
Set-Cookie: GAPS=1:iv-YjJtilF-coJ0RpCZhlmMBj97IRA:RKppYacKUG4PUMNX
Set-Cookie: GALX=mItW3iafLoo;Path=/;Secure
https://accounts.google.com/ServiceLoginAuth HTTP/1.1
Cookie: GoogleAccountsLocale_session=en; GAPS=[]; GALX=[]
Email={email}&Passwd={password}
Set-Cookie: NID=[...] Set-Cookie: SID=[...] Set-Cookie: LSID=[...]
Set-Cookie: HSID=[...] Set-Cookie: SSID=[...] Set-Cookie: APISID=[...] Set-Cookie: SAPISID=[...]
https://talkgadget.google.com/u/0/talkgadget/_/chat?{parameters}
Cookie: NID=[...]; HSID=[...]; SSID=[...]; SID=[...]; APISID=[...]; SAPISID=[...]
Set-Cookie: S=talkgadget=VlFAZCxwB-G_h53WWt_g6Q
Get conversation (dialog):
https://clients6.google.com/chat/v1/conversations/getconversation?alt=protojson&key=API_KEY
Cookie: NID=[...]; HSID=[...]; SSID=[...]; SID=[...]; APISID=[...]; SAPISID=[...]
Authorization: SAPISIDHASH {hash}
SAPISIDHASH: SHA-1(timestamp+SAPISID+URL)
Returns:
  Dialog data (id, inviteTime, activatedTime)
  Participants' data (id, name, avatarUrl)
  Events (Message, AddUser, RemoveUser, SentPhoto, VideoCall, Location)
    Date/time
    Text
    Info on video call: date/time (start+end)
    Locations (address, mapUrl, latitude, longitude)
    Picture (photoUrl, width, height, album_name)
Obtaining Google Chrome history
Headers:
Accept: */*
Accept-Language: ru,en-US;q=0.8,en;q=0.6
Connection: keep-alive
Host: history.google.com
Cookie: cookie obtained after authentication (includes the auth token)
https://history.google.com/history/youtube/watch?jspb=1&max=1394034083520660
Or
Use YouTube API
https://developers.google.com/youtube/v3/docs/
https://history.google.com/history/youtube/search?jspb=1&max=1422545631282456
Google Drive
Authenticate:
https://www.googleapis.com/auth/drive
Get file list:
GET https://www.googleapis.com/drive/v2/files?key={YOUR_API_KEY} (pretend to be Chromium)
Returns:
  Download URL
  ID
  Parent ID
  If Shared with me
  Owner
  Access rights
  File name
  File size
  Description
  Properties
Detailed list request:
GET https://www.googleapis.com/drive/v2/files?maxResults={MAX_RESULT}&pageToken={PAGE_TOKEN}&fields={FIELDS}&key={YOUR_API_KEY}
  {PAGE_TOKEN} page token
  {MAX_RESULT} number of files in response
  {FIELDS} fields to return
To get info on particular file, set its ID in the request, provide parameters:
https://developers.google.com/drive/v2/reference/files/get
Download file:
GET https://www.googleapis.com/drive/v2/files/fileID?alt=media
Get circles:
POST https://clients6.google.com/rpc/plusi?key=[..]
(returns circles, friends: email, contactId, obfuscatedGaiaId, displayName)
GET https://picasaweb.google.com/data/feed/api/user/{USER_ID}/albumid/{ALBUM_ID}?kind=comment&[..]
Returns:
gphoto:id (own id)
gphoto:photoid
authorId
published
updated
title
content
Google Chrome: passwords
  message PasswordSpecificsData {
    optional int32 scheme = 1;
    optional string signon_realm = 2;
    optional string origin = 3;
    optional string action = 4;
    optional string username_element = 5;
    optional string username_value = 6;
    optional string password_element = 7;
    optional string password_value = 8;
    optional bool ssl_valid = 9;
    optional bool preferred = 10;
    optional int64 date_created = 11;
    optional bool blacklisted = 12;
    optional int32 type = 13;
    optional int32 times_used = 14;
  }
  message PasswordSpecifics {
    optional EncryptedData encrypted = 1;
    optional PasswordSpecificsData client_only_encrypted_data = 2;
  }
Obtaining master encryption keys
Chrome sync: https://clients4.google.com/chrome-sync/command/?client=Chromium&client_id=[...]
  (body: protobuf with GetUpdatesMessage(need_encryption_key=true);
  response: GetUpdatesResponse with entries & encryption key)
Get master encryption keys:
  Key=pbkdf2_sha1(base64(encryption_key)+"saltsalt",1003)
  MacKey=pbkdf2_sha1(base64(encryption_key)+"saltsalt",1004)
The keys can be additionally encrypted using the passphrase (on the client side).
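The derivation above carried through in code, as an added example that is not part of the slides or of ElcomSoft's tooling. It applies the slide's own parameters (PBKDF2-SHA1, salt "saltsalt", 1003 and 1004 iterations) and makes the security point explicit: without a client-side passphrase, everything PBKDF2 consumes comes from the sync server, so the derivation adds no secret. The 16-byte key length and the HMAC-SHA256 tag check are assumptions not stated on the slide.

```python
import base64
import hashlib
import hmac

# Parameters exactly as the slide states them: PBKDF2 with SHA-1,
# salt "saltsalt", 1003 iterations for Key, 1004 for MacKey.
SALT = b"saltsalt"
KEY_ITERATIONS = 1003
MAC_KEY_ITERATIONS = 1004
KEY_LEN = 16  # 128-bit output; the key length is an assumption, not on the slide


def derive_sync_keys(encryption_key: bytes) -> tuple:
    """Return (Key, MacKey) from the encryption key carried in GetUpdatesResponse.

    The slide's formula uses base64(encryption_key) as the PBKDF2 password, so
    the derivation needs no secret beyond what the sync server hands out; only a
    client-side custom passphrase adds material the server does not hold.
    """
    password = base64.b64encode(encryption_key)
    key = hashlib.pbkdf2_hmac("sha1", password, SALT, KEY_ITERATIONS, KEY_LEN)
    mac_key = hashlib.pbkdf2_hmac("sha1", password, SALT, MAC_KEY_ITERATIONS, KEY_LEN)
    return key, mac_key


def mac_is_valid(mac_key: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Check an encrypt-then-MAC tag before any decryption is attempted.

    HMAC-SHA256 over the ciphertext is assumed here (the slide only names MacKey);
    a constant-time compare avoids leaking where the mismatch occurs.
    """
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    # Constructed sample key material; real values come from the sync response.
    sample_encryption_key = bytes(range(16))
    key, mac_key = derive_sync_keys(sample_encryption_key)
    ciphertext = b"\x10" * 32  # constructed stand-in for an EncryptedData blob
    good_tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return {
        "key_hex": key.hex(),
        "mac_key_hex": mac_key.hex(),
        "keys_differ": key != mac_key,
        "tag_ok": mac_is_valid(mac_key, ciphertext, good_tag),
        "tampered_rejected": not mac_is_valid(mac_key, ciphertext + b"x", good_tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```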
Google Dashboard: stats we can get
https://picasaweb.google.com/data/
get refresh_token (by client_id, then by client_secret + oauth_code):
Google Drive
https://accounts.google.com/o/oauth2/programmatic_auth?authuser=0
https://www.googleapis.com/auth/drive
Set-Cookie: oauth_code=4/5xOmk7KEXG70-3cYAju66pp8sx1U4FyCIRWI_J1zQ
https://accounts.google.com/o/oauth2/token
{
  "access_token" : "ya29.yAHuL5lPQW63Yn90hVETqe95ueyM8SpoqhyqPmy-hTywd4chkANfQTt0VNeTBMQhrkw",
  "refresh_token" : "1/slXyWGQPs1IVI7t-VC3_VKWSWUYJONt1Ue8tRG-pc"
}
get access_token:
https://accounts.google.com/o/oauth2/token HTTP/1.1
client_id=[...]&client_secret=[...]&grant_type=refresh_token&refresh_token=[...]&scope=[]
Google Takeout
Marketing:
Your account, your data. Export a copy.
Create an archive with your data from Google products.
Reality:
Google Takeout exports data in a number of different formats
Not all information is available
In fact, many types of data are not accessible via Takeout
User receives a notification email
Google Takeout vs. Elcomsoft Cloud eXplorer
Service                       ECX  Takeout
User info                     +    +
Messages                      +    +
Contacts                      +    +
Notes (Google Keep)           +    +
Reminders                     -    -
Web history                   +    -
Chrome                        +    +
Media (Google Photo)          +    +
Calendars                     +    +
Google settings               +    -
Location history              +    +
Google Books                  -    +
Google Drive                  +    +
Email (Gmail)                 +    +
Android Cloud Backups         +
Google Wallet                 -    +
Google Play Music/Video/Apps  -    -
Google Tasks                  -    +
Google Bookmarks              -    +
Google Fit                    -    +
Authentication & data acquisition
Phishing
Brute-force attacks
e.g. iBrutr (https://github.com/Pr0x13/iBrutr)
Reverse brute-force attacks
Password reset/recovery
Key loggers
Fake AP
Network sniffing
Social engineering
Passwords re-use
How LE Get Passwords
ts)
Contacts                 +  +  -
Notes (Keep)             +  +  -
Web history              +  +  +
Chrome                   +  +  +
Media (Google Photo)     +  +  -
Location history         ?  +  +
Google Books             ?  +  -
Google Drive             +  +  +
Gmail                    +  +  +
Android Cloud Backups    -  +  +
Final Thoughts (mixed)
Nullcon 2016
Vladimir Katalov, ElcomSoft Co. Ltd.
http://www.elcomsoft.com
http://blog.crackpassword.com
Facebook: ElcomSoft
Twitter: @elcomsoft