I was recently given the opportunity to attend an advanced mobile forensics course taught by Joe Church from Digital Shield. As part of the rite of passage certification process, Joe handed us an image of an infected Android device and challenged us to find the malware.
By the third day of great instruction and working with the all-in-one mobile forensic tool, the solution became as simple as clicking on the “malware scanner” easy button. Although the all-in-one forensic tools are extremely useful and beneficial, I couldn’t help but wonder if other antivirus tools could offer different results.
To find the answer to that question, I mounted the Android image using an Ubuntu examination computer and gave a commercial anti-virus solution a chance at scanning the file system.
In this article we are going to go through the process of converting split .bin files into one raw image, on-the-fly, and then mounting the userdata volume inside of the raw image. Once the userdata volume is mounted we will scan it for malware. For the purposes of this article I used an examination computer with Ubuntu 12.10 installed on it. Let’s get started.
Installing the tools:
The Android image that was given to us by Joe was the result of a physical extraction of an HTC Desire Android phone done with the Cellebrite UFED. The extraction resulted in a bit-by-bit image of the device spanning two .bin files. To get these two .bin files to act as one complete physical image we will use one of the many great tools from Joachim Metz called libsmraw. Libsmraw is the library and tools to access the (split) raw image format. This tool has the ability to convert split images into one raw image, on-the-fly. Libsmraw can be downloaded from here: https://code.google.com/p/libsmraw/. At the time of this writing, the latest version was libsmraw-alpha-20130402.tar.gz. Download the tar.gz file and then extract the files from the tar.gz file into your directory of choice. After you extract the contents of the tar.gz, you should end up with one folder titled “libsmraw-20130402”. The folder contains the source code for the tool.
Prior to installing the tool, make sure that you have FUSE installed on your system. The tool uses Filesystem in Userspace for mounting. You must satisfy this dependency by installing Fuse from the command line, so let’s do that.
Open a Terminal Window. In Ubuntu you can accomplish this by pressing Ctrl-Alt-T at the same time or by going to the Dash Home and typing in “terminal”.
Now type the below command into the terminal, and press enter. Enter your root password, if needed.
sudo apt-get install libfuse-dev
It is now time to install Libsmraw. Use the cd command to navigate to the folder that contains the source code. To install from source we are going to have to run four commands.
sudo make install
For a detailed explanation of how to install from source, please refer to the “Installing the tools” section of our previous post here.
The second tool that you will need is an antivirus program. On the Ubuntu side, one of my favorites and the one that I chose for the test is AVG. AVG can be downloaded from here. Download the DEB package and install it with the Software Center. Once it is installed, run the following command to initialize it.
sudo /etc/init.d/avgd start
Then run the following command to update the virus definitions.
It is now time to begin the examination. I added the .bin files to the root of a USB drive and inserted the drive into a USB port on my examination computer. External media gets mounted under the media directory.
Type the following into the terminal to determine how your external media was mounted.
Notice that my external media was mounted under the “/media/carlos” directory as 02BFA63C6292C374.
Now we need to navigate to the .bin files on the external media. We will use the cd command to change directory into the external media. Type the following into the terminal.
Replace “carlos” with your username and also replace “02BFA63C6292C374” with the directory name assigned to your external media. After doing so, press enter.
Type “ls -l” and press enter. ls is the list-files command. The flag -l uses a long listing format.
Notice that we are in the root of my external media and yes, I have the two .bin files that make up the complete image of the Android device. The first chunk is titled blk0_mmcblk0.bin and appears to be about 2GB in size. The second chunk is titled blk0_mmcblk0(2).bin and appears to be about 180MB.
In order to get libsmraw to link an arbitrary number of files together, in this instance two, and convert them to a single image, on-the-fly, the files must follow a consecutive naming scheme. This means that we are going to have to change the filename of the first chunk. Rename the first chunk from “blk0_mmcblk0.bin” to “blk0_mmcblk0(1).bin”. This change will not affect the data contained in the image.
We are almost ready to mount the files together with libsmraw. Let’s designate a location where we can temporarily mount the .bin files. To do that, we need to create a mount directory. Let’s create a directory called raw in the root of the mnt folder. Type the below command into the terminal and press enter. Type your root password (if needed).
sudo mkdir /mnt/raw
We now get to use libsmraw. To mount the .bin files as a single raw image, type the following command into the terminal. You only have to point smrawmount to the first chunk.
sudo smrawmount blk0_mmcblk0\(1\).bin /mnt/raw
smrawmount is the command to link all of the files and mount them as a single raw image. blk0_mmcblk0\(1\).bin is the first chunk of the image. The “\” before each parenthesis is used so that the shell reads the parenthesis as a literal character. /mnt/raw is the mount point. sudo gives smrawmount superuser privileges for the operation. Press enter and type your root password (if needed).
If you got your cursor back, everything went well. Your image is now mounted under the /mnt/raw/ directory as raw1. Type “sudo ls -l /mnt/raw” and press enter.
The next step is to determine the starting sector of the userdata partition inside of the image. To do that, we will use the Sleuth Kit tool mmls. mmls is a tool that can display the partition layout of a volume system (partition tables). Type the following into the terminal and press enter. The flag -a is to show only allocated volumes, and the flag -B is to include a column with the partition sizes in bytes.
sudo mmls -aB /mnt/raw/raw1
mmls is reporting that slot 22 contains a 1GB volume. According to mmls, this is the largest volume of them all and it starts at sector offset 1343488. This is the userdata volume in my image. To determine the type of file system contained in this volume, type the following command.
sudo img_cat -s 1343488 /mnt/raw/raw1 | file -
img_cat is a Sleuth Kit command that outputs the contents of an image file; the flag -s tells img_cat to start at sector offset 1343488, which in this instance is the start of my userdata volume. /mnt/raw/raw1 is the raw image. The “|” is known as a pipe. A pipe is a technique in Linux for passing the output of one program to another program as its input. file is the command to determine the file type. The dash following file, “-”, tells file to read from its standard input (the output of img_cat) rather than from a file on disk.
That last tip came from John Lehr, and I wanted to give him credit. John maintains an excellent blog on Forensics with Linux called Linuxsleuthing. Read it here.
file is reporting that the userdata volume in this image is an ext4 file system. file is also reporting that the file system needs journal recovery, which means that the file system is dirty. Hal Pomeranz from Deer Run Associates explains that the “noload” option must be passed to the mount command to prevent the journal from being replayed when mounting dirty ext4 file systems. Read his article here.
We now have the information we need to mount the userdata volume. Let’s create a directory called userdata in the root of the mnt folder. Type the below command into the terminal and press enter. Type your root password (if needed).
sudo mkdir /mnt/userdata
Type the below command to mount the userdata volume.
sudo mount -o ro,noload,offset=687865856 /mnt/raw/raw1 /mnt/userdata/
mount is the command to mount a filesystem. The flag -o specifies the options for mounting. In this instance we opted to mount it as a “ro” read-only file system and we told mount to “noload” the journal. We also told mount to look at byte offset 687865856, which is the beginning of the userdata volume. The offset must be specified in bytes, which is the sector offset 1343488 times the 512-byte sector size. The options following the -o flag must be separated by commas with no spaces. /mnt/raw/raw1 is the image and /mnt/userdata/ is the mount point. Press enter, and type your root password (if needed).
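The offset arithmetic and the partition lookup from the two steps above, put together as a small script. This is an added example, not code from the original post; the mmls output it parses is a constructed sample in which only the userdata row carries the figures quoted above, and it uses the post's heuristic that the largest allocated volume is userdata, so confirm the file system type with img_cat and file before mounting.

```shell
#!/bin/sh
# Added example, not from the original post: parse "mmls -aB" output, pick the
# largest allocated volume (the post's heuristic for userdata), and build the
# read-only, no-journal mount command with the byte offset computed from the
# sector offset. The image path and mount point are parameters.

SECTOR_SIZE=512

# Constructed sample of mmls -aB output. The 022 row carries the post's real
# userdata figures (start sector 1343488, 1G); the other rows are made up.
MMLS_SAMPLE='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Size    Description
020:  019       0001212416   0001343487   0000131072   0064M   Linux (0x83)
022:  021       0001343488   0003440639   0002097152   0001G   Linux (0x83)
023:  022       0003440640   0003473407   0000032768   0016M   Linux (0x83)'

# Read mmls text on stdin; print the start sector of the longest volume.
# Only rows beginning with an entry index ("022:") are partition entries;
# field 3 is Start and field 5 is Length, both in sectors. Fails if no
# partition row is present.
largest_volume_start() {
    awk 'BEGIN { max = 0 }
         /^[0-9]+:/ { if ($5 + 0 > max) { max = $5 + 0; start = $3 + 0 } }
         END { if (max > 0) print start; else exit 1 }'
}

# mount -o offset= wants bytes: sector offset times the sector size.
byte_offset() {
    echo $(( $1 * SECTOR_SIZE ))
}

# Read mmls text on stdin; print the mount line for image $1 at mount point $2.
# ro keeps the evidence unchanged; noload keeps mount from replaying the dirty
# ext4 journal, as the post explains.
mount_command() {
    start=$(largest_volume_start) || return 1
    echo "sudo mount -o ro,noload,offset=$(byte_offset "$start") $1 $2"
}

printf '%s\n' "$MMLS_SAMPLE" | mount_command /mnt/raw/raw1 /mnt/userdata
```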
Again, if you got your cursor back, then everything went well. The userdata volume is now mounted under /mnt/userdata/. Change directory (cd) into the /mnt/userdata directory and run ls -l.
Your userdata volume is now mounted read-only and available for any action that you deem necessary, including a virus scan. Type the following command to run an AVG scan on the current directory.
sudo avgscan ./
AVG found fourteen infected applications in this image. AVG will not quarantine them or delete them. From here you are free to copy the infected files out for further analysis.
This is an alternate way of scanning any image that you can mount in Linux for the low-hanging infected fruit.
If this procedure worked for your case, and you are able to use it in the course of your investigation, we would like to hear from you. Please post your comments or email the author of this article at firstname.lastname@example.org. Twitter: @carlos_cajigas