STUDY AND ANALYSIS OF ORWEB (AND ORFOX)
ANONYMIZER(S) ON ANDROID DEVICES
CLAUDIA MEDA & MATTIA EPIFANI
DFRWS EU 2016
LAUSANNE, 31 MARCH 2016
ORBOT
HTTPS://GUARDIANPROJECT.INFO/APPS/ORBOT/
What is Orbot?
• Open source software that encrypts Internet traffic and routes it through computers around the world
• Configured to transparently proxy all Internet traffic through Tor (The Onion Router)
• Lets the user choose which specific apps are routed through Tor
• Private internet connection
• Private web surfing
• Private chat messaging
• Privacy on Twitter
ORWEB
HTTPS://GUARDIANPROJECT.INFO/APPS/ORWEB/
What is Orweb?
• Current default browser for Orbot on Android → evades tracking and censorship by bouncing encrypted traffic several times through computers around the world
• Based on Orbot
“When a communication arrives from Tor, you can never know where or whom it’s from”
New York Times
Orfox: Summer/Autumn 2015
ORFOX
HTTPS://GUARDIANPROJECT.INFO/2015/06/30/ORFOX-ASPIRING-TO-BRING-TOR-BROWSER-TO-ANDROID/
What is Orfox?
• New browser for Android → BETA release available on Google Play for public testing only
• Built from the same source code as Tor Browser (which is built upon Firefox)
• Requires the Orbot app to connect to the Tor network
• Allows users to bookmark sites
ANALYSIS METHODOLOGY – PART 1
1. ENVIRONMENT: Samsung Galaxy S5 with Android 5.0, rooted with KingoRoot
2. INSTALLATION: Orbot download, install and execution; Orweb download, install and execution; Orfox download, install and execution
3. DEVICE PHYSICAL ACQUISITION
SYSTEM FOLDER
PACKAGES.LIST
INSTALLED APPS INFORMATION (PACKAGE NAME, UID, APP PATH)
• ORBOT: package name org.torproject.android, UserID 10076, app path /data/data/org.torproject.android
• ORWEB: package name info.guardianproject.browser, UserID 10077, app path /data/data/info.guardianproject.browser
• ORFOX: package name info.guardianproject.orfox, UserID 10078, app path /data/data/info.guardianproject.orfox
SYSTEM FOLDER
PACKAGES.XML
LIST OF PERMISSIONS AND PACKAGES/APPLICATIONS
<package name="org.torproject.android" userId="10076" version="15012310" ut="151b5c6d5a5"
it="151b5c6d5a5" ft="151b5c6cf20" flags="540228" dt="151b5c6db57" dm="2"
nativeLibraryRootRequiresIsa="true" nativeLibraryDir="/data/app/org.torproject.android-1/lib/arm"
nativeLibraryRootDir="/data/app/org.torproject.android-1/lib"
nativeLibraryPath="/data/app/org.torproject.android-1/lib" codePath="/data/app/org.torproject.android-1"
primaryCpuAbi="armeabi-v7a" installer="com.android.vending">
<perms>
<item name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<item name="org.torproject.android.MANAGE_TOR"/>
<item name="android.permission.ACCESS_NETWORK_STATE"/>
<item name="android.permission.INTERNET"/>
</perms>
</package>
Attribute  Description                                         Timestamp
UT         Timestamp in hex format of last update              Fri, 18 Dec 2015 – 15:48:05
IT         Timestamp in hex format of first-time installation  Fri, 18 Dec 2015 – 15:48:05
SYSTEM FOLDER
PACKAGE-USAGE.LIST
APP LAST EXECUTION TIME (EPOCH)
Application Timestamp
org.torproject.android 1451345825.267
info.guardianproject.browser 1450459648.348
info.guardianproject.orfox 1452006535.657
SYSTEM FOLDER
POWERMANAGER
POWER (AND APPS) USAGE STATISTICS
info.guardianproject.browser
SYSTEM FOLDER
RECENT_TASKS
RECENT ACTIVITIES LOGS (XML FORMAT)
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<task task_id="13" real_activity="info.guardianproject.browser/.Browser"
affinity="info.guardianproject.browser" root_has_reset="true"
auto_remove_recents="false" asked_compat_mode="false" user_id="0"
effective_uid="10077" task_type="0" first_active_time="1451385683082"
last_active_time="1451385798766" last_time_moved="1451385798756"
never_relinquish_identity="true" task_description_color="ff212121"
task_affiliation_color="-14606047" task_affiliation="13" prev_affiliation="-1"
next_affiliation="-1" calling_uid="10077"
calling_package="info.guardianproject.browser" multiwindow_style="0"
is_private_mode="false">
<intent action="android.intent.action.MAIN"
component="info.guardianproject.browser/.Browser" flags="10200000">
<categories category="android.intent.category.LAUNCHER" />
</intent>
</task>
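The three system-folder artifacts above each record time in a different way: packages.xml writes it/ut/ft/dt as hex Unix milliseconds, package-usage.list (as presented on the slide) gives epoch seconds, and recent_tasks gives first_active_time/last_active_time in epoch milliseconds. As an added example, not code from the presentation, the Python below decodes all three and merges them into one timeline; the inputs are constructed from the values shown on the slides (the recent_tasks element trimmed to the attributes used, the package-usage.list layout taken as the slide presents it).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
# Packages tracked in this analysis (names as on the packages.list slide).
TOR_PACKAGES = {
    "org.torproject.android": "Orbot",
    "info.guardianproject.browser": "Orweb",
    "info.guardianproject.orfox": "Orfox",
}
# Constructed sample: the <package> element from the packages.xml slide,
# wrapped in the <packages> root element the real file uses.
SAMPLE_PACKAGES_XML = """<packages>
<package name="org.torproject.android" userId="10076" version="15012310"
 ut="151b5c6d5a5" it="151b5c6d5a5" ft="151b5c6cf20" dt="151b5c6db57"
 codePath="/data/app/org.torproject.android-1" installer="com.android.vending">
<perms>
<item name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<item name="org.torproject.android.MANAGE_TOR"/>
<item name="android.permission.ACCESS_NETWORK_STATE"/>
<item name="android.permission.INTERNET"/>
</perms>
</package>
</packages>"""

# Constructed sample in the form the package-usage.list slide presents:
# package name, then the last execution time in epoch seconds.
SAMPLE_PACKAGE_USAGE_LIST = """org.torproject.android 1451345825.267
info.guardianproject.browser 1450459648.348
info.guardianproject.orfox 1452006535.657"""

# Constructed sample: the recent_tasks <task> element from the slide, trimmed
# to the attributes used here (first/last_active_time are epoch milliseconds).
SAMPLE_RECENT_TASKS = """<task task_id="13" effective_uid="10077"
 real_activity="info.guardianproject.browser/.Browser"
 first_active_time="1451385683082" last_active_time="1451385798766"
 calling_package="info.guardianproject.browser">
<intent action="android.intent.action.MAIN"
 component="info.guardianproject.browser/.Browser" flags="10200000"/>
</task>"""

def utc(epoch_seconds):
    """Render a Unix epoch in seconds (fractions allowed) as a UTC string."""
    dt = datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S")

def decode_hex_millis(hexval):
    """packages.xml writes it/ut/ft/dt as Unix milliseconds in hex (no 0x)."""
    return utc(int(hexval, 16) / 1000.0)

def parse_packages_xml(xml_text):
    """UID, code path, installer, install/update time and permissions of each
    tracked package in packages.xml."""
    found = {}
    for pkg in ET.fromstring(xml_text).iter("package"):
        name = pkg.get("name")
        if name not in TOR_PACKAGES:
            continue
        found[name] = {
            "uid": int(pkg.get("userId")),
            "codePath": pkg.get("codePath"),
            "installer": pkg.get("installer"),
            "installed": decode_hex_millis(pkg.get("it")),
            "updated": decode_hex_millis(pkg.get("ut")),
            "perms": sorted(i.get("name") for i in pkg.findall("perms/item")),
        }
    return found

def parse_package_usage_list(text):
    """Last execution time of each tracked package from package-usage.list."""
    found = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in TOR_PACKAGES:
            found[parts[0]] = utc(float(parts[1]))
    return found

def parse_recent_tasks(xml_text):
    """Tasks launched by tracked packages, from recent_tasks."""
    found = []
    for task in ET.fromstring(xml_text).iter("task"):
        pkg = task.get("calling_package")
        if pkg in TOR_PACKAGES:
            found.append({
                "package": pkg,
                "first_active": utc(int(task.get("first_active_time")) / 1000.0),
                "last_active": utc(int(task.get("last_active_time")) / 1000.0),
            })
    return found

def build_timeline(packages, usage, tasks):
    """Merge the three sources into one sorted list of (utc, app, event)."""
    events = [(i["installed"], TOR_PACKAGES[n], "installed (packages.xml it)") for n, i in packages.items()]
    events += [(w, TOR_PACKAGES[n], "last executed (package-usage.list)") for n, w in usage.items()]
    events += [(t["first_active"], TOR_PACKAGES[t["package"]], "task first active (recent_tasks)") for t in tasks]
    return sorted(events)
```

On the slide's values this places the Orbot install (18 Dec 2015 15:48:05 UTC) first and the last Orfox execution (5 Jan 2016) last; the same decoding applies to the ft and dt attributes.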
SYSTEM FOLDER
USAGESTATSWEEKLY - USAGESTATSMONTHLY -
USAGESTATSYEARLY
USAGE STATISTICS
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<usagestats version="1" endTime="2381450658">
…
<packages>
<package lastTimeActive="1454766326" package="org.torproject.android"
timeActive="193858" lastEvent="2" />
<package lastTimeActive="1456652361" package="info.guardianproject.browser"
timeActive="3519627" lastEvent="2" />
…
</packages>
</usagestats>
DATA FOLDER
COM.ANDROID.VENDING/DATABASES/LOCALAPPSTATE.DB
APPLICATION INFORMATION AND UPDATES
• Package Name
• Delivery Data Timestamp
• First Download Timestamp
• Account
• Title
• Last Notified Version
• Last Update Timestamp
DATA FOLDER
COM.SEC.ANDROID.APP.LAUNCHER/DATABASES/LAUNCHER.DB
APPLICATION DESKTOP SHORTCUTS (POSITION, ICON, INTENT, ETC.)
• Icon Package
• Icon Resource
• Icon
• Screen position
• Intent
DATA FOLDER
COM.SAMSUNG.ANDROID.SM/DATABASES/LOWPOWERCONTEXT-SYSTEM-DB
SAMSUNG SMART MANAGER
Columns: Package name, Start Time, End Time
SYSTEM AND DATA FOLDER
OTHER FILES
• system/batterystats-checkin.bin
• system/AppOps.XML
• system/procstats/state-YYYY-MM-DD-HH-MM-SS.bin
• data/com.android.vending/databases/library.db
• data/com.android.vending/databases/package_verification.db
• data/com.google.android.partnersetup/shared_prefs/ApplicationHidingPreferences.xml
• data/com.samsung.android.sm/databases/sm.db
• data/com.google.android.googlequicksearchbox/databases/icingcorpora.db
ANALYSIS METHODOLOGY – PART 2
1. BROWSING WITH ORWEB
Visited sites:
genoacfc.it
thehiddenwiki.org
rso4hutlefirefqp.onion
torlinkbgs6aabns.onion
xfnwyig7olypdq5r.onion
dfrws.org
luccacomicsandgames.com
starwars.com
2. DEVICE PHYSICAL ACQUISITION
ORWEB APPLICATION FOLDER
DATA/INFO.GUARDIANPROJECT.BROWSER/APP_WEBVIEW/COOKIES
COOKIES DATABASE
SQLite DB that temporarily stores website cookies
Information is not immediately deleted: information about previously visited sites remains in unallocated space inside the DB file and in Cookies-journal
ORWEB APPLICATION FOLDER
DATA/INFO.GUARDIANPROJECT.BROWSER/CACHE/ORG.CHROMIUM.ANDROID_WEBVIEW
CACHE FOLDER
Specific structure of a cache element:
Header: 30 5C 72 A7 1B 6D FB FC 05 00 00 00
URL
Encoded content (e.g. a JPG file)
HTTP response with DATE and TIME
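The proposed investigation methodology at the end of the deck searches for this header string; as an added example, not code from the presentation, the Python below carves cache elements out of a raw dump using only the layout shown above. It assumes the URL begins within 64 bytes of the 12-byte header (the slide does not give the exact gap), flags JPEG content by its FF D8 FF signature and pulls the Date: header of the embedded HTTP response. The dump it scans is constructed here, with URLs from the slide's visited-site list and made-up dates and filler.

```python
import re

# 12-byte header that opens every element in the WebView cache folder, as on
# the slide: an 8-byte magic followed by 05 00 00 00.
CACHE_HEADER = bytes.fromhex("30 5C 72 A7 1B 6D FB FC 05 00 00 00")
URL_RE = re.compile(rb"https?://[\w.\-~:/?#@!$&'()*+,;=%]+")
DATE_RE = re.compile(rb"\r\nDate:[ \t]*([^\r\n]+)")


def carve_cache_entries(blob, url_window=64):
    """Scan a raw image or folder dump for cache elements.

    For every occurrence of CACHE_HEADER report its offset, the URL that
    follows it (assumed to start within url_window bytes of the header),
    whether the stored content carries a JPEG signature, and the Date: value
    of the cached HTTP response if one appears before the next element."""
    entries = []
    pos = 0
    while True:
        idx = blob.find(CACHE_HEADER, pos)
        if idx < 0:
            break
        start = idx + len(CACHE_HEADER)
        nxt = blob.find(CACHE_HEADER, start)
        body = blob[start:nxt if nxt >= 0 else len(blob)]
        url_m = URL_RE.search(body)
        url = None
        if url_m and url_m.start() <= url_window:
            url = url_m.group(0).decode("ascii")
        date_m = DATE_RE.search(body)
        entries.append({
            "offset": idx,
            "url": url,
            "jpeg": b"\xff\xd8\xff" in body,
            "date": date_m.group(1).decode("ascii", "replace") if date_m else None,
        })
        pos = start
    return entries


def build_sample_dump():
    """Constructed stand-in for a slice of the cache folder: two elements laid
    out as on the slide (header, URL, encoded content, HTTP response) and
    separated by filler. The 8 bytes between header and URL, the Date values
    and the filler are made up; the URLs come from the slide's visited sites."""
    filler = b"\x00" * 16 + bytes(range(0x80, 0x90)) + b"\x00" * 16
    entry1 = (CACHE_HEADER + b"\x1b\x00\x00\x00\x12\x34\x56\x78"
              + b"http://genoacfc.it/img/logo.jpg\x00"
              + b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 24      # start of a JPEG
              + b"HTTP/1.1 200 OK\r\nDate: Mon, 28 Dec 2015 11:23:55 GMT\r\n"
              + b"Content-Type: image/jpeg\r\n\r\n")
    entry2 = (CACHE_HEADER + b"\x1e\x00\x00\x00\x9a\xbc\xde\xf0"
              + b"http://rso4hutlefirefqp.onion/\x00"
              + b"<html><body>cached page</body></html>\x00")
    return filler + entry1 + filler + entry2 + filler


if __name__ == "__main__":
    for e in carve_cache_entries(build_sample_dump()):
        print(f"0x{e['offset']:08x}  {e['url']}  jpeg={e['jpeg']}  date={e['date']}")
```

Run against a folder or unallocated-space dump, the URL and Date pairs give a per-element record of what was fetched through Orweb and when, including elements whose file names no longer exist.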
ANALYSIS METHODOLOGY – PART 3
1. BROWSING WITH ORFOX
Visited sites:
thehiddenwiki.org
3g2upl4pq6kufc4m.onion
wikitjerrta4qgz4.onion
easycoinsayj7p5l.onion
torbox3uiot6wchz.onion
bodybuilding.com
genoacfc.it
volleyball.org
atpworldtour.com
2. ADDED GENOACFC.IT TO BOOKMARKS
3. DEVICE PHYSICAL ACQUISITION
ORFOX APPLICATION FOLDER
DATA/INFO.GUARDIANPROJECT.ORFOX/FILE/MOZILLA/<ID>.DEFAULT
TEMPORARY FILES STORED DURING BROWSER ACTIVITY
Browser.db-wal
Tabs.db
Tabs.db-wal
Tabs.db:
• currently tabbed sites
Tabs.db-wal:
• previously tabbed sites
ORFOX APPLICATION FOLDER
DATA/INFO.GUARDIANPROJECT.ORFOX/FILE/MOZILLA/<ID>.DEFAULT
BROWSER.DB-WAL
• Bookmarks
• Reading List
• Top Sites (only if added by user)
• Visited website URLs
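Why the -wal files hold sites the live tables no longer list: a SQLite write-ahead log is append-only until a checkpoint, so every version of a page ever committed, including the one written before a row was deleted, stays in the file. As an added example, not code from the presentation, the Python below walks the WAL frame structure (32-byte file header, then 24-byte frame headers each followed by one page) and collects URL strings per frame, then demonstrates it on a constructed stand-in for Tabs.db: tabs are opened, one is closed, and the un-checkpointed WAL is read as it would be on a device imaged mid-session. The table layout and titles are made up; the URLs are from the slide's Orfox browsing session.

```python
import os
import re
import sqlite3
import struct
import tempfile

WAL_HEADER = 32    # magic, version, page size, checkpoint seq, 2 salts, 2 checksums
FRAME_HEADER = 24  # page number, db size after commit (0 unless commit), salts, checksums
URL_RE = re.compile(rb"https?://[\w.\-~:/?#@!$&'()*+,;=%]+")


def wal_frames(path):
    """Yield (frame_index, page_number, is_commit, page_bytes) for every frame
    in a SQLite write-ahead log. Frames are never overwritten in place, so a
    page that was modified several times appears once per modification."""
    with open(path, "rb") as fh:
        hdr = fh.read(WAL_HEADER)
        if len(hdr) < WAL_HEADER:
            return
        magic, _version, page_size = struct.unpack(">III", hdr[:12])
        if magic not in (0x377F0682, 0x377F0683):
            raise ValueError("not a SQLite WAL file")
        index = 0
        while True:
            fhdr = fh.read(FRAME_HEADER)
            page = fh.read(page_size)
            if len(fhdr) < FRAME_HEADER or len(page) < page_size:
                return
            page_no, db_size = struct.unpack(">II", fhdr[:8])
            yield index, page_no, db_size != 0, page
            index += 1


def urls_in_wal(path):
    """Map every URL string found in any WAL frame to the (frame, page) pairs
    that contain it, whether or not the live database still has the row."""
    found = {}
    for index, page_no, _commit, page in wal_frames(path):
        for m in URL_RE.finditer(page):
            found.setdefault(m.group(0).decode("ascii"), []).append((index, page_no))
    return found


def demo_tabs_wal():
    """Constructed stand-in for Orfox's Tabs.db (schema and titles made up):
    three tabs are opened, one is closed, and Tabs.db-wal is read before any
    checkpoint. Returns (urls still in the table, urls recoverable from the WAL)."""
    with tempfile.TemporaryDirectory() as tmpdir:
        db = os.path.join(tmpdir, "Tabs.db")
        con = sqlite3.connect(db)
        con.execute("PRAGMA journal_mode=WAL")
        con.execute("PRAGMA wal_autocheckpoint=0")  # keep every frame in the -wal file
        con.execute("CREATE TABLE tabs (id INTEGER PRIMARY KEY, title TEXT, url TEXT)")
        for url in ("http://genoacfc.it/", "http://thehiddenwiki.org/",
                    "http://3g2upl4pq6kufc4m.onion/"):
            con.execute("INSERT INTO tabs (title, url) VALUES (?, ?)", ("tab", url))
        con.commit()
        con.execute("DELETE FROM tabs WHERE url = ?", ("http://3g2upl4pq6kufc4m.onion/",))
        con.commit()
        live = sorted(r[0] for r in con.execute("SELECT url FROM tabs"))
        recovered = urls_in_wal(db + "-wal")
        con.close()  # closing the last connection checkpoints and removes the WAL
    return live, recovered


if __name__ == "__main__":
    live, recovered = demo_tabs_wal()
    print("live tabs:", live)
    for url, frames in sorted(recovered.items()):
        print(f"{url:35} in WAL frames {frames}")
```

The same walk over Browser.db-wal lists bookmark and history URLs that were written since the last checkpoint, which is why the slide reports visited URLs there rather than only in the main database.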
ANALYSIS METHODOLOGY – PART 4
1. UNINSTALL: Orbot uninstall, Orweb uninstall, Orfox uninstall
2. DEVICE PHYSICAL ACQUISITION
RESIDUAL TRACES AFTER UNINSTALL
• system/powerManager
• system/usagestats/monthly - usagestats/weekly - usagestats/yearly
• data/com.android.vending/databases/localappstate.db
• data/com.android.vending/databases/library.db
• data/com.android.vending/databases/package_verification.db
• data/com.google.android.googlequicksearchbox/databases/icingcorpora.db
• data/com.google.android.partnersetup/shared_prefs/ApplicationHidingPreferences.xml
• data/com.samsung.android.sm/databases/lowpowercontext-system-db
• data/com.samsung.android.sm/databases/sm.db
PROPOSED INVESTIGATION METHODOLOGY
SYSTEM
• PACKAGES.LIST
• PACKAGE-USAGE.LIST
• POWERMANAGER
• RECENT_TASKS
• USAGESTATS
DATA
• LOCALAPPSTATE.DB
• LAUNCHER.DB
• LOWPOWERCONTEXT-SYSTEM-DB
INFO.GUARDIANPROJECT.BROWSER
• COOKIES
• CACHE
• STRING HEADER SEARCH [ 30 5C 72 A7 1B 6D FB FC 05 00 00 00 ]
INFO.GUARDIANPROJECT.ORFOX
• BROWSER.DB-WAL
• TABS.DB
• TABS.DB-WAL
Q&A?
Claudia Meda
• PhD student in Science and Technology for Electronic and Telecommunications Engineering, University of Genoa, Italy
claudia22.meda@gmail.com
@KlodiaMaida
https://it.linkedin.com/in/claudia-meda-3142046b
Mattia Epifani
• Digital Forensics Analyst
• CEO @ REALITY NET – System Solutions – Genoa, Italy
• GCFA, GMOB, GNFA, GREM
• CEH, CHFI, CCE, CIFI, ECCE, AME, ACE, MPSC
mattia.epifani@realitynet.it
@mattiaep
http://www.linkedin.com/in/mattiaepifani
http://www.realitynet.it
http://blog.digital-forensics.it