Professional Documents
Culture Documents
Vladimir Katalov
ElcomSoft Ltd.
www.elcomsoft.com
Who We Are
Curiosity
Privacy
The right to know
Government surveillance
Forensics
Backup and recovery
Top 10 fears of 2015
Source:
http://www.livescience.com/52535-american-fear-survey-2015.html
What This Presentation is NOT About
Hacking
Accessing someone else account
Compromising Google
Criminal activities
Profit
Not Every
Android
Smartphone is a
Google Device
China is the
biggest market
30% of all
smartphones
sold in China
Google services
completely
banned
Mobile vs Cloud Forensics
Google mail
900 million users (May2015)
Monthly unique users: 90 million (2014)
Percentage of Americans using Gmail: 24% (2013)
Gmail app downloads from Google Play: 1 billion (2014)
Percentage of Gmail users working on mobile device: 75% (2015
Google Chrome
Google Chrome users: 1 billion (2015)
Percentage of web browser usage: 35% (2013)
Android
Apple iCloud
Number of Android devices: 1.4 billion (September 2015)
Introduced in Oct 2011 with iOS 5
Android share: over 80%
Optional upgrade to iCloud Drive since iOS 8
Average daily Android activations: 1.5 million
5 GB free storage, up to 1 TB paid storage
About 25,000 unique device models
Extremely convenient: over 500 million users
What Apple Knows About You?
Quite a lot:
https://www.apple.com/privacy/government-information-requests/
We have:
Acquisition steps:
Notes:
Apple response
Notification emails (do not appear now)
2FA to protect iCloud backups
iOS 9: ATS (App Transport Security), pinned certificates, new
storage location and data format, updated encryption, mandatory
2FA (?)
Solution: Two-Step Verification?
https://www.google.com/transparencyreport/userdatare
quests/legalprocess
/
Gmail
Email content
Google Sign-On
Google Security Settings
Recent security events and used devices, connected apps, saved
passwords
Google Takeout
Leaves traces
Not all data is exported
Limited flexibility
Inconvenient format
Google Dashboard: Account Activity
Google Dashboard: profile, connected devices & apps
Google Dashboard: Mail
Google Chrome Sync
Google Chrome: search & browsing history
https://history.google.com/history/
Total searches
Searches by day
Top search clicks
Map search history
Voice search history
Info on devices
Location history
What is saved:
tp://arstechnica.com/gadgets/2015/10/android-6-0s-auto-backup-for-apps-perfect-data-backup-for-the-1
Device Backups: Android 6.0
Albums/events
Comments
Geo tags
Subscriptions
View counters
People
Android Device Backups: Downloading
thentication: https://android.clients.google.com/auth
Download backup: https://android.clients.google.com/back
Get refresh token (input: email, password)
Get authentication token (input: refresh token) Input: android_id, package to restore (download), Auth
Output (array of strings):
pm (general info on applications)
t info on backups available: https://android.googleapis.com/backup
android (wallpaper: xml + picture)
Input: android_id, authentication token) com.android.nfc
Output (array) com.android.providers.settings (including Wi-Fi password
Android_id com.android.vending
Backup creation date/time com.google.android.talk
Date/time of device registration on account com.google.android.googlequicksearchbox
Device name or model com.google.android.calendar
SDK version com.google.android.inputmethod.latin
Last activity date/time com.google.android.gm
Android M
//accounts.google.com/ServiceLogin?hl=en-US&Email={email}
okie: GAPS=1:iv-YjJtilF-coJ0RpCZhlmMBj97IRA:RKppYacKUG4PUMNX
okie: GALX=mItW3iafLoo;Path=/;Secure
//accounts.google.com/ServiceLoginAuth HTTP/1.1
e: GoogleAccountsLocale_session=en; GAPS=[]; GALX=[]&Email={email}&Passwd={password}
okie: NID=[...] SetCookie: SID=[...] Set-Cookie: LSID=[...]
okie: HSID=[...] Set-Cookie: SSID=[...] Set-Cookie: APISID=[...] Set-Cookie: SAPISID=[...]
ttps://talkgadget.google.com/u/0/talkgadget/_/chat?{parameters}
e: NID=[...]; HSID=[...]; SSID=[...]; SID=[...]; APISID=[...]; SAPISID=[...]
okie: S=talkgadget=VlFAZCxwB-G_h53WWt_g6Q
conversation (dialog):
//clients6.google.com/chat/v1/conversations/getconversation?alt=protojson&key=API_KEY
: NID=[...];
[...]; SSID=[...]; SID=[...];
Dialog data (id, inviteTime, activatedTime)
=[...]; [...]
Participants' data (id, name, avatarUrl)
ization:SAPISIDHASH {hash}
Events (Message, AddUser, RemoveUser, SentPhoto, VideoCall, Location
IDHASH: SHA-1(timestamp+SAPISID+URL)
Date/time
Info on video call: date/time (start+end)
Text
Locations (address, mapUrl, latitude, longtitude)
Picture (photoUrl, width, height, album_name)
Obtaining Google Chrome history
Headers:
Accept: */*
Accept-Language: ru,en-US;q=0.8,en;q=0.6
Connection: keep-alive
Host: history.google.com
Cookie: cookie (obtained after auth-n, includes auth. token)
https://history.google.com/history/youtube/watch?jspb=1&max=1394034083520660
Or
Use YouTube API
https://developers.google.com/youtube/v3/docs/
https://history.google.com/history/youtube/search?jspb=1&max=1422545631282456
Google Drive
Authenticate:
https://www.googleapis.com/auth/drive
Get file list:
GET https://www.googleapis.com/drive/v2/files?key={YOUR_API_KEY} (pretend to be Chromium)
Returns:
Download URL
ID Detailed list request:
Parent ID GET https://www.googleapis.com/drive/v2/files?
If Shared with me maxResults={MAX_RESULT}&pageToken={PAGE_TOKEN}&fields={FIELDS}&ke
Owner
y={YOUR_API_KEY}
Access rights {PAGE_TOKEN} page token
File name
{MAX_RESULT} number of files in response
File size
Description {FIELDS} fields to return
Properties
To get info on particular file, set its ID in the request, provide parameters:
https://developers.google.com/drive/v2/reference/files/get
Download file:
GET https://www.googleapis.com/drive/v2/files/fileID?alt=media
Get circles:
POST https://clients6.google.com/ rpc/plusi?key=[..]
(returns circles, friends: email, contactId, obfuscatedGaiaId, displayName)
GET https://picasaweb.google.com/data/feed/api/user/{USER_ID}/albumid/{ALBUM_ID}?kind=comment&[..]
Returns:
gphoto:id (own id)
gphoto:photoid
authorId
published
updated
title
content
Google Chrome: passwords
message PasswordSpecificsData {
optional int32 scheme = 1;
optional string signon_realm = 2;
optional string origin = 3; Obtaining master encryption keys
optional string action = 4;
optional string username_element =Chrome
5; sync
optional string username_value = 6; https://clients4.google.com/chrome-sync/command/?client=Chromium&client_id=[...]
optional string password_element = (body:protobuf
7; with GetUpdatesMessage(need_encryption_key=true)
optional string password_value = 8; response: GetUpdatesResponse with entries & encryption key
optional bool ssl_valid = 9;
optional bool preferred = 10; Get master encryption keys
optional int64 date_created = 11; Key=pbkdf2_sha1(base64(encryption_key)+"saltsalt",1003)
optional bool blacklisted = 12; MacKey=pbkdf2_sha1(base64(encryption_key)+"saltsalt",1004)
optional int32 type = 13;
optional int32 times_used = 14;
} The keys can be additionally encrypted using the passphrase (on the client si
message PasswordSpecifics {
optional EncryptedData encrypted = 1;
optional PasswordSpecificsData client_only_encrypted_data = 2;
}
Google Dashboard: stats we can get
https://picasaweb.google.com/data/
get refresh_token (by client_id, then by client_secret oauth_code)
Google drive
https://accounts.google.com/o/oauth2/programmatic_auth?authuser=0
https://www.googleapis.com/auth/drive
Set-Cookie: oauth_code=4/5xOmk7KEXG70-3cYAju66pp8sx1U4FyCIRWI_J1zQ
https://accounts.google.com/o/oauth2/token
{
"access_token" : "ya29.yAHuL5lPQW63Yn90hVETqe95ueyM8SpoqhyqPmy-hTywd4chkANfQTt0VNeTBMQhrkw",
"refresh_token" : "1/slXyWGQPs1IVI7t-VC3_VKWSWUYJONt1Ue8tRG-pc"
}
get access_token
https://accounts.google.com/o/oauth2/token HTTP/1.1
client_id=[...]&client_secret=[...]&grant_type=refresh_token&refresh_token=[...]&scope=[]
Google Takeout
Marketing:
Your account, your data. Export a copy.
Create an archive with your data from Google
products.
Reality:
Google Takeout exports data in a number of
different formats
Not all information is available
In fact, many types of data are not accessible via
Takeout
User receives a notification email
Google Takeout vs. Elcomsoft Cloud eXplorer
Service EC Takeo Service EC Takeo
X ut X ut
User info + + Location history + +
Messages + + Google Books - +
Contacts + + Google Drive + +
Notes (Google + + Email (Gmail) + +
Keep)
Reminders - - Android Cloud +
Backups
Web history + - Google Wallet - +
Chrome + + Google Play - -
Music/Video/Apps
Media (Google + + Google Tasks - +
Photo)
Calendars + + Google Bookmarks - +
Google settings + - Google Fit - +
Authentication & data acquisition
Phishing
Brute-force attacks
e.g. iBrutr
(https://github.com/Pr0x13/iBrutr)
Reverse brute-force attacks
Password reset/recovery
Key loggers
Fake AP
Network sniffing
Social engineering
Passwords re-use
How LE Get Passwords
ts)
Contacts + + - Location ? + +
history
Notes + + - Google ? + -
(Keep) Books
Web + + + Google + + +
history Drive
Chrome + + + Gmail + + +
Media + + - Android - + +
(Google Cloud
Photo) Backups
Final Thoughts (mixed)
Nullcon 2016
Vladimir Katalov, ElcomSoft Co. Ltd.
http://www.elcomsoft.com
http://blog.crackpassword.com
Facebook: ElcomSoft
Twitter: @elcomsoft