How well does our BitDefender integration work?

Mobile malware is picking up steam. From malicious apps that send private and personal data to unknown third parties, to sound- and light-activated mobile malware, to mobile malware that can exfiltrate information from Windows PCs, mobile malware increased between 580% and 1000% last year, with tens of thousands of pieces of malware currently in the wild.

That’s why in December, BitDefender’s anti-malware technology was implemented in Cellebrite’s UFED Physical Analyzer software to analyze physical and file system extractions and provide a comprehensive malware report.

The integrated solution helps forensic examiners pinpoint whether undetected malware aided the commission of crimes. More specifically, BitDefender unpacks apps’ .apk files and looks inside them for infected files. The company updates its signature files frequently, so each time you run UFED Physical Analyzer’s malware scanner, you scan images with fresh malware signatures.

At Mobile Forensics World last month, presenters Carlos Cajigas and Pete McGovern with Florida-based EPYX Forensics used open source Linux-based tools to validate our integration of BitDefender mobile malware scanning. Among the tools: AVG and Clam, as well as BitDefender mounted within Linux Ubuntu.

As described in the EPYX blog, Cajigas had already scanned the image of an infected HTC Desire with UFED Physical Analyzer’s BitDefender integration. There, our software identified 331 infections.

After a review of how AVG, Clam, and BitDefender performed against 11,080 known pieces of malware identified from VirusShare.com, a repository of samples, Cajigas ran AVG and Clam against the device’s image. They found only 14 and 19 infections, respectively. As he noted, these hits can be valuable low-hanging fruit that may be all that is needed to make a case.

Even so, a final scan with BitDefender uncovered 368 suspicious files out of 39,473 total files (including those within the 11,080 .apks); of those, 41 were viruses. Cajigas accounted for the discrepancy between this scan and the initial Physical Analyzer scan by stating that he had performed the first scan several weeks earlier—and that BitDefender had likely updated its signature files since.

Beyond the malware scan

Cajigas points out: “Simply scanning a device only points to the fact that there may be some evil on that image. Reverse engineering can find out if the image is in fact infected, or would be a false positive.”

What counts as a false positive? That depends. “If I root my phone, I will install BusyBox on it,” says Cajigas. “Because most people call it a hacking tool, malware detectors alert on it. But because it was intentionally installed, it’s not in fact malware. This makes it a false positive.”
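The workflow the post describes (unpacking .apk files and inspecting what is inside, checking hits against a known-sample set, comparing what several engines flag on the same image, and setting aside tools the examiner installed deliberately, such as BusyBox on a rooted phone) can be reduced to a small triage script. The following is an added example, not code from Cellebrite, EPYX Forensics or BitDefender: it stands in signature scanning with SHA-256 hash matching against a constructed "known-bad" set, every sample file and every scanner output line is constructed (the clamscan lines only follow that tool's `path: Signature FOUND` / `path: OK` shape), and the signature names and paths are placeholders.

```python
import hashlib
import io
import zipfile

# Constructed stand-in bytes (not real malware); they only need distinct hashes.
BENIGN_DEX = b"dex\n035 constructed benign classes.dex"
SUSPECT_PAYLOAD = b"constructed payload standing in for a known-bad file"
BUSYBOX_BINARY = b"constructed stand-in for a BusyBox binary the examiner installed"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_apk(entries: dict) -> bytes:
    """Build an in-memory zip that plays the role of an .apk (an .apk is a zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def unpack_apk_hashes(apk_bytes: bytes) -> dict:
    """Return {entry name: sha256} for every file inside the .apk."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                hashes[info.filename] = sha256(zf.read(info))
    return hashes


def triage(apks: dict, known_bad: dict, allowlist: dict) -> dict:
    """Classify every entry of every .apk by hash.

    known_bad: {sha256: label} from a sample repository (constructed here).
    allowlist: {sha256: reason} for files the examiner put there deliberately,
               which a scanner may still flag (the BusyBox false-positive case).
    Returns lists of (apk name, entry name, label) under three keys.
    """
    report = {"known_bad": [], "allowlisted": [], "unknown": []}
    for apk_name, apk_bytes in apks.items():
        for entry, digest in unpack_apk_hashes(apk_bytes).items():
            if digest in known_bad:
                report["known_bad"].append((apk_name, entry, known_bad[digest]))
            elif digest in allowlist:
                report["allowlisted"].append((apk_name, entry, allowlist[digest]))
            else:
                report["unknown"].append((apk_name, entry, "no hash match"))
    return report


def parse_clamscan(output: str) -> set:
    """Collect infected paths from clamscan-style 'path: Signature FOUND' lines."""
    hits = set()
    for line in output.splitlines():
        if line.endswith(" FOUND"):
            path, _, _ = line.rpartition(": ")
            hits.add(path)
    return hits


def reconcile_scanners(results: dict) -> dict:
    """Cross-tabulate {scanner: set of flagged paths} into {path: [scanners]}.

    A path flagged by a single engine is neither confirmed nor refuted; it is
    the first thing to research, as the post's examiner recommends.
    """
    table = {}
    for scanner, flagged in results.items():
        for path in flagged:
            table.setdefault(path, []).append(scanner)
    return {path: sorted(s) for path, s in table.items()}


# Constructed output in clamscan's line shape; signature names are placeholders.
CONSTRUCTED_CLAMSCAN_OUTPUT = """\
/mnt/image/data/app/com.example.game-1.apk: Andr.Constructed.Sample-1 FOUND
/mnt/image/data/app/com.example.notes-1.apk: OK
/mnt/image/system/xbin/busybox: Andr.Constructed.Tool-1 FOUND
"""


def demo() -> dict:
    """Run the triage and the scanner reconciliation on the constructed data."""
    apks = {
        "com.example.game-1.apk": build_sample_apk(
            {"classes.dex": BENIGN_DEX, "lib/armeabi/libpay.so": SUSPECT_PAYLOAD}),
        "busybox-1.apk": build_sample_apk({"assets/busybox": BUSYBOX_BINARY}),
    }
    known_bad = {sha256(SUSPECT_PAYLOAD): "constructed.trojan"}
    allowlist = {sha256(BUSYBOX_BINARY): "BusyBox installed deliberately on rooted phone"}
    scanner_results = {
        "clam": parse_clamscan(CONSTRUCTED_CLAMSCAN_OUTPUT),
        # Constructed hit sets for the other two engines on the same image.
        "avg": {"/mnt/image/data/app/com.example.game-1.apk"},
        "bitdefender": {"/mnt/image/data/app/com.example.game-1.apk",
                        "/mnt/image/system/xbin/busybox",
                        "/mnt/image/data/app/com.example.notes-1.apk"},
    }
    return {"triage": triage(apks, known_bad, allowlist),
            "scanner_table": reconcile_scanners(scanner_results)}


if __name__ == "__main__":
    for section, rows in demo().items():
        print(section, rows)
```

The allowlist is keyed by hash rather than by file name on purpose: a file called `busybox` that does not hash to the binary the examiner installed should still land in `unknown` and be researched, which is the distinction the post draws between a deliberately installed tool and malware.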

Several variables determine whether a forensic examiner should move forward in determining whether a malware infection has any bearing on a case. One variable is the severity of charges. Another is what other evidence exists in the case. A case that hinges on mobile device evidence may require additional investigation so as to reduce reasonable doubt.

“If you find malware, how would you be satisfied that the malware you found is not related to the crime?” Cajigas asks. “The only answer is research and investigation.” He recommends pulling any infected .apks into a resource like Anubis, which “sandboxes” .apks for safe exploration. Here, it is possible to see what URLs the .apks are calling, along with any other suspicious behavior.

From there, it may be necessary to reverse engineer the suspected malware. Cajigas says this is an advanced skill which usually involves very specific training. Yet, developing this kind of skill—or finding an expert who has it—could be important to a case.

He offers the example of an .apk that is shown to be a worm. “Later on the examiner might determine that the worm opened a backdoor that calls to a command and control center, which steals information such as the device’s IMEI or ICCID—but does not download child porn,” he explains. This could be very important in a child exploitation case.

As Cajigas’ presentation showed, the addition of BitDefender to UFED Physical Analyzer means that investigators’ ability to identify potential and actual malware is much stronger than it would be if Clam or AVG were all they had to rely on. However, examiners must be able to testify in court about the process they used to detect and then investigate suspicious .apks.

Join us one month from today at Mobile Forensics World!

The agenda is set and we’re hoping to see you a month from now! As the Host Sponsor of Mobile Forensics World 2013 at Myrtle Beach, SC, Cellebrite has obtained unlimited FREE VIP registrations* — a $1395 value — for this year’s conference being held on June 2 – 5, 2013. Why should you grab one?

Technical education

During MFW, plan to learn how to:

  • Explain probative smartphone and tablet evidence to attorneys as John Carney, CTO of Carney Forensics, describes issues with mobile security and forensics.
  • Decode unsupported iOS apps as Joe Church, Founder/Owner of Digital Shield, discusses the apps’ different data structures and methods.
  • Analyze gang members’ and terrorists’ communications towards curbing violence. Sgt. Dan Morrissey, of the Sacramento County (CA) Sheriff’s Office, will describe how his team applies link analysis.
  • Understand how terrorists communicate via mobile device and social media apps. Majid Hassan, Director of CAPIT, will go in-depth on how mobile devices are more than IED triggers.
  • Verify commercial tools’ malware scanning utilities via Linux Ubuntu’s free built-in capability. Carlos Cajigas and Pete McGovern of EPYX Forensics will provide a step-by-step process.
  • Recover and analyze PC backups as Gilad Sahar, Cellebrite’s Decoding Research Team Leader, compares this type of data with data from a full physical extraction.
  • Access valuable data on locked Android devices that have been subjected to zero-day attacks with Nadav Horesh, Cellebrite Extraction Research Team Leader.

Finally, don’t miss this year’s panel. Six months after the release of the “Mobile Forensic Trends for 2013” white paper, join industry subject matter experts as they talk live about the predictions they made and the latest trends they see in “Trends in Mobile Forensics: Midyear Review.”

Cellebrite presentations

In our company track, we’ll cover how Cellebrite’s UFED Series supports mobile forensics in the lab, on the battlefield, or anywhere in between. We’ll also present how to use automated link analysis tools like UFED Link Analysis to get more actionable leads in an investigation; forensic support for name-brand and knock-off smartphones manufactured with Chinese chipsets; an in-depth demo of UFED Touch extracting and decoding smartphone and tablet evidence; and finally, how Cellebrite engineers develop password bypass solutions beyond the bootloader.

Monday’s Night at the Arcade!

Monday evening, we’re co-hosting a party out on the veranda. Together with Techno Security Host Sponsor Nuix, we’re offering food, an open bar, games including air hockey and an X-Box tournament (with prizes), and raffles. Come to network and win!

Also be sure to register for our two-part lunch & learn, “Collect with Cellebrite – Process with Nuix.”

Pre-Conference Certification Training

We’re also pleased to offer pre- and post-conference training. From Friday, May 31st through Sunday, June 2nd, Digital Shield Inc. will hold Cellebrite’s 3-Day Ultimate Certification Course. Click here to register for this class.

Starting Wednesday, June 5th and ending Thursday, June 6th, H11 Digital Forensics presents Cellebrite Certified CHINEX Training. Click here to register for this training.

Register using our FREE conference passes!

To register for one of the free VIP passes, visit the following online registration:

https://www.techsec.com/conferences/register.cgi?c=TS-2013

Select the Sponsor/VIP Pass – NO IPAD option, enter “0” for amount paid and enter “Cellebrite-VIP” in the Promotional Code section of the form.

The full agenda for Mobile Forensics World and Techno Security is available at http://www.thetrainingco.com/agenda/agenda.cgi?c=TS-2013. For any attendees who hold a CISSP, CISA or CISM certification, this conference also provides 32 CEU credits.

We look forward to seeing you in Myrtle Beach this June!

*Travel and hotel expenses will be your responsibility. The conference hotel fills quickly each year, and you must be registered for the conference to reserve rooms at the hotel.