Mobile forensics: how to identify suspicious network traffic

During a forensic analysis of a mobile device, especially when a full memory acquisition is not possible, analysing the network traffic can help to identify suspicious activity: spyware and other implants must sooner or later talk to their command-and-control infrastructure, and that traffic is observable even when the device itself cannot be imaged.

In the past, I used a Linux box connected to a wired network, with the wireless interface configured as an access point, with IP routing enabled and tcpdump running in order to dump the network traffic.

On the mobile device, some additional steps are required:

  1. Disable the 3G/4G data link, so that every packet is forced through the Wi-Fi network you are capturing
  2. Close all the open applications and disable background data refresh, to reduce noise in the capture
  3. Connect the smartphone to the Wi-Fi network generated by the Linux box
  4. Perform some activities on the device (send an SMS, make a call, take a photo, restart the phone: some implants react to such events)

Finally, save and analyze the capture.

However, some days ago I discovered a tool developed by Kaspersky Labs, named TinyCheck [1], which is useful to perform all these steps:

TinyCheck allows you to easily capture network communications from a smartphone or any device which can be associated to a Wi-Fi access point in order to quickly analyze them. This can be used to check if any suspect or malicious communication is outgoing from a smartphone, by using heuristics or specific Indicators of Compromise (IoCs).
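As an added example (my own code, not part of the original procedure and not TinyCheck's code), the following Python script performs the last step of the manual workflow, the analysis of the saved capture, in the same spirit as TinyCheck's IoC matching: it walks a classic libpcap file as written by tcpdump, extracts every IPv4 destination and every DNS question name, and reports the ones that match an indicator list. The indicator domain, the 203.0.113.0/24 network (a documentation range) and the three-packet capture are constructed for the demonstration, not real indicators or real traffic.

```python
"""Triage a tcpdump capture from a phone: flag destinations and DNS names that match IoCs.

Added example, not part of the original post or of TinyCheck. The indicators and the
sample capture below are constructed for the demonstration.
"""
import ipaddress
import struct

# Constructed IoC list: a hypothetical C2 domain and the TEST-NET-3 documentation range.
IOC_DOMAINS = {"c2.example-bad.test"}
IOC_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_pcap(data: bytes):
    """Yield the link-layer frames of a classic (libpcap, not pcapng) capture."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack(endian + "I", data[20:24])
    if linktype != 1:  # DLT_EN10MB: tcpdump on the access-point interface gives Ethernet frames
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def dns_qname(payload: bytes) -> str:
    """Decode the first question name of a DNS message (plain queries carry no compression)."""
    labels, pos = [], 12  # skip the 12-byte DNS header
    while pos < len(payload):
        length = payload[pos]
        pos += 1
        if length == 0 or length >= 0xC0:  # end of name, or a compression pointer
            break
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels)


def extract_events(data: bytes):
    """Return one (dst_ip, qname_or_None) pair per IPv4 packet in the capture."""
    events = []
    for frame in parse_pcap(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # skip non-IPv4 frames
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        dst = str(ipaddress.IPv4Address(frame[30:34]))
        qname = None
        if proto == 17:  # UDP: look for DNS queries to port 53
            udp = frame[14 + ihl:]
            if len(udp) >= 8 and struct.unpack("!H", udp[2:4])[0] == 53:
                qname = dns_qname(udp[8:])
        events.append((dst, qname))
    return events


def match_iocs(data: bytes):
    """Return (kind, indicator, context) hits: names matching IOC_DOMAINS, IPs inside IOC_NETWORKS."""
    hits = []
    for dst, qname in extract_events(data):
        if qname and any(qname == d or qname.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(("dns", qname, dst))
        if any(ipaddress.ip_address(dst) in net for net in IOC_NETWORKS):
            hits.append(("ip", dst, qname))
    return hits


# --- constructed sample capture, so the script runs offline ---------------------------

def make_frame(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 header around payload; checksum left zero, the parser never checks it."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + ip + payload


def make_dns_query(name: str) -> bytes:
    """UDP datagram carrying a standard A query for name."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    return struct.pack("!HHHH", 40000, 53, 8 + len(msg), 0) + msg


def build_sample_pcap() -> bytes:
    """A benign DNS lookup, a lookup of the IoC domain, and a TCP SYN into the IoC network."""
    tcp_syn = struct.pack("!HHIIBBHHH", 40001, 443, 0, 0, 0x50, 0x02, 64240, 0, 0)
    frames = [
        make_frame("192.168.50.2", "8.8.8.8", 17, make_dns_query("example.com")),
        make_frame("192.168.50.2", "8.8.8.8", 17, make_dns_query("c2.example-bad.test")),
        make_frame("192.168.50.2", "203.0.113.10", 6, tcp_syn),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, DLT_EN10MB
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for kind, indicator, context in match_iocs(build_sample_pcap()):
        print(f"{kind:3}  {indicator}  (context: {context})")
```

On a real capture, replace build_sample_pcap() with the bytes of the file written by tcpdump. The parser deliberately stops at what this workflow needs (Ethernet, IPv4, plain DNS queries): VLAN-tagged frames and IPv6 are skipped, pcapng files are rejected rather than silently misparsed, and a hit list is only as good as the indicator feed behind it, which is why a tool such as TinyCheck pairs IoC matching with heuristics on the traffic itself.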


How to install TinyCheck

Prior to installing TinyCheck, you need:

  • A Raspberry Pi with Raspberry Pi OS (or any computer with a Debian-like system)
  • Two working Wi-Fi interfaces, one for the upstream connection and one for the access point the phone joins (check their number with ifconfig | grep wlan | wc -l)
  • A working internet connection
  • (Advised) A small touchscreen, previously installed, for the kiosk mode of TinyCheck

$ cd /tmp/
$ git clone https://github.com/KasperskyLab/TinyCheck
$ cd TinyCheck
$ sudo bash install.sh

By executing install.sh, all the dependencies associated with the project are installed, which can take several minutes depending on your internet speed. Four services are created:

  • tinycheck-backend executing the backend server & interface;
  • tinycheck-frontend executing the frontend server & interface;
  • tinycheck-kiosk to handle the kiosk version of TinyCheck;
  • tinycheck-watchers to handle the watchers which update automatically IOCs / whitelist from external URLs;

Once the installation is complete, the operating system reboots.


References

  1. https://github.com/KasperskyLab/TinyCheck
