Mobile forensics: how to identify suspicious network traffic
During a forensic analysis on mobile devices, especially when you are not able to perform a full memory acquisition, a network traffic analysis could be useful in order to identify suspicious activities.
In the past, I used a Linux box connected to a wired network, with the wireless interface configured as an access point, IP routing enabled and tcpdump running in order to dump the network traffic.
On the mobile device, some additional steps are required:
- Disable the 3G/4G data link
- Close all the opened applications and disable background data refresh
- Connect your smartphone to the WiFi network generated by the Linux box
- Make some activities on the device (send an SMS, make a call, take a photo, restart the phone: some implants might react to such events).
Finally, save and analyze the capture.
However, some days ago, I discovered a tool developed by Kaspersky Labs, named TinyCheck, useful to perform all these steps:
TinyCheck allows you to easily capture network communications from a smartphone or any device which can be associated to a Wi-Fi access point in order to quickly analyze them. This can be used to check if any suspect or malicious communication is outgoing from a smartphone, by using heuristics or specific Indicators of Compromise (IoCs).
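Whether the capture comes from the tcpdump setup above or from TinyCheck, the last step is the same: go through the traffic and match it against IoCs and simple heuristics. The script below is an added example of that analysis step, not code from the post or from the TinyCheck project. It parses tcpdump -n text output (the sample lines, IoC domain, IoC address and the 192.168.50.0/24 lab network are all constructed for the example, not real indicators), flags DNS queries whose name matches an IoC domain, connections to an IoC address, and connections to an address outside the local network that no DNS answer in the capture ever resolved (a common trait of hard-coded command-and-control endpoints).

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed tcpdump -n output lines (not a real capture). The phone is
# 192.168.50.10; the Linux box acting as access point and resolver is 192.168.50.1.
SAMPLE_LINES = [
    "10:00:01.000100 IP 192.168.50.10.51234 > 192.168.50.1.53: 11111+ A? update.vendor.example. (38)",
    "10:00:01.000900 IP 192.168.50.1.53 > 192.168.50.10.51234: 11111 1/0/0 A 198.51.100.20 (54)",
    "10:00:01.002000 IP 192.168.50.10.51235 > 198.51.100.20.443: Flags [S], seq 1, win 65535, length 0",
    "10:00:05.000100 IP 192.168.50.10.51236 > 192.168.50.1.53: 22222+ A? beacon.c2-placeholder.example. (46)",
    "10:00:05.000900 IP 192.168.50.1.53 > 192.168.50.10.51236: 22222 1/0/0 A 203.0.113.7 (62)",
    "10:00:05.002000 IP 192.168.50.10.51237 > 203.0.113.7.8443: Flags [S], seq 1, win 65535, length 0",
    "10:00:09.000000 IP 192.168.50.10.51238 > 192.0.2.55.4444: Flags [S], seq 1, win 65535, length 0",
]

# Placeholder indicators for the example; a real run would load these from an IoC feed.
IOC_DOMAINS: Set[str] = {"c2-placeholder.example"}
IOC_IPS: Set[str] = {"203.0.113.7"}

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
DNS_QUERY_RE = re.compile(rf"^\S+ IP {IPV4}\.\d+ > {IPV4}\.53: \d+\+ [A-Z]+\? (\S+)\. ")
DNS_ANSWER_RE = re.compile(rf"^\S+ IP {IPV4}\.53 > {IPV4}\.\d+: ")
FLOW_RE = re.compile(rf"^\S+ IP {IPV4}\.(\d+) > {IPV4}\.(\d+): ")
A_RECORD_RE = re.compile(rf"\bA {IPV4}")


def parse_line(line: str) -> Optional[Dict]:
    """Classify one tcpdump -n line as a DNS query, a DNS answer or a generic flow."""
    m = DNS_QUERY_RE.match(line)
    if m:
        return {"kind": "dns_query", "src": m.group(1), "qname": m.group(3).lower()}
    m = DNS_ANSWER_RE.match(line)
    if m:
        # Collect every A record in the answer section so later flows can be tied to a name.
        return {"kind": "dns_answer", "dst": m.group(2), "answers": A_RECORD_RE.findall(line)}
    m = FLOW_RE.match(line)
    if m:
        return {"kind": "flow", "src": m.group(1), "sport": int(m.group(2)),
                "dst": m.group(3), "dport": int(m.group(4))}
    return None


def matching_ioc_domain(qname: str, ioc_domains: Set[str]) -> Optional[str]:
    """Return the IoC domain that qname equals or is a subdomain of, if any."""
    for ioc in ioc_domains:
        if qname == ioc or qname.endswith("." + ioc):
            return ioc
    return None


def analyze(lines: List[str], ioc_domains: Set[str], ioc_ips: Set[str],
            local_net: str = "192.168.50.0/24") -> List[Tuple[str, str]]:
    """Walk the capture in order and return (reason, detail) findings."""
    net = ipaddress.ip_network(local_net)
    resolved: Set[str] = set()  # addresses that appeared in some DNS answer so far
    findings: List[Tuple[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "dns_query":
            hit = matching_ioc_domain(rec["qname"], ioc_domains)
            if hit:
                findings.append(("ioc_domain", f"{rec['src']} queried {rec['qname']} (IoC: {hit})"))
        elif rec["kind"] == "dns_answer":
            resolved.update(rec["answers"])
        else:
            dst = rec["dst"]
            if rec["dport"] == 53 or ipaddress.ip_address(dst) in net:
                continue  # DNS traffic and local-network flows are handled elsewhere
            if dst in ioc_ips:
                findings.append(("ioc_ip", f"{rec['src']} -> {dst}:{rec['dport']} (IoC address)"))
            elif dst not in resolved:
                # No DNS answer in the capture ever returned this address: hard-coded endpoint?
                findings.append(("direct_to_ip", f"{rec['src']} -> {dst}:{rec['dport']} never resolved"))
    return findings


if __name__ == "__main__":
    for reason, detail in analyze(SAMPLE_LINES, IOC_DOMAINS, IOC_IPS):
        print(f"[{reason}] {detail}")
```

Feed it real data with `tcpdump -n -r capture.pcap` piped into the script; the "never resolved" heuristic only works if the capture starts before the phone's DNS cache is warm, which is one more reason to restart the phone during the capture as the steps above suggest.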
How to install TinyCheck
Prior to the TinyCheck installation, you need to have:
- A Raspberry Pi with Raspberry Pi OS (or any computer with a Debian-like system)
- Two working Wi-Fi interfaces (check their number with ifconfig | grep wlan | wc -l).
- A working internet connection
- (Advised) A small touchscreen previously installed for the kiosk mode of TinyCheck.
$ cd /tmp/
$ git clone https://github.com/KasperskyLab/TinyCheck
$ cd TinyCheck
$ sudo bash install.sh
When install.sh runs, all the dependencies associated with the project will be installed; this can take several minutes depending on your internet speed. Four services are going to be created:
- tinycheck-backend: executing the backend server & interface;
- tinycheck-frontend: executing the frontend server & interface;
- tinycheck-kiosk: to handle the kiosk version of TinyCheck;
- tinycheck-watchers: to handle the watchers which automatically update IOCs / whitelist from external URLs;
Once installed, the operating system is going to reboot.