AccessData User Summit 2016
April 5th – 7th, 2016, Lake Mary, FL
iOS 9 and Android 6


1 AccessData User Summit 2016
April 5th – 7th, 2016, Lake Mary, FL
iOS 9 and Android 6

2 Starting with iOS 9…
Release Date: September 16, 2015
Current Version: 9.3.1
Adoption: 79%
Compatible Devices:
• iPhone 4s -> iPhone 6s Plus
• iPhone SE
• iPad 2 -> 4th Gen, iPad Air, iPad mini, iPad Pro
• iPod Touch 5th and 6th Generation

3 Some New Features (forensics…)
Starting with security…
• New 6 digit PIN default on devices with Touch ID. Takes the possible combos from 10,000 to 1,000,000. Small increase!
• iCloud 2-Factor authentication.
• iCloud Keychain
  • Password/CC# syncing for approved devices
  • Apple claims “they can’t access”

4 …on the topic of security, iMessage
Ummm… iMessage is not new in iOS 9… (iOS 5)
But… let's talk about the security of iMessage in iOS 9.
No wiretaps… or… #NSA?

5 Some New Features (forensics…)
Notes:
• When creating a note, choose your location!
  • iCloud
  • Gmail (if using a Gmail account as Apple ID)
  • On the Device (stored in SQLite)
    Stored: var/library/containers/shared/app group/~GUID~/notestore.sqlite
• Can embed images within the Notes
    Stored: var/library/containers/shared/app group/~GUID~/media

6 Database Changes
New/MORE! Information tracked with Applications.
Let’s take a look at sms.db.
• sms.db 7.1 messages table on the left (38 columns)
• sms.db 9.3 messages table on the right (51 columns); couldn’t fit them all on my screen
Honorable Mention: Spotlight search got a buff as well… but that leads to…
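The column growth described on this slide can be measured rather than eyeballed. The following is an added example, not part of the original presentation: it diffs one table's columns between two SQLite files by way of `PRAGMA table_info`. The table name `message`, the column lists and the helper names are constructed for illustration and are not the real sms.db schema.

```python
import sqlite3
from pathlib import Path

def open_readonly(path):
    """Open a working copy of an extracted database without write access."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def table_columns(conn, table):
    """Return {column: declared type} for one table, from PRAGMA table_info."""
    quoted = '"' + table.replace('"', '""') + '"'  # PRAGMA takes no bound parameters
    rows = conn.execute(f"PRAGMA table_info({quoted})").fetchall()
    if not rows:  # table_info yields nothing for an unknown table
        raise ValueError(f"table {table!r} not found")
    return {name: ctype.upper() for _cid, name, ctype, *_rest in rows}

def schema_diff(old_conn, new_conn, table):
    """Columns added, removed, or re-typed between two versions of a table."""
    old, new = table_columns(old_conn, table), table_columns(new_conn, table)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "retyped": sorted(c for c in old.keys() & new.keys() if old[c] != new[c]),
    }

# Constructed stand-ins for an older and a newer table layout (not real sms.db columns).
OLD_COLUMNS = ["ROWID INTEGER PRIMARY KEY", "guid TEXT", "text TEXT",
               "date INTEGER", "legacy_flag INTEGER"]
NEW_COLUMNS = ["ROWID INTEGER PRIMARY KEY", "guid TEXT", "text TEXT",
               "date TEXT", "example_new_a INTEGER", "example_new_b TEXT"]

def sample_db(columns):
    """Build an in-memory database holding one constructed 'message' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE message (" + ", ".join(columns) + ")")
    return conn

def demo():
    return schema_diff(sample_db(OLD_COLUMNS), sample_db(NEW_COLUMNS), "message")

if __name__ == "__main__":
    for change, cols in demo().items():
        print(f"{change:8} {len(cols):2}  {', '.join(cols)}")
```

On real evidence, pass two connections from `open_readonly()` pointed at working copies of the extracted files; any column reported as added is one an older parser may be silently skipping.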

7 Jailbreaking…
Jailbreaking has become harder and harder and the wait longer and longer.
Last Stable Jailbreak: iOS 9.1
What is sitting in your Evidence Room?
What are we missing?
• Spotlight Database
• Location Information
• Email
• Applications not in the backup service
Why the slowdown in Jailbreak?
• Increased Apple security/patching schedule
• Jailbreakers: Quitting / -> Android / Hired
“Some of the hackers have probably gone underground as they find it a lot more lucrative to sell the vulnerabilities to government agencies and security firms, for as much as $500,000.” – iphonehacks.com

8 Android 6
…soooo… How often am I going to see this? Well… not much. 4.6% of the time.

Version         Name                   Distribution
2.2             Froyo                  0.1%
2.3.3 – 2.3.7   Gingerbread            2.6%
3.0 – 3.x       Honeycomb (tablets)
4.0.3 – 4.0.4   Ice Cream Sandwich     2.2%
4.1 – 4.3       Jelly Bean             21.3%
4.4             KitKat                 33.4%
5.0 – 5.1       Lollipop               35.8%
6.0             Marshmallow            4.6%

9 What’s new in Security?
“For device implementations supporting full-disk encryption and with AES crypto performance above 50MiB/sec, the full disk encryption MUST be enabled by default at the time the user has completed the out of box setup experience.”
Required Partitions:
• Userdata
• Sdcard (emulated only)
Does not apply to:
• Devices updated to 6.0
• Devices without lockscreens
• …cheap phones…

10 More Security…
Bootloader may still be unlocked… but a warning will be displayed upon each boot which notifies the user the bootloader is not locked. “not secure”.
Micro Permissions:
• No longer an all or nothing system
• Can change permissions after installation
Unlock Options: …a bunch… -> THE PICTURE ->
Lock Delays:
• Power Button decisions
• Auto Lock (Immediate -> 30 min)

11 Forensic Aspects…
• Two (2) SMS messaging applications
  • Messenger (com.google.android.apps.messaging)
  • Hangouts (duplicates SMS) (com.google.android.talk)
• Two (2) Email applications
  • Gmail (com.google.android.gm)
  • Inbox (com.google.android.apps.inbox)
• Three (3) ways to access the Internet
  • Google app (com.google.android.googlequicksearchbox)
  • Google Now launcher (com.google.android.launcher)
  • Google Chrome (com.android.chrome)

12 Rooting
Rooting is still possible… with considerations
• Locked bootloader is the compromise
• What happens when you unlock the bootloader? Hurts forensically…
• Lots of consumer support, you might get lucky!
What are we missing?
• Full file extraction… means no databases, .json, or other containers.
• Limited to app injection…
• JTAG, direct eMMC, and Chip Off still fall victim to encryption…

