Talk "SailfishOS: forensic artifacts"

https://standoff365.com/conferences/356

timecode is 5h05m

Krassimir Tzvetanov

This presentation shows the mapping of the digital artifacts pertinent to investigation, which can be found on the file system of a phone running SailfishOS 3.2. SailfishOS is a Linux kernel-based embedded device operating system, mostly deployed on cell phones. It is being rapidly deployed in Russia, India, and China. In Russia, the government has targeted some 8 million handheld terminals and phones to be replaced with SailfishOS by the end of 2021. In India, the OS is deployed by a couple of the major network providers. And in China, Huawei is investigating it as an Android replacement, as economic tensions with the U.S. arise.

While its popularity is growing, there is insufficient research, so it is likely for investigators to encounter security issues in the field. Among important artifacts are call logs, text messages, location services, address books, and other important artifacts.

watched it. not very interesting, just some .config/ paths with sms/calls/etc.

2 Likes

I read the associated article published in “computers & security”. This is not really forensic analysis. The author explained that he copied all the data from the phone to study them, but not from a locked phone. He used su-devel (sic) to get root access and copy the data.

Then, the whole article is about where personal data are stored in the file system. Well, the backend of SailfishOS is open source and public in git. So all this is known from source, no need to “investigate” or make an article of this. Well, except that for a “real” phone, indeed it corresponds to where it should be.

There are some funny extracts like:

Special mention is required for “DeletedContacts”, which contrary to its name does not contain deleted contacts when opened with sqlitebrowser (DB Browser for SQLite 2020). Further investigation needs to be conducted to see if deleted contact information can be extracted from the contacts.db file. It, also, needs to be noted that the database file had the same size as it did before the entry was deleted. An additional attempt to recover the entry with sqlparse.py (Mdegrazia 2020) was attempted but again without success. It was also observed that the WAL (write ahead log) increased by a little over the size of the database file, which leads to the speculation the information will probably be found there.

(cited from page 7)

Well, indeed, SQLite is working like that, it preallocates disk space to avoid constant charge on the file system for every minor addition or deletion in a table. The transactions are piling up in the journal (the WAL file) also. No need to investigate here either. All of this is open source.

To conclude, looking at this wiki page https://sailfishos.org/wiki/Core_Areas_and_APIs and the corresponding projects in git.sailfishos.org/mer-core would provide all the information already.

9 Likes
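The SQLite behaviour the reply above describes (database file size unchanged after a delete, the deleted record still present in the main file and a copy of the modified page landing in the WAL) can be reproduced on a constructed contacts table. This is an added example, not code from the paper or from the forum poster; it assumes the Python standard-library sqlite3 module, sets `secure_delete` off explicitly because that default is a compile-time choice that differs between builds, and uses made-up contact names.

```python
import os
import sqlite3
import tempfile

def deleted_row_traces(db_path: str, victim: str = "Alice Example") -> dict:
    """Create a WAL-mode contacts table, delete one row, and report whether the
    row's name survives in the raw bytes of the main file and of the -wal file."""
    con = sqlite3.connect(db_path, isolation_level=None)  # autocommit mode
    con.execute("PRAGMA journal_mode=WAL")
    # Assumption: secure_delete may default to ON on some builds; force it off
    # so the freed cell is not zeroed and the experiment is deterministic.
    con.execute("PRAGMA secure_delete=OFF")
    con.execute("CREATE TABLE contacts(id INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
    con.executemany(  # constructed sample data
        "INSERT INTO contacts(name, phone) VALUES (?, ?)",
        [(victim, "+10000000001"), ("Bob Example", "+10000000002"),
         ("Carol Example", "+10000000003")])
    # Fold everything into the main file and truncate the WAL to zero bytes,
    # so the main file now holds the live page with all three records.
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)")
    wal_path = db_path + "-wal"
    size_before = os.path.getsize(db_path)

    con.execute("DELETE FROM contacts WHERE name = ?", (victim,))

    size_after = os.path.getsize(db_path)       # main file is not rewritten yet
    wal_size = os.path.getsize(wal_path)        # the modified page went here
    needle = victim.encode()
    with open(db_path, "rb") as f:
        name_in_db = needle in f.read()         # old page image still intact
    with open(wal_path, "rb") as f:
        name_in_wal = needle in f.read()        # freed cell, bytes not zeroed
    live_rows = con.execute("SELECT count(*) FROM contacts WHERE name = ?",
                            (victim,)).fetchone()[0]
    con.close()  # closing checkpoints and removes the WAL; measure before this
    return {"size_before": size_before, "size_after": size_after,
            "wal_size": wal_size, "name_in_db": name_in_db,
            "name_in_wal": name_in_wal, "live_rows": live_rows}

def run_demo() -> dict:
    """Run the experiment in a throwaway directory and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        return deleted_row_traces(os.path.join(d, "contacts.db"))

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The same carving step (searching the raw page bytes rather than querying the table) is what a tool like sqlparse.py automates; once a checkpoint runs, the WAL copy is written over the old page in the main file and the leftover bytes may be reused.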