
Saturday, August 19, 2017

Imaging and examining an Android car stereo


And road trips


Introduction
I love road trips.


Be it road trips for football games, road trips with family, road trips with friends, road trips for skiing, or road trips to just get away for a little while.  So often, the destination is great, but the top memories from the trip are memories from driving.

So last year, the musical Hamilton was all the rage.  The musical tells the story of Alexander Hamilton, one of the nation's founding fathers who founded the Department of Treasury, who was a royal pain to many of the other founding fathers, and the musical is told largely through the eyes of Aaron Burr, one of the nation's first vice presidents and also the man who shot and killed Hamilton in a duel.  The musical has a hip-hop soundtrack and tells the story of Hamilton and some of the virtues of the founding fathers in a fun and semi-educational manner.  The top thing my wife wanted was to go to Broadway in New York and see Hamilton.  So for her birthday, I surprised her with Hamilton tickets.




We drove to New York, saw the show (it was outstanding), ate at a New York deli, drank beer at a New York bar, had a great time celebrating my wife's birthday.  You know what else is great?  The Hamilton soundtrack.

You know what's not great?  The Hamilton soundtrack on loop for the entire drive.  You see, my car has a stereo that runs Android, because of course the guy who runs an Android forensics blog would have a thing like that.  I set up the Amazon Music app,  and my wife figured out how to play music of her choice in the car.

"The world's gonna know your name. What's your name, man?"
After about eight times, I certainly know your name.
"Alexander Hamilton, my name is Alexander Hamilton"
Yup, got it.
"And there’s a million things I haven’t done, but just you wait, just you wait..."
Still got it.  And yes, I've waited several times now.

So anyways, great road trip.  Having a stereo that can access the limitless libraries of music, podcasts,  and broadcasts on the Internet sure beats old road trips where I was limited to whatever radio station I could pick up until the bandwidth faded and all I got was static.

This post will be about my cool Android stereo.  Be ready for me to geek out a bit.  (You've probably read enough of this blog to already expect me to geek out.)

The stereo
Here's the stereo I have.  It is by a company called AutoPumpkin.  Now I don't have the Android 7.1 version, though I could upgrade.  Mine is a couple years old and runs (don't laugh) Android 4.4.

Note: this is not Android Auto.  Android Auto is probably more secure and more difficult to image than what I'm showing and may not store as much data.  My stereo essentially is a standard Android device with all the hookups needed for a car stereo.

I had to order a stereo harness for my car.  Once I received the harness, I soldered the harness wires to the corresponding AutoPumpkin head unit wires.  I prefer soldering over any other splicing technique just because it is more secure.  On the car itself, I had to open up the dashboard, remove the OEM stereo, and install the AutoPumpkin.  Additionally, I wired the new stereo up to the car's microphone so I can make phone calls easily while driving.  I also did some extra wiring to the car's steering wheel buttons so I can control volume and calls via the existing buttons on the steering wheel.  Pretty nifty.

The stereo has WiFi.  So I set up my phone as a WiFi hotspot, and just like that, my stereo is online.

The stereo comes with the Google Play store installed, so if you set up your Google account with the device online, you can download anything.  On the stereo itself, I have Google Play Music, Amazon Music, Pandora, Stitcher (podcasts), and of course I can stream anything from my phone to the stereo for unlimited audio options.  It makes long trips go quickly.

Now something I feel I have to say here.  Technically, you can play movies on these stereos.  You can install and use just about any Android app, which means you genuinely can play Netflix or other streaming movie services.  As in, you technically can have video playing on a screen, which would naturally distract you from driving.  I will say this once and I hope I never have to say it again: don't.  It may be illegal where you live to play movies while driving, but regardless, it is distracting.  Just don't.

Now that's out of the way.  This is a forensics blog, isn't it?  Let's have some fun!

Imaging the stereo
Yes, I'm going to image an Android stereo.  As you may recall from previous posts, live imaging an Android device requires three things: a data connection between the imaging computer and the device, an exploit, and an imaging command.  We're going to do things a little differently here.

The imaging computer will be the device itself.  I'm sure I could hook my laptop up to the stereo, but that's just a bit cumbersome.  We're going to instead hook up a USB stick (the stereo includes two USB cables) and image the device onto that stick.

So next, we need an exploit.  We need to root the stereo.  It turns out, that's the easiest step of all.  And I can take no credit for it.  Check out this awesome XDA site on these types of stereos.

Open Settings, go to Factory Settings, and you get a prompt for a password.  Type in the following:
*#hct#root#
And just like that, the device is rooted and now includes Superuser settings.


Now with the USB connected, download an Android terminal app.  I use the Terminal Emulator for Android app.  Open up the terminal and type su to gain root.


Then type mount to see your partitions.





In the above images, you see the userdata block and the USB stick destination.

So with all this done, it's time to image userdata.  Enter the following into the terminal, and hopefully you're less clumsy with the keyboard than I am and make fewer typos.
dd if=/dev/block/mtd/by-name/userdata of=/mnt/usb_storage2/userdata.dd
And feel free to image any other block as above.

Examining the image

I unplugged the USB stick, brought it to my computer, and opened up the userdata image in FTK Imager.  And it looks like an Android image.



Want to check out Google Maps history?  Go to /data/com.google.android.apps.maps/databases in the userdata image and check out the individual databases.

Data from the Amazon Music app is located under /data/com.amazon.mp3.  Check out what I found in /data/com.amazon.mp3/cache/images/ALBUM:



And check out what I found in  /data/com.amazon.mp3/files/.lyrics:


(If you're unsure what that is, check out the following video)



And check out what I found in  /data/com.amazon.mp3/databases/recently_played.db:



Did I mention my wife really likes Hamilton?
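
A quick way to triage app databases exported from the image, such as the databases folders mentioned above (an added example, not part of the original post): it finds SQLite files by header, hashes each one, and lists tables with row counts using a read-only connection.  The sample database it builds is constructed, and the recently_played table and its columns are a hypothetical schema, not the real Amazon Music layout.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path

def sha256_of(path):  # hash the working copy so findings tie to an exact file
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def table_counts(path):
    """Open one database read-only and return {table_name: row_count}."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        return {n: con.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0] for n in names}
    finally:
        con.close()

def triage_tree(root):
    """Find SQLite files by header (not extension) under an exported folder."""
    report = {}
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        with open(p, "rb") as fh:
            if fh.read(16) != b"SQLite format 3\x00":  # SQLite file header
                continue
        report[p.relative_to(root).as_posix()] = {
            "sha256": sha256_of(p), "tables": table_counts(p)}
    return report

def build_sample(root):  # constructed sample data; the schema is hypothetical
    db_dir = Path(root) / "com.amazon.mp3" / "databases"
    db_dir.mkdir(parents=True)
    con = sqlite3.connect(db_dir / "recently_played.db")
    con.execute("CREATE TABLE recently_played (title TEXT, played_at INTEGER)")
    con.executemany("INSERT INTO recently_played VALUES (?, ?)",
                    [("Alexander Hamilton", 1500000000), ("My Shot", 1500000300)])
    con.commit(); con.close()
    (db_dir / "notes.txt").write_text("not a database")
    return root

if __name__ == "__main__":
    for name, info in triage_tree(build_sample(tempfile.mkdtemp())).items():
        print(name, info["sha256"][:16], info["tables"])
```

Point triage_tree at a folder exported from the image (for example with FTK Imager) and run it against a working copy, not the original evidence file.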

The big picture
So these stereos are really cool.  I have fun with mine, and they make road trips faster and more entertaining.  And they are easy to image and examine.  Depending upon what apps the user installs, there may be navigation apps to tell about the user's locations of interest.  That's a goldmine for any investigation involving a car stereo.  I mentioned Google Maps above.  I've also used Waze in the past and found my navigation history.

Now I showed a way to live image the device.  I suppose it also can be done with chipoff.  You could probably physically remove the chip, read it, and get the same results.  There's probably a good way to image it by connecting a laptop via USB.  Just for fun, I imaged it over WiFi once.

Point is, if you're having fun with one of these devices of your own, you can image it easily.  If you are an investigator and evidence could include an Android stereo like the one I have, there could be seriously valuable data there.

Summary
  • There are fun Android car stereos out there and they are easy to set up with a little bit of curiosity and a lot of Google-ing.
  • These stereos are easy to image and store data like any other Android device.
  • If you are running an investigation where the scope includes a smart car stereo, think navigation history.

Questions, comments?  Any other Hamilton fans?  Leave a comment below, or send me an email.