Forensic Blogs

An aggregator for digital forensics blogs

by

Mac OS X Forensics Final Update

ewrtfreter

Intro

Mac OS X Yosemite and El Capitan have both been available to Mac users for a while now. As such, many users have updated their systems to at least one of the two versions of the OS X operating system. El Capitan has brought several new updates to OS X especially in terms of the default Apple apps. However, in terms of forensic artifacts it was fairly similar to OS X Yosemite with a few changes noted, but most of the artifacts remained the same.

It has been a while since the last time we reported on our progress. During that time period we finished examining the two operating systems and compiled spreadsheets containing the artifact locations. Then we generated a final report that will be available at “Mac Forensics Report” (Link to the final report). Overall the two versions of OS X were very similar and only had a few minor differences.

Analysis

The last time we update our progress we had just completed data gen and imaging of both the OS X Yosemite and El Capitan machines. We are happy to report that we finished our examination of the two images and were able to compile a list of artifact locations for both Yosemite and El Capitan. The lists contained many different artifacts ranging from application specific artifacts to system configuration files. Most of the artifacts that we located were user specific while a few were machine specific.

Once we had created the spreadsheets of the artifact locations we then compared them to determine what artifacts were different between Yosemite and El Capitan. We determined that the two versions were very similar and only a few artifacts had moved to new locations in El Capitan. However, through our analysis and comparison we were unable to locate some artifacts. We broke theses artifacts into two groups, obsolete and missing. Obsolete artifacts were determined if neither versions of the operating system had that artifact. Missing artifacts were determined if the artifact should have been generated during data gen but was still missing. In the end we created a comprehensive list of artifacts and their locations. This list can be found in our final report.

We created our final report using google docs so that we could all edit it at the same time. This led to a few problems, seeing as Microsoft Word and Google Docs do not keep the same formatting. This led us to have a few headaches further down the line. As a result, we had to type everything in Google Docs and then import it manually into Word in order to obtain the proper formatting that we were seeking. Once that was completed we then had to import all of our spreadsheets containing the artifact locations and format them to fit the theme of the final report as well. In the end we had created a nice report that looks great and has detailed information about the artifact locations for both OS X Yosemite and El Capitan.

With our final report completed we are now officially done with this project, at least for now. Our final report details specifically our methods and outcomes of our research. It goes into depth about what artifacts were determined to be new, obsolete, and what artifacts we expected to find but were unable to. Research into operating systems is never complete and further work can always be completed to enhance the available knowledge base and resources available.

Conclusion

Overall we determined a lot about the artifacts in both OS X Yosemite and El Capitan. We were able to overcome some of the difficulties of using virtual machines by using two separate iMacs to conduct our data gen. In general, Yosemite was very similar to the last project that we conducted at the LCDI. Almost all of the artifacts from last year’s research into Yosemite were exactly the same. The artifact locations in El Capitan were very similar to those in Yosemite. We only found a handful of artifacts in new locations and a few artifacts were unable to be located in El Capitan that we found in Yosemite. The largest change from Yosemite to El Capitan was with the mail application, and many of the artifact paths had changed. The two versions of OS X are very similar, but there is always more research to be done.

Our team made great progress in determining the default locations for artifacts in both OS X Yosemite and El Capitan. We were able to overcome several struggles associated with using a VM that earlier research encountered, but we still missed a few key pieces of software such as Microsoft Office. Further research could be conducted into applications that we missed in our data gen. We were unable to locate a few of the artifacts that should have been generated, and as such, further research could be conducted to determine if those artifacts are obsolete or where they are located in the current versions of the OS. It is also important to stay up to date with the current versions of operating systems. They are always being updated and this research needs to be conducted every time an OS is updated.

We look forward to updating you on our future projects here at the LCDI. Please take a look at our “final report”(Link to final report) on this project to get a more in depth look at the default artifacts in OS X Yosemite and El Capitan. If you have questions or comments about the project, you can leave a comment, or contact the LCDI via Twitter @ChampForensics, or via email at lcdi@champlain.edu.

The post Mac OS X Forensics Final Update appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

by

Data Recovery Blog 3

Imaging Hard Drives

The data recovery team has been busy making disk images for the last couple of weeks and working with a variety of unique tools. The objective of our team is to test and determine the effective means of securely deleting data. Our investigation requires a set of samples to test our techniques and programs. The creation of disk images allows us to safely do this and inspect the data without risk. How clean can a hard drive be and what do these standards look like? 

What is a Disk Image?

In a world where 95% of people own a smartphone and 85% have a computer, disk images are the norm for digital forensics and criminal justice as a whole. A disk image is a collection of the data that’s stored on a device. Programs can load these files, to display the contains of the original source material. Some of these programs include GetDataBack and Wizard Partition Recovery. Sleuth Kits like FTK Imager can often produce disk images as well.

(From left to right) GetDataBack and Wizard Partition Recovery

Why Use Disk Images?

The most important piece of a case is the evidence that will solve it. The rise of technology has made computers the easiest way to store and send data. Thus, the evidence is mostly localized to a drive and its safety becomes of the utmost importance. Data recovered from a crime scene is volatile and extremely sensitive. Investigators cannot go into the device haphazardly or they run the risk of altering critical data. Altered data is unusable in court, thus data integrity and movement are heavily documented and preserved. However, in conjunction with other investigative devices, disk images allow users to access the data without risk of invalidating the evidence. They also allow an investigator to look through the data without the physical components, allowing easy access and transportation. Not only can disk images come from computers and hard drives, but also from phones and tablets.

The downside to disk images is that files are often quite large, but this depends on the size of the storage device they were made from. Compression usually mitigates this problem, but frequently, the disk images will keep the exact same size as the device being copied. This presents more problems, such as the amount of time it takes to create the file. The means of transportation also pose a problem unless there is another hard drive or cloud storage that is the same size or larger.

Benefits of File Hashing

Every detail of digital evidence is unique and valuable to digital forensic analysts and the law. Even an edit as small as changing a character then changing it back could make the data unusable in court. This is due to the creation of hash files and how they ensure validity. File hashing is the process of creating a code for a file that’s linked to the file itself. If any changes happen, including the opening, copying, pasting, or moving of a file, the hash value will change. This ensures the integrity of the evidence, even if there is no way someone could tell that a change had been made. This code is one way generated, meaning nothing can glean data from the code. Standalone programs found on the internet can generate this code. Integrating file hashing it into programs can generate this code while also completing some other function.

(From left to right) The program File Hasher in standby and File Hasher in progress

The program above is an example of a file hasher, aptly called “file hasher”. It takes the file from the user then generates a code based on the size and order of the characters in the file. This is how it ensures that there have been absolutely no changes to the order of the code. These changes can occur even when moving or copying the image.

The method of creating this code is not universal, and there are many types and methods of hash algorithms. The most popular are MD5 and SHA1, which generate a 40 digit long code. Other types of hash algorithms include RIPEMD, Whirlpool, and Blake, which all vary in the length of the code as well as the structure of the output. Though SHA1 is no longer considered safe for government use, it is still a very effective and safe method to ensure the safety of noncritical data.       

Write Blockers

As previously mentioned, the hash code changes for all interactions with it. That of course raises the question: How do you copy the data from the device without changing the hash code? The answer is a device called a write blocker, which allows the user to move or copy evidence from a hard drive onto a computer without changing the data. It does this by blocking commands from the computer that attempt to change the data on the device. This preserves integrity for the investigators and allows them to create the hard drive image. This only lets the user read and move the files. Write blockers do not prevent changes in computer data, though. This means data intentionally or unintentionally changed on the computer is still not viable.

Data recovery is the future of criminal justice and the better understanding we have of the technology used, the easier it is to understand what does and does not work. Data recovery programs allow easy access to data and allow the performance of digital investigations without a hitch. Write blockers may not always be a professional tool with limited public access. We believe the future will be more accustomed to these practices, making data easier and safer to store. To stay updated with the conclusion of our project, check out our Twitter, Instagram, and Facebook!

The post Data Recovery Blog 3 appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

by

Researching IoT Devices

Art depicting the connectivity of common devices Introduction

It is safe to say that everyone is constantly connected, through our smartphones, social media accounts, and even smart homes. Every day, more and more innovative devices are released to the public. Any device that is able to have a relationship with another is part of Internet of Things (IoT). Forbes goes so far as to state that “the relationship will be between people-people, people-things, and things-things”. While these devices offer easy-to-use functionality and instant access to information, how secure are they? In this blog, students at the Leahy Center will review some common devices and discuss some of their vulnerabilities.

IoT Smart Locks

Smart locks are great for remote access to your home’s doors. They’re a faster way to open them, as well as allow a user to keep a record of each action. However, Katie Hopkins, part of the IoT research team, is in the midst of a deep dive into smart lock vulnerabilities—discovering how to make a device that is supposed to keep your home secure vulnerable to hackers. Her research was specifically on Kwikset Kevo Smart Lock devices. Despite how secure one may think these devices are, Katie found that these vulnerabilities may subvert that expectation.

Image of a smart lock

Some vulnerabilities are very simple, such as a denial of service attack using a smartphone. The InfoSec Handbook, a guide to network security concepts, offers a useful definition. A denial of service attack is one that limits or rejects access due to an overflow of data from an outside device. In this case, an attacker can use the Kevo app to send large amounts of open/close requests to the lock. This confuses the device and causes it to not react to a physical key that comes with the device. Another vulnerability is that the lock’s batteries only last about two weeks. This leaves a window of opportunity for an attacker to gain control of the lock.

Some companies also claim that they encrypt passwords for these devices but end up not doing so; great information for a hacker, bad news for you! There are many more ways to exploit these devices, but these are just a few of the simpler ones. NewSky Security wrote a blog post that breaks down more exploits in detail.

Overall, these locks may be useful for securing your home, but their functionality causes new problems.

Google Home

One of the landmark accomplishments in smart devices has to be the creation of personal assistants. One of the more sophisticated virtual helpers is Google Assistant, a competitor to Apple’s Siri and Amazon’s Alexa personal assistants. This software can exist on most devices with a microphone and a speaker since Google Assistant interacts through voice. The user may give the device commands such as, “set an alarm”, or “open my garage door”.

Google Assistant can also interact with your other smart devices in a smart home. To do this, one can purchase a Google Home. Home runs the Google Assistant software and serves as a hub for all your smart devices. 

Image of a Google Home

IoT team member, Joe McCormack, has been doing research on the Google Home and did not find as many vulnerabilities with the software or hardware as Katie found in her research of the smart locks. But, just like the Kevo Smart Locks, there is always a flaw. Discovered by a group at the University of Michigan, the process which utilizes the microphone and translates it so the Google Assistant can execute those commands can be exploited. By using a low-powered laser, an attacker can shine different frequencies into the Google Home’s microphone and execute commands without a sound. This means a criminal can use this to do things like disarm smart home security systems and open smart locks without a sound. The technology required to do this is fairly complex but can be done by anyone with the proper knowledge.

D-Link WiFi Camera

The best way to catch a criminal is to actually see them in the act of a crime. It is also common for parents to keep an eye on their children while they are working or are left with a babysitter. Security cameras are a great way to automatically record the happenings of an area. Most come with motion detection, night vision, and the ability to record entire days worth of footage. One camera that the IoT Security team has been researching is from D-Link, a reputable manufacturer that specializes in network devices, including security cameras. The D-Link WiFi Camera model (DCS-5030L) is a cheap and effective way to monitor your home or office, but if the user does not update the camera regularly, there can be trouble.

Image of a D-Link wifi camera

Someone who is familiar with code can find specific files online that allow unauthorized access to the camera. That means that a person can gain control of the camera, look at recordings saved in the memory, and even move the position of the camera. However, it is actually pretty easy to prevent an attack. All you have to do is keep your firmware updated as D-Link has fixed many security issues over the lifespan of the device. This is normally the case for many devices.

Conclusion

There are vulnerabilities to most, if not all, of the IoT devices that you might use in your home. A capable hacker can exploit devices that you use every day; from your smart door lock to your smart refrigerator. We must be more aware of the issues that are present with new and exciting technology or our personal data could be compromised. It is always good to keep the device’s firmware up to date and have strong network security. By fortifying your devices and the network it resides on, you can prevent the possibility of an attacker taking control of your smart home, smart camera, or any other smart device. For the sake of your personal information, physical security, as well as privacy, remember that the convenience that smart devices offer might not be worth the risk.

The post Researching IoT Devices appeared first on The Leahy Center for Digital Forensics & Cybersecurity.