Forensic Blogs

An aggregator for digital forensics blogs

by

Wearable Forensics Blog 4

Forensic Analysis of Wearable Technology

Previously, the Leahy Center for Digital Investigations Wearables Team posted a third blog about their research, specifically pertaining to the Samsung Galaxy Watch and the Fitbit Versa. For the remainder of the semester, the team will be investigating the Garmin Fenix 5 and the Apple Watch Series 4. This week, the team began the first half of data generation for the two devices. We specifically tested fitness tracking, GPS and location tracking, and heart rate monitoring. While the data generation timeline is similar to the Fitbit and Samsung timeline, due to their higher sophistication and varied functionality, the Apple Watch and Garmin Fenix 5 needed more extensive testing.

Apple Watch

The Apple Watch is probably the most robust in functionalities and largest in international market share, according to IDC. The Apple Watch Series 4 includes every single functionality we looked into testing for the other devices, including NFC Payment, which wasn’t available for some others. From the first use, the Apple Watch seems to hold very accurate and detailed information; the team is excited to try to see how this data is stored on the phone.

The team also hopes to test the fall detection feature of the device. This functionality displays an alert on the watch using the accelerator and gryoscope to detect a hard fall. The user has a minute to respond to the screen prompt to call emergency services or confirm they are okay. If more than a minute passes, the watch will automatically send the user’s information and location to EMS. The team hopes to use this to illustrate the timeline that can be built from Apple Watch information in investigations.

Garmin

While Garmin only has a quarter of the market share that Apple does, the company is known for its impressively accurate fitness tracking devices. The team performed the first set of tests on the Garmin Fenix 5 this past week. The watch differs from the other three watches in that it doesn’t have a touch screen; however, the fitness tracking seems to be the most accurate of them all. The Garmin is one of the most interesting devices to investigate because the charging port is also a data transfer port. This means the team is able to directly see the data on the watch by plugging it into the computer.

Final Weeks

The team has a month left to research, run tests, and finalize their report on the four devices. Make sure to check back in to see their final report. This update will include all tests, notable results, and how to compile data from the devices and paired phones!

The post Wearable Forensics Blog 4 appeared first on The Leahy Center for Digital Investigation.

by

Wearable Forensics Team Blog 3

Forensic Analysis of Wearable Technology

Previously, the Leahy Center for Digital Investigations Wearables Team posted in their second blog about their progress this semester with the Samsung Galaxy Watch, the Fitbit Versa, the Garmin Fenix 5, and the Apple Watch Series 4.

A Second Datagen

The team decided it would be a good call to redo their data generation from the previous weeks to prove that the data they collected would be in the same files. The team performed a second round of data gen with the same actions as the first one. Thankfully, this round of data gen went exactly the same as the last one.

When they returned the next day, the team began the exciting process of analyzing the data. The results they got were very similar to the first round of data gen. Previous artifacts were confirmed and no new information was found within the phones. After they confirmed their findings, they decided to move on to test one new capability of the watches: mobile payments.

NFC Payment & Google Fi

The team looked into mobile payments with the Samsung Galaxy Watch using a Visa gift card. Unfortunately, the Galaxy Watch was paired up with a Google Pixel 3, and the Samsung Pay is incompatible with any phone besides another Samsung phone. As a result, the team was unable to test NFC payment on the Samsung Watch. The team was also unable to test this capability with the Fitbit versa. It is only available on the special edition, which the team did not have.

Caption: The team tested notifications with the Google Fi account by sending and receiving text messages. The team responded to some of these from the watches, but it was all available in the exported application data.

To test notifications on each of the watches, the team created a Google Fi account for the Google Pixel phones. The team used other phones to message the Google Pixel 3 phones and noted the notifications on the watches. They also performed a phone application acquisition pull for each of the paired devices to find what information was located on the phone itself.

Wrapping Up…

As the team wraps up their work on the Samsung Galaxy Watch and Fitbit Versa, they look forward to working with the last two devices: the Apple Watch Series 4 and the Garmin Fenix. They plan on following a similar methodology to the Fitbit and Galaxy watches, create data, and pull the applications from their respective devices in order to examine and analyze the watches. They’ll be posting another blog post with another status update soon, so be sure to check us out on Twitter @ChampForensics, Instagram@ChampForensics, and Facebook@ChamplainLCDI to keep up to date with our progress!

The post Wearable Forensics Team Blog 3 appeared first on The Leahy Center for Digital Investigation.

by

Data Recovery Blog 2

Putting Hard Drives to the Test

At the LCDI, we believe your data is important, and surely most would agree. The pictures of your family vacation are important, but what about your passwords? The hard drives that are in most computers store your data, leaving it open for anyone with the proper knowledge to find it and use it if not disposed of properly. This is not a new problem, as online computer news articles from almost 20 years ago described past experiences of people who purchased old hard drives and discovered the data of the last user.

The foundation of our goal is to ensure an understanding of deleting and storing data. Through our research, we have found free and available data recovery programs and sleuth kits to check data drives. Our investigation required a set of samples to test our techniques and programs. We bought a myriad of used hard drives from all over the internet. These previously belonged to other people, so it’s likely that remnants of the past user are still on them. The majority of online sources claim the drives they sell are clean “wiped”, but we’ll put that to the test. How clean can a hard drive be and what do these standards look like?

Using Sleuth Kits to Recover Data

In our last blog post, we explored the National Institute of Standards and Technology and the Department of Defense’s deletion standards which would be a clear indicator of security. The drives we purchased allow us to explore the effectiveness of each method compared to each other. After we’ve used the wiping standards, we must test the ease at which someone could recover the deleted data. In the lab, we have been busy looking at the Sleuth Kit tools to get that job done. The software we use is freeware and open ware, ensuring availability without special permission or a fee.

We have gone through a variety of software already, including Autopsy and Wise Data Recovery, two professionally used Sleuth Kits.

Autopsy examining deleted files

In the above image, we have pulled up a sample image file in Autopsy. In this sample, the previous user had deleted 10 images. The tool used a computer image file to carve data present but unlabeled, which we could then review.  The image file we loaded contained the deleted files. Although the computer preserved the data of the file, it lost the links for the file system to access it. These deleted files turned out to be various jpgs of different colors and text. The tool carved the data left within the computer and presented it to us similarly to the sample image below.

Wise Data Recovery loading files

Though this program is not as in depth as Autopsy, Wise Data Recovery was still able to get a good amount of information. This program allowed us to scan the Local C Drive, and we were able to load the files into the program for research and investigation.

These programs are used in professional settings and are free to download. However, the question arises: if these are available to everyone, what does that mean for your data? Anyone who has a computer and a way to attach your drive could snoop through your old data, which is the exact reason we work to share this information. What’s more alarming is these two programs don’t show the full extent of the files that could collect your data. There is no way to be sure that the next person will not have the ability to collect your data, or even how much they could gleam from the drive. 

Exploring Physical Drives and Virtual Machines

The recovery of data is very accessible and it should be taken into account when deleting data. In the coming weeks, we look forward to working with the physical drives and exploring the techniques and depth of data that can be extrapolated from something as small as a picture.

To stay updated with our progress, check out our Twitter, Instagram, and Facebook.

The post Data Recovery Blog 2 appeared first on The Leahy Center for Digital Investigation.