Forensic Blogs

An aggregator for digital forensics blogs

November 26, 2018 by LCDI

Mobile Forensics Update 2

Introduction

If you read our last blog post, you know that the Mobile Forensic team ran into some issues early on. We are happy to share that we have since overcome those issues, and we’ve hit the ground running with our project. We are no longer using the LG G6 devices mentioned last month due to issues rooting these devices. Instead we are using Nexus 7 tablets running Android 6 and 7.

Two apps we pulled and analyzed data from are Snapchat and Telegram. Before we set up accounts, we had to create different personas for each team member. The personas we came up with were Johan Smith, Tony Pepperoni, and Mallow Operator.

Snapchat

Before we started collecting our data, we had to decide which actions we would all perform so that we would have comparable data. Some of the actions we used to generate data for Snapchat were adding each other as friends, creating a group chat, and posting to a story. While generating data for analysis, we kept track of who sent chats to whom, what time we performed each action, and whether anything went wrong. After pulling the data with adb, we compared the timestamps and actions from the pull against our datagen log. We were able to see what Snapchat saves and what we can find on the phone.

Telegram

When we were setting up Telegram, we had to set up Google Voice numbers in order to create our profiles. As with Snapchat, we had to decide which actions to take so that each person would get similar pull results, which meant creating another datagen. For Telegram our actions included adding contacts, joining different groups, and sending videos and stickers. We again kept track of timestamps and then compared the datagen log against the pull. We decided to use both Cellebrite and adb to see whether either tool had an advantage over the other. At the moment, we're still analyzing Telegram to see if there is anything noteworthy, so stay tuned!
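The Snapchat and Telegram sections both describe the same check: a datagen log of who did what and when, compared against the timestamps recovered from the pull. The script below is an added example of how that comparison can be automated; it is not code from the LCDI post. The datagen log format, the pulled record layout (epoch milliseconds, as many app databases store them), the persona names reused from the post and the 5-second tolerance window are all assumptions chosen for illustration, and both inputs are constructed sample data.

```python
"""Correlate a data-generation (datagen) log with records pulled from a device.

Added example, not part of the original post. Log format, record format and
tolerance window are assumptions; all sample data below is constructed.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed datagen log: what each persona did and when, as the team might
# note it during testing (assumed to be recorded in UTC, ISO 8601).
DATAGEN_LOG = """\
timestamp,actor,action,target
2018-11-05T14:02:10Z,Johan Smith,chat,Tony Pepperoni
2018-11-05T14:03:45Z,Tony Pepperoni,chat,Johan Smith
2018-11-05T14:05:00Z,Mallow Operator,story_post,
2018-11-05T14:06:30Z,Johan Smith,group_chat,team
"""

# Constructed records as they might be recovered from an app database after an
# adb pull. Apps commonly store epoch milliseconds rather than ISO timestamps,
# and device clocks drift by a second or two from the analyst's notes.
PULLED_RECORDS = [
    {"ts_ms": 1541426531000, "sender": "Johan Smith", "kind": "chat"},
    {"ts_ms": 1541426626000, "sender": "Tony Pepperoni", "kind": "chat"},
    {"ts_ms": 1541426790000, "sender": "Johan Smith", "kind": "group_chat"},
    {"ts_ms": 1541430000000, "sender": "unknown", "kind": "chat"},  # not in log
]

TOLERANCE = timedelta(seconds=5)  # assumed acceptable clock skew


def parse_datagen(text):
    """Parse the CSV datagen log into rows with timezone-aware datetimes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append({
            "ts": ts.replace(tzinfo=timezone.utc),
            "actor": row["actor"],
            "action": row["action"],
            "target": row["target"],
        })
    return rows


def epoch_ms_to_dt(ms):
    """Convert an epoch-milliseconds value to a UTC datetime."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def correlate(log_rows, records, tolerance=TOLERANCE):
    """Match each logged action to the closest pulled record of the same actor
    and kind within `tolerance`. Returns (matched, missing, unexplained):
      matched     - (log entry, record, time delta) triples
      missing     - logged actions with no recovered record (app did not keep it)
      unexplained - recovered records that no logged action accounts for
    """
    unused = list(range(len(records)))
    matched, missing = [], []
    for entry in log_rows:
        best = None
        for i in unused:
            rec = records[i]
            if rec["sender"] != entry["actor"] or rec["kind"] != entry["action"]:
                continue
            delta = abs(epoch_ms_to_dt(rec["ts_ms"]) - entry["ts"])
            if delta <= tolerance and (best is None or delta < best[1]):
                best = (i, delta)
        if best is None:
            missing.append(entry)
        else:
            unused.remove(best[0])
            matched.append((entry, records[best[0]], best[1]))
    unexplained = [records[i] for i in unused]
    return matched, missing, unexplained


if __name__ == "__main__":
    matched, missing, unexplained = correlate(parse_datagen(DATAGEN_LOG), PULLED_RECORDS)
    for entry, rec, delta in matched:
        print(f"MATCH   {entry['ts']:%H:%M:%S} {entry['actor']:<15} {entry['action']:<11} "
              f"skew={delta.total_seconds():.0f}s")
    for entry in missing:
        print(f"MISSING {entry['ts']:%H:%M:%S} {entry['actor']:<15} {entry['action']}")
    for rec in unexplained:
        print(f"EXTRA   {epoch_ms_to_dt(rec['ts_ms']):%H:%M:%S} {rec['sender']:<15} {rec['kind']}")
```

Run stand-alone, it prints one line per logged action and one per unexplained record. The "missing" list is the interesting output for this kind of study: an action the team performed that left no recoverable record tells you what the app does not persist, while an "extra" record points at data the app wrote without any user action, which is exactly the unusual data the post says the team was looking for.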

Conclusion

With these pulls we were able to see what data Snapchat and Telegram save on your phone. We were looking for any unusual data saved by the applications. So far nothing has stood out with either Snapchat or Telegram. The next app we will generate data for and pull is LinkedIn.

Stay tuned for more updates to come and follow us on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI.

The post Mobile Forensics Update 2 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation
Filed Under: Digital Forensics, Uncategorized
Tagged With: Analysis, application, Blog Post, Champlain College, computer forensics, Digital forensics, forensics, Mobile, Mobile Apps, mobile forensics, snapchat, Student Work, telegram, Update

February 28, 2018 by LCDI

Application Analysis Introduction

Introduction

This semester, the Application Analysis team chose four Windows applications on which to perform a forensic analysis: Spotify, Bitcoin Miner, Speedtest, and Dashlane. In the coming weeks, we will examine the artifacts generated by these applications.

Analysis: Web App Security

We will inspect the applications' security features. Without proper security features, an attacker can access the data an application stores. Noting how each application handles its data will show which security features it actually uses.

The Applications

Spotify is a web-based music streaming application. It has a user base of well over 140 million paid and unpaid users, making it the largest music service available. With a music library of over 30 million songs, it's easy to see why users love it so much. Spotify offers connectivity with friends and celebrities, and the team wonders whether this could lead to a privacy issue. We will analyze this by recording the data the application stores about music preferences and other personal information.

Bitcoin Miner is the most popular bitcoin mining application in the Microsoft Store. Cryptocurrency has recently emerged as a lucrative investment opportunity, and applications offering users a friendly interface for exchanging and mining cryptocurrencies have followed. We want to know what artifacts mining cryptocurrency leaves behind.

SpeedTest is an internet speed testing application that offers “easy, one-click connection testing in under 30 seconds.” It also claims to be “the most accurate and convenient way to test your speed.” Millions of users access this service. Analyzing an application such as this one should be simple. We will be looking into the data that the application stores about you and your device. This data includes age, gender, work experience, education, and browser history.

Dashlane acts as an online password bank. The application stores the user and online-account information entered into it, so you never again need to remember all your passwords; you only need one master password to open Dashlane. The application logs in to websites using its database and fills out forms with the information you provide. We will examine the artifacts generated by storing information, navigating to websites, and using the autofill feature. For this application, it will be especially important to be on the lookout for potential security risks.

Conclusion

Currently, we are generating and analyzing the artifacts as well as observing security features. We will report on our findings in the blog posts to come.

Post any feedback, questions, or general comments in the comment section below! Interested in our research? Follow the Leahy Center for Digital Investigation (LCDI) on Twitter @ChampForensics, Instagram @ChampForensics and Facebook @ChamplainLCDI.

The post Application Analysis Introduction appeared first on The Leahy Center for Digital Investigation.


April 26, 2017 by LCDI

Application Analysis: Conclusion

Introduction:

To close out our list of web apps, we finished up with Discord. It has been an interesting experience for us to work with three diverse apps over the last semester, and our analysis of Discord brought our research to a close. Because it shares several key similarities with Slack, our first application, it was an ideal choice to close out our research with a side-by-side comparison.

Our Process:

With our final app, we used testing methods similar to those for Slack: we created a set of test channels and generated user data. After that was done, our team made a clone of the virtual machine, then deleted Discord on the original and promptly analyzed the images. In our findings, we noticed very similar behavior in the storage of cached images when compared with Slack, although the content each stored varied greatly. To read more about this topic, check our report, which will be published soon.

Comparing these apps, Dropbox was the most straightforward. However, it lacked the robustness of the other web apps, since it did not make the same extensive use of XML. The app did not change much on the front end in terms of design. For user data, Dropbox's local SQL database recorded which files were found on the machine, and deleted files remained visible in the cache. In contrast, Slack and Discord were two sides of the same coin: both made heavy use of XML to manage their styles, both stored images of user profiles, and both stored the URLs of certain cached images. Discord did have one major difference. We were able to find fragments of messages in files under Win7enterpriseTest1\C\Users\User\AppData\Roaming\discord\Cache belonging to the messages?limit=50 request. We'll take an in-depth look at this in our final report.
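The message fragments the team found in the Discord cache directory were tied to the messages?limit=50 request. The script below is an added example, not code from the LCDI post, of the kind of triage an analyst can do over such a cache: scan every file under the cache directory for the request marker, then carve JSON arrays of message objects out of the raw bytes. It assumes cache entries are plain files and that the cached response body is stored uncompressed; the cache entry it writes is constructed to exercise the carver and is not a real Discord cache file, and the personas, timestamps and example.invalid URL are made up.

```python
"""Locate and carve cached message responses from an application cache directory.

Added example, not part of the original post. The cache-file layout and the
JSON message shape are assumptions; the sample entry below is constructed.
"""
import json
import os
import re
import tempfile

# The request the post reports message fragments under (assumed URL marker).
MARKER = b"messages?limit=50"

# A JSON array of objects, matched non-greedily so the carve stops at the first
# "}]" that closes the array. Good enough for triage; not a full JSON scanner.
JSON_ARRAY = re.compile(rb"\[\s*\{.*?\}\s*\]", re.DOTALL)


def find_cache_entries(cache_dir, marker=MARKER):
    """Return sorted paths of files under cache_dir whose bytes contain marker."""
    hits = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                if marker in fh.read():
                    hits.append(path)
    return sorted(hits)


def carve_messages(path):
    """Carve message-like objects (those with a 'content' key) out of a raw
    cache file. Returns a list of {author, timestamp, content} dicts."""
    with open(path, "rb") as fh:
        data = fh.read()
    messages = []
    for match in JSON_ARRAY.finditer(data):
        try:
            array = json.loads(match.group(0).decode("utf-8", "replace"))
        except json.JSONDecodeError:
            continue  # binary noise that happened to look like [{...}]
        for obj in array:
            if isinstance(obj, dict) and "content" in obj:
                messages.append({
                    "author": (obj.get("author") or {}).get("username"),
                    "timestamp": obj.get("timestamp"),
                    "content": obj["content"],
                })
    return messages


def build_sample_cache(directory):
    """Write a constructed cache entry: an opaque header, the request URL key,
    a stored response header and a JSON body, surrounded by padding bytes.
    This mimics the general shape of a cached response; it is not a real entry."""
    body = json.dumps([
        {"id": "1", "author": {"username": "Tony Pepperoni"},
         "timestamp": "2017-04-10T15:21:02.000000+00:00", "content": "test message one"},
        {"id": "2", "author": {"username": "Johan Smith"},
         "timestamp": "2017-04-10T15:22:40.000000+00:00", "content": "reply {with braces}"},
    ]).encode()
    entry = (b"\x00CONSTRUCTED-HEADER\x00" + b"\x00" * 8
             + b"https://example.invalid/api/channels/0/messages?limit=50\x00"
             + b"\x00\x00HTTP/1.1 200 OK\x00Content-Type: application/json\x00"
             + body + b"\x00" * 16)
    os.makedirs(directory, exist_ok=True)
    with open(os.path.join(directory, "f_000001"), "wb") as fh:
        fh.write(entry)
    with open(os.path.join(directory, "f_000002"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # unrelated cached image


def triage(cache_dir):
    """Map each cache file containing the marker to the messages carved from it."""
    return {path: carve_messages(path) for path in find_cache_entries(cache_dir)}


if __name__ == "__main__":
    cache = tempfile.mkdtemp(prefix="discord-cache-sample-")
    build_sample_cache(cache)
    for path, messages in triage(cache).items():
        print(path)
        for msg in messages:
            print(f"  {msg['timestamp']}  {msg['author']}: {msg['content']}")
```

Point `triage()` at a real cache directory (the post's path sits under the user's AppData\Roaming\discord\Cache) and it reports which files carry the marker and what message objects survive in them. Because the carve works on raw bytes, it still finds fragments when the cache index is missing or the entry has been partially overwritten, which is why the team saw "bits of the messages" rather than complete conversations.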

Analysis: Discord Artifacts

Going into Discord, we expected to find close to nothing in the local files of the web application, but after getting a closer look, we found out we couldn't have been more wrong. Discord's security statement says that it takes reasonable steps to ensure a user's information is protected.

Application

Discord's use of caching and SQLite databases let us recover artifacts ranging from the chat logs mentioned above to uploaded images and files. One of Discord's more notable features is its database's storage of frequently used emojis. By comparison, the business web applications stuck to the bare minimum, such as only timestamps and ID values. Dropbox's local database focused mainly on extensive file information, though it lacked the niche detail of Discord, which, as mentioned, even stored emoji usage. A more extensive comparison can be found in our final report.

Conclusion:

With increased integration of platforms such as Discord, Dropbox and Slack, there will be an increased need for privacy. Implementation without security will continue to allow security flaws to exist. However, it must be remembered that with the need for security comes the need for usability. To remain a strong web application with a following, ease of use and efficiency must be maintained.

Through this process, our group learned a lot and gained deeper insights into web app forensics. We hope this blog can hold you over until the final report drops. Stay tuned!

Questions or comments? Please share with us in the comment section below! You can also reach out to our Twitter and Facebook or email us at lcdi@champlain.edu.

The post Application Analysis: Conclusion appeared first on The Leahy Center for Digital Investigation.



About

This site aggregates posts from various digital forensics blogs. Feel free to take a look around, and make sure to visit the original sites.


All content is copyright the respective author(s)