Forensic Blogs

An aggregator for digital forensics blogs

October 18, 2019 by LCDI

Intrusion Into the Internet of Things

Shelves lined with devices in the Internet of Things, all potential subjects of intrusion.

Welcome to the Internet of Things Intrusion team’s first blog. The Internet of Things—or IoT for short—is a fancy term for the interconnected devices that make up our world. Many consumers know these devices as “smart” devices. For example, your smartphone can connect to your smart fridge to let you know when you’re, say, out of Hood Simply Smart Milk.

The Internet of Things connects all elements of the user’s life. This connectivity comes at a cost, however: more often than not, security is an afterthought to functionality in these devices. In an age of frequent, high-profile hacking, these devices make easy targets for even a small-time attacker. This project focuses on these flaws, looking at common IoT devices from the perspective of anyone with a couple of hours, an internet connection, and malicious intent.

The Intrusion Begins

Like every project here at the LCDI, we spent the majority of our first month researching. We began by looking into a range of IoT devices, like the Google Home, Amazon Echo, Nest Protect, and Ring Video Doorbell. With many IoT devices available to us at the Leahy Center, we limited our preliminary research to a few devices, split into two categories: popular devices and devices with known flaws. Picking devices that are easy to break into is a good way to understand the process, while using the most popular devices will allow us to understand the weaknesses that put the most people at risk. After we put together our list, we decided to begin work with our first device: the TP-Link Kasa Cam.

Our First Intrusion

Photo of live footage from the TP-Link camera once set up

Partly due to our inexperience in IoT intrusion, breaking into the TP-Link camera proved quite formidable. Our first obstacle came when connecting the camera to a network for setup: it took us a week to get a proper test network that we could connect it to. That week was not wasted, however; we used the time to research our target in greater depth, including different ways to break into it.

After getting our test network up and running, we were able to set up the TP-Link camera without issue; very user friendly! Once setup was complete, we were ready to attempt to break into the camera. This is where we hit a snag. To get access to the camera, you first need to connect to its IP address. We tried many different methods to get the IP address of the TP-Link camera, including a Wireshark capture, googling for default IPs, and searching through device settings, but had no luck. On top of this, TP-Link’s website is very unclear about how to find this information. That said, the month isn’t over, so we will use the rest of the time we have to keep trying.
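A device that joins a test network over DHCP announces its own address assignment: the server's DHCPACK carries the client's hardware address (chaddr) and the address it was given (yiaddr), so a capture taken while the device boots is enough to recover the IP without guessing defaults. The script below is an added example written for this page, not the LCDI team's code; it parses raw DHCP payloads and reports the address most recently acknowledged for a given MAC. The sample capture, the MACs and the addresses in it are constructed so it runs offline; on a real network you would feed it the UDP payloads of the port 67/68 traffic from your Wireshark or tshark capture.

```python
"""Recover the IP address a DHCP server assigned to a freshly joined device
by parsing DHCP ACK messages out of a capture.

Added example for this blog post; it is not the LCDI team's code. The
capture below is constructed inline (MACs and addresses are made up).
"""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that follows the BOOTP header
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the DHCP options of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    # ciaddr, yiaddr, siaddr, giaddr occupy bytes 12..27; yiaddr is the client's address
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])  # chaddr, hlen bytes long
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options[OPT_MSG_TYPE][0] if OPT_MSG_TYPE in options else None
    return {"op": op, "xid": xid, "mac": mac, "yiaddr": yiaddr, "msg_type": msg_type}


def find_assigned_ip(payloads, target_mac: str):
    """Return the address in the most recent DHCPACK sent to target_mac, or None."""
    target = target_mac.lower()
    assigned = None
    for payload in payloads:
        try:
            msg = parse_dhcp(payload)
        except ValueError:
            continue                      # not DHCP; skip it
        if msg["op"] == BOOTREPLY and msg["msg_type"] == DHCPACK and msg["mac"] == target:
            assigned = msg["yiaddr"]      # a later ACK (renewal) overrides an earlier one
    return assigned


def build_dhcp(op: int, msg_type: int, xid: int, mac: str, yiaddr="0.0.0.0") -> bytes:
    """Construct a minimal DHCP message; used only to fabricate the sample capture."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)   # op, htype=Ethernet, hlen=6
    fixed += ipaddress.IPv4Address("0.0.0.0").packed            # ciaddr
    fixed += ipaddress.IPv4Address(yiaddr).packed               # yiaddr
    fixed += b"\x00" * 8                                        # siaddr, giaddr
    fixed += chaddr + b"\x00" * 64 + b"\x00" * 128              # chaddr, sname, file
    return fixed + DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])


# Constructed sample: a camera (locally administered MAC) joins and gets a lease,
# a second device also gets a lease, and one unrelated UDP payload is mixed in.
CAMERA_MAC = "02:00:5e:10:00:01"
SAMPLE_CAPTURE = [
    build_dhcp(BOOTREQUEST, DHCPDISCOVER, 0x3903F326, CAMERA_MAC),
    build_dhcp(BOOTREPLY, DHCPOFFER, 0x3903F326, CAMERA_MAC, "192.168.50.23"),
    build_dhcp(BOOTREQUEST, DHCPREQUEST, 0x3903F326, CAMERA_MAC),
    b"not dhcp at all",
    build_dhcp(BOOTREPLY, DHCPACK, 0x3903F326, CAMERA_MAC, "192.168.50.23"),
    build_dhcp(BOOTREPLY, DHCPACK, 0x1A2B3C4D, "02:00:5e:10:00:02", "192.168.50.41"),
]

if __name__ == "__main__":
    print(CAMERA_MAC, "->", find_assigned_ip(SAMPLE_CAPTURE, CAMERA_MAC))
```

The MAC to match is normally printed on the device label or visible in the test router's client list; in Wireshark the display filter `dhcp` (`bootp` in older versions) isolates the same four-message exchange the script walks through. Power-cycling the camera while capturing forces a fresh exchange if the original one was missed.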

Conclusion

We have gained a lot of knowledge about IoT vulnerabilities in our first month. Our plan for next month is to move on to new devices. What we learned from our first trial has helped us create a simple, efficient approach for each device. For each device, we will begin with research into both the device itself and ways to break in. From there, we will create an account to use with the device, set it up, and generate data. This data will vary by device; the data generated on an IP camera will differ from the data generated on a smart smoke alarm. Finally, we will attempt to put our intrusion methods into action and see if they work. Make sure to read our team’s next blog to stay up to date on the project!

BE SURE TO CHECK US OUT ON TWITTER @CHAMPFORENSICS, INSTAGRAM @CHAMPFORENSICS, AND FACEBOOK @CHAMPLAINFORENSICS TO SEE OTHER IMPORTANT INFORMATION PERTAINING TO OUR PROJECT!

The post Intrusion Into the Internet of Things appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

Read the original at: The Leahy Center for Digital Forensics & Cybersecurity
Filed Under: Digital Forensics, Uncategorized
Tagged With: Apps, Blog Post, bluetooth, Bluetooth Security, Champlain College, Internet of Things, Mobile, Projects, Senator Leahy Center for Digital Investigation, smartphones, Student Work, Students

September 20, 2019 by LCDI

Windows Store and Apps Analysis – MUS2019

Windows Store and Apps (APPX) Analysis

While attending the Magnet User Summit in Nashville, I had the opportunity to sit in on fascinating talks and labs. One of my favorites was the talk about Universal Windows Apps given by our very own Professor Yogesh Khatri and Jack Farley. As somebody who knew next to nothing about UWP apps, I was both impressed and surprised by Microsoft. Let’s talk about some of the highlights!

UWP Apps Pros and Cons

Firstly, what is a UWP app? The Universal Windows Platform is Microsoft’s vision for the future of Windows apps: one SDK and one user experience across device types, a vision that grew to include the HoloLens and IoT devices. You may not think you use these, but the Windows 10 Photos app, Calculator, and Settings are UWP apps.

The Microsoft Store delivers apps as signed packages, which helps ensure the integrity and authenticity of Windows apps. The apps themselves run in a sandbox (an AppContainer): they can call only a limited subset of the Win32 API, they have no direct registry access (their settings live in a per-app hive, Settings\settings.dat, inside the container folder), and they cannot touch the filesystem outside their own container folder unless a declared capability or a user-driven file picker grants it. That’s where Microsoft surprised me—sandboxing has been a hallmark of Mac App Store apps for years, and it’s great to see this essential security feature come to Windows.

Permissions for these apps are declared as “capabilities” in the package manifest, and the user can manage them. The apps are also neatly organized into their own folders under %LOCALAPPDATA%\Packages, each named after the package family. And this is where I am not at all surprised by Microsoft: there are FOUR different naming schemes for these apps, and each scheme is used in a different place. This is the sort of confusing and complicated design choice that I would expect of the people who brought us… well, Windows. Further, to reach anything outside their folder, the apps go through a separate process on the system called RuntimeBroker, which performs the capability-protected operation on the app’s behalf. This seems like a sloppy implementation, since there will probably be numerous different RuntimeBrokers running at any given time.

App Use and Functionality 

As for what sorts of artifacts you can find in these container folders: if the app has any internet functionality, there will be cookies, history, and a web cache (under the container’s AC folder: INetCookies, INetHistory, INetCache). There are also folders for data that is synced across the user’s Microsoft account devices (RoamingState) and a cache for large files that the app can recreate but would rather not (LocalCache, which is excluded from backup).
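The identifiers examiners meet (the package name, the PackageFullName, the PackageFamilyName and the Application User Model ID) are related by simple string rules, and the container folder under %LOCALAPPDATA%\Packages is named after the family name. The following is an added example written for this page, not code from the MUS2019 talk or the Appx-Analysis repository: it takes a PackageFullName apart, derives the other names, and lists the artifact paths inside the container that the paragraphs above describe. The package names, the version number and the user profile path are constructed for illustration.

```python
"""Take a UWP/AppX PackageFullName apart and derive the other identifiers and
the on-disk container layout an examiner will meet.

Added example for this post; not code from the MUS2019 talk or from
ydkhatri/Appx-Analysis. Package names, versions and profile paths used in the
demo are constructed.
"""
import re
from dataclasses import dataclass

# PackageFullName = Name_Version_Architecture_ResourceId_PublisherId
# ResourceId is usually empty, which produces the tell-tale double underscore.
FULL_NAME_RE = re.compile(
    r"^(?P<name>[^_]+)_(?P<version>\d+\.\d+\.\d+\.\d+)_(?P<arch>[^_]*)_"
    r"(?P<resource>[^_]*)_(?P<publisher_id>[0-9a-z]{13})$"
)

# Well-known subfolders of %LOCALAPPDATA%\Packages\<PackageFamilyName>
CONTAINER_ARTIFACTS = {
    "Settings\\settings.dat": "registry hive holding the app's settings",
    "LocalState": "app data kept on this device",
    "RoamingState": "data synced across the user's Microsoft account devices",
    "LocalCache": "recreatable data, excluded from backup",
    "TempState": "temporary files",
    "AC\\INetCache": "web cache (apps using WinINet/WebView)",
    "AC\\INetCookies": "cookies",
    "AC\\INetHistory": "browsing history",
}


@dataclass(frozen=True)
class PackageId:
    name: str
    version: str
    architecture: str
    resource_id: str
    publisher_id: str

    @property
    def family_name(self) -> str:
        """PackageFamilyName: Name_PublisherId; also the container folder name."""
        return f"{self.name}_{self.publisher_id}"

    @property
    def full_name(self) -> str:
        """Round-trip back to the PackageFullName."""
        return (f"{self.name}_{self.version}_{self.architecture}_"
                f"{self.resource_id}_{self.publisher_id}")

    def aumid(self, app_id: str = "App") -> str:
        """Application User Model ID: PackageFamilyName!AppId (AppId from the manifest)."""
        return f"{self.family_name}!{app_id}"

    def container_path(self, local_appdata: str) -> str:
        """Per-user container folder for this package."""
        return f"{local_appdata}\\Packages\\{self.family_name}"

    def artifact_paths(self, local_appdata: str) -> dict:
        """Map each expected artifact path inside the container to what it holds."""
        base = self.container_path(local_appdata)
        return {f"{base}\\{rel}": what for rel, what in CONTAINER_ARTIFACTS.items()}


def parse_package_full_name(full_name: str) -> PackageId:
    """Split a PackageFullName into its five fields; raise ValueError if malformed."""
    m = FULL_NAME_RE.match(full_name)
    if not m:
        raise ValueError(f"not a PackageFullName: {full_name!r}")
    return PackageId(m["name"], m["version"], m["arch"], m["resource"], m["publisher_id"])


if __name__ == "__main__":
    # Constructed demo input: the version number is illustrative, not a real release.
    pkg = parse_package_full_name("Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe")
    print("family:", pkg.family_name)
    print("aumid: ", pkg.aumid())
    for path, what in pkg.artifact_paths(r"C:\Users\analyst\AppData\Local").items():
        print(f"{path:95} {what}")
```

Folder names seen under Packages on an image can be fed straight back in as family names, and resource packages (architecture `neutral`, a ResourceId such as `split.scale-100`) resolve to the same family, so their data lands in the same container.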

These apps function like mobile apps in that when they are inactive, they are suspended to conserve resources. Their threads are stopped but the app stays in memory (unless Windows needs the memory for something else). If a suspended app’s pages need to be set aside for a while, they are written to C:\swapfile.sys rather than the regular page file, and it’s possible that these pages will be compressed first.

There was a lot more to talk about, too: what’s leftover after an app is uninstalled (lots of registry stuff!), how you can get lists of installed apps, and so on. The slides and tools from the presentation can be found at https://github.com/ydkhatri/Appx-Analysis if you want to learn more.

I am grateful to have had the opportunity to attend this talk and many others at the conference. Thank you to the LCDI and Magnet Forensics for making this possible!

 

Blog written by Champlain College first year Jessica Hunsberger


The post Windows Store and Apps Analysis – MUS2019 appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

Read the original at: The Leahy Center for Digital Forensics & Cybersecurity
Filed Under: Digital Forensics, Uncategorized
Tagged With: Apps, Blog Post, Champlain College, Events, LCDI, Magnet, Magnet Forensics, MUS2019, Nashville, windows

December 4, 2018 by LCDI

Mobile App Forensics Intern Blog 2

Introduction

Over the past month, our team has analyzed the applications Expedia and Google Trips. These apps help users plan trips abroad, with features to make reservations and plan day trips. Our goal in analyzing these applications was to find out how much information they hold for forensic investigators, which in turn gives investigators an easier time catching suspects.

Findings

The Expedia application stores very little, if any, information on the device itself. It appears to store information only if the user purchases a ticket. The only other thing we found was that sometimes a flight plan may be stored on the device, but that’s it.

Google Trips, on the other hand, stores most if not all of its information on the device itself. Specifically, it contains all reservations, day trips, and other user input. The application also stores all locations and events in the city that the user is visiting. If a person uses this application heavily, it would provide investigators with a lot of information. The application relies on MIDs, a set of identifiers provided by Google. When correlated with the locations using certain items in the database, one can easily find the location corresponding to a given MID.

Conclusion

The team’s next project will involve game app forensics. What information do apps downloaded from the Play Store keep? What is stored internally? The team’s goal is to find out as much as we can about the device data stored internally by two game apps. The apps have not been chosen yet. Stay tuned for updates by checking out @champforensicslcdi on Instagram and @ChampForensics on Twitter!

The post Mobile App Forensics Intern Blog 2 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation
Filed Under: Digital Forensics, Uncategorized
Tagged With: Apps, Blog Post, Champlain College, computer forensics, Digital forensics, Digital Investigation, intern, Internship, LCDI, mobile, Mobile, Mobile App Forensics, mobile forensics, Projects, Student Work, Students


About

This site aggregates posts from various digital forensics blogs. Feel free to take a look around, and make sure to visit the original sites.


All content is copyright the respective author(s)