Forensic Blogs

An aggregator for digital forensics blogs

by

Exploration Forensics Update 2

Introduction

This semester, the exploration forensics group is researching hardware and software that tests for paranormal activity. The team will test the devices and corresponding apps. Through these tests, they will discover how the devices gather readings and interact with a user’s data. In addition, the team will gather evidence on how the devices and applications operate and examine the accuracy of the sensors. If you haven’t read the team’s first blog post, find it here.

The last few weeks involved jail breaking the tablets, testing the devices, and becoming familiar with Radare2.

Radare2 and Testing on Free Apps

A large part of the last two weeks involved the team learning how to use Radare2. The ARM assembly language used for this software can be difficult to make sense of.

Figure 1: Radare2 interface

There are many free programs available to interpret IOS applications, but the team chose Radare2 because of its reputation as a respectable open-source disassembler. The first few days with the software was exploratory and experimental. The team tried “challenges” found online to gain understanding of the language and the program.

When the team felt ready to begin testing on the freeware IOS apps, there were problems locating the .ipa file. An .ipa file is an IOS archive file that stores the application information and data in binary. Due to this roadblock, no testing was done with the free applications before last week. The team instead focused efforts on figuring out how to extract the .ipa files from the iPad. Previous research indicated that extracting the files through iTunes would not be difficult. When the team tried to get the .ipa file for the apps Ghost Sensor and EMF recorder, the folder needed did not exist.

The team spent several days researching alternate ways to extract the .ipa files, but most tutorials use the previous versions of iTunes. Due to this, the team explored other programs used to decompile and extract information from apps.

The last shift before spring break was spent surfing various forums to find alternate ways into the .ipa files. Cydia, which was used to jailbreak the device, has additional add-ons available. The software “ipainstaller” allows for backup and management of ipa files on IOS devices. The team found a forum that explains how to use the extension. Once the extension was downloaded, finding the .ipa files were straightforward and the team was able to make copies of them.

Figure 2: The team used PuTTY and ipainstaller to extract the .ipa file

This week, the team will be investigating the .ipa files in Radare2 to examine the sensors and permissions.

Preliminary Testing

The team also began tests on the Ovilus V this period. While the original plan was to observe packets sent by the Ovilus, the newest Ovilus model does not have networking capabilities. This model replaced the network card with a larger speaker. Because of this, the team is investigating the capabilities of the device’s sensors instead.

The first test on the Ovilus attempted to create false-positives through the use of magnets. The Ovilus tests for many environmental factors, including temperature, humidity, barometric readings, electromagnetic fields, and movement. The device converts these readings into words, according to DigitalDowsing.com. The team hopes to cross-reference the measurements on the Ovilus to a second measurement to confirm accuracy. They also hope to try to spoof these readings to see the effect on the sensors.

The team took a magnet out of a broken hard drive in the lab to use in experimentation on the Ovilus. These powerful magnets should disrupt any magnetic field measurement, and we’re hoping to create false-positives to see how much these magnets can affect the sensors on the Ovilus.

Figure 3: Breaking open an old hard drive to salvage magnets Conclusion

Despite the roadblocks the team has experienced, there are many alternatives to the original research plan. Currently, investigation into alternate ways of accessing the iPad’s file system seems promising. In addition, the team plans to continue experimenting with the Paranormal Puck device and app, and testing on the Ovilus. Post any feedback, questions, or general comments in the comment section below! Interested in our research? Follow the Leahy Center for Digital Investigation (LCDI) on Twitter @ChampForensics, Instagram @ChampForensics and Facebook @ChamplainLCDI.

The post Exploration Forensics Update 2 appeared first on The Leahy Center for Digital Investigation.

by

Application Analysis Introduction

Introduction

This semester, the Application Analysis team chose four Windows applications to perform a forensic analysis on – Spotify, Bitcoin Miner, Speedtest, and Dashlane. In the coming weeks, we will examine the artifacts generated by these applications.

Analysis: Web App Security

We will inspect the applications’ security features. Without proper security features, hackers can access data stored by the application. Noting how the applications handle data will illuminate security features.

The Applications

Spotify is a web-based music streaming application. It has a user base of well over 140 million paid and unpaid users, making it the largest music service available. With a music library of over 30 million songs, it’s clear to see why users love it so much. Spotify features connectivity with friends and celebrities. The team wonders if this could lead to a privacy issue. We will analyze this by recording the data the application stores about music preferences and other personal information.

Bitcoin Miner is the most popular bitcoin mining application in the Microsoft Store. Cryptocurrency has recently emerged as a lucrative investment opportunity. Applications offering users a friendly interface for exchanging and mining cryptocurrencies have followed. We are inquiring about the artifacts left over by mining cryptocurrency.   

SpeedTest is an internet speed testing application that offers “easy, one-click connection testing in under 30 seconds.” It also claims to be “the most accurate and convenient way to test your speed.” Millions of users access this service. Analyzing an application such as this one should be simple. We will be looking into the data that the application stores about you and your device. This data includes age, gender, work experience, education, and browser history.

Dashlane acts as an online password bank. The application stores entered user and online account information. Never again do you need to remember all your passwords. You only need one master password to open Dashlane. The application will log-in to websites through its database and fill out forms with the information you provide. We will examine the artifacts generated by storing information, navigating to websites, and using the autofill feature. For this application, it will be important for us to be on the lookout for potential security risks.

Conclusion

Currently, we are generating and analyzing the artifacts as well as observing security features. We will report on our findings in the blog posts to come.

Post any feedback, questions, or general comments in the comment section below! Interested in our research? Follow the Leahy Center for Digital Investigation (LCDI) on Twitter @ChampForensics, Instagram @ChampForensics and Facebook @ChamplainLCDI.

The post Application Analysis Introduction appeared first on The Leahy Center for Digital Investigation.

by

VPN/Proxy Chain Update 3

Introduction

Hey everyone, it’s been a little bit since our last update. We hope you all had a great Thanksgiving. We’ve been continuing our work on our VPN/proxy chain project and have run into a few problems since our last update. Two members of our team have been working on the VPN element of our project. There has been difficulty connecting to the various other elements of our project.

VPN Difficulties

We wanted to mask the IP address of the client machine. The client would show that it connected to the VPN, but refused to mask the IP. As a result we changed almost everything at least once. We adjusted the config files for the VPN, changed settings on the clients, and tried to use different VPN solutions other than OpenVPN, but we were never able to fix our problem. At the end, we determined that the problem most likely lied in how we had to build our mini-network. By using the LCDI’s network, we dealt with issues that wouldn’t have appeared in another situation.

Solutions

As a result, we reflashed the Raspberry Pi with the PiVPN setup to receive a clean slate. Then, we reinstalled Raspbian Stretch. We proceeded with a regular install for an OpenVPN Server as if we weren’t even using the Raspberry Pi (we didn’t use PiVPN). PiVPN is meant for easy setup where a majority of the files are created for you through automation. By using a regular OpenVPN install we were able to change each individual file and configuration that we needed to change to reflect our network. This fix would work for anyone that’s not working inside a security intensive network. The problems we had was a result of us conducting our research in a network that is not optimized for standard network users. The prior research we followed will be listed in our final report and will most likely work on a rudimentary network setup.

Conclusion

The end of the semester is fast approaching and with it, the end of our project. We hope to have everything working, but if we don’t, we will give you all the information you’ll need to work something like this. Our final report should be coming out in a few weeks, so look forward to reading up on our total progress.

Thank you and have a great holiday season and rest of your year.

We welcome all feedback! Feel free to comment here or email us at lcdi@champlain.edu. You can also follow us on Facebook or Twitter for the most recent updates on projects, such as App Analysis, VPN Proxy Chain, and more!

The post VPN/Proxy Chain Update 3 appeared first on The Leahy Center for Digital Investigation.