Forensic Blogs

An aggregator for digital forensics blogs

by

Bluetooth Tracking Reboot

New Team, New Goals, Same Tools

Frequent readers of this blog may remember last semester’s Bluetooth Tracking Project. It focused on developing methods to trilaterate the position of a Bluetooth device based off signal strength.

This semester, the goal has shifted. Our team will build and implement a network of stand-alone Bluetooth monitoring devices. We are basing this off of research and methodologies developed last semester. These devices will use publicly available toolsets and low cost hardware. They will collect and report information on Bluetooth devices to a central hub. This will make the findings easy to view.

Tools used last semester are being used for this project. Last semester the Bluetooth team used  blue_hydra and ubertooth in conjunction. Both provided key information regarding the functioning of the trilateration. Because we no longer need the same feedback, we decided to focus on using blue_hydra as the scanning tool. The hardware Ubertooth, and he underlying software library, will still be utilized. This will simplify the scripting process of our project immensely. Unlike last semester, we’ve decided to use the Raspberry Pi model 3 as the base of our sensor nodes. The current team is more familiar with this type of hardware. It’s also compatible with all the hardware and software required for the project. Plus, we have them handy.

 

Current Bluetooth Progress

We started out familiarizing ourselves with our new goals and the research from last semester’s Bluetooth project. We used the installation guide from last semester. This ensured that all our hardware is properly configured. Over the past few weeks, we have focused on testing and configuring the hardware and software. We are progressing nicely. When we have a functioning model, future reports will outline the code.

Another big aspect we have been tackling is creating a server infrastructure for collecting all the data. By nature, the sensor nodes distribute across a large physical area. They will need a way of reporting the data they have collected. We decided to take a more structured approach. We implemented an elasticsearch cluster that the nodes can connect to. Elasticsearch has a wealth of built in features, the biggest being an inherent compatibility with kibana dashboards and the elasticsearch python library. The Elasticsearch Python library ships data from our nodes to our Elasticsearch cluster. Kibana allows us to visualize, manipulate, and collect metrics. This makes it easy to view Bluetooth devices that have been collected from our nodes.

Wrap Up

When laying the groundwork for this project, we took into account previous work. It was important to set up the project in a way future teams would be able to build without making radical design changes. Last semester’s Bluetooth team had thorough methodologies and research. This enabled us to start making infrastructure choices immediately. Our next steps will focus on executing our code outlines and building out the server infrastructure.

Stay tuned for more updates to come and follow us on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI.

The post Bluetooth Tracking Reboot appeared first on The Leahy Center for Digital Investigation.

by

Bluetooth Device Tracking Update 2

Intro

In this second blog post we will be delving into the math and code that will calculate our Bluetooth device’s position. We will cover more in detail exactly how our calculations work and the background behind them. We will also address the choices on the values used to perform the calculations. The code has evolved since the last post, and we will cover what has changed in the code and the tools we are using. We will conclude with a debrief of the presentation we gave on the project at the Vermont Tech Jam event.

Math Write-Up

When calculating the location of a device, we need the RSSI,  interference(N), and txPower(A) (strength of the signal at 1 meter). The issue is that RSSI is a poor indicator of distance. Also, txPower is unavailable to us as because device signal strengths vary. So, despite its inaccuracy, RSSI is the best indicator of distance we have access to. For testing purposes, N was set to a baseline of 20 dBm. A was set to -62dBm to account for the average interference of other devices in the area. In a future iteration, we will calculate N using the secondary nodes. To plot the position of a bluetooth device in an area we must use the RSSI to calculate distance. Then we trilaterate the coordinates of the bluetooth device using three points of reference.

Formulas

The best RSSI reading for calculating distance is the mode of many readings from the device.  If a mode cannot be calculated the average RSSI is used instead. Using the formula RSSI (dBm) = -10n log10(d) + A in the form of  d=10((A- RSSI(dBm)) / N)  provides us with an estimation of range. Distance categories “near”, “middle”, or “far” are also defined using ranges of “near” <10 meters, 10 meters=< “mid” <=20 meters, and “far” >20 meters. This allows us to provide a position for the device. It also leaves room for error. To trilaterate the position, we place the estimated distances in a triangulation formula. The group based this formula off the report “Indoor Positioning System” with the points X and Y being the coordinates of the unknown device:

bluetooth

(Image from https://www.ece.lsu.edu/scalzo/FDR_Final.pdf)

The coordinates derived are the approximate (x,y) coordinate pair of the sniffed bluetooth device. Devices only seen by one or two nodes display with the “near”, “middle”, or “far” system using the nodes that see it.

(for more info on RSSI look at this blog post: https://blog.bluetooth.com/proximity-and-rssi)

Python Code

As discussed in our last blog post we are making some python scripts to do data aggregation and analysis for us. We are working on two scripts that will run on our microcomputers. As a side-update on the computers, we are using Odroids with the Ubuntu 16.04 minimal OS. One of the three Odroids is the master node, and will be the one doing the calculations. The other two Odroids will be running a stripped down versions of the code. These secondary nodes collect data and send it to the master node upon request.

The current plan is to run the code in a continual loop and redo calculations based on a user supplied time frame. See the diagram below for a pseudo-code example of the machines interacting. The idea behind aggregating all the data before performing calculations is to cut down on confusion between nodes. This way the nodes are not reporting the same device as separate devices.

bluetooth

We are also looking into ways to display the results in graphical manner. For the time being we are having the script output the calculated distance and a value of “near” “middle” or “far”. If we can replace this with a graphical representation it will be far easier to track a device.

Bluetooth Receiver Hardware Update

During our testing phases, we determined that Blue Hydra is not the most effective tool for our purposes. Instead, we have chosen to use the Ubertooth tools to parse and show the data we need. The Ubertooth tools provide more information that updates more. This allows for us to have a more accurate look into bluetooth devices in our area. The output of the Ubertooth tools is much messier. But the extra information it contains will benefit our project. We’ll have to go back and adapt our Python code. But it will benefit our project.

Tech Jam

September 20th and 21st, we brought our project to VT Tech Jam! Tech Jam is an annual technology expo featuring exhibits and talks from all sorts of technology companies around Vermont. The LCDI hosted our own booth on both days; featuring our project and some of our newest tech. On one of our displays, we showcased the 2.4ghz spectrum using spectools by Kismet. This way, onlookers could actually see how Bluetooth frequencies communicated around them. When interested, we showed people our prototype script that could calculate how far a Bluetooth device was from our laptop. We had a lot of curious visitors and had a blast talking to all the different companies from around Vermont. If you happen to be in Vermont next October, make sure to stop by and check out our new and exciting projects!

bluetooth

Conclusion

Overall we have made great progress on this project. We have calculated distances to bluetooth devices and are almost ready for a full scale test. With a few last touches to the scripts we expect to be able to run a test with all three nodes operating independently.

 

The post Bluetooth Device Tracking Update 2 appeared first on The Leahy Center for Digital Investigation.

by

Bluetooth Device Tracking with Trilateration

Overview

This project focuses on developing a system that will allow Bluetooth device tracking in a prepared area. We intend to create a set of small, portable units that can be placed in a building to quickly set up a network to monitor Bluetooth signals and calculate a position for said devices.

Device Overview

The units described above will consist of a computer and Bluetooth adapter. Using this setup we can gather information about each device in order to locate it. Our current design for each unit is a set of three devices arranged in the shape of a right triangle. The device on the right angle of the triangle is the master unit, where the positioning calculations are performed and where the two secondary units send their own data. It is also this master unit that will report the calculations to the user. At the time of this blog post we are using laptops running Kali Linux with an attached Ubertooth One. The laptops provide us with an abundance of processing power and the convenience of a built in battery. In a more practical implementation, each laptop could be substituted with a micro-computer like a Raspberry Pi and a battery bank.

Ubertooth

The Ubertooth One is a small USB device developed by Great Scott Gadgets that serves as a platform for Project Ubertooth. Project Ubertooth is an open source wireless development program that allows for Bluetooth experimentation when used with any Ubertooth device. Ubertooth devices stand out because of their small size and cost in comparison to other Class 1 Bluetooth devices. Still, if you don’t want to drop $100 on one, the design is all open source! A post on the creator’s blog provides a guide on how to go about building your own. For our project, we are utilizing the basic Ubertooth tools in tandem with a program by Pwnie Express called Blue Hydra.

Blue Hydra

Blue Hydra is the name of the tool we are using to gather information about the devices around us through Bluetooth. The program is written in Python and Ruby. While running, Blue Hydra retrieves information about the device’s name, type, manufacturer, Bluetooth Address, Bluetooth version, and RSSI values. It then formats all of the discovered data into a database file that can be opened and viewed at any time. When combined with an Ubertooth device, Blue Hydra can even capture data from undiscoverable devices, or devices which are already connected to one another.

Bluetooth Device Tracking

Trilateration VS. Triangulation

One of the first decisions we had to make was exactly how to calculate a position for detected devices. The first impression was that triangulation would work fine, and we began looking at various methods of doing so. However, we discovered that the values we would need for triangulation were not easily obtainable from the information gathered by our hardware. In the process of researching these calculations, however, we found another method of calculation called trilateration. The difference between triangulation and trilateration is in what they measure: triangulation calculates positions based on the angles of a triangle, and trilateration measures the distances between a known point and an unknown point.

Although the difference may seem arbitrary, it is actually a critical factor to our project’s success. Since trilateration allows a distance calculation for an unknown point, it means that trilateration technically calculates range as a circle around the known point. By calculating the distance to an unknown point from three known points, where these circles intersect is the area in which our unknown device is located. This is shown in the image below:

Conclusion

Our team is making significant progress towards being able to track Bluetooth devices through a building. In future blog posts we will be covering the nuts and bolts of how our system works, and providing more detailed examples. We are also working on a full guide on setting up an Ubertooth device and interfacing with Blue Hydra software. Out plan is to provide our own code for the trilateration of Bluetooth devices later this semester. Stay tuned for more updates and breakthroughs in the coming weeks!

We welcome all feedback! Feel free to comment here or email us at lcdi@champlain.edu. You can also follow us on Facebook or Twitter for the most recent updates on projects, such as App Analysis, VPN Proxy Chain, and more!

The post Bluetooth Device Tracking with Trilateration appeared first on The Leahy Center for Digital Investigation.