Forensic Blogs

An aggregator for digital forensics blogs

by

Exploration Forensics Update 2

Introduction

This semester, the exploration forensics group is researching hardware and software that tests for paranormal activity. The team will test the devices and corresponding apps. Through these tests, they will discover how the devices gather readings and interact with a user’s data. In addition, the team will gather evidence on how the devices and applications operate and examine the accuracy of the sensors. If you haven’t read the team’s first blog post, find it here.

The last few weeks involved jail breaking the tablets, testing the devices, and becoming familiar with Radare2.

Radare2 and Testing on Free Apps

A large part of the last two weeks involved the team learning how to use Radare2. The ARM assembly language used for this software can be difficult to make sense of.

Figure 1: Radare2 interface

There are many free programs available to interpret IOS applications, but the team chose Radare2 because of its reputation as a respectable open-source disassembler. The first few days with the software was exploratory and experimental. The team tried “challenges” found online to gain understanding of the language and the program.

When the team felt ready to begin testing on the freeware IOS apps, there were problems locating the .ipa file. An .ipa file is an IOS archive file that stores the application information and data in binary. Due to this roadblock, no testing was done with the free applications before last week. The team instead focused efforts on figuring out how to extract the .ipa files from the iPad. Previous research indicated that extracting the files through iTunes would not be difficult. When the team tried to get the .ipa file for the apps Ghost Sensor and EMF recorder, the folder needed did not exist.

The team spent several days researching alternate ways to extract the .ipa files, but most tutorials use the previous versions of iTunes. Due to this, the team explored other programs used to decompile and extract information from apps.

The last shift before spring break was spent surfing various forums to find alternate ways into the .ipa files. Cydia, which was used to jailbreak the device, has additional add-ons available. The software “ipainstaller” allows for backup and management of ipa files on IOS devices. The team found a forum that explains how to use the extension. Once the extension was downloaded, finding the .ipa files were straightforward and the team was able to make copies of them.

Figure 2: The team used PuTTY and ipainstaller to extract the .ipa file

This week, the team will be investigating the .ipa files in Radare2 to examine the sensors and permissions.

Preliminary Testing

The team also began tests on the Ovilus V this period. While the original plan was to observe packets sent by the Ovilus, the newest Ovilus model does not have networking capabilities. This model replaced the network card with a larger speaker. Because of this, the team is investigating the capabilities of the device’s sensors instead.

The first test on the Ovilus attempted to create false-positives through the use of magnets. The Ovilus tests for many environmental factors, including temperature, humidity, barometric readings, electromagnetic fields, and movement. The device converts these readings into words, according to DigitalDowsing.com. The team hopes to cross-reference the measurements on the Ovilus to a second measurement to confirm accuracy. They also hope to try to spoof these readings to see the effect on the sensors.

The team took a magnet out of a broken hard drive in the lab to use in experimentation on the Ovilus. These powerful magnets should disrupt any magnetic field measurement, and we’re hoping to create false-positives to see how much these magnets can affect the sensors on the Ovilus.

Figure 3: Breaking open an old hard drive to salvage magnets Conclusion

Despite the roadblocks the team has experienced, there are many alternatives to the original research plan. Currently, investigation into alternate ways of accessing the iPad’s file system seems promising. In addition, the team plans to continue experimenting with the Paranormal Puck device and app, and testing on the Ovilus. Post any feedback, questions, or general comments in the comment section below! Interested in our research? Follow the Leahy Center for Digital Investigation (LCDI) on Twitter @ChampForensics, Instagram @ChampForensics and Facebook @ChamplainLCDI.

The post Exploration Forensics Update 2 appeared first on The Leahy Center for Digital Investigation.

by

Exploration Forensics Blog 1

Introduction

This semester, the exploration forensics team is conducting research on hardware and software that tests for paranormal activity. We will test the devices and corresponding applications to discover if they gather readings and interact with a user’s data. The team will gather evidence on how the devices and applications operate. We will test how outputs are affected by environmental factors.

Background and Devices

The Paranormal Puck 2 and Ovilus V are products of Digital Dowsing, LLC. The company advertises the devices as an effective way to communicate with ghosts. The devices convert environmental factors such as temperature, humidity, barometric readings, electromagnetic fields, and movement into words.

 

Figure 1

When connected to an iPad, the Paranormal Puck 2 lists singular words from readings of environmental factors. Digital Dowsing’s website outlines the instrumental trans-communication (ITC) capabilities of the device. Environmental readings are converted into words, but not full sentences. The user can either ask questions aloud or type them into the app. The questions will then be “answered” based on environmental readings.

The Ovilus V is a standalone device that has capabilities like the Puck, except there isn’t a corresponding mobile application. The Ovilus monitors environmental factors and has several different modes to convert these readings into different forms: visual platforms, words, true or false answers, or sounds. The exploration forensics team plans to test the effectiveness of each of the modes.

First Few Weeks of Research

So far, the team has explored various forums to find research notes by people who have used the devices. While it was difficult to find credible sources, the team did find information about:

The Ovilus V uses electronic voice phenomena (EVP) to make approximations for words based on available phonetic sounds. The permissions of the mobile apps. The mechanics of the devices, like electromagnetic frequency (EMF) and the movement sensors.

The LCDI received the devices the week of February 5th. The team tested the devices on an exploratory basis to get an idea of how the devices actually work. During initial testing, the device rattled when moved by the team. A screw fell out through the grates and the device wouldn’t power on. The LCDI has sent the device back and Digital Dowsing should be sending a replacement soon. Research will continue with the Ovilus as the team waits for the replacement Paranormal Puck.

The team observed a correlation between the movement of the device and the readings the device produced. The device prompted names of people that no one on the team knew, and said words like “hide” and “disaster”. Digital Dowsings website advises users to disregard words that don’t make sense to the situation. The device may not be able to translate the environmental readings into meaningful words (Figure 2).

Figure 2

The team also tried to find more information about the hardware of the devices, but not much information is available. Analysis of the devices will continue to confirm the capabilities of the energy, temperature, barometric, and motion sensors by cross-referencing the results with readings from other devices.

Security of Mobile Apps

The team hopes to investigate the security permissions of the applications. If the devices have access to GPS location, the camera, and files on the mobile device, it could illustrate potential insights into how the devices are gathering evidence. One team member commented that using the devices in a graveyard would likely produce words like “marker” and “grave” if the app uses GPS. The team will investigate if the device receives information through GPS location or through the monitored environmental factors.

Proposed Method of Gathering Research

When testing the devices, the team will experiment with the devices in a constant environment. Monitoring the different modes on the devices will help pose a set of control questions that will be either spoken or written. Then, we will record the responses of the devices.

Conclusion

In the weeks to come, the team will test the capabilities of the Paranormal Puck 2 and Ovilus V devices. The team will also use the methods outlined above to gather evidence about the devices to be analyzed.

Sources

Hallowed_Grave. (2014, July 6). My weird experiences with the IOvilus [Online forum comment]. Message posted to https://www.reddit.com/r/Paranormal/comments/29xnzs/my_weird_experiences_with_the_iovilus/.

Digital Dowsing. (2015). Digital Dowsing, LLC. Retrieved from https://www.digitaldowsing.com/.

The post Exploration Forensics Blog 1 appeared first on The Leahy Center for Digital Investigation.

by

Windows Fall Creator Introduction

Pick Up Where I Left Off: Windows Innovative New Feature Coming Soon?

This spring, the Windows Fall Creator team will research a new Microsoft feature coming out over the next few months. The Windows Fall Creator/Redstone 4 update will provide users with the ability to continue right where they left off on other devices, as well as after power state changes. It is similar to Apple’s Auto Resume feature, except that it will be cross-platform enabled.

 

 

The Project

Before the release of the Windows Fall Creators Update, Pick Up Where I Left Off was discussed as a cross-platform version of Apple’s Handoff and Auto Resume features.   Our focus is on how it works, where the information is stored, and the security risks involved.  The official launch of “Pick Up Where I Left Off” has been delayed until the Windows Redstone 4 Update.  This update should be rolling out at some point this spring. While the Pick Up Where I Left Off feature isn’t available yet, pieces are through which we can start to see its functionality.

Our Procedure

We have researched and played around with the pieces of Pick Up Where I Left Off that are available.  After that, we joined the Windows Insider Program to get preview builds of the Redstone 4 update. This will allow us to test the actual feature before it’s released to the general public. We have created 4 virtual machines to run this preview build of Windows 10. These machines will be used to test different aspects of the feature. The following scenarios will be tested: the feature with only one person who uses the computer, the feature with two people who use the same computer, and one person who uses two different computers with the feature. After, we will test the feature out with cross-platform smartphones and a Microsoft Surface Pro.

Conclusion

The next step for our project will be researching the current Insider’s build for Windows 10. We will experiment using the new features it has to offer. After the Redstone 4 Update is released, we will experiment using the feature on that version of Windows.  By the end of this project, we hope to have an understanding of what Pick Up Where I Left Off is doing behind the scenes. We also hope to learn about its functionality and implications. Stay tuned for more updates to come and follow us on Twitter @ChampForensics,  Instagram @ChampForensics and Facebook @ChamplainLCDI.

References

Bowden, Z. (2015, October 30). Windows 10 Redstone: Continuum to be big focal point with new ‘Continuity-like’ features. Retrieved February 12, 2018, from https://www.onmsft.com/news/windows-10-redstone-continuum-to-be-big-focal-point-with-continuity-like-features

Bright, P. (2017, May 11). Microsoft reaches beyond Windows with Timeline and Pick Up Where I Left Off. Retrieved February 12, 2018, from https://arstechnica.com/information-technology/2017/05/timeline-and-cortana-make-windows-better-even-when-youre-not-using-it/

Brink, S. (2018, January 09). Turn On or Off Cortana Pick up where I left off in Windows 10. Retrieved February 12, 2018, from https://www.tenforums.com/tutorials/82752-turn-off-cortana-pick-up-where-i-left-off-windows-10-a.html

Brink, S.  (2017, April 11). Windows 10 help and support forum. Retrieved February 12, 2018, from https://www.tenforums.com/windows-10-news/81566-what-s-new-windows-10-creators-update.html

Hay, R. (2017, August 31). Cortana’s “Pick up where you left off” Feature is almost Windows Timeline Light. Retrieved February 12, 2018, from http://www.itprotoday.com/windows-10/cortanas-pick-where-you-left-feature-almost-windows-timeline-light

Martin, J. (2018, January 23). Microsoft is experimenting with some radical new features in Windows 10, including sets. Retrieved February 12, 2018, from https://www.techadvisor.co.uk/new-product/windows/windows-10-fall-creators-update-3496959/

TinsleyNET Admin. (2017, October 25). Windows 10 “Fall Creators Update” [Web log post]. Retrieved February 8, 2018, from https://www.tinsleynet.co.uk/2017/windows-10-1709/#more-1397

The post Windows Fall Creator Introduction appeared first on The Leahy Center for Digital Investigation.