Forensic Blogs

An aggregator for digital forensics blogs

April 30, 2020 by LCDI

Researching IoT Devices

Art depicting the connectivity of common devices

Introduction

It is safe to say that everyone is constantly connected, through our smartphones, social media accounts, and even smart homes. Every day, more and more innovative devices are released to the public. Any device that is able to have a relationship with another is part of the Internet of Things (IoT). Forbes goes so far as to state that “the relationship will be between people-people, people-things, and things-things”. While these devices offer easy-to-use functionality and instant access to information, how secure are they? In this blog, students at the Leahy Center will review some common devices and discuss some of their vulnerabilities.

IoT Smart Locks

Smart locks are great for remote access to your home’s doors. They’re a faster way to open them, and they let a user keep a record of each action. However, Katie Hopkins, part of the IoT research team, is in the midst of a deep dive into smart lock vulnerabilities, discovering how a device that is supposed to keep your home secure can be left vulnerable to hackers. Her research was specifically on Kwikset Kevo Smart Lock devices. Despite how secure one may think these devices are, Katie found that these vulnerabilities may subvert that expectation.

Image of a smart lock

Some vulnerabilities are very simple, such as a denial of service attack using a smartphone. The InfoSec Handbook, a guide to network security concepts, offers a useful definition. A denial of service attack is one that limits or rejects access due to an overflow of data from an outside device. In this case, an attacker can use the Kevo app to send large amounts of open/close requests to the lock. This confuses the device and causes it to not react to a physical key that comes with the device. Another vulnerability is that the lock’s batteries only last about two weeks. This leaves a window of opportunity for an attacker to gain control of the lock.
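The request flood above works because the lock accepts every open/close command it is sent. The usual mitigation is to throttle commands per client before they reach the motor. The following is an added example written for this page, not Kwikset firmware or the Leahy Center team’s code; the class names, limits and the simulated clock are assumptions made for the example.

```python
"""Per-client token bucket in front of a hypothetical smart lock's command
handler. One app session that hammers the lock with open/close requests is
throttled after a small burst, other clients keep their own allowance, and the
command queue never fills. All names and limits are example assumptions."""
from collections import deque


class TokenBucket:
    """Up to `capacity` requests in a burst, then `rate` requests per second."""

    def __init__(self, capacity, rate, clock):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock            # callable returning seconds; injectable for tests
        self.tokens = float(capacity)
        self.last = clock()

    def allow(self):
        now = self.clock()
        # Refill proportionally to elapsed time, never above capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class LockController:
    """Hypothetical lock firmware front end: rate-limits, then queues commands."""

    BURST = 3        # requests a client may send back to back
    RATE = 0.5       # sustained requests per second per client
    MAX_QUEUE = 8    # commands waiting for the motor

    def __init__(self, clock):
        self.clock = clock
        self.buckets = {}
        self.queue = deque()
        self.dropped = 0

    def handle(self, client_id, action):
        """Return True if the command was queued, False if it was throttled."""
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = self.buckets[client_id] = TokenBucket(self.BURST, self.RATE, self.clock)
        if not bucket.allow() or len(self.queue) >= self.MAX_QUEUE:
            self.dropped += 1
            return False
        self.queue.append((client_id, action))
        return True

    def service(self):
        """The motor drains one queued command per call; returns it or None."""
        return self.queue.popleft() if self.queue else None


def run_scenario(flood_size=1000):
    """Constructed scenario on a fake clock: one client floods the lock, the
    owner's phone sends one request, then the flooding client tries again
    four seconds later (long enough for two tokens to refill)."""
    t = [0.0]

    def clock():
        return t[0]

    lock = LockController(clock)
    flood_ok = sum(lock.handle("flooding-app", "open" if i % 2 == 0 else "close")
                   for i in range(flood_size))
    owner_ok = lock.handle("owner-phone", "open")     # separate client, own bucket
    t[0] += 4.0
    later_ok = sum(lock.handle("flooding-app", "open") for _ in range(10))
    return {
        "flood_accepted": flood_ok,     # 3: the burst allowance, nothing more
        "owner_accepted": owner_ok,     # True: unaffected by the other client's flood
        "later_accepted": later_ok,     # 2: refilled tokens after 4 s at 0.5/s
        "dropped": lock.dropped,
        "queued": len(lock.queue),      # never exceeds MAX_QUEUE
    }


if __name__ == "__main__":
    print(run_scenario())
```

The bucket is keyed per client, so a flood from one app session does not consume the allowance of another, and the bounded queue is a second line of defence if many sessions flood at once. The physical key path is not represented here; the point is only that the network-facing queue cannot be saturated from a single session.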

Some companies also claim that they encrypt passwords for these devices but end up not doing so; great information for a hacker, bad news for you! There are many more ways to exploit these devices, but these are just a few of the simpler ones. NewSky Security wrote a blog post that breaks down more exploits in detail.

Overall, these locks may be useful for securing your home, but their functionality causes new problems.

Google Home

One of the landmark accomplishments in smart devices has to be the creation of personal assistants. One of the more sophisticated virtual helpers is Google Assistant, a competitor to Apple’s Siri and Amazon’s Alexa personal assistants. This software can exist on most devices with a microphone and a speaker since Google Assistant interacts through voice. The user may give the device commands such as, “set an alarm”, or “open my garage door”.

Google Assistant can also interact with your other smart devices in a smart home. To do this, one can purchase a Google Home. Home runs the Google Assistant software and serves as a hub for all your smart devices. 

Image of a Google Home

IoT team member Joe McCormack has been researching the Google Home and did not find as many vulnerabilities in the software or hardware as Katie found in her research on the smart locks. But, just like the Kevo Smart Locks, there is always a flaw. As discovered by a group at the University of Michigan, the process that takes audio from the microphone and translates it into commands for Google Assistant can be exploited. By shining a low-powered laser at different frequencies into the Google Home’s microphone, an attacker can execute commands without making a sound. This means a criminal could use it to disarm smart home security systems or open smart locks silently. The technology required to do this is fairly complex but can be used by anyone with the proper knowledge.

D-Link WiFi Camera

The best way to catch a criminal is to actually see them in the act of a crime. It is also common for parents to keep an eye on their children while they are working or the children are left with a babysitter. Security cameras are a great way to automatically record the happenings of an area. Most come with motion detection, night vision, and the ability to record entire days’ worth of footage. One camera that the IoT Security team has been researching is from D-Link, a reputable manufacturer that specializes in network devices, including security cameras. The D-Link WiFi Camera (model DCS-5030L) is a cheap and effective way to monitor your home or office, but if the user does not update the camera regularly, there can be trouble.

Image of a D-Link wifi camera

Someone who is familiar with code can find specific files online that allow unauthorized access to the camera. That means that a person can gain control of the camera, look at recordings saved in the memory, and even move the position of the camera. However, it is actually pretty easy to prevent an attack. All you have to do is keep your firmware updated as D-Link has fixed many security issues over the lifespan of the device. This is normally the case for many devices.

Conclusion

There are vulnerabilities in most, if not all, of the IoT devices that you might use in your home. A capable hacker can exploit devices that you use every day, from your smart door lock to your smart refrigerator. We must be more aware of the issues that are present with new and exciting technology, or our personal data could be compromised. It is always good to keep the device’s firmware up to date and have strong network security. By fortifying your devices and the network they reside on, you can prevent an attacker from taking control of your smart home, smart camera, or any other smart device. For the sake of your personal information, physical security, and privacy, remember that the convenience that smart devices offer might not be worth the risk.

The post Researching IoT Devices appeared first on The Leahy Center for Digital Forensics & Cybersecurity.


April 30, 2020 by LCDI

Building a Visualization Tool for mac_apt

Matthew Goldsborugh / Daniel Hellstern

Image of mac_apt results

Introduction

An important part of any forensic investigation is to find indicators left behind by an attacker on a compromised computer. This process can be very difficult, especially when the attacker takes steps to hide their tracks. Software that finds as many of these artifacts as possible already exists, and our project revolves around one such tool: mac_apt.

mac_apt is an open-source collection tool for macOS devices, created by Yogesh Khatri. The tool collects everything from known WiFi networks to old print jobs and paired Bluetooth devices. Unfortunately, mac_apt outputs a lot of raw data, which is often difficult to go through by hand. That’s why we’re working on building a tool to help investigators find important artifacts among those discovered by mac_apt.

Design goals

The primary goal of the mac_apt graphical user interface (GUI) is to augment what’s available with existing tools like EnCase. Investigators use these tools to analyze artifacts and find which could be compromising. The mac_apt GUI will work to provide a better experience when analyzing macOS artifacts.

We have made significant progress since we began this project. In 8 weeks, we chose a Python GUI framework that would fit our needs, designed the basic structure and elements of the GUI, and have implemented many of the desired features.

Our main obstacle thus far has been the limitations of the wxPython framework that we chose. Features such as infinite scrolling and dynamic widget resizing are not built into the framework. Implementing these features ourselves would require a significant amount of time. We have opted instead to focus our attention on getting other elements of the GUI up and running before committing our time to those features.

Our team has been using the Python sqlite3 database API to pull the relevant data from the mac_apt databases using SQLite queries. The program converts the data into a human readable format and populates it into a table. We are now working hard to make the table user friendly with features like sorting, filtering, and column manipulation.

We have also been working on the text and hexadecimal preview window to display the contents of individual cells. While displaying the contents of a cell was simple, dealing with the “Source” column of our data tables has proven more difficult. The source column holds the path of the file from which the table data was collected. Our goal has been to display the contents of the source file in a human-readable format. The difficulty arises from the many different file formats represented in the database. The previewer must handle text, plist, sqlite, history, gz, xml, and kext file types and convert them into human-readable and hex formats. Currently we are having trouble getting the hex viewer to display the corresponding ASCII character for some hex values.
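The two back-end pieces described in the last two paragraphs, loading rows with sqlite3 and previewing a “Source” file, can be shown together in a short script. This is an added example written for this page, not mac_apt’s code or the LCDI project’s GUI: the table name, columns and file contents are constructed here and are not mac_apt’s real output schema. The previewer sniffs the format by magic bytes (gzip, binary plist, SQLite, XML) before falling back to a hex dump, and the hex dump’s right-hand column shows a character only for the printable ASCII range 0x20 to 0x7E, which is the usual fix when a hex viewer prints the wrong character for some byte values.

```python
"""Load rows from a SQLite output database into display strings, and preview a
source file as text/plist/decompressed content or, failing that, a hex dump.
Constructed example: the WifiNetworks table and the FILES below are stand-ins,
not mac_apt's schema or real macOS files."""
from datetime import datetime, timezone
import gzip
import plistlib
import sqlite3


def hexdump(data, width=16):
    """Classic offset / hex / ASCII layout, one string per row."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        # Only 0x20..0x7E are printable ASCII; everything else becomes '.'.
        text = "".join(chr(b) if 0x20 <= b <= 0x7e else "." for b in chunk)
        rows.append(f"{off:08x}  {hexpart}  {text}")
    return rows


def detect_format(data):
    """Sniff by magic bytes first, then fall back to a UTF-8 decode test."""
    if data.startswith(b"\x1f\x8b"):
        return "gz"
    if data.startswith(b"bplist00"):
        return "plist"
    if data.startswith(b"SQLite format 3\x00"):
        return "sqlite"
    head = data.lstrip()
    if head.startswith(b"<?xml") or head.startswith(b"<plist"):
        return "xml"
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "binary"


def render_preview(data):
    """Return (format, human-readable text). Unknown binaries get a hex dump."""
    fmt = detect_format(data)
    if fmt == "gz":
        inner_fmt, text = render_preview(gzip.decompress(data))  # preview the payload
        return f"gz/{inner_fmt}", text
    if fmt in ("plist", "xml"):
        try:
            return fmt, repr(plistlib.loads(data))  # handles binary and XML plists
        except Exception:                           # XML that is not a plist
            return fmt, data.decode("utf-8", "replace")
    if fmt == "text":
        return fmt, data.decode("utf-8")
    return fmt, "\n".join(hexdump(data))


def to_display(value, is_time=False):
    """Cell conversion: NULL -> '', BLOB -> hex, epoch seconds -> UTC timestamp."""
    if value is None:
        return ""
    if isinstance(value, (bytes, memoryview)):
        return bytes(value).hex()
    if is_time and isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return str(value)


def load_table(conn, table, time_columns=()):
    """Return (column names, list of display-ready row dicts) for one table."""
    # Identifiers cannot be bound as parameters, so confirm the table exists
    # before quoting it into the statement; reject anything not present.
    if conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                    (table,)).fetchone() is None:
        raise ValueError(f"no such table: {table}")
    cur = conn.execute(f'SELECT * FROM "{table}"')
    cols = [d[0] for d in cur.description]
    rows = [{c: to_display(v, c in time_columns) for c, v in zip(cols, raw)} for raw in cur]
    return cols, rows


# Constructed stand-ins for source files referenced from the Source column.
FILES = {
    "/example/wifi.plist": plistlib.dumps({"KnownNetworks": ["LabNet"]}, fmt=plistlib.FMT_BINARY),
    "/example/install.log.gz": gzip.compress(b"2020-04-30 09:15:02 installer: done\n"),
    "/example/blob.bin": bytes(range(256)),
}


def build_sample_db():
    """Constructed in-memory database; the table is an assumption, not mac_apt's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE WifiNetworks (SSID TEXT, LastConnected INTEGER, Source TEXT)")
    conn.executemany("INSERT INTO WifiNetworks VALUES (?, ?, ?)", [
        ("LabNet", 1588237200, "/example/wifi.plist"),
        ("GuestWifi", None, "/example/wifi.plist"),
    ])
    return conn


def preview_source(path):
    """What the GUI would show when a Source cell is selected."""
    return render_preview(FILES[path])


if __name__ == "__main__":
    cols, rows = load_table(build_sample_db(), "WifiNetworks", time_columns={"LastConnected"})
    print(cols, rows)
    for p in FILES:
        print(p, *preview_source(p))
```

Two design points carry over to a real build: the table name is checked against sqlite_master rather than trusted from the caller, and which columns are timestamps is declared explicitly instead of guessed from integer ranges, since mac_apt tables also hold plain integer counters.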

Conclusion

With most of the basic components of the mac_apt GUI working, the next step is to implement more advanced features to make the GUI more user-friendly. We would like to add a file system tree, advanced searches, copying cell data to clipboard, and the ability to open source files in another application. Eventually, we hope to build a powerful, user-friendly tool that investigators can rely on to whittle down collected data to exactly what they need.

The post Building a Visualization Tool for mac_apt appeared first on The Leahy Center for Digital Forensics & Cybersecurity.


April 30, 2020 by LCDI

Data Recovery Blog 2

Data on a screen, various numbers highlighted green, with a red open lock

Data Is Not As “Deleted” As You Think

Here at The Leahy Center for Digital Forensics and Cybersecurity, the Data Recovery team has been hard at work searching through hard drives. These drives have been wiped using different methods in order to find any Personally Identifiable Information, or PII, that can be tied back to an individual.

At this point, ten out of the twenty-eight drives purchased have been fully analyzed for the purposes of recovering data. Three drives, numbered 7, 9, and 10, all contained PII data. Drive 7 was wiped with DBAN, which stands for Darik’s Boot and Nuke and is a free Linux utility. Drives 9 and 10 were wiped with the Xerase method, put forth by EPS. Both of these utilities claim to offer “secure absolute destruction”, yet how secure can they be if a team of analysts is able to recover data using tools that are freely available to the public?

The Recovery Process

For this project, we are using four “freeware” tools to recover data. These tools are SleuthKit’s Autopsy, FTK Imager, Bulk Extractor, and Eric Zimmerman’s “bstrings” utility for Windows. Every drive that was purchased was run through all of these tools, not only to ensure visibility of data, but to determine if one tool has superior discovery abilities for deleted data. The tools are relatively simple to begin using, but require a bit of technical knowledge to become comfortable with. We have built a beginner-friendly user guide for how to start all four tools for acquisition of data, which can be seen below.

Autopsy:
1. Open Autopsy.
2. Fill out the starting form as needed.
3. Select “Add Data Source” –> “Unallocated Space Image File”.
4. Select the first piece of the drive.
5. Wait for the image to finish scanning. This will take a while.

Bstrings:
1. Open the command line in the folder in which you extracted bstrings.
2. Type out the command to run it on a folder recursively to search an entire drive at once. Example:
   bstrings.exe -d Disk Location > File Where Data Found Is Saved\bstrings.txt
3. Adjust the conventions to match the image that you are working on.

Bulk Extractor:
1. Point Bulk Extractor to the desired image (e.g. HDD02.001) and a directory where you would like the output to go.
2. Turn on all scanners by checking all of their boxes.
3. Press the ‘start bulk_extractor’ button to begin the scan.

FTK Imager:
1. Upload the disk image from the F:\ drive into FTK Imager v3.4.0.5.
2. On the left-hand side, click on the location (i.e. HD1), then select the file path (it will be the only option in the evidence tree).
3. Upon clicking, there will be a file list in the middle column, and a column full of text and UNICODE on the far right. This is where all of the data is. Since there is no file system, the program pulls data haphazardly.
4. In FTK Imager, you can use “Ctrl + F” to search for strings, but be wary of what language you are searching in. Select the “wrap” option as well, to ensure that if a string crosses more than one line, it will be recorded in the results.
5. Analyze.

Which Data Recovery Tools Reign Supreme?
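The core of what bstrings and Bulk Extractor do on a wiped drive is simple to show in a few dozen lines: walk the raw bytes, pull out runs of printable characters, and flag the ones that look like PII. The “be wary of what language you are searching in” warning in the FTK Imager steps matters here, because Windows stores a lot of text as UTF-16LE, where every ASCII letter is followed by a zero byte, and an ASCII-only search walks straight past it. The following is an added example written for this page, not the Leahy Center team’s code or any of the four tools; the image bytes are constructed, and the regexes and function names are the example’s own.

```python
"""Minimal string carver for a raw disk image: extracts ASCII and UTF-16LE
strings from arbitrary bytes and reports those matching simple PII patterns.
The sample image below is constructed; the e-mail and SSN in it are the
standard reserved placeholders, not real data."""
import re

# Patterns that look like PII once a string has been decoded. Constructed for
# the example; a real triage run would use bulk_extractor's or bstrings' sets.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def extract_strings(data, min_len=6):
    """Return (byte offset, encoding, text) for every printable run of at
    least min_len characters, in both ASCII and UTF-16LE."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)  # 'A\0B\0C\0...'
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf16le", m.group().decode("utf-16-le")))
    return sorted(found)


def find_pii(strings):
    """Run the PII patterns over decoded strings; offsets point at the match
    itself, scaled by the bytes-per-character of the encoding."""
    hits = []
    for off, enc, text in strings:
        width = 2 if enc == "utf16le" else 1
        for kind, rx in PII_PATTERNS.items():
            for m in rx.finditer(text):
                hits.append({"offset": off + m.start() * width, "encoding": enc,
                             "kind": kind, "value": m.group()})
    return sorted(hits, key=lambda h: h["offset"])


def scan_image(data, min_len=6):
    """Full pass: carve strings, then filter to PII-looking values."""
    return find_pii(extract_strings(data, min_len))


def build_sample_image():
    """Constructed 16 KiB 'unallocated space': zero fill, remnants of one ASCII
    document and one UTF-16LE document, plus a block of non-text junk."""
    img = bytearray(4096 * 4)
    ascii_doc = b"Invoice for jane.doe@example.com, ref 4431"
    img[100:100 + len(ascii_doc)] = ascii_doc
    utf16_doc = "Name: John Doe SSN 123-45-6789".encode("utf-16-le")
    img[5000:5000 + len(utf16_doc)] = utf16_doc
    junk = bytes(range(0x80, 0x100)) * 4             # never printable ASCII
    img[9000:9000 + len(junk)] = junk
    img[12000:12002] = b"ab"                          # too short to be a string
    return bytes(img)


if __name__ == "__main__":
    for hit in scan_image(build_sample_image()):
        print(f"{hit['offset']:#010x} {hit['encoding']:8} {hit['kind']:6} {hit['value']}")
```

Running it on the constructed image reports the e-mail address from the ASCII remnant and the SSN from the UTF-16LE remnant, each with its byte offset into the image, which is the same kind of result bstrings writes to its output file. On a real image the same loop is applied chunk by chunk rather than on one bytes object, with overlap between chunks so a string straddling a boundary is not cut, which is exactly the reason the FTK Imager steps above call for the “wrap” option.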

At the current point in the project, Autopsy is proving to be the most effective tool for data recovery. Autopsy has a very user-friendly interface. This provides ease of access and less frustration when dealing with drives that have been wiped. Also, Autopsy is very thorough in the way that it searches, parsing through nearly every single file and every bit of unallocated space. FTK Imager is a very good tool as well, yet does not have a very easy interface to work with. This is not what would be known as a “deal breaker”, but it plays into our analysis: we spend a lot of time analyzing these drives, so ease of access is a crucial part. Bulk Extractor is a utility that runs off of the command line, but has a GUI—or Graphical User Interface—to facilitate the process for those who are not comfortable with command line utilities. This tool runs the drive analysis as raw data and finds everything that is on the drive, which is very helpful for data recovery.

The last tool we have used is bstrings by Eric Zimmerman. Bstrings is a command line utility that only runs as such, making it a bit more difficult than the other tools to become comfortable with. It is ridiculously thorough, as it pulls anything and everything off of the drive that’s considered a string. However, due to CPU constraints, this tool does take the longest to fully finish, often over 24 hours.

Image of a trophy with a 1 on it

Stay up to date with Twitter, Instagram, and Facebook by following @ChampForensics so you always know what we’re up to!

The post Data Recovery Blog 2 appeared first on The Leahy Center for Digital Forensics & Cybersecurity.
