Forensic Blogs

An aggregator for digital forensics blogs

by

Bluetooth Tracking Reboot

New Team, New Goals, Same Tools

Frequent readers of this blog may remember last semester’s Bluetooth Tracking Project. It focused on developing methods to trilaterate the position of a Bluetooth device based off signal strength.

This semester, the goal has shifted. Our team will build and implement a network of stand-alone Bluetooth monitoring devices. We are basing this off of research and methodologies developed last semester. These devices will use publicly available toolsets and low cost hardware. They will collect and report information on Bluetooth devices to a central hub. This will make the findings easy to view.

Tools used last semester are being used for this project. Last semester the Bluetooth team used  blue_hydra and ubertooth in conjunction. Both provided key information regarding the functioning of the trilateration. Because we no longer need the same feedback, we decided to focus on using blue_hydra as the scanning tool. The hardware Ubertooth, and he underlying software library, will still be utilized. This will simplify the scripting process of our project immensely. Unlike last semester, we’ve decided to use the Raspberry Pi model 3 as the base of our sensor nodes. The current team is more familiar with this type of hardware. It’s also compatible with all the hardware and software required for the project. Plus, we have them handy.

 

Current Bluetooth Progress

We started out familiarizing ourselves with our new goals and the research from last semester’s Bluetooth project. We used the installation guide from last semester. This ensured that all our hardware is properly configured. Over the past few weeks, we have focused on testing and configuring the hardware and software. We are progressing nicely. When we have a functioning model, future reports will outline the code.

Another big aspect we have been tackling is creating a server infrastructure for collecting all the data. By nature, the sensor nodes distribute across a large physical area. They will need a way of reporting the data they have collected. We decided to take a more structured approach. We implemented an elasticsearch cluster that the nodes can connect to. Elasticsearch has a wealth of built in features, the biggest being an inherent compatibility with kibana dashboards and the elasticsearch python library. The Elasticsearch Python library ships data from our nodes to our Elasticsearch cluster. Kibana allows us to visualize, manipulate, and collect metrics. This makes it easy to view Bluetooth devices that have been collected from our nodes.

Wrap Up

When laying the groundwork for this project, we took into account previous work. It was important to set up the project in a way future teams would be able to build without making radical design changes. Last semester’s Bluetooth team had thorough methodologies and research. This enabled us to start making infrastructure choices immediately. Our next steps will focus on executing our code outlines and building out the server infrastructure.

Stay tuned for more updates to come and follow us on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI.

The post Bluetooth Tracking Reboot appeared first on The Leahy Center for Digital Investigation.

by

Cracking Encrypted PDFs – Conclusion

TL;DR: PDFs protected with 40-bit keys can not guarantee confidentiality, even with strong passwords. When you protect your PDFs with a password, you have to encrypt your PDFs with strong passwords and use long enough keys. The PDF specification has evolved over time, and with it, the encryption options you have. There are many encryption options today, you are no longer restricted to 40-bit keys. You can use 128-bit or 256-bit keys too.

There is a trade-off too: the more advanced encryption option you use, the more recent the PDF reader must be to support the encryption option you selected. Older PDF readers are not able to handle 256-bit AES for example.

Since each application capable of creating PDFs will have different options and descriptions for encryption, I can not tell you what options to use for your particular application. There are just too many different applications and versions. But if you are not sure if you selected an encryption option that will use long enough keys, you can always check the /Encrypt dictionary of the PDF you created, for example with my pdf-parser (in this example /Length 128 tells us a 128-bit key is used):

Or you can use QPDF to encrypt an existing PDF (I’ll publish a blog post later with encryption examples for QPDF).

But don’t use 40-bit keys, unless confidentiality is not important to you:

I first showed (almost 4 years ago) how PDFs with 40-bit keys can be decrypted in minutes, using a commercial tool with rainbow tables. This video illustrates this.

Later I showed how this can be done with free, open source tools: Hashcat and John the Ripper. But although I could recover the encryption key using Hashcat, I still had to use a commercial tool to do the actual decryption with the key recovered by Hashcat.

Today, this is no longer the case: in this series of blog posts, I show how to recover the password, how to recover the key and how to decrypt with the key, all with free, open source tools.

Overview of the complete blog post series:

Cracking Encrypted PDFs – Part 1: cracking the password of a PDF and decrypting it Cracking Encrypted PDFs – Part 2: cracking the encryption key of a PDF Cracking Encrypted PDFs – Part 3: decrypting a PDF with its encryption key : don’t use 40-bit keys (what you are reading now)

 


by

Cracking Encrypted PDFs – Part 3

I performed a brute-force attack on the password of an encrypted PDF and a brute-force attack on the key of (another) encrypted PDF, both PDFs are part of a challenge published by John August.

The encryption key is derived from the password. it’s not just based on the password only, but also on metadata. This implies that different PDFs encrypted with the same user password, will have different encryption keys.

When you recover the user password of an encrypted PDF, you can just use it with PDF readers like Adobe Reader: they will ask you for the password, you provide it and the PDF will be decrypted and rendered.

But when you recover the key of an encrypted PDF, you can not use it with PDF reader: there is no feature that will allow you to input a key in stead of a password. The only method I knew to decrypt a PDF document with its encryption key, was to use Elcomsoft’s PDF cracking tool:

Now I worked out a second method: I modified the source code of QPDF so that it will accept encryption keys too. It’s a quick and dirty hack, I did not add a new option to QPDF but I “hijacked” the –password option. If the value to the option –password starts with string “key:”, then QPDF will not derive the key from the provided password, but it will use the key provided as hexadecimal characters. Here is how I use it to decrypt the “tough” PDF:

pic 2

I also made a small modification to the –show-encryption option, to display the encryption key:

If you are interested in this modified version of QPDF, you can find the modified source code files and Windows binaries here:

qpdf-patched.zip (https)
MD5: 57E1A5A232E12B45D0A927181A1E8C3B
SHA256: 6F17E095B38AE72F229A6662216DDCE86057D2BA1C567B07FEF78B8A93413495