Forensic Blogs

An aggregator for digital forensics blogs

March 30, 2019 by LCDI

Wearable Forensics Team Blog 3

Forensic Analysis of Wearable Technology

Previously, the Leahy Center for Digital Investigations Wearables Team posted in their second blog about their progress this semester with the Samsung Galaxy Watch, the Fitbit Versa, the Garmin Fenix 5, and the Apple Watch Series 4.

A Second Datagen

The team decided it would be a good call to redo their data generation from the previous weeks to prove that the data they collected would be in the same files. The team performed a second round of data gen with the same actions as the first one. Thankfully, this round of data gen went exactly the same as the last one.

When they returned the next day, the team began the exciting process of analyzing the data. The results they got were very similar to the first round of data gen. Previous artifacts were confirmed and no new information was found within the phones. After they confirmed their findings, they decided to move on to test one new capability of the watches: mobile payments.

NFC Payment & Google Fi

The team looked into mobile payments with the Samsung Galaxy Watch using a Visa gift card. Unfortunately, the Galaxy Watch was paired with a Google Pixel 3, and Samsung Pay is incompatible with any phone other than a Samsung phone. As a result, the team was unable to test NFC payment on the Samsung watch. The team was also unable to test this capability with the Fitbit Versa, because it is only available on the special edition, which the team did not have.

Caption: The team tested notifications with the Google Fi account by sending and receiving text messages. The team responded to some of these from the watches, but it was all available in the exported application data.

To test notifications on each of the watches, the team created a Google Fi account for the Google Pixel phones. The team used other phones to message the Google Pixel 3 phones and noted the notifications on the watches. They also performed a phone application acquisition pull for each of the paired devices to find what information was located on the phone itself.

Wrapping Up…

As the team wraps up their work on the Samsung Galaxy Watch and Fitbit Versa, they look forward to working with the last two devices: the Apple Watch Series 4 and the Garmin Fenix. They plan to follow a methodology similar to the one used for the Fitbit and Galaxy watches: create data, then pull the applications from their respective devices in order to examine and analyze the watches. They’ll be posting another blog post with another status update soon, so be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI to keep up to date with our progress!

The post Wearable Forensics Team Blog 3 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation

Filed Under: Digital Forensics, Uncategorized

Tagged With: Apple, Blog Post, Champforensics, Champlain College, Fitbit, Garmin, LCDI, Samsung, Wearable devices, Wearable Technology

March 22, 2019 by LCDI

Data Recovery Blog 2

Putting Hard Drives to the Test

At the LCDI, we believe your data is important, and surely most would agree. The pictures of your family vacation are important, but what about your passwords? The hard drives that are in most computers store your data, leaving it open for anyone with the proper knowledge to find it and use it if not disposed of properly. This is not a new problem, as online computer news articles from almost 20 years ago described past experiences of people who purchased old hard drives and discovered the data of the last user.

The foundation of our goal is to ensure an understanding of deleting and storing data. Through our research, we have found free and available data recovery programs and sleuth kits to check data drives. Our investigation required a set of samples to test our techniques and programs, so we bought a myriad of used hard drives from all over the internet. These previously belonged to other people, so it’s likely that remnants of the past user are still on them. The majority of online sources claim the drives they sell are clean, or “wiped”, but we’ll put that to the test. How clean can a hard drive be and what do these standards look like?

Using Sleuth Kits to Recover Data

In our last blog post, we explored the National Institute of Standards and Technology and the Department of Defense’s deletion standards, which would be a clear indicator of security. The drives we purchased allow us to explore the effectiveness of each method compared to the others. After we’ve used the wiping standards, we must test the ease with which someone could recover the deleted data. In the lab, we have been busy looking at the Sleuth Kit tools to get that job done. The software we use is freeware and open ware, ensuring availability without special permission or a fee.

We have gone through a variety of software already, including Autopsy and Wise Data Recovery, two professionally used Sleuth Kits.

Autopsy examining deleted files

In the above image, we have pulled up a sample image file in Autopsy. In this sample, the previous user had deleted 10 images. The image file we loaded contained the deleted files: although the computer preserved the data of each file, it lost the links the file system needs to access it. The tool carved this data, which was still present but no longer labeled, out of the computer image file so that we could review it. These deleted files turned out to be various JPGs of different colors and text. The tool carved the data left within the computer and presented it to us similarly to the sample image below.

Wise Data Recovery loading files

Though this program is not as in-depth as Autopsy, Wise Data Recovery was still able to get a good amount of information. This program allowed us to scan the Local C Drive, and we were able to load the files into the program for research and investigation.

These programs are used in professional settings and are free to download. However, the question arises: if these are available to everyone, what does that mean for your data? Anyone who has a computer and a way to attach your drive could snoop through your old data, which is the exact reason we work to share this information. What’s more alarming is these two programs don’t show the full extent of the files that could collect your data. There is no way to be sure that the next person will not have the ability to collect your data, or even how much they could glean from the drive.
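The carving described above, where file data survives on disk after the file system's links to it are gone, can be sketched with a signature search. This is an added example, not code from the LCDI or from Autopsy; the sample buffer is constructed, and the function names are hypothetical.

```python
import hashlib

SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus lead byte of the next marker
EOI = b"\xff\xd9"      # JPEG end-of-image marker

def carve_jpegs(raw, max_size=20 * 1024 * 1024):
    """Carve contiguous SOI..EOI spans from raw bytes, ignoring the file system."""
    carved = []
    pos = 0
    while True:
        start = raw.find(SOI, pos)
        if start == -1:
            break
        end = raw.find(EOI, start + len(SOI), start + max_size)
        if end == -1:
            # Header with no footer in range: the tail was overwritten or fragmented.
            pos = start + 1
            continue
        end += len(EOI)
        data = raw[start:end]
        carved.append({"offset": start, "size": len(data),
                       "sha256": hashlib.sha256(data).hexdigest()})
        pos = end
    return carved

def build_sample_image():
    """Constructed stand-in for a raw image whose files were deleted, not wiped."""
    jpeg_a = SOI + b"\xe0" + b"A" * 100 + EOI   # placeholder payload, not a real picture
    jpeg_b = SOI + b"\xe1" + b"B" * 300 + EOI
    truncated = SOI + b"\xe0" + b"C" * 50       # partly overwritten: no EOI survives
    return (b"\x00" * 512 + jpeg_a + b"\x00" * 412 + jpeg_b
            + b"\x00" * 200 + truncated + b"\x00" * 64)

if __name__ == "__main__":
    for hit in carve_jpegs(build_sample_image()):
        print(hit)
```

A drive that has actually been overwritten leaves no signatures for this search to find, which is the property the wiping standards are meant to guarantee. Real JPEGs with embedded thumbnails contain inner end markers, so production carvers validate the file structure rather than stopping at the first footer.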

Exploring Physical Drives and Virtual Machines

The recovery of data is very accessible and it should be taken into account when deleting data. In the coming weeks, we look forward to working with the physical drives and exploring the techniques and depth of data that can be extrapolated from something as small as a picture.

To stay updated with our progress, check out our Twitter, Instagram, and Facebook.

The post Data Recovery Blog 2 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation

Filed Under: Digital Forensics, Uncategorized

Tagged With: Autopsy, Blog Post, Champlain College, Data Destruction, Data Recovery, data security, degaussing, hard drive, LCDI, Student, Wise Data Recovery

March 20, 2019 by LCDI

Wearable Forensics Update

Forensic Analysis of Wearable Technology

If you haven’t already read the Wearables Team’s first blog, read it here. The team is researching the capabilities and evidence left from wearable technology, in particular four devices: the Samsung Galaxy Watch, the Fitbit Versa, the Garmin Fenix 5, and the Apple Watch Series 4.

Datagen

When the team finished their research, they moved on to data generation. The wearables team began by testing what they could at the lab here at the LCDI. They tested a wide range of capabilities, such as attempting to download applications to the watches, performing a stress test, taking a screenshot, and completing breathing tests. After their in-house data generation, one team member took the Samsung Galaxy Watch and the Fitbit Versa home for a full day of datagen. The test subject recorded walking around Burlington, doing a swim workout, doing yoga, and sleeping. This gave the team plenty of data to use for their project.

…and Databases.

After the data generation, the team got to work on acquiring and imaging the phones. They specifically targeted the data associated with the health and watch applications for each device. The data the team found was mostly stored in SQL databases, a common format for mobile devices to keep data in. Within these databases, the team discovered many interesting artifacts that could be applied in forensic investigations. For instance, one of the artifacts the Wearables team found was device data for the Galaxy Watch. The database shows some key device information such as the name, model, and what appears to be a unique MAC (Media Access Control) address for the Bluetooth adapter. Investigators could use this to prove the connection between a user’s phone and their Galaxy Watch.

The rest of the team’s artifact findings will be featured in our report at the end of our project.
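One way to triage an application database for the kind of device artifact described above, as an added example that is not the team's own tooling: it scans every table and column for MAC-address-shaped strings without knowing the schema in advance. The table names, column names and values in the sample database are constructed, and the scan assumes ordinary rowid tables.

```python
import re
import sqlite3

MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")

def find_mac_addresses(conn):
    """Return (table, column, rowid, mac) for every MAC-like string in the database."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # PRAGMA table_info returns one row per column; index 1 is the column name.
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for column in columns:
            query = f'SELECT rowid, "{column}" FROM "{table}"'
            for rowid, value in conn.execute(query):
                if isinstance(value, str):
                    for mac in MAC_RE.findall(value):
                        hits.append((table, column, rowid, mac.upper()))
    return hits

def build_sample_db():
    """Constructed database; the schema and values are hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE device (name TEXT, model TEXT, bt_addr TEXT)")
    conn.execute("CREATE TABLE notification (body TEXT)")
    conn.execute("INSERT INTO device VALUES (?, ?, ?)",
                 ("Galaxy Watch (constructed)", "MODEL-PLACEHOLDER",
                  "02:00:00:AA:BB:CC"))
    conn.execute("INSERT INTO notification VALUES ('Heart rate 72 bpm')")
    conn.execute("INSERT INTO notification VALUES ('Paired with 02:00:00:aa:bb:cc')")
    conn.commit()
    return conn

if __name__ == "__main__":
    for hit in find_mac_addresses(build_sample_db()):
        print(hit)
```

On a real acquisition, run this against a working copy of the database opened read-only, for example with `sqlite3.connect("file:copy.db?mode=ro", uri=True)`, so the evidence file is never modified.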

Where to Next?

The Wearables Team is proud to share a small piece of their research! In the coming weeks, the team plans to perform another round of data generation on the Galaxy Watch and Fitbit Versa. This time, they plan on utilizing the NFC (Near-field communication) payment and messaging capabilities of these devices. Though the Galaxy Watch and Fitbit Versa portion of their research is concluding, the team is excited to continue their research with the Garmin Fenix 5 and Apple Watch Series 4. Be sure to check back in for more blog posts on their progress!

The post Wearable Forensics Update appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation

Filed Under: Digital Forensics, Uncategorized

Tagged With: Apple, Blog Post, Champforensics, Champlain College, Fitbit, Garmin, LCDI, Samsung, Wearable devices, Wearable Technology


About

This site aggregates posts from various digital forensics blogs. Feel free to take a look around, and make sure to visit the original sites.


All content is copyright the respective author(s)