Forensic Blogs

An aggregator for digital forensics blogs

April 30, 2020 by LCDI

Free Password Managers – Live Testing

One of the most useful tools a person can use in their online life is a password manager. A password manager is a tool used to store records of a person’s usernames and passwords for their accounts. This can be used for any account, from email to social media. Luckily, there are many free password managers available to use. Our project at the Leahy Center is to investigate free password managers. We are ranking five password managers on their security, user-friendliness, and customizability. However, because of the time it takes to complete live testing, so far we have only tested two password managers: KeePass and RoboForm.

Current Tests

KeePass

Step 1: Examine the layout

At first glance, KeePass seems outdated. The interface isn’t as simple as other password managers, and there is an abundance of tabs. The options under each tab seem to go on forever. That doesn’t even include the options under the application settings! But KeePass has a secret: customization. There are dozens of plugins available for download. Plugins are downloadable software add-ons that provide extra settings for the base application. All in all, KeePass is one of the best password managers for layout, but if you are not very tech minded, our team would advise you to steer clear.

Step 2: Test the creation of accounts

Creating a password can seem intimidating, but is actually a simple process. The key is to let KeePass do most of the work. To start, right click on the open window and select “Add Entry” from the menu. This takes you to a window that allows you to add a title for the entry, a username, a URL and finally your password. Conveniently, KeePass will generate a password for you. This means you never have to worry about sufficient complexity or remembering an impossibly long password.

Once you have created the password it will appear on a table in the main KeePass window. You can also categorize your passwords through tags. On top of being able to create a password, you can also configure KeePass to automatically type in your passwords. This feature, unfortunately, requires a bit of fiddling to get working. If you are not a very techy person it will not be as easy to use.

Step 3: Use within browsers

Using KeePass in a browser can be inconvenient at times, but it is one of the most universal password managers. This is because it employs simulated key presses; you need to activate the auto type from within KeePass, but because of this it works in any browser as long as there is a text field. If you cannot get the auto type to work you can simply copy and paste the password from KeePass. However, like auto type, this requires you to keep switching between KeePass and your browser. There is a keyboard shortcut that can be applied (Ctrl-V), yet still it can be an inconvenience to keep switching. Overall, using KeePass can get tedious but its universality is unparalleled.

Preliminary Conclusion

In conclusion, KeePass is an excellent free password manager. It is open source and more secure than other free password managers. It takes advantage of simulated keypresses instead of cloud storage. There are some downsides to it though. You can’t sync your password vault across devices and it does take a bit of work to learn how to use KeePass to its full potential. While we would not recommend KeePass for widespread commercial use, if you are computer savvy and you don’t want to put your trust in cloud storage, then this would be the perfect manager for your personal use.

Verdict: Alan Turing Approves!

RoboForm

Step 1: Examine the layout

RoboForm is similar to its predecessors in the organization style. Tabs along the left side display the account types and important settings, with the more advanced options in a drop-down bar at the top. This makes it easy for quick access, as more of the advanced options are underneath the drop-down bar.

However, that doesn’t make RoboForm a perfect fit; the only way to create accounts is from the browser extensions themselves. Even then, the records are only created after you sign into the account, at which point RoboForm will prompt you to save the account. The only ways to reach the Help section are available through the desktop application and by searching RoboForm’s website. There isn’t a Help section within the browser extension. This doesn’t mean that RoboForm is a bad password manager. All it means is that it is probably better to install both the browser extension and the desktop application for you to get the full experience.

Step 2: Test the creation of accounts

As mentioned previously, RoboForm will only allow you to create a record through the browser extension after you sign into an account. This can be a bit of a pain, as that means you can only create records this way. However, you can import records through the desktop application straight from a browser or other password manager, or even a CSV file. There isn’t the full range of import options available in other password managers, but it is a fair amount.

You can also launch the website from the manager, where it will autofill your data and log you in. It isn’t a revolutionary idea, but it does work. There’s also a variety of records that can be created. One special feature is that RoboForm can save records for other desktop applications. This isn’t seen as much for free password managers. The Security Center is also quite useful, telling you your password’s strength, age, and if it has been reused or is a duplicate. The feature is usually only available in paid password managers, so this is a great incentive for RoboForm!

Step 3: Use within browsers

RoboForm provides extensions for the four core web browsers: Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera. There are also extensions for Internet Explorer and Safari. As for the actual use of the extension, everything works. Auto-fill works, updating passwords after a change is automatic, and there is syncing across browsers, with a customizable password generator available when you create an account. Of course, you can only create records after signing in, but you can edit your records from the extension as well as print the list of records. You can even access the Security Center from the extension! All in all, the browser extension seems more developed than the desktop application. So, if you have to pick between the desktop application and the browser extension, I recommend the extension.

Preliminary Conclusion

RoboForm is a comprehensive password manager with both free and paid versions available. However, after examining the free version, I see no need currently to upgrade from the free, as there are a great many features available already. The only benefits I can see to upgrading would be cloud storage and syncing across devices. In conclusion, RoboForm is great for people who need a simplistic password manager and who aren’t worried as much about customizing their record-keeping and manager.

Verdict: Get it for Mom!

The post Free Password Managers – Live Testing appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

Read the original at: The Leahy Center for Digital Forensics & Cybersecurity

Filed Under: Digital Forensics, Uncategorized

Tagged With: desktop apps, device management, management, Mobile, Mobile Apps, password, Student Work, Tips, windows

December 13, 2018 by LCDI

Mobile App Forensics Final Update

Introduction

During this semester, the Mobile Forensics team analyzed social media apps such as Snapchat, Telegram, and LinkedIn. 

Snapchat

As for a conclusion on our Snapchat analysis, we couldn’t find much outside of prior research within the community. A big concern we had was how much data would remain on a device twenty-four hours after it was generated. An immediate pull from the device yielded evidence of what stories the user viewed and also a log of messages exchanged with other users (but not the content of the message). This log showed who sent and received the message and the timestamp of the event. The text of messages was only viewable if either user had saved the message. Some pictures were also recovered that had the contents of stories that were viewed. This could provide some information on the interests of a user, but nothing incriminating. An interesting artifact found on the device that could not be decoded was location data found in /data/data/com.snapchat.android/cache. We could not parse these files and believe they may be related to ArcGIS.

We acquired Snapchat after a few days to see what information would still be available. Logs of conversations were not deleted and remained on the device. However, there were still no contents of the conversation, again with the exception of any messages that either user saved. It appears Snapchat does not store data from the user directly on the phone; it may simply be processed and erased while in memory. There was little evidence of user activity.

Telegram

When testing Telegram we did two pulls of the tablets. We first did a pull with all three of the members and then a pull with just two members on the different operating systems. When we did the first pull, the data between the group was very easy to analyze, but the solo data was very confusing, so we did the second pull. When we tested Telegram, we were interested in the secret chats the most to see if we could find any information about them. Telegram advertises that the messages are encrypted and we were interested to see if we could verify this. The only chats that were encrypted were messages in a secret chat. This is definitely a note for a forensic investigator. When we did the pull, we could see each message in the chat log as well as any pictures and images. The one thing we could not find was any videos or voice messages that did not get saved.

LinkedIn

While analyzing LinkedIn, we once again didn’t find all the data we were looking for. We had hoped to be able to find the user’s whole work profile but that was not the case. We were able to pull and reconstruct all their chat messages, a summary of their profile, and users they connected with, but we couldn’t find any search history, viewed articles, or viewed jobs. Even when looking in the chat, we didn’t find images or voice messages in the same location as the other chats. We had some temporary files for images, but we weren’t able to confirm what the images were. They could have been images from the chat logs or they could have been images from an article or profile.

Versions

Readers of previous blog posts may note that we were comparing differences in Android operating system versions. There has been little to no evidence found that the version of the OS has an impact on our examined applications. The only major change we found was occasionally an app on Android 6 would generate a few extra folders, but they were always empty. However, it is important to note the biggest changes would be found with differing application versions.

Different operating systems don’t affect the data we pulled because OS updates focus more on new features and security fixes rather than how app data is stored on the device. If we looked into different versions of the application then there would be differences in the pulls. The updates of the apps will have bug fixes as well as security fixes that make the app more secure. If we could test an older version of one of the apps against the most current update then we would find different data.

This is clear in the below screenshots:

Snapchat on Android 6

Snapchat on Android 7

As you can see the files may be slightly different. Any files that were not common between the two extractions were empty.
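The comparison described above can be scripted so that the "unique files were empty" observation is checked rather than eyeballed. The following Python sketch is an added example, not code from the LCDI project; the function names and the sample directory contents are constructed for illustration, and it assumes each pull has already been copied to a local directory.

```python
import hashlib
import os
import tempfile

def inventory(root):
    """Map relative path -> (size, sha256) for files; directories end in '/'."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        prefix = "" if rel_dir == "." else rel_dir + "/"
        for d in dirnames:
            entries[prefix + d + "/"] = (0, None)  # content is counted per file
        for f in filenames:
            with open(os.path.join(dirpath, f), "rb") as fh:
                data = fh.read()
            entries[prefix + f] = (len(data), hashlib.sha256(data).hexdigest())
    return entries

def compare_extractions(root_a, root_b):
    """Report paths unique to either pull, and which of them hold any data."""
    a, b = inventory(root_a), inventory(root_b)
    only_a, only_b = sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())
    return {
        "only_a": only_a,
        "only_b": only_b,
        "unique_with_data": [p for p in only_a if a[p][0] > 0]
                            + [p for p in only_b if b[p][0] > 0],
        "changed": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
    }

def build_sample(root, files):
    """Constructed sample tree; a path ending in '/' is an empty directory."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        if rel.endswith("/"):
            os.makedirs(path, exist_ok=True)
        else:
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

def demo():
    with tempfile.TemporaryDirectory() as a6, tempfile.TemporaryDirectory() as a7:
        build_sample(a6, {"databases/main.db": b"rows-v1", "cache/extra/": b"",
                          "files/stub.tmp": b""})
        build_sample(a7, {"databases/main.db": b"rows-v2", "cache/": b""})
        return compare_extractions(a6, a7)

if __name__ == "__main__":
    print(demo())
```

An empty `unique_with_data` list supports the statement that the non-common files carried no content; any path listed there is a difference worth examining by hand.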

Conclusion

Our work this semester has been a good test of our examined applications to ensure that they work as advertised. One may believe that mainstream applications are secure because of their size and number of users. Previous reports, which can be found here and here, have shown that Snapchat has been less secure in the past, and we have seen clear improvements in the amount of data that is stored on the device. With Telegram, the application works as it should and doesn’t store data on the phone to be viewed later on. However, this was only the case when using “secure messaging” and is not on by default. With LinkedIn there was little data we were able to recover from the phone. That by no means implies that LinkedIn is not storing your personal data. This simply means that that data is not stored on the device.

There has been a lot of hands-on work with tools such as ADB and Cellebrite to find efficient ways to examine these phones, and one should always question the applications they use every day with their private information. We are glad to have formed a plan of analysis for these apps, and look forward to seeing what research will be performed on the apps we use every day. As always, stay up to date with the LCDI on our social media. Follow us on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI.

The post Mobile App Forensics Final Update appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation

Filed Under: Digital Forensics, Uncategorized

Tagged With: Analysis, Android Forensics, Application Analysis, Blog Post, Champlain College, Digital forensics, Digital Investigation, linkedin, Mobile, Mobile Apps, Projects, snapchat, Student Work, Students, Update

November 26, 2018 by LCDI

Mobile Forensics Update 2

Introduction

If you read our last blog post, you know that the Mobile Forensic team ran into some issues early on. We are happy to share that we have since overcome those issues, and we’ve hit the ground running with our project. We are no longer using the LG G6 devices mentioned last month due to issues rooting these devices. Instead we are using Nexus 7 tablets running Android 6 and 7.

Two apps we pulled and analyzed data from are Snapchat and Telegram. Before we set up accounts, we had to create different personas for each team member. The personas we came up with were Johan Smith, Tony Pepperoni, and Mallow Operator.

Snapchat

Before we started collecting our data, we had to figure out what actions we would go through so we all had data we could compare. Some of the actions to generate data for Snapchat included adding each other as friends, creating a group chat, and posting to a story. When generating data for analysis, we kept track of who sent chats to whom, what time we did each action, and if anything went wrong. After pulling the data with adb, we compared the timestamps and actions from the pull with our datagen log. We were successfully able to see what Snapchat saves and what we can find on the phone.

Telegram

When we were setting up Telegram, we had to set up Google Voice numbers in order to create our profiles. With Telegram we also had to figure out what actions we wanted to take so that each person could get similar pull results—hence the creation of another datagen. With Telegram our actions included adding contacts, joining different groups, and sending videos and stickers. We kept track of timestamps again and then compared the data and the pull. We decided to use both Cellebrite and adb to see if there was any benefit of one tool over the other. At the moment, we’re still analyzing Telegram to see if there is anything noteworthy so stay tuned!
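The datagen-versus-pull comparison described for both Snapchat and Telegram can be expressed as a small correlation routine. This Python sketch is an added example, not the team's tooling: the log layout, the extracted-row layout (epoch milliseconds in UTC), the sample values and the 120-second tolerance are all assumptions made for illustration, with persona names shortened from the ones above.

```python
from datetime import datetime, timezone

# Constructed datagen log: local time with UTC offset, sender, recipient, type.
DATAGEN = [
    ("2018-11-05T10:02:00-05:00", "johan", "tony", "chat"),
    ("2018-11-05T10:05:30-05:00", "tony", "mallow", "chat"),
    ("2018-11-05T10:09:00-05:00", "mallow", "johan", "snap"),
]
# Constructed rows as they might be read from a pulled app database.
EXTRACTED = [
    (1541430125000, "johan", "tony", "chat"),
    (1541430331000, "tony", "mallow", "chat"),
    (1541431000000, "tony", "johan", "chat"),
]

def to_epoch(iso):
    """ISO 8601 timestamp with offset -> epoch seconds, so zones cannot drift."""
    return datetime.fromisoformat(iso).timestamp()

def correlate(datagen, extracted, tolerance_s=120):
    """Pair each logged action with the closest unused artifact that has the
    same sender, recipient and type within tolerance_s seconds."""
    unused = list(extracted)
    matched, missing = [], []
    for iso, sender, recipient, kind in datagen:
        t = to_epoch(iso)
        candidates = [e for e in unused
                      if e[1:] == (sender, recipient, kind)
                      and abs(e[0] / 1000 - t) <= tolerance_s]
        if not candidates:
            missing.append((iso, sender, recipient, kind))  # action left no artifact
            continue
        best = min(candidates, key=lambda e: abs(e[0] / 1000 - t))
        unused.remove(best)  # one artifact explains at most one action
        matched.append((iso, sender, recipient, kind, round(best[0] / 1000 - t)))
    unexplained = [(datetime.fromtimestamp(e[0] / 1000, tz=timezone.utc).isoformat(),)
                   + e[1:] for e in unused]
    return {"matched": matched, "missing": missing, "unexplained": unexplained}

if __name__ == "__main__":
    for section, rows in correlate(DATAGEN, EXTRACTED).items():
        print(section, rows)
```

The last field of each matched row is the offset in seconds between the logged action and the artifact, which exposes clock skew between the examiner's notes and the device.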

Conclusion

With these pulls we were able to see what data Snapchat and Telegram save on your phone. We were looking to see if any unusual data was saved by the applications. So far nothing has stood out with either Snapchat or Telegram. The next app we will be doing a datagen and pulling is LinkedIn.

Stay tuned for more updates to come and follow us on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI.

The post Mobile Forensics Update 2 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation

Filed Under: Digital Forensics, Uncategorized

Tagged With: Analysis, application, Blog Post, Champlain College, computer forensics, Digital forensics, forensics, Mobile, Mobile Apps, mobile forensics, snapchat, Student Work, telegram, Update
