Forensic Blogs

An aggregator for digital forensics blogs

by

Intrusion Into the Internet of Things

Shelves lined with devices in the Internet of Things, all potential subjects of intrusion.

Welcome to the Internet of Things Intrusion team’s first blog. The Internet of Things—or IoT for short—is a fancy term for the interconnected devices that make up our world. Many consumers know these devices as “smart” devices. For example, your smartphone can connect to your smart fridge to let you know when you’re, say, out of Hood Simply Smart Milk.

The Internet of Things connects all elements of the user’s life. This connectivity comes at a cost, however; more often than not, security is an afterthought to functionality in these devices. In our modern age of frequent, high level hacking, these devices make easy targets for even a small time hacker. This project will be focusing on these flaws, looking at common IoT devices from the perspective of anyone with a couple of hours, an internet connection, and malicious intent.

The Intrusion Begins

Like every project here at the LCDI, we spent the majority of our first month researching. We began by looking into a bunch of different IoT devices, like the Google Home, Amazon Echo, Nest Protect, and Ring Video Doorbell. With many IoT devices available to us at the Leahy Center, we limited our preliminary research to a few devices, split into two categories: popular devices and devices with known flaws. Picking devices that are easy to break into serves as a good way to understand the process, while using the most popular devices will allow us to understand the weaknesses that put the most people at risk. After we put together our list, we decided to begin work with our first device: the TPLink Kasa Cam.

Our First Intrusion

Photo of live footage taken from TPLink Camera once set up

Partly due to our inexperience in IoT intrusion, the feat of breaking into the TPLink camera proved quite formidable. We found our first obstacle when connecting the camera to a network for setup. It took us a week to get a proper test network that we could connect it to. That week, however, was not wasted; we used the time to research our target in greater depth, including different ways to break into it.

After getting our test network up and running, we were able to set up the TPLink without issue; very user friendly! After set up was complete, we were ready to attempt to break in to the camera. This is where we hit a snag. To get access to the camera, you first need to connect to the camera’s IP address. We tried many different methods to get the IP address of the TPLink camera, including a Wireshark capture, googling for default IP’s, and searching through device settings, but no luck. On top of this, TPLink’s website is very unclear about how to find this information. That said, the month isn’t over, so we will use the rest of the time we have to keep trying. 

Conclusion

We have gained a lot of knowledge on IoT vulnerability in our first month here. Our plan for next month is to continue onto new devices. The information we learned from our first trial has helped us create a simple, efficient approach to each device. For each device, we will begin with research into both the device itself and ways to break in. From there, we will create an account to use with the device, set it up, and generate data. This data will vary based on the device—the data generated on an IP camera will be different than the data generated on a smart smoke alarm. Finally, we will attempt to put our intrusion methods into action and see if they work. Make sure to read our team’s next blog to stay up to date on the project!

BE SURE TO CHECK US OUT ON TWITTER @CHAMPFORENSICS, INSTAGRAM @CHAMPFORENSICS, AND FACEBOOK @CHAMPLAINFORENSICS TO SEE OTHER IMPORTANT INFORMATION PERTAINING TO OUR PROJECT!

The post Intrusion Into the Internet of Things appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

by

Mobile App Intern Final Blog Post

Project Wrap Up

The Mobile App Intern team chose 3 travel apps to analyze. Kayak, Expedia, and Google Trips. All three apps stored their data within the internal storage of each device it was downloaded onto. However, Expedia proved to show very little artifacts that could be useful for forensic analysts. Most of the data kept by Expedia is not data meant for the user or analysts’; it is meant for the app itself (data logs etc). Google Trips saved the most user data out of all three of the apps. It kept user info (username and password hash), trip details (title, locations, etc), and location data. Kayak mainly stored location data, the names of hotels, and rental company information. For example, if one were to use Kayak in order to rent a Mercedes-Benz for $60 USD a day, they can set what dates to rent said car and Kayak will keep all of that information about the car and company stored. The same was true for plane and bus tickets. Company, price, dates of departure/arrival, and user timestamps are all stored.

Final Thoughts

The Mobile App Intern Team is grateful to the LCDI to have been given the chance to utilize their devices in order to perform projects and research. The team was able to acquire new skills (like rooting Android devices) and read many useful journal articles relating to mobile forensics. 

The post Mobile App Intern Final Blog Post appeared first on The Leahy Center for Digital Investigation.

by

Mobile App Forensics Final Update

Introduction

During this semester, the Mobile Forensics team analyzed social media apps such as Snapchat, Telegram, and LinkedIn. 

Snapchat

As for a conclusion on our Snapchat analysis, we couldn’t find much outside of prior research within the community. A big concern we had was how much data would remain on a device  twenty-four hours after it was generated. An immediate pull from the device yielded evidence of what stories the user viewed and also a log of messages exchanged with other users (but not the content of the message). This log showed who sent and received the message and the timestamp of the event. The text of messages was only viewable if either user had saved the message. Some pictures were also recovered that had the contents of stories that were viewed. This could provide some information on the interests of a user, but nothing incriminating. An interesting artifact found on the device that could not be decoded was location data found in  /data/data/com.snapchat.android/cache. We could not parse these files and believe they may related to ArcGIS.

We aquired Snapchat after a few days to see what information would still be available. Logs of conversations were not deleted and remained on the device. However, there were still no contents of the conversation again with the exception of any messages that either user saved. It appears Snapchat does not store data from the user directly on the phone, it may simply be processed and erased while in memory. There was little evidence of user activity.

Telegram

When testing Telegram we did two pulls of the tablets. We first did a pull with all three of the members and then a pull with just two members on the different operating systems. When we did the first pull, the data between the group was very easy to analyze, but the solo data was very confusing, so we did the second pull. When we tested Telegram, we were interested in the secret chats the most to see if we could find any information about them. Telegram advertises that the messages are encrypted and we were interested to see if we could verify this. The only chats that were encrypted were messages in a secret chat. This is definitely a note for a forensic investigator. When we did the pull, we could see each message in the chat log as well as any pictures and images. The one thing we could not find was any videos or voice messages that did not get saved.

LinkedIn

While analyzing LinkedIn, we once again didn’t find all the data we were looking for. We had hoped to be able to find the user’s whole work profile but that was not the case. We were able to pull and reconstruct all their chat messages, a summary of their profile, and users they connected with, but we couldn’t find any search history, viewed articles, or viewed jobs. Even when looking in the chat, we didn’t find images or voice messages in the same location as the other chats. We had some temporary files for images, but we weren’t able to confirm what the images were. They could have been images from the chat logs or they could have been images from an articles or profile.

Versions

Readers of previous blog posts may note that we were comparing differences in Android operating system versions. There has been little to no evidence found that the version of the OS has an impact on our examined applications. The only major change we found was occasionally an app on Android 6 would generate a few extra folders, but they were always empty. However, it is important to note the biggest changes would be found with differing application versions.

 

Different operating systems don’t affect the data we pulled because OS updates focus more on new features and security fixes rather than how app data is stored on the device. If we looked into different versions of the application then there would be differences in the pulls. The updates of the apps will have bug fixes as well as security fixes that make the app more secure. If we could test an older version of one of the apps to the most current update then we would find different data.

 

This is clear in the below screenshots:

Snapchat on Android 6

Snapchat on Android 7

As you can see the files may be slightly different. Any files that were not common between the two extractions were empty.

Conclusion

Our work this semester has been a good test of our examined applications to ensure that they work as advertised. One may believe that mainstream applications are secure because of their size and amount of users. Previous reports, which can be found here and here, have shown that Snapchat has been less secure in the past, and we have seen clear improvements in the amount of data that is stored on the device. With Telegram, the application works as it should and doesn’t store data on the phone to be viewed later on. However, this was only the case when using “secure messaging” and is not on by default. With LinkedIn there was little data we were able to recover from the phone. That by no means infers that LinkedIn is not storing your personal data. This simply means that that data is not stored on the device.

 

There has been a lot of hands on with tools such as ADB and Cellebrite to find efficient ways to examine these phones, and one should always question the applications they use every day with their private information. We are glad to have formed a plan of analysis for these apps, and look forward to seeing what research will be performed on the apps we use every day. As always, stay up to date with the LCDI on our social media.  Follow us on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI.

The post Mobile App Forensics Final Update appeared first on The Leahy Center for Digital Investigation.