Projects Archives | Forensic Blogs

February 28, 2018 by LCDI

Application Analysis Introduction

Introduction

This semester, the Application Analysis team chose four Windows applications to perform a forensic analysis on – Spotify, Bitcoin Miner, Speedtest, and Dashlane. In the coming weeks, we will examine the artifacts generated by these applications.

Analysis: Web App Security

We will inspect the applications’ security features. Without proper security features, hackers can access data stored by the application. Noting how the applications handle data will illuminate security features.

The Applications

Spotify is a web-based music streaming application. It has a user base of well over 140 million paid and unpaid users, making it the largest music service available. With a music library of over 30 million songs, it’s clear to see why users love it so much. Spotify features connectivity with friends and celebrities. The team wonders if this could lead to a privacy issue. We will analyze this by recording the data the application stores about music preferences and other personal information.

Bitcoin Miner is the most popular bitcoin mining application in the Microsoft Store. Cryptocurrency has recently emerged as a lucrative investment opportunity. Applications offering users a friendly interface for exchanging and mining cryptocurrencies have followed. We are inquiring about the artifacts left over by mining cryptocurrency.

SpeedTest is an internet speed testing application that offers “easy, one-click connection testing in under 30 seconds.” It also claims to be “the most accurate and convenient way to test your speed.” Millions of users access this service. Analyzing an application such as this one should be simple. We will be looking into the data that the application stores about you and your device. This data includes age, gender, work experience, education, and browser history.

Dashlane acts as an online password bank. The application stores entered user and online account information. Never again do you need to remember all your passwords. You only need one master password to open Dashlane. The application will log-in to websites through its database and fill out forms with the information you provide. We will examine the artifacts generated by storing information, navigating to websites, and using the autofill feature. For this application, it will be important for us to be on the lookout for potential security risks.

Conclusion

Currently, we are generating and analyzing the artifacts as well as observing security features. We will report on our findings in the blog posts to come.

Post any feedback, questions, or general comments in the comment section below! Interested in our research? Follow the Leahy Center for Digital Investigation (LCDI) on Twitter @ChampForensics, Instagram @ChampForensics and Facebook @ChamplainLCDI.

The post Application Analysis Introduction appeared first on The Leahy Center for Digital Investigation.

February 26, 2018 by LCDI

Exploration Forensics Blog 1

Introduction

This semester, the exploration forensics team is conducting research on hardware and software that tests for paranormal activity. We will test the devices and corresponding applications to discover if they gather readings and interact with a user’s data. The team will gather evidence on how the devices and applications operate. We will test how outputs are affected by environmental factors.

Background and Devices

The Paranormal Puck 2 and Ovilus V are products of Digital Dowsing, LLC. The company advertises the devices as an effective way to communicate with ghosts. The devices convert environmental factors such as temperature, humidity, barometric readings, electromagnetic fields, and movement into words.

Figure 1

When connected to an iPad, the Paranormal Puck 2 lists singular words from readings of environmental factors. Digital Dowsing’s website outlines the instrumental trans-communication (ITC) capabilities of the device. Environmental readings are converted into words, but not full sentences. The user can either ask questions aloud or type them into the app. The questions will then be “answered” based on environmental readings.

The Ovilus V is a standalone device that has capabilities like the Puck, except there isn’t a corresponding mobile application. The Ovilus monitors environmental factors and has several different modes to convert these readings into different forms: visual platforms, words, true or false answers, or sounds. The exploration forensics team plans to test the effectiveness of each of the modes.

First Few Weeks of Research

So far, the team has explored various forums to find research notes by people who have used the devices. While it was difficult to find credible sources, the team did find information about:

The Ovilus V uses electronic voice phenomena (EVP) to make approximations for words based on available phonetic sounds. The permissions of the mobile apps. The mechanics of the devices, like electromagnetic frequency (EMF) and the movement sensors.

The LCDI received the devices the week of February 5th. The team tested the devices on an exploratory basis to get an idea of how the devices actually work. During initial testing, the device rattled when moved by the team. A screw fell out through the grates and the device wouldn’t power on. The LCDI has sent the device back and Digital Dowsing should be sending a replacement soon. Research will continue with the Ovilus as the team waits for the replacement Paranormal Puck.

The team observed a correlation between the movement of the device and the readings the device produced. The device prompted names of people that no one on the team knew, and said words like “hide” and “disaster”. Digital Dowsings website advises users to disregard words that don’t make sense to the situation. The device may not be able to translate the environmental readings into meaningful words (Figure 2).

Figure 2

The team also tried to find more information about the hardware of the devices, but not much information is available. Analysis of the devices will continue to confirm the capabilities of the energy, temperature, barometric, and motion sensors by cross-referencing the results with readings from other devices.

Security of Mobile Apps

The team hopes to investigate the security permissions of the applications. If the devices have access to GPS location, the camera, and files on the mobile device, it could illustrate potential insights into how the devices are gathering evidence. One team member commented that using the devices in a graveyard would likely produce words like “marker” and “grave” if the app uses GPS. The team will investigate if the device receives information through GPS location or through the monitored environmental factors.

Proposed Method of Gathering Research

When testing the devices, the team will experiment with the devices in a constant environment. Monitoring the different modes on the devices will help pose a set of control questions that will be either spoken or written. Then, we will record the responses of the devices.

Conclusion

In the weeks to come, the team will test the capabilities of the Paranormal Puck 2 and Ovilus V devices. The team will also use the methods outlined above to gather evidence about the devices to be analyzed.

Sources

Hallowed_Grave. (2014, July 6). My weird experiences with the IOvilus [Online forum comment]. Message posted to https://www.reddit.com/r/Paranormal/comments/29xnzs/my_weird_experiences_with_the_iovilus/.

Digital Dowsing. (2015). Digital Dowsing, LLC. Retrieved from https://www.digitaldowsing.com/.

The post Exploration Forensics Blog 1 appeared first on The Leahy Center for Digital Investigation.

November 7, 2017 by LCDI

Bluetooth Device Tracking Update 2

Intro

In this second blog post we will be delving into the math and code that will calculate our Bluetooth device’s position. We will cover more in detail exactly how our calculations work and the background behind them. We will also address the choices on the values used to perform the calculations. The code has evolved since the last post, and we will cover what has changed in the code and the tools we are using. We will conclude with a debrief of the presentation we gave on the project at the Vermont Tech Jam event.

Math Write-Up

When calculating the location of a device, we need the RSSI, interference(N), and txPower(A) (strength of the signal at 1 meter). The issue is that RSSI is a poor indicator of distance. Also, txPower is unavailable to us as because device signal strengths vary. So, despite its inaccuracy, RSSI is the best indicator of distance we have access to. For testing purposes, N was set to a baseline of 20 dBm. A was set to -62dBm to account for the average interference of other devices in the area. In a future iteration, we will calculate N using the secondary nodes. To plot the position of a bluetooth device in an area we must use the RSSI to calculate distance. Then we trilaterate the coordinates of the bluetooth device using three points of reference.

Formulas

The best RSSI reading for calculating distance is the mode of many readings from the device. If a mode cannot be calculated the average RSSI is used instead. Using the formula RSSI (dBm) = -10n log10(d) + A in the form of d=10((A- RSSI(dBm)) / N) provides us with an estimation of range. Distance categories “near”, “middle”, or “far” are also defined using ranges of “near” <10 meters, 10 meters=< “mid” <=20 meters, and “far” >20 meters. This allows us to provide a position for the device. It also leaves room for error. To trilaterate the position, we place the estimated distances in a triangulation formula. The group based this formula off the report “Indoor Positioning System” with the points X and Y being the coordinates of the unknown device:

bluetooth

(Image from https://www.ece.lsu.edu/scalzo/FDR_Final.pdf)

The coordinates derived are the approximate (x,y) coordinate pair of the sniffed bluetooth device. Devices only seen by one or two nodes display with the “near”, “middle”, or “far” system using the nodes that see it.

(for more info on RSSI look at this blog post: https://blog.bluetooth.com/proximity-and-rssi)

Python Code

As discussed in our last blog post we are making some python scripts to do data aggregation and analysis for us. We are working on two scripts that will run on our microcomputers. As a side-update on the computers, we are using Odroids with the Ubuntu 16.04 minimal OS. One of the three Odroids is the master node, and will be the one doing the calculations. The other two Odroids will be running a stripped down versions of the code. These secondary nodes collect data and send it to the master node upon request.

The current plan is to run the code in a continual loop and redo calculations based on a user supplied time frame. See the diagram below for a pseudo-code example of the machines interacting. The idea behind aggregating all the data before performing calculations is to cut down on confusion between nodes. This way the nodes are not reporting the same device as separate devices.

bluetooth

We are also looking into ways to display the results in graphical manner. For the time being we are having the script output the calculated distance and a value of “near” “middle” or “far”. If we can replace this with a graphical representation it will be far easier to track a device.

Bluetooth Receiver Hardware Update

During our testing phases, we determined that Blue Hydra is not the most effective tool for our purposes. Instead, we have chosen to use the Ubertooth tools to parse and show the data we need. The Ubertooth tools provide more information that updates more. This allows for us to have a more accurate look into bluetooth devices in our area. The output of the Ubertooth tools is much messier. But the extra information it contains will benefit our project. We’ll have to go back and adapt our Python code. But it will benefit our project.

Tech Jam

September 20th and 21st, we brought our project to VT Tech Jam! Tech Jam is an annual technology expo featuring exhibits and talks from all sorts of technology companies around Vermont. The LCDI hosted our own booth on both days; featuring our project and some of our newest tech. On one of our displays, we showcased the 2.4ghz spectrum using spectools by Kismet. This way, onlookers could actually see how Bluetooth frequencies communicated around them. When interested, we showed people our prototype script that could calculate how far a Bluetooth device was from our laptop. We had a lot of curious visitors and had a blast talking to all the different companies from around Vermont. If you happen to be in Vermont next October, make sure to stop by and check out our new and exciting projects!

bluetooth

Conclusion

Overall we have made great progress on this project. We have calculated distances to bluetooth devices and are almost ready for a full scale test. With a few last touches to the scripts we expect to be able to run a test with all three nodes operating independently.

The post Bluetooth Device Tracking Update 2 appeared first on The Leahy Center for Digital Investigation.