Forensic Blogs

An aggregator for digital forensics blogs

by

Automated Network Scanning ! Update

Our Progress

The Automated Network Scanning ! team ran into several issues writing our scanner. The first approach we took was incredibly slow and inefficient, as we scanned every host with a separate Nmap scan. This meant that our program had to start up a new Nmap process every time. While this approach worked well on our smaller network of four Raspberry Pis, it ran into issues with large-scale tests on the LCDI network; it took over two hours to scan sixteen hosts. Our team decided to switch to scanning every host simultaneously. As you can see in the diagram, we initialized Nmap very few times, increasing the efficiency of our scan.

 

Our initial solution compared to our revised version.

During this process, we ran into issues with our OS fingerprinting process and the heartbleed-ssl vulnerability scanning. The OS fingerprinting had extreme issues fingerprinting the Windows IOT Raspberry Pi as the scan would throw errors and not complete. Specifically, the SYN Stealth scans used in OS Fingerprinting would return a packet with a negative travel time. Although we ensured synchronicity of the times on the Pis, we were unable to overcome this issue. Due to this setback, we decided to remove OS fingerprinting from the scope of our network scanner.

Because of the change in structure of our scans, we removed our script’s heartbleed-ssl functionality. Initially, we were able to use a regular expression, or regex to find if the host scanned was vulnerable, as each heartbleed-ssl scan corresponded to a single host. However, once we scanned all of the hosts simultaneously, we had to change our approach to use inbuilt functions in the python-libnmap package we used. These functions were unable to retrieve the data from the script, so we ultimately had to remove this heartbleed-ssl functionality.

Conclusion

Although our team started development with great ideas, we had to scale back to create a more efficient network scanner. Sometimes, you have to take a step backwards before you can take two steps forward!

To learn more about this and other blogs of the LCDI visit us here: LCDI Blog.

Stay in the loop on our current and upcoming projects and events by following us on Facebook,  Twitter, or Instagram. 

The post Automated Network Scanning ! Update appeared first on The Leahy Center for Digital Investigation.

by

Exploration Forensics Update 2

Introduction

This semester, the exploration forensics group is researching hardware and software that tests for paranormal activity. The team will test the devices and corresponding apps. Through these tests, they will discover how the devices gather readings and interact with a user’s data. In addition, the team will gather evidence on how the devices and applications operate and examine the accuracy of the sensors. If you haven’t read the team’s first blog post, find it here.

The last few weeks involved jail breaking the tablets, testing the devices, and becoming familiar with Radare2.

Radare2 and Testing on Free Apps

A large part of the last two weeks involved the team learning how to use Radare2. The ARM assembly language used for this software can be difficult to make sense of.

Figure 1: Radare2 interface

There are many free programs available to interpret IOS applications, but the team chose Radare2 because of its reputation as a respectable open-source disassembler. The first few days with the software was exploratory and experimental. The team tried “challenges” found online to gain understanding of the language and the program.

When the team felt ready to begin testing on the freeware IOS apps, there were problems locating the .ipa file. An .ipa file is an IOS archive file that stores the application information and data in binary. Due to this roadblock, no testing was done with the free applications before last week. The team instead focused efforts on figuring out how to extract the .ipa files from the iPad. Previous research indicated that extracting the files through iTunes would not be difficult. When the team tried to get the .ipa file for the apps Ghost Sensor and EMF recorder, the folder needed did not exist.

The team spent several days researching alternate ways to extract the .ipa files, but most tutorials use the previous versions of iTunes. Due to this, the team explored other programs used to decompile and extract information from apps.

The last shift before spring break was spent surfing various forums to find alternate ways into the .ipa files. Cydia, which was used to jailbreak the device, has additional add-ons available. The software “ipainstaller” allows for backup and management of ipa files on IOS devices. The team found a forum that explains how to use the extension. Once the extension was downloaded, finding the .ipa files were straightforward and the team was able to make copies of them.

Figure 2: The team used PuTTY and ipainstaller to extract the .ipa file

This week, the team will be investigating the .ipa files in Radare2 to examine the sensors and permissions.

Preliminary Testing

The team also began tests on the Ovilus V this period. While the original plan was to observe packets sent by the Ovilus, the newest Ovilus model does not have networking capabilities. This model replaced the network card with a larger speaker. Because of this, the team is investigating the capabilities of the device’s sensors instead.

The first test on the Ovilus attempted to create false-positives through the use of magnets. The Ovilus tests for many environmental factors, including temperature, humidity, barometric readings, electromagnetic fields, and movement. The device converts these readings into words, according to DigitalDowsing.com. The team hopes to cross-reference the measurements on the Ovilus to a second measurement to confirm accuracy. They also hope to try to spoof these readings to see the effect on the sensors.

The team took a magnet out of a broken hard drive in the lab to use in experimentation on the Ovilus. These powerful magnets should disrupt any magnetic field measurement, and we’re hoping to create false-positives to see how much these magnets can affect the sensors on the Ovilus.

Figure 3: Breaking open an old hard drive to salvage magnets Conclusion

Despite the roadblocks the team has experienced, there are many alternatives to the original research plan. Currently, investigation into alternate ways of accessing the iPad’s file system seems promising. In addition, the team plans to continue experimenting with the Paranormal Puck device and app, and testing on the Ovilus. Post any feedback, questions, or general comments in the comment section below! Interested in our research? Follow the Leahy Center for Digital Investigation (LCDI) on Twitter @ChampForensics, Instagram @ChampForensics and Facebook @ChamplainLCDI.

The post Exploration Forensics Update 2 appeared first on The Leahy Center for Digital Investigation.

by

Application Analysis Introduction

Introduction

This semester, the Application Analysis team chose four Windows applications to perform a forensic analysis on – Spotify, Bitcoin Miner, Speedtest, and Dashlane. In the coming weeks, we will examine the artifacts generated by these applications.

Analysis: Web App Security

We will inspect the applications’ security features. Without proper security features, hackers can access data stored by the application. Noting how the applications handle data will illuminate security features.

The Applications

Spotify is a web-based music streaming application. It has a user base of well over 140 million paid and unpaid users, making it the largest music service available. With a music library of over 30 million songs, it’s clear to see why users love it so much. Spotify features connectivity with friends and celebrities. The team wonders if this could lead to a privacy issue. We will analyze this by recording the data the application stores about music preferences and other personal information.

Bitcoin Miner is the most popular bitcoin mining application in the Microsoft Store. Cryptocurrency has recently emerged as a lucrative investment opportunity. Applications offering users a friendly interface for exchanging and mining cryptocurrencies have followed. We are inquiring about the artifacts left over by mining cryptocurrency.   

SpeedTest is an internet speed testing application that offers “easy, one-click connection testing in under 30 seconds.” It also claims to be “the most accurate and convenient way to test your speed.” Millions of users access this service. Analyzing an application such as this one should be simple. We will be looking into the data that the application stores about you and your device. This data includes age, gender, work experience, education, and browser history.

Dashlane acts as an online password bank. The application stores entered user and online account information. Never again do you need to remember all your passwords. You only need one master password to open Dashlane. The application will log-in to websites through its database and fill out forms with the information you provide. We will examine the artifacts generated by storing information, navigating to websites, and using the autofill feature. For this application, it will be important for us to be on the lookout for potential security risks.

Conclusion

Currently, we are generating and analyzing the artifacts as well as observing security features. We will report on our findings in the blog posts to come.

Post any feedback, questions, or general comments in the comment section below! Interested in our research? Follow the Leahy Center for Digital Investigation (LCDI) on Twitter @ChampForensics, Instagram @ChampForensics and Facebook @ChamplainLCDI.

The post Application Analysis Introduction appeared first on The Leahy Center for Digital Investigation.