Forensic Blogs

An aggregator for digital forensics blogs

February 15, 2019 by LCDI

Wearable Forensics Team 1

Smart Watches Can Solve Crimes

This semester, The Senator Patrick Leahy Center for Digital Investigation at Champlain College (LCDI) is continuing research from the spring of 2016 about wearable technology and the impact devices like the Apple Watch and Fitbit have on forensic investigations. The team hopes to create a guide law enforcement and forensic analysts can use to find information that could aid a criminal investigation. This could include data on the user’s location, movement, heart rate, and more.

Why Wearables?

These devices have exploded in popularity in recent years, with over 102 million wearable smart devices sold in 2016. As a result, forensic investigators and law enforcement have used data from these devices, especially Fitbit, to aid investigations and prosecute criminals in homicide cases.

Despite these successes, there is still little information available on how to pull information from the wearable devices themselves. Most often, investigations utilize data pulled from the paired phones or the account information stored in the cloud. The research team at the LCDI hopes to directly image the devices and see what information is available. This would provide a standard for cases where the phone isn’t available or information can’t be released by the company.

However, if the team is unable to pull information directly from the wearable devices, they will continue the research from the 2016 wearables team and investigate data available on the paired phones and information stored by the company in the cloud. These devices and accounts include various different databases with valuable information that can aid in criminal investigations.

Four Devices to Test

The team will work with four smart watches with fitness capabilities: the Samsung Galaxy Watch, the Fitbit Versa, the Garmin Fenix 5, and the Apple Watch Series 4. These four devices are the top smartwatches currently available. This week, the team began with data generation (datagen) for the Galaxy Watch and the Fitbit Versa. This included testing the movement and heart rate sensors, GPS, and third-party applications. Beyond testing each device as a smart watch, a team member took the first two devices home for a night. Check back on the team's next blog post to see what artifacts they were able to find!

The post Wearable Forensics Team 1 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation. Filed Under: Digital Forensics, Uncategorized. Tagged With: Apple, Blog Post, Champlain College, Criminal Investigation, Fitbit, Garmin, LCDI, Samsung, Senator Leahy Center for Digital Investigation, Wearable Technology

November 26, 2018 by LCDI

Automated Network Scanning ! Update

Our Progress

The Automated Network Scanning ! team ran into several issues writing our scanner. The first approach we took was incredibly slow and inefficient, as we scanned every host with a separate Nmap scan. This meant that our program had to start up a new Nmap process for every host. While this approach worked well on our smaller network of four Raspberry Pis, it ran into issues with large-scale tests on the LCDI network; it took over two hours to scan sixteen hosts. Our team decided to switch to scanning every host simultaneously in a single Nmap run. As you can see in the diagram, we initialized Nmap very few times, increasing the efficiency of our scan.


Figure: Our initial solution compared to our revised version.

During this process, we ran into issues with our OS fingerprinting process and the heartbleed-ssl vulnerability scanning. The OS fingerprinting had extreme issues fingerprinting the Windows IoT Raspberry Pi, as the scan would throw errors and not complete. Specifically, the SYN Stealth scans used in OS fingerprinting would return a packet with a negative travel time. Although we ensured the clocks on the Pis were synchronized, we were unable to overcome this issue. Due to this setback, we decided to remove OS fingerprinting from the scope of our network scanner.

Because of the change in the structure of our scans, we removed our script's heartbleed-ssl functionality. Initially, we were able to use a regular expression (regex) on the scan output to find out whether the host scanned was vulnerable, as each heartbleed-ssl scan corresponded to a single host. However, once we scanned all of the hosts simultaneously, we had to change our approach to use the built-in functions of the python-libnmap package we used. These functions were unable to retrieve the script output from the combined scan, so we ultimately had to remove this heartbleed-ssl functionality.
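The single-invocation approach the team switched to, as an added example that is not the team's scanner: it builds one Nmap command line for the whole host list and parses the combined XML report with only the standard library (no python-libnmap), recovering each host's NSE script output, which is the step the team could not get working. Nmap's script id is `ssl-heartbleed` (the post calls it heartbleed-ssl); the XML below is a constructed sample, not output from a real scan.

```python
import re
import subprocess
import xml.etree.ElementTree as ET


def build_scan_command(hosts, ports="443", scripts=("ssl-heartbleed",)):
    """One Nmap process for every host at once, XML report written to stdout."""
    return ["nmap", "-sV", "-p", ports, "--script", ",".join(scripts),
            "-oX", "-", *hosts]


def parse_scan_xml(xml_text):
    """Split a multi-host Nmap XML report into per-host open ports and script output."""
    results = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts carry no port or script data
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        entry = {"open_ports": [], "scripts": {}}
        for port in host.findall("./ports/port"):
            if port.find("state").get("state") != "open":
                continue
            portid = int(port.get("portid"))
            entry["open_ports"].append(portid)
            for script in port.findall("script"):  # NSE output is per port
                entry["scripts"][(portid, script.get("id"))] = script.get("output", "")
        results[addr] = entry
    return results


def hosts_flagged_vulnerable(results, script_id="ssl-heartbleed"):
    """Hosts whose script output has a line starting 'VULNERABLE:' (not 'NOT VULNERABLE:')."""
    marker = re.compile(r"^\s*VULNERABLE:", re.MULTILINE)
    return sorted((addr, portid) for addr, entry in results.items()
                  for (portid, sid), output in entry["scripts"].items()
                  if sid == script_id and marker.search(output))


def run_scan(hosts):
    """Run the real scan (not exercised offline) and parse its report."""
    proc = subprocess.run(build_scan_command(hosts), capture_output=True, text=True, check=True)
    return parse_scan_xml(proc.stdout)


# Constructed sample report: two hosts up, one flagged, one explicitly not, one host down.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><status state="up"/><address addr="10.0.0.11" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
   <script id="ssl-heartbleed" output="&#10;  VULNERABLE:&#10;  The Heartbleed Bug"/></port></ports></host>
 <host><status state="up"/><address addr="10.0.0.12" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
   <script id="ssl-heartbleed" output="&#10;  NOT VULNERABLE:"/></port></ports></host>
 <host><status state="down"/><address addr="10.0.0.13" addrtype="ipv4"/></host>
</nmaprun>"""
```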

Conclusion

Although our team started development with great ideas, we had to scale back to create a more efficient network scanner. Sometimes, you have to take a step backwards before you can take two steps forward!

To learn more about this and other blogs of the LCDI visit us here: LCDI Blog.

Stay in the loop on our current and upcoming projects and events by following us on Facebook, Twitter, or Instagram.

The post Automated Network Scanning ! Update appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation. Filed Under: Digital Forensics, Uncategorized. Tagged With: Blog Post, Champlain College, Digital forensics, network scanning, nmap, Projects, Python, Raspberry Pi, Senator Leahy Center for Digital Investigation, Student Work, Update

March 19, 2018 by LCDI

Exploration Forensics Update 2

Introduction

This semester, the exploration forensics group is researching hardware and software that tests for paranormal activity. The team will test the devices and corresponding apps. Through these tests, they will discover how the devices gather readings and interact with a user’s data. In addition, the team will gather evidence on how the devices and applications operate and examine the accuracy of the sensors. If you haven’t read the team’s first blog post, find it here.

The last few weeks involved jailbreaking the tablets, testing the devices, and becoming familiar with Radare2.

Radare2 and Testing on Free Apps

A large part of the last two weeks involved the team learning how to use Radare2. The ARM assembly that this software shows when disassembling an app can be difficult to make sense of.

Figure 1: Radare2 interface

There are many free programs available to interpret iOS applications, but the team chose Radare2 because of its reputation as a respectable open-source disassembler. The first few days with the software were exploratory and experimental. The team tried "challenges" found online to gain an understanding of the language and the program.

When the team felt ready to begin testing on the freeware iOS apps, there were problems locating the .ipa file. An .ipa file is an iOS archive file that stores the application's binary and its data. Due to this roadblock, no testing was done with the free applications before last week. The team instead focused its efforts on figuring out how to extract the .ipa files from the iPad. Previous research indicated that extracting the files through iTunes would not be difficult. When the team tried to get the .ipa files for the apps Ghost Sensor and EMF Recorder, the folder needed did not exist.

The team spent several days researching alternate ways to extract the .ipa files, but most tutorials use the previous versions of iTunes. Due to this, the team explored other programs used to decompile and extract information from apps.

The last shift before spring break was spent surfing various forums to find alternate ways into the .ipa files. Cydia, which was used to jailbreak the device, has additional add-ons available. The software "ipainstaller" allows for backup and management of .ipa files on iOS devices. The team found a forum that explains how to use the extension. Once the extension was downloaded, finding the .ipa files was straightforward and the team was able to make copies of them.

Figure 2: The team used PuTTY and ipainstaller to extract the .ipa file

This week, the team will be investigating the .ipa files in Radare2 to examine the sensors and permissions.

Preliminary Testing

The team also began tests on the Ovilus V this period. While the original plan was to observe packets sent by the Ovilus, the newest Ovilus model does not have networking capabilities. This model replaced the network card with a larger speaker. Because of this, the team is investigating the capabilities of the device’s sensors instead.

The first test on the Ovilus attempted to create false-positives through the use of magnets. The Ovilus tests for many environmental factors, including temperature, humidity, barometric readings, electromagnetic fields, and movement. The device converts these readings into words, according to DigitalDowsing.com. The team hopes to cross-reference the measurements on the Ovilus to a second measurement to confirm accuracy. They also hope to try to spoof these readings to see the effect on the sensors.

The team took a magnet out of a broken hard drive in the lab to use in experimentation on the Ovilus. These powerful magnets should disrupt any magnetic field measurement, and we’re hoping to create false-positives to see how much these magnets can affect the sensors on the Ovilus.

Figure 3: Breaking open an old hard drive to salvage magnets

Conclusion

Despite the roadblocks the team has experienced, there are many alternatives to the original research plan. Currently, investigation into alternate ways of accessing the iPad’s file system seems promising. In addition, the team plans to continue experimenting with the Paranormal Puck device and app, and testing on the Ovilus. Post any feedback, questions, or general comments in the comment section below! Interested in our research? Follow the Leahy Center for Digital Investigation (LCDI) on Twitter @ChampForensics, Instagram @ChampForensics and Facebook @ChamplainLCDI.

The post Exploration Forensics Update 2 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation. Filed Under: Digital Forensics, Uncategorized. Tagged With: Blog Post, Digital forensics, Exploration Forensics, LCDI, Senator Leahy Center for Digital Investigation
