Forensic Blogs

An aggregator for digital forensics blogs

by

Exploration Forensics Update 2

Introduction

This semester, the exploration forensics group is researching hardware and software that tests for paranormal activity. The team will test the devices and corresponding apps. Through these tests, they will discover how the devices gather readings and interact with a user’s data. In addition, the team will gather evidence on how the devices and applications operate and examine the accuracy of the sensors. If you haven’t read the team’s first blog post, find it here.

The last few weeks involved jail breaking the tablets, testing the devices, and becoming familiar with Radare2.

Radare2 and Testing on Free Apps

A large part of the last two weeks involved the team learning how to use Radare2. The ARM assembly language used for this software can be difficult to make sense of.

Figure 1: Radare2 interface

There are many free programs available to interpret IOS applications, but the team chose Radare2 because of its reputation as a respectable open-source disassembler. The first few days with the software was exploratory and experimental. The team tried “challenges” found online to gain understanding of the language and the program.

When the team felt ready to begin testing on the freeware IOS apps, there were problems locating the .ipa file. An .ipa file is an IOS archive file that stores the application information and data in binary. Due to this roadblock, no testing was done with the free applications before last week. The team instead focused efforts on figuring out how to extract the .ipa files from the iPad. Previous research indicated that extracting the files through iTunes would not be difficult. When the team tried to get the .ipa file for the apps Ghost Sensor and EMF recorder, the folder needed did not exist.

The team spent several days researching alternate ways to extract the .ipa files, but most tutorials use the previous versions of iTunes. Due to this, the team explored other programs used to decompile and extract information from apps.

The last shift before spring break was spent surfing various forums to find alternate ways into the .ipa files. Cydia, which was used to jailbreak the device, has additional add-ons available. The software “ipainstaller” allows for backup and management of ipa files on IOS devices. The team found a forum that explains how to use the extension. Once the extension was downloaded, finding the .ipa files were straightforward and the team was able to make copies of them.

Figure 2: The team used PuTTY and ipainstaller to extract the .ipa file

This week, the team will be investigating the .ipa files in Radare2 to examine the sensors and permissions.

Preliminary Testing

The team also began tests on the Ovilus V this period. While the original plan was to observe packets sent by the Ovilus, the newest Ovilus model does not have networking capabilities. This model replaced the network card with a larger speaker. Because of this, the team is investigating the capabilities of the device’s sensors instead.

The first test on the Ovilus attempted to create false-positives through the use of magnets. The Ovilus tests for many environmental factors, including temperature, humidity, barometric readings, electromagnetic fields, and movement. The device converts these readings into words, according to DigitalDowsing.com. The team hopes to cross-reference the measurements on the Ovilus to a second measurement to confirm accuracy. They also hope to try to spoof these readings to see the effect on the sensors.

The team took a magnet out of a broken hard drive in the lab to use in experimentation on the Ovilus. These powerful magnets should disrupt any magnetic field measurement, and we’re hoping to create false-positives to see how much these magnets can affect the sensors on the Ovilus.

Figure 3: Breaking open an old hard drive to salvage magnets Conclusion

Despite the roadblocks the team has experienced, there are many alternatives to the original research plan. Currently, investigation into alternate ways of accessing the iPad’s file system seems promising. In addition, the team plans to continue experimenting with the Paranormal Puck device and app, and testing on the Ovilus. Post any feedback, questions, or general comments in the comment section below! Interested in our research? Follow the Leahy Center for Digital Investigation (LCDI) on Twitter @ChampForensics, Instagram @ChampForensics and Facebook @ChamplainLCDI.

The post Exploration Forensics Update 2 appeared first on The Leahy Center for Digital Investigation.

by

Application Analysis Introduction

Introduction

This semester, the Application Analysis team chose four Windows applications to perform a forensic analysis on – Spotify, Bitcoin Miner, Speedtest, and Dashlane. In the coming weeks, we will examine the artifacts generated by these applications.

Analysis: Web App Security

We will inspect the applications’ security features. Without proper security features, hackers can access data stored by the application. Noting how the applications handle data will illuminate security features.

The Applications

Spotify is a web-based music streaming application. It has a user base of well over 140 million paid and unpaid users, making it the largest music service available. With a music library of over 30 million songs, it’s clear to see why users love it so much. Spotify features connectivity with friends and celebrities. The team wonders if this could lead to a privacy issue. We will analyze this by recording the data the application stores about music preferences and other personal information.

Bitcoin Miner is the most popular bitcoin mining application in the Microsoft Store. Cryptocurrency has recently emerged as a lucrative investment opportunity. Applications offering users a friendly interface for exchanging and mining cryptocurrencies have followed. We are inquiring about the artifacts left over by mining cryptocurrency.   

SpeedTest is an internet speed testing application that offers “easy, one-click connection testing in under 30 seconds.” It also claims to be “the most accurate and convenient way to test your speed.” Millions of users access this service. Analyzing an application such as this one should be simple. We will be looking into the data that the application stores about you and your device. This data includes age, gender, work experience, education, and browser history.

Dashlane acts as an online password bank. The application stores entered user and online account information. Never again do you need to remember all your passwords. You only need one master password to open Dashlane. The application will log-in to websites through its database and fill out forms with the information you provide. We will examine the artifacts generated by storing information, navigating to websites, and using the autofill feature. For this application, it will be important for us to be on the lookout for potential security risks.

Conclusion

Currently, we are generating and analyzing the artifacts as well as observing security features. We will report on our findings in the blog posts to come.

Post any feedback, questions, or general comments in the comment section below! Interested in our research? Follow the Leahy Center for Digital Investigation (LCDI) on Twitter @ChampForensics, Instagram @ChampForensics and Facebook @ChamplainLCDI.

The post Application Analysis Introduction appeared first on The Leahy Center for Digital Investigation.

by

Exploration Forensics Blog 1

Introduction

This semester, the exploration forensics team is conducting research on hardware and software that tests for paranormal activity. We will test the devices and corresponding applications to discover if they gather readings and interact with a user’s data. The team will gather evidence on how the devices and applications operate. We will test how outputs are affected by environmental factors.

Background and Devices

The Paranormal Puck 2 and Ovilus V are products of Digital Dowsing, LLC. The company advertises the devices as an effective way to communicate with ghosts. The devices convert environmental factors such as temperature, humidity, barometric readings, electromagnetic fields, and movement into words.

 

Figure 1

When connected to an iPad, the Paranormal Puck 2 lists singular words from readings of environmental factors. Digital Dowsing’s website outlines the instrumental trans-communication (ITC) capabilities of the device. Environmental readings are converted into words, but not full sentences. The user can either ask questions aloud or type them into the app. The questions will then be “answered” based on environmental readings.

The Ovilus V is a standalone device that has capabilities like the Puck, except there isn’t a corresponding mobile application. The Ovilus monitors environmental factors and has several different modes to convert these readings into different forms: visual platforms, words, true or false answers, or sounds. The exploration forensics team plans to test the effectiveness of each of the modes.

First Few Weeks of Research

So far, the team has explored various forums to find research notes by people who have used the devices. While it was difficult to find credible sources, the team did find information about:

The Ovilus V uses electronic voice phenomena (EVP) to make approximations for words based on available phonetic sounds. The permissions of the mobile apps. The mechanics of the devices, like electromagnetic frequency (EMF) and the movement sensors.

The LCDI received the devices the week of February 5th. The team tested the devices on an exploratory basis to get an idea of how the devices actually work. During initial testing, the device rattled when moved by the team. A screw fell out through the grates and the device wouldn’t power on. The LCDI has sent the device back and Digital Dowsing should be sending a replacement soon. Research will continue with the Ovilus as the team waits for the replacement Paranormal Puck.

The team observed a correlation between the movement of the device and the readings the device produced. The device prompted names of people that no one on the team knew, and said words like “hide” and “disaster”. Digital Dowsings website advises users to disregard words that don’t make sense to the situation. The device may not be able to translate the environmental readings into meaningful words (Figure 2).

Figure 2

The team also tried to find more information about the hardware of the devices, but not much information is available. Analysis of the devices will continue to confirm the capabilities of the energy, temperature, barometric, and motion sensors by cross-referencing the results with readings from other devices.

Security of Mobile Apps

The team hopes to investigate the security permissions of the applications. If the devices have access to GPS location, the camera, and files on the mobile device, it could illustrate potential insights into how the devices are gathering evidence. One team member commented that using the devices in a graveyard would likely produce words like “marker” and “grave” if the app uses GPS. The team will investigate if the device receives information through GPS location or through the monitored environmental factors.

Proposed Method of Gathering Research

When testing the devices, the team will experiment with the devices in a constant environment. Monitoring the different modes on the devices will help pose a set of control questions that will be either spoken or written. Then, we will record the responses of the devices.

Conclusion

In the weeks to come, the team will test the capabilities of the Paranormal Puck 2 and Ovilus V devices. The team will also use the methods outlined above to gather evidence about the devices to be analyzed.

Sources

Hallowed_Grave. (2014, July 6). My weird experiences with the IOvilus [Online forum comment]. Message posted to https://www.reddit.com/r/Paranormal/comments/29xnzs/my_weird_experiences_with_the_iovilus/.

Digital Dowsing. (2015). Digital Dowsing, LLC. Retrieved from https://www.digitaldowsing.com/.

The post Exploration Forensics Blog 1 appeared first on The Leahy Center for Digital Investigation.