Forensic Blogs

An aggregator for digital forensics blogs

by

Intrusion into the IoT: The Final Blog

D-Link intrusion footage screenshot Recap: Intrusion Blogs 1/2

In last month’s blog, the IoT Intrusion team hit a major roadblock with the TP-Link Kasa camera, but were able to overcome it through research into Man in the Middle Attacks. Now, armed with more knowledge than before, our team pressed on to new devices. We moved much faster this month than last. We started investigations into the intrusion of two devices, one of which we completed. These devices proved to be good subjects for investigation, but there are so many at the LCDI that we would have liked to look into. Hopefully, the end of the year does not bring the end of the project.

Picture of the D-Link DCS 5030L

D-Link DCS 5030L

After our struggles with the TP-Link, the team decided to work on a different IoT security camera: the D-Link DCS 5030L. We were originally attracted to this device by a statement that the FTC put out saying that D-Link needs to increase their security in order to market themselves as offering, “advanced network security.” This gave us hope that the device might not be secure. This proved to be true, as we were able to exploit features letting users control their camera from a browser. We were able to gain access to all elements of the camera. We were able to change the password as well as view a live feed.

Malicious Intrusion Opportunity

Through this, we were able to brainstorm all the ways a malicious hacker could use this intrusion to their advantage. They could hold the device for ransom and require the owner to pay in order to regain access. An attacker could physically break into a room that had one of these cameras in it and then upon leaving erase the camera footage from the SD card. The quick success that our team had the D-Link camera allowed us to move on to another device this month. 

picture of the WeMo Insight Switch

WeMo Insight Switch 

The next device we decided to work on was the WeMo Insight Switch from Belkin. This device showed up on our radar as a potential subject back in our initial research phase of the project. A serious issue with the device was reported by Bitdefender saying that they had discovered a vulnerability that the switch leaks out wifi passwords. This was based on research done by McAfee that found a vulnerability in the UPnP ports listening on the local network in the device. Our team wants to see what we can do with this information on the device. We have it all set up and ready to test.

The Future of IoT Intrusion

Although this may be the team’s final blog post, this is not the end of our project. We still have a few more weeks scheduled at the Leahy Center. After we attempt our intrusion on the WeMo Insight Switch, we will complete our final report. Make sure to look out for that here when it is published. As our project comes to a close, we ponder what the future may hold. We were only able to scratch the surface of this very in depth and involved line of research. That said, we hope this project laid the groundwork for future research.

Stay up to date with Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI so you always know what we’re up to!

The post Intrusion into the IoT: The Final Blog appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

by

Application Analysis Blog 2

Application Analysis Continued

On the Application Analysis team, we have been busy recovering data from deleted programs. Please refer to this link for our previous blog post and more information about what we do!

Google Drive

Since our last update, the team has been busy digging through Google Drive. While we found a lot of information, we also learned about some unknown features of the application. When a user starts the installation for Google Drive, the application creates a new folder. Also added is a syncing program to download and upload the files locally. This is important to be aware of because once one deletes a program, this local folder and all the files within are still available.  This is a good feature for user interface, even if it is at the cost of security. If the user has files on their drive and still need them offline, it provides easy access. The problem arises if the user wanted all traces of their google drive gone from their computer in a single deletion.  

In our experiment, we created test profiles and tested all of the capabilities of the application. Then, we investigated what information we could access after deleting the application from the computer.  The separate folder had all of the information that was linked and downloaded to Google Drive and its local folder. The problem with drive storage versus cloud storage is that anything that you have downloaded lacks the need for a user login and password.  In addition, the folder created during installation is shown under “Quick Access” even after deletion, making it easily visible to unwanted users.  

Introducing Axiom

When the team started investigating the evidence in Magnet Axiom (a commercial digital forensics investigation tool), the beneficial applications of this method became apparent. The deletion of the application doesn’t retain the Google user’s information (password, email, name, etc), but the URL to the Google document is.

Picture of analysis tool results for Google Drive

The link to the Google Drive is to the right under Evidence Information

All of the files that were stored under the “Google Drive” folder locally were accessible from Axiom. In addition, all files contained a link back to the drive that can be opened in browser.  When you go to open the file online links from Axiom to the Google Drive, unless you possess the login information, the rest of the information is safe.  In a way this ensures future data security, as any future iterations of files are not accessible after the deletion of the app unless the user is accessing it.  It is a bit of both worlds for accessibility and security, as expected from such a large and well-developed company.

Dropbox

The team has also spent time sifting through Dropbox data from a similarly structured experiment. After we loaded the virtual machine file into Axiom, we saw that the system stores all Dropbox-based files, even after deleting the program from the computer. 

Screenshot showing the dropbox files visible in Axiom

Screenshot showing the dropbox files visible in Axiom

Axiom processes a variety of information: when the user logged into the program, when they downloaded the default Dropbox files, the files/folders Dropbox stores and creates, when they were created, and the direct file paths of the files. 

Screenshot showing specific information about one of the Dropbox files

Screenshot showing specific information about one of the Dropbox files

The system Google implemented is still very much present in Dropbox.  The program created a folder in the file system locally that remained after the deletion of the application.  However, the information in the image above does not include a link back to Dropbox. If there was not a folder for the information, there would be very little distinguishing information within the files showing that Dropbox downloaded them. Dropbox however unlike Google, does not have its own format(Google Documents, Google Presentation, etc) or online application for documents and files, a factor which likely influenced this approach.

Conclusion

Considering the type of user interaction these services provide, this outcome is surprising, but not entirely difficult to understand. It is important information to anyone who may be trying to compromise your data. In order to rid your system of all the above information, the user will need to do it manually. It is clear to see that one can’t delete all of the information by uninstalling the desktop version of the program. 

In the coming weeks we will be investigating Steam. As the largest video game platform worldwide, it would need to keep its users’ data safe.  

We will be sure to let everyone know the verdict on our next Application Analysis blog!

Stay up to date with Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI so you always know what we’re up to!

 

The post Application Analysis Blog 2 appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

by

Leahy Center Student Showcase: Liam DiFalco

Introduction to the Leahy Center Student Showcase

The Leahy Center for Digital Forensics & Cybersecurity employs students from a wide array of different states, backgrounds, and skillsets. Through this diversity, we can constantly challenge our status quo and stay at the cutting edge of forensic research. Above this, however, we are able to build a fantastic, inclusive community, one that allows anyone to foster their love for digital forensics and cybersecurity into workable skills and make meaningful connections in the workplace. We would like to shine a spotlight on those who help make the Leahy Center the place it is. The student interns that work at the Leahy Center are not only learning the skills they need for a future in digital forensics, but also contribute fresh perspectives and work to make the Leahy Center a lively place.

Our first student is Liam DiFalco, a high school student from Burlington High School. Working with college students and trained professionals is intimidating, so we took a look into how Liam interacts with the Leahy Center to further his education. Thank you, Liam, for allowing us to interview you!

#1: Liam DiFalco

Editor: “Hey Liam, how’s it going?”

Liam: “Pretty good.”

Editor: “So tell us a little about yourself. Where are you from? What do you do, what are your interests?”

Liam: “Well I live in Burlington, Vermont, but I was born in Bristol. I go to school at Burlington High School, and I have interests in computers and cars. In fact, building cars is a hobby of mine. I’m trying to get Digital Forensics as my major going to Champlain College.”

Editor: “Living in Burlington, how easy is it for you to pursue those interests in data recovery and computer stuff?”

Liam: “Well, I mean, it’s certainly not as populated a state as, say, California. There’s not as many tools or resources as there are in very populated cities, but living in Burlington, it’s nice to have access to the Leahy Center and all of these tools, as well as people that know what they’re doing to help teach you how to use them.”

Editor: “How did you hear about the Leahy Center?”

Liam: “Well, I actually have a relative who works in this building, so I’ve been here several times. I’ve seen this place as I go back and forth, and I ask, “What do they do? It looks really impressive.” It wasn’t until last summer, when I heard about DFCS Academy, where I was like, “OK, I want to do this so I can get more involved with whatever is going on over here,” and I learned more about digital forensics and cybersecurity in those two weeks than I have in my entire life.”

Experience at the Leahy Center

Editor: “Speaking of your experience here, what kind of things are you doing? What kinds of projects are you working on?”

Liam: “Even though it’s been a few weeks, I’m still getting a hold of everything that I need to be learning, including using VMWare, learning the lingo, and learning all the different tools I need to use. It’s still pretty fascinating to me. I could spend days on end in that lab, searching through a drive or just doing research on what I need to do. It’s just interesting, there’s so much I could learn from it.”

“I learned more about digital forensics and cybersecurity in those two weeks than I have in my entire life.”

Editor: “Can you go into a bit more detail on the different tools that are available to you here that you might not have access to elsewhere?”

Liam: “Just in data recovery, there’s Axiom, EnCase, all the VMWare tools, thousands of dollars worth of software that I would never be able to use at my house. There are 3-D printers, powerful and expensive computers, write blockers, different kinds of forensic tools that I can delve into, it’s a trove of tools you can use to stop cyber-crime and learn something.”

Editor: “Talk to us about the community here. What is it like working on projects with the people who are on your shift with you?”

Liam: “Working with the people in my group, the data recovery group, is pretty good. They’re very independent. They know what they’re doing. It’s interesting to see and watch what they’re doing through the Trello boards different blog posts we have. During my first couple of days here, I was pretty intimidated. I was a little bit shorter than everyone else, I didn’t really know anybody, but everybody here is extremely friendly, extremely kind. “

Balancing School and Work

Editor: “How does the stuff you’re doing in high school tie in with the stuff you’re doing here at the Leahy Center? Is there any interconnected material between both of them?”

Liam: “Well, surprisingly, yes and no. In almost every class I can bring up something that I learned about here. This is a weird example, but when I’m talking to students about deleting files on your phone or computer, they don’t understand the concept that it’s still there, it’s still gonna be there. It’s kind of interesting to see how much more I know about this stuff than them and seeing all the stuff they know about that I don’t.”

Editor: “You seem pretty driven in your work here. You’re still going to school, how are you balancing coming here and doing your work at the Leahy Center while also being a high school student?”

Liam: “Well, I contacted my advisers through the school. We managed to get it so I could have fewer shifts here, two-hour shifts instead of three or four, and only come into school before or after my shifts. I had my classes picked out for the day to balance this and school. I feel this could be more important than just getting the credits to graduate.”

Wrapping Up

Editor: “Where do you see yourself in the future after college, after you take these classes at Champlain? How do you feel your experience here helps you with that?”

Liam: “Well, I hope to see myself getting into a fairly decent job after college, ideally within the first few months, maybe working with the Leahy Center or a private firm. I don’t know the path that’s waiting for me after college. With this job, it could be anything, from a small business to a firm or corporation, but I hope to be able to use these skills to my advantage every single day.”

Editor: “Fantastic. I just have one more question for you: how do you like it here?”

Liam: “If I had to come up with one word, I would say it’s very comfortable here. I feel like this is the place where I’m supposed to be during the day. I’m relaxed, people around me know what they’re doing, and I’m learning what I’m doing. I don’t feel like I’m stressed out coming here, or glad that I’m leaving; I’m kind of sad when I leave. I think it’s a pretty great place.”

Editor: “Cool, well it was nice talking to you!”

Liam: “Yeah, thank you!”

*As of 11/20/19 Liam has accepted to the Computer & Digital Forensics program at Champlain College and will be attending as a full-time student in the fall of 2020.

All Photos by Deja Miller, ‘22 // Marketing

Stay up to date with Twitter, Instagram, and Facebook by following @ChampForensics so you always know what we’re up to!

 

The post Leahy Center Student Showcase: Liam DiFalco appeared first on The Leahy Center for Digital Forensics & Cybersecurity.