Forensic Blogs

An aggregator for digital forensics blogs

April 30, 2020 by LCDI

Building a Visualization Tool for mac_apt

Matthew Goldsborugh / Daniel Hellstern

[Image: mac_apt results]

Introduction

An important part of any forensic investigation is finding the indicators an attacker leaves behind on a compromised computer. This can be very difficult, especially when the attacker takes steps to hide their tracks. Software that finds these artifacts already exists; our project revolves around one such tool: mac_apt.

mac_apt is an open-source collection tool for macOS devices, created by Yogesh Khatri. The tool collects everything from known WiFi networks to old print jobs and paired Bluetooth devices. Unfortunately, mac_apt outputs a lot of raw data, which is often difficult to go through by hand. That’s why we’re working on building a tool to help investigators find important artifacts among those discovered by mac_apt.

Design goals

The primary goal of the mac_apt graphical user interface (GUI) is to augment what is available in existing tools like EnCase. Investigators use these tools to analyze artifacts and determine which could be compromising. The mac_apt GUI aims to provide a better experience when analyzing macOS artifacts.

We have made significant progress since we began this project. In 8 weeks, we chose a Python GUI framework that would fit our needs, designed the basic structure and elements of the GUI, and have implemented many of the desired features.

Our main obstacle thus far has been the limitations of the wxPython framework that we chose. Features such as infinite scrolling and dynamic widget resizing are not built into the framework. Implementing these features ourselves would require a significant amount of time. We have opted instead to focus our attention on getting other elements of the GUI up and running before committing our time to those features.

Our team has been using the Python sqlite3 database API to pull the relevant data from the mac_apt databases with SQLite queries. The program converts the data into a human-readable format and populates a table with it. We are now working hard to make the table user friendly with features like sorting, filtering, and column manipulation.

We have also been working on the text and hexadecimal preview window, which displays the contents of individual cells. Displaying a cell's contents was simple, but the "Source" column of our data tables has proven more difficult. The Source column holds the path of the file from which the table data was collected, and our goal is to display the contents of that source file in a human-readable format. The difficulty arises from the many different file formats represented in the database: the previewer must handle text, plist, sqlite, history, gz, xml, and kext file types and convert each into human-readable and hex views. Currently we are having trouble getting the hex viewer to display the corresponding ASCII character for some hex values.
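The following is an added example, not code from the mac_apt GUI project, of the two pieces the paragraphs above describe: querying a mac_apt-style SQLite output file with the sqlite3 module (sorting and substring filtering done in SQL), and previewing a source file as text or as a hex dump. The database, its table and column names, and the sample source files are constructed here and are not mac_apt's real schema. The hex dump maps every byte outside printable ASCII (0x20 to 0x7e) to a dot, which is the standard way to keep control and high bytes from corrupting the ASCII column.

```python
import gzip
import plistlib
import pprint
import sqlite3

# Constructed sample rows shaped like a mac_apt output table. The table and
# column names are hypothetical, not mac_apt's real schema.
WIFI_SOURCE = "/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist"
SAMPLE_ROWS = [
    ("HomeWiFi", 1588204800, WIFI_SOURCE),
    ("CoffeeShop", 1587600000, WIFI_SOURCE),
    ("Office", None, WIFI_SOURCE),
]

# Constructed stand-ins for files a Source column might point at.
SAMPLE_FILES = {
    "notes.txt.gz": gzip.compress(b"hello"),
    "wifi.plist": plistlib.dumps({"SSID": "HomeWiFi"}),
    "blob.bin": b"bplist\x00\x01",
}


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database standing in for a mac_apt SQLite output file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE WifiNetworks (SSID TEXT, LastConnected INTEGER, Source TEXT)")
    conn.executemany("INSERT INTO WifiNetworks VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def list_tables(conn: sqlite3.Connection) -> list:
    """Table names in the database, read from sqlite_master."""
    return [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]


def quote_ident(name: str) -> str:
    # Identifiers cannot be bound as parameters, so callers validate them
    # against the schema and this helper double-quotes them.
    return '"' + name.replace('"', '""') + '"'


def fetch_table(conn, table, sort_by=None, descending=False, contains=None) -> list:
    """Rows as dicts, optionally filtered by substring (any column) and sorted."""
    if table not in list_tables(conn):
        raise ValueError(f"unknown table: {table}")
    columns = [r[1] for r in conn.execute(f"PRAGMA table_info({quote_ident(table)})")]
    sql = f"SELECT * FROM {quote_ident(table)}"
    params = []
    if contains is not None:
        # Match the filter text against every column; NULL cells never match.
        sql += " WHERE " + " OR ".join(
            f"CAST({quote_ident(c)} AS TEXT) LIKE ?" for c in columns)
        params = [f"%{contains}%"] * len(columns)
    if sort_by is not None:
        if sort_by not in columns:
            raise ValueError(f"unknown column: {sort_by}")
        sql += f" ORDER BY {quote_ident(sort_by)} {'DESC' if descending else 'ASC'}"
    return [dict(zip(columns, row)) for row in conn.execute(sql, params)]


def hex_preview(data: bytes, width: int = 16) -> str:
    """Classic hex dump: offset, hex bytes, then an ASCII column in which any
    byte outside 0x20-0x7e is rendered as '.' rather than as a raw character."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{offset:08x}  {hex_part}  {ascii_part}")
    return "\n".join(lines)


def preview_bytes(data: bytes, name: str) -> str:
    """Render a source file's bytes in a readable form chosen by file name,
    falling back to the hex dump whenever decoding fails."""
    lower = name.lower()
    if lower.endswith(".gz"):
        return preview_bytes(gzip.decompress(data), lower[:-3])
    if lower.endswith(".plist"):
        try:  # plistlib handles both XML and binary plists
            return pprint.pformat(plistlib.loads(data))
        except Exception:
            return hex_preview(data)
    if lower.endswith((".txt", ".xml", ".history", ".log")):
        try:
            return data.decode("utf-8")
        except UnicodeDecodeError:
            return hex_preview(data)
    return hex_preview(data)


if __name__ == "__main__":
    db = build_sample_db()
    for row in fetch_table(db, "WifiNetworks", sort_by="LastConnected", descending=True):
        print(row)
    for name, blob in SAMPLE_FILES.items():
        print(f"--- {name}\n{preview_bytes(blob, name)}")
```

Sorting on a column that contains NULLs is worth noting: SQLite treats NULL as smaller than every value, so NULL rows sort first in ascending order and last in descending order, which is what the LastConnected column above shows.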

Conclusion

With most of the basic components of the mac_apt GUI working, the next step is to implement more advanced features to make the GUI more user-friendly. We would like to add a file system tree, advanced searches, copying cell data to clipboard, and the ability to open source files in another application. Eventually, we hope to build a powerful, user-friendly tool that investigators can rely on to whittle down collected data to exactly what they need.

The post Building a Visualization Tool for mac_apt appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

Read the original at: The Leahy Center for Digital Forensics & Cybersecurity
Filed Under: Digital Forensics, Uncategorized
Tagged With: Application Analysis, Blog Post, Digital forensics, Encase, GUI, mac_apt, Student projects, Student Work, tools

November 2, 2018 by LCDI

Application Analysis

Introduction:

The Application Analysis team is a group of technical interns at the Leahy Center for Digital Investigation. The LCDI offers great opportunities for students to gain knowledge and skills in digital forensics and cybersecurity. This post describes how four intern students have gone about testing consumer mobile tracking and monitoring software.

Experience:

The Application Analysis team is currently researching four different mobile tracking and monitoring programs available on today's market: mSpy, FlexiSpy, Mobistealth, and Highster Mobile. We are researching the specifications that each of these applications claims to have. We have five Nexus 7 tablets, four of which are rooted using Nexus Root Toolkit and one that serves as the control device. A control device is one you leave in its original state so that you can compare it with the other devices and see what has changed; sometimes unexpected things change, and that comparison is how you confirm a device has been altered. We have a laptop that monitors the traffic with Wireshark and also serves as the control panel for the software.

Our team is using the following apps: Google Hangouts, Facebook, Facebook Messenger, Kik, and Skype. We generate data by sending information between the rooted device and the control device through these applications. We then check whether we can view all of the information we generated and note any data that is not collected.

In addition, we are testing whether video calls are recorded and sent to the parents' account. We have set a keyword to test whether each program alerts the parent when the keyword is used. Since the first program we tested has a geo-fencing capability, we decided to test that as well. Geo-fencing means that if a device leaves a certain location, an alert is sent to notify the parent that the device has left the specified area.

Conclusion:

We have created a variety of questions that we would like to look further into with each of the programs, including if the software can be hidden on the device. Stay tuned to read further updates on this project and the information we continue to gather from our devices.


To learn more about this and other blogs of the LCDI visit us here: LCDI Blog.

Stay in the loop on our current and upcoming projects and events by following us on Facebook, Twitter, or Instagram.


The post Application Analysis appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation
Filed Under: Digital Forensics, Uncategorized
Tagged With: Application Analysis, Blog Post, Champforensics, Champlain College, Internship, Mobile App Analysis, Projects, research, Student projects, Update

October 17, 2017 by LCDI

Network Automation Update 1

Network Automation Overview

The Network Automation project team has set out to create a script that scans computer networks and maps them in a discreet, speedy, and automatic manner. This will be accomplished with a Raspberry Pi running the script and several accompanying programs.


The project's goal is to create a penetration testing tool that combines programs like Nmap and Nikto to map networks and generate automated reports about the discovered information. The program will be launched from a Raspberry Pi 2 Model B microcomputer. While it lacks the powerful hardware found in most workstations, its customizability and portable size make it a perfect fit for our needs.

Script Overview

Scanners like these are extremely beneficial to network administrators: they let administrators check for potential vulnerabilities and "visualize" their network. As of now, our script accomplishes this by scanning the following ports: 53, 21-23, 25, 80, 88, 443, 110, 135, 137-139, 1433 and 1434. We chose these ports because of their specific functions; port 80, for example, is where much web traffic is directed, and it is also commonly targeted by attackers.
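As an added example (not the project's own script), here is the reporting half of the pipeline described above: Nmap's XML output (the -oX format) parsed with the Python standard library, with each live host's open ports checked against the post's port list so that an administrator gets a one-line-per-host summary. The XML document, the 192.0.2.x documentation addresses, the hostname and the scan results are all constructed for this example; the port specification string is the list given in the post.

```python
import xml.etree.ElementTree as ET

# Port list from the post, written in Nmap's own range syntax.
WATCHED_PORT_SPEC = "53,21-23,25,80,88,443,110,135,137-139,1433,1434"

# Constructed Nmap XML output (what `nmap -oX` writes) for two hosts on an
# RFC 5737 documentation network; addresses, names and results are made up.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - 192.0.2.0/29" version="7.80">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web.lab.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="135"><state state="filtered"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def expand_ports(spec: str) -> set:
    """Expand a '21-23,80' style port spec into a set of integers."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        elif part:
            ports.add(int(part))
    return ports


def parse_nmap_xml(xml_text: str) -> list:
    """One dict per host that is up: address, hostname and its port table."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue  # down hosts carry no port data worth reporting
        addr_el = host.find("address[@addrtype='ipv4']")
        hostname_el = host.find("hostnames/hostname")
        ports = []
        for port in host.findall("ports/port"):
            state_el = port.find("state")
            service_el = port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol", "tcp"),
                "state": state_el.get("state") if state_el is not None else "unknown",
                "service": service_el.get("name", "") if service_el is not None else "",
            })
        hosts.append({
            "addr": addr_el.get("addr") if addr_el is not None else "?",
            "hostname": hostname_el.get("name", "") if hostname_el is not None else "",
            "ports": ports,
        })
    return hosts


def open_watched_ports(host: dict, watched: set) -> list:
    """(port, service) pairs for open ports on the watch list, sorted by port."""
    return sorted((p["port"], p["service"]) for p in host["ports"]
                  if p["state"] == "open" and p["port"] in watched)


def build_report(hosts: list, watched: set) -> str:
    """One line per live host listing the watched ports found open."""
    lines = []
    for host in hosts:
        label = host["addr"] + (f" ({host['hostname']})" if host["hostname"] else "")
        found = open_watched_ports(host, watched)
        if found:
            lines.append(f"{label}: " + ", ".join(f"{port}/{svc or '?'}" for port, svc in found))
        else:
            lines.append(f"{label}: no watched ports open")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_report(parse_nmap_xml(SAMPLE_NMAP_XML), expand_ports(WATCHED_PORT_SPEC)))
```

Filtered ports are deliberately left out of the summary: a filtered result means a firewall answered (or nothing did), not that a service is listening, so reporting it alongside open ports would overstate exposure. The 8080 entry in the sample shows that the report only mentions ports on the watch list, so the list is the place to extend when the project adds services.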


Conclusion

Now that we have a completed script, we will begin testing it and making sure it works properly. Once we’ve thoroughly tested the script, we will then perform a pen test on the LCDI network and see what we can find! Be on the lookout for our next blog post where we will review our testing phase and discuss any issues we come across.

The LCDI always welcomes feedback! Check us out on Facebook, Twitter, or read our other blogs! We can also be reached by email at: lcdi@champlain.edu.

The post Network Automation Update 1 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation
Filed Under: Digital Forensics, Uncategorized
Tagged With: Blog Post, Network Automation, Project, Projects, Student projects, Student Work, Update

About

This site aggregates posts from various digital forensics blogs. Feel free to take a look around, and make sure to visit the original sites.


All content is copyright the respective author(s)