Sunday, March 27, 2016

The Rise of (IoT) Domestic Appliance Forensic Examiners

The future looks bright for forensic digital examiners as the world of Internet of Things (IoT) has brought the rush of products on to the markets to compete in the IoT domestic appliances market. Already, due to time-to-market products flaws in the secure processes that allow users to initiate personal identity protocols to active appliances have been identified.

Just follow the links to read these articles for some enlightenment on what Pen Testing discovered.

iKettle and Coffee Machine

Protocol for the iKettle

Hacking a Wi-Fi Coffee Machine

Hacking Kettles

Internet map used to showed location of IoT appliances

This could all seem laughable save-to-say that the idea of bleeding details or house locations was an issue raised over 10 years ago when, due to a large spate of house burglaries, it was suggested householders should put device specific RFID tags on their household goods just in case of theft. It didn't take long for people to work out that a burglar could create a shopping list of items to theft order by walking down a street with an RFID scanner and GPS tracker.

The next stage is domestic appliances hijacked for malicious damage to devices, burglaries for those using unsafe appliances bleedings personal details and so on.

With IoT appliances expect to see a boon for law enforcement labs with examinations of kettles, tumble driers, washing machines etc. Of course, test equipment will be necessary.

A training course to assist in the examination process is soon to be available.

Saturday, March 26, 2016

iMessage shown to have encryption flaw

Discussion article here:

Apparently, the research has found:

"It took a few months, but they succeeded, targeting phones that were not using the latest operating system on iMessage, which launched in 2011.

"To intercept a file, the researchers wrote software to mimic an Apple server. The encrypted transmission they targeted contained a link to the photo stored in Apple’s iCloud server as well as a 64-digit key to decrypt the photo.

"Although the students could not see the key’s digits, they guessed at them by a repetitive process of changing a digit or a letter in the key and sending it back to the target phone. Each time they guessed a digit correctly, the phone accepted it. They probed the phone in this way thousands of times.

“And we kept doing that,” Green said, “until we had the key.

"With the key, the team was able to retrieve the photo from Apple’s server. If it had been a true attack, the user would not have known.

"To prevent the attack from working, users should update their devices to iOS 9.3. Otherwise, their phones and laptops could still be vulnerable, Green said."

The research report is here:

The Internet of Things (IoT)

Quality. The reality of IoT future?

Sunday, March 20, 2016

British Exports

Just flying the flag for Great Britain and British Exports.

We're not just known for Brexit, you know.

Great Britain - probably the World's greatest leader in manufacturing and services.


Frequently data recovery work undertaken is on eMMC (embedded MultiMediaCard) found in a large number of the smartphones and memory sticks etc. on the market. I was asked what tool I would use for working with e.g. eMMC. One tool that is most frequently turned to is Up-n-Up UP828P Ultra Programmer ('P' is the latest version).

The hardware reader which can be found here It supports the newest types of FLASH, NAND FLASH, SERIAL FLASH, MoviNAND, iNAND , eMMC etc., in addition, the BOOT area of iNAND, eMMC and MoviNAND can be read and written

Also required are the chip adaptors

And if you want to try your hand with iPhone there are adaptors for them too.

Of course, once an image has been acquired soft tools are still needed to read and interpret the data. Chip removal from iPhone (depending upon version involved A6, A8) would be problematical where data are encrypted.

Evidentially, do not experiment with exhibits (seized items) to avoid contaminating or corrupting data on the chip. Instead take the common path to chip exploration and obtain second-hand devices to gain your experience.

The above does not include additional hardware and tools used for the actual chip removals.

Hope this helps.

Saturday, March 19, 2016

Emergency Cases - Smartphone Examination

Capturing the target subject's smartphone activities is not as easy as is thought, as we are all finding out with the current Apple and law enforcement debacle.  The Apple case though is not the norm as the two opposing sides are fighting about the "right to access". The public are engaged with this story that continues to unfold as to what "Privacy" actual means, should terrorism enjoy the comfort of privacy and so on. However, there is a sub-text going on here (as well) concerning examination procedures for smartphones and methodology in emergency cases. Having been involved with mobile phone evidence in criminal and civil proceedings for over 30-years I can tell you it isn't as easy at all.

Consider the current Apple case (and the articles still keep coming) and mistakes that are said to have occurred. The - TECH INSIDER - reported (

"The fact that the password was reset means that Apple was unable to retrieve info from the iPhone's unencrypted iCloud backup like it has for past investigations, according to reporters Apple spoke with. If the password hadn't somehow been reset while in law enforcement custody, the FBI likely wouldn't need Apple to create a tool that lets it brute force hack the iPhone's lock screen passcode and gain access to the device's encrypted contents."

It is the words "password hadn't somehow" that has significance for me because in those words it doesn't take account of the intense situation people are operating under, speed of investigation operations, timescales, prevention for potential further attacks and pressure to resolve the case etc.  So the sub-text here is learning from adverse outcomes in emergency cases. Put on hold demands for back-door access as the golden cure because, in itself, it is not. There can be a plethora of superlative elements that will be sifted, considered and discarded where found not  to be relevant. For elements that may be relevant they still need to be sifted, considered and conceptualised.

From a range of materials I use in my training courses I use the following which I originated back in 2006 (and I published it back in 2010).

Primer(C now) = Point in time and Space (which is a constant reference point) in the present tense when the examiner is contacted for an investigation and from which the examiner uses to look back in time at and into the future regarding mobile telephone evidence.
(T) = Time is the timeline, limited by how far the examiner can see into the past and future based upon discovery.
(S) = Space is the space line that is used as a constant reference point from which all other events occurring in space can be considered based upon discovery (seizure of device, chain of custody of an exhibit etc)
(F) = Future relates to things that have yet to happen (future events). This is based upon things that maybe discovered from the time the examiner is contacted
(F d) = F d represents, as far as possible, thus not set to a specific period of time, how far into the future the examiner can identify events beyond which no further discovery is possible.
(PU usage) = Past User usage (below Blue line represents past recorded events, and below the red dotted line events unfolding during and after investigation)
(PR usage) = Past Record usage (below Blue line represents past recorded events, and below the red dotted line events unfolding during and after investigation)

The proposition in Smith Diag 1 is intended to represent, by use of visualization, how mobile telephone usage can be investigated. The diagram tests your powers of observation and, more importantly, your depth of knowledge. So do not be fooled by what you believe to be my poor graphics skills. I deliberately intended that (PU usage) area to be shown larger than the (PR usage) area in order to suggest more data may be found in the mobile telephone than maybe obtained from the network records. That is because not all activity on a mobile telephone leads to activity in the radio and fixed mobile network. Network records are not limited to billing records therefore issues associated with cell site analysis also need to be considered. It does not automatically follow there shall be parity between data obtained from the mobile telephone and the network records and vice versa. The diagram below (Smith Diag 2) represents a number of suggested data elements commonly arising during an investigation.

The third diagram (Smith Diag 3) uses the classic representation of Time (T) and Space (S). Use of a Time line may be obvious but the Space line may not be so obvious. The point of using Space is as a determinate for e.g. the seized exhibit in the examiner's possession. Let's say the examiner receives the mobile telephone exhibit on the 30th March 2008 at 3.00pm. The exhibit was seized 10th March 2008 at 11.00am. So, the examiner has two facts to work with (a) the exhibit in the laboratory (in time and space) and (b) the exhibit seized at a location from premises or person (in time and space).. So at the point the examiner has initial Contact (C now) with the exhibit then past events can now start to be determined. By way of illustration, following examination let’s say the examiner finds that the data recovered from the device reveals activity not connected with Space where the mobile telephone was seized at (b). Space would therefore be highly relevant, because (i) the examiner would need to demonstrate that as a fact and (ii) to demonstrate the separation in Space between each of the locations (a) laboratory, (b) the seizure, and the intervening factor between (a) and (b). This may be supported, for instance, by the last location and frequency details stored on the SIM card or may be the handset has GPS or one of the smartphone mapping system that might be set to automatic logging.

Have a go at designing one of these diagrams and show how you would handle the Apple phone (in this case) - the seizure and examination procedure. Just as a heads up F d is intended to represent a text message in the future that has been sent but not yet delivered to the target's handset. So how would you know if a text message is pending and who would you have to cooperate with to get that information (and the text content too)?

Hope this helps.

Exploration - missing the micro-evidence

If you are new to or have all but forgotten the humble (U)SIM Card now maybe as good time as any to refresh on the physical state of (U)SIM Card, in particular the hardware, so to speak.

To assist that refresh process, below are links to previously published materials that investigators and examiners might find useful:

It has been noted that such is the sophistication of attackers skillsets in areas, e.g. in-card listening devices, the skillsets applied borders on high-academic results that to the untrained eye could miss a forgery. [Images courtesy of Houda Ferradi, Rémi Gérau d, David Naccache, and Assia Tria: When Organized Crime Applies Academic Results. A Forensic Analysis of an In-Card Listening Device]

Hope this helps

Saturday, March 12, 2016

Global Emergency and Disaster Website

This has been one of my go-to website regarding global emergencies and disasters for many years. Even terrorist evens show up. The map refreshes every 5-mins. One surprising aspect is to note how many earthquakes are happening at any one time.