Sunday, September 10, 2017

Dolphin Ultrasonic Commands Voice Assistance


A newly issued report makes me wonder whether a Dog Whistle could issue commands to voice assistance devices?  Dolphin ultrasonic audio, not within human hearing range, can issue commands to voice assistance Amazon, Apple and Google devices according to a news report  from the BBC - http://www.bbc.co.uk/news/technology-41188557.

The basis of the BBC report is underpinned from Chinese research that can be found here: Dolphin Attack: Inaudible Voice Commands - https://endchan.xyz/.media/50cf379143925a3926298f881d3c19ab-applicationpdf.pdf.

Tuesday, August 22, 2017

Universal Network Investigations Updates

Universal Network Investigations (at LinkedIn) is a discussion group exists to assist telecoms, cyber, forensics, information security, pen testing, and fault-finding investigations: to exchange observations and sharing 'intel' in a closed forum discussing fixed and mobile network investigations - trace data and other forms of evidence (including but not limited to PCAP, CDRs, traffic logs, exchange and switch data, cell details, dumps, etc.). Investigations can start with examining a device or network activity, so all aspects will be posted in the group.

To join - https://www.linkedin.com/groups/13536130

Group Rules:
1) Chatham House Rule applies.
2) An essential aspect of joining the Group is to participate and share knowledge, skills and experience.
3) No selling, no spamming.

Latest Posts
- Dropped phones
- Tool for the Investigator ISMS Toolbox
- Apple Secure Enclave Processer (SEP) - Hacked
- Purging Data HDD (InfoSec)
- Rack and Ruin
- When a Genuine Product is used as a Rogue Device
- GDPR
- GDPR-1
- Framework for Digital Forensic Employment KSE (knowledge, skills, experience)
- VOIP Basics (updated)

- Tool for the Investigator ISMS Toolbox
- BGP
- Cisco IOS Versions
- EIGRP
- First Hop Redundancy
- Frame Mode MPLS
- IEEE 802.11 WLAN
- IOS Interior Routing Protocols
- IOS IPv4 Access Lists
- IOS Zone Based Firewall
- IPSec
- IPv4 Multicast
- IPv6
- IS-IS
- NAT
- OSPF
- Physical Terminations
- PPP
- QoS
- RIP
- Scapy
- Spanning Tree
- TCP Dump
- VLANs
- Wireshark Display Filters
- BILL - Internet of Things IoT Cybersecurity Improvement Act
- 1995-2017 Computer Security (Information Security)
- So what does the TIMSI get me?
- Federal data collection MRMCD
- Tech Against Terrorism
- Telecommunications (Interception and Access) Act 1979 (2017) (Australia)
- 27,482 cyber security incidents reported in H1 2017
- Surveillance Drones Report
- Smartphone Cybercrime
- PSCR Network Identifiers Demonstration Guidelines
- Plan MNC
- Ping Test
- MNC Probe Metrics
- ITU-T GSM Country Codes
- IMSI Prepaid MVNO
- G42UMTS Security
- Cyber Threats to Mobile Phones
- Building Mobile Tools for Rights Defenders and Activists
- USER INVASION TESTS ON SAMSUNG GALAXY J3-6 J320FN
- UTC Document Register
- IMSI Assignment and Management Guidelines and Procedures
- Evolution in the Use of E.212 Mobile Network Codes
- 3rd Party Access to Number Portability Data
- Evolution in CLI usage
- Wrong Evidence Capture Tools
- Phone Hacks
- Multi-Traceroute (MTR) in NST
- NST
- Detecting Hidden Networks created with USB Devices
- Infrastructure - human access - fake fingerprint
- Operator 'Law Enforcement Disclosure' reporting
- Covert Tactical Measures
- NUMBERING PLAN ASSISTS TRACE
- Annual Cybersecurity Report - 2017
- Infrastructure Security Report - Worldwide
- Real Intelligence Threat Analysis (RITA)
- GSM Security Threat Risks
- Where to begin?
- RSOE EDIS Emergency and Disaster Information Service
- GSM Security Threat Risks
- NOC NOC - Fault Management and Troubleshooting
- SS7 and 2FA
- Detection in a multilayer network
- Diameter - Online Charging Systems (OCS)
- Big / Fresh / Deep - Data : Huaewi overview
- Hot technologies to know about
- ARP.pcap
- bgp.pcap
- https.pcap
- ICMP-ARP-OpenFlow1.0.pcap
- ICMP-DHCP-DNS.pcap
- Russians target Telegram App
- Wireshark
- Protocols Relevant to U-N-I
- Industrial Networks Hit By WannaCry
- IM Telegram Replay Attack - Android
- Whisper Signal WhatsApp
- Subpico Intelligent Application Layer Software
- Subpico LI with evidential integrity
- TraceWrangler
- old_GUTI_IMSI_Critical_Reject (updated)

Saturday, August 12, 2017

Field Project Investigations

Conducting a technology review/audit prior to commencing field projects is an important task in order to understand the 'technology estate' owned and/or operated by an organisation. It is for revelation purposes and to comprehend [legacy] technology as stand-alone or interconnected/intra-connected with [current] technology and significantly if or how legacy has been ported-over to operate via applications/software to work with current. So more information has been posted. This is for the purposes as mentioned previously dealing with cases requiring 'field project investigations' (from installs to troubleshooting). I am sharing these .pdfs because I found forensics became one of the tools to be applied during investigations and not the main tool. Knowing the background details (tech spec, set-up, logs files, install procedures, etc.) assists understand "why an artefact was there".


To read the posts - https://www.linkedin.com/groups/2436720

Latest Updates: Institute for Digital Forensics

- Windows Registry Reference
- Apple Reference Cards and iPad iOS7 Quick Guide
- USB Guide & USB Key Guide
- Hardware Configuration Dell Precision WorkStation
- Legacy DOS
- 100 Windows 8 Keyboard Shortcuts
- 100 Chrome Tips


Institute for Digital Forensics - Previous Updates

- Tron Commands
- Malware, Junkware, Virus
- Checking Implemented Security
- Backups
- Troubleshooting, Tips and Guides
- Windows NT Server Resource Reference
- Admin Tools To Know and Explained
- Corrupted Registry
- Windows Resource Kit Reference
- Fasteners
- Projects - Win 10
- Projects - Win 8
- Projects - Win 7
- Vulnerabilities in Critical Evidence Collection
- Imaging with Image-X: The Ghost Killer
- A Guide for the Forensically Sound Examination of a Macintosh Computer
- Interpol's Forensic Report on FARC Computers and Hardware
- Reducing Data Lifetime Through Secure De-allocation
- Realising - Risk Sensitive Evidence Collection
- Notes on Computer Systems and Operating Systems
- Finding Child Porn in the Workplace
- Drafting Electronic Evidence Protocols
- Data Hiding in Journaling File Systems
- Investigation of Protected Electronic Information
- Electronic Evidence: The Ten Commandments
- Electronic Evidence Best Practices
- Laws of evidence in criminal proceedings throughout the European Union
- Evaluating Commercial Counter-Forensic Software
- Hacking into computer systems
- Windows device interface security
- NSA Redacting with Confidence: How to Safely Publish Sanitized Reports
- Reproducibility of Digital Evidence
- Windows Memory Analysis
- Secure Deletion Myths
- Spoliation of Evidence
- Forensic Discovery
- VMware to boot cloned/mounted hard disk images
- Volume Serial Numbers: Format Verification Date/Time

Wednesday, July 26, 2017

Eternal Blues - SMBv1

Newspapers, TV, Radio and Internet have been full of reports about ransomware attacks WannaCry, NotPetya and so on. This short article is not going to repeat those reports but to acknowledge that there is a new FREE tool "Eternal Blues" that helps businesses and consumers to find out, at the push of a button and scan of the network, whether the access point Server Message Block (SMB) version 1 (SMBv1) to determine the enabled state of the host; thus might be vulnerable to attack. Knowing this it enables businesses and consumers to take action to close down a potential threat. As Elad Erez confirmed to trewmte blogspot:
"Please note that having the SMBv1 in use, does not mean a host is vulnerable. SMBv1 was patched by Microsoft 4 months ago. So, the tool helps you find if hosts are in one of these states:
- SMBv1 enabled, but patch not applied, therefore host is vulnerable (the riskiest scenario)
- SMBv1 enabled and patch applied, therefore host is not vulnerable (but it is still risky to keep SMBv1 enabled, even according to Microsoft)." 
 
To get a brief insight to SMBv1, here is the link to Microsoft's website discussing how to disable it:
 
To find out about Eternal Blues visit website: http://omerez.com/eternal-blues-worldwide-statistics/
 
To get this FREE tool go to Download webpage: http://omerez.com/eternalblues/
 
When running this discovery tool consumers can see an IP Address range. A really easy to follow and understandable advice can be found here: "192.168.1.0 - Private Network IP Address Notation" https://www.lifewire.com/192-168-1-0-818388
 
 
For businesses with different IP Address ranges check out, as a starting point, FAQs webpage here: http://www.faqs.org/rfcs/rfc1918.html
 
 
 
Good luck, stay safe!

Big shout out for Elad Erez (Eternal Blues) for creating this FREE tool.

Tuesday, July 25, 2017

New IPhone 7 passcode unlock tool



Obviously this is causing a bit of excitement. 

I have been keeping an eye on two websites selling this product but yet to find any customer feedback. Enquiries so far have drawn a blank response.

http://www.vipprogrammer.com/unlock-passcode-on-iphone-77-plus-crack-the-forgotten-screen-password-programmer-3638

http://myicloud.info/unlock-iphone7-plus-passcode-tool/

Interesting to see what Apple will have to say on this access method?

Sunday, July 23, 2017

USER INVASION TESTS ON SAMSUNG GALAXY J3-6 J320FN

 
Smart Switch is a useful back-up and restore tool for particular user-content on various (but not all) Samsung smartphones. To coin a phrase the program "does what it says on the tin". For general user back-up and restore of certain data it avoids the need for uploading to the cloud.
 
We've been running some tests to see if Samsung Smart Switch back-up/restore utility could be used for capturing forensic images from e.g. the J3. The program was initially checked using CFF to check the internals to find files guarded by MD5 and SHA-1:
 
 
Before forensic examinations are undertaken we ran tests as a user and purchased 3 x J3.
 
 
The J3 handsets were UK versions:
 
 
We see the US versions are compatible for use with Samsung Knox for BYOD:
 
 
This is an early evaluation, so the post is just a heads-up so you can check within your organisation/s.
 
This post is not a legal notice or  anything else.

Saturday, July 08, 2017

What's happening with Contemporaneous Notes


Contemporaneous note (CN) taking is an essential process and procedure. The title is often used as a widely applied statement to include other associated processes and procedures, such as Simultaneous Notes (SN), etc.; as some of you know CN, SN, IN and VN are covered in my training courses for e-Discovery, (forensic) examination and evidence E3.  

I have taken the opportunity to bring on board Robert Merriott, Founder of Forensic Notes, to provide an overview of some of the methods and tools out there for preparing and producing Contemporaneous Notes. From Robert's well informed discussion (below) this clearly is a subject where strong opinions are held and a subject which we will return in future discussions.


Robert Merriott
Digital Forensic Examination Notes

The purpose of this post isn’t to provide a singular and definitive answer to the question of what ‘examination notes’ should look like.   In fact, every country or region will have its own accepted practices developed to satisfy the laws of the land.   Instead, this article is presented to discuss the many facets of this important subject and to help you find a solution that will best meet your needs.
A recent discussion regarding Contemporaneous Notes on Forensic Focus showed that there are differing views on how strict guidelines should be in relation to examination notes.  This difference of opinion reveals how much the process of conducting digital forensic examinations can vary from one office to the next.

Importance of Documentation

The importance of documenting your examinations can not be understated.  Although you may never need to defend your case in court, you should complete every case as if you would be testifying as an expert in Supreme Court.
Recently, experts and influential leaders in Digital Forensics provided quotes on the Importance of Documentation.
As Greg stated…
“Contemporaneous Notes are unavoidable, thus inescapable, when it comes to examining evidence and are akin to the standard of Ethics.
They hold the examiner to their own account of conduct when no one else is around to witness what is happening.”

Examination Notes – Current Solutions

Investigators dealing with digital evidence will document their examinations in one of several ways:
-          Traditional paper notebook and pen
-          Word processors such as MS Word or OneNote
-          Purpose built electronic note-taking system
-          Scrap pieces of paper
-          Do not document!

Paper Notebook and Pen

The classic way of writing contemporaneous notes. 
This form of documentation has been relied upon in law enforcement and scientific labs for decades and has continued to standup to the scrutiny of the courts when properly completed.

Although widely accepted in courts, writing your notes in a paper notebook can be slow and result in notes that are illegible and incomplete.  For many young examiners that can quickly type out long messages on a virtual mobile keyboard, the idea of handwriting notes seems like a step back in productivity.
Attempts to correct spelling and grammatic mistakes only further complicate the process of writing and disclosing notes.

MS Word or OneNote

Electronic documentation is becoming more common even in traditional settings like law enforcement were only paper notebooks and pens were previously trusted.
Electronic documentation offers many advantages including the ability to edit and modify the content of the notes as required.
Being able to edit the content of an electronic note allows the examiner to correct any spelling, grammatical errors or omissions. As a result, some examiners feel electronic documentation provides a more professional form of their notes as they are able to correct these issues prior to providing them to colleagues or the courts.
But if notes can be changed at a later date with no previous history of the contents originally entered, can they really be considered contemporaneous?
And does this open up Pandora’s Box for defense lawyer questioning? 
If you admit you modified some of your notes for “grammar” and “typos”, will defense begin to argue you changed other aspects of your notes as well?  And what if you did change something else for reason beyond simple grammar or typos, how will you explain that change in court?
Criminal courts would never allow a law enforcement officer to wite-out® portions of his notes in a paper notebook and then overwrite that information with new information. So why should the courts trust electronic notes to be a true representation of your thoughts at the time stated if they can be edited without including the previous entries?
Although many Digital Forensic Examiners are using MS Word and OneNote successfully in courts throughout North America and Europe, we as examiners know that the majority of courts have failed to keep up with the complexities of digital data and how easily files can be manipulated.
Of course, there are ways to make electronic notes immutable with the use of Digital Signatures and digital timestamps, but few organizations are properly setup to implement this solution.
Will you be able to defend the authenticity of your MS Word or OneNote examination notes in court if questioned?

Electronic Note-Taking Application

Electronic Note-Taking applications offer the best of both worlds if designed and used properly.  But remember, not all applications are created equal.
When deciding on what electronic note-taking application you want to use, you will have to consider your specific needs and requirements not only now, but in the future when your cases finally go to trial.
-          Can you easily print notes in sequential order for court?
-          Can you edit existing notes while retaining the original note for Full Disclosure?
-          Can you arrange your notes in a logical manner during the investigation to keep your information organized?
-          Can you search through your notes to find answers quickly?
-          Is your information securely saved and encrypted?
-          Do Audit Logs exist allowing you to clearly see who else accessed a particular note or notebook?
-          Is the application able to timestamp individual notes from a trusted and independent Timestamping Authority (TSA)?
-          Will the courts be able to authenticate your notes if required without calling in another expert?
-          Can you access your notes on multiple devices, including mobile, so that you can take notes outside of your office such as during live analysis at the scene or meetings with other investigators?
-          If you include screen captures and images in your notes, will you be able to print the image in a high-quality format at a later date if it becomes a key piece of evidence?
-          Are the owners of the application trusted members of the digital forensic community?
When choosing an Electronic Note-Taking Application, you should select an application that works the way you work instead of being forced to work within the constraints of the application they provide.

Scrap Pieces of Paper

Although it’s common to use scrap pieces of paper to quickly jot down information, they should not be used as a place to write notes during an examination unless other options discussed above are not available.
If scrap pieces of paper are used to document important information, this should be transcribed into your proper notes as soon as possible. Often, if done in a reasonable time frame, these transcribed notes will be considered contemporaneously written.

Do Not Document Examination

Some examiners do not see a need to document their examinations. This is often as result of poor training, inexperience or laziness. If your examination involves criminal or civil litigation, then it’s imperative that you conduct your examinations in a professional manner.   Poorly documented investigations can lead to bad caselaw that affects us all.

Should Standards Exist for Examination Notes?

Preston Coleman provides a valid and well thought out response to the idea of standards for examination notes.
 
As Preston points out, if standards were to be created for examination notes, then they should be general in nature to allow for the flexibility needed within most examinations.  At a minimum, the following “universal elements should be observed”
-          Contemporaneous Notes
Document actions and results sequentially as they occur
-          Timestamp Notes
Include Date & Time with every note made
-          Immutability
Notes should be fixed and non-editable upon completion of the examination
-          Available
Provide to others, including the courts, if required
Depending on your particular circumstances and the types of files that you are investigating, you may decide on more stringent requirements for your own note taking.

Odds n’ Ends

Now let’s discuss a few more questions regarding examination notes…

Simultaneous Notes

As discussed within the “Forensic Chip Off – Notes in Progress” post, Greg asked the question “how would you keep contemporaneous notes (CN) simultaneously whilst removing a chip?”
If Simultaneous Notes (SN) were required during a technical hands-on examination, then a video of the examination (as shown in the blog post) could be used to allow the examiner to concentrate on the task at hand while still properly documenting the actions being taken. Upon completion, the video file could be hashed with the resulting hash being noted within your Contemporaneous Notes.
A purpose-built forensic Electronic Note-Taking application would allow you to attach the original video to the note and automatically Hash and Timestamp the video in only a couple steps.

Destroy Notes After an Examination Is Complete?

In some American states, it is apparently common practice to destroy both paper and electronic notes once a final examination report has been written.
If the destruction of examination notes is currently allowed where you work, you should ask yourself:
-          What happens if the accuracy or credibility of the report is questioned?
-          What reasoning will you provide if questioned on why you felt it was necessary to destroy your notes?
o   The opposing party may ask “What were you trying to hide in those notes that it was so important that you destroy them prior to court?”

Restrictive Warrants

In many regions, warrants authorizing forensic examinations are becoming restrictive with respect to the type of data that can be analyzed and included in forensic reports.  In practice, you may observe other evidence in plain view (eg: Child abuse material) that does not fit within the restrictions of the warrant.
In this case, it is suggested that you immediately stop your current examination and re-apply for a warrant that includes the evidence you observed in plain view.
If you fail to take proper contemporaneous notes or destroy your notes upon completion of a report, would you be able to properly articulate how you came to observe the images or data that you weren’t authorized to have searched which resulted in a more comprehensive warrant being sought?
If not, you risk having all your evidence excluded from the trial.
Many investigators fail to recognize that obtaining a new warrant is easy in comparison to defending the merits of the new warrant at trial. Are you willing to lose all that hard work due to a lack of proper documentation?

Conclusion

The digital forensic community needs a “Best Practice” guideline in creating contemporaneous notes during an examination. Without a clear guideline, Digital Forensic Examiners are left to rely on potentially false or misleading information from fellow members who do not fully recognize the need or value in creating proper notes during an examination.
At a minimum, all professional Digital Forensic Examiners should use the following list as the current “Best Practice” guideline:
-          Contemporaneous Notes
-          Timestamp Notes (Date & Time)
-          Immutability
-          Available
By continuing to discuss this important subject, we as a community can further improve “Best Practice” guidelines that will help ensure existing and new examiners take the necessary steps during digital forensic examinations.
After evaluating the “Best Practice” guidelines, you can make an informed decision on what is the best solution for recording Examination Notes given your particular circumstances and needs.
Will you stick with the classic pen and paper, utilize a word processing application such as MS Word or OneNote or go with a more forensic solution such as a purpose-built electronic note-taking system like Forensic Notes?
About Author:
Robert Merriott founded TwiceSafe Software Solutions Inc. (Forensic Notes) after realizing the need for a digital note-taking application that would meet the high standards of digital forensic evidence in the courts. Robert has a Degree in Computer Information Systems and obtained both Microsoft MVP and ASPInsider status during the infancy of ASP.Net. He now works as a Digital Forensic Examiner.
DISCLAIMER: This article is not meant to provide legal advice or information. Legal statements made are only provided as guidance for the reader to seek professional legal advice within their jurisdiction. No information contained within this article should be acted upon without discussing the merits of such information with a legal professional. The author of this article is NOT A LAWYER and takes no legal responsibility for the information presented. In addition, the information provided is based on personal beliefs and ideas and does not represent his employer.

 

Wednesday, June 28, 2017

IM Telegram Replay Attack - Android

Hopefully, readers will have had the opportunity and time to read about WhatsApp here at the trewmte.blogspot:

WhatsApp network forensics - http://trewmte.blogspot.co.uk/2017/06/whatsapp-network-forensics.html
Whisper Signal WhatsApp - http://trewmte.blogspot.co.uk/2017/06/whisper-signal-whatsapp.html

So it's time to move on to the next instant messaging app known as Telegram. It is relevant to mention this app at this time as it appears the Russians are targeting this app as well -
http://www.bbc.co.uk/news/world-europe-40404842 - and the thought must be what will they discover by way of a flaw or vulnerability or do they what they are already?
 
The IM Telegram Replay Attack - Android uncovered from the following research published in Tomáš Sušánka thesis can be found here:  https://www.susanka.eu/files/master-thesis-final.pdf .
 
As a primer, a replay attack is an attack where an attacker sniffs data sent by the application and then resends them at a different time with a malicious intent. Unlike WhatsApp where all accounts are controlled by source; Telegram relies upon some third party developers to implement security updates that Telegram has informed them about; if developers don't update after that many devices using Telegram could be unsafe even today potentially enabling attacks across networks.
 
Deobfuscator.cpp file
 
To gain a background understanding to IM and security related issues the thesis considers other IM apps, including WhatsApp, and noted security issues with them.
 
One interesting comment noted in a paragraph in the conclusion reveals the influences foreign policy subjects itself on software developers regarding censorship: "We have scrutinized the code base of the official application for Android and concluded that the state of the application is at serious odds with the documentation. This concerns mainly the undocumented obfuscation method Telegram uses. The MTProto traffic is encrypted one more time with the key and IV prepended to the data. This has no effect on the data security and is easily debunked by the deobfuscation program we have implemented. When the Telegram team was confronted with these claims, they noted the method is used to circumvent some of the less sophisticated methods of censorship in certain countries."
The author's research relating to apparent Telegram vulnerability, that has been published, he has also provided his background research e.g. source code etc., (so you better get it before it goes) https://www.susanka.eu/files/master-thesis-cd.zip :
 
CD's directory structure is:
-  data
- Telegram source code
-  src 
- Telegram Deobfuscator
- Telegram Extractor
- Trudy Go module
- LaTeX source codes
- diagrams
source codes
- text
- appendices
- thesis.pdf
Excellent research and discovery!
 

U-N-I update on posts

- Diameter - Online Charging Systems (OCS)
- Big / Fresh / Deep - Data : Huaewi overview
- Hot technologies to know about
- ARP.pcap
- bgp.pcap
- https.pcap
- ICMP-ARP-OpenFlow1.0.pcap
- ICMP-DHCP-DNS.pcap
- Russians target Telegram App
- Wireshark
- Protocols Relevant to U-N-I
- Industrial Networks Hit By WannaCry
- IM Telegram Replay Attack - Android
- Whisper Signal WhatsApp
- Subpico Intelligent Appication Layer Software
- Subpico LI with evidential integrity
- TraceWrangler
- old_GUTI_IMSI_Critical_Reject (updated)


https://www.linkedin.com/groups/13536130

Whisper Signal WhatsApp

Following on from this post WhatsApp network forensics 2017/06/whatsapp-network-forensics.html you may know WhatsApp changed the protocol to 'Open Whisper System's Signal Protocol end-to-end encryption'. A useful analysis of "Signal" can be found here regarding capturing the “ratcheting” key update structure:

A Formal Security Analysis of the Signal Messaging Protocol
https://eprint.iacr.org/2016/1013.pdf.

Vulnerability attacks have already started to determine Signal weaknesses. The "last resort key" looks interesting as does internal messaging attacks that have produced some results:

HUNTING FOR VULNERABILITIES IN SIGNAL - HITBSECCONF2017
https://conference.hitb.org/hitbsecconf2017ams/materials/D2T1%20-%20Markus%20Vervier%20-%20Hunting%20for%20Vulnerabilities%20in%20Signal.pdf


WhatsApp network forensics: Decrypting and understanding the WhatsApp call signaling messages
https://sci-hub.io/
http://www.sciencedirect.com/science/article/pii/S1742287615000985?via%3Dihub

Friday, June 23, 2017

Universal Network Investigations

Just started a new LinkedIn group called 'Universal Network Investigations (UNI)'. It is a group only for those involved in the wider area of fixed, mobile and large-scale computer networks. The group exists to assist cyber, forensics and fault-finding investigations: to exchange observations and sharing 'intel' in a closed forum discussing fixed and mobile network investigations - trace data and other forms of evidence (including but not limited to PCAP, CDRs, traffic logs, exchange and switch data, cell details, dumps, etc.) If you are a member of LinkedIn and want to participate in the group here is the link: https://www.linkedin.com/groups/13536130

Sunday, June 18, 2017

Mobile Forensic Metamodel


Previous studies have mostly discussed mobile forensics only in data acquisition terms and only in a problem solving scenario, as a subset to computer forensics. These studies did not take mobile forensics beyond the paradigm that is known as computer forensics. Additionally, they have not addressed the elements of MF comprehensively, and the previous research in the MF domain did not focus on modeling the case domain information involved in investigations.

This paper develops a Mobile Forensic Metamodel (MFM) in order to clarify all the necessary activities required by investigators for conducting their task. In addition, it creates a unified view of mobile forensic in the form of a metamodel that can be seen as a language for this domain. A metamodeling approach is applied to ensure that the metamodel which is the outcome is complete and consistent.

A metamodel for mobile forensics investigation domain
CLICK TO DOWNLOAD .PDF

Thursday, June 15, 2017

WhatsApp network forensics

With many companies allowing employees to use their own smartphones in the workplace it has been noted confidential information maybe being unwitting leaked as users take to using their smartphone cameras to take photos of Whiteboard content, potentially risking disclosure (mentioned by the Information Security Community). Smartphones can also scan data, reducing the need for organisation to require Whiteboard printouts (thus saving money?). Whilst a user might not intentionally leak information, WhatsApp does provide for exchange of information during in-party calls, potentially allowing confidential data to be circulated.

However, let us avoid that scare story of sending confidential information and the story at work with the situation where a WhatsApp user has called another WhatsApp user and discloses Global Organisation X is in talks with World Dominant Corp. B to take them over. Both are on the Stock Exchange and both hold Worldwide Patents used in the medical industry. Such a leak could wrongfully 'influence' the markets. Could a WhatsApp call leak be possible? Maybe, but is that relevant to WhatsApp network forensics and this article? No. Finding out potential avenues where information leakage might take place enables pre-planning, handling risk and helps in designing a rescue plan.

Screen from my desktop using Wireshark

What is relevant is that for those conducting network forensics, accordingly to F. Karpisek, I. Baggili, F. Breitinger (ISSN 1742-2876, http://dx.doi.org/10.1016/j.diin.2015.09.002) they were able to "...decrypt the network traffic and obtain forensic artifacts that relate to this new calling feature which included the: a) WhatsApp phone numbers, b) WhatsApp server IPs, c) WhatsApp audio codec (Opus), d) WhatsApp call duration, and e) WhatsApp's call termination." From a network investigators point of view essential information producing evidential artifacts of identifying network activity. Taking this further, PenTesters might even find this information useful, also. Even where security flaws get updated, doesn't stop modified attacks occurring creating further vulnerabilities; so learning is the name of the game. 
 
Often we read from articles/reports about vulnerabilities etc. but only the content in the articles/reports are available. What is extremely helpful here F. Karpisek, I. Baggili, F. Breitinger have made available 'trace data' so that when combined with the tools referred to in 'WhatsApp network forensics: Decrypting and understanding the WhatsApp call signaling messages', enables Investigators and PenTesters to gain experience and refine testing approaches. Access to the trace information is here: https://www.dropbox.com/s/szrk5f3axwt5bi7/reference_files_WhatsApp.zip . You may want to get a copy soon as often with dropbox downloads they get deleted by the dropbox user after a time.

Wednesday, June 14, 2017

iPhone - TDEL034 Tool Testing


Many discussions take place during training which unearth useful guidance for practices and procedures. Also, tips and tricks are also revealed. From the MTEB Tool Testing training papers 2015 - iPhone TDEL034 (test device entry level) strategies and pre-planning - it is used to illustrate potential stages for obtaining images that produce a baseline test data to enable repeated testing to identify possible changes in the working operation of forensic tool suites importing a pre-existing test image.

However, TDEL034 is, as stated above, for strategies and pre-planning. Acquisition tools and Analysis (reader/reveal) tools are dealt with later in the training. What is uncovered during discussions are peoples perceptions given their involvement within the examination process. 

It is in these sessions during training the reality dawns as to the time and expense it takes just to deal with one brand-name 'Make' of smartphone and then adding into the equation the various models that have been created and may be created in the future. If that isn't enough, there is then the various versions of OS implemented in various models (https://en.wikipedia.org/wiki/IOS_version_history).

The discovery doesn't end there. Tasks involving removal of barriers and revelation equally may impact when discussing discovery (https://en.wikipedia.org/wiki/IOS_jailbreaking).

Digital forensics is a reality and not a junk science. This field of endeavour is unlike traditional sciences incl. many forensic sciences. How many traditional sciences can you identify evolve and update rapidly e.g. every 6mths-12mths? It is against this backdrop that digital forensics is expected to function and operate across a digital arena of many makes/models of devices and services. Understanding the fantastic job that people do working in digital forensics and battling with constant change illustrates how digital forensics is highly unique.

Generic standards do not work as well with digital forensics as would 'specific' standards. That is because with generic standards they are tantamount to informing everyone this is what has been created and it is your responsibility to make it work. This is analogous to an organisation purchasing a SATNAV and Driving Route System which when operational fails to inform the driver of 'No Entry' roads, dead end roads, instructing a driver to take the action even when the sign states 'No Left Turn' or using as-the-crow-flies navigation so the driver is placed at a point e.g. x-miles from true destination, because the system doesn't understand vehicles cannot drive through people houses, gardens or buildings to get to the other side. The organisation then expects the driver to workout the problems so that when reaching the destination it looks like the SATNAV and Driving Route System was working correctly.

This is why training is essential not just at the tool level, but also at the conceptual level to assist in the design of an examination approach that fits the need of the device and at the same time relieve the pressure placed on the tools that are expected to, alone, get it right. Having the right digital forensic standard should provide the baseline and should define process approach to assist achieve results.

I will return to this subject to offer observations a little later, but for now other matters are now pressing and need attention.

Sunday, June 11, 2017

Do Cyber Events Follow A Philosophy

I was intending to raise this point some months back but due to other pressing issues I had forgotten to do so. It relates to a quote used in a presentation from Nokia 'The known unknowns of SS7 and beyond: Evolution of Telco Attacks'.


 Are cyber events such as DDoS, Malware, SS7 attacks, Dirty/Nasty USSD, dirty data_ark  and so on following some sort of noble objectives to be comprehended from quotes e.g. Sun Tze's philosophy "The supreme art of war is to subdue the enemy without fighting"?



Even if that were correct or true how does it help define which events are isolated and which events are or have characteristics of intended aggregation to bring about a sustained campaign of subjugation?

Tuesday, June 06, 2017

Not Comfortable Fit for Digital Forensics - ISO17025



Within the digital forensics arena there is discomfort amongst labs, academia, businesses and practitioners that ISO/IEC 17025 'General requirements for the competence of testing and calibration laboratories' is not a comfortable fit for digital forensics. Very few digital forensics laboratories and businesses have been accredited so far. To get an understanding of concerns obtained from a pretty good base-data of opinion from replies to UK ISO 17025 Digital Forensics Survey 4/24/2017 created by Professor Peter Sommer, the results have been published and are available here http://goo.gl/KP0HOn .

Not to second guess the Forensic Science Regulator (FSR) there is , of course, the October 2017 deadline looming and the outcomes of that deadline might impact on the way forward. However, I regularly keep an eye on Lab Accreditation and Best Practice Guides (as you can see from some of the pdf tabs open in the above screen shot) in context with digital forensics in order to note the changing approach to digital forensics. The new breeze appears to suggest digital forensics blowing towards ISO standards e.g.

ISO/IEC 27042: 2015. Information Technology - Security Techniques - Guidelines for the Analysis and Interpretation of Digital Evidence.

ISO/IEC 27037: 2012. Information Technology - Security Techniques - Guidelines for Identification, Collection, Acquisition and Preservation of Digital Evidence.

Currently, but this may change, these standards are not substitutes for accreditation. That does not mean though digital forensics may not branch off and have its own unique accreditation and standards. It may well be the British Standards Institute (BSI) may need to produce an equivalent standard for the UK based upon an example of the old BS5750 approach. BS5750 and ISO9000 do enable the UK Government's requirement to be met for "inclusion" of single-person organisations and SMEs to play apart in the economy and not be excluded from it due to globalism or restraint of trade practices or over-burdensome control measures.

Previously, I drew attention to how in the US, Karin Athanas, Program Manager at the American Association for Laboratory Accreditation (A2LA), produced an article titled "Accreditation for the One-Person Organization - The smallest laboratories can teach us the biggest lessons.". This article defined that smaller business entities could achieve accreditation to ISO/IEC17025: http://trewmte.blogspot.co.uk/2016/10/isoiec-1702517020-one-person.html


The UK ISO 17025 Digital Forensics Survey 4/24/2017 isn't the first time attention has been drawn to ISO/IEC17025 that it should works for all, not the few. If the latter accreditation doesn't work then maybe another route will need to be found.