Sunday, April 19, 2015

FREE iPhoneReader research tool


Research and development tools can give students, newcomers and experienced examiners in the mobile forensics community practical experience of logically recovered data, separating the various types of recovered data within a single GUI. Such tools also help develop analytical and assessment skillsets. iPhoneReader.exe is one tool that can help you do that.
 
Credit to University of New Haven - image GUI LiFE iPhoneReader.exe

This FREE research tool, LiFE (Logical iOS Forensic Examiner), was developed in 2014 by researchers at the University of New Haven (UNH) Cyber Forensics Research & Education Group / Lab (http://www.unhcfreg.com/ ). It is an open source tool for iOS backup examination.

The research tool can be downloaded here:
https://www.dropbox.com/s/xkjw2zdfw9mls4s/LiFE.zip

Friday, April 10, 2015

Free Mobile JTAG Training and Tools

Visitors to trewmte.blogspot.com may recall a discussion thread posted back in 2012 regarding a JTAG Tutorial http://trewmte.blogspot.co.uk/2012/09/jtag-tutorial.html. The purpose of that thread was to enable students, newcomers and experienced mobile/smart phone examiners to get a feel for JTAG before undertaking such examinations or purchasing tools etc.

Today, Kevin Swartz from www.nowsecure.com has released a FREE three-part training course specifically for JTAGing smart phones. Kevin has dropped a line to me saying "Hi Greg, yes, please feel free to link to any of our free resources pages: https://www.nowsecure.com/resources/".

The FREE three-part training course:

PDF Download: https://www.nowsecure.com/resources/jtag-forensics-training/

JTAG 101 videos:
https://www.youtube.com/playlist?list=PLkotz0CYBQDrXpvO0UZlmrUpQLtegPgWI

JTAG 102 videos:
https://www.youtube.com/playlist?list=PLkotz0CYBQDp_YMS_jMXSjKsvgWtL8e_p

Thanks Kevin. You're a decent chap for your kind gesture to help out students, newcomers and experienced examiners in the community.

Wednesday, April 08, 2015

Quoting Statistics

Whether you are a prosecution or defence barrister, quoting statistical facts to the jury has its benefits. Using statistics is not without its pros and cons. However, with the ever-increasing size/quantity of network traffic and stored data, it appears inevitable that describing data in a meaningful way to a jury using statistical statements is being redefined on an annual basis. For example, compare Big Data (http://en.wikipedia.org/wiki/Big_data) with analysis of data at the transport layer level (Internet Small Computer System Interface (iSCSI) Protocol (Consolidated) - http://www.rfc-editor.org/rfc/rfc7143.txt).

Example 1 - GSM SIM Card Authentication
Within the 2G digital mobile telephone (GSM) arena, as you know, the handset makes use of a SIM card. The security designed into the SIM by those commissioned to create it (Mouly, M. & Pautet, M-B.; published 1992) works from the subscriber identity (IMSI), the secret key (Ki) and a random challenge (RAND), from which the security algorithms A3/A8 (COMP128) produce a Signed RESponse (SRES). The probability of any other subscriber producing the same SRES (to make a mobile call, with or without ciphering), it has been said, can be in the order of 1 chance in 4 billion.

A counter argument might be that with repeated use of the TMSI, ciphering key etc. the order of chance may be considerably less, but it has yet to be shown to be under 1 chance in 2 billion in the ordinary use of the security. When analysing the 3G and 4G security authentication algorithms it can be understood that the order of magnitude has again increased exponentially beyond 2G.

However, the above would have no relevance where a call appears in a call record but was added without the subscriber having made the call. An example: upon checking my son's billing record I found numerous entries of a regular £3.50 charge for a call being added at regular intervals, at exactly the same time of day after 3pm. The operator was not able to confirm that a call had even taken place, and thus removed all those charges. This highlights how call records can and do get manipulated. Had the account been pre-paid, what would the chances have been of identifying those calls?

Example 2 - DNA (Profiles, Loci et al)
The principal prosecutor, Assistant U.S. Attorney Michael T. Ambrosino (2006), countered that there was no scientific controversy and that prosecutors should not have to qualify their assertion that the rarity of Jenkins's profile among African Americans was one in 26 quintillion (26,000,000,000,000,000,000).
http://www.washingtonpost.com/wp-dyn/content/article/2006/04/14/AR2006041401602.html

Chimera
A chimera is an organism which exhibits chimerism. Chimerism is the occurrence of more than one genetically distinct cell lines in the same individual. Natural chimerism is quite rare in humans, but much more common in lower species. Natural chimerism occurs when the early embryos of two fraternal twins fuse into a single embryo, producing an individual with tissues of two different genetic compositions. Artificial chimerism is the result of organ or tissue transplants between individuals. The journal Nature had an excellent article on human chimerism in Volume 417, Pages 10-11 (02 May 2002).

Association of pigmentary anomalies with chromosomal and genetic mosaicism and chimerism.
Thomas IT, Frias JL, Cantu ES, Lafer CZ, Flannery DB, Graham JG Jr.
Department of Pediatrics, University of Nebraska Medical Center, Omaha.


We have evaluated eight patients with pigmentary anomalies reminiscent of incontinentia pigmenti or hypomelanosis of Ito. All demonstrated abnormal lymphocyte karyotypes with chromosomal mosaicism in lymphocytes and/or skin fibroblasts. In seven the skin was darkly pigmented, and in all of these seven cases the abnormal pigmentation followed (**)Blaschko lines. The literature contains at least 36 similar examples of an association between pigmentary anomalies and chromosomal mosaicism, as well as five examples of an association with chimerism. The pigmentary anomalies are pleomorphic, and the chromosomal anomalies involve autosomes and sex chromosomes. The pigmentation patterns are reminiscent of the archetypal paradigm seen in allophenic mice and demonstrate the clonal origin of melanoblasts from neural crest precursors. Patients with anomalous skin pigmentation, particularly when it follows a pattern of Blaschko lines, should be appropriately evaluated for a possible association with chromosomal or genetic mosaicism or chimerism.

(**)Blaschko lines are chevron-type alternating patterns that appear in skin pigmentation associated with chimera, giving a directly observable symptom of at least dermal chimerisation.
Am J Hum Genet. 1989 Aug;45(2):193-205
http://www.ncbi.nlm.nih.gov/entrez/query.fcgi?cmd=Retrieve&db=pubmed&dopt=Abstract&list_uids=2667350

http://www.ncbi.nlm.nih.gov/pubmed/2667350?dopt=Abstract

The above examples provide some observations about the pros/cons of quoting stats.

Digitally speaking, we sometimes have to refer to the size/quantity of data, too. It is therefore useful to have some analogies that can be used to convey the size/quantity of data:

Example 3 - Bits, Nibbles and Bytes

http://highscalability.com/blog/2012/9/11/how-big-is-a-petabyte-exabyte-zettabyte-or-a-yottabyte.html

Bytes (8 bits)
◾0.1 bytes: A binary decision
◾1 byte: A single character
◾10 bytes: A single word
◾100 bytes: A telegram OR A punched card

Kilobyte (1000 bytes)
◾1 Kilobyte: A very short story
◾2 Kilobytes: A Typewritten page
◾10 Kilobytes: An encyclopaedic page OR A deck of punched cards
◾50 Kilobytes: A compressed document image page
◾100 Kilobytes: A low-resolution photograph
◾200 Kilobytes: A box of punched cards
◾500 Kilobytes: A very heavy box of punched cards

Megabyte (1 000 000 bytes)
◾1 Megabyte: A small novel OR A 3.5 inch floppy disk
◾2 Megabytes: A high resolution photograph
◾5 Megabytes: The complete works of Shakespeare OR 30 seconds of TV-quality video
◾10 Megabytes: A minute of high-fidelity sound OR A digital chest X-ray
◾20 Megabytes: A box of floppy disks
◾50 Megabytes: A digital mammogram
◾100 Megabytes: 1 meter of shelved books OR A two-volume encyclopaedic book
◾200 Megabytes: A reel of 9-track tape OR An IBM 3480 cartridge tape
◾500 Megabytes: A CD-ROM OR The hard disk of a PC

Gigabyte (1 000 000 000 bytes)
◾1 Gigabyte: A pickup truck filled with paper OR A symphony in high-fidelity sound OR A movie at TV quality
◾2 Gigabytes: 20 meters of shelved books OR A stack of 9-track tapes
◾5 Gigabytes: An 8mm Exabyte tape
◾10 Gigabytes:
◾20 Gigabytes: A good collection of the works of Beethoven OR 5 Exabyte tapes OR A VHS tape used for digital data
◾50 Gigabytes: A floor of books OR Hundreds of 9-track tapes
◾100 Gigabytes: A floor of academic journals OR A large ID-1 digital tape
◾200 Gigabytes: 50 Exabyte tapes

Terabyte (1 000 000 000 000 bytes)
◾1 Terabyte: An automated tape robot OR All the X-ray films in a large technological hospital OR 50000 trees made into paper and printed OR Daily rate of EOS data (1998)
◾2 Terabytes: An academic research library OR A cabinet full of Exabyte tapes
◾10 Terabytes: The printed collection of the US Library of Congress
◾50 Terabytes: The contents of a large Mass Storage System

Petabyte (1 000 000 000 000 000 bytes)
◾1 Petabyte: 5 years of EOS data (at 46 mbps)
◾2 Petabytes: All US academic research libraries
◾20 Petabytes: Production of hard-disk drives in 1995
◾200 Petabytes: All printed material OR Production of digital magnetic tape in 1995

Exabyte (1 000 000 000 000 000 000 bytes)
◾5 Exabytes: All words ever spoken by human beings.
◾From Wikipedia: The world's technological capacity to store information grew from 2.6 (optimally compressed) exabytes in 1986 to 15.8 in 1993, over 54.5 in 2000, and to 295 (optimally compressed) exabytes in 2007. This is equivalent to less than one 730-MB CD-ROM per person in 1986 (539 MB per person), roughly 4 CD-ROM per person in 1993, 12 CD-ROM per person in the year 2000, and almost 61 CD-ROM per person in 2007. Piling up the imagined 404 billion CD-ROM from 2007 would create a stack from the earth to the moon and a quarter of this distance beyond (with 1.2 mm thickness per CD).
◾The world's technological capacity to receive information through one-way broadcast networks was 432 exabytes of (optimally compressed) information in 1986, 715 (optimally compressed) exabytes in 1993, 1,200 (optimally compressed) exabytes in 2000, and 1,900 in 2007.
◾According to the CSIRO, in the next decade, astronomers expect to be processing 10 petabytes of data every hour from the Square Kilometre Array (SKA) telescope. The array is thus expected to generate approximately one exabyte every four days of operation. According to IBM, the new SKA telescope initiative will generate over an exabyte of data every day. IBM is designing hardware to process this information.

Zettabyte (1 000 000 000 000 000 000 000 bytes)
◾From Wikipedia: The world's technological capacity to receive information through one-way broadcast networks was 0.432 zettabytes of (optimally compressed) information in 1986, 0.715 in 1993, 1.2 in 2000, and 1.9 (optimally compressed) zettabytes in 2007 (this is the informational equivalent to every person on earth receiving 174 newspapers per day).
◾According to International Data Corporation, the total amount of global data is expected to grow to 2.7 zettabytes during 2012. This is 48% up from 2011.
◾Mark Liberman calculated the storage requirements for all human speech ever spoken at 42 zettabytes if digitized as 16 kHz 16-bit audio. This was done in response to a popular expression that states "all words ever spoken by human beings" could be stored in approximately 5 exabytes of data (see exabyte for details). Liberman did "freely confess that maybe the authors [of the exabyte estimate] were thinking about text."
◾Research from the University of Southern California reports that in 2007, humankind successfully sent 1.9 zettabytes of information through broadcast technology such as televisions and GPS.
◾Research from the University of California, San Diego reports that in 2008, Americans consumed 3.6 zettabytes of information.

Yottabyte (1 000 000 000 000 000 000 000 000 bytes)

See - http://en.wikipedia.org/wiki/Talk%3AYottabyte#Xenottabyte.3F_Shilentnobyte.3F_Domegemegrottebyte.3F

Other interpretations, see  - http://geekologie.com/2010/06/how-big-is-a-yottabyte-spoiler.php
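As an added example (not code from the original post, nor from the High Scalability page linked above), the following Python helpers convert between the decimal byte units used in this list (1 kilobyte = 1000 bytes, as the headings state) and re-check the CD-ROM stack figures quoted from Wikipedia in the exabyte entry. The 730 MB CD size and 1.2 mm thickness are taken from that text; the mean Earth-Moon distance used for the comparison (384,400 km) is my own assumption, not a figure from the post.

```python
# Added example: decimal byte-unit helpers and a check of the CD-ROM stack
# figures quoted above. Not code from the original post or the linked page.
from decimal import Decimal

# Units in the post's own convention: each step is x1000, not x1024.
UNITS = ["byte", "kilobyte", "megabyte", "gigabyte", "terabyte",
         "petabyte", "exabyte", "zettabyte", "yottabyte"]


def to_bytes(value, unit):
    """Convert a quantity such as (2.7, "zettabytes") to an exact byte count."""
    key = unit.strip().lower().rstrip("s")
    if key not in UNITS:
        raise ValueError(f"unknown unit: {unit!r}")
    # Decimal avoids binary float error on values like 2.7 at the 10**21 scale.
    return int(Decimal(str(value)) * Decimal(1000) ** UNITS.index(key))


def humanize(n_bytes):
    """Express a byte count in the largest decimal unit with a value >= 1."""
    if n_bytes < 0:
        raise ValueError("byte counts cannot be negative")
    exp = 0
    while exp < len(UNITS) - 1 and n_bytes >= 1000 ** (exp + 1):
        exp += 1
    return n_bytes / 1000 ** exp, UNITS[exp]


def cd_rom_stack(total_bytes, cd_bytes=730_000_000, thickness_mm=1.2):
    """How many 730 MB CD-ROMs a byte count fills, and how tall the pile is
    in km. CD size and thickness are the values quoted in the exabyte entry."""
    cds = total_bytes / cd_bytes
    height_km = cds * thickness_mm / 1_000_000   # mm -> km
    return cds, height_km


# Assumed mean Earth-Moon distance for the comparison (not from the post).
EARTH_MOON_KM = 384_400


def check_cd_stack_claim(exabytes=295):
    """Reproduce the 2007 figures: ~404 billion CDs, reaching the Moon and
    about a quarter of that distance beyond. Returns (cds, height_km, ratio)."""
    cds, height_km = cd_rom_stack(to_bytes(exabytes, "exabytes"))
    return cds, height_km, height_km / EARTH_MOON_KM


if __name__ == "__main__":
    cds, height_km, ratio = check_cd_stack_claim()
    print(f"{cds:.3e} CD-ROMs, {height_km:,.0f} km high, "
          f"{ratio:.2f} x Earth-Moon distance")
    print(humanize(to_bytes(2.7, "zettabytes")))
```

Running it gives roughly 4.04e11 CD-ROMs and a pile of about 485,000 km, 1.26 times the Earth-Moon distance, which is consistent with the "quarter of this distance beyond" wording quoted above. Note that `to_bytes` deliberately uses decimal multiples; a tool reporting sizes in binary units (1 KiB = 1024 bytes) will quote different numbers for the same evidence, so state which convention you are using when you quote a figure.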

Saturday, April 04, 2015

Android Botnet for SMS

Another area where SMS text messages may not have received as much scrutiny is messages sent by mobile botnets. If I may, I will re-emphasise the following point: the purpose of the discussions here and below is not to criticise the tools or processes used in extracting, harvesting and/or treating recovered data, but to stress that data analysis is still required and cannot be rushed. If the examiner doesn't perform the analysis task, is the officer or investigator (who may have considerably less experience) left to perform that role?

To avoid confusion, a starting point for references to botnets is required. One contribution is this introduction to botnets: https://www.usenix.org/legacy/event/leet11/tech/slides/xiang.pdf

The video below shows how one hacker, Georgia Weidman (2011), developed an Android smartphone botnet to send SMS text messages.

A brief description of the code (botPoCrelease-android.c), which uses the smartphone to spawn messages through a Master/Slave/Target combination that hides the identity of the Master from the Slave:

==============================================================
Compile with arm-gcc with the -static flag set
Copy to anywhere on the underlying OS that is writable (/data/ is good).
Rename /dev/smd0/ to /dev/smd0real/
Start the bot application
Kill the radio application (ps | grep rild)
The radio will automatically respawn and now the bot proxy will be working
==============================================================

The original botnet code has been in the hacking community since 2011, but currently the code is hard to find. There is a sanitised version available, though.
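From the examiner's side, the installation steps quoted above leave a recognisable trace on the handset: the original radio device node is moved aside under a new name and something else takes its place. The following Python check is an added example (not part of the post and not the botPoC code) that looks for exactly that. It assumes, as a labelled assumption, that on an unmodified handset of this era `/dev/smd0` is a character device node for the modem channel used by rild and that no `/dev/smd0real` exists; the `simulate()` helper runs the check against a constructed temporary directory so nothing on the real `/dev` is touched.

```python
# Added example (not part of the post or of the botPoC code): an examiner's
# check for the radio-proxy artefact described in the steps above.
import os
import stat
import tempfile


def classify(path):
    """Label what sits at path without following symlinks."""
    try:
        mode = os.lstat(path).st_mode
    except FileNotFoundError:
        return "missing"
    for test, label in ((stat.S_ISCHR, "chardev"), (stat.S_ISLNK, "symlink"),
                        (stat.S_ISFIFO, "fifo"), (stat.S_ISSOCK, "socket"),
                        (stat.S_ISDIR, "directory"), (stat.S_ISREG, "regular")):
        if test(mode):
            return label
    return "other"


def check_radio_device(dev_dir="/dev", name="smd0", moved_suffix="real"):
    """Return (findings, details) for the smd0 proxy trick.

    Assumption: on an unmodified handset of this era /dev/smd0 is a character
    device node for the modem channel used by rild, and no smd0real exists.
    The proof of concept moves the node aside as smd0real and places its own
    endpoint at the original name.
    """
    original = os.path.join(dev_dir, name)
    moved = os.path.join(dev_dir, name + moved_suffix)
    details = {original: classify(original), moved: classify(moved)}
    findings = []
    if details[moved] != "missing":
        findings.append(f"{moved} present ({details[moved]}): "
                        "original device node appears to have been moved aside")
    if details[original] not in ("chardev", "missing"):
        findings.append(f"{original} is a {details[original]} "
                        "rather than a character device")
    return findings, details


def simulate(compromised):
    """Run the check against a constructed temporary /dev tree (no real device
    files are touched). Returns the number of findings."""
    with tempfile.TemporaryDirectory() as dev_dir:
        if compromised:
            # Constructed scenario: regular files stand in for the moved node
            # and the proxy endpoint.
            for fname in ("smd0", "smd0real"):
                with open(os.path.join(dev_dir, fname), "w") as fh:
                    fh.write("")
        findings, _ = check_radio_device(dev_dir)
        return len(findings)


if __name__ == "__main__":
    print("clean tree findings:", simulate(False))
    print("modified tree findings:", simulate(True))
    for line in check_radio_device()[0]:   # the live /dev of this machine
        print(line)
```

Device node names vary between chipsets and Android versions, so treat the `name` argument as something to confirm against a known-good reference handset of the same model before drawing conclusions from an absent or unusual node.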

This proof-of-concept mobile botnet for generating SMS text messages still relies upon knowing the target's mobile number. The analysis thus focuses on the sending party (Master) knowing the recipient mobile number (Target) to hand to the donor (Slave). Alternatively, harvested mobile numbers returned from ICMP (or similar) pings via the internet could yield a high harvest of returned MSISDNs without the Target knowing his/her MSISDN has been acquired to send messages (SMS spam, etc.).


Thursday, April 02, 2015

Smishing Maybe Smashed, but Fake Tache Goes On

Credit to Google Play Store - Combined screen shots of apps purporting to fake SMS and call logs

Continuing the text messaging discussion about examining raw data. Previously the subject was associated with Emotion Icons (http://trewmte.blogspot.co.uk/2015/03/emotion-icons.html) and, more generally, determining the bit-encoding scheme, Unicode, and encrypted messaging hidden within icons sent with messages.

Back in 2012 Android was reported to have a vulnerability in its platform, labelled in the research **"Smishing Vulnerability in Multiple Android Platforms (including Gingerbread, Ice Cream Sandwich, and Jelly Bean)" by Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University - http://www.csc.ncsu.edu/faculty/jiang/smishing.html. The research raised two important points:

(1) **"This vulnerability allows a running app on an Android phone to fake arbitrary SMS text messages, which will then be received by phone users."..." The affected platforms that have been confirmed range from Froyo (2.2.x), Gingerbread (2.3.x), Ice Cream Sandwich (4.0.x), and Jelly Bean (4.1)."

The Android Security Team produced a fix for this in Android 4.2, but the research does not confirm whether devices in the marketplace continuing to run Froyo (2.2.x), Gingerbread (2.3.x), Ice Cream Sandwich (4.0.x) and Jelly Bean (4.1) would also be fixed or would remain vulnerable.

(2) **"Note that any app on the phone can fake incoming messages, including both SMS and MMS messages".

By late 2013 Aditya Mahajan, Laxmikant Gudipaty and Dr. M. S. Dahiya had continued research beyond the findings of Xuxian Jiang. Their analysis, "Identification of Fake SMS generated using Android Applications in Android Devices" (54d35df10cf28e0697281a74.pdf), concluded that it is possible to show the presence of a potential fake SMS text message based upon the file header content, e.g. the reply paths etc. Moreover, if an original message was deleted but later recovered, and the fake message purporting to represent the original (but with altered content) were analysed side by side, so to speak, then disparity in content and file header content could assist an investigation. The test-case apps used by the authors on a selection of Android smartphones were "SUPER SMS FAKER (SSF)" & "LogMe".

Within our mobile/smartphone examination, forensics and evidence community we are still plagued by the fact that there are a huge range of apps purporting to fake:

- SMS Text Messages
- MMS Messages
- Calls Logs
- Etc.

See - Fake Call & SMS & Call Logs search of google play store: https://play.google.com/store/search?q=Fake%20Call%20%26%20SMS%20%26%20Call%20Logs

The above suggests students and newcomer examiners may be tricked into giving lower scrutiny priority to these sources of evidence. The skillsets built into automated tools to extract and harvest data content from databases such as the SMS text message history found in e.g. "/data/data/com.android.providers.telephony/databases/mmssms.db" are highly useful, but the message should not be obscured when informing students and newcomers to mobile/smartphone examination, forensics and evidence that extracted and harvested data requires deeper analysis. That applies not merely at the investigation/interpretation stage but at the atomic collection stage, too.
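To make the "deeper analysis" point concrete, here is an added Python example (my own code, not the tooling or method of Mahajan et al.) that triages the `sms` table of an mmssms.db. The column names are those of the Android telephony provider's `sms` table; the two rows are constructed, not from a real handset. The heuristics are my assumptions about what a message stored by the framework from a real over-the-air PDU tends to carry (protocol identifier, SMSC address in `service_center`, an SMSC timestamp in `date_sent`, a recorded `reply_path_present` flag) versus what an app inserting directly through the content provider typically leaves unset; they point at rows worth a closer look and prove nothing on their own.

```python
# Added example: header-field triage of inbox rows in an mmssms.db stand-in.
# Not the authors' tooling; the heuristics are assumptions, not proof of forgery.
import sqlite3

# Column layout of the Android telephony provider's sms table.
SMS_SCHEMA = """
CREATE TABLE sms (
    _id INTEGER PRIMARY KEY,
    thread_id INTEGER,
    address TEXT,
    person INTEGER,
    date INTEGER,
    date_sent INTEGER DEFAULT 0,
    protocol INTEGER,
    read INTEGER DEFAULT 0,
    status INTEGER DEFAULT -1,
    type INTEGER,
    reply_path_present INTEGER,
    subject TEXT,
    body TEXT,
    service_center TEXT,
    locked INTEGER DEFAULT 0,
    error_code INTEGER DEFAULT 0,
    seen INTEGER DEFAULT 0
)
"""

MESSAGE_TYPE_INBOX = 1


def build_sample_db():
    """Constructed in-memory stand-in for mmssms.db with two inbox rows
    (numbers are from the Ofcom drama range, i.e. not real subscribers)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SMS_SCHEMA)
    rows = [
        # Row 1: shaped like a message the framework stored from a real PDU:
        # protocol id, SMSC address and SMSC timestamp all populated.
        (1, 1, "+447700900123", None, 1428000060000, 1428000050000, 0, 1, -1,
         MESSAGE_TYPE_INBOX, 0, None, "Meet at 3", "+447700900000", 0, 0, 1),
        # Row 2: shaped like a row written through the content provider by an
        # app: no protocol, no service centre, no SMSC timestamp, and a receipt
        # time earlier than row 1 despite the higher _id.
        (2, 1, "+447700900123", None, 1427990000000, 0, None, 1, -1,
         MESSAGE_TYPE_INBOX, None, None, "Transfer the money today", None, 0, 0, 1),
    ]
    conn.executemany("INSERT INTO sms VALUES (" + ",".join("?" * 17) + ")", rows)
    conn.commit()
    return conn


def triage_inbox(conn):
    """Return {_id: [reasons]} for inbox rows whose header fields look
    inconsistent with delivery over the air. Heuristics only."""
    flagged = {}
    cur = conn.execute(
        "SELECT _id, address, date, date_sent, protocol, service_center, "
        "reply_path_present FROM sms WHERE type = ? ORDER BY _id",
        (MESSAGE_TYPE_INBOX,))
    prev_date = None
    for _id, address, date, date_sent, protocol, smsc, rpp in cur:
        reasons = []
        if not smsc:
            reasons.append("no service_center (SMSC address)")
        if protocol is None:
            reasons.append("no protocol identifier")
        if rpp is None:
            reasons.append("reply_path_present not recorded")
        if not date_sent:
            reasons.append("no date_sent (SMSC timestamp)")
        elif date_sent > date:
            reasons.append("date_sent later than receipt date")
        if prev_date is not None and date < prev_date:
            reasons.append("receipt date earlier than the previous _id")
        if not address or not address.lstrip("+").isdigit():
            reasons.append("address is not a plain digit string")
        if reasons:
            flagged[_id] = reasons
        prev_date = date
    return flagged


if __name__ == "__main__":
    for _id, reasons in triage_inbox(build_sample_db()).items():
        print(_id, "; ".join(reasons))
```

Point the same `triage_inbox()` at a copy of a real mmssms.db via `sqlite3.connect("mmssms.db")`; whatever it flags still has to be reconciled against the operator's records and, where possible, the raw PDU, because a legitimately received message with an unusual header is far more common than a forgery.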

As mentioned previously, viewing harvested data can be a trompe l'oeil (a lie to the eye). A faked SMS text message can be as simple as a perpetrator dressing up an innocent-looking fake message with (metaphorically speaking) a false moustache (fake tache), with intent to falsify the impression conveyed by the message.


Fake caption: Heeeyyyy, Briiaan, why the fake moustache? Stu-eey!!!!! I am just off to the bathroom.

Friday, March 27, 2015

Last SIM Details

Has anyone else run any tests using the LSD.exe free tool?

This program is from lastsimdetails.blogspot.co.uk/.

The concept behind this tool is very good and it is a great credit to the authors to allow free distribution of LSD.exe.


Screen dump for LSD.exe v1.2.0 - Samsung D500 flash file

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- HELP About
- Able to parse .bin and .pm data files.
 - Regex customiser allows you to define country and network parameters to eliminate false positives
 - Generic network search allows you to search for all Mobile Network Codes (MNC), however using this method may bring back more false positives
 - Advanced view provides the user with all IMSI matches and offsets within the data file
 - The summary view counts recurrences of IMSIs in order to display unique values

 Limitations
 -Limited testing has been performed on live data. Please verify your results
 This program was designed and developed by Jason Nicolaou and Daniel Roe.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

There are in fact three option tests that can be applied, not two as offered by the menu:

 1. Make no option selection at all
 2. Generic search
 3. Samsung mode

All return search data depending upon the flash file being read.

The authors have explicitly stated the limitations of the program. I emailed and left messages at the authors website but have not received any replies.

 =====================================================
 IMSI UK prefix *9 = (T) telecommunications / 234 = MCC United Kingdom / MNC = xxx
 =====================================================
 *This is different from TE.118 prefix 89 in use as Mobile Industry Identifier (MII) ISO/IEC 7812-1

The program's GUI search window, above, returns (along with other details) values e.g.

Offset: 3962356 IMSI: MCC/MNC/Subscriber detail = 234919011221080

In HxD (used for examination of the raw flash file), below, that offset identifies:

e.g. reverse nibble: 29 43 19 09 11 22 01 08

Screen dump for HxD.exe - Samsung D500 flash file
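The hex above decodes by hand, but it is worth seeing the rule written out. The following Python is an added example (not LSD.exe's code) that decodes the eight bytes shown in the HxD screen to the IMSI LSD.exe reported and then runs the same idea as a sliding-window search over a constructed flash blob. The encoding is swapped-nibble BCD (low nibble of each byte first); the leading nibble of the first byte is a marker rather than a digit, which in the SIM's EF_IMSI layout (3GPP TS 31.102) is a parity bit over the fixed value 001 and so reads as 9 for a 15-digit IMSI. The MNC length passed to `split_imsi()` is an assumption about the country (2 digits for MCC 234).

```python
# Added example (not LSD.exe's code): decode the swapped-nibble IMSI bytes shown
# above and scan a constructed flash blob for such candidates.


def decode_swapped_bcd(raw):
    """Return the nibble sequence of raw, low nibble first, skipping 0xF filler."""
    digits = []
    for byte in raw:
        for nib in (byte & 0x0F, byte >> 4):
            if nib == 0x0F:
                continue
            if nib > 9:
                raise ValueError(f"non-BCD nibble 0x{nib:X}")
            digits.append(str(nib))
    return "".join(digits)


def decode_imsi(raw):
    """Decode an 8-byte encoded IMSI: drop the leading marker nibble, keep 15 digits."""
    nibbles = decode_swapped_bcd(raw)
    if len(nibbles) != 16:
        raise ValueError(f"expected 16 nibbles, got {len(nibbles)}")
    return nibbles[1:]


def split_imsi(imsi, mnc_len=2):
    """Split into (MCC, MNC, MSIN). MNC length is 2 or 3 digits depending on
    the country (assumed 2 here, as used in the UK), which is why a tool needs
    the country/network customisation the authors describe."""
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def find_imsis(blob, mcc="234", marker=9):
    """Slide an 8-byte window over blob and return (offset, imsi) for windows
    that decode cleanly with the expected marker nibble and MCC. Like any
    pattern search over raw flash this can still produce false positives."""
    hits = []
    for off in range(len(blob) - 7):
        chunk = blob[off:off + 8]
        if chunk[0] & 0x0F != marker:
            continue
        try:
            imsi = decode_imsi(chunk)
        except ValueError:
            continue
        if imsi.startswith(mcc):
            hits.append((off, imsi))
    return hits


# The bytes quoted from the HxD screen above.
IMSI_BYTES = bytes.fromhex("2943190911220108")
# Constructed blob: padding, the IMSI bytes at offset 4, more padding.
SAMPLE_BLOB = bytes.fromhex("00FFCAFE") + IMSI_BYTES + bytes.fromhex("FF0000")

if __name__ == "__main__":
    print(decode_imsi(IMSI_BYTES))          # 234919011221080
    print(split_imsi(decode_imsi(IMSI_BYTES)))
    print(find_imsis(SAMPLE_BLOB))          # [(4, '234919011221080')]
```

Eight bytes of otherwise valid BCD starting with a 9 nibble and the right MCC occur by chance in a flash image of any size, so a hit is a candidate to be corroborated (repeated occurrence, plausible MNC, surrounding SIM-file structure), not a result in itself; that is the same caveat the authors attach to their tool.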

OBSERVATIONS
LSD.exe searches the flash file and performs the translation. The translation (top of page) was obtained using Option: Generic search.

LSD.exe returns the MNC as "unknown" - verified.
LSD.exe returns known MNC also - verified

From the flash file library stock, a selection was made using two old Samsung models, D500 and D600, to see if LSD.exe would work with older flash files. LSD.exe did work, and false positives were obtained, as the authors point out.

LSD.exe also revealed, when comparisons were made between the D500 and D600, that identical IMSIs were found in both D500/D600 flash files, one example being (which I have anonymised):

 - 2341007xxxxxxxx

The fact that the D500 flash file and the D600 flash file were apparently not connected in any way raises the question whether the results are true positives or false positives.

Furthermore, if they are true positives then the authors' statement that the tool should be used for intelligence purposes lives up to that expectation.

Sunday, March 22, 2015

CSA Wi-Fi Testing

As modern smartphones (3G/4G) have the detectors to access multiple wireless technologies, Wi-Fi coverage analysis extends the range of cell site analysis (CSA) radio measurements that can be identified at site for location-based tests. See previous discussion http://trewmte.blogspot.co.uk/2014/08/csa-site-survey-method4cell-types.html

ITU 150th Anniversary (1865-2015)

 
The 150 ITU 1865 2015 logo is copyright to the International Telecommunications Union
and reproduced with kind permission

This May 2015 the International Telecommunications Union reaches its 150th anniversary, http://itu150.org/home/ .

So what has happened in the world between 1865-2015? I thought I would highlight some events that usually go under the radar:

- football clubs established at that time : http://en.wikipedia.org/wiki/Oldest_football_clubs
- some cyclists have been pedalling for a really long time : https://velocipedists.wordpress.com/
- as well as a bygone era in railway : http://talyllyn.co.uk/150-1865-2015Gala
- Nokia started out as a wood pulp mill : http://en.m.wikipedia.org/wiki/Nokia

For more well known events just search the world wide web (www).

The ITU plays an important global role producing technical reports, recommendations and guidance on telecommunications, cellular and satellite, to name just a few technology sectors. That influence should never be underestimated. Indeed, the work of the ITU impacts on mobile forensics and cybercrime too. I have recorded a few trewmte blogs as examples.

International Telecommunications Union and CSA
http://trewmte.blogspot.co.uk/2014/07/international-telecommunications-union.html

CSA - Site Survey Method 2
http://trewmte.blogspot.co.uk/2014/07/csa-site-survey-method-2.html

CSA - Site Survey Method 2/ITU
http://trewmte.blogspot.co.uk/2014/07/csa-site-survey-method-2itu.html


Cybercrime: procedures, deterrent and investigation
http://trewmte.blogspot.co.uk/2011/09/cybercrime-procedures-deterrent-and.html

It seems to me fitting, since I have gained so much knowledge and understanding from the work of the ITU, that the way to pay tribute to them is to invite readers to visit their website celebrating the 150th anniversary of this phenomenal and great institution known as the International Telecommunications Union:

http://itu150.org/about/