Tuesday, November 07, 2017

100 Years - Remembrance Day 11/11/2017

I do not know the artist but the message in the painting below is understood. If you haven't done so and you see a person selling Poppies do stop and buy one; even if you give 5p it goes to a good cause.

11th NOVEMBER (1917-2017)

We stand on the shoulders of those who fought and gave us "freedom and liberties" which are so easily taken for granted today.

Sunday, October 29, 2017

Understanding Metadata

NISA 2017 - UNDERSTANDING METADATA - WHAT IS METADATA, AND WHAT IS IT FOR? is available. Surprisingly, not read anywhere else that this update was out, being that it is a highly relevant subject to digital (mobile, computer, audio, etc.) forensics.

Android CDD

As of the 1st September 2017 Android published their updated Compatibility Definitions Document version 8.

9.8.1 . Usage History - Android stores the history of the user's choices and manages such history by UsageStatsManager . Device implementations: [C-1 -1 ] MUST keep a reasonable retention period of such user history. [SR] Are STRONGLY RECOMMENDED to keep the 1 4 days retention period as configured by default in the AOSP implementation.

See also: 9.9. Data Storage Encryption, 9.9.2. File Based Encryption, 9.9.3. Full Disk Encryption,

Face Recognition

Following Apple's Face ID launch this is one of those hot topics at the moment. This technology is not without its sceptics and questions still remain whether it can become full proof. In today's world, that is a big ask.

I have collected some bits and pieces worth reading.

Apple's September 2017 paper on face ID and security - [https://images.apple.com/business/docs/FaceID_Security_Guide.pdf]

Kairos produce a useful comparison chart of facial recognition services[https://www.kairos.com/blog/face-recognition-kairos-vs-microsoft-vs-google-vs-amazon-vs-opencv]

The Guardian Newspaper published an article of Samsung's flawed Iris scanner - [https://www.theguardian.com/technology/2017/may/23/samsung-galaxy-s8-iris-scanner-german-hackers-biometric-security]

New research proposal just out 'Bypassing 3D Facial Recognition Authentication on Mobile Devices' - [https://www.os3.nl/_media/2017-2018/courses/ssn/projects/ssn_proposal_01.pdf]

NCSC Cyber Security: Small Business Guide

Cyber security can feel like a daunting challenge for many small business owners. But it needn’t be. Following the five quick and easy steps outlined in this guide could save time, money and even your business’ reputation.


National Crime Agency - Suspicious Activity Reports (SARs) 2017

A lot of good work being achieved by the NCA.


Threema - white paper

Latest white paper Sept 2017


Threema is the world’s favourite secure messenger and keeps your data out of the hands of hackers, corporations and governments. Threema can be used completely anonymously, allows to make end-to-end encrypted voice calls, and offers every feature one would expect from a state-of-the-art instant messenger.

Useful for running lab tests.

Childrens' Smart Watch Tracking Movements

Is a stranger hacking your child's smart watch? Warning that loopholes in the devices are being targeted to track youngsters' movements.

Daily Mail Science Tech Article 4991102

Mobile Data Traffic 2016-2021

Very Low Cost Training $99.00 - US Marketplace

Just been reading a post from Dennis Carroll Special Agent / Law Enforcement Instructor about some very low cost training in the States

"The Fox Valley Technical College in partnership with the National Criminal Justice Training Center (NCJTC) have approved my three day cellular device investigations course. The first course is being offered in Appleton Wisconsin in December as a pilot and then throughout the US as requested. The FVTC and NCJTC have obtained a grant to lower the cost of this course to $99. This is the lowest price you will find for a three day comprehensive cellular device investigation course. There is a link to request this course at your host agency on the link below. Please share if you would."

5G in Five Minutes

New Cyber Report recognises legal actions

June 2015 I sketched foreseen legal actions impacting on cybercrime. I posted a diagram-infographic in Feb 2016 "LEGALLY SPEAKING – OBSERVATIONS CHART FOR JUDGES BARRISTERS AND SOLICIT0RS" - http://trewmte.blogspot.co.uk/2016/02/threatware-legally-speaking.html.

I am pleased to see that ETSI (European Telecommunications Standards Institute) have also picked up on my themes in their 2017 published technical report (TR) CYBER; Implementation of the Network and Information Security (NIS) Directive ETSI TR 103 456 V1.1.1 (2017-10) with reference to Contract, Tort and Crime.

Sunday, September 10, 2017

Dolphin Ultrasonic Commands Voice Assistance

A newly issued report makes me wonder whether a Dog Whistle could issue commands to voice assistance devices?  Dolphin ultrasonic audio, not within human hearing range, can issue commands to voice assistance Amazon, Apple and Google devices according to a news report  from the BBC - http://www.bbc.co.uk/news/technology-41188557.

The basis of the BBC report is underpinned from Chinese research that can be found here: Dolphin Attack: Inaudible Voice Commands - https://endchan.xyz/.media/50cf379143925a3926298f881d3c19ab-applicationpdf.pdf.

Tuesday, August 22, 2017

Universal Network Investigations Updates

Universal Network Investigations (at LinkedIn) is a discussion group exists to assist telecoms, cyber, forensics, information security, pen testing, and fault-finding investigations: to exchange observations and sharing 'intel' in a closed forum discussing fixed and mobile network investigations - trace data and other forms of evidence (including but not limited to PCAP, CDRs, traffic logs, exchange and switch data, cell details, dumps, etc.). Investigations can start with examining a device or network activity, so all aspects will be posted in the group.

To join - https://www.linkedin.com/groups/13536130

Group Rules:
1) Chatham House Rule applies.
2) An essential aspect of joining the Group is to participate and share knowledge, skills and experience.
3) No selling, no spamming.

Latest Posts
- Dropped phones
- Tool for the Investigator ISMS Toolbox
- Apple Secure Enclave Processer (SEP) - Hacked
- Purging Data HDD (InfoSec)
- Rack and Ruin
- When a Genuine Product is used as a Rogue Device
- GDPR-1
- Framework for Digital Forensic Employment KSE (knowledge, skills, experience)
- VOIP Basics (updated)

- Tool for the Investigator ISMS Toolbox
- Cisco IOS Versions
- First Hop Redundancy
- Frame Mode MPLS
- IEEE 802.11 WLAN
- IOS Interior Routing Protocols
- IOS IPv4 Access Lists
- IOS Zone Based Firewall
- IPSec
- IPv4 Multicast
- IPv6
- Physical Terminations
- QoS
- Scapy
- Spanning Tree
- TCP Dump
- Wireshark Display Filters
- BILL - Internet of Things IoT Cybersecurity Improvement Act
- 1995-2017 Computer Security (Information Security)
- So what does the TIMSI get me?
- Federal data collection MRMCD
- Tech Against Terrorism
- Telecommunications (Interception and Access) Act 1979 (2017) (Australia)
- 27,482 cyber security incidents reported in H1 2017
- Surveillance Drones Report
- Smartphone Cybercrime
- PSCR Network Identifiers Demonstration Guidelines
- Plan MNC
- Ping Test
- MNC Probe Metrics
- ITU-T GSM Country Codes
- IMSI Prepaid MVNO
- G42UMTS Security
- Cyber Threats to Mobile Phones
- Building Mobile Tools for Rights Defenders and Activists
- UTC Document Register
- IMSI Assignment and Management Guidelines and Procedures
- Evolution in the Use of E.212 Mobile Network Codes
- 3rd Party Access to Number Portability Data
- Evolution in CLI usage
- Wrong Evidence Capture Tools
- Phone Hacks
- Multi-Traceroute (MTR) in NST
- Detecting Hidden Networks created with USB Devices
- Infrastructure - human access - fake fingerprint
- Operator 'Law Enforcement Disclosure' reporting
- Covert Tactical Measures
- Annual Cybersecurity Report - 2017
- Infrastructure Security Report - Worldwide
- Real Intelligence Threat Analysis (RITA)
- GSM Security Threat Risks
- Where to begin?
- RSOE EDIS Emergency and Disaster Information Service
- GSM Security Threat Risks
- NOC NOC - Fault Management and Troubleshooting
- SS7 and 2FA
- Detection in a multilayer network
- Diameter - Online Charging Systems (OCS)
- Big / Fresh / Deep - Data : Huaewi overview
- Hot technologies to know about
- ARP.pcap
- bgp.pcap
- https.pcap
- ICMP-ARP-OpenFlow1.0.pcap
- Russians target Telegram App
- Wireshark
- Protocols Relevant to U-N-I
- Industrial Networks Hit By WannaCry
- IM Telegram Replay Attack - Android
- Whisper Signal WhatsApp
- Subpico Intelligent Application Layer Software
- Subpico LI with evidential integrity
- TraceWrangler
- old_GUTI_IMSI_Critical_Reject (updated)

Saturday, August 12, 2017

Field Project Investigations

Conducting a technology review/audit prior to commencing field projects is an important task in order to understand the 'technology estate' owned and/or operated by an organisation. It is for revelation purposes and to comprehend [legacy] technology as stand-alone or interconnected/intra-connected with [current] technology and significantly if or how legacy has been ported-over to operate via applications/software to work with current. So more information has been posted. This is for the purposes as mentioned previously dealing with cases requiring 'field project investigations' (from installs to troubleshooting). I am sharing these .pdfs because I found forensics became one of the tools to be applied during investigations and not the main tool. Knowing the background details (tech spec, set-up, logs files, install procedures, etc.) assists understand "why an artefact was there".

To read the posts - https://www.linkedin.com/groups/2436720

Latest Updates: Institute for Digital Forensics

- Windows Registry Reference
- Apple Reference Cards and iPad iOS7 Quick Guide
- USB Guide & USB Key Guide
- Hardware Configuration Dell Precision WorkStation
- Legacy DOS
- 100 Windows 8 Keyboard Shortcuts
- 100 Chrome Tips

Institute for Digital Forensics - Previous Updates

- Tron Commands
- Malware, Junkware, Virus
- Checking Implemented Security
- Backups
- Troubleshooting, Tips and Guides
- Windows NT Server Resource Reference
- Admin Tools To Know and Explained
- Corrupted Registry
- Windows Resource Kit Reference
- Fasteners
- Projects - Win 10
- Projects - Win 8
- Projects - Win 7
- Vulnerabilities in Critical Evidence Collection
- Imaging with Image-X: The Ghost Killer
- A Guide for the Forensically Sound Examination of a Macintosh Computer
- Interpol's Forensic Report on FARC Computers and Hardware
- Reducing Data Lifetime Through Secure De-allocation
- Realising - Risk Sensitive Evidence Collection
- Notes on Computer Systems and Operating Systems
- Finding Child Porn in the Workplace
- Drafting Electronic Evidence Protocols
- Data Hiding in Journaling File Systems
- Investigation of Protected Electronic Information
- Electronic Evidence: The Ten Commandments
- Electronic Evidence Best Practices
- Laws of evidence in criminal proceedings throughout the European Union
- Evaluating Commercial Counter-Forensic Software
- Hacking into computer systems
- Windows device interface security
- NSA Redacting with Confidence: How to Safely Publish Sanitized Reports
- Reproducibility of Digital Evidence
- Windows Memory Analysis
- Secure Deletion Myths
- Spoliation of Evidence
- Forensic Discovery
- VMware to boot cloned/mounted hard disk images
- Volume Serial Numbers: Format Verification Date/Time

Wednesday, July 26, 2017

Eternal Blues - SMBv1

Newspapers, TV, Radio and Internet have been full of reports about ransomware attacks WannaCry, NotPetya and so on. This short article is not going to repeat those reports but to acknowledge that there is a new FREE tool "Eternal Blues" that helps businesses and consumers to find out, at the push of a button and scan of the network, whether the access point Server Message Block (SMB) version 1 (SMBv1) to determine the enabled state of the host; thus might be vulnerable to attack. Knowing this it enables businesses and consumers to take action to close down a potential threat. As Elad Erez confirmed to trewmte blogspot:
"Please note that having the SMBv1 in use, does not mean a host is vulnerable. SMBv1 was patched by Microsoft 4 months ago. So, the tool helps you find if hosts are in one of these states:
- SMBv1 enabled, but patch not applied, therefore host is vulnerable (the riskiest scenario)
- SMBv1 enabled and patch applied, therefore host is not vulnerable (but it is still risky to keep SMBv1 enabled, even according to Microsoft)." 
To get a brief insight to SMBv1, here is the link to Microsoft's website discussing how to disable it:
To find out about Eternal Blues visit website: http://omerez.com/eternal-blues-worldwide-statistics/
To get this FREE tool go to Download webpage: http://omerez.com/eternalblues/
When running this discovery tool consumers can see an IP Address range. A really easy to follow and understandable advice can be found here: " - Private Network IP Address Notation" https://www.lifewire.com/192-168-1-0-818388
For businesses with different IP Address ranges check out, as a starting point, FAQs webpage here: http://www.faqs.org/rfcs/rfc1918.html
Good luck, stay safe!

Big shout out for Elad Erez (Eternal Blues) for creating this FREE tool.

Tuesday, July 25, 2017

New IPhone 7 passcode unlock tool

Obviously this is causing a bit of excitement. 

I have been keeping an eye on two websites selling this product but yet to find any customer feedback. Enquiries so far have drawn a blank response.



Interesting to see what Apple will have to say on this access method?

Sunday, July 23, 2017


Smart Switch is a useful back-up and restore tool for particular user-content on various (but not all) Samsung smartphones. To coin a phrase the program "does what it says on the tin". For general user back-up and restore of certain data it avoids the need for uploading to the cloud.
We've been running some tests to see if Samsung Smart Switch back-up/restore utility could be used for capturing forensic images from e.g. the J3. The program was initially checked using CFF to check the internals to find files guarded by MD5 and SHA-1:
Before forensic examinations are undertaken we ran tests as a user and purchased 3 x J3.
The J3 handsets were UK versions:
We see the US versions are compatible for use with Samsung Knox for BYOD:
This is an early evaluation, so the post is just a heads-up so you can check within your organisation/s.
This post is not a legal notice or  anything else.

Saturday, July 08, 2017

What's happening with Contemporaneous Notes

Contemporaneous note (CN) taking is an essential process and procedure. The title is often used as a widely applied statement to include other associated processes and procedures, such as Simultaneous Notes (SN), etc.; as some of you know CN, SN, IN and VN are covered in my training courses for e-Discovery, (forensic) examination and evidence E3.  

I have taken the opportunity to bring on board Robert Merriott, Founder of Forensic Notes, to provide an overview of some of the methods and tools out there for preparing and producing Contemporaneous Notes. From Robert's well informed discussion (below) this clearly is a subject where strong opinions are held and a subject which we will return in future discussions.

Robert Merriott
Digital Forensic Examination Notes

The purpose of this post isn’t to provide a singular and definitive answer to the question of what ‘examination notes’ should look like.   In fact, every country or region will have its own accepted practices developed to satisfy the laws of the land.   Instead, this article is presented to discuss the many facets of this important subject and to help you find a solution that will best meet your needs.
A recent discussion regarding Contemporaneous Notes on Forensic Focus showed that there are differing views on how strict guidelines should be in relation to examination notes.  This difference of opinion reveals how much the process of conducting digital forensic examinations can vary from one office to the next.

Importance of Documentation

The importance of documenting your examinations can not be understated.  Although you may never need to defend your case in court, you should complete every case as if you would be testifying as an expert in Supreme Court.
Recently, experts and influential leaders in Digital Forensics provided quotes on the Importance of Documentation.
As Greg stated…
“Contemporaneous Notes are unavoidable, thus inescapable, when it comes to examining evidence and are akin to the standard of Ethics.
They hold the examiner to their own account of conduct when no one else is around to witness what is happening.”

Examination Notes – Current Solutions

Investigators dealing with digital evidence will document their examinations in one of several ways:
-          Traditional paper notebook and pen
-          Word processors such as MS Word or OneNote
-          Purpose built electronic note-taking system
-          Scrap pieces of paper
-          Do not document!

Paper Notebook and Pen

The classic way of writing contemporaneous notes. 
This form of documentation has been relied upon in law enforcement and scientific labs for decades and has continued to standup to the scrutiny of the courts when properly completed.

Although widely accepted in courts, writing your notes in a paper notebook can be slow and result in notes that are illegible and incomplete.  For many young examiners that can quickly type out long messages on a virtual mobile keyboard, the idea of handwriting notes seems like a step back in productivity.
Attempts to correct spelling and grammatic mistakes only further complicate the process of writing and disclosing notes.

MS Word or OneNote

Electronic documentation is becoming more common even in traditional settings like law enforcement were only paper notebooks and pens were previously trusted.
Electronic documentation offers many advantages including the ability to edit and modify the content of the notes as required.
Being able to edit the content of an electronic note allows the examiner to correct any spelling, grammatical errors or omissions. As a result, some examiners feel electronic documentation provides a more professional form of their notes as they are able to correct these issues prior to providing them to colleagues or the courts.
But if notes can be changed at a later date with no previous history of the contents originally entered, can they really be considered contemporaneous?
And does this open up Pandora’s Box for defense lawyer questioning? 
If you admit you modified some of your notes for “grammar” and “typos”, will defense begin to argue you changed other aspects of your notes as well?  And what if you did change something else for reason beyond simple grammar or typos, how will you explain that change in court?
Criminal courts would never allow a law enforcement officer to wite-out® portions of his notes in a paper notebook and then overwrite that information with new information. So why should the courts trust electronic notes to be a true representation of your thoughts at the time stated if they can be edited without including the previous entries?
Although many Digital Forensic Examiners are using MS Word and OneNote successfully in courts throughout North America and Europe, we as examiners know that the majority of courts have failed to keep up with the complexities of digital data and how easily files can be manipulated.
Of course, there are ways to make electronic notes immutable with the use of Digital Signatures and digital timestamps, but few organizations are properly setup to implement this solution.
Will you be able to defend the authenticity of your MS Word or OneNote examination notes in court if questioned?

Electronic Note-Taking Application

Electronic Note-Taking applications offer the best of both worlds if designed and used properly.  But remember, not all applications are created equal.
When deciding on what electronic note-taking application you want to use, you will have to consider your specific needs and requirements not only now, but in the future when your cases finally go to trial.
-          Can you easily print notes in sequential order for court?
-          Can you edit existing notes while retaining the original note for Full Disclosure?
-          Can you arrange your notes in a logical manner during the investigation to keep your information organized?
-          Can you search through your notes to find answers quickly?
-          Is your information securely saved and encrypted?
-          Do Audit Logs exist allowing you to clearly see who else accessed a particular note or notebook?
-          Is the application able to timestamp individual notes from a trusted and independent Timestamping Authority (TSA)?
-          Will the courts be able to authenticate your notes if required without calling in another expert?
-          Can you access your notes on multiple devices, including mobile, so that you can take notes outside of your office such as during live analysis at the scene or meetings with other investigators?
-          If you include screen captures and images in your notes, will you be able to print the image in a high-quality format at a later date if it becomes a key piece of evidence?
-          Are the owners of the application trusted members of the digital forensic community?
When choosing an Electronic Note-Taking Application, you should select an application that works the way you work instead of being forced to work within the constraints of the application they provide.

Scrap Pieces of Paper

Although it’s common to use scrap pieces of paper to quickly jot down information, they should not be used as a place to write notes during an examination unless other options discussed above are not available.
If scrap pieces of paper are used to document important information, this should be transcribed into your proper notes as soon as possible. Often, if done in a reasonable time frame, these transcribed notes will be considered contemporaneously written.

Do Not Document Examination

Some examiners do not see a need to document their examinations. This is often as result of poor training, inexperience or laziness. If your examination involves criminal or civil litigation, then it’s imperative that you conduct your examinations in a professional manner.   Poorly documented investigations can lead to bad caselaw that affects us all.

Should Standards Exist for Examination Notes?

Preston Coleman provides a valid and well thought out response to the idea of standards for examination notes.
As Preston points out, if standards were to be created for examination notes, then they should be general in nature to allow for the flexibility needed within most examinations.  At a minimum, the following “universal elements should be observed”
-          Contemporaneous Notes
Document actions and results sequentially as they occur
-          Timestamp Notes
Include Date & Time with every note made
-          Immutability
Notes should be fixed and non-editable upon completion of the examination
-          Available
Provide to others, including the courts, if required
Depending on your particular circumstances and the types of files that you are investigating, you may decide on more stringent requirements for your own note taking.

Odds n’ Ends

Now let’s discuss a few more questions regarding examination notes…

Simultaneous Notes

As discussed within the “Forensic Chip Off – Notes in Progress” post, Greg asked the question “how would you keep contemporaneous notes (CN) simultaneously whilst removing a chip?”
If Simultaneous Notes (SN) were required during a technical hands-on examination, then a video of the examination (as shown in the blog post) could be used to allow the examiner to concentrate on the task at hand while still properly documenting the actions being taken. Upon completion, the video file could be hashed with the resulting hash being noted within your Contemporaneous Notes.
A purpose-built forensic Electronic Note-Taking application would allow you to attach the original video to the note and automatically Hash and Timestamp the video in only a couple steps.

Destroy Notes After an Examination Is Complete?

In some American states, it is apparently common practice to destroy both paper and electronic notes once a final examination report has been written.
If the destruction of examination notes is currently allowed where you work, you should ask yourself:
-          What happens if the accuracy or credibility of the report is questioned?
-          What reasoning will you provide if questioned on why you felt it was necessary to destroy your notes?
o   The opposing party may ask “What were you trying to hide in those notes that it was so important that you destroy them prior to court?”

Restrictive Warrants

In many regions, warrants authorizing forensic examinations are becoming restrictive with respect to the type of data that can be analyzed and included in forensic reports.  In practice, you may observe other evidence in plain view (eg: Child abuse material) that does not fit within the restrictions of the warrant.
In this case, it is suggested that you immediately stop your current examination and re-apply for a warrant that includes the evidence you observed in plain view.
If you fail to take proper contemporaneous notes or destroy your notes upon completion of a report, would you be able to properly articulate how you came to observe the images or data that you weren’t authorized to have searched which resulted in a more comprehensive warrant being sought?
If not, you risk having all your evidence excluded from the trial.
Many investigators fail to recognize that obtaining a new warrant is easy in comparison to defending the merits of the new warrant at trial. Are you willing to lose all that hard work due to a lack of proper documentation?


The digital forensic community needs a “Best Practice” guideline in creating contemporaneous notes during an examination. Without a clear guideline, Digital Forensic Examiners are left to rely on potentially false or misleading information from fellow members who do not fully recognize the need or value in creating proper notes during an examination.
At a minimum, all professional Digital Forensic Examiners should use the following list as the current “Best Practice” guideline:
-          Contemporaneous Notes
-          Timestamp Notes (Date & Time)
-          Immutability
-          Available
By continuing to discuss this important subject, we as a community can further improve “Best Practice” guidelines that will help ensure existing and new examiners take the necessary steps during digital forensic examinations.
After evaluating the “Best Practice” guidelines, you can make an informed decision on what is the best solution for recording Examination Notes given your particular circumstances and needs.
Will you stick with the classic pen and paper, utilize a word processing application such as MS Word or OneNote or go with a more forensic solution such as a purpose-built electronic note-taking system like Forensic Notes?
About Author:
Robert Merriott founded TwiceSafe Software Solutions Inc. (Forensic Notes) after realizing the need for a digital note-taking application that would meet the high standards of digital forensic evidence in the courts. Robert has a Degree in Computer Information Systems and obtained both Microsoft MVP and ASPInsider status during the infancy of ASP.Net. He now works as a Digital Forensic Examiner.
DISCLAIMER: This article is not meant to provide legal advice or information. Legal statements made are only provided as guidance for the reader to seek professional legal advice within their jurisdiction. No information contained within this article should be acted upon without discussing the merits of such information with a legal professional. The author of this article is NOT A LAWYER and takes no legal responsibility for the information presented. In addition, the information provided is based on personal beliefs and ideas and does not represent his employer.


Wednesday, June 28, 2017

IM Telegram Replay Attack - Android

Hopefully, readers will have had the opportunity and time to read about WhatsApp here at the trewmte.blogspot:

WhatsApp network forensics - http://trewmte.blogspot.co.uk/2017/06/whatsapp-network-forensics.html
Whisper Signal WhatsApp - http://trewmte.blogspot.co.uk/2017/06/whisper-signal-whatsapp.html

So it's time to move on to the next instant messaging app known as Telegram. It is relevant to mention this app at this time as it appears the Russians are targeting this app as well -
http://www.bbc.co.uk/news/world-europe-40404842 - and the thought must be what will they discover by way of a flaw or vulnerability or do they what they are already?
The IM Telegram Replay Attack - Android uncovered from the following research published in Tomáš Sušánka thesis can be found here:  https://www.susanka.eu/files/master-thesis-final.pdf .
As a primer, a replay attack is an attack where an attacker sniffs data sent by the application and then resends them at a different time with a malicious intent. Unlike WhatsApp where all accounts are controlled by source; Telegram relies upon some third party developers to implement security updates that Telegram has informed them about; if developers don't update after that many devices using Telegram could be unsafe even today potentially enabling attacks across networks.
Deobfuscator.cpp file
To gain a background understanding to IM and security related issues the thesis considers other IM apps, including WhatsApp, and noted security issues with them.
One interesting comment noted in a paragraph in the conclusion reveals the influences foreign policy subjects itself on software developers regarding censorship: "We have scrutinized the code base of the official application for Android and concluded that the state of the application is at serious odds with the documentation. This concerns mainly the undocumented obfuscation method Telegram uses. The MTProto traffic is encrypted one more time with the key and IV prepended to the data. This has no effect on the data security and is easily debunked by the deobfuscation program we have implemented. When the Telegram team was confronted with these claims, they noted the method is used to circumvent some of the less sophisticated methods of censorship in certain countries."
The author's research relating to apparent Telegram vulnerability, that has been published, he has also provided his background research e.g. source code etc., (so you better get it before it goes) https://www.susanka.eu/files/master-thesis-cd.zip :
CD's directory structure is:
-  data
- Telegram source code
-  src 
- Telegram Deobfuscator
- Telegram Extractor
- Trudy Go module
- LaTeX source codes
- diagrams
source codes
- text
- appendices
- thesis.pdf
Excellent research and discovery!

U-N-I update on posts

- Diameter - Online Charging Systems (OCS)
- Big / Fresh / Deep - Data : Huaewi overview
- Hot technologies to know about
- ARP.pcap
- bgp.pcap
- https.pcap
- ICMP-ARP-OpenFlow1.0.pcap
- Russians target Telegram App
- Wireshark
- Protocols Relevant to U-N-I
- Industrial Networks Hit By WannaCry
- IM Telegram Replay Attack - Android
- Whisper Signal WhatsApp
- Subpico Intelligent Appication Layer Software
- Subpico LI with evidential integrity
- TraceWrangler
- old_GUTI_IMSI_Critical_Reject (updated)


Whisper Signal WhatsApp

Following on from this post WhatsApp network forensics 2017/06/whatsapp-network-forensics.html you may know WhatsApp changed the protocol to 'Open Whisper System's Signal Protocol end-to-end encryption'. A useful analysis of "Signal" can be found here regarding capturing the “ratcheting” key update structure:

A Formal Security Analysis of the Signal Messaging Protocol

Vulnerability attacks have already started to determine Signal weaknesses. The "last resort key" looks interesting as does internal messaging attacks that have produced some results:


WhatsApp network forensics: Decrypting and understanding the WhatsApp call signaling messages

Friday, June 23, 2017

Universal Network Investigations

Just started a new LinkedIn group called 'Universal Network Investigations (UNI)'. It is a group only for those involved in the wider area of fixed, mobile and large-scale computer networks. The group exists to assist cyber, forensics and fault-finding investigations: to exchange observations and sharing 'intel' in a closed forum discussing fixed and mobile network investigations - trace data and other forms of evidence (including but not limited to PCAP, CDRs, traffic logs, exchange and switch data, cell details, dumps, etc.) If you are a member of LinkedIn and want to participate in the group here is the link: https://www.linkedin.com/groups/13536130

Sunday, June 18, 2017

Mobile Forensic Metamodel

Previous studies have mostly discussed mobile forensics only in data acquisition terms and only in a problem solving scenario, as a subset to computer forensics. These studies did not take mobile forensics beyond the paradigm that is known as computer forensics. Additionally, they have not addressed the elements of MF comprehensively, and the previous research in the MF domain did not focus on modeling the case domain information involved in investigations.

This paper develops a Mobile Forensic Metamodel (MFM) in order to clarify all the necessary activities required by investigators for conducting their task. In addition, it creates a unified view of mobile forensic in the form of a metamodel that can be seen as a language for this domain. A metamodeling approach is applied to ensure that the metamodel which is the outcome is complete and consistent.

A metamodel for mobile forensics investigation domain

Thursday, June 15, 2017

WhatsApp network forensics

With many companies allowing employees to use their own smartphones in the workplace it has been noted confidential information maybe being unwitting leaked as users take to using their smartphone cameras to take photos of Whiteboard content, potentially risking disclosure (mentioned by the Information Security Community). Smartphones can also scan data, reducing the need for organisation to require Whiteboard printouts (thus saving money?). Whilst a user might not intentionally leak information, WhatsApp does provide for exchange of information during in-party calls, potentially allowing confidential data to be circulated.

However, let us avoid that scare story of sending confidential information and the story at work with the situation where a WhatsApp user has called another WhatsApp user and discloses Global Organisation X is in talks with World Dominant Corp. B to take them over. Both are on the Stock Exchange and both hold Worldwide Patents used in the medical industry. Such a leak could wrongfully 'influence' the markets. Could a WhatsApp call leak be possible? Maybe, but is that relevant to WhatsApp network forensics and this article? No. Finding out potential avenues where information leakage might take place enables pre-planning, handling risk and helps in designing a rescue plan.

Screen from my desktop using Wireshark

What is relevant is that for those conducting network forensics, accordingly to F. Karpisek, I. Baggili, F. Breitinger (ISSN 1742-2876, http://dx.doi.org/10.1016/j.diin.2015.09.002) they were able to "...decrypt the network traffic and obtain forensic artifacts that relate to this new calling feature which included the: a) WhatsApp phone numbers, b) WhatsApp server IPs, c) WhatsApp audio codec (Opus), d) WhatsApp call duration, and e) WhatsApp's call termination." From a network investigators point of view essential information producing evidential artifacts of identifying network activity. Taking this further, PenTesters might even find this information useful, also. Even where security flaws get updated, doesn't stop modified attacks occurring creating further vulnerabilities; so learning is the name of the game. 
Often we read from articles/reports about vulnerabilities etc. but only the content in the articles/reports are available. What is extremely helpful here F. Karpisek, I. Baggili, F. Breitinger have made available 'trace data' so that when combined with the tools referred to in 'WhatsApp network forensics: Decrypting and understanding the WhatsApp call signaling messages', enables Investigators and PenTesters to gain experience and refine testing approaches. Access to the trace information is here: https://www.dropbox.com/s/szrk5f3axwt5bi7/reference_files_WhatsApp.zip . You may want to get a copy soon as often with dropbox downloads they get deleted by the dropbox user after a time.