Tuesday, May 21, 2019

Update2 - HERREVAD Databases Geo Location Artefacts

This second update concerns the HERREVAD databases geo-location artefacts that I referred to in my previous posts:

Update - HERREVAD Databases Geo Location Artefacts (2018)
http://trewmte.blogspot.com/2018/07/update-herrevad-databases-geo-location.html

and

HERREVAD Databases Geo Location Artefacts (2017)
http://trewmte.blogspot.com/2017/02/herrevad-databases-geo-location.html

Due to the lack of reporting and information about HERREVAD databases, I have kept monitoring the information superhighway to see whether anything further comes up about HERREVAD.

In March 2019 a Hybrid Analysis incident response report on GmsCore.apk (Android Marshmallow) listed MITRE ATT&CK technique detections, including a "malicious indicator" for fingerprinting of location information. The lengthy report associates HERREVAD with that fingerprinting through two broadcast receivers and the intent actions they listen for:

com.google.android.gms.herrevad.receivers.CaptivePortalReceiver // android.net.conn.NETWORK_CONDITIONS_MEASURED 
com.google.android.gms.herrevad.receivers.GservicesReceiver //  com.google.gservices.intent.action.GSERVICES_CHANGED

https://www.hybrid-analysis.com/sample/d75d4607b04ef24459cda329739b7222c5b70c53886316620c45bc3b7ddc6a3b?environmentId=200#signature-ff7edd80fdd3ee84d005809e9b2df85e

Bear in mind that GmsCore.apk is Google Play Services (package com.google.android.gms), so these receivers are platform components rather than third-party code: the sandbox's "malicious indicator" is a behavioural heuristic, and a receiver reacting to network-conditions and Gservices-changed broadcasts is expected behaviour, not proof of malice. The value for examiners is that the report names the system events on which HERREVAD code is triggered, which is useful when reasoning about when its database records are written.
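As a check on what the report states, here is an added Python example (my own code, not from the post, the Hybrid Analysis report or Google) that reads a decoded AndroidManifest.xml, such as apktool produces from GmsCore.apk, and lists the broadcast receivers under the herrevad package together with the intent actions they register for, whether they are exported, and any permission guarding them. The manifest embedded below is constructed for illustration: only the two HERREVAD receiver names and their actions come from the report, and the third receiver (UnrelatedReceiver) is hypothetical, included to show the filtering.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest fragment for illustration. It is NOT copied from a real
# GmsCore.apk; only the two herrevad receiver class names and their intent
# actions are taken from the Hybrid Analysis report quoted in the post. The
# third receiver is a hypothetical unrelated component used to show filtering.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.google.android.gms">
  <application>
    <receiver android:name="com.google.android.gms.herrevad.receivers.CaptivePortalReceiver"
              android:exported="true">
      <intent-filter>
        <action android:name="android.net.conn.NETWORK_CONDITIONS_MEASURED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.google.android.gms.herrevad.receivers.GservicesReceiver">
      <intent-filter>
        <action android:name="com.google.gservices.intent.action.GSERVICES_CHANGED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".example.UnrelatedReceiver"
              android:exported="false"
              android:permission="com.example.permission.HYPOTHETICAL">
      <intent-filter>
        <action android:name="com.example.intent.action.HYPOTHETICAL"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an attribute from the android: namespace (android:name etc.)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def receivers_with_actions(manifest_xml, class_prefix=""):
    """Map each <receiver> whose fully qualified class name starts with
    class_prefix to the broadcast actions it registers for, plus its
    exported state and the permission (if any) a sender must hold."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    result = {}
    for recv in root.iter("receiver"):
        name = android_attr(recv, "name") or ""
        if name.startswith("."):          # shorthand relative to the package
            name = package + name
        if not name.startswith(class_prefix):
            continue
        filters = recv.findall("intent-filter")
        actions = sorted(
            android_attr(action, "name")
            for f in filters
            for action in f.findall("action")
        )
        exported = android_attr(recv, "exported")
        if exported is None:
            # Pre-Android-12 default: a receiver with an intent filter is
            # implicitly exported, one without is not.
            exported = "true" if filters else "false"
        result[name] = {
            "actions": actions,
            "exported": exported == "true",
            "permission": android_attr(recv, "permission"),
        }
    return result


def herrevad_receivers(manifest_xml):
    """Only the receivers in the com.google.android.gms.herrevad package."""
    return receivers_with_actions(manifest_xml, "com.google.android.gms.herrevad.")


if __name__ == "__main__":
    for name, info in herrevad_receivers(SAMPLE_MANIFEST).items():
        print(name)
        print("  exported   :", info["exported"])
        print("  permission :", info["permission"])
        for action in info["actions"]:
            print("  action     :", action)
```

To run it against a real package, decode the APK first (`apktool d GmsCore.apk` writes a readable AndroidManifest.xml into the output directory), read that file into a string and pass it to herrevad_receivers(). The exported/permission fields matter because an exported receiver with no permission can be triggered by any app on the device, which is relevant when deciding whether a HERREVAD record was provoked by the system or by another application.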

DRONE FORENSICS

There is a good article about Drone Forensics in eForensics Magazine. The synopsis for the article states:
"The project begins to look into the broad range of UAVs that are likely to be encountered by police forces in the UK, specifically targeting the more budget end of the spectrum whilst still having all the functionality required to commit a range of crimes. The project focuses on post criminal activity analysis of the UAV and controller and while there is some discussion of commercial counter UAV tools it is not the focus of this project. One example of this analysis comes from media files stored on the drone and the kind of information that can be gathered from them through metadata. Using a purely practical, experimentation and analysis based approach, a thorough examination was made of both the UAV and its controlling Android and iOS devices. The project concludes that metadata is the best way to obtain information regarding flights, particularly where the Bebop’s “Drone Academy” feature is disabled as it specifically states that this will track your drone’s flights, though there is an analysis of the files created by the “Drone Academy” feature."
https://eforensicsmag.com/product/drone-forensics/

However, there is a huge range of technology to consider with evidential value, and later on I will present additional supporting information to the community. In the meantime, here is a great infographic by (c) Jethro Hazelhurst of the Pixhawk PX4 autopilot.

Thursday, May 09, 2019

Observations from the digital backyard...

I have been meaning to post on this subject for a while so without being side tracked again, here goes..

Very good work by Brett Shavers over at 'DFIR Training (Brett Shavers)', who is aiming to create 'The most complete DFIR resource on the planet.' Brett has certainly done a great job so far and receives regular plaudits for his work, so be sure to make time to drop in on his site https://www.dfir.training/info/about.

Note: DFIR (Digital Forensics & Incident Response) is a broad church of highly skilled and experienced people drawn from a wider range of backgrounds than digital forensics alone, but with good cross-compatibility with pure digital forensics.

Phill Moore (RandomAccess), another outstanding character in our field, has a highly successful website called 'Knowledge Base - This week in 4N6', which provides highlights of what is happening in the digital forensics world: https://thisweekin4n6.com/. For up-to-date news do visit Phill's website; Phill has a good reputation for quality news. Phill has just asked me to remind readers to also have a look at his additional blog https://thinkdfir.com/.

Mobile forensics is not without its new discoveries, as Mike "forensicmike" Williamson found out and detailed in his article 'MPT – LG’s incognito version of KnowledgeC' https://www.forensicmike.com/2019/04/27/mpt-lgs-incognito-version-of-knowledgec/. Mike is a nice guy and generously shares his knowledge with others, as he has in this discussion about uncovering LG's hidden MPT partition and its value to investigations. His findings have also been recognised and published in Interpol's Digital 4N6 Pulse Issue II. Top man for sharing, Mike!

Yet another name known in the digital forensics arena is 'San4n6', who is in fact Darryl Santry (Staff, Mobile Forensics, and Adjunct Professor at IACIS, the International Association of Computer Investigative Specialists). Darryl has undertaken a wonderful initiative (a training project) to educate young teenagers in cyber issues, taking the complex, complicated and convoluted knowledge and experience of the cyber arena and delivering it in terms that young students can understand. Darryl is doing a great job, and what a first-class guy for doing this. IACIS has conferences coming up and I will update readers on the dates when I know them. https://www.iacis.com/

Andrew "rathbuna" Rathbun, a forensic computer examiner, launched DISCORD Digital Forensics (a server containing a confederation of digital and technical chat forums), which has seen a staggering uptake of 1500 members in less than a year. The Discord members provide really good quality advice. Superb work in bringing this together, Andrew!! I will update this discussion shortly with how to join.

I cannot forget to mention my friend Jamie Morris and his established website https://www.ForensicFocus.com. It now has nearly 36,000 members and is still going from strength to strength after all these years, whilst many similar websites have gone by the wayside. Well done, Jamie!

I will have more names to add in my next post on this subject.