Sunday, June 14, 2015

Android Copy and Paste - what risks?

This discussion may be relevant and useful to the process of evidence gathering, eDiscovery investigations and examiner procedures. It is aimed at experienced examiners and investigators, at those new to the industry and at students who may be unaware of this subject matter.

The Android clipboard framework, backed by content providers, enables copy and paste to and from the clipboard not only of simple text but also of complex data structures, text and binary stream data and application assets: a clip holds one or more items, each of which is plain text, a content URI pointing at a provider, or an Intent.


Key Classes

- ClipboardManager
- ClipData
- ClipData.Item
- ClipDescription
- Uri
- ContentProvider
- Intent
Through this mechanism, objects placed on the clipboard can be distributed to other user applications, subject to whatever permission the copying application grants for its data to be read outside it (a content URI in the clip is only as readable as the provider behind it allows).
The practical use of clipboard copy and paste is generally understood by smartphone users, but the less experienced user may not know or realise that items stored on the clipboard can still reside in memory on particular smartphones long after the paste function was used. The same applies to examiners relying on data extracted and harvested from a DUT (device under test) with a particular examination tool of choice: the tool may not logically recover clipboard objects. Moreover, copied data may not be distinguishable from a deleted SMS message when carving a physical extracted dump (JTAG/chip-off), so checking what the clipboard holds, and where it came from, is important.
 
 
Conduct a test on a smartphone of your choice. Tests were run on a random selection of makes/models: not all were found to allow revisiting pasted data from previous copying, and not all allowed data copied in one application (e.g. WhatsApp) to be made available to another (e.g. text messaging). Thus, manual examination might need to be applied during an examination process in order to determine, during discovery, any vital data (evidence) excluded by a tool's recovery procedure.
As there are variances between makes/models, this equally raises concerns about missed opportunities to recover data during past examinations.
DUT – Samsung GT-I9100P
 
 
Android OS version – Ice Cream Sandwich

COPY AND PASTE

The manual examination test applied: select a new, blank SMS test message page and apply continued finger pressure to the text message field. The DUT vibrates and the dialogue box offers two options: PASTE or CLIPBOARD (see image below). Select CLIPBOARD.



The DUT responds with a multiple-choice list of previously copied data that may be reused. The first entry box is a message copied from the Samsung SMS text message application. The copied data with a stated date and time stamp in the fourth entry box is data copied from a message in WhatsApp.



Note the format change of the date, and that the clock is out by one minute when cross-referenced to the WhatsApp image below. Is this down to conversion from one application to another? Are there two clocks being used on the same smartphone? Was the SMS message created first and copied and pasted into WhatsApp? Or is it something else?



Further issues to be considered. Beyond the point above about permission to copy and paste outside a particular application, Android itself requires no manifest permission to write data to or read data from the clipboard. Consequently, this leaves a security loophole wherever an application expects the user to copy their credentials (passwords, PINs etc.) to the clipboard before they can make use of it: any other installed application can read them.
Moreover, android.content.ClipboardManager.OnPrimaryClipChangedListener is an interface in the Android SDK whose callback is invoked each time the primary clip changes. An application that registers this listener is told the moment a password or PIN is copied and can read the new clip before the user has even pasted it. If malware were unintentionally installed on the smartphone, credentials could be leaked to an outside source this way. Copy-and-paste security on the smartphone can therefore only be as good as the behaviour and permissions of the applications being installed and used.
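To make the above concrete, and to show the key classes listed earlier in use, here is an added example in Java against the Android SDK. It is not code from the original post: it is a minimal background service that registers an OnPrimaryClipChangedListener and logs every new primary clip, together with a defensive helper an application could call after a secret has been pasted. The class name, log tag and helper name are my own; the manifest for such a service needs no uses-permission entry on Ice Cream Sandwich or any release up to Android 9.

```java
import android.app.Service;
import android.content.ClipData;
import android.content.ClipDescription;
import android.content.ClipboardManager;
import android.content.Context;
import android.content.Intent;
import android.os.IBinder;
import android.util.Log;

/*
 * Added illustration, not code from the original post. Any app that ships this
 * service can watch the clipboard; no <uses-permission> is required for it.
 * Behaviour as described applies to API 11-28. From Android 10 (API 29) the
 * platform only hands clipboard contents to the foreground app or the default IME,
 * which is the platform fix for exactly the loophole discussed above.
 */
public class ClipWatcherService extends Service {
    private static final String TAG = "ClipWatcher";   // hypothetical tag
    private ClipboardManager clipboard;

    // Called by the system every time the primary clip changes, i.e. on every copy.
    private final ClipboardManager.OnPrimaryClipChangedListener listener =
            new ClipboardManager.OnPrimaryClipChangedListener() {
                @Override
                public void onPrimaryClipChanged() {
                    if (!clipboard.hasPrimaryClip()) return;
                    ClipData clip = clipboard.getPrimaryClip();
                    if (clip == null) return;
                    ClipDescription desc = clip.getDescription();
                    Log.i(TAG, "label=" + desc.getLabel() + " mime="
                            + (desc.getMimeTypeCount() > 0 ? desc.getMimeType(0) : "?"));
                    for (int i = 0; i < clip.getItemCount(); i++) {
                        ClipData.Item item = clip.getItemAt(i);
                        // coerceToText() covers all three item kinds: plain text is
                        // returned as-is, a content:// Uri is read through its
                        // ContentProvider (only if that provider lets this app read it),
                        // and an Intent is flattened to its URI string form.
                        CharSequence text = item.coerceToText(ClipWatcherService.this);
                        Log.i(TAG, "item " + i + ": " + text);   // a copied PIN lands here
                    }
                }
            };

    @Override
    public void onCreate() {
        super.onCreate();
        clipboard = (ClipboardManager) getSystemService(Context.CLIPBOARD_SERVICE);
        clipboard.addPrimaryClipChangedListener(listener);
    }

    @Override
    public void onDestroy() {
        clipboard.removePrimaryClipChangedListener(listener);
        super.onDestroy();
    }

    @Override
    public IBinder onBind(Intent intent) {
        return null;   // started service, nothing to bind
    }

    /*
     * Defensive counterpart for an app that must place a secret on the clipboard:
     * overwrite the primary clip once the user has had the chance to paste, so a
     * listener such as the one above, or a later manual CLIPBOARD look-up, finds an
     * empty clip. Overwriting works on every API level; clearPrimaryClip() only
     * exists from API 28. Hypothetical helper name.
     */
    public static void scrubClipboard(Context context) {
        ClipboardManager cm =
                (ClipboardManager) context.getSystemService(Context.CLIPBOARD_SERVICE);
        cm.setPrimaryClip(ClipData.newPlainText("", ""));
    }
}
```

Two caveats for the examiner. First, the listener only sees the system primary clip; whether a vendor clipboard history (such as the Samsung CLIPBOARD list shown in the test above) is also overwritten by scrubClipboard() depends on the vendor's implementation and must be checked on the DUT itself. Second, the log lines are where a real malicious build would instead send the text off the handset, which is why the absence of any clipboard permission matters.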

Observations. When analysing security, an examiner/investigator who refers only to the latest makes/models of smartphones or apps on the market may well be using a flawed analytical approach. There are a considerable number of handsets out there in day-to-day use for work and personal activity which can be, say, 5 to 10 years old. Operators are currently offering SIM ONLY contracts as an alternative to subsidised handsets, and such a smartphone won't be updated. Companies may well fail in their fiduciary responsibilities and the duty of care owed at board level to the company when they offload normal company expenditure by not providing communication devices to employees. By fostering BYOD (bring your own device), the employee is in fact subsidising the company's communications system and therefore its security, and the employer keeps open the opportunity for security loopholes by assuming that smartphone users know everything about their smartphone, which is a fallacy.

Sunday, June 07, 2015

Metrology - USB part 1

With smartphones, tablets and other devices fitting the description Size-Scaled Digital Technology (SSDT), USB physical connectivity provides the simplest illustration of an examination of a DUT: a combination of three separate entities inter-connected during the examination.


1) DUT: the target device (SSDT) containing suspected evidence
2) The physical medium (USB) to carry the source data to the examination tool
3) The examination tool (ET) used to extract and harvest evidence

It is possible to extrapolate even greater numbers of inter-connected entities, but if I were to do that it would be simpler to write a book than a blog post. Moreover, every extra inter-connection raises the risk of failure relevant to an entity's MTBF (mean time between failures, for a repairable unit) and MTTF (mean time to failure, for a non-repairable one such as a cable): for independent links in series the failure rates add, so the chain as a whole always has a lower MTBF/MTTF than its weakest single link.
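To put numbers on that last point, here is an added example in Java (my illustration, not part of the original post) that models the DUT - USB - ET chain as a series system with independent, constant failure rates. The MTTF figures used are constructed for illustration and are not measured values for any real device, cable or tool.

```java
import java.util.Arrays;

/*
 * Added illustration, not from the original post. Under the usual constant-failure-rate
 * assumption each entity has lambda = 1 / MTTF, a series chain fails when any member
 * fails, so lambda_chain = sum(lambda_i), MTTF_chain = 1 / lambda_chain, and the
 * probability of surviving an examination of t hours is exp(-lambda_chain * t).
 */
public final class ChainReliability {

    /** Failure rate (per hour) of one entity from its MTTF in hours. */
    static double failureRate(double mttfHours) {
        if (mttfHours <= 0) throw new IllegalArgumentException("MTTF must be positive");
        return 1.0 / mttfHours;
    }

    /** MTTF of the whole series chain: the reciprocal of the summed failure rates. */
    static double chainMttf(double... mttfHours) {
        double lambdaSum = 0.0;
        for (double m : mttfHours) lambdaSum += failureRate(m);
        return 1.0 / lambdaSum;
    }

    /** Probability that no link in the chain fails during an examination lasting t hours. */
    static double chainReliability(double hours, double... mttfHours) {
        return Math.exp(-hours / chainMttf(mttfHours));   // exp(-t * lambda_chain)
    }

    public static void main(String[] args) {
        // Constructed illustration values (hours), not vendor data.
        double dut = 50_000, usb = 20_000, et = 30_000;
        double[] chain = {dut, usb, et};

        System.out.printf("chain MTTF: %.0f h (weakest single link: %.0f h)%n",
                chainMttf(chain), Arrays.stream(chain).min().getAsDouble());
        System.out.printf("P(no failure during an 8 h examination): %.5f%n",
                chainReliability(8, chain));

        // A fourth entity (say a USB hub, constructed 10,000 h) pulls the chain MTTF down again.
        System.out.printf("with a hub added to the chain: %.0f h%n",
                chainMttf(dut, usb, et, 10_000));
    }
}
```

With these constructed inputs the chain MTTF comes out at roughly 9,700 hours, well below the 20,000 hours of the weakest single link (the cable), and adding the hub drops it to roughly 4,900 hours. This is the sense in which more inter-connections mean more risk, and it is why the medium is worth eliminating first when a result is doubted.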

                [British scientist Sir William Thomson (Lord Kelvin, 1824 - 1907)
                   concisely captured the aspect of knowledge that lets others study
                   the observations and apply the results without having to repeat the
                   experiment, when he wrote: "When you can measure what you are
                   speaking about and express it in numbers, you know something
                   about it."]

SSDT - USB - ET provides a useful basis upon which to consider metrological traceability:

"A core concept in metrology is metrological traceability, defined by the Joint Committee for Guides in Metrology as 'property of a measurement result whereby the result can be related to a reference through a documented unbroken chain of calibrations, each contributing to the measurement uncertainty'. Metrological traceability permits comparison of measurements, whether the result is compared to the previous result in the same laboratory, a measurement result a year ago, or to the result of a measurement performed anywhere else in the world."
http://en.wikipedia.org/wiki/Metrology#Metrological_traceability

An excellent source of reference for definitions for the science of measurement is:

International vocabulary of metrology — Basic and general concepts and associated terms (VIM)

Vocabulaire international de métrologie — Concepts fondamentaux et généraux et termes associés (VIM)
http://www.bipm.org/utils/common/documents/jcgm/JCGM_200_2008.pdf


International vocabulary of metrology – Basic and general concepts and associated terms  (VIM) 3rd edition  (2008 version with minor corrections)
Vocabulaire international de métrologie – Concepts fondamentaux et généraux et termes associés (VIM)
3e édition  (Version 2008 avec corrections mineures).
http://www.bipm.org/utils/common/documents/jcgm/JCGM_200_2012.pdf

Why have I shown two versions of the same document? Traceability is the answer. Building a quality system requires identification of the reference materials against which test measurements are (or have been in the past) conducted, and the edition in force at the time is part of that record. Anyone involved in preparing and running a lab should be aware that ISO/IEC 17025 and ISO 9001 identify principles that may be adopted across a wide range of industries. It is only when drilling down into how these principles should be applied in practice that one becomes aware of how, metaphorically speaking, naked one is without something or someone pointing to a path to follow.

VIM is an acknowledged and established international standard that can be referenced for defining the naming conventions used in testing. Of course, there is still the need for knowledge, skill and experience in operating under lab conditions. The early work of Scroggie and Johnstone still provides useful observations on various aspects of testing in a laboratory environment; it can be found in the Radio and Electronic Laboratory Handbook, 1980 edition (Marcus Graham Scroggie and George Gordon Johnstone, ISBN 0-408-00373-1 / ISBN-13 978-0-408-00373-5). The book is available from Amazon and from reputable booksellers.



There is a range of other reference material covering everything from testing through to calibration. For instance: NASA (Deep Space Network) http://deepspace.jpl.nasa.gov/dsndocs/810-005/214/214-1.pdf ; Laboratories for the Design and Assembly of Electronic Devices using Surface Mount Components conferencepaper.pdf ; Handbook of Laboratory Experiments in Electrical and Electronics Vol. 3 (Adamu Murtala Zungeru; James G. Ambafi, ISBN 9781497507203); and the list goes on. These are in addition to publications produced by the FBI, NIST, ACPO etc.

This discussion started out by referring to the physical medium (USB) that carries the source data from the DUT to the examination tool (ET). The relevance is that once the examiner has eliminated the medium as the cause of a failure or of corrupted evidence, the remaining conundrum is a closed one: is the DUT at fault, is the ET at fault, or are both DUT and ET faulty together?

To understand the technical properties for USB look here:

USB Type C
http://www.usb.org/developers/usbtypec/
http://www.usb.org/developers/docs/
http://www.usb.org/developers/docs/usb_31_060115.zip

This version of USB specification is identified, not simply from personal experience, but due to industry adoption of the standard:

(a) http://www.usb.org/press/USB_Type-C_Specification_Announcement_Final.pdf  

(b) http://arstechnica.com/gadgets/2014/08/small-reversible-usb-type-c-connector-finalized/



Image credited to http://arstechnica.com/gadgets/2014/08/small-reversible-usb-type-c-connector-finalized/

(c) https://support.apple.com/en-gb/HT204360 etc...

A testing schedule for MTBF and MTTF cannot be created unless the device class using a version of the USB specifications is corroborated:

Device Classes (some useful resource materials)
http://www.usb.org/developers/docs/devclass_docs/
http://www.atmel.com/dyn/resources/prod_documents/doc4322.pdf
http://www.linux-usb.org/usbnet/
http://cscott.net/usb_dev/data/devclass/usbcdc11.pdf

Moreover, given that USB 3.0 is backward compatible with USB 2.0, could USB 3.0 be used as the de facto standard for all SSDTs to assist in defining MTBF and MTTF?

What about USB plug/port sizes, would these create different test requirements?

Lastly, and to close Part 1 of this blog discussion, there is another question equally worth asking: "Does a manufacturer's/supplier's warranty for 12 or 24 months mean that lab testing is not necessary for the period of the warranty in question?"


Previous discussion under Metrology
http://trewmte.blogspot.co.uk/2015/05/metrology.html

Knowing DUT memory
http://trewmte.blogspot.co.uk/2015/05/knowing-dut-memory.html