Bring Your Own (BYO) what?
Take away the scenario of government and local authority involvement and consider private industry alone: the employer may have no enforcement rights to control BYOD (bring your own device) smartphone usage, since employees and out-sourced workers are being used, and are paying for company communications out of their own wages or salary, merely so that a natural business cost can be reduced or removed. Reported patterns of abuse by BYOD employees are scarce, as, funnily enough, are the cost savings made by companies and, as a consequence of the saving, the beneficiaries of those company cost savings. What is the employment position of an employee who refuses BYOD? And what about employees and staff on wages and salaries from, say, £40K down to the national minimum wage; are they protected?
This "Bring Your Own" approach in business is seemingly not limited to devices. There is an instance of an employer seeking to reduce vehicle fleet insurance costs by asking the employee to have the company vehicle insured in the employee's own name. So do we call this BYOI (bring your own insurance)? Significant problems could arise if those company vehicles carry hazardous items not disclosed to the insurance company. Moreover, would employees find themselves coerced in the workplace if they refuse to comply?
Given the vast increase in personal mobile devices in the workplace, the UK Parliament may need to consider preventative legislation to stop employer abuses in all cases of "Bring Your Own" (BYO), whether device orientated or not, without punishing the employee who pursues some form of equitable estoppel (a doctrine preventing one party from taking unfair advantage of another, perhaps through false language or conduct) legal action where the employer tries to treat the employee as if the employee were somehow holding out in the course of a business (UCTA 1977).
God forbid the next thing is BYOM (bring your own mortgage) to pay for the company office building.
BYOD - CJIS MOBILE APPENDIX - FBI
FBI analysis of BYOD. There are many references to BYOD in the report, but two statements applicable to employees and out-source workers where they use their own devices are noteworthy at 1.7.3 and 1.10.2 below.
1.7.3 Bring Your Own Device (BYOD) Employment
BYOD environments pose significant challenges to the management of secure device configurations. In many cases it may be impossible to apply effective security that is acceptable to the device owner or it may require extremely costly compensating controls to allow access to CJI on personally owned devices. While allowed by the CJIS Security Policy, agencies are advised to conduct a detailed cost analysis of the ancillary costs of compliance with CJIS Security Policy on personally owned devices when they are approved for use. In some cases, a BYOD user may agree to abide by the same device configurations and limitations as imposed on an agency owned device, but signed user agreements should still be in place to ensure the agency has a legal right to recover or clear the device of all data prior to device disposal or employee termination. In other cases, robust secure applications may provide acceptable levels of compliance in a BYOD environment for limited CJI access but application design and architecture should assume the device itself is un-trusted. If MDM/EMM software capable of detecting rooting or jailbreaking of the device is not installed, any CJIS or data access occurring from the device is at a substantially higher risk of compromise.
1.10.2 Malicious code protection/Restriction of installed applications and application permissions
The most common method of malicious code installation is enticing the user to manually install the malicious app which can be mitigated on organizational devices using an MDM or other application installation restrictions which prevent the user from installing unauthorized or unknown applications. Mitigation of this issue within BYOD environments may not be possible and will present a significantly enhanced risk to the device.
https://www.fbi.gov/about-us/cjis/CJIS%20Mobile%20Mobile%20Appendix%2020121214.pdf
Previous Discussions:
BYOD: Cyber Classification
http://trewmte.blogspot.co.uk/2015/08/byod-cyber-classification.html
Android Copy and Paste - what risks?
http://trewmte.blogspot.co.uk/2015/06/android-copy-and-paste-what-risks.html
BYOD risks and minefields
http://trewmte.blogspot.co.uk/2014/03/byod-risks-and-minefields.html
One hit, hits all
http://trewmte.blogspot.co.uk/2013/02/one-hit-hits-all.html
Smartphone BYOD
http://trewmte.blogspot.co.uk/2013/01/smartphone-byod.html
Investigations, Practices and Procedures: Seizure-Forensic Examination-Evidence. Cellular and Satellite Telephones, Call Records-Billing Data, Cell Site Analysis. Telecomms. Computer and Network Analysis. GPS devices & Jammers, Cyber, IoT forensics.
Saturday, November 21, 2015
Sunday, October 25, 2015
Digital Evidence - Disciples and Pilgrims
A career in the Digital Evidence field is a journey of lifelong learning. The length of that journey depends on you, no matter whether you are young or old. There are no masters, no experts, just you and me on this road of discovery. We are disciples and pilgrims of and for this art we enjoy and wish to follow, running to keep pace in a technological-world of constant change.
Painting by Eugène Burnand, which hangs in the Musée d'Orsay Gallery in Paris: Les disciples Jean et Pierre accourant au sépulcre le matin de la résurrection.
Sunday, September 13, 2015
Metrology - USB part 2
Continuing with the discussion relating to Metrology and Universal Serial Bus (USB) cables.
Metrology - http://trewmte.blogspot.co.uk/2015/05/metrology.html
The first discussion raised the observation that ISO 9001 had been mentioned, and that this standard provides a useful guide on record keeping. In most cases users take for granted that the cable/lead/plug is OK and simply swap it out if it is deemed not to be working. Some simple questions:
1) Is there a cable/lead tester on the market?
2) What results can be obtained?
3) How are the output results determined?
4) How do the results compare with manufacturing guidelines for MTTF and MTBF?
5) Can the results scrutinised be improved?
6) Can a minimum standard be achieved?
Metrology - USB part 1 - http://trewmte.blogspot.co.uk/2015/06/metrology-usb-part-1.html
Later the discussion raised the notion that smartphones, tablets and other devices fitting the description Size-Scaled Digital Technology (SSDT) and using USB physical connectivity provide the simplest illustration of a device under test (DUT) in an examination, i.e. the combination of three separate entities involved in inter-connection during an examination:
1) The DUT (the target device (SSDT) containing suspected evidence)
2) The physical medium (USB) to carry the source data to the examination tool
3) The examination tool (ET) used to extract and harvest evidence
It ended with the point that the discussion had started out by referring to the physical medium (USB) that carries the source data from the DUT to the examination tool (ET). The relevance of doing so is that if the examiner eliminates the medium as the cause of failure or corrupted evidence, the logical conundrum that remains is: is the DUT at fault, is the ET at fault, or are the DUT and ET both faulty together?
Eliminating the USB cable's involvement in the acquisition process as the source of corrupted data, or of faults induced into the DUT, requires expanding the investigation of what is known about USB tolerances and identified faults.
Mechanical Failures
Types of USB connector left to right (ruler in centimetres): micro-B plug, UC-E6 proprietary (non-USB) plug, mini-B plug, standard-A receptacle (upside down), standard-A plug, standard-B plug
The procedure required is to dissect and strip back a USB plug from its cable. In itself there is nothing special in this task; it is performed purely for revelation purposes, to allow observation of what is happening underneath the main moulded cable covering, since the human eye does not possess x-ray vision. This USB cable was chosen because it had visible signs of wear and tear at the plug end that connects to the device (DUT), and charging of the DUT was known to be intermittent.
The USB cable was terminated at either end with a mini-B plug and standard-A plug. The photo below shows the mini-B plug end has been dissected and stripped back.
The standard coloured wiring is expressed as:
| Pin | Signal | Wire colour |
|---|---|---|
| 1 | VCC (+5 V) | red |
| 2 | Data− | white |
| 3 | Data+ | green |
| 4 | Ground | black |
A study of the separate coloured internal wire coverings (green, red, black and white; for a quick reference source refer to https://en.wikipedia.org/wiki/USB) showed that the red wire covering was in fact pink in colour and showed more deterioration (more brittle, covering easy to pull off) than the other coloured coverings.
Given that the mini-B plug is the end connected into the DUT, this raises concerns as to whether the wear and tear could damage the DUT too. As the red (pink) covering concerns the power line, VCC (+5 V, red wire), it is not difficult to speculate about the potential for damage or failure. On the balance of probability (at one end of the scale) the quality assurance programme should have identified this as a problem or issue to be addressed; beyond reasonable doubt (at the other end of the scale) the quality control processes should have removed this physical medium (USB cable) from the pool of tools/devices that could be used during an examination process.
The sampling rates for conducted VBUS and VCC etc. tests can be deduced from the USB standards. Full USB compliance test equipment may be expensive for those trading as a one-man business. There are some simple test rigs available which require only a digital multimeter and test cables, and these may offer a lower-cost solution worth investigating.
One such rig is USB Tester from Fried Circuits http://friedcircuits.us/docs/usb-tester
Another rig from the same source is USB Tester and Phone Charging http://friedcircuits.us/docs/usb-tester-and-phone-charging/
Inexpensive rigs like these should not be a problem, but it is essential to carefully document their use in your QA procedures and their requirement to be calibrated.
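As an added illustration (not part of the original post or of the Fried Circuits tester), the following script shows how readings from an inexpensive in-line tester plus a multimeter could be turned into a QA record that either passes a cable or quarantines it. It assumes readings of VBUS at the source side and at the DUT plug end under a known load; the 4.75 V to 5.25 V window is the USB 2.0 high-power port VBUS limit as the author of this example recalls it (confirm against your copy of the standard), and the drop and jitter thresholds are lab-chosen values, not figures from the page.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

VBUS_MIN, VBUS_MAX = 4.75, 5.25   # assumed USB 2.0 high-power port VBUS limits
MAX_DROP_V = 0.25                 # lab-chosen limit for source-to-DUT drop under load
MAX_JITTER_V = 0.05               # lab-chosen limit on DUT-side VBUS standard deviation


@dataclass
class Sample:
    t_s: int            # seconds since start of test
    v_source: float     # VBUS measured at the host/charger side of the cable
    v_dut: float        # VBUS measured at the DUT plug end of the cable
    i_load_a: float     # load current drawn through the cable


@dataclass
class CableRecord:
    cable_id: str
    tester_id: str          # asset tag of the tester, for the calibration trail
    calibration_due: str    # from the QA calendar; recorded with every result
    samples: list = field(default_factory=list)

    def evaluate(self) -> dict:
        """Return the QA verdict together with the figures that support it."""
        if not self.samples:
            raise ValueError("no samples recorded")
        drops = [s.v_source - s.v_dut for s in self.samples]
        # Ohmic resistance of the VCC + ground path, skipping samples with no load
        resist = [d / s.i_load_a for d, s in zip(drops, self.samples) if s.i_load_a > 0]
        v_dut = [s.v_dut for s in self.samples]
        findings = []
        if any(not VBUS_MIN <= s.v_source <= VBUS_MAX for s in self.samples):
            findings.append("source VBUS outside tolerance (suspect host/charger, not cable)")
        if any(v < VBUS_MIN for v in v_dut):
            findings.append("DUT-side VBUS below minimum")
        if max(drops) > MAX_DROP_V:
            findings.append(f"cable drop {max(drops):.3f} V exceeds {MAX_DROP_V} V")
        if len(v_dut) > 1 and pstdev(v_dut) > MAX_JITTER_V:
            findings.append("DUT-side VBUS unstable: intermittent conductor suspected")
        return {
            "cable_id": self.cable_id,
            "tester_id": self.tester_id,
            "calibration_due": self.calibration_due,
            "mean_drop_v": round(mean(drops), 3),
            "max_drop_v": round(max(drops), 3),
            "mean_resistance_ohm": round(mean(resist), 3) if resist else None,
            "findings": findings,
            "verdict": "PASS" if not findings else "QUARANTINE",
        }


def constructed_records():
    """Two constructed data sets: a sound cable and a worn mini-B lead (not real readings)."""
    good = CableRecord("USB-A-miniB-007", "TESTER-01", "2016-03-31")
    worn = CableRecord("USB-A-miniB-012", "TESTER-01", "2016-03-31")
    for t in range(10):
        good.samples.append(Sample(t, 5.05, 4.95, 0.50))
        # Worn VCC conductor: DUT-side VBUS sags and drops out every third second
        v = 4.80 if t % 3 else 4.20
        worn.samples.append(Sample(t, 5.05, v, 0.50))
    return good, worn


if __name__ == "__main__":
    for rec in constructed_records():
        print(rec.evaluate())
```

A quarantined cable is removed from the examination tool pool and the record, including the tester's calibration status, is filed with the QA paperwork.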
There are still numerous matters identified regarding Metrology and USB to discuss, which shall be published shortly. The total sum of these discussion Parts builds eventually to an identified set of criteria that examiners may wish to apply for QA purposes to reduce or remove the USB medium as a source of adverse impact during data acquisition between a DUT and the ET.
Monday, August 31, 2015
First woman to write a computer program
Next year, 2016, will be the 200th birthday of Augusta Ada King, Countess of Lovelace, born 1816. Ada Lovelace, the first woman to write a computer program, is said to have written the first computer program in October 1843, in her translation of Menabrea's paper "Notions sur la machine analytique de M. Charles Babbage" (1842).
Ada's work is recorded in Sketch of the Analytical Engine invented by Charles Babbage, a translation originally published in 1843 in the Scientific Memoirs, 3, 666-73, with one folding chart. This work represented the first edition in English of the first published account of Babbage's Analytical Engine and, significantly, of its logical design (http://psychclassics.yorku.ca/Lovelace/menabrea.htm).
Bromley, Allan G. referred to Ada's translation as "the most important paper in the history of digital computing before modern times" ("The Evolution of Babbage's Calculating Engines", Annals of the History of Computing, 9 (1987), xv).
A more pragmatic explanation of Ada's work (Swade, Doron David, The Cogwheel Brain, 2000, at 165) is that, when supplied with algorithms for the solution of various problems, Ada illustrated in her notes, in the form of charts, the step-wise sequence of events as the machine progressed through a string of instructions input from punched cards. It is this finite work of Ada's that many have referred to as recognised in the 20th century as the first published example of a [computer] "program".
Great woman, unique story and fascinating event in computing history and for the development of information systems.
The information in this discussion is condensed from numerous sources and searches.
History Links
http://psychclassics.yorku.ca/Lovelace/menabrea.htm
https://en.wikipedia.org/wiki/Ada_Lovelace
http://www.historyofinformation.com/expanded.php?id=547
http://www.sophiararebooks.com/pictures/3544a.jpg
Lovelace's diagram from Note G - photo courtesy of http://www.sophiararebooks.com/pictures/3544a.jpg
Tuesday, August 11, 2015
BYOD: Cyber Classification
Having an effective cyber defence requires "identification" of the methodology proposed for each measure adopted in the Critical Security Controls (CSC) programme. The Critical Security Controls listed below have been developed from the combined knowledge of actual attacks and effective defences by experts from every part of the cyber security ecosystem.
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Malware Defences
CSC 6: Application Software Security
CSC 7: Wireless Access Control
CSC 8: Data Recovery Capability
CSC 9: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 11: Limitation and Control of Network Ports, Protocols, and Services
CSC 12: Controlled Use of Administrative Privileges
CSC 13: Boundary Defence
CSC 14: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 15: Controlled Access Based on the Need to Know
CSC 16: Account Monitoring and Control
CSC 17: Data Protection
CSC 18: Incident Response and Management
CSC 19: Secure Network Engineering
CSC 20: Penetration Tests and Red Team Exercises
It is not surprising that, given the adoption of CSC classifications, it would be in the interests of organisations to adopt the short form code associated with the Critical Security Control found to have been breached. For instance, where a BYOD is found to be the cause of the breach it may be said that a CSC-7 breach took place. The use of a short form code:
(i) informs immediately those who are aware of the short form code of the style of breach that has taken place;
(ii) creates standardisation across the organisation;
(iii) enables an organisation's first responder to identify and locate BYODs;
(iv) labels a breach in accordance with the internationally recognised CSC classification;
(v) removes the need for organisations to generate difficult and complex in-house classifications that later require translation, e.g. technically, legally, commercially.
CSC 7: Wireless Access Control
The processes and tools used to track/control/prevent/correct the security use of wireless local area networks (LANs), access points, and wireless client systems.
Why Is This Control Critical?
Major thefts of data have been initiated by attackers who have gained wireless access to organizations from outside the physical building, bypassing organizations' security perimeters by connecting wirelessly to access points inside the organization. Wireless clients accompanying traveling officials are infected on a regular basis through remote exploitation during air travel or in cyber cafes. Such exploited systems are then used as back doors when they are reconnected to the network of a target organization. Still other organizations have reported the discovery of unauthorized wireless access points on their networks, planted and sometimes hidden for unrestricted access to an internal network. Because they do not require direct physical connections, wireless devices are a convenient vector for attackers to maintain long-term access into a target environment.
CSC 7 Procedures and Tools
Effective organizations run commercial wireless scanning, detection, and discovery tools as well as commercial wireless intrusion detection systems.
Additionally, the security team should periodically capture wireless traffic from within the borders of a facility and use free and commercial analysis tools to determine whether the wireless traffic was transmitted using weaker protocols or encryption than the organization mandates. When devices relying on weak wireless security settings are identified, they should be found within the organization's asset inventory and either reconfigured more securely or denied access to the organization network.
Additionally, the security team should employ remote management tools on the wired network to pull information about the wireless capabilities and devices connected to managed systems.
CSC 7 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1) Are systems capable of identifying unauthorized wireless devices or configurations when they are within range of the organization's systems or connected to their networks (yes or no)?
2) How long does it take to generate alerts about unauthorized wireless devices that are detected (time in minutes)?
3) How long does it take for unauthorized wireless devices to be blocked from connecting or isolated from the network (time in minutes)?
4) Are additional alerts generated every 24 hours after the initial alert until the system is isolated or removed from the network (yes or no)?
5) Is the system able to identify the location, department, and other details of where authorized and unauthorized wireless devices are plugged into the network (yes or no)?
CSC 7 Automation Metrics
In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:
1) How many rogue wireless access points have been discovered recently in the organization (by business unit)? This should include non-persistent, temporary and transient access points.
2) What is the average time that it takes to remove rogue access points from the organization's network (by business unit)?
3) How many wireless access points or clients have been discovered using an unauthorized wireless configuration recently in the organization (by business unit)?
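As an added example (not from the post or from the CSC document), the script below shows what the CSC 7 automation metrics look like once a wireless scan is matched against the authorised asset inventory: rogue access points by business unit, mean time to remove them, access points using a configuration the organisation does not mandate, and the 24-hour re-alert check from effectiveness metric 4. The inventory, the mandated security setting and the scan results are all constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Constructed authorised inventory (the CSC 1 device inventory feeding CSC 7):
# BSSID -> (SSID, business unit, security setting the AP should be running)
AUTHORISED_APS = {
    "aa:bb:cc:00:00:01": ("CORP-WIFI", "finance", "WPA2-ENTERPRISE"),
    "aa:bb:cc:00:00:02": ("CORP-WIFI", "ops", "WPA2-ENTERPRISE"),
}
MANDATED_SECURITY = {"WPA2-ENTERPRISE"}   # assumed organisational mandate
REALERT_AFTER = timedelta(hours=24)       # CSC 7 effectiveness metric 4


@dataclass
class Observation:
    bssid: str
    ssid: str
    security: str
    unit: str                       # business unit whose sensor saw the AP
    seen: str                       # ISO 8601 time of first detection
    removed: Optional[str] = None   # ISO 8601 time of isolation/removal, if any


def classify(obs: Observation) -> str:
    """Authorised, unauthorised configuration, or rogue (not in the inventory)."""
    entry = AUTHORISED_APS.get(obs.bssid)
    if entry is None:
        # Covers an AP broadcasting the corporate SSID without being in inventory
        return "rogue-ap"
    ssid, _unit, _security = entry
    if obs.ssid != ssid or obs.security not in MANDATED_SECURITY:
        return "unauthorised-config"
    return "authorised"


def csc7_metrics(observations: list, now: str) -> dict:
    """Automation metrics 1-3 plus the list of open rogue APs due a repeat alert."""
    now_dt = datetime.fromisoformat(now)
    rogue_by_unit: dict = {}
    unauth_by_unit: dict = {}
    removal_minutes: list = []
    realert: list = []
    for o in observations:
        kind = classify(o)
        if kind == "authorised":
            continue
        bucket = rogue_by_unit if kind == "rogue-ap" else unauth_by_unit
        bucket[o.unit] = bucket.get(o.unit, 0) + 1
        if kind != "rogue-ap":
            continue
        seen_dt = datetime.fromisoformat(o.seen)
        if o.removed:
            gone = datetime.fromisoformat(o.removed) - seen_dt
            removal_minutes.append(gone.total_seconds() / 60)
        elif now_dt - seen_dt >= REALERT_AFTER:
            realert.append(o.bssid)   # still present a day later: alert again
    return {
        "rogue_aps_by_unit": rogue_by_unit,
        "unauthorised_config_by_unit": unauth_by_unit,
        "mean_minutes_to_remove_rogue": round(mean(removal_minutes), 1) if removal_minutes else None,
        "open_rogue_realert": realert,
    }


def constructed_scan() -> list:
    """Constructed scan results for one demonstration day; not real network data."""
    return [
        Observation("aa:bb:cc:00:00:01", "CORP-WIFI", "WPA2-ENTERPRISE", "finance", "2015-08-11T09:00:00"),
        # Inventory AP left on a weaker setting than the organisation mandates
        Observation("aa:bb:cc:00:00:02", "CORP-WIFI", "WPA2-PSK", "ops", "2015-08-11T09:05:00"),
        Observation("de:ad:be:ef:00:01", "FreeWifi", "OPEN", "finance",
                    "2015-08-11T09:00:00", "2015-08-11T09:45:00"),
        # Corporate SSID on a BSSID that is not in inventory: rogue, not misconfiguration
        Observation("de:ad:be:ef:00:02", "CORP-WIFI", "WPA2-PSK", "ops",
                    "2015-08-11T10:00:00", "2015-08-11T10:15:00"),
        # Personal hotspot first seen the previous day and still present
        Observation("de:ad:be:ef:00:03", "phone-hotspot", "WPA2-PSK", "ops", "2015-08-10T11:00:00"),
    ]


if __name__ == "__main__":
    print(csc7_metrics(constructed_scan(), "2015-08-11T12:00:00"))
```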
CSC 7 Effectiveness Test
To evaluate the implementation of Control 7 on a periodic basis, the evaluation team has to configure 10 unauthorized but hardened wireless clients and wireless access points to the organization's network and attempt to connect them to its wireless networks. In the case of wireless access points, these access points have to not be directly connected to the organization's trusted network. Instead, they have to simply be configured to act as a wireless gateway without physically connecting to a wired network interface. In the case of scanning for wireless access points from a wired interface, the connected access point has to have the wireless radio disabled for the duration of the test. These systems have to be configured to test each of the following scenarios:
• A wireless client with an unauthorized service set identifier configured on it.
• A wireless client with improper encryption configured.
• A wireless client with improper authentication configured.
• A wireless access point with improper encryption configured.
• A wireless access point with improper authentication configured.
• A completely rogue wireless access point using an unauthorized configuration.
When any of the above-noted systems attempt to connect to the wireless network, an alert has to be generated and enterprise staff has to respond to the alerts to isolate the detected device or remove the device from the network.
CSC 7 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.
A control system is a device or set of devices used to manage, command, direct, or regulate the behaviour of other devices or systems. In this case, we are examining the configuration and management of wireless devices, wireless IDS/scanners, wireless device management systems, and vulnerability scanners. The list of the steps shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
• Step 1: Hardened configurations applied to wireless devices.
• Step 2: Hardened configurations managed by a configuration management system.
• Step 3: Configuration management system manages the configurations on wireless devices.
• Step 4: Wireless IDS monitor usage of wireless communications.
• Step 5: Vulnerability scanners scan wireless devices for potential vulnerabilities.
• Step 6: Wireless clients utilize wireless infrastructure systems in a secure manner.
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Malware Defences
CSC 6: Application Software Security
CSC 7: Wireless Access Control
CSC 8: Data Recovery Capability
CSC 9: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 11: Limitation and Control of Network Ports, Protocols, and Services
CSC 12: Controlled Use of Administrative Privileges
CSC 13: Boundary Defence
CSC 14: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 15: Controlled Access Based on the Need to Know
CSC 16: Account Monitoring and Control
CSC 17: Data Protection
CSC 18: Incident Response and Management
CSC 19: Secure Network Engineering
CSC 20: Penetration Tests and Red Team Exercises
It is not surprising that given the adoption of CSC classifications it would be in the interests of organisations to adopt the short form code associated with the Critical Security Control in place found to have been breached. For instance where a BYOD is found to be the cause of the breach it may be said a CSC-7 breach took place. The use of a short form code
(i) informs immediately those who are aware of the short form code of the style of breach taken place.
(ii) creates standardization across the organisation
(iii) enables an organisation's first responder to identify and locate BYODs
(iv) labels a breach in accordance with internationally recognised CSC classification
(v) removes the need for organisations to generate in-house difficult and complex classifications that later require translation e.g. technically, legally, commercially......
CSC 7: Wireless Access Control
The processes and tools used to track/control/prevent/correct the security use of wireless local area networks (LANs), access points, and wireless client systems.
Why Is This Control Critical?
Major thefts of data have been initiated by attackers who have gained wireless access to organizations from outside the physical building, bypassing organizations' security perimeters by connecting wirelessly to access points inside the organization. Wireless clients accompanying traveling officials are infected on a regular basis through remote exploitation during air travel or in cyber cafes. Such exploited systems are then used as back doors when they are reconnected to the network of a target organization. Still other organizations have reported the discovery of unauthorized wireless access points on their networks, planted and sometimes hidden for unrestricted access to an internal network. Because they do not require direct physical connections, wireless devices are a convenient vector for attackers to maintain long-term access into a target environment.
CSC 7 Procedures and Tools
Effective organizations run commercial wireless scanning, detection, and discovery tools as well as commercial wireless intrusion detection systems.
Additionally, the security team should periodically capture wireless traffic from within the borders of a facility and use free and commercial analysis tools to determine whether the wireless traffic was transmitted using weaker protocols or encryption than the organization mandates. When devices relying on weak wireless security settings are identified, they should be found within the organization's asset inventory and either reconfigured more securely or denied access to the
organization network.
Additionally, the security team should employ remote management tools on the wired network to pull information about the wireless capabilities and devices connected to managed systems.
CSC 7 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1) Are systems capable of identifying unauthorized wireless devices or configurations when they are within range of the organization's systems or connected to their networks (yes or no)?
2) How long does it take to generate alerts about unauthorized wireless devices that are detected (time in minutes)?
3) How long does it take for unauthorized wireless devices to be blocked from connecting or isolated from the network (time in minutes)?
4) Are additional alerts generated every 24 hours after the initial alert until the system is isolated or removed from the network (yes or no)?
5) Is the system able to identify the location, department, and other details of where authorized and unauthorized wireless devices are plugged into the network (yes or no)?
CSC 7 Automation Metrics
In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:
1) How many rogue wireless access points have been discovered recently in the organization (by business unit)? This should include non-persistent, temporary and transient access points.
2) What is the average time that it takes to remove rogue access points from the organization's network (by business unit)?
3) How many wireless access points or clients have been discovered using an unauthorized wireless configuration recently in the organization (by business unit)?
CSC 7 Effectiveness Test
To evaluate the implementation of Control 7 on a periodic basis, the evaluation team must configure 10 unauthorized but hardened wireless clients and wireless access points and attempt to connect them to the organization's wireless networks. In the case of wireless access points, these must not be directly connected to the organization's trusted network; instead, they must simply be configured to act as a wireless gateway without physically connecting to a wired network interface. In the case of scanning for wireless access points from a wired interface, the connected access point must have its wireless radio disabled for the duration of the test. These systems must be configured to test each of the following scenarios:
• A wireless client with an unauthorized service set identifier configured on it.
• A wireless client with improper encryption configured.
• A wireless client with improper authentication configured.
• A wireless access point with improper encryption configured.
• A wireless access point with improper authentication configured.
• A completely rogue wireless access point using an unauthorized configuration.
When any of the above-noted systems attempt to connect to the wireless network, an alert has to be generated and enterprise staff has to respond to the alerts to isolate the detected device or remove the device from the network.
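The procedures and the effectiveness test above say what a wireless scanner must catch but not what the comparison against the asset inventory looks like. The following is an added example, not part of the CSC 7 text and not code from any vendor tool: it takes a list of access points as a scanner would report them, checks each against the organization's inventory and mandated security profile, and raises one finding per deviation, covering the access-point scenarios of the test (unauthorized SSID, improper encryption, improper authentication, rogue AP). The client-side scenarios need data from the wired-side management tools instead and are not covered. Every BSSID, SSID and location below is a constructed sample value; the class and field names are this example's own.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example: audit observed access points against the asset inventory.
public class WirelessAudit {

    // One access point as a scanner reports it (constructed fields).
    // cipher: CCMP, TKIP, WEP or NONE; auth: EAP (802.1X), PSK or OPEN.
    public static final class Observation {
        public final String bssid, ssid, cipher, auth;
        public Observation(String bssid, String ssid, String cipher, String auth) {
            this.bssid = bssid; this.ssid = ssid; this.cipher = cipher; this.auth = auth;
        }
    }

    // What the inventory says an authorized radio must run, plus where it is
    // installed so an alert can name the location (effectiveness metric 5).
    public static final class InventoryEntry {
        public final String ssid, cipher, auth, location;
        public InventoryEntry(String ssid, String cipher, String auth, String location) {
            this.ssid = ssid; this.cipher = cipher; this.auth = auth; this.location = location;
        }
    }

    public enum Kind { ROGUE_AP, UNAUTHORIZED_SSID, IMPROPER_ENCRYPTION, IMPROPER_AUTH }

    public static final class Finding {
        public final Kind kind; public final Observation ap; public final String detail;
        Finding(Kind kind, Observation ap, String detail) { this.kind = kind; this.ap = ap; this.detail = detail; }
        @Override public String toString() { return kind + " " + ap.bssid + " '" + ap.ssid + "': " + detail; }
    }

    // Ciphers the organization mandates; anything else is weaker than policy.
    private static final Set<String> STRONG_CIPHERS = Set.of("CCMP");

    public static List<Finding> audit(List<Observation> scan,
                                      Map<String, InventoryEntry> inventory,
                                      Set<String> authorizedSsids) {
        List<Finding> findings = new ArrayList<>();
        for (Observation ap : scan) {
            InventoryEntry known = inventory.get(ap.bssid);
            if (known == null) {
                // A radio the inventory does not know. If it advertises one of the
                // organization's own SSIDs it gets the highest priority, because
                // clients may join it instead of the real network.
                Kind kind = authorizedSsids.contains(ap.ssid) ? Kind.ROGUE_AP : Kind.UNAUTHORIZED_SSID;
                findings.add(new Finding(kind, ap, "BSSID not in asset inventory"));
                continue;
            }
            if (!known.ssid.equals(ap.ssid)) {
                findings.add(new Finding(Kind.UNAUTHORIZED_SSID, ap,
                        "expected '" + known.ssid + "' at " + known.location));
            }
            if (!STRONG_CIPHERS.contains(ap.cipher) || !ap.cipher.equals(known.cipher)) {
                findings.add(new Finding(Kind.IMPROPER_ENCRYPTION, ap,
                        ap.cipher + " observed, " + known.cipher + " mandated at " + known.location));
            }
            if (!ap.auth.equals(known.auth)) {
                findings.add(new Finding(Kind.IMPROPER_AUTH, ap,
                        ap.auth + " observed, " + known.auth + " mandated at " + known.location));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed inventory and scan results, not real devices.
        Map<String, InventoryEntry> inventory = Map.of(
                "00:11:22:33:44:01", new InventoryEntry("CORP-STAFF", "CCMP", "EAP", "Building A, floor 2"),
                "00:11:22:33:44:02", new InventoryEntry("CORP-GUEST", "CCMP", "PSK", "Lobby"),
                "00:11:22:33:44:03", new InventoryEntry("CORP-STAFF", "CCMP", "EAP", "Building B, floor 1"));
        Set<String> authorizedSsids = Set.of("CORP-STAFF", "CORP-GUEST");
        List<Observation> scan = List.of(
                new Observation("00:11:22:33:44:01", "CORP-STAFF", "CCMP", "EAP"),  // compliant
                new Observation("00:11:22:33:44:02", "CORP-GUEST", "TKIP", "PSK"),  // downgraded cipher
                new Observation("00:11:22:33:44:03", "CORP-STAFF", "CCMP", "PSK"),  // wrong authentication
                new Observation("aa:bb:cc:dd:ee:01", "CORP-STAFF", "CCMP", "PSK"),  // unknown radio, corporate SSID
                new Observation("aa:bb:cc:dd:ee:02", "FreeWifi",   "NONE", "OPEN")); // unknown radio, own SSID
        for (Finding f : audit(scan, inventory, authorizedSsids)) {
            System.out.println("ALERT " + f);
        }
    }
}
```

Run against the constructed scan, the first observation raises nothing and the other four each raise one alert (IMPROPER_ENCRYPTION, IMPROPER_AUTH, ROGUE_AP, UNAUTHORIZED_SSID), which is the alert-per-scenario behaviour the test requires. Feeding real scanner output in place of the sample list and timing the gap between scan and alert gives effectiveness metrics 2 and 3 directly.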
CSC 7 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.
A control system is a device or set of devices used to manage, command, direct, or regulate the behaviour of other devices or systems. In this case, we are examining the configuration and management of wireless devices, wireless IDS/scanners, wireless device management systems, and vulnerability scanners. The list of the steps shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
• Step 1: Hardened configurations applied to wireless devices.
• Step 2: Hardened configurations managed by a configuration management system.
• Step 3: Configuration management system manages the configurations on wireless devices.
• Step 4: Wireless IDS monitors usage of wireless communications.
• Step 5: Vulnerability scanners scan wireless devices for potential vulnerabilities.
• Step 6: Wireless clients utilize wireless infrastructure systems in a secure manner.
Sunday, August 02, 2015
National Digital Science and Justice Office (NDSJO)
A forum discussion I read recently mentioned a Digital Forensics Capability Review. The discussion also identified the document that forms the basis of this review: http://www.researchgate.net/publication/269332581_Digital_Forensics__Capability_Review
There were some good responses from forum members. Those responses, combined with the initial enquiry and the downloaded reference document, suggested to me that continually tinkering here and there with different elements of "digital forensics" is perhaps why there is no real substantive change consolidating "digital forensics". There is a desire to galvanise a unifying system, but as digital forensics is made up of so many constituent elements it may be quite difficult to know where to start.
Some observations:
1) Industry-specific foundation materials are needed to make ISO/IEC 17025 work; the latter document tries to be all things to all men - ISO/IEC 17025 is used by many industries, from chemical production, metals, drugs and fertilisers through to food products etc. People may passionately argue it is the right standard to follow. ISO/IEC 17025 is a commercially orientated document for business. It outlines what is expected to get business but not how to go about achieving the results it defines should be met. Achieving the result requires specific i) competencies, ii) knowledge, iii) skillsets and iv) experience, which are not defined when simply applying over-arching generic principles.
2) A document that should be replaced is the "Association of Chief Police Officers (ACPO) Principles (ACPO, 2012)". There should be in its place an industry document for digital forensic principles similar to the US NIST documents. This document should be for all and created by all, and not created by public servants. Just because a document is not 'authorised' as the de facto standard doesn't mean to say it isn't being used in that way to ensure public funds are misguidedly placed in only certain sectors. This means an industry document would apply to everyone following the same criteria set by a 'body', as opposed to the "don't do what we do, do what we say" brigade.
3) There needs to be a body such as a National Digital Science and Justice Office (NDSJO) that is not run by public or private cronies or apparatchiks but by an elected office, with elections every five years and no employment-for-life positions. It is important that at least one active or retired Senior Judge should be elected to a post responsible for safeguarding independence, objectivity and impartiality, with the legal authority to enforce that.
3.1) The NDSJO shall avoid discrimination of any sort, and shall publish lists of those engaged by the NDSJO measured against criteria such as "age", "sex", "ethnicity" etc., and identify and put deterrents in place to prevent favour to one particular group of persons or political pressures.
3.2) The NDSJO shall feed knowledge into the national schools, academies and colleges science education system for the future development of our children.
3.3) The NDSJO shall also provide for a membership and membership fee to ensure wisdom, knowledge, skills and experience thrive within the NDSJO.
3.4) The NDSJO shall work with the Competition Commission etc. to detect and stop cartels or monopolies on public sector contracts. The higher proportion of public sector contracts should go to small and medium sized businesses to help them grow and to avoid large organisations dumping high levels of staff, which can undermine the British economy.
3.5) The NDSJO shall prevent major contract holders suppressing salaries, wages or self-employed payments and skimming off profits whilst forcing sub-contractors to constantly find savings, causing significant detriment to work performance and to the salaries/wages/self-employed payments that, when unfettered, influence an upturn in the British economy.
3.6) The NDSJO shall be responsible for preparing and producing particular digital science industry documents.
4) All manufacturers providing purchased or free tools (software and hardware) to be used for acquiring evidence whether commercial or forensic tools shall be registered with the NDSJO. Manufacturers shall legally self-certify their product as fit for purpose and those who sell tools provide the necessary insurance for all claims. The NDSJO to identify insurance schemes for free tools that have been produced through goodwill but having an effective and affective role when used in acquiring evidence. The latter may equally involve the user of the free tool providing an insurance that might be encapsulated as part of the membership fee of the NDSJO.
...is it true that someone is smiling on the plans above? Well it could act as a needed fillip to the British economy.
Sunday, July 05, 2015
USB2USB File Management
Now here is a brilliant design, highly lauded by the design media back in 2012/2013, that for some reason has yet to see the light of day. That is a pity really, as it has the potential to provide the answer to a number of student final year project ideas. For instance:
[Idea by Kkie21] "I was thinking about writing a program that would be put onto a USB stick and then once connected to an Android device it will forensically image it. Everything will be placed on the USB stick which will be write protected once the data is copied."
There had been the suggestion that a USB stick has no screen thus making it difficult to see any form of displayed comparison between DUT storage device and recording device transferred data etc.
I had suggested "Before you give up on your idea, are you willing to compromise on your physical device?
ChipDrive from Towitoko has previously been used for mobile SIM Card reading. Maybe check with the company to see if they have a USB version. If so then this would be a GUI sufficient to display commands, icons and/or progress indicator. Also there are control keys around the edge that could be used for stop/start etc.
As mentioned above, this device has been used previously and programmed for reading and writing in fields other than time keeping and SIM card reading.
Have a look and see whether it meets your 13-week project management schedule.
http://www.chipdrive.de/index.php/en/smart-card-solutions/time-tracking-solutions/chipdrive-time-recording-kit.htm"
However, when I look at this prototype design below, the ability of USB2USB to connect with varying interfaces, its user navigation buttons and screen, etc., could make this product, subject to spec, suitable for the above project idea. I really like the design of this product.
- 3 millimeters thick
- fits easily into your wallet
- equipped with an OLED touchscreen
- SD card slot
- 2 USB connectors.
[*Yankodesign said] This device reads most popular types of external memory cards and flash drives. Users only need to plug in the external cards or flashdrives to view the files and folders. Then they can browse the contents of the USB flashdrive and a preview of the selected file will be displayed on the background of the touchscreen display. The files can be transferred or copied by using its drag-and-drop function. The USB connectors, which come with flexible rubberized wires that integrate with the shape of the device, are detachable when in use. This device can be charged directly using the USB connector.
Designers: Saharudin Busri, Mohd Nizam Najmuddin, Mohd Rohaizam Mohd Tahar, Nuzairi Yasin, Nazjimee Amat Omar - MIMOS Berhad http://www.mimos.my/
*http://www.yankodesign.com/2013/01/02/usb-2-usb-and-more%E2%80%A6/
Sunday, June 14, 2015
Android Copy and Paste - what risks?
This discussion may be relevant and useful to the process of evidence gathering, eDiscovery investigations and examiner procedures, and to experienced examiners or investigators, those new to the industry, or students who may be unaware of this subject matter.
Android OS version – Ice Cream Sandwich
COPY AND PASTE
The manual examination test applied: select a new, blank SMS test message page and apply continued finger pressure to the text message field. The DUT vibrates and the dialogue box offers two options: PASTE or CLIPBOARD (see image below). Select CLIPBOARD.
The DUT responds with a multiple-choice list of previously copied data that may be reused. The first entry box is a message copied from the Samsung SMS text message application. The copied data with a stated date and time stamp in the fourth entry box is data copied from a message in WhatsApp.
The Android clipboard-based framework (Android Content Provider) enables copy and paste directly to and from the clipboard not only of simple text but also complex data structures, text and binary stream data and application assets.
Key Classes
- ClipboardManager
- ClipData
- ClipData.Item
- ClipDescription
- Uri
- ContentProvider
- Intent
This content provider enables objects stored on the clipboard to be distributed among user applications, subject to the permission granted for copying and pasting outside of a particular application.
The practical application of clipboard copy and paste might be generally understood by smartphone users, but the less experienced smartphone user may not know or realise that items stored on the clipboard may still reside in memory on particular smartphones long after the paste function was used. The same might also apply to examiners relying on data extracted and harvested from a DUT (device under test) using a particular examination tool of choice. The tool may not logically recover clipboard objects. Moreover, the copied data may not be distinguishable from a deleted SMS message when carving data from a physical extracted dump (JTAG/chip off), so checking what the clipboard holds is important.
Conduct a test on a smartphone of your choice. In tests run on a random number of makes/models, not all were found to allow revisiting pasted data from previous copying, and not all allowed data copied in one application (e.g. WhatsApp) to be made available to another (e.g. text messaging). Thus, manual examination might need to be applied during an examination process in order to determine during discovery any vital data (evidence) excluded during a tool's recovery procedure.
As there are variances between makes/models, it equally raises concerns of any missed opportunities to recover data during past examinations.
DUT – Samsung GT-I9100P
Note the format change of the date, and the clock is out by one minute when cross-referenced to the WhatsApp image below. Is this down to conversion from one application to another? Are there two clocks being used on the same smartphone? Was the SMS message created first and copied and pasted into WhatsApp? Or is it something else?
Further issues to be considered. Subject to the matter mentioned above regarding permission granted to copy and paste outside of a particular application, Android in itself does not require any permission to write data to or read data from the clipboard. Consequently, this can leave a security loophole in place where an application requires a user to copy their credentials (passwords, PINs etc.) first before the user may make use of the application.
Moreover, android.content.ClipboardManager.OnPrimaryClipChangedListener is an interface within the Android SDK enabling a listener call-back that is invoked each time a clipboard item changes. A change in password, PIN etc. updated by a particular application could update the data previously stored on the clipboard. This could be problematical, causing a breach in security if malware were to be unintentionally installed on the smartphone and the credentials then leaked to an outside source. Smartphone security for copy and paste therefore can only be as good as the permissions granted within the applications being installed and used.
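To make the key classes listed above and the loophole just described concrete, here is an added example written for this post; it is not code from the original post, from the Android SDK samples or from any named app. It shows (1) how a test harness or examiner reads the primary clip, (2) the risky pattern of an app placing a credential on the clipboard, (3) a defensive variant that overwrites the value after a short window, and (4) the change listener through which any installed app learns of every copy. It targets API 11 and later, where ClipboardManager and ClipData exist; the class name, method names and the 30-second retention window are this example's own assumptions.

```java
import android.content.ClipData;
import android.content.ClipDescription;
import android.content.ClipboardManager;
import android.content.Context;
import android.os.Handler;
import android.util.Log;

// Added example: clipboard inspection and hygiene on Android (API 11+).
public final class ClipboardHygiene {
    private static final String TAG = "ClipboardHygiene";
    private static final long CLEAR_AFTER_MS = 30_000L; // assumed 30 s retention window

    private ClipboardHygiene() {}

    private static ClipboardManager manager(Context ctx) {
        return (ClipboardManager) ctx.getSystemService(Context.CLIPBOARD_SERVICE);
    }

    // (1) Reads whatever is on the clipboard. No permission is declared or checked
    // for this call on the Android versions discussed above: that is the loophole.
    public static String describePrimaryClip(Context ctx) {
        ClipboardManager cm = manager(ctx);
        if (!cm.hasPrimaryClip()) return "clipboard empty";
        ClipData clip = cm.getPrimaryClip();
        ClipDescription desc = clip.getDescription();
        StringBuilder sb = new StringBuilder("label=").append(desc.getLabel());
        for (int i = 0; i < desc.getMimeTypeCount(); i++) {
            sb.append(" mime=").append(desc.getMimeType(i));
        }
        for (int i = 0; i < clip.getItemCount(); i++) {
            ClipData.Item item = clip.getItemAt(i);
            // coerceToText resolves Uri and Intent items through the ContentProvider
            // that owns them, which is how non-text clips cross application boundaries.
            sb.append(" item[").append(i).append("]=").append(item.coerceToText(ctx));
        }
        return sb.toString();
    }

    // (2) The pattern the post warns about: a credential is copied so the user can
    // paste it into the app. From this moment every installed app can read it.
    public static void copyCredentialUnsafely(Context ctx, String secret) {
        manager(ctx).setPrimaryClip(ClipData.newPlainText("password", secret));
    }

    // (3) If a copy cannot be avoided, overwrite the clip after a short window so the
    // value does not sit in clipboard memory long after it was pasted. Only our own
    // value is overwritten, in case the user has copied something else since.
    public static void copyCredentialWithExpiry(Context ctx, final String secret) {
        final ClipboardManager cm = manager(ctx);
        cm.setPrimaryClip(ClipData.newPlainText("", secret)); // empty label gives no hint
        new Handler(ctx.getMainLooper()).postDelayed(new Runnable() {
            @Override public void run() {
                ClipData current = cm.getPrimaryClip();
                if (current == null || current.getItemCount() == 0) return;
                CharSequence text = current.getItemAt(0).getText();
                if (text != null && secret.contentEquals(text)) {
                    cm.setPrimaryClip(ClipData.newPlainText("", ""));
                }
            }
        }, CLEAR_AFTER_MS);
    }

    // (4) The call-back the post describes. An app that registers this is told of
    // every clipboard change made by any other app. Here it logs only the label,
    // not the content, which is enough to confirm on a device under test that the
    // channel exists.
    public static ClipboardManager.OnPrimaryClipChangedListener watchForChanges(Context ctx) {
        final ClipboardManager cm = manager(ctx);
        ClipboardManager.OnPrimaryClipChangedListener listener =
                new ClipboardManager.OnPrimaryClipChangedListener() {
                    @Override public void onPrimaryClipChanged() {
                        ClipDescription desc = cm.hasPrimaryClip() ? cm.getPrimaryClip().getDescription() : null;
                        Log.i(TAG, "primary clip changed: "
                                + (desc == null ? "(empty)" : "label=" + desc.getLabel()));
                    }
                };
        cm.addPrimaryClipChangedListener(listener);
        return listener; // hand back to cm.removePrimaryClipChangedListener(...) when finished
    }
}
```

On a test handset, calling describePrimaryClip after copying from the SMS application and again after copying from WhatsApp shows the label and MIME type each application attaches, which is what an examiner can compare against the clipboard objects (if any) that the extraction tool of choice reports. The defensive variant does not remove the underlying risk, since the value is still world-readable for the retention window; the only complete fix is for an application not to ask users to route credentials through the clipboard at all.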
Observations. An examiner/investigator who, when analysing security, refers only to the latest makes/models of smartphones or apps on the market may well be using a flawed analytical approach. There are a considerable number of handsets out there which are in use on a day-to-day basis for work and personal activity. These can be, e.g., 5 to 10 years old. Operators are currently offering an alternative to subsidised handsets by offering SIM ONLY contracts. The smartphone won't be updated. Companies may well fail in their fiduciary responsibilities and duty of care, owed at board level to the company, by offloading natural company expenditure, i.e. by avoiding providing communication devices to company employees. In fostering the notion that employees should BYOD (bring your own device), the employee is in fact playing a part in subsidising a company's communications system and therefore its security; this retains the opportunity for security loopholes to be created by employers assuming that smartphone users know everything about their smartphone, which is a fallacy.
Sunday, June 07, 2015
Metrology - USB part 1
With smartphones, tablets and other devices fitting the description Size-Scaled Digital Technology (SSDT), USB physical connectivity provides the simplest illustration of an examination DUT, e.g. the combination of three separate entities involved in inter-connection during an examination:
1) The DUT, the target device (SSDT), containing suspected evidence
2) The physical medium (USB) to carry the source data to the examination tool
3) The examination tool (ET) used to extract and harvest evidence
It is possible to extrapolate even greater numbers of inter-connected entities but then it would be simpler, if I were to do that, to simply write a book instead of writing this blog post. Moreover, greater numbers of inter-connections exponentially introduce the potential for higher risk of failure relevant to an entity's MTBF (mean time between failure) and MTTF (mean time to failure).
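The post does not spell out how the failure figures of the three entities combine. The standard series-reliability model, added here as a worked equation and not taken from the post, does; it assumes the entities fail independently with constant failure rates, which is an assumption rather than a measured property of any particular DUT, cable or tool.

```latex
\text{Let entity } i \in \{\mathrm{DUT}, \mathrm{USB}, \mathrm{ET}\} \text{ fail independently at constant rate } \lambda_i, \text{ so}

R_i(t) = e^{-\lambda_i t}, \qquad
\mathrm{MTTF}_i = \int_0^\infty R_i(t)\,dt = \frac{1}{\lambda_i}.

\text{The examination succeeds only if every entity works, so}

R_{\mathrm{chain}}(t) = R_{\mathrm{DUT}}(t)\,R_{\mathrm{USB}}(t)\,R_{\mathrm{ET}}(t)
 = e^{-(\lambda_{\mathrm{DUT}} + \lambda_{\mathrm{USB}} + \lambda_{\mathrm{ET}})\,t},

\mathrm{MTTF}_{\mathrm{chain}} = \int_0^\infty R_{\mathrm{chain}}(t)\,dt
 = \frac{1}{\lambda_{\mathrm{DUT}} + \lambda_{\mathrm{USB}} + \lambda_{\mathrm{ET}}},
\qquad
\frac{1}{\mathrm{MTTF}_{\mathrm{chain}}} = \sum_i \frac{1}{\mathrm{MTTF}_i}.
```

For repairable entities the same expression gives the MTBF of the chain. Every added entity shortens it: with three entities each rated at a constructed 10,000 h, the chain's figure is 10,000/3, about 3,333 h, and a fourth entity at the same rating brings it down to 2,500 h. This is why eliminating the USB medium first, as the post goes on to argue, narrows the remaining fault to the DUT, the ET or both.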
[British scientist Sir William Thomson (Lord Kelvin, 1824 - 1907) concisely captured the aspect of knowledge so that others can study the observations and apply the results without having to repeat the experiment, when he wrote: “When you can measure what you are speaking about and express it in numbers, you know what you are talking about.”]
SSDT - USB - ET provides a useful basis upon which to consider metrological traceability:
"A core concept in metrology is metrological traceability,[7] defined by the Joint Committee for Guides in Metrology as "property of a measurement result whereby the result can be related to a reference through a documented unbroken chain of calibrations, each contributing to the measurement uncertainty".[8] Metrological traceability permits comparison of measurements, whether the result is compared to the previous result in the same laboratory, a measurement result a year ago, or to the result of a measurement performed anywhere else in the world."
http://en.wikipedia.org/wiki/Metrology#Metrological_traceability
An excellent source of reference for definitions for the science of measurement is:
International vocabulary of metrology — Basic and general concepts and associated terms (VIM)
Vocabulaire international de métrologie — Concepts fondamentaux et généraux et termes associés (VIM)
http://www.bipm.org/utils/common/documents/jcgm/JCGM_200_2008.pdf
International vocabulary of metrology – Basic and general concepts and associated terms (VIM) 3rd edition (2008 version with minor corrections)
Vocabulaire international de métrologie – Concepts fondamentaux et généraux et termes associés (VIM)
3e édition (Version 2008 avec corrections mineures).
http://www.bipm.org/utils/common/documents/jcgm/JCGM_200_2012.pdf
Why have I shown two versions of the same document? Traceability is the answer. Building a quality system requires identification of the reference materials upon which test measurements are (or have been in the past) conducted. Anyone involved in lab preparation and in running a lab should be aware that the standards ISO/IEC 17025 and ISO 9001 identify principles that may be adopted for a wide range of industries etc. It is only when drilling down into how these principles should be applied in practice that one becomes aware of how, metaphorically speaking, naked one is without something or someone else pointing to a path to follow.
VIM is an acknowledged and established international standard that can be referenced for defining the naming conventions for testing. Of course, there is still the need for knowledge, skill and experience for operating under lab conditions. The early works of Scroggie and Johnstone even today provide useful observations about various aspects of testing in a laboratory environment; these can be found in the Radio and Electronic Laboratory Handbook, 1980 edition (Marcus Graham Scroggie and George Gordon Johnstone, ISBN 0-408-00373-1 and ISBN-13 9780408003735). The book is available from Amazon and from reputable booksellers.
There are a range of other reference materials from testing through to calibration. For instance NASA (Deep Space Network) http://deepspace.jpl.nasa.gov/dsndocs/810-005/214/214-1.pdf ; Laboratories for the Design and Assembly of Electronic Devices using Surface Mount Components conferencepaper.pdf ; Handbook of Laboratory Experiments in Electrical and Electronics Vol.3 (Adamu Murtala Zungeru; James G. Ambafi ISBN 9781497507203) ; and the list goes on. These reference materials are in addition to publications produced by the FBI, NIST, ACPO etc...
This discussion started out by referring to the physical medium, USB, used to carry the source data from the DUT to the examination tool (ET). The relevance of doing so is that if the examiner eliminates the medium as the cause of failure or corrupted evidence, then the logical conundrum that remains is: is the DUT at fault, is the ET at fault, or are both DUT and ET together faulty?
To understand the technical properties for USB look here:
USB Type C
http://www.usb.org/developers/usbtypec/
http://www.usb.org/developers/docs/
http://www.usb.org/developers/docs/usb_31_060115.zip
This version of USB specification is identified, not simply from personal experience, but due to industry adoption of the standard:
(a) http://www.usb.org/press/USB_Type-C_Specification_Announcement_Final.pdf
(b) http://arstechnica.com/gadgets/2014/08/small-reversible-usb-type-c-connector-finalized/
Image credited to http://arstechnica.com/gadgets/2014/08/small-reversible-usb-type-c-connector-finalized/
(c) https://support.apple.com/en-gb/HT204360 etc...
A testing schedule for MTBF and MTTF cannot be created unless the device class using a version of the USB specifications is corroborated:
Device Classes (some useful resource materials)
http://www.usb.org/developers/docs/devclass_docs/
http://www.atmel.com/dyn/resources/prod_documents/doc4322.pdf
http://www.linux-usb.org/usbnet/
http://cscott.net/usb_dev/data/devclass/usbcdc11.pdf
Moreover, if USB 3.0 is backward compatible with USB 2.0 could USB 3.0 be used as the de facto standard for all SSDTs to assist defining MTBF and MTTF?
What about USB plug/port sizes, would these create different test requirements?
Lastly, and to close Part 1 of this blog discussion, there is another question equally worth asking: "Does a manufacturer's/supplier's warranty for 12 or 24 months mean that lab testing is not necessary for the period of the warranty in question?"
Previous discussion under Metrology
http://trewmte.blogspot.co.uk/2015/05/metrology.html
Knowing DUT memory
http://trewmte.blogspot.co.uk/2015/05/knowing-dut-memory.html
1) DUT (the target device (SSDT) containing suspected evidence
2) The physical medium (USB) to carry the source data to the examination tool
3) The examination tool (ET) used to extract and harvest evidence
It is possible to extrapolate even greater numbers of inter-connected entities but then it would be simpler, if I were to do that, to simply write a book instead of writing this blog post. Moreover, greater numbers of inter-connections exponentially introduce the potential for higher risk of failure relevant to an entity's MTBF (mean time between failure) and MTTF (mean time to failure).
[”British scientist, Sir William Thomson (Lord Kelvin, 1824 - 1907),
concisely captured the aspect of knowledge so that others can study
the observations and apply the results without having to repeat the
experiment, when he wrote: “When you can measure what you are
speaking about and express it in numbers, you know what you are
talking about.”]
SSDT - USB - ET provides a useful basis upon which to consider metrological traceability:
"A core concept in metrology is metrological traceability, defined by the Joint Committee for Guides in Metrology as "property of a measurement result whereby the result can be related to a reference through a documented unbroken chain of calibrations, each contributing to the measurement uncertainty". Metrological traceability permits comparison of measurements, whether the result is compared to the previous result in the same laboratory, a measurement result a year ago, or to the result of a measurement performed anywhere else in the world."
http://en.wikipedia.org/wiki/Metrology#Metrological_traceability
An excellent source of reference for definitions for the science of measurement is:
International vocabulary of metrology — Basic and general concepts and associated terms (VIM)
Vocabulaire international de métrologie — Concepts fondamentaux et généraux et termes associés (VIM)
http://www.bipm.org/utils/common/documents/jcgm/JCGM_200_2008.pdf
International vocabulary of metrology – Basic and general concepts and associated terms (VIM) 3rd edition (2008 version with minor corrections)
Vocabulaire international de métrologie – Concepts fondamentaux et généraux et termes associés (VIM)
3e édition (Version 2008 avec corrections mineures).
http://www.bipm.org/utils/common/documents/jcgm/JCGM_200_2012.pdf
Why have I shown two versions of the same document? Traceability is the answer. Building a quality system requires identifying the reference materials against which test measurements are (or have in the past been) conducted; where the vocabulary changes between editions, the record has to state which edition applied at the time. Anyone involved in preparing or running a lab should be aware that ISO/IEC 17025 and ISO 9001 set out principles that may be adopted across a wide range of industries. It is only when drilling down into how these principles should be applied in practice that one becomes aware of how, metaphorically speaking, naked one is without something or someone pointing to a path to follow.
VIM is an acknowledged and established international reference that can be used to define the naming conventions for testing. Of course, there is still the need for knowledge, skill and experience in operating under lab conditions. The early work of Scroggie and Johnstone still provides useful observations on many aspects of testing in a laboratory environment; see the Radio and Electronic Laboratory Handbook, 1980 edition (Marcus Graham Scroggie and George Gordon Johnstone, ISBN 0-408-00373-1 / ISBN-13 9780408003735). The book is available from Amazon and from reputable booksellers.
There is a range of other reference materials, from testing through to calibration. For instance: NASA Deep Space Network, http://deepspace.jpl.nasa.gov/dsndocs/810-005/214/214-1.pdf ; Laboratories for the Design and Assembly of Electronic Devices using Surface Mount Components (conferencepaper.pdf) ; Handbook of Laboratory Experiments in Electrical and Electronics Vol. 3 (Adamu Murtala Zungeru; James G. Ambafi, ISBN 9781497507203) ; and the list goes on. These reference materials are in addition to publications produced by the FBI, NIST, ACPO etc.
This discussion started out by referring to the physical medium, USB, that carries the source data from the DUT to the examination tool (ET). The relevance is this: if the examiner can eliminate the medium as the cause of a failure or of corrupted evidence, the conundrum that remains is narrower, namely is the DUT at fault, is the ET at fault, or are both DUT and ET faulty together? Until the medium has been eliminated, none of those three possibilities can be isolated, because a marginal cable can mimic any of them.
To understand the technical properties for USB look here:
USB Type C
http://www.usb.org/developers/usbtypec/
http://www.usb.org/developers/docs/
http://www.usb.org/developers/docs/usb_31_060115.zip
This version of the USB specification is identified not simply from personal experience, but because of industry adoption of the standard:
(a) http://www.usb.org/press/USB_Type-C_Specification_Announcement_Final.pdf
(b) http://arstechnica.com/gadgets/2014/08/small-reversible-usb-type-c-connector-finalized/
Image credited to http://arstechnica.com/gadgets/2014/08/small-reversible-usb-type-c-connector-finalized/
(c) https://support.apple.com/en-gb/HT204360 etc...
A testing schedule for MTBF and MTTF cannot be created unless the device class of the DUT, and the version of the USB specification it actually implements, have been corroborated:
Device Classes (some useful resource materials)
http://www.usb.org/developers/docs/devclass_docs/
http://www.atmel.com/dyn/resources/prod_documents/doc4322.pdf
http://www.linux-usb.org/usbnet/
http://cscott.net/usb_dev/data/devclass/usbcdc11.pdf
Moreover, if USB 3.0 is backward compatible with USB 2.0, could USB 3.0 be used as the de facto standard for all SSDTs to assist in defining MTBF and MTTF? Bear in mind that backward compatibility works by negotiation: a USB 3.0 device connected through a USB 2.0 cable or port enumerates and runs as a USB 2.0 device, so the link actually established during an acquisition has to be recorded, not merely the version printed on the device.
What about USB plug/port sizes (Standard-A, Micro-B, Type-C and so on); would these create different test requirements?
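The corroboration asked for above can be read straight from the host rather than from a spec sheet: on Linux the kernel exposes each enumerated USB device's descriptors under /sys/bus/usb/devices, including the USB version the device claims, the link speed it actually negotiated, and the device and interface class codes. The script below is an added example (not code from this blog or from any tool it mentions) that inventories such a tree and flags a USB 3.x device that came up on a 2.0 link, which is the tell-tale of a cable or port in the chain that is not what the label says. It assumes the standard sysfs attribute names (idVendor, idProduct, bDeviceClass, bInterfaceClass, version, speed, product); the sample tree it builds is constructed for offline use and its vendor/product ids are illustrative.

```python
import os
import tempfile

# USB-IF base class codes (bDeviceClass / bInterfaceClass). 0x00 on a device
# means "class is defined per interface", so the interfaces must be read too.
USB_CLASS_CODES = {
    0x00: "per-interface", 0x01: "audio", 0x02: "CDC control", 0x03: "HID",
    0x06: "still image (PTP/MTP)", 0x07: "printer", 0x08: "mass storage",
    0x09: "hub", 0x0A: "CDC data", 0x0E: "video", 0xE0: "wireless controller",
    0xEF: "miscellaneous", 0xFE: "application specific", 0xFF: "vendor specific",
}

# Nominal signalling rates sysfs reports in the 'speed' attribute (Mbit/s).
SPEED_NAMES = {1.5: "low (1.1)", 12: "full (1.1)", 480: "high (2.0)",
               5000: "SuperSpeed (3.x Gen 1)", 10000: "SuperSpeed+ (3.x Gen 2)"}


def _attr(path, default=""):
    """Read one sysfs attribute file; a missing file yields the default."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return default


def usb_inventory(root="/sys/bus/usb/devices"):
    """One record per USB device found under a sysfs-style tree.

    Device directories ('1-2', '2-1.3') carry idVendor, idProduct, bDeviceClass,
    version (the USB spec the device claims) and speed (the link actually
    negotiated); interface sub-directories ('1-2:1.0') carry bInterfaceClass.
    """
    records = []
    for name in sorted(os.listdir(root)):
        dev = os.path.join(root, name)
        if ":" in name or not os.path.exists(os.path.join(dev, "idVendor")):
            continue  # interface directory, or not a device node
        dev_class = int(_attr(os.path.join(dev, "bDeviceClass"), "ff"), 16)
        ifaces = []
        for sub in sorted(os.listdir(dev)):
            if sub.startswith(name + ":"):
                cls = int(_attr(os.path.join(dev, sub, "bInterfaceClass"), "ff"), 16)
                ifaces.append(USB_CLASS_CODES.get(cls, "unknown(0x%02x)" % cls))
        speed = float(_attr(os.path.join(dev, "speed"), "0"))
        records.append({
            "port": name,
            "vid_pid": _attr(os.path.join(dev, "idVendor")) + ":" + _attr(os.path.join(dev, "idProduct")),
            "product": _attr(os.path.join(dev, "product")),
            "usb_version": _attr(os.path.join(dev, "version")),
            "speed_mbps": speed,
            "link": SPEED_NAMES.get(speed, "unknown"),
            "device_class": USB_CLASS_CODES.get(dev_class, "unknown(0x%02x)" % dev_class),
            "interface_classes": ifaces,
        })
    return records


def link_fell_back(record):
    """True when a device claiming USB 3.x negotiated only a 2.0 (or slower)
    link: backward compatibility at work, and usually the cable or port."""
    return record["usb_version"].startswith("3") and record["speed_mbps"] < 5000


def build_sample_tree():
    """Constructed sysfs look-alike for offline use (not captured from a real
    host); vendor/product ids are illustrative."""
    root = tempfile.mkdtemp(prefix="usb-sysfs-")

    def put(rel, value):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(value + "\n")

    # Android handset: MTP (PTP class) plus a vendor-specific (adb) interface, USB 2.0 high speed.
    put("1-2/idVendor", "18d1"); put("1-2/idProduct", "4ee2"); put("1-2/bDeviceClass", "00")
    put("1-2/version", " 2.00"); put("1-2/speed", "480"); put("1-2/product", "Handset")
    put("1-2/1-2:1.0/bInterfaceClass", "06"); put("1-2/1-2:1.1/bInterfaceClass", "ff")
    # USB 3.0 card reader that did get a SuperSpeed link.
    put("2-1/idVendor", "0bda"); put("2-1/idProduct", "0316"); put("2-1/bDeviceClass", "00")
    put("2-1/version", " 3.00"); put("2-1/speed", "5000"); put("2-1/product", "Card Reader")
    put("2-1/2-1:1.0/bInterfaceClass", "08")
    # USB 3.0 SSD enclosure that only came up at high speed: a 2.0 cable/port is in the chain.
    put("2-3/idVendor", "174c"); put("2-3/idProduct", "55aa"); put("2-3/bDeviceClass", "00")
    put("2-3/version", " 3.00"); put("2-3/speed", "480"); put("2-3/product", "SSD Enclosure")
    put("2-3/2-3:1.0/bInterfaceClass", "08")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()  # use usb_inventory() with the default root on a live Linux host
    for rec in usb_inventory(tree):
        flag = "  <-- link fell back to 2.0, check cable/port" if link_fell_back(rec) else ""
        print(rec["port"], rec["vid_pid"], rec["product"], "USB", rec["usb_version"],
              rec["link"], rec["device_class"], rec["interface_classes"], flag)
```

Run it once per acquisition and keep the output with the case record: it pins down which class the DUT presented (a handset on MTP is a very different target from one presenting mass storage) and which link speed the lead actually delivered, which is the raw material any MTBF/MTTF schedule for the medium has to be built from.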
Lastly, and to close Part 1 of this blog discussion, there is another question equally worth asking: "Does a manufacturer's/supplier's warranty for 12 or 24 months mean that lab testing is not necessary for the period of the warranty in question?"
Previous discussion under Metrology
http://trewmte.blogspot.co.uk/2015/05/metrology.html
Knowing DUT memory
http://trewmte.blogspot.co.uk/2015/05/knowing-dut-memory.html
Saturday, May 30, 2015
Metrology
I haven't produced breakout web-links to the other forum discussions as this post is only raising a point about Metrology and standardisation in digital forensics.
A recent forum question posted by a PhD student sought ideas for a research area. I suggested the following:
You may wish to consider the process of:
(a) examination of mobile/feature/smart phones, embedded devices etc with respect to
(b) evidential examination aligned to ISO/IEC 17025 et al, with specific attention, interest and engagement given to
(c) Metrology - tools used, processes in place and procedures followed
(d) to determine possible impact on evidential results and outcomes.
There is little published study in this area for digital forensics.
The above suggestion, along with suggestions made by others, produced a second forum thread specifically asking about standardisation in digital forensics testing and referred to my comments in the other forum thread. So I made further observations:
The reason why I mentioned Metrology is to actually see whether it is possible to have a minimum standard. In other words, start small and work in areas where commonality in agreement is high amongst those working in digital forensics.
Even before writing test scripts or anything else, start with e.g. the humble physical leads/cables and terminating plugs. They interface with the test tool and the target device. What forensic requirement should there be for these cables/leads/plugs, e.g. VGA, DVI, HDMI, Ethernet etc.? How many people keep a traceable record of what is being used to acquire evidence in the test lab?
ISO 9001 has been mentioned and this standard provides a useful guide on record keeping. In most cases users take for granted that the cable/lead/plug is ok and just swap it out if it is deemed not to be working. Simple questions:
1) Is there a cable/lead tester on the market?
2) What results can be obtained?
3) How to determine output results?
4) Compare manufacturing guidelines for MTTF and MTBF?
5) Can the results scrutinised be improved?
6) Can a minimum standard be achieved?
Mundane and tedious testing is never welcomed, but long before digital forensics raised its head these tests were going on. My own earlier experiences were in telecomms manufacturing. We worked with the factory type-approval guidelines BABT340 and ISO 9001. Record keeping and testing of tools was fundamental and mandatory to retain quality. Devices were subjected to standards such as BS 6301, BS 6305, BS 6317, BS 6789 etc. I still believe that BABT340 and the other standards and guidelines for the manufacture and supply of telecomms and datacomms products for placing on the market are far more aligned to digital forensics, and provide industry-specific stepping-stone guidance towards minimum standards, because all manufacturers were being channelled through the same process.
Just because some of the examples given above have been replaced by EU or other standards doesn't mean we cannot learn from that industry-specific experience and adopt a similar system.
From what I see going on and hear from others in digital forensics labs, cables/leads/plugs can be a source of problems in the acquisition process, yet no common ground has been established for their use. There are ISO framework standards adopted for digital forensic labs, but those have been adopted after the fact of produced evidence. But what are the framework standards or common ground documentation directed towards the tools actually being used prior to acquisition and generation of evidence?
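The "traceable record" question asked above can be answered with something quite small. The example below is added here and is not code from this blog or from any lab; it shows one way to keep an ISO 9001-style register of the leads used for each acquisition and to make the record itself tamper-evident by chaining entries with hashes, so that a later "correction" of which cable or tool version was used is detectable. The cable register, the 90-day re-test interval, the asset ids and the acquisition details are all constructed for the illustration and are assumptions, not anyone's actual policy.

```python
import hashlib
import json
from datetime import date, timedelta

RETEST_INTERVAL = timedelta(days=90)  # assumed lab policy for cable re-testing

# Constructed cable register: asset id -> last continuity/loopback test.
CABLE_REGISTER = {
    "CAB-0007": {"type": "USB-A to micro-B", "last_test": date(2015, 4, 2), "result": "pass"},
    "CAB-0012": {"type": "USB-A to USB-C", "last_test": date(2014, 11, 20), "result": "pass"},
    "CAB-0015": {"type": "USB-A to micro-B", "last_test": date(2015, 5, 1), "result": "fail"},
}


def cable_fit_for_use(cable_id, on_date):
    """Is this cable traceable and within its test period on the given day?"""
    rec = CABLE_REGISTER.get(cable_id)
    if rec is None:
        return False, "no register entry"
    if rec["result"] != "pass":
        return False, "last test failed"
    if on_date - rec["last_test"] > RETEST_INTERVAL:
        return False, "retest overdue"
    return True, "ok"


def _digest(entry):
    """SHA-256 over every field except the entry's own hash, in a fixed key order."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AcquisitionLog:
    """Append-only record of what was used for each acquisition. Every entry
    stores the hash of the previous entry, so altering or dropping any earlier
    record breaks the chain and verify() reports where."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, when, dut, cable_id, tool, tool_version, examiner, image_sha256):
        """Append one acquisition; returns whether the cable was fit for use."""
        fit, reason = cable_fit_for_use(cable_id, when)
        entry = {
            "date": when.isoformat(), "dut": dut, "cable": cable_id,
            "cable_status": reason, "tool": tool, "tool_version": tool_version,
            "examiner": examiner, "image_sha256": image_sha256,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS,
        }
        entry["entry_hash"] = _digest(entry)
        self.entries.append(entry)
        return fit

    def verify(self):
        """(True, count) if the chain is intact, else (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev_hash"] != prev or _digest(entry) != entry["entry_hash"]:
                return False, i
            prev = entry["entry_hash"]
        return True, len(self.entries)


if __name__ == "__main__":
    log = AcquisitionLog()
    day = date(2015, 5, 30)
    for cable in ("CAB-0007", "CAB-0012", "CAB-0015", "CAB-9999"):
        fit = log.record(day, "DUT-0001", cable, "android-backup", "1.0", "GS", "ab" * 32)
        print(cable, "fit for use" if fit else "NOT fit: " + log.entries[-1]["cable_status"])
    print("chain intact:", log.verify())
    log.entries[1]["cable"] = "CAB-0007"   # someone "corrects" the record afterwards
    print("after edit:", log.verify())     # chain now breaks at entry 1
```

The point of the chain is not cryptographic sophistication but that the register can be handed to a third party a year later and checked in the same way, which is exactly what metrological traceability asks of a measurement record.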
Knowing DUT memory
A newcomer to mobile phone examination asked a question on another forum:
"My first question is a general one: how can I know that the data I get in an extraction is everything that was on the device? For example, I recently acquired an image from a ZTE Z667G with prior knowledge that there were messages between 2 subjects using Facebook Messenger. The device was not able to be rooted with Oxygen's root exploit, so I used the Android backup method. When I began to analyze the data, I noted that Facebook messenger was not in the listed applications; also, none of the database files for that app were acquired. Had I not been told about the messages by the detective working that case, that data would have likely been missed. Without going through the device manually, how can I know for sure that what I'm getting is everything that is there?"
There is a temptation to reply with "try another tool". However, the opening question was "how can I know that the data I get in an extraction is everything that was on the device?", and answering it presupposes knowledge of the memory in which a mobile handset can store messages.
Knowing the memory available, and the areas where data may be stored, is another aspect an examiner may wish to consider as a planned exercise before commencing examination of the target DUT (device under test). As a simple exercise consider:
a) Handset memory
b) (U)SIM memory
c) SD card memory
Query: the examiner wants to know the memory available in, for example, a Samsung Galaxy S6 edge (GSM).
One popular website used by mobile phone examiners is Phonescoop:
http://www.phonescoop.com/phones/phone.php?p=4716
The site identifies the following:
Memory
32 GB internal storage, raw hardware
23 GB internal storage, available to user
3 GB RAM
also available in 64 and 128 GB versions
SIM card size
Nano (4FF)
Is there any info that identifies whether an SD card may be used? Check for yourself at the link above.
The newcomer referred to the ZTE Z667G. Would this be the correct model at Phonescoop?
http://www.phonescoop.com/phones/phone.php?p=4450
However, a Z667G user manual suggests a different name:
http://wontek.com/static-img/phones/ZTE-Flame-Z667G.pdf
and another website identifies the Z667G under yet another name:
http://androidface.com/forums/topic/zte-whirl-2-zte-z667g/
Could that suggest variances between the differently named models?
As an examiner can you verify or validate the accuracy of the Phonescoop details elsewhere?
e.g. are there any other website that may provide details? There are many, so here is another link:
http://specdevice.com/showspec.php?id=a7b9-7cb0-ec56-3c90041b97dc
Finally, what does the ZTE manufacturer website state about the ZTE Z667G?
There are a range of tools out there each to assist the examiner extract and harvest data; but be mindful, a tool may provide answers but a tool should not determine the questions and by extension think for you.
Sunday, April 19, 2015
FREE iPhoneReader research tool
Research and development tools can give students, newcomers and experienced examiners in the mobile forensics community practical experience of logically recovered data, isolating the various types of recovered data through a single GUI. Additionally, such tools help develop analytical and assessment skillsets. iPhoneReader.exe is one such tool.
Credit to University of New Haven - image GUI LiFE iPhoneReader.exe
This FREE research tool, LiFE (Logical iOS Forensic Examiner), was developed in 2014 by researchers at the University of New Haven (UNH) Cyber Forensics Research & Education Group / Lab (http://www.unhcfreg.com/). It is an open source tool for iOS backup examination.
The research tool can be downloaded here:
https://www.dropbox.com/s/xkjw2zdfw9mls4s/LiFE.zip
Friday, April 10, 2015
Free Mobile JTAG Training and Tools
Visitors to trewmte.blogspot.com may recall a discussion thread posted back in 2012 regarding a JTAG Tutorial http://trewmte.blogspot.co.uk/2012/09/jtag-tutorial.html. The purpose of that thread was to enable students, newcomers and experienced mobile/smart phone examiners to get a feel for JTAG before undertaking such examinations or purchasing tools etc.
Today, Kevin Swartz from www.nowsecure.com has released a FREE three-part training course specifically for JTAGing smart phones. Kevin has dropped a line to me saying "Hi Greg, yes, please feel free to link to any of our free resources pages: https://www.nowsecure.com/resources/".
The FREE three-part training course:
PDF Download: https://www.nowsecure.com/resources/jtag-forensics-training/
JTAG 101 videos:
https://www.youtube.com/playlist?list=PLkotz0CYBQDrXpvO0UZlmrUpQLtegPgWI
JTAG 102 videos:
https://www.youtube.com/playlist?list=PLkotz0CYBQDp_YMS_jMXSjKsvgWtL8e_p
Thanks Kevin. You're a decent chap for your kind gesture to help out students, newcomers and experienced examiners in the community.
Wednesday, April 08, 2015
Quoting Statistics
Whether you are a prosecution or defence barrister, quoting statistical facts to the jury has its benefits. Using stats is not without its pros and cons, however. With the ever increasing size and quantity of network traffic and stored data, it appears inevitable that describing data to a jury in a meaningful way using statistical statements is being re-defined on an annual basis. For example, compare Big Data (http://en.wikipedia.org/wiki/Big_data) with the analysis of data carried over a block-storage transport such as iSCSI (Internet Small Computer System Interface (iSCSI) Protocol (Consolidated), http://www.rfc-editor.org/rfc/rfc7143.txt).
Example 1 - GSM SIM Card Authentication
The 2G digital mobile telephone system (GSM), as you know, makes use of a SIM card. Its authentication, documented by Mouly and Pautet (The GSM System for Mobile Communications, 1992), combines the subscriber identity (IMSI) and the secret key (Ki) held in the SIM with a random challenge (RAND) sent by the network; the A3 algorithm (in practice often COMP128, which implements both A3 and A8) produces a 32-bit Signed RESponse (SRES), which the SIM returns and the network compares with its own expected value before the call proceeds, with or without ciphering. Because SRES is 32 bits, the chance of any other subscriber (or a blind guess) producing the same SRES for a given challenge has been put at roughly 1 in 4 billion (2^32 is about 4.29 billion).
A counter argument might be that with repeated use of the TMSI, ciphering key etc. the order of chance may be considerably less, but it has yet to be shown to be under 1 chance in 2 billion in ordinary use of the security. When analysing the 3G and 4G authentication algorithms it can be understood that the order of magnitude has again increased well beyond 2G.
However, the above would have no relevance where a call is recorded in a call record but has been added without the subscriber having made the call. An example: upon checking my son's billing record I found numerous entries of a regular event, a £3.50 call being added at regular intervals and at exactly the same time of day, after 3pm. The operator was not able to confirm that a call had even taken place, and thus removed all those charges. This highlights how call records can and do get manipulated. Had the account been pre-paid, what would have been the chances of identifying those calls?
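To make the "1 in 4 billion" concrete, here is the challenge-response exchange above written out with both sides' messages. It is an added example, not code from this blog, from Mouly and Pautet or from any operator: the real A3/A8 (COMP128 or an operator's own algorithm) is replaced by an HMAC-SHA256 stand-in, which is an assumption made so the exchange runs offline, and the Ki and IMSI values are constructed (the IMSI uses the 001/01 test PLMN). What the stand-in preserves is the shape of the protocol: Ki never leaves the SIM or the AuC, only RAND goes over the air one way and a 32-bit SRES the other, so a blind guess at SRES has one chance in 2^32.

```python
import hashlib
import hmac
import os

SRES_BITS = 32   # GSM SRES is 32 bits; Kc from A8 is 64 bits
RAND_BYTES = 16  # RAND is 128 bits


def a3_a8(ki: bytes, rand: bytes):
    """Stand-in for the operator's A3/A8 pair (COMP128 in many early SIMs).
    HMAC-SHA256 is an assumption used here so the exchange runs offline; the
    real algorithm is operator-specific. Returns (SRES, Kc)."""
    if len(ki) != 16 or len(rand) != RAND_BYTES:
        raise ValueError("Ki and RAND are 128 bits each")
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:SRES_BITS // 8], digest[4:12]


class Sim:
    """Holds IMSI and Ki; Ki never leaves the card, only SRES and Kc do."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def run_gsm_algorithm(self, rand: bytes):
        return a3_a8(self._ki, rand)


class AuC:
    """Authentication Centre: the only network element that knows Ki."""
    def __init__(self):
        self._keys = {}

    def provision(self, imsi: str, ki: bytes):
        self._keys[imsi] = ki

    def triplet(self, imsi: str, rand: bytes = None):
        """(RAND, expected SRES, Kc) for one authentication run."""
        rand = rand if rand is not None else os.urandom(RAND_BYTES)
        sres, kc = a3_a8(self._keys[imsi], rand)
        return rand, sres, kc


def authenticate(auc: AuC, sim: Sim, rand: bytes = None):
    """Network challenges the SIM with RAND and compares the returned SRES
    with the AuC's expected value. Returns (accepted, Kc-or-None)."""
    rand, expected_sres, kc = auc.triplet(sim.imsi, rand)   # network -> MS: RAND
    sres, _ = sim.run_gsm_algorithm(rand)                    # MS -> network: SRES
    accepted = hmac.compare_digest(sres, expected_sres)
    return accepted, (kc if accepted else None)


def single_guess_odds(bits: int = SRES_BITS) -> int:
    """Number of equally likely SRES values: one blind guess succeeds with
    probability 1/2^bits, i.e. about 1 in 4.29 billion for 32 bits."""
    return 1 << bits


if __name__ == "__main__":
    ki = bytes.fromhex("0123456789abcdef0123456789abcdef")   # constructed Ki
    imsi = "001010000000001"                                   # constructed IMSI (test PLMN)
    auc = AuC()
    auc.provision(imsi, ki)
    genuine = Sim(imsi, ki)
    clone = Sim(imsi, bytes(16))                               # same IMSI, wrong Ki
    print("genuine SIM accepted:", authenticate(auc, genuine)[0])
    print("clone accepted:      ", authenticate(auc, clone)[0])
    print("one blind SRES guess: 1 in", single_guess_odds())
```

Note what the odds do and do not cover: they describe a single fresh challenge. They say nothing about a record that was never the product of an authentication at all, which is the billing case in the paragraph above.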
Example 2 - DNA (Profiles, Loci et al)
The principal prosecutor, Assistant U.S. Attorney Michael T. Ambrosino (2006), countered that there was no scientific controversy and that prosecutors should not have to qualify their assertion that the rarity of Jenkins's profile among African Americans was one in 26 quintillion (26,000,000,000,000,000,000).
http://www.washingtonpost.com/wp-dyn/content/article/2006/04/14/AR2006041401602.html
Chimera
A chimera is an organism which exhibits chimerism. Chimerism is the occurrence of more than one genetically distinct cell lines in the same individual. Natural chimerism is quite rare in humans, but much more common in lower species. Natural chimerism occurs when the early embryos of two fraternal twins fuse into a single embryo, producing an individual with tissues of two different genetic compositions. Artificial chimerism is the result of organ or tissue transplants between individuals. The journal Nature had an excellent article on human chimerism in Volume 417, Pages 10-11 (02 May 2002).
Association of pigmentary anomalies with chromosomal and genetic mosaicism and chimerism.
Thomas IT, Frias JL, Cantu ES, Lafer CZ, Flannery DB, Graham JG Jr. Department of Pediatrics, University of Nebraska Medical Center, Omaha.
Am J Hum Genet. 1989 Aug;45(2):193-205.
Abstract: We have evaluated eight patients with pigmentary anomalies reminiscent of incontinentia pigmenti or hypomelanosis of Ito. All demonstrated abnormal lymphocyte karyotypes with chromosomal mosaicism in lymphocytes and/or skin fibroblasts. In seven the skin was darkly pigmented, and in all of these seven cases the abnormal pigmentation followed (**)Blaschko lines. The literature contains at least 36 similar examples of an association between pigmentary anomalies and chromosomal mosaicism, as well as five examples of an association with chimerism. The pigmentary anomalies are pleomorphic, and the chromosomal anomalies involve autosomes and sex chromosomes. The pigmentation patterns are reminiscent of the archetypal paradigm seen in allophenic mice and demonstrate the clonal origin of melanoblasts from neural crest precursors. Patients with anomalous skin pigmentation, particularly when it follows a pattern of Blaschko lines, should be appropriately evaluated for a possible association with chromosomal or genetic mosaicism or chimerism.
(**) Blaschko lines are chevron-type alternating patterns that appear in skin pigmentation associated with chimerism, giving a directly observable symptom of at least dermal chimerisation.
http://www.ncbi.nlm.nih.gov/entrez/query.fcgi?cmd=Retrieve&db=pubmed&dopt=Abstract&list_uids=2667350
http://www.ncbi.nlm.nih.gov/pubmed/2667350?dopt=Abstract
The above examples provide some observations about the pros/cons of quoting stats.
Digitally speaking, we some times have to refer to size/quantity of data, too. It is useful therefore to have some analogies that can be used to identify the size/quantity of data:
Example 3 - Bits, Nibbles and Bytes
http://highscalability.com/blog/2012/9/11/how-big-is-a-petabyte-exabyte-zettabyte-or-a-yottabyte.html
Bytes(8 bits)
◾0.1 bytes: A binary decision
◾1 byte: A single character
◾10 bytes: A single word
◾100 bytes: A telegram OR A punched card
Kilobyte (1000 bytes)
◾1 Kilobyte: A very short story
◾2 Kilobytes: A Typewritten page
◾10 Kilobytes: An encyclopaedic page OR A deck of punched cards
◾50 Kilobytes: A compressed document image page
◾100 Kilobytes: A low-resolution photograph
◾200 Kilobytes: A box of punched cards
◾500 Kilobytes: A very heavy box of punched cards
Megabyte (1 000 000 bytes)
◾1 Megabyte: A small novel OR A 3.5 inch floppy disk
◾2 Megabytes: A high resolution photograph
◾5 Megabytes: The complete works of Shakespeare OR 30 seconds of TV-quality video
◾10 Megabytes: A minute of high-fidelity sound OR A digital chest X-ray
◾20 Megabytes: A box of floppy disks
◾50 Megabytes: A digital mammogram
◾100 Megabytes: 1 meter of shelved books OR A two-volume encyclopaedic book
◾200 Megabytes: A reel of 9-track tape OR An IBM 3480 cartridge tape
◾500 Megabytes: A CD-ROM OR The hard disk of a PC
Gigabyte (1 000 000 000 bytes)
◾1 Gigabyte: A pickup truck filled with paper OR A symphony in high-fidelity sound OR A movie at TV quality
◾2 Gigabytes: 20 meters of shelved books OR A stack of 9-track tapes
◾5 Gigabytes: An 8mm Exabyte tape
◾10 Gigabytes:
◾20 Gigabytes: A good collection of the works of Beethoven OR 5 Exabyte tapes OR A VHS tape used for digital data
◾50 Gigabytes: A floor of books OR Hundreds of 9-track tapes
◾100 Gigabytes: A floor of academic journals OR A large ID-1 digital tape
◾200 Gigabytes: 50 Exabyte tapes
Terabyte (1 000 000 000 000 bytes)
◾1 Terabyte: An automated tape robot OR All the X-ray films in a large technological hospital OR 50000 trees made into paper and printed OR Daily rate of EOS data (1998)
◾2 Terabytes: An academic research library OR A cabinet full of Exabyte tapes
◾10 Terabytes: The printed collection of the US Library of Congress
◾50 Terabytes: The contents of a large Mass Storage System
Petabyte (1 000 000 000 000 000 bytes)
◾1 Petabyte: 5 years of EOS data (at 46 mbps)
◾2 Petabytes: All US academic research libraries
◾20 Petabytes: Production of hard-disk drives in 1995
◾200 Petabytes: All printed material OR Production of digital magnetic tape in 1995
Exabyte (1 000 000 000 000 000 000 bytes)
◾5 Exabytes: All words ever spoken by human beings.
From Wikipedia:
◾The world's technological capacity to store information grew from 2.6 (optimally compressed) exabytes in 1986 to 15.8 in 1993, over 54.5 in 2000, and to 295 (optimally compressed) exabytes in 2007. This is equivalent to less than one 730-MB CD-ROM per person in 1986 (539 MB per person), roughly 4 CD-ROMs per person in 1993, 12 CD-ROMs per person in the year 2000, and almost 61 CD-ROMs per person in 2007. Piling up the imagined 404 billion CD-ROMs from 2007 would create a stack from the earth to the moon and a quarter of this distance beyond (with 1.2 mm thickness per CD).
◾The world's technological capacity to receive information through one-way broadcast networks was 432 exabytes of (optimally compressed) information in 1986, 715 (optimally compressed) exabytes in 1993, 1,200 (optimally compressed) exabytes in 2000, and 1,900 in 2007.
◾According to the CSIRO, in the next decade astronomers expect to be processing 10 petabytes of data every hour from the Square Kilometre Array (SKA) telescope. The array is thus expected to generate approximately one exabyte every four days of operation. According to IBM, the new SKA telescope initiative will generate over an exabyte of data every day. IBM is designing hardware to process this information.
Zettabyte (1 000 000 000 000 000 000 000 bytes)
From Wikipedia:
◾The world's technological capacity to receive information through one-way broadcast networks was 0.432 zettabytes of (optimally compressed) information in 1986, 0.715 in 1993, 1.2 in 2000, and 1.9 (optimally compressed) zettabytes in 2007 (this is the informational equivalent of every person on earth receiving 174 newspapers per day).
◾According to International Data Corporation, the total amount of global data is expected to grow to 2.7 zettabytes during 2012. This is 48% up from 2011.
◾Mark Liberman calculated the storage requirements for all human speech ever spoken at 42 zettabytes if digitized as 16 kHz 16-bit audio. This was done in response to a popular expression that states "all words ever spoken by human beings" could be stored in approximately 5 exabytes of data (see exabyte for details). Liberman did "freely confess that maybe the authors [of the exabyte estimate] were thinking about text."
◾Research from the University of Southern California reports that in 2007, humankind successfully sent 1.9 zettabytes of information through broadcast technology such as televisions and GPS.
◾Research from the University of California, San Diego reports that in 2008, Americans consumed 3.6 zettabytes of information.
Yottabyte (1 000 000 000 000 000 000 000 000 bytes)
See - http://en.wikipedia.org/wiki/Talk%3AYottabyte#Xenottabyte.3F_Shilentnobyte.3F_Domegemegrottebyte.3F
Other interpretations, see - http://geekologie.com/2010/06/how-big-is-a-yottabyte-spoiler.php
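The table above uses decimal units (kilobyte = 1000 bytes), whereas most operating systems report storage in binary units (1024-based) while still printing "GB"; the same ambiguity sits behind the Phonescoop figures in the "Knowing DUT memory" post, where a handset advertised as 32 GB shows up as roughly 29.8 "GB" on the device because the OS is counting GiB. When a size is going in front of a jury, it should be stated in one system with the unit spelled out. The example below is added here (not code from this blog or from Phonescoop) and converts in both directions, parses spec-sheet strings, and re-does the CD-ROM stack arithmetic quoted from Wikipedia above; the 730 MB CD capacity and 1.2 mm disc thickness are the figures given there.

```python
import re

SI_UNITS = [("B", 10**0), ("kB", 10**3), ("MB", 10**6), ("GB", 10**9), ("TB", 10**12),
            ("PB", 10**15), ("EB", 10**18), ("ZB", 10**21), ("YB", 10**24)]
IEC_UNITS = [("B", 2**0), ("KiB", 2**10), ("MiB", 2**20), ("GiB", 2**30), ("TiB", 2**40),
             ("PiB", 2**50), ("EiB", 2**60), ("ZiB", 2**70), ("YiB", 2**80)]
_FACTORS = {u.lower(): f for u, f in SI_UNITS + IEC_UNITS}
_SIZE_RE = re.compile(r"^\s*([0-9]+(?:\.[0-9]+)?)\s*([kKMGTPEZY]?i?B)\s*$")


def format_size(n_bytes, binary=False, places=2):
    """Largest unit that keeps the value >= 1: decimal (kB = 1000 B, as in the
    table above) or binary (KiB = 1024 B, what most operating systems show)."""
    unit, factor = "B", 1
    for u, f in (IEC_UNITS if binary else SI_UNITS):
        if n_bytes >= f:
            unit, factor = u, f
    return "%.*f %s" % (places, n_bytes / factor, unit)


def parse_size(text):
    """'32 GB' -> 32000000000, '1.5 GiB' -> 1610612736; 'KB' is read as kB."""
    m = _SIZE_RE.match(text)
    if not m:
        raise ValueError("unrecognised size: %r" % text)
    return int(round(float(m.group(1)) * _FACTORS[m.group(2).lower()]))


def both_ways(text):
    """The same quantity in both unit systems, so that '32 GB' on a spec sheet
    and '29.8 GB' shown by an OS (really GiB) are not reported as a discrepancy."""
    n = parse_size(text)
    return format_size(n), format_size(n, binary=True)


def cdrom_stack(total_bytes, cd_bytes=730 * 10**6, cd_thickness_mm=1.2):
    """Number of CD-ROMs needed for total_bytes and the height of the stack in
    km (the analogy quoted above for 295 EB)."""
    count = total_bytes / cd_bytes
    return count, count * cd_thickness_mm / 1e6


if __name__ == "__main__":
    raw, user = parse_size("32 GB"), parse_size("23 GB")   # Phonescoop figures for the S6 edge
    print("raw:", both_ways("32 GB"), " user-available:", both_ways("23 GB"))
    print("not user-accessible:", format_size(raw - user), "/", format_size(raw - user, binary=True))
    cds, km = cdrom_stack(parse_size("295 EB"))
    print("295 EB is %.0f billion CD-ROMs, a stack %.0f km high" % (cds / 1e9, km))
```

The CD-ROM check comes out at about 404 billion discs and a stack of roughly 485,000 km, which agrees with the "earth to the moon and a quarter beyond" description for a mean earth-moon distance of about 384,000 km; the point of carrying such arithmetic through is that an analogy put to a jury should be one the examiner has verified, not merely quoted.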
Example 1 - GSM SIM Card Authentication
As you know, the 2G digital mobile telephone system (GSM) makes use of a SIM card. The security designed into the SIM by those commissioned to create it (Mouly, M. & Pautet, M-B.; published 1992) combines the subscriber identity (IMSI), the secret key (Ki) and a random challenge (RAND), with the security algorithms A3/A8 (COMP128) generating a corresponding output, the Signed RESponse (SRES). The probability of any other subscriber producing the same SRES (to make a mobile call, with or without ciphering), it has been said, can be in the order of 1 chance in 4 billion.
A counter argument might be that with repeated use of the TMSI, ciphering key etc. the order of chance may be considerably less, but it has yet to be shown to be under 1 chance in 2 billion in the ordinary use of the security. When analysing the 3G and 4G security authentication algorithms it can be understood that the order of magnitude has again increased exponentially beyond 2G.
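The challenge-response round described above, as an added illustration that is not from the original post: the SIM holds Ki, the network sends RAND, and only the 32-bit SRES travels back, which is where a "1 chance in 4 billion" figure comes from (2^32 is about 4.29 billion). HMAC-SHA256 stands in for COMP128 here (an assumption; only the GSM output sizes are kept), and the IMSI and Ki values are constructed.

```python
import hashlib
import hmac
import secrets

SRES_BYTES = 4   # GSM SRES is 32 bits
KC_BYTES = 8     # GSM Kc (ciphering key) is 64 bits


def a3_a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for the A3/A8 pair (assumption: HMAC-SHA256 keyed with Ki
    replaces COMP128; only the GSM output sizes are preserved)."""
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND are 128-bit values in GSM")
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    sres = digest[:SRES_BYTES]                     # A3 output
    kc = digest[SRES_BYTES:SRES_BYTES + KC_BYTES]  # A8 output
    return sres, kc


class Sim:
    """Subscriber side: Ki never leaves the card, only SRES is returned."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes) -> bytes:
        sres, _kc = a3_a8(self._ki, rand)
        return sres


class AuthenticationCentre:
    """Network side: looks up Ki by IMSI and checks the SIM's SRES."""

    def __init__(self, subscribers: dict[str, bytes]):
        self._ki_by_imsi = subscribers

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh 128-bit RAND per attempt

    def verify(self, imsi: str, rand: bytes, sres: bytes) -> bool:
        ki = self._ki_by_imsi.get(imsi)
        if ki is None:
            return False
        expected, _kc = a3_a8(ki, rand)
        return hmac.compare_digest(expected, sres)


def sres_space() -> int:
    """Number of distinct SRES values: a second subscriber matching a given
    SRES on the same RAND has odds of 1 in 2**32, i.e. about 4.29 billion."""
    return 2 ** (8 * SRES_BYTES)


def run_round(auc: AuthenticationCentre, sim: Sim) -> bool:
    """One authentication round as the network would drive it."""
    rand = auc.challenge()
    return auc.verify(sim.imsi, rand, sim.respond(rand))
```

Build an `AuthenticationCentre` with a constructed `{imsi: ki}` map and a matching `Sim`, then call `run_round` to see a full round succeed and `sres_space` for the size of the response space.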
However, the above would have no relevance where a call is recorded in a call record having been added, but not as a consequence of the subscriber having made the call. As an example, upon checking my son's billing record I found numerous entries of a regular event of £3.50 for a call being added at regular intervals, but at exactly the same time of day after 3pm. The operator was not able to qualify that a call had even taken place, and thus removed all those charges. This highlights how call records can and do get manipulated. Had the account been pre-paid, what would have been the chances of identifying those calls?
Example 2 - DNA (Profiles, Loci et al)
The principal prosecutor, Assistant U.S. Attorney Michael T. Ambrosino (2006), countered that there was no scientific controversy and that prosecutors should not have to qualify their assertion that the rarity of Jenkins's profile among African Americans was one in 26 quintillion (26,000,000,000,000,000,000).
http://www.washingtonpost.com/wp-dyn/content/article/2006/04/14/AR2006041401602.html
Chimera
A chimera is an organism which exhibits chimerism. Chimerism is the occurrence of more than one genetically distinct cell line in the same individual. Natural chimerism is quite rare in humans, but much more common in lower species. Natural chimerism occurs when the early embryos of two fraternal twins fuse into a single embryo, producing an individual with tissues of two different genetic compositions. Artificial chimerism is the result of organ or tissue transplants between individuals. The journal Nature had an excellent article on human chimerism in Volume 417, Pages 10-11 (02 May 2002).
Association of pigmentary anomalies with chromosomal and genetic mosaicism and chimerism.
Thomas IT, Frias JL, Cantu ES, Lafer CZ, Flannery DB, Graham JG Jr.
Department of Pediatrics, University of Nebraska Medical Center, Omaha.
We have evaluated eight patients with pigmentary anomalies reminiscent of incontinentia pigmenti or hypomelanosis of Ito. All demonstrated abnormal lymphocyte karyotypes with chromosomal mosaicism in lymphocytes and/or skin fibroblasts. In seven the skin was darkly pigmented, and in all of these seven cases the abnormal pigmentation followed (**)Blaschko lines. The literature contains at least 36 similar examples of an association between pigmentary anomalies and chromosomal mosaicism, as well as five examples of an association with chimerism. The pigmentary anomalies are pleomorphic, and the chromosomal anomalies involve autosomes and sex chromosomes. The pigmentation patterns are reminiscent of the archetypal paradigm seen in allophenic mice and demonstrate the clonal origin of melanoblasts from neural crest precursors. Patients with anomalous skin pigmentation, particularly when it follows a pattern of Blaschko lines, should be appropriately evaluated for a possible association with chromosomal or genetic mosaicism or chimerism.
(**)Blaschko lines are chevron type alternating patterns that appear in skin pigmentation associated with chimera giving a directly observable symptom of at least dermal chimerisation
Am J Hum Genet. 1989 Aug;45(2):193-205
http://www.ncbi.nlm.nih.gov/entrez/query.fcgi?cmd=Retrieve&db=pubmed&dopt=Abstract&list_uids=2667350
http://www.ncbi.nlm.nih.gov/pubmed/2667350?dopt=Abstract
The above examples provide some observations about the pros and cons of quoting statistics.
Digitally speaking, we sometimes have to refer to the size/quantity of data, too. It is useful therefore to have some analogies that can be used to convey the size/quantity of data:
Example 3 - Bits, Nibbles and Bytes
http://highscalability.com/blog/2012/9/11/how-big-is-a-petabyte-exabyte-zettabyte-or-a-yottabyte.html
Bytes(8 bits)
◾0.1 bytes: A binary decision
◾1 byte: A single character
◾10 bytes: A single word
◾100 bytes: A telegram OR A punched card
Kilobyte (1000 bytes)
◾1 Kilobyte: A very short story
◾2 Kilobytes: A Typewritten page
◾10 Kilobytes: An encyclopaedic page OR A deck of punched cards
◾50 Kilobytes: A compressed document image page
◾100 Kilobytes: A low-resolution photograph
◾200 Kilobytes: A box of punched cards
◾500 Kilobytes: A very heavy box of punched cards
Megabyte (1 000 000 bytes)
◾1 Megabyte: A small novel OR A 3.5 inch floppy disk
◾2 Megabytes: A high resolution photograph
◾5 Megabytes: The complete works of Shakespeare OR 30 seconds of TV-quality video
◾10 Megabytes: A minute of high-fidelity sound OR A digital chest X-ray
◾20 Megabytes: A box of floppy disks
◾50 Megabytes: A digital mammogram
◾100 Megabytes: 1 meter of shelved books OR A two-volume encyclopaedic book
◾200 Megabytes: A reel of 9-track tape OR An IBM 3480 cartridge tape
◾500 Megabytes: A CD-ROM OR The hard disk of a PC
Gigabyte (1 000 000 000 bytes)
◾1 Gigabyte: A pickup truck filled with paper OR A symphony in high-fidelity sound OR A movie at TV quality
◾2 Gigabytes: 20 meters of shelved books OR A stack of 9-track tapes
◾5 Gigabytes: An 8mm Exabyte tape
◾10 Gigabytes:
◾20 Gigabytes: A good collection of the works of Beethoven OR 5 Exabyte tapes OR A VHS tape used for digital data
◾50 Gigabytes: A floor of books OR Hundreds of 9-track tapes
◾100 Gigabytes: A floor of academic journals OR A large ID-1 digital tape
◾200 Gigabytes: 50 Exabyte tapes
Terabyte (1 000 000 000 000 bytes)
◾1 Terabyte: An automated tape robot OR All the X-ray films in a large technological hospital OR 50000 trees made into paper and printed OR Daily rate of EOS data (1998)
◾2 Terabytes: An academic research library OR A cabinet full of Exabyte tapes
◾10 Terabytes: The printed collection of the US Library of Congress
◾50 Terabytes: The contents of a large Mass Storage System
Petabyte (1 000 000 000 000 000 bytes)
◾1 Petabyte: 5 years of EOS data (at 46 mbps)
◾2 Petabytes: All US academic research libraries
◾20 Petabytes: Production of hard-disk drives in 1995
◾200 Petabytes: All printed material OR Production of digital magnetic tape in 1995
Exabyte (1 000 000 000 000 000 000 bytes)
◾5 Exabytes: All words ever spoken by human beings.
◾From Wikipedia: The world's technological capacity to store information grew from 2.6 (optimally compressed) exabytes in 1986 to 15.8 in 1993, over 54.5 in 2000, and to 295 (optimally compressed) exabytes in 2007. This is equivalent to less than one 730-MB CD-ROM per person in 1986 (539 MB per person), roughly 4 CD-ROMs per person in 1993, 12 CD-ROMs per person in the year 2000, and almost 61 CD-ROMs per person in 2007. Piling up the imagined 404 billion CD-ROMs from 2007 would create a stack from the earth to the moon and a quarter of this distance beyond (with 1.2 mm thickness per CD).
◾The world’s technological capacity to receive information through one-way broadcast networks was 432 exabytes of (optimally compressed) information in 1986, 715 (optimally compressed) exabytes in 1993, 1,200 (optimally compressed) exabytes in 2000, and 1,900 in 2007.
◾According to the CSIRO, in the next decade, astronomers expect to be processing 10 petabytes of data every hour from the Square Kilometre Array (SKA) telescope.[11] The array is thus expected to generate approximately one exabyte every four days of operation. According to IBM, the new SKA telescope initiative will generate over an exabyte of data every day. IBM is designing hardware to process this information.
Zettabyte (1 000 000 000 000 000 000 000 bytes)
◾From Wikipedia: The world's technological capacity to receive information through one-way broadcast networks was 0.432 zettabytes of (optimally compressed) information in 1986, 0.715 in 1993, 1.2 in 2000, and 1.9 (optimally compressed) zettabytes in 2007 (this is the informational equivalent to every person on earth receiving 174 newspapers per day).[9][10]
◾According to International Data Corporation, the total amount of global data is expected to grow to 2.7 zettabytes during 2012. This is 48% up from 2011.[11]
◾Mark Liberman calculated the storage requirements for all human speech ever spoken at 42 zettabytes if digitized as 16 kHz 16-bit audio. This was done in response to a popular expression that states "all words ever spoken by human beings" could be stored in approximately 5 exabytes of data (see exabyte for details). Liberman did "freely confess that maybe the authors [of the exabyte estimate] were thinking about text."[12]
◾Research from the University of Southern California reports that in 2007, humankind successfully sent 1.9 zettabytes of information through broadcast technology such as televisions and GPS.[13]
◾Research from the University of California, San Diego reports that in 2008, Americans consumed 3.6 zettabytes of information.
Yottabyte (1 000 000 000 000 000 000 000 000 bytes)
See - http://en.wikipedia.org/wiki/Talk%3AYottabyte#Xenottabyte.3F_Shilentnobyte.3F_Domegemegrottebyte.3F
Other interpretations, see - http://geekologie.com/2010/06/how-big-is-a-yottabyte-spoiler.php
Saturday, April 04, 2015
Android Botnet for SMS
Another area where SMS text messages may not have received as much scrutiny is messages sent by mobile botnets. If I may, I will re-emphasise the following point: the purpose of the discussions here and below is not to criticise the tools or processes used in extracting, harvesting and/or treating recovered data, but to stress that data analysis is still required and cannot be rushed. If the examiner doesn't perform the analysis task, is the officer or investigator (who may have considerably less experience) left to perform that role?
To avoid confusion a starting point about reference to botnets is required. One contribution is this intro into botnets: https://www.usenix.org/legacy/event/leet11/tech/slides/xiang.pdf
The video below shows how one hacker, Georgia Weidman (2011), developed an Android Smartphone Botnet to send SMS text messages.
A brief description of the code (botPoCrelease-android.c) that uses the smartphone to spawn messages via a Master/Slave/Target combination, hiding the identity of the Master from the Slave:
==============================================================
Compile with arm-gcc with the -static flag set
Copy to anywhere on the underlying OS that is writable (/data/ is good).
Rename /dev/smd0/ to /dev/smd0real/
Start the bot application
Kill the radio application (ps | grep rild)
The radio will automatically respawn and now the bot proxy will be working
==============================================================
The original botnet code has been in the hacking community since 2011 but currently the code is hard to find. There is a sanitised version available though.
This proof-of-concept mobile botnet for generating SMS text messages still relies upon knowing the target's mobile number. The analysis thus focuses on the sending party (Master) knowing the recipient mobile number (Target) to hand to the donor (Slave). Alternatively, harvested mobile numbers returned from ICMP (or similar) pings via the internet could yield a high harvest of returned MSISDNs without the Target knowing his/her MSISDN has been acquired to send messages (SMS spam, etc.).
Thursday, April 02, 2015
Smishing Maybe Smashed, but Fake Tache Goes On
Credit to Google Play Store - Combined screen shots of apps purporting to fake SMS and call logs
This continues the text messaging discussion about examining raw data. Previously the subject was associated with Emotion Icons http://trewmte.blogspot.co.uk/2015/03/emotion-icons.html and, more generally, with determining the bit-encoding scheme, Unicode, and encrypted messaging hidden within icons sent with messages.
Back in 2012 Android was reported to have a vulnerability in its platform that was labelled in the research **"Smishing Vulnerability in Multiple Android Platforms (including Gingerbread, Ice Cream Sandwich, and Jelly Bean)" by Xuxian Jiang, Associate Professor, Department of Computing Science, NC State University - http://www.csc.ncsu.edu/faculty/jiang/smishing.html. The research raised two important points:
(1) **"This vulnerability allows a running app on an Android phone to fake arbitrary SMS text messages, which will then be received by phone users."..." The affected platforms that have been confirmed range from Froyo (2.2.x), Gingerbread (2.3.x), Ice Cream Sandwich (4.0.x), and Jelly Bean (4.1)."
The Android Security Team produced a fix for this in Android 4.2, but the research does not confirm whether devices in the marketplace continuing to use Froyo (2.2.x), Gingerbread (2.3.x), Ice Cream Sandwich (4.0.x) and Jelly Bean (4.1) would also be fixed or would remain vulnerable.
(2) **"Note that any app on the phone can fake incoming messages, including both SMS and MMS messages".
By late 2013 Aditya Mahajan, Laxmikant Gudipaty and Dr. M. S. Dahiya continued research beyond the findings of Xuxian Jiang. Their analysis, "Identification of Fake SMS generated using Android Applications in Android Devices" (54d35df10cf28e0697281a74.pdf), concluded that it is possible to show the presence of a potential fake SMS text message based upon the file header content, e.g. the reply paths etc. Moreover, if an original message was deleted but later recovered, and the fake message purporting to represent the original message (but with altered content) were analysed side by side, so to speak, then disparity in content and file header content could assist an investigation. The test case apps used by the authors on a selection of Android smartphones were "SUPER SMS FAKER (SSF)" and "LogMe".
Within our mobile/smartphone examination, forensics and evidence community we are still plagued by the fact that there are a huge range of apps purporting to fake:
- SMS Text Messages
- MMS Messages
- Calls Logs
- Etc.
See - Fake Call & SMS & Call Logs search of google play store: https://play.google.com/store/search?q=Fake%20Call%20%26%20SMS%20%26%20Call%20Logs
The above suggests students and newcomer examiners may be tricked into giving these sources of evidence a lower scrutiny priority. The capabilities of automated tools to extract and harvest data content from databases such as the SMS text message history found in e.g. "/data/data/com.android.providers.telephony/databases/mmssms.db" are highly useful, but the message should not be obscured when informing students and newcomers to mobile/smartphone examination, forensics and evidence that extracted and harvested data requires deeper analysis. That applies not merely at the investigation/interpretation stage but at the atomic collection stage, too.
As mentioned previously, viewing harvested data can be a trompe l'oeil (a lie to the eye). A faked SMS text message can be as simple as a perpetrator dressing up an innocent-looking fake message with (metaphorically speaking) a false moustache (fake tache), with an intent to falsify the impression the message communicates.
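The kind of deeper analysis of an extracted mmssms.db that the paper's header-content findings and the paragraph above call for, as an added example that is not from the original post or the paper: it loads a constructed sms table using the column names of the Android telephony provider and flags inbox rows whose radio-populated fields are empty. Which fields a normally delivered SMS carries is an assumption stated in the code, and the flags are indicators for side-by-side review, not proof of fabrication.

```python
import sqlite3

# Column subset of the sms table in the Android telephony provider's
# mmssms.db (names as used by android.provider.Telephony.Sms).
SMS_SCHEMA = """
CREATE TABLE sms (
    _id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT, date INTEGER,
    date_sent INTEGER DEFAULT 0, protocol INTEGER, read INTEGER DEFAULT 0,
    status INTEGER DEFAULT -1, type INTEGER, reply_path_present INTEGER,
    subject TEXT, body TEXT, service_center TEXT, locked INTEGER DEFAULT 0,
    seen INTEGER DEFAULT 0
)"""

INBOX = 1  # Telephony.Sms.MESSAGE_TYPE_INBOX (2 is SENT)

# Constructed sample rows: row 1 as the radio layer stores a received SMS,
# row 2 a sent reply, row 3 an "incoming" message written by an app through
# the content provider, leaving the radio-populated fields empty.
SAMPLE_ROWS = [
    (1, 1, "+447700900123", 1428000000000, 1427999995000, 0, 1, -1, 1, 0,
     None, "Meet at 3?", "+447785016005", 0, 1),
    (2, 1, "+447700900123", 1428000300000, 0, 0, 1, 0, 2, 0,
     None, "Yes", None, 0, 1),
    (3, 2, "+447700900999", 1428003600000, 0, None, 1, -1, 1, None,
     None, "Send the money now", None, 0, 1),
]


def load_sample_db() -> sqlite3.Connection:
    """Build an in-memory stand-in for an extracted mmssms.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SMS_SCHEMA)
    conn.executemany("INSERT INTO sms VALUES (%s)" % ",".join("?" * 15),
                     SAMPLE_ROWS)
    return conn


def flag_suspect_inbox_rows(conn: sqlite3.Connection) -> list[dict]:
    """Heuristic, not proof (assumption): a received SMS delivered by the
    radio layer normally carries the SMSC address (service_center), a protocol
    value, the SMSC timestamp (date_sent) and a reply_path_present flag. Inbox
    rows lacking these are candidates for deeper side-by-side analysis."""
    conn.row_factory = sqlite3.Row
    flagged = []
    for row in conn.execute("SELECT * FROM sms WHERE type = ?", (INBOX,)):
        reasons = []
        if not row["service_center"]:
            reasons.append("service_center empty")
        if row["protocol"] is None:
            reasons.append("protocol NULL")
        if not row["date_sent"]:
            reasons.append("date_sent 0/NULL")
        if row["reply_path_present"] is None:
            reasons.append("reply_path_present NULL")
        if reasons:
            flagged.append({"_id": row["_id"], "address": row["address"],
                            "body": row["body"], "reasons": reasons})
    return flagged
```

Point `sqlite3.connect` at a real extracted mmssms.db copy instead of `load_sample_db()` to run the same checks over a device's own table; sent messages are deliberately excluded because their date_sent and service_center are legitimately empty.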
Photo courtesy of http://www.adultswim.com/videos/family-guy/you-got-my-money-now/
Fake caption: Heeeyyyy, Briiaan, why the fake moustache? Stu-eey!!!!! I am just off to the bathroom.