Friday, January 30, 2015

Read This Before You Use the IP Box

As a loyal and proud member of the International Association of Computer Investigative Specialists (IACIS), I am fortunate enough to have a virtual plethora of digital forensic professionals who offer advice, tips and tricks and explore current trends in digital forensics via the IACIS listserv. A hot topic going around the listserv the past few months has been the use of the IP Box to bypass a passcode-locked i-device (iPhone, iPod touch, iPad, etc.). It occurred to me (and perhaps to others) today that there are some serious considerations to take into account when employing this device. We’ll explore them here:

Background

In the latter part of 2014, Apple announced that, with the release of iOS 8 and the iPhone 6 family, it would no longer be able to assist law enforcement agencies who send devices to Apple to bypass a passcode or fingerprint lock and obtain data from the device, even with appropriate legal service (search warrant, etc.). This understandably caused quite a negative reaction from those in law enforcement who had previously relied upon this option as a last resort to access data on iOS devices.

Enter the IP Box. Very shortly thereafter, the IP Box became a possible alternative for law enforcement to get past passcode-locked iOS devices. The IP Box is a no-frills Chinese tool with leads that physically attach to the exterior of the iOS device and electronically attempt every possible code from 0000 to 9999 to gain access to the user portion of the device. It’s a brute-force bypass tool. If you search on YouTube, you’ll find any number of (mostly foreign) videos demonstrating how this tool works – and it does work… sort of.

Concerns With the Use of the IP Box

There are several concerns with the use of the IP Box for digital forensic practitioners. Many of these have been voiced on the IACIS listserv and other online forums, but I fear one has not. The more technical issue is that the IP Box is not a forensic tool; it’s a hacker tool. In digital forensics, we need to be able to articulate, validate and replicate all of our steps, otherwise they are not scientifically valid. Hacker tools by their very nature do not come anywhere close to meeting these requirements, but the IP Box is a simple tool, so it may be a slight exception to this rule. That is up for debate.

The second concern with the IP Box is that an iOS user has the option to set the device to automatically wipe its data after 10 unsuccessful passcode attempts. This is an obvious problem because you may have no clue what your subject used for a passcode, and now you only have 10 chances to figure it out or POOF! Your data is gone. This leads us right into what is probably the larger, and certainly less articulated, concern with the potential use of the IP Box, one that is especially poignant for digital forensic professionals in the law enforcement community…

If you seize an i-device with a passcode lock and your subject/suspect refuses to turn over the passcode, your options are now limited to attempting the IP Box. However, the subject may have turned on the 10-and-out wipe option on the device and may or may not tell you so. So in your attempt to get the data, you hook up the evidence to the IP Box, try 10 times and POOF! The device auto-wipes after your 10 unsuccessful attempts.

Guess what you just did?  Destroyed evidence.

Commentary

Having been in law enforcement for 15 years and still clinging very closely to many of the ideals that drove my career for that time, I understand the drive to “get the data” at all costs. You may be working a child abduction or exploitation case or a homicide or rape, and that data is vital to your investigation. However, now having been in private practice, I also have the fortunate ability to step back a bit from the law enforcement world, take a look at some practices and audit them with a somewhat dispassionate view. Toward that end, I submit that the use of the IP Box by anyone in law enforcement charged with the collection, preservation and analysis of evidence is not only ill-advised, but woefully negligent.

Think about it – you know what could potentially happen to your seized data if you use the IP box, up to and including destruction of that evidence.  What possible justification can you place on that?  The bottom line is, there is evidence on that device.  The fact that you can’t access it doesn’t mean it’s not there.  And that evidence may have value to someone else besides you, like the defense.  Perhaps there’s exculpatory evidence on that device and you just wiped it.  I submit that the use of the IP box is in direct violation of our charge as responsible handlers of evidence.  I further submit, as one who caters to both government and private clients, that there is potential liability in law enforcement’s use of the IP box – both civilly and criminally.  Destruction of evidence, especially when you are fully aware that the potential destruction may occur AND you continue to take actions in furtherance of that potential destruction, is criminal - whether you’re in law enforcement or not.

Finally and given these facts, I can unequivocally say that if I were in law enforcement and were on the witness stand in a major trial and a savvy defense attorney was cross-examining me about the steps I took, I would have a hard time explaining my use of this device, especially given the fact that I know it could erase all the data.  The ends do not justify the means.

Conclusion

There’s no doubt that in virtually every case the potential for solid evidence to exist on a mobile device is real.  However, when we start to sacrifice our responsibility to protect that evidence in order to “get the data” at all costs, we start to devalue the forensic methodologies and best practices that we have dedicated ourselves to as digital forensic professionals. 

Look at it as the digital forensic equivalent of the Hippocratic Oath – Above all, do no harm… and protect the evidence.


Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Owner, Lead Forensic Examiner
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally
Twitter: @ProDigital4n6



Det. Cindy Murphy of the Madison, WI Police Department performed some tests on the IP Box and published a white paper with results.  It may be found here:
http://www.teeltech.com/wp-content/uploads/2014/11/IP-Box-documentation-rev2-1-16-2015.pdf

Video Blog: Live Demo of mobile forensic tool Lantern

January 30, 2015

Please follow the link below to access our YouTube link for the video blog where we do a live demo of Lantern by Katana Forensics from acquisition to reporting.

http://youtu.be/GVAPs8VK3WY

Please feel free to check out our other videos on our YouTube channel as well as our website!

Author/Creator:

Patrick J. Siewert
Owner, Lead Forensic Examiner
Pro Digital Forensic Consulting
Based in Richmond, VA.  Available Globally
Web: ProDigital4n6.com
Twitter: @ProDigital4n6
Google Plus: +Professional Digital Forensic Consulting, LLC 
Email: ProDigitalConsulting@gmail.com


Thursday, January 22, 2015

Case Study: Commonwealth v. Emanuele



In the never-ending search of something new and different (not to mention at least somewhat interesting) to write about regarding digital forensics, I thought I’d use this blog opportunity to relay a case study in which digital forensics played an interesting role.  The case involved mountains of data, multiple search warrants and some “meatball” on-scene forensics, which was fortunately documented on film (see below).  Regardless, it’s a good illustration of how cases progress.  It should be noted that this case has been concluded in the court system and none of the information contained in this case study is considered confidential or privileged.

Background

The subject of our case study is Joseph Emanuele (formerly) of Louisa, Virginia.  Mr. Emanuele was no stranger to law enforcement when we came upon him (again) in 2012.  He was already a twice-convicted sex offender, having been convicted initially of Incest in 2003 and again of Failure to Register as a Sex Offender in 2010.  Mr. Emanuele was also a self-professed computer expert and technician. 

He claimed upon our initial encounter with him for this case that people would hire him to fix their computers and further claimed that he had some formal training in this realm.  Louisa is a rural community in Virginia, not unlike many other rural communities around the country.  It has its fair share of drugs, gangs, sex offenders and various other miscreant types.

Investigation

In March of 2012, the Charlottesville Police Department, which is not far from Louisa, received a CyberTip from the National Center for Missing & Exploited Children (NCMEC). The CyberTip indicated that a person using a particular email address was soliciting contraband pictures in an incest-related chat room on Motherless.com. If you’re unaware of Motherless.com, it’s basically an online gathering place for sexual deviants of all kinds, including those interested in incest and child pornography (which often go hand-in-hand). Fortunately, as part of the CyberTip, the email address of the person soliciting pictures was included, so the Charlottesville PD issued an administrative subpoena to the email service provider and, voila! Joseph Emanuele of Louisa, VA was the registered owner. The Charlottesville PD contacted me as the local law enforcement investigator in Louisa who handled these cases and we coordinated our next steps.

At this point, no probable cause existed to apply for a search warrant. We had a CyberTip from a remote entity, an email address, a registered user and a bad criminal history on that user, but none of that was evidence of a current crime. So what do we do? Go to his house and see if he’ll cooperate with us. I, along with two other investigators from the Charlottesville PD, went to Mr. Emanuele’s house; he agreed to speak with us, let us in and agreed to allow me and another investigator to use OS Triage to scan his computer for any illicit images. While the third detective interviewed Mr. Emanuele, we were presented with a cluttered room full of CDs/DVDs and other assorted media and a homemade computer with several terabytes of on-board and external storage. There were loose internal hard drives, SD cards, memory sticks – you name it, it was strewn about Mr. Emanuele’s bedroom, which was not kept as clean as we would have liked.

Not too long after we initiated the scan, OS Triage found several notable files (thank you, Eric Zimmerman) and we decided to ask for consent to take those items, which, shockingly, Mr. Emanuele agreed to. We loaded up several computers, hard drives, etc., provided him a receipt and left to do further examination. But I knew he wasn’t going to be that nice forever, and now that we had probable cause, I applied for and received a search warrant to seize and examine the computer system so the consent couldn’t be retracted, which (again shockingly) Mr. Emanuele tried to do the next day. Instead, he was served his copy of the warrant.

So here we are: we have several computers and hard drives and terabytes’ worth of data to examine, so I start diving into it. At the time, I was using EnCase as my primary forensic tool, so I had my workflow pretty well down. Not too long after I got into the case I realized several key things. First, there were multiple (hundreds, if not thousands of) child and adult pornography videos and pictures on the main system and external HD. Second, amongst the mountain of adult pornography, many of the illicit images were also repeated several times, meaning that Mr. Emanuele downloaded and saved copies of movies that he already had at least once, if not several times. Some of the originating dates on the files went back to 2005, when Mr. Emanuele was still married and living in a different location. Having the “plus one” rule firmly in mind (meaning if you find one piece of contraband, always look for at least one more), I asked Mr. Emanuele if he had any computer equipment at his ex-wife’s house and he indicated there may be some at that location. Plus, we left hundreds of CDs and DVDs at the original house during our initial visit. Knowing from experience how much purveyors of child pornography like to collect these images, I applied for and received two more search warrants – one for the original location and one for Mr. Emanuele’s former residence, also in Louisa County.

The return visit to Mr. Emanuele’s home was tedious at best.  I’m a huge proponent of on-site previews, but when previewing hundreds of CDs and DVDs, it can take a while, even with the best computer.  But we did it and we took only what we needed.
The search warrant at Emanuele’s ex-residence was much more challenging. By now, it was the dead of June in Virginia and very hot. We went to the house and secured it; there wasn’t much inside the home, but Mr. Emanuele’s ex-wife indicated that there may be some items in the shed outside. When we went into the shed, it was packed to the ceiling with junk: furniture, kids’ toys (Mr. Emanuele had two sons), crap and more crap. We carved out a walkway and began looking. We found several loose internal hard drives and began previewing on-site. This picture shows our “meatball” forensic setup. Please note that I’m sitting on a defunct computer tower case and the power is being provided by two separate vehicles. The junk shed is the blue structure in the background. Hey, at least they cut the grass!



Best practices, anyone?

Just as the preview of this hellish nightmare (and I mean hellish, it was 95 degrees and humid) was winding down, I discovered one internal laptop HD with child pornography in the “My Documents” of “Joe” from an old Windows XP system.  Bingo.
Back at the lab, I began documenting the registered users of all systems involved in the case and locating any suspected child pornography. NCMEC was extremely helpful in this because I was able to hash the suspected files and upload those hash values, and NCMEC in turn sent a listing of which files were known child pornography images. I then conducted a hash comparison against ALL of the evidence in the case, including the original system HD and external HD, the CDs recovered from search warrant #2 and the laptop HD recovered from search warrant #3, to identify the worst of the worst, at the Prosecutor’s direction. We picked 10 of the worst files and indicted Mr. Emanuele on those. The direct indictments were handed down in December, 2012 and Emanuele pleaded guilty in April, 2013 to multiple counts of possession of child pornography. He will serve a minimum mandatory 15 years in prison and will be on probation for the rest of his life, not to mention being a 3-time sex offender.
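The hash comparison described above is a standard known-file matching step: hash every item on every evidence source, look each value up in the confirmed list, and record every location where the same file turns up (which also surfaces the repeated copies mentioned earlier). The following is an added example, not code from the post or from any tool named in it; the evidence inventory and the known-hash set are constructed placeholders, and the use of SHA-1 for the list is an assumption, since the page does not state which algorithm was exchanged.

```python
import hashlib
from collections import defaultdict

# Constructed evidence inventory: (source, path, contents). The contents are
# placeholder bytes standing in for file data; nothing here is real case material.
EVIDENCE = [
    ("system HD",   "Users/Joe/Videos/clip01.avi",                  b"clip-alpha"),
    ("system HD",   "Users/Joe/Videos/clip01 (1).avi",              b"clip-alpha"),  # re-downloaded copy
    ("external HD", "backup/movies/clip01.avi",                     b"clip-alpha"),
    ("external HD", "backup/movies/other.mp4",                      b"unrelated-video"),
    ("CD #17",      "pics/photo3.jpg",                              b"photo-beta"),
    ("laptop HD",   "Documents and Settings/Joe/My Documents/p.jpg", b"photo-beta"),
    ("laptop HD",   "Documents and Settings/Joe/My Documents/n.txt", b"notes"),
]


def digest(data, algo="sha1"):
    """Hex digest of an in-memory blob (the inventory above keeps contents in memory)."""
    return hashlib.new(algo, data).hexdigest()


def digest_file(path, algo="sha1", chunk=1 << 20):
    """Same thing for a file on disk, read in chunks so large media is never loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


# Stand-in for the listing returned on the submitted hash values: the subset that
# came back confirmed. Assumed to be SHA-1 hex strings; the real format is not on the page.
KNOWN = {digest(b"clip-alpha"), digest(b"photo-beta")}


def match_known(items, known, algo="sha1"):
    """Hash every item and keep only those whose digest is in the known set,
    grouped by hash so every copy of the same file is recorded, not just the first."""
    hits = defaultdict(list)
    for source, path, data in items:
        h = digest(data, algo)
        if h in known:
            hits[h].append((source, path))
    return dict(hits)


def summarize(hits):
    """Per matched hash: how many copies exist and which evidence sources hold one."""
    return {
        h: {"copies": len(locs), "sources": sorted({src for src, _ in locs})}
        for h, locs in hits.items()
    }


if __name__ == "__main__":
    for h, info in summarize(match_known(EVIDENCE, KNOWN)).items():
        print(f"{h[:12]}...  copies={info['copies']}  sources={', '.join(info['sources'])}")
```

Grouping by hash rather than by path is the point: the prosecutor's "worst of the worst" selection and any per-device charging decision both need to know which confirmed files appear on which seized item, and a file that recurs across the system HD, the external HD and a CD is one hash with three locations.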

Epilogue

This case demonstrates many key points.  First and foremost is teamwork. For investigations at any level in any organization to be successful, there has to be a teamwork concept.  If traditional cop egos and pride were a factor in this case and the others who originated and assisted in this case really cared about who got the credit, my guess is it wouldn’t have been as successful as it was.  Second is communication.  The original case was brought by an outside agency who had no real obligation to tell us what they were doing or why, but they did it because that’s what professionals do.  We communicated well and consistently with each other to make sure everyone was on-board with the next steps in the case.  A third key point was having a knowledgeable, competent prosecutor.  Louisa County Commonwealth’s Attorney was (and still is) Rusty McGuire.  I have never worked with a more hands-on, professional, knowledgeable prosecutor in the 15 years I was in law enforcement.  He took the time to take some digital forensic training and has made it a point to stay abreast of current case law in this field as well as work toward enacting legislation to help law enforcement more effectively investigate these crimes in Virginia.  Finally, the resources of the National Center for Missing & Exploited Children proved invaluable in this case.  Not only was the original CyberTip from NCMEC, but during the forensic examination of this case, they helped streamline the focus of the investigation, helping us come to a conclusion faster instead of looking for a needle in a stack of needles. 

As the primary investigator in this case, I assure you I could not have done it alone.  Several former colleagues at both the Charlottesville, Albemarle and Richmond Police Departments helped me immensely on this case, as well as others, and I am truly grateful for their dedication, help and professionalism. 


Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Owner, Lead Forensic Examiner
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally
Web: www.ProDigital4n6.com
Twitter: @ProDigital4n6
Google Plus: +Professional Digital Forensic Consulting, LLC 

Wednesday, January 14, 2015

Searching for Artifacts in Private Messaging App: Cyber Dust

As a burgeoning entrepreneur, I'm a big fan of the TV show "Shark Tank". I often tell people that when I was a young cop, I used to watch "Cops" to see what to do and, more importantly, what NOT to do. The same is true for my affinity for "Shark Tank". Several very successful business people from various industries get to bid or pass on business opportunities from aspiring entrepreneurs. It's not only great advertising for the young business owners, but it has the potential to be very lucrative if one of the "Sharks" happens to make them an offer on their proposal. One of the more entertaining Sharks is Mark Cuban, outspoken owner of the Dallas Mavericks NBA team and shrewd, modern businessman.
 
Recently, Cuban has been hard at work promoting a mobile app that was brought to him while on “Shark Tank” called Cyber Dust. According to his own description from The Tonight Show, “…it’s text messaging, but within 24 seconds after it’s read, the message disappears. So that way you can talk to your agent, you can talk about your friends, you can talk about anything… I don’t want to leave a digital footprint, so we came up with Cyber Dust. Once it’s gone, it’s gone.” In fact, when I recently posed the question about a possible forensic footprint being left behind by Cyber Dust to Cuban on Twitter, he replied promptly:


Being the consummate contrarian that I am, I decided to take Cuban up on his quasi-challenge and use a couple of different mobile forensic tools to try and recover data from a mobile device that was using Cyber Dust.  My results were admittedly mixed, but interesting nonetheless.

Background

Cyber Dust is available on both iOS and Android platforms and indeed was examined on both (detailed later). The app is a simple messaging app where users can send messages that have a half-life and disappear 24 seconds after being opened. Pictures can also be sent back-and-forth and, if you are “sneaky” enough to try and take a screen shot of the picture that the other party sent, it notifies them of this. Messages you send can also be “pinned” (saved for a time) on your device, but you cannot “pin” the messages of the person with whom you are communicating. There are other features too, like “blast” messaging and searching for users by user name. It’s a fairly simple, easy-to-use app that has its pluses and minuses, as with all things.

For this [admittedly] very basic experiment, I downloaded the Cyber Dust app on both my iPhone 5s running iOS 8.1.2 and my lab test phone, a pre-pay Samsung Android phone (model SPH-M830) running OS version 4.1.2 (Jelly Bean).  Full disclosure: I am NOT an Android user as my primary device. 

I used two mobile forensic tools to try and locate data on the devices – Lantern v. 4.5.4 and Cellebrite Universal Forensic Extraction Device (UFED) for PC, v. 4.1.0.178. 

Testing Parameters

I actually conducted two tests in this case.  For both, I compiled a list of key words which would be used in the message strings between me and another user (iPhone) and between me and myself on a separate account (Android).  These key words were:

  • Cyberdust (all one word)

  • Bababooey

  • Xylophone (which was also “pinned” in the message string)

  • BlogMaverick (all one word, with the B and M capitalized, “pinned” in the message string. This is Mark Cuban’s public user name on Cyber Dust)

  • SharkTank (all one word, S and T capitalized)

Additionally, I sent one picture of the cover of a book entitled “Google Hacking” from the iPhone to the Android device via Cyber Dust.

The theory behind inputting specific key words and a unique picture into the message string(s) was to be able to quickly search for and identify artifacts that are unique in nature to our “case” after a successful extraction of the data on the devices.  My results were admittedly mixed.

iPhone Results

As many in the mobile forensic world may know, a full physical extraction on any iPhone model 4s and later is not currently possible with commercially-available or open-source forensic tools. Nevertheless, I attempted to recover data from Cyber Dust on an iPhone 5s running the most current iOS as of the writing of this article using what I have found to be the most effective iOS examination tool on the market - Lantern. To be blunt, I found nothing. Of course, there was evidence that the app was installed on the device, which in and of itself should tell a trained examiner something, but that’s about it. I surmised that the reason for this is probably that the user-input portion of the app runs mainly in the device’s volatile RAM and therefore, absent a full physical extraction, I was not able to recover any probative data from the device. Oftentimes, some artifacts from device RAM may be written to the empty or unallocated space on the storage medium, but as I was unable to examine that part of the iPhone’s storage, none of those artifacts could be recovered, even if present.

Android Results

The results from the Android pre-pay/test phone were much more interesting.  I used Cellebrite UFED for PC to make a full physical extraction of the Samsung phone for examination.  I further created a logical extraction and a file system extraction, just to see if there would be any additional evidence found.  Naturally, in an app of this nature, not much data was recovered from either the logical or file system extractions, but the physical extraction yielded some interesting artifacts.

I conducted key word searches at the physical level to try and find all of the above-listed key words on the device. The search was conducted for both ASCII and Unicode characters to account for any variance. I did not make the search case-sensitive because I knew that any hits would return, whether capitalized or not. The key word "Xylophone" was searched first. Two hits were located, but not from within any app data of Cyber Dust. Rather, they were recovered from the Samsung key log file, which logs all recent key strokes input into the device and is active by default (file: root/data/com.sec.android.inputmethod/…). In fact, there were two unique hits for the same key word (Xylophone) in the same key logger. This is interesting because, while on its face the claim that Cyber Dust does not keep your data may be true, these artifacts (as well as others) were located in a secondary source. This gives a digital forensic examiner something to work with because it tells us that the data may be recoverable from more than one area. It should be noted, however, that only the sender’s messages (those that were typed on the device being examined) were recovered, not the messages received on the device from whomever the user was messaging.
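The physical-level search described above amounts to scanning the raw image for each key word in two byte encodings (ASCII, and the two-bytes-per-character UTF-16LE that Android and many keyboard components use for text) without regard to letter case, then reporting the offset and a little surrounding context for each hit. The following is an added example of that search, written here and not taken from the post or from Cellebrite UFED; the "image" it scans is a constructed byte string imitating a keyboard-log fragment in each encoding, not data from any real device.

```python
import re
from collections import Counter

# The key words used in the test above.
KEYWORDS = ["Cyberdust", "Bababooey", "Xylophone", "BlogMaverick", "SharkTank"]


def build_sample_image():
    """Constructed stand-in for a physical dump: one keyboard-log fragment in ASCII,
    one in UTF-16LE, and an SMS draft, separated by NUL filler. Not real device data."""
    filler = b"\x00" * 64
    return b"".join([
        filler,
        b"com.sec.android.inputmethod: typed xylophone now",
        filler,
        "pinned: XYLOPHONE from BlogMaverick".encode("utf-16-le"),
        filler,
        b"sms draft bababooey",
        filler,
    ])


def patterns_for(keyword):
    """Compiled byte patterns for one key word in both encodings. re.IGNORECASE on a
    bytes pattern folds ASCII letters only, which is exactly what is wanted here: the
    interleaved NUL bytes of the UTF-16LE form still have to match themselves."""
    return {
        "ascii": re.compile(re.escape(keyword.encode("ascii")), re.IGNORECASE),
        "utf-16le": re.compile(re.escape(keyword.encode("utf-16-le")), re.IGNORECASE),
    }


def search_image(image, keywords, context=16):
    """Scan the whole image for every key word in both encodings.
    Returns (keyword, encoding, byte offset, decoded context window) tuples."""
    hits = []
    for kw in keywords:
        for enc, pat in patterns_for(kw).items():
            width = 1 if enc == "ascii" else 2          # bytes per character
            codec = "ascii" if enc == "ascii" else "utf-16-le"
            for m in pat.finditer(image):
                lo = max(0, m.start() - context * width)
                lo -= (m.start() - lo) % width             # keep UTF-16 code-unit alignment
                hi = min(len(image), m.end() + context * width)
                hi -= (hi - lo) % width
                window = image[lo:hi].decode(codec, errors="replace")
                # drop filler NULs and undecodable bytes so the report line stays readable
                window = window.replace("\x00", "").replace("\ufffd", "").strip()
                hits.append((kw, enc, m.start(), window))
    return hits


def hit_counts(hits):
    """Number of hits per (key word, encoding) pair, for a quick summary."""
    return Counter((kw, enc) for kw, enc, _, _ in hits)


if __name__ == "__main__":
    for kw, enc, off, ctx in search_image(build_sample_image(), KEYWORDS):
        print(f"{kw:13s} {enc:9s} @0x{off:06x}  ...{ctx}...")
```

On the sample image this finds "Xylophone" twice (once in each encoding) and "BlogMaverick" only in the UTF-16LE fragment, while "SharkTank" and "Cyberdust" return nothing, which mirrors the point in the post that a key word can be present on the device yet missed if only one encoding is searched.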

The same evidence was found in the same place for the key words “Bababooey” and “BlogMaverick.” Both of these key words, as well as the entire text string from the messages containing those key words (as well as some older messages from standard SMS), were recovered from the Samsung key logger file. While the logger is on by default on Samsung phones, it can sometimes be turned off or replaced by another keyboard. The limitations of this pre-pay phone prevented us from testing this further with alternative keyboards. I captured some screen shots in Cellebrite UFED that show the key word hits below:

Key Word: Xylophone


Key Word: Bababooey



One interesting thing of note is the presence of the key word “BlogMaverick”.  This turned out to be the only key word that was found in more than one place.  As mentioned earlier, BlogMaverick is Mark Cuban’s public user name on Cyber Dust.  When a user downloads and installs Cyber Dust on his device, several “friends” are added by default.  Among these are “BlogMaverick” and “CDteam” (short for Cyber Dust Team).  Interestingly enough, those two screen names were located within the Cyber Dust app files at: Root/dalvik-cache/data@app@com.radicalapps.cyberdust-1.apk@classes.dex.   

The screen shot of this artifact is below:


Naturally, I’m not a programmer, so I can’t answer the question whether or not these user names were part of the Cyber Dust app by default and permanently implanted in the code or if they appear in this file because messages were routinely received from both of these user names, but the fact remains that there were these two artifacts recovered from within the Cyber Dust app which indicates two contact names at the very least.  If other screen names are added to this list through constant contact as a user, it could prove to be worthwhile recoverable data in the course of an investigation.  Obviously, more prolonged testing should be conducted to help answer these questions.


Picture Recovery on Android Device

As stated earlier, one picture of the cover of a book was sent from the iPhone 5s to the Samsung Android phone for testing purposes.  After conducting a review of the allocated images from the physical extraction as well as the carved unallocated images from the extraction, I found no evidence of the picture.  I further performed a key word search at the physical level for the file name of the picture (IMG_4153.jpg) and no traces of that file name were recovered.  I purposely did not take a screen shot of the picture, suspecting it would be found very easily in the picture database on the device.  Albeit a basic test, this seems to verify that the pictures received on Cyber Dust do not get saved in any form on the device without affirmative action being taken by the user.  It is theoretically possible that a highly trained examiner might be able to recover the image(s) from the device RAM with the proper training and tools, however I’m not aware of any such tools that capture volatile memory from a mobile device. 

This search was not attempted on the iPhone 5s because of the limitations on data recovery on iOS devices as stated previously.

Conclusions

This test has served to not only demonstrate some of the potentially recoverable artifacts on a device using Cyber Dust, but also demonstrates the differences in mobile device security and indeed, some of the purported security of the Cyber Dust app itself.  It’s obvious that Cyber Dust users on an iOS (Apple) platform with a model 4s or later can probably rest easy that their messages are deleted after having been sent and received for 24 seconds.

However, the multitude of differences among Android-platform devices presents us with a somewhat more muddled conclusion as to whether any evidence can be obtained from the use of Cyber Dust. This initial test dealt with the use of a basic Samsung smart phone running an older operating system. This begs the questions: What (if anything) could be recovered from other manufacturers’ devices? What could be recovered from a Samsung with a newer operating system and/or a device where only a logical extraction is possible? What might a theoretical examination of the volatile memory of the device present insofar as evidence? All of these questions and more lead us to the inevitable conclusion that further testing and reverse-engineering of Cyber Dust needs to be conducted. Make no mistake, there were artifacts recovered from the full physical image of the Android device using Cellebrite UFED for PC. But the artifacts were not all recovered from the Cyber Dust app database, and the recovered artifacts were somewhat sporadic in nature (the term SharkTank was not found by the search, although a visual inspection showed it as part of the Samsung key logger file as well).


For Digital Forensic Examiners, the take-away from this test is clear: Even if you are dealing with a case that involves Cyber Dust (or any other private messaging app), it may still be possible to recover data that is valuable to your case.  Will you get the entire picture?  Probably not. But the role of a Digital Forensic Examiner is often to put pieces of a puzzle together and these pieces may certainly prove valuable in many types of investigations.



It’s certain that Mark Cuban and company have come up with a pretty decent app as far as privacy goes.  What’s too early to tell is whether the reverse-engineers and programmers at companies like Cellebrite, XRY, Oxygen Forensics, Magnet Forensics, AccessData and/or Katana Forensics will uncover the need and the skills to work around the app engineering and what implication that may have on future iterations of Cyber Dust.  One thing is universally true in Mobile App Development and thus, Mobile Device Forensics – things are always changing, so it’s a constant game of catch-up between developers and forensic tool engineers to see who can keep up.

Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Owner, Lead Forensic Examiner
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally
Web: www.ProDigital4n6.com
Twitter: @ProDigital4n6
Google Plus: +Professional Digital Forensic Consulting, LLC 

AUTHOR'S NOTE: I welcome any and all feedback on these tests as this is the first time I’ve attempted anything like this.  I do realize this was not an all-encompassing scientific exploration, more of an experiment, but I welcome your feedback and comments on this and possibly future testing of apps and tools.

Update: May, 2015:  This is still the most viewed article on our blog, which indicates there's a high degree of interest in it.  We did a follow-up to this article you may want to check out.  It's linked right here: http://prodigital4n6.blogspot.com/2015/04/cyber-dust-privacy-claims-debunked.html
Thanks for all your interest!