Methods and Instruments for the New Digital Forensics Environments Mario Piccinelli Ph.D. Candidate in Computer Sciences University of Brescia, dept. of Information Engineering April 10, 2014


Ph.D. thesis presentation (transcript)

Page 1: Methods and Instruments for the new Digital Forensics Environments

Methods and Instruments for the New Digital Forensics Environments

Mario Piccinelli

Ph.D. Candidate in Computer Sciences, University of Brescia, dept. of Information Engineering. April 10, 2014

Page 2: Methods and Instruments for the new Digital Forensics Environments

Branch of forensics science that studies the identification, extraction and analysis of digital data for use in a court of law.

Digital Forensics

Page 3: Methods and Instruments for the new Digital Forensics Environments

In the beginning (from the 80s until now) it was all about (Personal) Computers.

They were all (almost) alike, and there were plenty of standard tools.

From Computer Forensics...

Page 4: Methods and Instruments for the new Digital Forensics Environments

In the last 5-10 years everything began to store digital data.

..to Digital Forensics

Page 5: Methods and Instruments for the new Digital Forensics Environments

A variegated World

Page 6: Methods and Instruments for the new Digital Forensics Environments

Digital Forensics in the Wild: field skills
• Acquisition
• Analysis
• Reporting
• Evidence handling
• Use of specific tools
• ...

Digital Forensics Research: theoretical knowledge
• Cryptography
• Filesystem structures
• Communication protocols
• ...

Page 7: Methods and Instruments for the new Digital Forensics Environments

iPhone Forensics eBook Reader Forensics Voyage Data Recorder Forensics

Research topics

What do these devices have in common?
• Modern devices which contain digital data
• Their data could be required during an investigation
• No consolidated literature about them

The rationale behind this thesis is the ever-growing need to perform digital investigations on devices and systems that have not already been studied from this point of view.

Page 8: Methods and Instruments for the new Digital Forensics Environments

iOS Forensics

What can we find in an iOS device and how can we bring it to a court...

Page 9: Methods and Instruments for the new Digital Forensics Environments

iOS Forensics: why?

Mobile and tablet worldwide market share of operating system usage for November 2013. Net Market Share collects browser data from a worldwide network of over 40,000 websites. (Credit: Net Market Share)

Page 10: Methods and Instruments for the new Digital Forensics Environments

There is no simple way to extract data from an iOS device.

iOS Forensics: issues

No easy way to access its contents without jailbreaking (which, by the way, we can’t).

Encrypted filesystem (HFS+)

Not sharing anything with the rest of the World

No debug interfaces

Easiest way to peek inside the filesystem: the backup system.

Page 11: Methods and Instruments for the new Digital Forensics Environments

iOS Backup Feature

Page 12: Methods and Instruments for the new Digital Forensics Environments

iOS Forensics: the backup

Manifest files

Everything else...

Backup folders (device ID)

Page 13: Methods and Instruments for the new Digital Forensics Environments

iOS Forensics: decoding the backup (manifest.mbdb)

Page 14: Methods and Instruments for the new Digital Forensics Environments

iOS Forensics: hierarchy

Backup files are organized in a hierarchy, the first level of it being the «Domain»:
• Media domain: media files, MMS attachments, …
• Keychain domain: account data and encrypted passwords…
• Home domain: data for standard apps (contacts, mail client, calendars, …)
• Wireless domain: data about the telephone system (call logs, connection logs, …)
• …

Page 15: Methods and Instruments for the new Digital Forensics Environments

PLIST Files (plain text and binary)

SQLite files ASCII files Data files Media files

iOS Forensics: file types

Page 16: Methods and Instruments for the new Digital Forensics Environments

iOS Forensics: apps data

Installed applications’ data is stored in the «Apps» domain (for third-party applications) or in the «Home» domain (for standard ones). The hierarchy of each application’s folder follows a standard structure.

Strong integration with WebKit offline storage.

Page 17: Methods and Instruments for the new Digital Forensics Environments

iOS Forensics: sample data

Sample application data: SMS application

Page 18: Methods and Instruments for the new Digital Forensics Environments

iOS Forensics: sample data

Location data (prior to iOS 5)

Page 19: Methods and Instruments for the new Digital Forensics Environments

iOS Forensics: sample data

Thumbnails: generated from the media gallery for fast visualization

Page 20: Methods and Instruments for the new Digital Forensics Environments

iOS Forensics: sample data

Address book data (Home domain)

Knowing about the data location and structure is the first step.

Next step: making it easily usable for the ones who need it.

Page 21: Methods and Instruments for the new Digital Forensics Environments

iOS Forensics: iPBA2

iPBA2 is a tool developed to study the backup content and to make it easier to understand for practitioners.

Right now it is the only complete open source suite for analysing iOS backup data, and it is used by both researchers and practitioners from all over the world.

http://www.ipbackupanalyzer.com

Page 22: Methods and Instruments for the new Digital Forensics Environments

iPBA2 framework plugins

Page 23: Methods and Instruments for the new Digital Forensics Environments

eBook Reader Forensics

Why an eBook reader is not worthless in a forensics context…

Page 24: Methods and Instruments for the new Digital Forensics Environments

eBook Reader Forensics: why?

• Because it is a widely used digital device.
• Because it holds digital data.
• Because no piece of data can be deemed «worthless» in advance during an investigation.
• Because almost any practitioner says it’s worthless… which, by the way, it’s not.

Locard’s exchange principle

"Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. […]"

Page 25: Methods and Instruments for the new Digital Forensics Environments

Forensics profiling refers to the study and exploitation of traces in order to draw a profile relevant to the investigation about criminal or litigious activities.

While traces may not be strictly dedicated to a court use, they may increase knowledge of the subject under investigation.

Forensics profiling

Page 26: Methods and Instruments for the new Digital Forensics Environments

eBook Forensics: a sample device

For our research, we chose a widely available modern device, the PRS-650 by Sony. Of course, many of our results can probably be achieved after further studies also with different devices from different vendors.

• E-paper display (6 inches, 800x600).
• Resistive touchscreen.
• 5 buttons.
• Montavista Linux.
• 2GB internal flash memory.
• Removable SDHC and Memory Stick PRO Duo.

Page 27: Methods and Instruments for the new Digital Forensics Environments

Books, documents, images, audio files.

Annotations. Current position of documents. Bookmarks. Notes (written and audio). Dictionary lookups. Last reading of a document. Pages read for each document.

eBook Reader Forensics: what’s inside?

Everything has a timestamp!

Page 28: Methods and Instruments for the new Digital Forensics Environments

eBook Forensics: sample data

We can access the main storage through the USB mass storage interface.

For the whole device..

For each document…

Page 29: Methods and Instruments for the new Digital Forensics Environments

eBook Forensics: sample data

Freehand annotations

«Thumbnails» folder

Page 30: Methods and Instruments for the new Digital Forensics Environments

eBook Forensics: sample data

For each document:
• current position (page)
• timestamp of the last access

Page 31: Methods and Instruments for the new Digital Forensics Environments

eBook Forensics: sample data

For each document:
• History of the last 100 page turns, with page number and timestamp.

Page 32: Methods and Instruments for the new Digital Forensics Environments

eBook Forensics: collecting data

To perform the analysis, we built a Python script which parses cache.xml, media.xml and cacheExt.xml and builds a graph of the interactions between the user and the device.

The script extracts the timestamps and produces a data file with all the timestamps found, to be plotted on a timeline.

http://github.com/PicciMario/Sony-Ebook-Reader-Time-Profiler

Page 33: Methods and Instruments for the new Digital Forensics Environments

eBook Forensics: sample results

eBook reader usage in a two-month time span.

• X axis: time
• Y axis: ID of the document involved

Page 34: Methods and Instruments for the new Digital Forensics Environments

eBook Forensics: sample results

Usage of the reader in a ten-minute span, for a single book.

• X axis: time

Page 35: Methods and Instruments for the new Digital Forensics Environments

Virtually each action performed on the device is logged.

It is possible to build a forensically sound timeline.

The evidence gathered this way could be used in court to:
◦ Draw a behavioural profile of a suspected offender.
◦ Support or deny an alibi.
◦ Provide additional useful information about the owner.

eBook Forensics: conclusions

Page 36: Methods and Instruments for the new Digital Forensics Environments

Voyage Data Recorder Forensics

Digital data in a naval accident

Page 37: Methods and Instruments for the new Digital Forensics Environments

What does a Computer Forensics expert do on a modern ship?

So many digital devices!

Page 38: Methods and Instruments for the new Digital Forensics Environments

Digital devices at sea

• GPS
• Ship automation
• Echo sounder
• Compass
• NAPA
• Radar

And much more...

Page 39: Methods and Instruments for the new Digital Forensics Environments

Voyage Data Recorder

The Voyage Data Recorder (VDR) is a mandatory device for all medium-to-big sized modern ships. Its job is to keep a record of ship data to be used in an accident investigation.

• Position, speed, heading
• Date and time
• Radar plot
• Audio from bridge and VHF
• Sonar depth
• Hull openings (watertight doors, fire doors)
• Rudder position, propellers speed
• Meteo station data (wind, ...)
• Onboard alarms
• ...

Page 40: Methods and Instruments for the new Digital Forensics Environments

VDR Forensics: data sources

Data collecting unit: an industrial computer which collects all data and temporarily stores it on a magnetic disk.

Final Recording Medium: a rugged box containing a solid-state memory, designed to survive a catastrophic accident and be recovered for further investigations.

Page 41: Methods and Instruments for the new Digital Forensics Environments

VDR Forensics: the Costa Concordia shipwreck case

Page 42: Methods and Instruments for the new Digital Forensics Environments

VDR Forensics

Starting point: the complete copy of the internal disk of the data collecting unit.

No previous knowledge (all proprietary data).

Page 43: Methods and Instruments for the new Digital Forensics Environments

VDR Forensics

Analysis of the disk structure.

Partition scheme

Mounting the partition

Partition content

Page 44: Methods and Instruments for the new Digital Forensics Environments

VDR Forensics

Analysis of the disk content: the «frame» directory

Unknown data files

Page 45: Methods and Instruments for the new Digital Forensics Environments

VDR Forensics

Extraction of an image from the data file

Page 46: Methods and Instruments for the new Digital Forensics Environments

VDR Forensics

The same goes for the «NMEA» directory.

~800 MB of ASCII data in NMEA format

Page 47: Methods and Instruments for the new Digital Forensics Environments

VDR Forensics: NMEA protocol

NMEA 0183 is a data exchange protocol used primarily in the navigation field. It is the preferred way to exchange data between navigational aids.

NMEA sentence:

$PREFIX,data0,data1,…,dataN*CHECKSUM

• $: starting character.
• PREFIX: origin and type of data
◦ First 2 characters: originating device
◦ Other 3 characters: type of sentence
• Checksum: 2-digit hex XOR of all the characters between $ and * (both excluded).

NMEA sentences are standard, but vendors are allowed to add custom ones for specific purposes.

Page 48: Methods and Instruments for the new Digital Forensics Environments

VDR Forensics

Timestamp: Unix time

= 4F 10 88 90 (hex) = 1’326’483’600 (dec) = Jan 13, 2012 @ 19:40:00 UTC = Jan 13, 2012 @ 20:40:00 local time (UTC+1)

Page 49: Methods and Instruments for the new Digital Forensics Environments

VDR Forensics

Example of standard sentence:

$RAZDA,194001.00,13,01,2012,-01,*41

• RA: origin (radar)
• ZDA: date and time
• 194001.00: time
• 13,01,2012: date
• -01: difference between local time and UTC
• *41: checksum

Page 50: Methods and Instruments for the new Digital Forensics Environments

VDR Forensics

Example of non-standard sentence:

$PSWTD,07,C----,*34

• P: non-standard prefix
• S: vendor (Seanet)
• WTD: watertight doors
• 07: door number
• C----: door status (closed, no warnings)
• *34: checksum
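A parser for the sentence format described on the NMEA slides, added here as an example; it is not the thesis's tool or the code published with it. It follows the prefix decoding shown on the slides (a single vendor letter after the proprietary "P"), computes the checksum as the XOR of the characters between "$" and "*", and converts both the ZDA date/time fields and the Unix timestamp from the previous slide into comparable datetimes. The sign convention for local time (zone field -01 meaning UTC+1) is taken from the slides and is an assumption of this code.

```python
import re
from datetime import datetime, timedelta, timezone

# Sentences as transcribed on the slides (used here as constructed test input).
RADAR_ZDA = "$RAZDA,194001.00,13,01,2012,-01,*41"
DOOR_WTD = "$PSWTD,07,C----,*34"

SENTENCE_RE = re.compile(r"^\$([^*]+)\*([0-9A-Fa-f]{2})\s*$")


def nmea_checksum(body: str) -> int:
    """XOR of every character between '$' and '*' (both excluded)."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return cs


def parse_sentence(line: str) -> dict:
    """Split one NMEA 0183 line into prefix parts and fields. A bad checksum is
    recorded, not raised, so a damaged record still appears in the timeline."""
    m = SENTENCE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an NMEA sentence: {line!r}")
    body, given = m.group(1), int(m.group(2), 16)
    fields = body.split(",")
    prefix = fields[0]
    if prefix.startswith("P"):
        # Proprietary prefix decoded as on the slide: P, vendor letter, sentence type.
        talker, kind, proprietary = prefix[1], prefix[2:], True
    else:
        talker, kind, proprietary = prefix[:2], prefix[2:], False
    return {"talker": talker, "type": kind, "proprietary": proprietary,
            "fields": fields[1:], "checksum_ok": nmea_checksum(body) == given}


def zda_to_utc(fields: list) -> datetime:
    """ZDA fields: hhmmss.ss, day, month, year, local-zone hours. The time is UTC."""
    t, day, month, year = fields[0], int(fields[1]), int(fields[2]), int(fields[3])
    return datetime(year, month, day, int(t[0:2]), int(t[2:4]),
                    int(float(t[4:])), tzinfo=timezone.utc)


def zda_to_local(fields: list) -> datetime:
    """Local wall-clock time, assuming (as on the slide) that zone -01 means UTC+1."""
    return (zda_to_utc(fields) - timedelta(hours=int(fields[4]))).replace(tzinfo=None)


def unix_to_utc(ts: int) -> datetime:
    """Binary timestamps found in the data files are plain Unix time."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)
```

Run over the two transcribed sentences, the radar ZDA line verifies while the watertight-door line as transcribed does not (its computed XOR is 0x2C), which is exactly the kind of transcription or corruption error the checksum check exists to surface before a record is used in a timeline.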

Page 51: Methods and Instruments for the new Digital Forensics Environments

VDR Forensics

Once we were able to recover the raw data, we proceeded to work on it to:
• Understand the meaning of the standard and non-standard elements.
• Understand the relative importance of each element.
• Build tools to parse the data and report the results in a useful format.

Page 52: Methods and Instruments for the new Digital Forensics Environments

VDR Forensics: sample data analysis

Position of the rudders (order and response) before and during the accident.

Page 53: Methods and Instruments for the new Digital Forensics Environments

VDR Forensics: sample data analysis

Evolution of the watertight doors (WTD) status.

Why does the last signal we have for door 8 read ‘O’ (open)?

Page 54: Methods and Instruments for the new Digital Forensics Environments

VDR Forensics: sample data analysis

Trackpilot settings on both the radar stations.

Page 55: Methods and Instruments for the new Digital Forensics Environments

VDR Forensics: sample data analysis

Interactive data replay tool.

Page 56: Methods and Instruments for the new Digital Forensics Environments

VDR Forensics: sample data analysis

Ship position and heading.

Page 57: Methods and Instruments for the new Digital Forensics Environments

VDR Forensics: sample data analysis

Simulation of the impact by position and heading data.

Page 58: Methods and Instruments for the new Digital Forensics Environments

VDR Forensics

The steps we described are related to this specific VDR model, but they also show a general approach which could probably be applied, with further studies, to any other model and vendor.

The analysis of the VDR data is of course easy to perform with closed and proprietary software from the vendor, but we were the first to publish about a forensically sound approach.

Page 59: Methods and Instruments for the new Digital Forensics Environments

Mario Piccinelli

Methods and Instruments for the New Digital Forensics Environments

Thanks for listening!

ps: any questions?

[email protected]