A presentation and paper on Reverse engineering JTAG at the 26th Chaos Communication Congress is now available to download here:
http://events.ccc.de/congress/2009/Fahrplan/track/Hacking/3670.en.html
Other Hacking and reverse engineering papers and talks from the conference can be found here:
http://events.ccc.de/congress/2009/Fahrplan/index.en.html
The hacking track is here:
http://events.ccc.de/congress/2009/Fahrplan/track/Hacking/index.en.html
More on the story here:
This report concerns the theoretical and practical issues with automatically populating mobile devices with reference test data for use as reference materials in validation of forensic tools.
It describes an application and data set developed to populate identity modules and highlights subtleties involved in the process. Intriguing results attained by recent versions of commonly-used forensic tools when used to recover the populated data are also discussed. The results indicate that reference materials can be used to identify a variety of inaccuracies that exist in present-day forensic tools.
The Paper can be downloaded in PDF format from here:
http://csrc.nist.gov/publications/nistir/ir7617/nistir-7617.pdf
More on the paper here:
http://www.testandmeasurement.com/article.mvc/NIST-Develops-Experimental-Validation-Tool-0001?VNETCOOKIE=NO
The tool itself can be downloaded from here:
http://csrc.nist.gov/groups/SNS/mobile_security/mobile_forensics_software.html
The tool is called SIMfill, and it is a Java application that populates Subscriber Identity Modules (SIMs) with reference data so that the data recovery capabilities of forensic SIM tools can be assessed. The package includes an initial set of reference data for use with SIMfill, the source and compiled code, a readme file, a user’s guide, and a video demonstration; it is free to download from the NIST page linked above.
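As an added example (not code from NISTIR 7617 or the SIMfill package), the following Python sketch shows what a reference data set for the SIM’s EF_SMS file looks like and how a tool’s recovered output can be scored against it. The record layout (status byte, SMSC address, SMS-DELIVER TPDU, 0xFF fill to 176 bytes) follows 3GPP TS 51.011 and the text packing is the GSM 7-bit default alphabet; the phone numbers, timestamp and message texts are constructed, and the “tool” whose output is scored is a hypothetical one that ignores records whose status byte is 0x00, which is how a deleted-but-not-yet-overwritten message usually looks on the card.

```python
"""Added example: an EF_SMS reference set and a scoring check for SIM forensic tools.
Constructed for illustration; not code from NISTIR 7617 or SIMfill.
Layout per 3GPP TS 51.011: status byte, SMSC address, SMS-DELIVER TPDU, 0xFF fill."""
from typing import Optional

REC_LEN = 176                          # EF_SMS record length in bytes
FREE, READ, UNREAD = 0x00, 0x01, 0x03  # status byte: free slot, message read, message unread


def pack7(text: str) -> bytes:
    """GSM 7-bit packing, LSB first (letters, digits and space coincide with ASCII)."""
    bits = nbits = 0
    out = bytearray()
    for ch in text:
        bits |= (ord(ch) & 0x7F) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(bits & 0xFF)
            bits >>= 8
            nbits -= 8
    if nbits:
        out.append(bits & 0xFF)
    return bytes(out)


def unpack7(data: bytes, septets: int) -> str:
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(septets))


def bcd_address(digits: str) -> bytes:
    """Nibble-swapped BCD as used in TP-OA and the SCA, F-padded when the digit count is odd."""
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))


def bcd_decode(data: bytes, ndigits: int) -> str:
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in data)[:ndigits]


# Constructed SMSC +1234567890 and a fixed TP-SCTS (01 Aug 2009 16:12:25, swapped BCD)
SCA = bytes([0x06, 0x91]) + bcd_address("1234567890")
SCTS = bytes.fromhex("90801061215200")


def build_record(status: int, sender: str, text: str) -> bytes:
    """One 176-byte EF_SMS record holding an SMS-DELIVER TPDU from `sender`."""
    oa = bytes([len(sender), 0x91]) + bcd_address(sender)        # TP-OA: digit count, TON/NPI, BCD
    tpdu = bytes([0x04]) + oa + b"\x00\x00" + SCTS + bytes([len(text)]) + pack7(text)
    rec = bytes([status]) + SCA + tpdu
    return rec + b"\xff" * (REC_LEN - len(rec))                   # unused bytes are 0xFF


def parse_record(rec: bytes) -> Optional[dict]:
    """Decode a record regardless of its status byte; None only for a genuinely empty slot."""
    if all(b == 0xFF for b in rec[1:]):
        return None
    p = 2 + rec[1] + 1                 # skip the length-prefixed SCA and the TPDU first octet
    ndig, p = rec[p], p + 2            # TP-OA digit count, then skip TON/NPI
    nocts = (ndig + 1) // 2
    sender = bcd_decode(rec[p:p + nocts], ndig)
    p += nocts + 2 + 7                 # BCD digits, PID, DCS, SCTS
    udl = rec[p]
    text = unpack7(rec[p + 1:p + 1 + (udl * 7 + 7) // 8], udl)
    return {"status": rec[0], "deleted": rec[0] == FREE, "sender": sender, "text": text}


def score(reference: list, recovered: list) -> dict:
    """Which reference messages a tool missed, which it invented, and which misses were deleted ones."""
    expected = [m for m in map(parse_record, reference) if m]
    key = lambda m: (m["sender"], m["text"])
    exp_keys, got_keys = {key(m) for m in expected}, {key(m) for m in recovered}
    return {
        "missed": sorted(exp_keys - got_keys),
        "spurious": sorted(got_keys - exp_keys),
        "deleted_missed": sorted(key(m) for m in expected if m["deleted"] and key(m) not in got_keys),
    }


def demo() -> dict:
    reference = [
        build_record(READ, "14155550101", "Meet at 9"),
        build_record(UNREAD, "14155550102", "Call me back"),
        build_record(FREE, "14155550103", "Deleted but still on the card"),  # status cleared, body intact
        bytes([FREE]) + b"\xff" * (REC_LEN - 1),                            # truly empty slot
    ]
    # Hypothetical tool that only reports records with a non-zero status byte
    tool_output = [parse_record(r) for r in reference if r[0] != FREE]
    return score(reference, tool_output)
```

Run `demo()` and the hypothetical tool is caught missing exactly the record whose status byte was cleared: the body is still on the card, so a validation set that includes such records is what separates a tool that reads the file system from one that merely asks the SIM for "used" records.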
The research team, which included Edith Cowan University of Australia and BT, revealed some early results yesterday in news reports by the BBC and British television affiliates.
To read more about the research go here:
http://news.bbc.co.uk/2/hi/uk_news/wales/8036324.stm
and here:
http://www.darkreading.com/security/storage/showArticle.jhtml?articleID=217400054&cid=nl_DR_DAILY_H
A forensics toolkit for the Xbox gaming console is described by US researchers in the International Journal of Electronic Security and Digital Forensics. The toolkit could allow law enforcement agencies to scour the inbuilt hard disk of such devices and find illicit hidden materials easily.
Link:
http://www.sciencedaily.com/releases/2009/04/090430101445.htm

Having a rooted phone means you can do tricks like setting up a 3G/Wi-Fi bridge. The process starts by using a rooting app to revert the phone to the RC29 build, then using the “android stupidly executes everything you type” exploit to launch telnetd and upgrade the bootloader. After that, the upgrade process is fairly easy: just flash a new baseband and build. Once you’ve got your new custom firmware, you can do future updates using an app from the Android Market.
Read More here:
You might know some of them, but most are insider codes and some should raise red flags.
Here are some of them:
D46 - “Do you want to have sex?”
LG6 - “Let’s have sex”
GNOC - “Get naked on camera”
TDTM - “Talk dirty to me”
LMIRL - “Let’s meet in real life”
See the link below, which includes a video:
The video talks about a couple of people whose lives are ruled by harassing calls and threats. They claim that their phones are tapped with special software.
Rick Mislan talks about the software and how easy it is to be placed on mobile phones.
Software such as:
- http://www.mobile-spy.com/
- http://www.world-tracker.com/
- http://www.flexispy.com/
- http://www.e-stealth.com/
- http://www.fonefunshop.co.uk/spyphone/
- http://www.thespyphone.com/allinone.html
Link to Video on YouTube:
http://www.youtube.com/watch?v=uCyKcoDaofg

It is presumed that the phones can be modified and used to receive the SMS verification codes sent by banks:
criminals have already collected thousands of login details for online bank accounts in countries such as Germany and Holland where banks send a transaction authentication number (TAN) code by SMS to a person’s mobile phone in order to complete transactions.
Read the original post by UltraScan here:
http://www.ultrascan.nl/html/press_room.html#25.000%20Euro%20for%20your%208%20years%20old%20Nokia%201100
Read more about it here:
http://www.arabianbusiness.com/553344-hackers-pay-top-dollar-for-old-nokia-1100-handsets
and here:
http://www.dialaphone.co.uk/blog/?p=2922
A man accused of raping a university student was cleared because of the mobile phone footage showing the woman ‘actively’ having sex with him. The jurors voted to acquit the man, who’d been charged with four counts of rape, including two of rape by oral penetration.
Read more here:
http://www.dailymail.co.uk/news/article-1166466/Man-cleared-rape-court-shown-phone-footage-woman-actively-taking-sex.html
Chris Ogle (29) from Whangarei, New Zealand, stumbled across sensitive details of U.S. military personnel after purchasing a second-hand MP3 player in Oklahoma, USA. He discovered around 60 sensitive military files dating from 2005 on the used music player. The files were clearly marked as ’secret’ and contained the phone numbers of numerous soldiers serving in Afghanistan and Iraq.
For more on the story visit:
We acquired the domain names AndroidForensics.com and AndroidHack.com . Both domain names should take you to MySecured.com for now. We might dedicate the Android Forensics domain in the future to a website catering specifically to the Forensics of Android-Based Cellular Phones. The Android Hack domain name will be probably dedicated to the Hacks and Mods for the Android Based mobile phones and other devices such as netbooks and laptops.
Try the domain names now:
http://www.androidforensics.com
http://www.androidhack.com
An interesting article about pedophilia and ’sexting’ in the mobile age. Sexting means sending nude or semi-nude pictures of oneself on mobile phones to others. Two cases are discussed in the article.
In my opinion, lawmakers should consider the changes in technology and evolve the laws to deal with the new issues emerging from the proliferation of cell phones in our societies and changes to the ways mobile phones are used.
I don’t know if this is true or not yet, but here it goes! There seems to be a vulnerability that affects Nokia Series 60 phones, including N95 and N73 handsets, that blocks all SMS and MMS from reaching the phone, hence the name “Curse of Silence”. The attacker sends a specially designed SMS message to the target phone. What’s worrying is that the recipient receives no indication that the message arrived.
The only way to get the target phone to receive messages again is to factory reset it. Even after the factory reset, the phone remains vulnerable to future silent curses. The attack only works on phones running version 2.6, 2.8, 3.0 or 3.1 of Symbian S60.
Cellphone Gun:
Pen Gun:
On October 6th AccessData sent a letter to Guidance Software expressing its interest to acquire all of the outstanding stock of Guidance Software at $4.50 a Share. Read more below:
http://www.itbusinessnet.com/articles/viewarticle.jsp?id=569441

A new book with companion DVD by Jesse Varsalone. Expected retail price is AUD 79.00.
Key Features include:
- Companion DVD Contains Custom Materials That Can Be Used in a Real Digital Forensic Investigation
- Includes Unique Information about Mac OS X, iPod, iMac, and iPhone Forensic Analysis Unavailable Anywhere Else
- Authors Are Pioneering Researchers in the Field of Macintosh Forensics, with Combined Experience in Law Enforcement, Military, and Corporate Forensics
Sounds good? Then for more information go to:
http://www.elsevierdirect.com/product.jsp?isbn=9781597492973
Call it “on-demand computing”, “grid computing” or “software as a service”, cloud computing is the wave of the future whether people like it or not. When it comes to smartphones, both the iPhone and the Android platform are betting their success on cloud computing. Apple’s MobileMe and Google, through its Google Apps on the G1, did not get a great start, but they are improving their acts with fixes and updates. Microsoft recently announced that it is getting into the cloud computing arena with cloud-based servers that target both smartphones and the sub-laptop devices called “netbooks”. There are too many news articles to list here to support this post, and new articles on the subject seem to pop up every single hour of the day. So, I am going to leave all the searching for cloud computing articles to you! Here is a Google search for smartphone and “cloud computing” to get you started:
Interesting article involving a child porn case:
As you might know, the iPhone 3G comes either on a contract, which means that it is locked to the provider, or unlocked via iTunes on pre-paid plans or through a special arrangement with the service provider for a small fee. Locked phones, however, can be unlocked via hardware SIM attachments such as TurboSIM (discussed in detail in my paper) or other cheaper alternatives such as Universal SIM. What you might not know is that some sellers sell iPhones as if they are officially or legally unlocked when in actuality they are unlocked with alternative SIM attachments, as shown in the pictures below:

SIM insertion slot showing extension wires

The actual Universal SIM attachment
To find out if the iPhone you are buying is unlockable by its carrier or not, ask the seller for the phone’s serial number and then visit:
http://support.apple.com/kb/HT1937
Buying a fake-unlocked iPhone could mean that your phone is illegal to use in some countries because it violates usage laws. It also means degradation, and sometimes denial, of service when it comes to data services and the quality of phone calls.
Pictures and Story from the Arabic source iPhone Islam. The only source for Arabisation of iPhone.
An interesting news article about the work of BT (formerly British Telecom), Glamorgan University, Australia’s Edith Cowan University and Sim Lifecycle Services where researchers recovered data from handsets from mobile phone recycling companies:
Mobile phones can never be totally wiped clean of data
To get more information on the research at Edith Cowan University and its upcoming conferences please visit SECAU Security Research Centre’s website:
Here are some published refereed journal and conference papers to give you an idea of what to expect for the Edith Cowan University conferences in December:
- Valli, C. and Jones, A. (2008). A study of 2nd Hand Blackberry for sale - World class security foiled by humans. Proceedings of the 2008 World Congress in Computer Science, Computer Engineering, and Applied Computing, SAM 2008: The 2008 International Conference on Security & Management, Las Vegas, USA.
- Al-Zarouni, M. (2007). Introduction to Mobile Phone Flasher Devices and Considerations for their Use in Mobile Phone Forensics. Paper presented at the 5th Australian Digital Forensics Conference, 3 December 2007, Edith Cowan University, Mount Lawley Campus, Western Australia.
- Yap, L. F. and Jones, A. (2007). Profiling Through a Digital Mobile Device. Paper presented at the 5th Australian Digital Forensics Conference, 3 December 2007, Edith Cowan University, Mount Lawley Campus, Western Australia.
- Yap, L. F. and Jones, A. (2007). Deleted Mobile Device’s Evidence Recovery. Paper presented at the Media and Information-War Conference 2007, Kuala Lumpur, Malaysia.
You can register to attend Edith Cowan University’s conferences here:
http://conferences.scis.ecu.edu.au/
Hope to see you there

The CSI Stick is a portable USB-stick-style device that connects to a mobile phone and copies data from the phone’s memory without a computer having to be connected to the phone. The type of data collected from the phone is chosen with a slider switch. The device currently supports certain Motorola and Samsung phone models, with more manufacturer support coming soon. The data collected by the device can then be interpreted with Paraben’s Device Seizure or DS Lite. The cost is $199 USD.
For more information, please visit:
http://www.physorg.com/news139460365.html
and
http://computing.in.msn.com/safe/article.aspx?cp-documentid=1658902
or the device’s official website:
http://csistick.com/
According to Jonathan Zdziarski:
So, if you have to return your iPhone to an Apple or AT&T store and they offer to replace it with a new one, make sure that you wipe your data properly first. A proper bit level wipe is needed here and NOT a system restore!
According to tuaw:
A half dozen different firms are actively hunting for developers who can assist law enforcement in reading data off unjailbroken iPhones
When: April 17, 2008 at 17:00 GMT
Who: Jonathan A. Zdziarski.
Details: While some of a suspect’s data can be viewed using the direct GUI interfaces in the iPhone’s software, much hidden and deleted data is available as well, which may provide for more thorough evidence gathering. Existing commercial forensic tools are sadly lacking in their ability to perform deep raw disk level recovery, and so Jonathan will demonstrate how to install his custom forensics toolkit on any existing model iPhone and send a raw disk image to a desktop machine. He will also show you how to recover files specific to the iPhone including deleted keyboard caches, photos, web objects, and much more. Jonathan’s custom forensics toolkit and his accompanying forensic manual will be available free to forensic investigators in law enforcement.
Read More here:
http://www.oreillynet.com/pub/e/949?CMP=ILC-orm_webinars&ATT=iphone-forensics
As requested by Haitham: the iPhone’s “hard drive” is not actually a hard drive. It is a Samsung 65-nanometre NAND flash chip, part number “K9HBG08U1M”, the same one used earlier in the 8GB iPod Nano.
Data sheet can be found here:
http://www.datasheet4u.com/download.php?id=604473
More information and other links can be found here:
http://www.iphonefreak.com/2007/07/iphone-componen.html

This is a stand-alone hard disk wiper! No computer needed. Wiebetech’s pocket-sized eRazer erases at a rate of 35MB/s, effectively wiping a 250GB hard drive in under two hours. The eRazer meets the DoD erasing standards and sells in two versions: one for $99 and the Pro, which supports SATA and multi-pass wiping, for $150… Cheap!
The following new features are available for all enterprise and individual customers:
- Performance on flash drives is improved.
- MojoPac can be used on a host with limited mode login with MojoPac Usher (Beta) installed on the host.
- MojoPac can be installed to a directory on the host computer.
- For our Enterprise customers, MojoPac 1.8 has many enhanced management, provisioning and deployment capabilities.
- Active Directory authentication is now available.
- Image creation and deployment have been made easier.
- New configuration options are available to enforce data protection and security policies.
- MojoPac can perform a security check on host computers.
If you are an IT administrator, please contact sales-at-ringcube dot com for updated documentation and management tools.
If you have automatic updates enabled, your MojoPac will update in the next few days.
If you are not using MojoPac, please download it. MojoPac Freedom is *free* for non-commercial personal use.
For more information and to download Mojopac, please visit them at:
Where: Chicago, Illinois, USA.
When: 8-10 May 2008
What: World’s first conference to be dedicated to performing Mobile Device Forensics.
How much: Registration prior to March 1, 2008: $250 and after $300USD
More details can be found on the official website:
http://mobileforensicsworld.com/
Speakers include:
Rick Ayers, NIST
Sam Brothers, CBP
Michael Harrington, MSP
Wayne Jansen, NIST
Gary Kessler, Champlain College
Ben LeMere, USCG
Kyle Lutes, Purdue University
Agents from Matrix Solutions
Kevin Mansell, Control-F
Rick Mislan, Purdue University
Lee Reiber, MFI
Amber Schroader, Paraben
Greg Smith, TrewMTE
Workshop Sessions in:
Cellebrite UME36
Cellular Data Resources
Control-F
CSurv Cell Site Analysis
DataPilot
Pandora’s Box
Paraben Forensics
Project-A-Phone
The First International Conference on Forensic Applications and Techniques in Telecommunications, Information and Multimedia will be held in Adelaide, South Australia from January 21st to 24th 2008. Call for Papers closes on September 28th 2007. Topics include data mining, multimedia source identification, image tamper detection and data carving. For more information please visit the conference website.
According to WIRED Magazine:
http://www.wired.com/gadgets/wireless/news/2007/08/iphone_forensics
It quotes experts from Paraben and BlackBag saying that iPhone forensics is a challenge.
Read the following articles for more details on the case:
If you don’t already have this one, please download and read this Computer Security Division NIST Interagency Report (IR). It was published in March 2007:
- http://csrc.nist.gov/publications/nistir/nistir-7387.pdf
- Zipped version of the pdf: http://csrc.nist.gov/publications/nistir/nistir-7387-pdf.zip
It is an update and complement to NIST Reports:
- Guidelines on Cell Phone Forensics (Special Publication 800-101):
- Cell Phone Forensic Tools: An Overview and Analysis (NISTIR 7250):
Where: Liverpool Library, U.K.
When: 5pm on 25th June 2007.
What: read the pdf brochure.
For more information, follow the link:
http://www.criminalsolicitor.net/forum/forum_posts.asp?TID=2450
I have received many visits to this site from people searching for “Nokia Hidden Codes”. So, I decided to include some more.
Here is a list of codes and some links to get some more codes:
*#06# Gets you the Serial Number/IMEI.
*#0000# Gives you the software version (e.g. V 5.27.0 / 28-06-04 / NHL-10) The NHL-10 is important and makes your life easier when you try to use flashers!
*#2820# Gives you the Bluetooth device address
xx# - Quick contact access (xx = location number, e.g. : 17#)
*#62209526# Gives you the MAC address of the WLAN adapter, this information is only available on the new models (S60 3rd edition) which have wireless connectivity.
To get some more codes (some of which can damage your phone and/or the data residing on it), approach the codes on these sites with caution:
- N-Gage codes: http://www.gamefaqs.com/portable/ngage/code/915353.html
- In Polish (Patryk, please translate!): http://www.eplay.yoyo.pl/viewpage.php?page_id=79
- From GSM-Hacks: http://www.gsmhacks.com/forums/mobile-technologies/1429-codes-s60.html
Again, please exercise caution.
Picture from MobileFanatic
The article below discusses issues that law enforcement agencies have with intercepting VOIP calls on Mobile phone networks and whether traces are left on the devices about the phone calls taking place.
Link: The Australian Newspaper.
A very helpful PDF document from SEARCH: The National Consortium for Justice Information and Statistics. It highlights some of the hardware and software solutions that can be added to the investigator’s arsenal, along with how much each of them costs. The document can be found here:
http://www.search.org/files/pdf/CellphoneInvestToolkit-0806.pdf
A site with links organized according to different categories in small digital device forensics. It could be a placeholder for a future, more in-depth site.

The “Cryptography, Law Enforcement, and Mobile Communications ” article in IEEE’s Security and Privacy magazine sheds some light on the use of flashers in mobile forensics as well as the use of tools such as XRY. The article also mentions the use and importance of Faraday cages.
Here is a link to the full article:
Link.
Thanks to Mike for the following two part series of documents on working with flashers:
Part 1:
http://mobileforensics.files.wordpress.com/2007/04/hex-primer-pt-1.pdf
Part 2:
http://mobileforensics.files.wordpress.com/2007/04/hex-primer-pt-ii.pdf
Make sure that you visit his blog to learn more about advanced mobile device forensics:
http://mobileforensics.wordpress.com/
Read what Prof. Rick Mislan said about the use of Phone Flasher Technologies and their role in the acquisition stage of mobile phone forensics and their use by students in digital forensics courses at Purdue University in the US.
The official site for Western Australia’s Digital Forensics Practitioner Interest Group (DFPIG) is now active. If you live in Western Australia and you are interested in Digital forensics, then you should come to our meetings in Edith Cowan University. For times and dates, please visit the official site at:

Ever wanted to show your mobile screen on a computer screen or a projector? You can now with Project-A-Phone! A picture is worth a thousand words.
Some interesting research topics from Purdue Uni. related to mobile phone forensics under Prof. Rick Mislan:
Click here to visit the site.
Otherwise, their main pages are found here:
http://www.cyberforensics.purdue.edu/DNN/
The Mobile Forensics blog by Michael Harrington has useful information on: SMS forensics, phone flashers, Faraday cages, forensics seizure procedures and much more. The site also includes posts on the forensic examination of BlackBerry devices. The blog was created in February 2007.
You can visit the blog here:
http://mobileforensics.wordpress.com/
The blog is frequently updated and links to Michael’s http://www.mobile-examiner.com/ website. This site has online training and on-location training and it also has mobile forensic tools and a forum.

CellDEK™ is a portable handset data extraction kit designed for use at the scene of a crime and all working environments associated with on-going investigations. The kit is fully integrated within a ruggedised briefcase. It has approximately 10 hours of battery life and can be recharged through a vehicle, or mains electrical source. The website for the product is here:
http://www.celldek.com
More information is also available through logicube:
http://www.logicubeforensics.com/products/hd_duplication/celldek.asp
It is provided in the UK by the Forensic Science Service® (FSS), a provider of forensic supplies to police forces in England and Wales. The FSS is also a source of training, consultancy and scientific support. FSS can be reached here:
http://www.forensic.gov.uk/
Venue: Sheraton by the Creek,Dubai, UAE.
Duration: 2-5 April 2007
Details:
Date: 2nd April 2007
Time: 0900 - 1800
Item: 4-tracks Hands-On Technical Training (Day 1)
Date: 3rd April 2007
Time: 0900 - 1800
Item: 4-tracks Hands-On Technical Training (Day 2)
Date: 4th April 2007
Time: 0800 - 1600
Item: Dual Track Security Conference & Capture The Flag ‘Live Hacking’ Competition (Day 1)
Date: 5th April 2007
Time: 0800 - 1600
Item: Dual Track Security Conference & Capture The Flag ‘Live Hacking’ Competition (Day 2)
Hands-On Technical Training
TECH TRAINING 1 - Advanced Web Application & Services Hacking
Trainer: Shreeraj Shah (Director, Net-Square)
TECH TRAINING 2 - Tactical VoIP : Applied VoIPhreaking
Trainer: The Grugq (Independent Network Security Researcher)
TECH TRAINING 3 -Structured Network Threat Analysis and Forensics
Trainer: Meling Mudin (spoonfork) and Lee Chin Shing (geek00l)
TECH TRAINING 4 - Packetmastering the Monkey Way
Trainers: Dr. Jose Nazario (Senior Software Engineer, Arbor Networks)
Keynote Speakers
1.) Mikko Hypponen (Chief Research Officer, F-Secure Corp)
2.) Lance Spitzner (Founder, Honeynet Project.)
Invited Speakers (alphabetical order)
1.) Anthony Zboralski (Founder, HERT & PT. Bellua Asia Pacific)
2.) Emmanuel Gadaix (Founder, Telecom Security Task Force, TSTF)
3.) Fabrice Marie (Manager, FMA-RMS Singapore/Malaysia)
4.) Jim Geovedi (Member of HERT & Security Consultant, PT Bellua Asia Pacific)
5.) Dr. Jose Nazario (Senior Software Engineer, Arbor Networks)
6.) Raoul Chiesa (Board of Directors Member@ Mediaservice.net ISECOM Group & TSTF)
7.) Roberto Preatoni (Founder, Zone-H Defacement Mirror)
8.) Shreeraj Shah (Director, Net-Square)
9.) The Grugq (Independent Network Security Researcher)
10.) Window Snyder (Chief Security Something-or-Other, Mozilla Foundation)
Links:
http://conference.hitb.org/hitbsecconf2007dubai/
http://conference.hackinthebox.org/hitbsecconf2007dubai/?p=56
News Links:
http://star-techcentral.com/tech/story.asp?file=/2007/2/5/corpit/20070205183948&sec=corpit
http://www.itp.net/news/details.php?id=23403&category=
Thanks David for the heads up
It takes place from August 13 to 15, 2007 in Pittsburgh, USA. The Call for Papers is open until April 6, 2007. For more information, please go to:
http://computer.forensikblog.de/en/2006/10/dfrws_2007.html
The guide was written by Karen Kent, Suzanne Chevalier, Tim Grance, and Hung Dang.
The guide presents forensics from an IT view, not a law enforcement view. It is written for incident response teams; forensic analysts; system, network, and security administrators; and computer security program managers who are responsible for performing forensics for investigative, incident response, or troubleshooting purposes.
It also has a wide array of resources for further reading. Highly recommended read and reference for IT professionals.
Download it here:
http://csrc.ncsl.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
Read more about it in here:
http://www.cccure.org/modules.php?name=News&file=article&sid=1023
NIST also released the following four security related guides:
- Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist
- Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
- Assessment of Access Control Systems
- Guide to Computer Security Log Management
Read more about them here:
http://www.govtech.net/magazine/channel_story.php/101708
Last but not least, it is worth mentioning that last month, NIST released a document about RFID. Read about it here:
http://www.fcw.com/article96300-10-03-06-Web
Thanks Clement

Before you read my comments below, please read the article:
http://www.digitalworldtokyo.com/2006/10/ceatec_ps3s_cell_chip_coming_t.php
It is just a matter of time until we see this processor in cellphones. Even with the current processors, mobile phone forensics remains an issue. How the power of the processor from the most powerful game console will change mobile phone forensics remains to be seen.
Moreover, this opens the door for more devices to be merged with cell phones and will demand a more powerful power source to support such a powerful processor.
I stumbled on this while reading NIST’s draft on mobile forensics. So, here are some interesting links in regards to mobile forensics at Purdue University.
Main page:
http://www.cyberforensics.purdue.edu/index.htm
Small Scale Digital Device Forensics Course:
http://www2.tech.purdue.edu/cpt/courses/CPT499D/
Look at the readings section.
Events:
http://www.cyberforensics.purdue.edu/events.html
Richard Mislan’s Page:
Link
Marcus K. Rogers’ page:
Link
The US National Institute of Standards and Technology (NIST) released the draft version of “Guidelines on Cell Phone Forensics” on August 31st. I found out about it today! Here it is:
http://csrc.nist.gov/publications/drafts/Draft-SP800-101.pdf
CoDeeN is a proxy server system created at Princeton University. I felt that I needed to tell you about it in relation to my paper on Tracing E-mail Headers. CoDeeN operates in the following manner:
- Users connect to a proxy server nearest to them (or any proxy server in the codeen network).
- Requests are then forwarded to a network node that has cached the file and that has sent recent updates showing that it is still alive (in the form of heartbeats). The file is then forwarded to the proxy and from there to the client.
Interesting for caching purposes but has the potential of becoming a nightmare for network forensics including web and email tracing. Abuse was addressed by CoDeeN in the following statement:
All accesses via CoDeeN are logged, mostly to aid in identifying abuse and other forms of damage control. We sometimes monitor these logs, report abuse, and release entries to aid in investigations. In case of suspicious traffic, we may access URLs from the logs to determine what kind of content is passing through our network. We are also using these logs in our own research, so they may be examined as needed for non-abuse reasons. For normal users, we do not expect that we will intentionally release any personally-identifying information. To prevent abuse, some sites have requested we pass along the client IP addresses, and these are included with every request forwarded to those sites.
So, if you see a CoDeeN server IP in your logs, you know who to contact!
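The practical problem for network forensics is the one the CoDeeN statement hints at: the request your server logs comes from the proxy’s address, and the real client is only recoverable from what the proxy appends (typically an X-Forwarded-For header), which any direct client can also forge. The following Python is an added example, not part of the original post or of CoDeeN: it attributes requests in a web access log, believing X-Forwarded-For only when the TCP peer is a known proxy node. The log lines, the log format (combined format with the X-Forwarded-For value appended in quotes) and the proxy address range (the documentation prefix 192.0.2.0/24, standing in for a real list of CoDeeN nodes) are all constructed.

```python
"""Added example: attributing web-log requests that arrived through an open proxy such as CoDeeN.
Log lines, log format and the proxy address range are constructed; 192.0.2.0/24 stands in
for a real list of proxy nodes and is not a CoDeeN address range."""
import ipaddress
import re

KNOWN_PROXY_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed stand-in for the proxy list

# Constructed: combined log format plus a trailing quoted X-Forwarded-For ("-" when absent)
SAMPLE_LOG = """\
192.0.2.17 - - [10/Sep/2006:14:02:11 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/4.0" "198.51.100.23"
203.0.113.9 - - [10/Sep/2006:14:02:15 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/4.0" "-"
203.0.113.9 - - [10/Sep/2006:14:02:19 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.15" "10.0.0.1"
192.0.2.40 - - [10/Sep/2006:14:03:02 +0000] "GET /admin HTTP/1.1" 403 0 "-" "Mozilla/4.0" "198.51.100.23, 192.0.2.40"
"""

LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)


def is_known_proxy(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_PROXY_NETS)


def origin_of(peer: str, xff: str):
    """Return (origin_ip, via_proxy).

    X-Forwarded-For is believed only when the TCP peer is a proxy we know: any client can
    send the header itself, so on a direct connection the peer address is the only evidence.
    Walking the header right to left and skipping hops that are themselves known proxies
    yields the address the proxy chain claims for the original client."""
    if not is_known_proxy(peer):
        return peer, False
    hops = [h.strip() for h in xff.split(",") if h.strip() and h.strip() != "-"]
    for hop in reversed(hops):
        if not is_known_proxy(hop):
            try:
                ipaddress.ip_address(hop)       # drop malformed values
            except ValueError:
                continue
            return hop, True
    return peer, True                           # header absent or all proxies: attribute to the proxy node


def parse_log(text: str) -> list:
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        origin, via = origin_of(m["peer"], m["xff"])
        rows.append({"peer": m["peer"], "origin": origin, "via_proxy": via,
                     "request": m["req"], "status": int(m["status"])})
    return rows


def proxied_requests(text: str) -> list:
    """The rows to follow up with the proxy operator, who keeps its own access logs."""
    return [r for r in parse_log(text) if r["via_proxy"]]
```

Note the third sample line: a direct client sending its own X-Forwarded-For of 10.0.0.1 stays attributed to 203.0.113.9, because the header is only evidence when a trusted proxy wrote it. For the rows flagged via_proxy, the proxy’s own logs (which the CoDeeN statement says are kept and released to aid investigations) are where the chain continues.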
Links:
http://codeen.cs.princeton.edu/
http://en.wikipedia.org/wiki/Codeen
My Paper on Tracing E-mail Headers:
http://scissec.scis.ecu.edu.au/publications/forensics04/Al-Zarouni.pdf
Just like hard disks, selling your used mobile phone can be dangerous. It can reveal sensitive and confidential information about you or your business. Sometimes, following the manufacturer’s data erase instructions is not enough, as the article below shows.
Links:
Sydney Morning Herald Article 1
Sydney Morning Herald Article 2
A post I published on Marwan.com in 2004:
http://www.marwan.com/2004/09/think-twice-before-selling-your-mobile.php
Sorry, the link to the Khaleej Times article is outdated.
UPDATE:
Hard Disks Still Discarded
I found this article on the Phone Magazine Site. Here are some snippets from it:
The number of households relying on mobile phones (one in ten) has equalled the number of those who use landlines.
While incidences are currently low, smarter phones and the adoption of standard internet technologies leave users vulnerable to attack.
It goes on to say that the answer to all of this lies in operators introducing measures to safeguard records held on mobile phones. This is done in the form of anti-spam and anti-virus, anti-abuse and blacklisting.
Using antispam and antispoof technology, operators can detect abnormal patterns in messaging traffic, confirm legitimate senders, filter content, and block suspicious messages. Filtering content also helps the fight against the spread of viruses and trojans. Mobile operators can use technology to share spam control with their subscribers by providing solutions to black-list certain phone numbers and block messages coming from these phones. As an industry there is much we can do to fight fraud. Many of us think we are doing all we can but there are always ways to improve on this to ensure confidence in the mobile industry. Due diligence and taking advantage of new technologies are major contributors to controlling fraud.
Organizations and individuals are still leaving critical data on disks later sold on through online auctions and computer fairs, according to a new study. The research carried out by BT, the University of Glamorgan in Wales and Edith Cowan University in Australia found payroll information, mobile telephone numbers, copies of invoices, employee names and photos, IP addresses, network information, illicit audio and video files, financial details including bank and credit card accounts on hard drives purchased from a number of sources.
To read full article please click on the following link:
http://www.scmagazine.com/uk/news/article/577355/critical-data-found-second-hand-hard-drives
Another article
http://www.btplc.com/News/Articles/Showarticle.cfm?ArticleID=5e5ce27a-ce88-48d7-8ebc-ace912050674
And the Guardian…
http://technology.guardian.co.uk/weekly/story/0,,1840396,00.html
OK, here is the scenario:
- An SMS is sent to mobile phones that lures the victims to visit a web dating site.
- After they visit the specially crafted website address, another message thanks the recipient for subscribing to a dating service, which is fictitious, and states the subscription fee of $2.00 per day will be automatically charged to their cellular phone bill until their subscription is canceled at the online site.
- Recipients visiting the site to cancel their subscription are redirected to a screen where they are prompted to enter their mobile phone number to unsubscribe, then given the option to run a program which is supposed to remove their subscription to the dating service.
- When they run the executable file, it adds several files to the host and changes registry settings to open a backdoor port and lower Windows security settings. The hosts file is modified to prevent the victim from browsing to popular anti-virus web sites. The executable also makes the infected computer part of a “zombie” network that can be remotely controlled by the attackers.
So, how do you classify this attack? phishing (notice that no emails were sent), mobile virus, computer malware , Trojan, “no patch for stupidity” or “all of the above”?
Note: notice that bank sites always warn their customers not to trust emails… But they say nothing about SMS! Even the banks that provide services such as mobile banking.
Links:
http://www.zone-h.org/content/view/13889/31/
http://www.ic3.gov/media/2006/060628.htm
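One of the steps in the scenario above leaves a simple artefact an examiner can check for: a hosts file that names security vendor sites. Below is an added example (not code from the IC3 or Zone-H write-ups) that parses a Windows-style hosts file and flags any mapping for a watched domain, distinguishing a blackholed entry (loopback or 0.0.0.0, which denies access to updates) from one pointing at a routable address (which could redirect the victim to a hostile copy of the site). The hosts file content and the watch-list domains are constructed; in practice the list would hold the real vendors’ download and update hostnames.

```python
"""Added example: a check for the hosts-file tampering in the SMS-phishing scenario.
The hosts file content and the watched domains are constructed for illustration."""
import ipaddress

# Constructed watch-list: domains that should be resolved via DNS, never pinned in a hosts file
WATCHED_DOMAINS = ["example-antivirus.test", "update.example-antivirus.test", "example-security.test"]

# Constructed hosts file: legitimate entries, a comment, a tab-separated line and a tampered entry
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver  fileserver.corp.test
127.0.0.1\texample-antivirus.test www.example-antivirus.test   # added by the dropper
10.9.8.7        update.example-antivirus.test
0.0.0.0 ads.example-tracker.test
"""


def parse_hosts(text: str):
    """Yield (ip, hostname, line_no) for every mapping, ignoring comments and blank lines."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:          # one address may carry several hostnames
            yield parts[0], name.lower(), n


def matches_watchlist(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_entries(text: str) -> list:
    """Every mapping for a watched domain is suspicious; classify what the mapping does."""
    findings = []
    for ip, name, n in parse_hosts(text):
        if not matches_watchlist(name):
            continue
        try:
            addr = ipaddress.ip_address(ip)
            effect = "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"
        except ValueError:
            effect = "malformed"
        findings.append({"line": n, "ip": ip, "host": name, "effect": effect})
    return findings
```

On the constructed file this reports the two loopback entries added by the dropper as "blocked" and the update host pointed at 10.9.8.7 as "redirected"; the ad-blocking entry is ignored because it is not on the watch-list. A redirected finding deserves more attention than a blocked one, since it means the victim’s update traffic is going somewhere the attacker chose.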
While searching for “Mobile Phone Forensics”, I came across the “Security & Forensics wiki” site. I was pleasantly surprised. It was in line with what I was already doing in my research. I was sad, though, at the fact that no site that I knew of linked to them! I know that wikis are not considered by many to be a good source of information, but neither are blogs, are they… We still consider blogs legitimate sources of information and always link to them. We even link to forum posts too, and ‘ahum… bugtraq posts’… so why not wikis? Links:
SecuriWiki Main Page:
http://polya.computing.dcu.ie/wiki/index.php/Main_Page
Mobile Phone Forensics Page:
http://polya.computing.dcu.ie/wiki/index.php?title=Mobile_Phone_Forensics
Email Analysis Page:
http://polya.computing.dcu.ie/wiki/index.php/Email_Analysis
I recently got a proprietary phone and it does look like there are no connectivity options provided with it apart from the USB cable, which provides access to MP3 and MP4 content only and no access to other phone data. I am yet to test it with forensics tools though. If you have any experience with these kinds of phones, please comment on this post.
My mobile phone details:
- Sansing S5688 (also known as P990)
Contains links to tools, websites and articles on the subject. To jump to articles click HERE.
Link: E-Evidence.info
This is one DVD that has most of what you’ll need to boot on a machine to examine it thoroughly. My favourite tools are Auditor, Helix and F.I.R.E.
The current SecureDVD release includes:
The conferences’ official website is http://scissec.scis.ecu.edu.au/conferences. The conferences will run concurrently and will be held on the ECU Mount Lawley Campus in Perth, Western Australia on 4th and 5th December 2006. The conferences are:
- 4th Australian Digital Forensics Conference
- 7th Australian Information Warfare Conference
- 4th Australian Information Security Management Conference
Important Dates (All Conferences)
Papers Due 1st October, 2006
Feedback 1st November, 2006
Final Papers Due 15th November,2006
