Research

May 17, 2022

There is always room for improvement to parsers of the past. That was the case when I was asked to look into some Kik Messenger artifacts. There has already been support for Kik in iLEAPP for months, but you can always squeeze out more information. Starting with the basics, we can open up Josh Hickman’s well-documented test image of an iPhone SE. We can look at the main SQLite database file found at the following path:

January 02, 2022

Was an iPhone restored from iCloud, iTunes backup or started from scratch?

January 02, 2022

In the last two blog posts I wrote about ways of obtaining a list of currently installed apps and their corresponding app directories from an iOS file system extraction. My usual method is to query the contents of the applicationState.db file to find the app bundle id and which GUID-like directory name corresponds to it. By finding the proper directory, one can focus on the data stores it contains for parsing of user-generated data when our forensic tools are not aware of them.

January 02, 2022

What was the public IP address of a Windows 10 device?

January 02, 2022

Recently I purchased a new car. I am talking brand spankin’ new. I had been looking for a compact SUV for a while because of a growing family, and I found it: a 2019 Nissan Rogue. I purchased it in 2018, so this would make the car, like, really new. I was super excited as this was the first time I had ever purchased a new car.

While signing the novel-sized stack of paperwork that is part of any car purchase, the woman I was working with and I were chatting about all the bells and whistles that were in my newly purchased ride, and she mentioned that she had a term for newer cars: laptops on wheels. She was absolutely correct. My car keeps track of all sorts of things: gas mileage, proximity to objects, tire pressure, what I’m listening to on the radio, external temperature, and other things I probably don’t know about. The on-board electronics are crazy compared to my first car (a 1985 Chevy S-10 pickup). Additionally, my new car supports Apple’s CarPlay and Google’s Android Auto, the two automotive interfaces developed for the two major mobile software platforms.

While I have been using CarPlay for some time now, I have never used Android Auto. I was aware of its existence, but that was about it. When I bought the car, I was in the middle of creating a clean Android image for the DFIR community, so I thought it would be great to have this in the image since phone-to-car interfaces will become more and more common. Currently, there are 29 different auto manufacturers that have various models which support Android Auto, and the list continues to grow. Additionally, there are after-market radio manufacturers (e.g. Pioneer, Kenwood, etc.) that are baking Android Auto into their units, so I feel that this will become more commonplace as time goes on.

January 02, 2022

Search history. It is an excellent way to peer into someone’s mind and see what they are thinking at a particular moment in time. In a courtroom, search history can be used to show intent (mens rea). There are plenty of examples where search history has been used in court to establish a defendant’s intent. Probably the most gruesome was the New York City Cannibal Cop trial, where prosecutors used the accused’s search history against him. Of course, there is a fine line between intent and protected speech under the First Amendment.

January 02, 2022

A few weeks ago, I posted a blog about some research I conducted on Android Auto, and I mentioned there was some interesting data left behind by Google Assistant when using Android Auto. Based on what I found there, I decided to go further down the virtual assistant rabbit hole to see what I could find.

As far as virtual assistants go, I use Siri. When I had a newborn, Siri was used a lot. In addition to turning on/off lights or playing music, I used Siri to turn on certain appliances (via smart plugs), respond to texts, and make phone calls as my hands were usually holding a baby or trying to do something for/to/with a baby. Siri was really helpful then. Siri is still useful, but, nowadays, my primary use of Siri is in the car. There are times where I still yell at my phone or HomePod to find a TV show, play a song, turn on a light, or answer a quick math question. For other things such as search and typing a message (outside of the car), I’m old fashioned.

January 02, 2022

In part two of this article I will be looking at Google Assistant artifacts that are generated when using a device outside of the car (non-Android Auto). Since this post is a continuation of the first, I will dispense with the usual pleasantries and jump right into things. If you have not read Part 1 of this post (dealing with the Google Assistant artifacts generated when using Google Assistant via Android Auto), at least read the last portion, which you can do here. The data (the phone extraction) discussed in both posts can be found here. Just know that this part will not be as long as the first, and will, eventually, compare the Google Assistant artifacts generated in Android Auto to those generated just using the device.

January 02, 2022

This document is provided to the general Computer Forensic community as a starting point to incite further research by others in the community, with the goal of further refining these procedures and developing additional procedures. This document contains three main sections. The first section explains the importance of obtaining all available cloud data from Google either via legal process or via consent through the Google self-service “Takeout” mechanism. The second section provides scripts and instructions on capturing a decrypted logical backup of all encrypted data on a Chromebook/Chromebox if you have the username(s) and password(s) for the accounts on the Chromebook/Chromebox. The final section provides scripts and instructions on capturing a full physical disk clone of a Chromebook/Chromebox in some very limited situations. Please see each section for complete details.

January 02, 2022

Google implemented a baked-in app/feature called Now Playing as part of the Pixel 2 and Pixel 2 XL launch in 2017, and it has been included in every Pixel phone release since. It gives you the option to allow Google to try to recognize song information for music that is playing around you. Per Google:

January 02, 2022

Windows users can create shortcut files on the systems they use. A shortcut file is a small file which has information used to access or point to another file (Lee, FOR500 Windows Forensic Analysis Textbook, Volume 3 Core Windows Forensics II: USB Devices and Shell Items 2018, 8). Shortcut files are most often referred to as Link files by forensic analysts based on their .lnk file extension. In addition to user-created LNK files, the Windows operating system automatically creates LNK files when a user opens a non-executable file or document. Windows creates these LNK files on a frequent basis, and their creation is performed in the background without the explicit knowledge of the user. Within a LNK file, Windows records several pieces of information about the target file that the LNK file is designed to access (13Cubed 2017). Some of these pieces of information include:

January 02, 2022

With all the news around TikTok (on political, business, and privacy fronts), I decided to take a look at it. There's been lots of coverage on the mobile apps, regarding what they can do or collect. That's not really my wheelhouse and has already been explored, so I decided to look into the URLs and see what I could find. If you're familiar with Unfurl, you might know I like to find timestamps embedded in things, so I figured I'd begin there.

January 02, 2022

When it comes to scanning and tracking paired Bluetooth devices, Android devices are completely different from iOS phones. Historically, more files were accessible that tracked connectivity in older Android versions. We used to be able to track connectivity to Bluetooth, NFC, USB, and more within /data/com.android.connectivity.metrics/databases/events.db. This file is no longer present on the Android devices we tested. In addition, connections to a car via Bluetooth exist all over the Android device. If you are trying to determine if a user was driving hands-free, you have your work cut out for you.

January 02, 2022

Data in the cloud is becoming increasingly important to forensic examinations. Services such as those offered by Google and Apple collect a vast quantity of data about the users, and in recent years there has been a shift to allowing the user to access this data too. The Takeout service allows all data held by Google regarding a user to be downloaded.

January 02, 2022

Bluetooth connections are often a factor in many investigations and can cover a wide range of case types from accident investigations to cases involving proximity to locations. Proving whether a driver was distracted before a fatal accident occurred is a common request. Were they really connected to Bluetooth? How can you be sure? What about a “seen” Bluetooth device? Can you leverage that to put a suspect in an approximate location at a point in time? Yes, you can. But only if you really understand the data.

January 02, 2022

In certain investigations, it may arise that you need to find the following:

  • What process was using the camera or microphone?

  • When was the last session?

  • How long was that session?

Using the contents of the following registry keys, you can determine when and for how long a process had access to privacy-protected resources. These resources include the microphone, webcam, Bluetooth, location, contacts and more. For this blog, I will focus on the microphone and webcam as an example.

January 02, 2022

During an examination and analysis, I learned some interesting things and would like to share them with you. After the examination of an Apple iPhone 7, I discovered some photos were captured using the camera application (com.apple.camera.CameraMessagesApp) from within the native iPhone messaging application (com.apple.MobileSMS). As a result of photos being captured, several files were created that I have not observed during my past examinations and I had a few questions.

January 02, 2022

The keychain is one of the hallmarks of the Apple ecosystem. Containing a plethora of sensitive information, the keychain is one of the best guarded parts of the walled garden. At the same time, the keychain is relatively underexplored by the forensic community. The common knowledge has it that the keychain contains the users’ logins and passwords, and possibly some payment card information. The common knowledge is missing the point: the keychain contains literally thousands of records belonging to various apps and the system that are required to access lots of other sensitive information. Let’s talk about the keychain, its content and its protection, and the methods used to extract, decrypt and analyze the various bits and pieces.

January 02, 2022

One of the most common questions we have been asked is “How do I know when an iOS device was wiped?” Wiping is a solid way of trampling potential evidence on a device. Over the years, we have seen some savvy moves to try to cover up the wiping of a device and avoid having the act detected. These include:

  1. Wiping the device far enough in advance and conducting as much activity as possible to create noise on the device and make it look “used.” Like Ruth did on the Cellebrite CTF.

  2. Wiping the device and pushing old backup data to it to make it look “used.”

  3. Wiping a device and pushing someone else’s data to it to make it look “used.”

In this blog, we want to help you quickly identify if an iOS device was wiped. Keep in mind, a wipe doesn’t mean something nefarious occurred as there are legitimate reasons to wipe a device. We are simply helping you determine the “when” and we leave you with the fun part of determining the “why” behind the wipe.
