2. Branch of forensic science that studies the identification, extraction and analysis of digital data for use in a court of law.
3. In the beginning (from the 80s onwards) it was all about (personal) computers. They were all (almost) alike, and there were plenty of standard tools.
4. In the last 5-10 years everything began to store digital data.
7. iPhone forensics, eBook reader forensics, Voyage Data Recorder forensics: what do these devices have in common?
• They are modern devices which contain digital data.
• Their data could be required during an investigation.
• There is no consolidated literature about them.
The rationale behind this thesis is the ever-growing need to perform digital investigations on devices and systems that have not yet been studied from this point of view.
8. What can we find in an iOS device, and how can we bring it to a court...
9. Mobile and tablet worldwide market share of operating system usage for November 2013. Net Market Share collects browser data from a worldwide network of over 40,000 websites. (Credit: Net Market Share)
10. There is no simple way to extract data from an iOS device:
• No easy way to access its contents without jailbreaking (which, by the way, we can't).
• Encrypted filesystem (HFS+ with per-file data protection).
• Sandboxed: nothing is shared with the rest of the world.
• No debug interfaces.
The easiest way to peek inside the filesystem is therefore the backup system.
14. Backup files are organized in a hierarchy, the first level of which is the «Domain»:
• Media domain: media files, MMS attachments, …
• Keychain domain: account data and encrypted passwords, …
• Home domain: data for standard apps (contacts, mail client, calendars, …)
• Wireless domain: data about the telephone system (call logs, connection logs, …)
• …
15. File types found in a backup:
• PLIST files (plain text and binary)
• SQLite files
• ASCII files
• Data files
• Media files
16. Installed applications' data is stored in the «Apps» domain (for third-party applications) or in the «Home» domain (for standard ones). The hierarchy of each application's folder follows a standard structure, with strong integration with WebKit offline storage.
20. Address book data (Home domain). Knowing about the data location and structure is the first step. Next step: making it easily usable for the ones who need it.
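One practical consequence of the domain/path layout described on slides 14-20 is that a backup folder does not show the paths at all: each file is stored under a flat name that is the SHA-1 of «Domain-relative/path». The following is an added example (not part of the thesis and not iPBA2 code) that turns known domain/path pairs into those names and matches them against a folder inventory. The AddressBook location is the one the slides point at; the sms.db and keychain paths, and the iOS 10+ two-character sharding of the folder, are assumptions added here, not taken from the page.

```python
"""Find known artefacts in an iOS backup folder by their hashed file names.

Added example, not part of the thesis and not iPBA2 code. It relies on one
documented property of iTunes/Finder backups: each file is stored under
SHA-1(domain + "-" + path-inside-domain), written as a 40-hex-character name.
"""
import hashlib
from pathlib import Path
from typing import Dict, Set, Tuple

# label -> (domain, path relative to that domain).
# Only the address book entry comes from the slides; the others are assumed
# from common backup layouts.
KNOWN_FILES: Dict[str, Tuple[str, str]] = {
    "contacts": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "sms": ("HomeDomain", "Library/SMS/sms.db"),
    "keychain": ("KeychainDomain", "keychain-backup.plist"),
}


def backup_file_name(domain: str, rel_path: str) -> str:
    """Flat file name under which the backup stores <domain>/<rel_path>."""
    return hashlib.sha1(f"{domain}-{rel_path}".encode("utf-8")).hexdigest()


def app_domain(bundle_id: str) -> str:
    """Third-party app containers get their own domain, named after the bundle id."""
    return f"AppDomain-{bundle_id}"


def inventory(backup_dir: Path) -> Set[str]:
    """Hashed names present in a backup, whether the folder is flat (older iOS)
    or sharded into two-hex-character subfolders (iOS 10 and later, assumed)."""
    return {p.name for p in backup_dir.rglob("*") if p.is_file() and len(p.name) == 40}


def match_known(file_names: Set[str]) -> Dict[str, str]:
    """Map each known artefact to the hashed name actually present.
    This also works on encrypted backups: names are hashed, not encrypted,
    even though the contents are."""
    found = {}
    for label, (domain, rel_path) in KNOWN_FILES.items():
        name = backup_file_name(domain, rel_path)
        if name in file_names:
            found[label] = name
    return found


if __name__ == "__main__":
    import sys
    names = inventory(Path(sys.argv[1]))
    for label, name in match_known(names).items():
        print(f"{label:10} {name}")
```

Run it with the backup folder as the only argument. If a label is missing from the output, the file was not in the backup (the app was absent, or the backup is partial), which is itself a finding worth recording.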
21. iPBA2 is a tool developed to study the backup content and to make it easier to understand for practitioners. Right now it is the only complete open source suite for analysing iOS backup data, and it is used by both researchers and practitioners from all over the world.
http://www.ipbackupanalyzer.com
23. Why an eBook reader is not worthless in a forensics context…
24. • Because it is a widely used digital device.
• Because it holds digital data.
• Because no piece of data can be deemed «worthless» in advance during an investigation.
• Because almost any practitioner says it is worthless… which, by the way, it is not.
Locard's exchange principle: "Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. […]"
25. Forensic profiling refers to the study and exploitation of traces in order to draw a profile relevant to the investigation of criminal or litigious activities. While traces may not be strictly dedicated to court use, they may increase knowledge of the subject under investigation.
26. For our research we chose a widely available modern device, the PRS-650 by Sony. Many of our results can probably be achieved, after further study, with different devices from different vendors as well.
• E-paper display (6 inches, 800x600).
• Resistive touchscreen.
• 5 buttons.
• MontaVista Linux.
• 2 GB internal flash memory.
• Removable SDHC and Memory Stick PRO Duo slots.
27. What the device stores:
• Books, documents, images, audio files.
• Annotations.
• Current position in each document.
• Bookmarks.
• Notes (written and audio).
• Dictionary lookups.
• Last reading of a document.
• Pages read for each document.
Everything has a timestamp!
28. We can access the main storage through the USB mass storage interface. Metadata is kept both for the whole device and for each document.
31. For each document: history of the last 100 page turns, with page number and timestamp.
32. To perform the analysis we built a Python script which parses cache.xml, media.xml and cacheExt.xml and builds a graph of the interactions between the user and the device. The script extracts the timestamps and produces a data file with all the timestamps found, to be plotted on a timeline.
http://github.com/PicciMario/Sony-Ebook-Reader-Time-Profiler
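To make the timeline-building step of slides 27-32 concrete, here is an added example that is not the Time-Profiler script itself. It parses a constructed XML file that mirrors what the slides describe (a per-document history of page turns with page number and timestamp, plus bookmarks and annotations), flattens every timestamped interaction into one ordered event list, emits plottable rows, and additionally splits the page turns into reading sessions by idle gap, which the page does not show. The XML layout, element names and timestamp format below are stand-ins and are not the real cache.xml / media.xml schema of the PRS-650.

```python
"""Build a user/device interaction timeline from an e-reader's XML metadata.

Added example, not the thesis' Time-Profiler script. SAMPLE_XML is a
constructed stand-in for the real cache.xml / media.xml of the PRS-650."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

SAMPLE_XML = """<?xml version="1.0"?>
<cache>
  <text id="101" title="Book A" path="books/a.epub">
    <history>
      <page n="12" date="2012-01-13T19:38:10Z"/>
      <page n="13" date="2012-01-13T19:40:00Z"/>
      <page n="14" date="2012-01-13T19:41:30Z"/>
    </history>
    <bookmark page="13" date="2012-01-13T19:40:20Z"/>
    <annotation page="14" date="2012-01-13T19:42:05Z">margin note</annotation>
  </text>
  <text id="102" title="Book B" path="books/b.pdf">
    <history>
      <page n="3" date="2012-01-14T08:05:00Z"/>
    </history>
  </text>
</cache>
"""


@dataclass(frozen=True)
class Event:
    when: datetime
    doc_id: int
    kind: str  # "page", "bookmark" or "annotation"
    page: int


def _ts(value: str) -> datetime:
    # Keep timestamps timezone-aware so events from different files sort unambiguously.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_events(xml_text: str) -> List[Event]:
    """Every timestamped interaction in the file, oldest first."""
    root = ET.fromstring(xml_text)
    events = []
    for doc in root.iter("text"):
        doc_id = int(doc.get("id"))
        for p in doc.iterfind("history/page"):
            events.append(Event(_ts(p.get("date")), doc_id, "page", int(p.get("n"))))
        for b in doc.iterfind("bookmark"):
            events.append(Event(_ts(b.get("date")), doc_id, "bookmark", int(b.get("page"))))
        for a in doc.iterfind("annotation"):
            events.append(Event(_ts(a.get("date")), doc_id, "annotation", int(a.get("page"))))
    return sorted(events, key=lambda e: e.when)


def reading_sessions(events: List[Event], gap_minutes: int = 30) -> List[Tuple[int, datetime, datetime, int]]:
    """Group page turns per document into sessions separated by idle gaps.
    Returns (doc_id, first_turn, last_turn, pages_turned), ordered by start."""
    gap = timedelta(minutes=gap_minutes)
    open_runs = {}  # doc_id -> consecutive page events of the current session
    closed = []
    for e in events:
        if e.kind != "page":
            continue
        run = open_runs.get(e.doc_id)
        if run is not None and e.when - run[-1].when > gap:
            closed.append(run)  # idle too long: close the session for this document
            run = None
        if run is None:
            open_runs[e.doc_id] = [e]
        else:
            run.append(e)
    closed.extend(open_runs.values())
    sessions = [(r[0].doc_id, r[0].when, r[-1].when, len(r)) for r in closed]
    return sorted(sessions, key=lambda s: s[1])


def timeline_rows(events: List[Event]) -> List[str]:
    """Plain-text rows 'unix_time doc_id kind page', ready for gnuplot or a spreadsheet."""
    return [f"{int(e.when.timestamp())} {e.doc_id} {e.kind} {e.page}" for e in events]


if __name__ == "__main__":
    evs = extract_events(SAMPLE_XML)
    print("\n".join(timeline_rows(evs)))
    for doc_id, start, end, n in reading_sessions(evs):
        print(f"doc {doc_id}: {n} page turns between {start.isoformat()} and {end.isoformat()}")
```

The rows are exactly what the two-month and ten-minute plots on the next slides need (time on the X axis, document ID on the Y axis); the session grouping is the extra step that turns raw page turns into "the owner was reading document 101 from 19:38 to 19:41", which is the form an alibi check needs.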
33. eBook reader usage over a two-month time span (X axis: time; Y axis: ID of the document involved).
34. Usage of the reader over a ten-minute span, for a single book (X axis: time).
35. Virtually every action performed on the device is logged, so it is possible to build a forensically sound timeline. The evidence gathered this way could be used in court to:
◦ Draw a behavioural profile of a suspected offender.
◦ Support or deny an alibi.
◦ Provide additional useful information about the owner.
39. The Voyage Data Recorder (VDR) is mandatory (under SOLAS chapter V) on all medium-to-large modern ships. Its job is to keep a record of ship data to be used in an accident investigation:
• Position, speed, heading
• Date and time
• Radar plot
• Audio from bridge and VHF
• Sonar depth
• Hull openings (watertight doors, fire doors)
• Rudder position, propeller speed
• Weather station data (wind, ...)
• Onboard alarms
• ...
40. Data collecting unit: an industrial computer which collects all data and temporarily stores it on a magnetic disk.
Final recording medium: a rugged box containing solid-state memory, designed to survive a catastrophic accident and be recovered for further investigation.
46. The same goes for the «NMEA» directory: ~800 MB of ASCII data in NMEA format.
47. NMEA 0183 is a data exchange protocol used primarily in the navigation field; it is the preferred way to exchange data between navigational aids.
NMEA sentence: $PREFIX,data0,data1,…,dataN*CHECKSUM
• $: starting character.
• PREFIX: origin and type of data. The first 2 characters identify the originating device (the talker), the other 3 the type of sentence.
• CHECKSUM: 2-digit hex XOR of every character between «$» and «*» (both excluded).
NMEA sentences are standardised, but vendors are allowed to add custom (proprietary) ones for specific purposes.
48. Timestamp: Unix time
= 4F 10 88 90 (hex)
= 1’326’483’600 (dec)
= Jan 13, 2012 @ 19:40:00 UTC
= Jan 13, 2012 @ 20:40:00 local time (UTC+1)
49. Example of a standard sentence:
$RAZDA,194001.00,13,01,2012,-01,*41
RA: origin (radar)
ZDA: date and time
194001.00: time (UTC)
13,01,2012: date
-01: local zone, i.e. the hours to add to local time to obtain UTC (local time is UTC+1)
*41: checksum
50. Example of a non-standard sentence:
$PSWTD,07,C----,*34
P: proprietary (non-standard) prefix
S: vendor (Seanet)
WTD: watertight doors
07: door number
C-----: door status (closed, no warnings)
*34: checksum
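Slides 47-50 describe the sentence format, the checksum and the two kinds of timestamp (the binary Unix time of the record header and the ZDA sentence) but stop short of showing the parsing. The following added example, not the thesis' own tooling, implements it: it validates the checksum, splits standard and proprietary sentences, converts the ZDA time to UTC and local time, decodes the 4-byte header timestamp, and cross-checks the two, which is the consistency test a practitioner wants before trusting a record. The ZDA sentence and the 4F 10 88 90 header are the ones on the slides; the watertight-door sentence is constructed here with a freshly computed checksum. Two assumptions are made: the header timestamp is big-endian, and the ZDA zone field follows the NMEA convention (hours to add to local time to obtain UTC, so -01 means local = UTC+1, as the slides read it).

```python
"""Parse and verify NMEA 0183 sentences from a VDR's NMEA directory, and
cross-check them against the recorder's binary Unix timestamp.

Added example, not the thesis' own tooling. Assumed: big-endian header
timestamp; ZDA zone field = hours added to local time to obtain UTC."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

SENTENCE_RE = re.compile(r"^\$([^$*]*)\*([0-9A-Fa-f]{2})\s*$")


def nmea_checksum(body: str) -> int:
    """XOR of every character between '$' and '*' (both excluded)."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return cs


def make_sentence(body: str) -> str:
    """Append '*' and the two-digit hex checksum to a sentence body."""
    return f"${body}*{nmea_checksum(body):02X}"


@dataclass
class Sentence:
    talker: str        # "RA" for radar; "P" for proprietary sentences
    kind: str          # "ZDA", or the vendor-defined part following "P"
    fields: List[str]
    raw: str


def parse_sentence(line: str) -> Sentence:
    """Split a sentence into talker, type and fields; reject bad checksums."""
    m = SENTENCE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed sentence: {line!r}")
    body, cs_hex = m.groups()
    if nmea_checksum(body) != int(cs_hex, 16):
        raise ValueError(f"checksum mismatch in {line!r}: computed {nmea_checksum(body):02X}")
    prefix, *fields = body.split(",")
    if prefix.startswith("P"):  # proprietary: the slides read $PSWTD as P + S(eanet) + WTD
        talker, kind = "P", prefix[1:]
    else:
        talker, kind = prefix[:2], prefix[2:]
    return Sentence(talker, kind, fields, line.strip())


def is_valid(line: str) -> bool:
    """True when the line is a well-formed sentence with a correct checksum."""
    try:
        parse_sentence(line)
        return True
    except ValueError:
        return False


def parse_zda(s: Sentence) -> Tuple[datetime, datetime]:
    """UTC and local datetimes from a ZDA sentence (hhmmss.ss,dd,mm,yyyy,zone_h,zone_m)."""
    if s.kind != "ZDA":
        raise ValueError("not a ZDA sentence")
    hms, day, month, year, zone_h, zone_m = (s.fields + ["", ""])[:6]
    utc = datetime(int(year), int(month), int(day),
                   int(hms[0:2]), int(hms[2:4]), int(float(hms[4:])), tzinfo=timezone.utc)
    sign = -1 if zone_h.strip().startswith("-") else 1
    to_utc = sign * timedelta(hours=abs(int(zone_h or 0)), minutes=int(zone_m or 0))
    local = utc.astimezone(timezone(-to_utc))  # local = UTC - zone, so -01 gives UTC+1
    return utc, local


def parse_wtd(s: Sentence) -> Dict[str, object]:
    """Watertight-door status as the slides describe it: door number, then a
    state letter followed by warning flags ('-' = none)."""
    if s.talker != "P" or not s.kind.endswith("WTD"):
        raise ValueError("not a watertight door sentence")
    door, status = s.fields[0], s.fields[1]
    return {"door": int(door), "closed": status[:1] == "C", "flags": status[1:]}


def decode_record_timestamp(raw: bytes) -> datetime:
    """4-byte Unix time from the record header (byte order assumed big-endian)."""
    return datetime.fromtimestamp(int.from_bytes(raw, "big"), tz=timezone.utc)


def header_matches_zda(header: bytes, zda_line: str, tolerance_s: int = 5) -> bool:
    """Does the binary header time agree with the ZDA sentence stored with it?"""
    utc, _ = parse_zda(parse_sentence(zda_line))
    return abs((utc - decode_record_timestamp(header)).total_seconds()) <= tolerance_s


SAMPLE_ZDA = "$RAZDA,194001.00,13,01,2012,-01,*41"  # from the slides; its checksum verifies
SAMPLE_WTD = make_sentence("PSWTD,07,C----,")       # constructed; checksum computed above
SAMPLE_HEADER = bytes.fromhex("4F108890")           # from the slides

if __name__ == "__main__":
    zda = parse_sentence(SAMPLE_ZDA)
    utc, local = parse_zda(zda)
    print(zda.talker, zda.kind, utc.isoformat(), local.isoformat())
    print(parse_wtd(parse_sentence(SAMPLE_WTD)))
    print(decode_record_timestamp(SAMPLE_HEADER).isoformat(), header_matches_zda(SAMPLE_HEADER, SAMPLE_ZDA))
```

Rejecting sentences on checksum failure rather than skipping the check matters in this setting: the final recording medium is built to survive a crash, but a corrupted line silently accepted would put a wrong time or door state into a timeline meant for court. The one-second difference between the header (19:40:00) and the ZDA sentence (19:40:01) on the slides is the kind of small skew the tolerance absorbs; larger disagreements should be reported, not smoothed over.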
51. Once we were able to recover the raw data, we proceeded to work on it to:
• Understand the meaning of the standard and non-standard elements.
• Understand the relative importance of each element.
• Build tools to parse the data and report the results in a useful format.
58. The steps we described relate to this specific VDR model, but they also show a general approach which could probably be applied, with further study, to other models and vendors. The analysis of VDR data is of course easy to perform with the vendor's closed, proprietary software, but we were the first to publish a forensically sound approach.