
Binwalk, a cool analysis tool

binwalk and firmware analysis

Binwalk is a formidable tool in the field of cybersecurity and digital forensics. It specializes in the analysis and extraction of firmware, offering a window into the often opaque world of embedded systems.

Binwalk was conceived and developed by Craig Heffner, and it is the go-to instrument when dissecting firmware files. It is designed to unravel the layers of data embedded within an image, which makes it indispensable for security researchers and reverse engineers.

It earns its place in numerous applications, from peeling back the layers of a firmware image to find the bootloader, kernel and filesystems packed inside, to supporting security audits by exposing the code and configuration in which vulnerabilities can then be hunted.

Understanding Binwalk’s Capabilities

At its core, Binwalk answers one question about an opaque blob: what is in it, and where? It combines signature-based searches (matching known magic bytes for compressed streams, filesystems, kernels and executables), entropy analysis (telling plaintext apart from compressed or encrypted regions) and heuristics such as opcode scanning to deconstruct complex firmware binaries. This lets users locate embedded files and executable code, a task that is cumbersome and error-prone by hand.

The Versatility of Binwalk

Binwalk’s versatility lies in its ability to cater to a wide range of firmware types and formats. Whether it’s a simple binary from a small IoT device or a complex firmware package from a sophisticated router, Binwalk can dissect it efficiently. This adaptability makes it a favored tool among professionals across various sectors, including telecommunications, consumer electronics, and even defense.

Syntax & Command Mastery
    • Basic Scans: Start with binwalk <firmware-image>. This runs the default signature scan and lists every embedded file or code region it recognises, with its decimal and hex offset.
    • Raw Byte Search: binwalk -R "search_string" <firmware-image> (long form --raw) scans for a specific string or byte sequence instead of the built-in signatures, which is handy for locating a known vendor header or marker.
    • Opcode & Unfiltered Scans: binwalk -A <firmware-image> looks for common executable opcode signatures, a quick way to guess the CPU architecture of the code inside; binwalk -I <firmware-image> also shows results that the default smart-signature filtering discarded as invalid, useful when a scan comes back suspiciously empty.
    • Extracting Insights: Use binwalk -e <firmware-image> to carve out the identified regions and run the matching extractors (gzip, unsquashfs, and so on), writing the results to a _<firmware-image>.extracted directory.
    • Recursive Deep Dive: binwalk -Me <firmware-image> ("matryoshka" mode) rescans and extracts whatever it pulls out, down to eight nested layers by default (adjust with -d <depth>).
    • Comparative Analysis: binwalk -W <firmware1> <firmware2> prints a colour-coded hexdump diff of two or more images, the quickest way to see what changed between firmware versions.
    • Signature & Entropy Analysis: binwalk -B <firmware-image> is the explicit form of the default signature scan; binwalk -E <firmware-image> computes the entropy of each block and plots it (-N skips the plot, -J saves it as a PNG). A flat region near the top of the scale is compressed or encrypted; if no signature is found there, suspect encryption.
    • Verbose Narration: binwalk -v <firmware-image> (--verbose) prints the target file's MD5 and scan time alongside the results.
    • Log Capturing: binwalk -f file.log <firmware-image> writes the results to a log file (-c for CSV) so findings can be attached to a report.
Advanced Techniques for the Curious Minds
    • Custom Signatures: Binwalk reads its own libmagic-style signature files, and -m <file> (--magic) adds yours to the scan. Each rule is a tab-separated line of offset, type, value and description, for example 0 string MYVENDOR Vendor container header. Note that --magic takes a file path, not a hex value.
    • Bounding Extraction: binwalk -j <bytes> (--size) caps the size of each carved file and -n <count> (--count) caps how many files are extracted, which stops a false-positive signature from carving gigabytes of garbage. Binwalk 2.x has no thread-count option; -j is a size limit.
    • Recursive & Detailed Exploration: binwalk -d <depth> -Me firmware.bin controls how many nested layers matryoshka extraction descends (-R is the raw byte search above, not recursion). Extraction shells out to third-party unpackers, so treat the firmware as untrusted input and run extractions inside a VM or container; binwalk 2.x refuses to extract as root unless you pass --run-as=root.
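To make the signature and entropy scans concrete, here is an added example in Python (binwalk itself is written in Python, but this is not binwalk's code). It implements a small magic-byte scanner, the per-block entropy calculation with binwalk's default 0.95/0.85 edge thresholds, and the carving of a gzip member at a found offset, all run over a firmware-like blob constructed inside the script. The four signatures, the 1 KiB block size, the sample kernel command line and the layout of the blob are choices made for this example.

```python
"""Mini-binwalk: signature scan (-B), block entropy (-E) and gzip carving
(-e) over a constructed firmware-like blob. Example code, not binwalk's."""
import math
import struct
import zlib

# Real magic sequences, a tiny subset of binwalk's signature database.
SIGNATURES = {
    b"\x27\x05\x19\x56": "uImage header",
    b"\x1f\x8b\x08": "gzip compressed data",
    b"\x7fELF": "ELF executable",
    b"hsqs": "Squashfs filesystem, little endian",
}
BLOCK = 1024  # entropy block size chosen for this example
SAMPLE_TEXT = b"console=ttyS0,115200 root=/dev/mtdblock2 rootfstype=squashfs\n"


def signature_scan(data):
    """Return sorted (offset, description) pairs for every magic match."""
    hits = []
    for magic, desc in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, desc))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def shannon_entropy(block):
    """Bits per byte: 0.0 for a constant block, 8.0 when all 256 values are equally common."""
    if not block:
        return 0.0
    n = len(block)
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def entropy_scan(data, block_size=BLOCK):
    """Entropy of each consecutive block (binwalk plots these scaled to 0..1)."""
    return [shannon_entropy(data[i:i + block_size]) for i in range(0, len(data), block_size)]


def high_entropy_regions(data, block_size=BLOCK, high=0.95, low=0.85):
    """Edge-triggered detector with binwalk's default thresholds (-H rising,
    -L falling, as fractions of 8 bits). Returns [start, end) byte ranges
    that are probably compressed or encrypted."""
    regions, start = [], None
    for i, e in enumerate(entropy_scan(data, block_size)):
        norm = e / 8.0
        if start is None and norm >= high:
            start = i * block_size
        elif start is not None and norm <= low:
            regions.append((start, i * block_size))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions


def carve_gzip(data, offset):
    """Inflate the gzip member at offset; zlib's unused_data marks where the
    member ends, so the carve boundary needs no guesswork."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    payload = d.decompress(data[offset:])
    if not d.eof:
        raise ValueError("truncated gzip member at offset %d" % offset)
    return payload, len(data) - len(d.unused_data)


def make_gzip_member(payload):
    """Hand-built gzip member using one 'stored' deflate block, so the bytes
    are deterministic (gzip.compress would embed a timestamp)."""
    header = b"\x1f\x8b\x08\x00" + b"\x00\x00\x00\x00" + b"\x00\x03"  # CM=8, MTIME=0, OS=Unix
    stored = b"\x01" + struct.pack("<HH", len(payload), 0xFFFF ^ len(payload))
    trailer = struct.pack("<II", zlib.crc32(payload), len(payload))
    return header + stored + payload + trailer


def build_sample_firmware():
    """Constructed 5 KiB image: uImage header, 2 KiB stand-in for an encrypted
    region (a byte permutation repeated, so entropy is exactly 8 bits/byte),
    a gzip member padded with 0xff, then a Squashfs superblock magic."""
    uimage = b"\x27\x05\x19\x56" + b"\x00" * (BLOCK - 4)
    perm = bytes((i * 37) % 256 for i in range(256))  # 37 is odd, so this is a permutation
    encrypted = perm * (2 * BLOCK // 256)
    gz = make_gzip_member(SAMPLE_TEXT)
    gz_block = gz + b"\xff" * (BLOCK - len(gz))
    squashfs = b"hsqs" + b"\x00" * (BLOCK - 4)
    return uimage + encrypted + gz_block + squashfs


if __name__ == "__main__":
    fw = build_sample_firmware()
    print(f"{'DECIMAL':<12}{'HEXADECIMAL':<14}DESCRIPTION")
    for off, desc in signature_scan(fw):
        print(f"{off:<12}{hex(off):<14}{desc}")
    print("high-entropy regions:", high_entropy_regions(fw))
    text, end = carve_gzip(fw, 3072)
    print(f"carved {len(text)} bytes from 3072-{end}: {text!r}")
```

Run it and the output mirrors binwalk's DECIMAL / HEXADECIMAL / DESCRIPTION table: hits at 0, 3072 and 4096, one high-entropy region at 1024-3072 where no signature matches (the "probably encrypted" pattern), and the carved kernel command line. Real firmware is less tidy: compressed data also scores close to 8 bits/byte, so entropy alone only tells you that a region is not plaintext.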
Real-World Applications
Binwalk has been pivotal in numerous cybersecurity cases. It has been used to discover hidden backdoors in consumer routers, extract and analyze malware from compromised IoT devices, and even assist in data recovery efforts from damaged hardware. These real-world applications highlight Binwalk’s ability to provide actionable insights in critical situations.

    • Security Assessment: Use entropy analysis to tell plaintext, compressed and encrypted regions apart, then extract the code and configuration from the regions you can unpack; that is where vulnerabilities are found. Entropy alone does not reveal vulnerabilities.
    • Reverse Engineering: Extract and study embedded filesystems and code for educational or debugging purposes.
    • Data Recovery: Retrieve lost or inaccessible data from firmware images, a lifeline in digital forensics.

Binwalk isn’t just a tool; it’s a journey into the depths of firmware, revealing its most guarded secrets. As you wield these commands, remember, each firmware image is a story waiting to be told, and Binwalk is your narrator. Happy analyzing!


Disk imaging with dcfldd

Forensic Imaging and dcfldd: Pillars of Digital Forensics

In the captivating world of digital forensics, forensic imaging, also known as bit-stream copying, is a cornerstone technique, pivotal to the integrity and effectiveness of the investigative process. This meticulous practice involves creating an exact, sector-by-sector replica of a digital storage medium.

The Essence of Forensic Imaging

The essence of forensic imaging is not just in the replication but in its fidelity. Every byte, every hidden sector, and every potentially overlooked piece of data is captured, providing a comprehensive snapshot of the digital medium at a specific point in time.

The Role of dcfldd in Forensic Work

Enter dcfldd, an enhanced version of the Unix dd command, developed by the Department of Defense Computer Forensics Lab (DCFL). It’s a powerful ally in the digital forensic investigator’s arsenal, enriching the standard dd functionalities with features tailored for forensic application.

Applications of dcfldd in Digital Forensics
  • Evidence Preservation: Ensures unaltered copies of storage devices for legal scrutiny.
  • Data Recovery: Facilitates the retrieval of potentially lost or deleted data.
  • Malware Analysis: Assists in examining suspicious drives without risking contamination.
The Art of Forensic Imaging

Forensic imaging isn’t merely a process; it’s an art form. It requires a meticulous hand and a discerning eye. Each image created is more than a copy; it’s a digital preservation of history, a snapshot of a device’s life story.

Creating a disk image using CSI Linux and dcfldd, with a hash of the data recorded as it is copied, involves several technical steps. Here’s a detailed guide:

  • Preparation: Connect the drive to a write blocker to prevent accidental writes, maintaining its integrity as evidence.
  • Identify the Drive: Use sudo fdisk -l (or lsblk) to list all disks and their paths, for example /dev/sdc. Check the reported size and model against the evidence label so you image the right device.
  • Write Protection: If lacking a hardware write blocker, mark the source device read-only in the kernel with sudo blockdev --setro /dev/sdc (confirm with sudo blockdev --getro /dev/sdc, which prints 1). Changing permissions with sudo chmod 440 /dev/sdc only stops unprivileged processes from opening the device node; root and the automounter ignore it, so it is not a substitute. Disable automount before plugging the drive in.
  • Disk Imaging Command: Create the image and hash the data in the same pass: dcfldd if=/dev/sdc of=~/Cases/case001/Forensic\ Evidence\ Images/hdd001.dd hash=md5,sha256 hashlog=~/Cases/case001/Forensic\ Evidence\ Images/hdd001_hashlog.txt. MD5 is still widely accepted for identifying evidence, but it is collision-weak, so record a SHA-256 alongside it. If the drive has unreadable sectors, add conv=noerror,sync so the copy continues and pads the unreadable blocks with zeros, and record those errors in your notes, because the image will then differ from the source at those offsets.
  • Monitor the Process: dcfldd provides real-time progress information on blocks written and data size.
  • Verification: Verify the image is an exact copy by re-reading the source and comparing it byte for byte with the image: dcfldd if=/dev/sdc vf=~/Cases/case001/Forensic\ Evidence\ Images/hdd001.dd verifylog=~/Cases/case001/Forensic\ Evidence\ Images/hdd001_verifylog.txt
  • Direct Hash Comparison: Independently hash both source and image with md5sum or sha256sum and compare the digests with each other and with the hashlog. For example, sudo sha256sum ~/Cases/case001/Forensic\ Evidence\ Images/hdd001.dd /dev/sdc. The two digests must be identical; any difference means the image cannot be relied on.
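The steps above lean on three dcfldd behaviours: hashing the data while it is copied (hash= and hashlog=), comparing the source against the image afterwards (vf= and verifylog=), and an independent re-hash with md5sum or sha256sum. The following added Python example re-implements those three checks on regular files so the logic can be read and tested offline; it is not dcfldd's code and is no substitute for it on real evidence. The 64 KiB "device" content, the file names, the corrupted offset and the "Total (algo): digest" log line shape are constructed for the demo.

```python
"""What dcfldd's hash=, hashlog= and vf= options do, re-implemented on plain
files that stand in for /dev/sdc and the image. Example code, not dcfldd's."""
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # read/write unit; dcfldd's bs= plays the same role


def image_with_hashes(src_path, img_path, algos=("md5", "sha256"), block_size=BLOCK_SIZE):
    """Copy src to img block by block and feed each block to every hash as it
    passes through, which is what hash=md5,sha256 does in a single pass.
    Returns {algo: hexdigest} over the bytes read from the source."""
    hashers = {algo: hashlib.new(algo) for algo in algos}
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        while True:
            block = src.read(block_size)
            if not block:
                break
            img.write(block)
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def write_hashlog(path, digests):
    """One 'Total (algo): digest' line per algorithm (constructed log shape)."""
    with open(path, "w") as f:
        for algo, digest in digests.items():
            f.write(f"Total ({algo}): {digest}\n")


def read_hashlog(path):
    """Parse the hashlog back into {algo: digest}."""
    digests = {}
    with open(path) as f:
        for line in f:
            if line.startswith("Total ("):
                algo = line[len("Total ("):line.index(")")]
                digests[algo] = line.split(":", 1)[1].strip()
    return digests


def hash_file(path, algo, block_size=BLOCK_SIZE):
    """Independent streaming hash of one file (what md5sum/sha256sum compute)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(src_path, img_path, block_size=BLOCK_SIZE):
    """Block-by-block comparison of source and image, like dcfldd vf=.
    Returns (True, None) on a match, or (False, offset) of the first differing
    byte (the length of the shorter file if one of them is truncated)."""
    offset = 0
    with open(src_path, "rb") as a, open(img_path, "rb") as b:
        while True:
            x, y = a.read(block_size), b.read(block_size)
            if x != y:
                first = next((i for i, (p, q) in enumerate(zip(x, y)) if p != q),
                             min(len(x), len(y)))
                return False, offset + first
            if not x:
                return True, None
            offset += len(x)


def demo():
    """Image a constructed 64 KiB 'device', verify it, then flip one byte in
    the image and show that both the hash comparison and vf= catch it."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "sdc")  # stands in for /dev/sdc
        img = os.path.join(d, "hdd001.dd")
        log = os.path.join(d, "hdd001_hashlog.txt")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 256)  # constructed, deterministic content

        digests = image_with_hashes(src, img)
        write_hashlog(log, digests)
        verified, _ = verify_image(src, img)
        logged = read_hashlog(log)
        hashes_match = all(hash_file(img, a) == logged[a] == hash_file(src, a) for a in digests)

        # Simulate a single corrupted byte in the image at offset 4100.
        with open(img, "r+b") as f:
            f.seek(4100)
            (orig,) = f.read(1)
            f.seek(4100)
            f.write(bytes([orig ^ 0xFF]))
        tampered_verified, tamper_offset = verify_image(src, img)
        tampered_hash_ok = hash_file(img, "sha256") == logged["sha256"]

        return {
            "verified": verified,
            "hashes_match": hashes_match,
            "tamper_detected_by_verify": not tampered_verified,
            "tamper_offset": tamper_offset,
            "tamper_detected_by_hash": not tampered_hash_ok,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the clean image every check passes; after one byte is flipped, the hash comparison says the image is bad and the block comparison says where (offset 4100). That split is why both steps belong in the procedure: the hash proves integrity for the record, the verify pass localises a problem when there is one.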

Remember, the integrity of the data and following the correct procedures are paramount in forensic imaging to ensure the evidence is admissible in legal contexts.


Resource

CSI Linux Certified Computer Forensic Investigator | CSI Linux Academy


Things to consider with onsite digital evidence collection.

In today’s digital world, crime scenes have become more complex. Law enforcement must collect and preserve digital evidence with great care. They must understand the technology and use specialized tools to ensure data remains intact. Sorting through large amounts of digital evidence is challenging, so experts use software to assist in organization and analysis. Admissible evidence requires strict documentation and adherence to protocols. Law enforcement must stay updated on technology and collaborate with legal experts. Their efforts are crucial in the pursuit of justice in the digital age.

Here’s an in-depth look at what to be aware of when collecting digital evidence onsite.

1. Understanding the Scene and the Device

Before even touching a device:

  • Device Familiarity: Recognize the type of device you’re dealing with. Whether it’s a computer, smartphone, tablet, server, or any other electronic device, understanding its nature can guide your evidence-collection process.
  • Initial Assessment: Determine if the device is turned on or off. This determines your next steps, as powered-on devices may have volatile data like RAM, which can be lost if powered off.
  • Physical Hazards: Check the area for potential physical hazards. Electronic devices can sometimes be rigged or tampered with, especially in cases where the suspect anticipated a police raid.

2. Collecting Volatile Data

If the device is on:

  • Capture Live Data: Data in RAM, running processes, and network connections can provide crucial insights. Utilize specialized software to capture this information before turning off the device.
  • Avoid User Activity: Do not browse through files, click on applications, or modify any settings. This could overwrite potential evidence.

3. Potential Pitfalls

  • Encryption: Modern devices often use encryption to protect data. Turning off an encrypted device without the decryption key could make the data inaccessible. Have decryption tools or experts on standby.
  • Remote Wipe Commands: Smart devices, especially phones, can be wiped remotely. If there’s a risk of this, isolate the device from every network: put it in a Faraday bag rather than relying on airplane mode, and keep it charged so it does not power down and lock.
  • Data Corruption: Electronic evidence can be fragile. Always make sure to create forensic copies or images of the data to work on, leaving the original data untouched.

4. Documentation is Key

  • Photograph Everything: Before, during, and after the collection process, take photos. This captures the state of the device and its surroundings, proving invaluable for court proceedings.
  • Detailed Notes: Document every action you take and why you took it. These notes can explain and justify your actions in court if necessary.
  • Timestamps: Ensure every step, from the moment of arrival to the completion of the evidence collection, is time-stamped. Time stamps reinforce the chronology of events and the integrity of the evidence-collection process.

5. Maintaining Chain of Custody

  • Immediate Labeling: Once evidence is collected, label it with details like the date, time, location, and collector’s name.
  • Secure Storage: Digital evidence should be stored in anti-static bags, away from magnets, and in a temperature-controlled environment.
  • Transport: If evidence needs to be transported, ensure it’s done securely, without exposure to potentially damaging elements or tampering.
  • Document Transfers: Every time evidence changes hands or is moved, this transfer should be documented, detailing who, when, where, and why.

Onsite digital evidence collection is a delicate and pivotal operation in forensic investigation. The transient nature of digital data makes this process significant, as it can be altered, deleted, or lost if mishandled. Professionals must approach this task with technological expertise, forensic best practices, and meticulous attention to detail.

To ensure the integrity of collected evidence, investigators must adhere to a well-defined procedure. This typically involves assessing the crime scene and identifying and documenting all digital devices or storage media present, such as computers, smartphones, tablets, external hard drives, and USB drives. Each device is labeled, photographed, and logged for a verifiable chain of custody. Investigators use specialized tools and techniques to make forensic copies of the digital data, creating bit-by-bit replicas to maintain evidence integrity. They use write-blocking devices to prevent modifications during the collection process.

Investigators must be vigilant to avoid pitfalls that compromise evidence integrity, such as mishandling devices or storage media. They handle digital evidence with care, wearing protective gloves and using proper tools to prevent damage. Encryption or password protection on devices may require advanced techniques to bypass or crack. Investigators stay up to date with digital forensics advancements to overcome these obstacles. They also protect collected evidence from tampering or deletion by securely storing it, utilizing encryption methods, and implementing strong access controls.

Following these procedures and being mindful of pitfalls allows investigators to confidently collect digital evidence that withstands challenges. This meticulous approach plays a vital role in achieving justice and fair resolution in criminal cases.


Resources

CSI Linux Certified Computer Forensic Investigator | CSI Linux Academy


Using Sock Puppet Accounts for OSINT

‘A sock puppet or sockpuppet is an online identity used for purposes of deception. The term, a reference to the manipulation of a simple hand puppet made from a sock, originally referred to a false identity assumed by a member of an internet community who spoke to, or about, themselves while pretending to be another person.’ – Wikipedia

These fake social media accounts are used by both sides of the cyber game. You will find hackers, scammers, bots, and other cyber criminals on the dark side, and journalists, penetration testers, and investigators on the other. Like any decent tool, it can be used for both good and evil. Why would YOU want to create an undercover account? When investigating, it is always a good idea to separate your real identity from the initial investigation. Using your own identity increases the likelihood that the target gets suspicious. You also run the risk of being identified and doxed, harassed, and in the absolute worst-case scenario, targeted for lethal retaliation. Depending on who the suspect is, you always need to take the appropriate countermeasures to protect your organization/agency, yourself, and even your family. Another thing to take into consideration is that many social media sites have Terms of Service (TOS) that specifically cover fake or investigation accounts. Organizations like Facebook actively look for these types of accounts, even when they belong to law enforcement, and ban them.

!!!DO NOT USE YOUR PERSONAL OR BUSINESS ACCOUNTS TO DO INVESTIGATIONS!!!

The Importance of Anonymity and Security

You should connect from a public WiFi access point and only fall back to a VPN or Tor as a last resort. The reason is that VPN and Tor exit addresses are often tracked, blocked, or flagged as questionable by websites at account-creation time, which drastically lowers the odds of creating the account without supplying a real phone number. Public WiFi tends to look a bit more “normal”. Use a device dedicated to the persona when you do this, with no personal accounts signed in: the access point sees your hardware address and the site sees your browser fingerprint, and either can tie the persona back to you if the same device also carries your real identity.

More about Tor

I love Tor and always have. Tor offers some of the best anonymity available and the best part is that it’s free. The mechanics of onion routing are that your traffic moves through several relays in turn, each knowing only the previous and next hop, which minimizes the trace evidence that could tie the traffic back to its original source. You can easily set up an onion service with a “.onion“ address, which allows us to communicate securely with other investigators, informants, or even suspects. The downside of using Tor is that it is commonly used by criminals, and many of the websites we need to investigate block or red-flag traffic from Tor exit nodes. So, even though it offers a lot of benefits, Tor is not always good for Surface Web investigations.

VPN Value?

There has been a ton of advertising for Virtual Private Network (VPN) services that claim they will protect your Internet traffic. This is only partly true and mostly false. A VPN is a point-to-point encrypted tunnel that lets one network talk to another. Think of it this way: with a third-party VPN service, your traffic is well protected between your system and the provider’s network. It then leaves that server through the provider’s Internet connection, sharing the same gateway IP address with the other thousand people using the service. That sounds fine, right? Well, once it leaves the provider, your traffic is ordinary Internet traffic again: the destination no longer sees your IP address, but anything not protected by TLS is readable along the way, and the provider itself sees all of it. That makes a VPN inherently less anonymous than Tor, and the provider may be watching everything you do in the name of “marketing”. Free and cheap VPNs are the biggest risks. Services that claim they DO NOT STORE LOGS are also usually lying or not telling you the whole truth. Within networking there will always be logs; they are required to troubleshoot when things fail. The only question is how long they are kept and how they are destroyed. Some websites are also red-flagging the popular VPN services.

Creating a persona

Some people make these accounts from scratch. The more content and backstory you create at the start, the more direction you have for making the account look like a real person’s. Use a password manager to keep track of everything you create for these accounts, including the user/pass info, and keep notes. KeePassXC is a great free, cross-platform solution that lets you share your password database across multiple computers and operating systems.

Character/Persona generators

Creating an account takes time, effort, and creativity, and you may be short on any of those. Anyone who has played role-playing games like D&D, WARHAMMER, or other games where you generate a character to play has a step up, because they have done this before. There are a few resources you can leverage to speed up the process and spit out a “character” with a lot of random attributes and content. Below is a list of resources you can use when generating your Sock Puppet persona. Just remember that all generated information is fake; you can change the data to fit your narrative:

  • Fake Identity Generator (fakepersongenerator.com)
  • Random Name Generator (www.elfqrin.com/fakeid.php)
  • Random Character Generator (random-character.com)
  • Personality Generator (rangen.co.uk)
  • Trait Generator (rangen.co.uk)

Image generators

Generating images that have consistency to them can be a challenge. You want to create a realistic person with history and consistency. It is important to NEVER use pictures of friends or family. This can put the investigation at risk and possibly them at risk as well.

  • (thispersondoesnotexist.com) – GitHub project available
  • AI-Generated Faces (boredhumans.com)
  • Gallery of AI-Generated Faces (generated.photos)

Emails

Creating an email is the base for setting up your undercover investigation account. This will be used for setting up social media accounts and communications with suspects. Any email service will work. Here are a few:

  • GMX.com
  • Mail.com
  • Protonmail.com
  • Yandex.Mail

Burner Phones

A burner phone is extremely useful and may be required to create accounts on certain websites along with creating a history for the persona. The reason is the sites are trying to prevent fake accounts from being created and will send an SMS validation message to a phone. Bots rarely have their own phone numbers. In some countries, you do not need to tie your ID or Passport to buy a SIM card or burner phone. If you are in one of these countries, it is suggested to use cash only and let the phone sit for 2+ months before you activate it with a sock puppet email. Sometimes SIM cards can also be purchased on Amazon.com. Keep an eye out for deals and trial offers. Phone emulators can also work.

VoIP Phone

Generate a Voice over IP (VoIP) account with an online vendor. This will be useful to add another layer of separation. Many online services like Google Voice require you to have a real phone number to tie to your account. This makes your burner phone that much more important.

Pre-Paid Credit Cards and Gift Cards

In some cases, you may need to use a credit/debit card for purchases, account setups, and account verifications. If you are in a country or area that allows you to purchase these types of cards (VISA/Mastercard), use good OPSEC to minimize links back. You can also use a privacy.com masked credit card.

Cryptocurrencies

If your investigation requires cryptocurrencies for transactions, you can use prepaid cards on most of the crypto services. Exodus.com is a wallet that allows you to trade many different currencies and their Desktop software is cross-platform compatible. An example of needing cryptocurrencies during an investigation may include fraud cases on sites like Facebook Marketplace, Instagram’s Shop Now, Craigslist, etc. You may also find them useful when purchasing content and buying services.

Social Media Accounts

When creating a social media account, you want to look as ‘normal’ as possible on the website because many of them are trying to stop people from creating fake accounts. Make sure you are not breaking the law or violating terms of service when doing this. Now things to look at when creating your OSINT undercover accounts:

  • Use public Wi-Fi and do NOT use a VPN
  • Pick a social media site to focus on
  • Use your persona’s “real” phone number for verification
  • Save the information in a password manager like KeePassXC
  • Keep Operational Security (OPSEC) in mind:
    – Use a very strong password for the password manager access
    – Use a different password for each account
    – Never cross over accounts with your real-world or personal accounts
  • Go into the settings of the account you just created and change the phone number to a VoIP number
  • When you are done, log out of the account
  • Log back in and start adding information to your account relevant to the profiles
  • Go back to the second step (pick a site) for the rest of the sites you want to try

Note: You may burn undercover (UC) personas while creating accounts. Just be patient and persistent. This process takes time and effort.

Aging the Account

Like a fine wine or good whiskey, the account needs to be “aged”. This means creating content and history, which minimizes the likelihood of the service provider flagging the account as fake and deleting it. Become the persona. Go to the same public WiFi you created the account with to log in and generate activity. Like posts, make comments, share things, and grow your connections. Log out when you are done. This is very important and ties into OPSEC: a session left logged in will be resumed later from whatever network and device you happen to be on, and the platform’s tracking then links the persona to those other networks, cookies and accounts. The goal is to train the site that you are a real person by doing real-person things. Add content and history that follow the personality of the fake character. This includes finding banners with image searches: banners for your social media pages, memes, and pictures from the location your persona is from. Build your account pages the way you believe your sock puppet would have. Add enough information to make it look real. Over time, keep logging into the account and add content to build history and the trustworthiness that the account is a “real” person.

Learn from your Investigations

‘Operations security (OPSEC) is a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.’ – Wikipedia

Things always change and you must keep improving to keep up. Make it a habit of using good OPSEC. There is a saying with investigators. The suspect needs to be lucky every single time, but you only need to be lucky once. The other side can use the same Tactics, Techniques, and Procedures (TTPs) as you do and that flips the table on you. Now, you need to be lucky every single time and they only need to be lucky once.

Resources

  • Creating Research Accounts for OSINT Investigations – We are OSINTCurio.us
  • Dark Side 116: Sock Puppets. What if I told you not all fake social media accounts are used maliciously?
  • DeBot: Twitter Bot Detection via Warped Correlation
  • How to Make Sock Puppet Accounts for OSINT in 2021 | Hacker Noon
  • The Art of The Sock (secjuice.com)
  • The Ultimate Sock Puppets Tutorial for OSINT Operators – Ehacking
  • Identifying Sock puppet Accounts on social media