Archive for category: iPhone Forensics

This distributed forensics thing is going to change Digital Forensics and Incident Response – DFIR

Distributed forensics and incident response in the enterprise

Abstract

Remote live forensics has recently been increasingly used in order to facilitate rapid remote access to enterprise machines. We present the GRR Rapid Response Framework (GRR), a new multi-platform, open source tool for enterprise forensic investigations enabling remote raw disk and memory access. GRR is designed to be scalable, opening the door for continuous enterprise wide forensic analysis. This paper describes the architecture used by GRR and illustrates how it is used routinely to expedite enterprise forensic investigations.

***********************************************************

Installing GRR

To install GRR you’ll need to set up a server, which runs the front-end HTTP server, enroller, workers and administration UI.

For this proof-of-concept they are installed on a single server, but a more scalable approach would be to run them on individual servers.

Installing the GRR server

To install the GRR server, see ServerInstall.

Installing the GRR clients

The GRR clients are best deployed as stand-alone pre-packaged binaries. These depend on the operating system of the client system.

To create a GRR Windows client binary, see BuildingWindowsClient.

To create a GRR Mac OS X client binary, see BuildingOSXClient.

The Linux client currently is not provided as a binary, but instructions on how to run a test/development version are included in the server installation documentation.

http://www.dfrws.org/2011/proceedings/Cohen%20DFRWS_Presentation_v1.pdf


Can you spot the fake picture? Image analysis

Can you spot the fake photograph?

A new photograph-analyzing tool quantifies changes made by digital airbrushers in the fashion and lifestyle industry, where image alteration has become the psychologically destructive norm.

“Publishers have legitimate reasons to alter photographs to create fantasy and sell products, but they’ve gone a little too far,” said image forensics specialist Hany Farid of Dartmouth University. “You can’t ignore the body of literature showing negative consequences to being inundated with these images.”

In a Nov. 28 Proceedings of the National Academy of Sciences study, Farid and doctoral student Eric Kee debut a computational model developed by analyzing 468 sets of original and retouched photographs. From these, Farid and Kee distilled a formal mathematical description of alterations made to models’ shapes and features. Their model then scored each altered photograph on a scale of 1 to 5, with 5 signifying heavy retouching.

To validate the scores, Farid and Kee then asked 50 people randomly picked through Amazon’s Mechanical Turk task outsourcing service to evaluate the photographs. Computational and human scores matched closely. “Now what we have is a mathematical measure of photo retouching,” said Farid. “We can predict what an average observer would say.”

http://www.wired.com/wiredscience/2011/11/photo-alteration-analysis/


New research paper on Android Forensics and Volatility Framework

To our knowledge, this is the first published work on accurate physical memory acquisition and deep memory analysis of the Android kernel’s structures. The developed kernel analysis support allows the popular Volatility framework to be used when analysing data, via our implementation of ARM-specific support.


iPhone Forensics – Find your friends avatar pics on your iTunes backups


All that forensic information is sitting in your iTunes backup. Try this SQLite DB path: /mobile/Library/AddressBook/AddressBookImages.sqlitedb


https://www.blackbagtech.com/blog/2011/10/11/the-bigger-picture-avatar-images-on-iphones


They say a picture is worth a thousand words – exif data tells more

The screenshots above show how I grabbed a picture off a blog and found the EXIF data hidden in the metadata of the picture. Using an EXIF decoding website, you put the URL of the photo into the website. Next, the website analyses the picture and provides you with the EXIF data. Locate the GPS coordinates in the EXIF data and throw that into Google Maps and you get the location where the photo was taken.
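A way to check a photo for the GPS EXIF tags described above before it leaves your hands, as an added example that is not part of the original post: it walks the JPEG APP1 segment and the TIFF GPS IFD with only the standard library, and builds a constructed test fixture (not a real photo) so it runs offline.

```python
import struct

GPS_IFD_POINTER = 0x8825                  # tag numbers from the TIFF/EXIF specification
LAT_REF, LAT, LON_REF, LON = 0x1, 0x2, 0x3, 0x4

def _read_ifd(tiff, endian, off):
    """Return {tag: (type, count, raw 4-byte value/offset field)} for the IFD at off."""
    n = struct.unpack_from(endian + "H", tiff, off)[0]
    entries = [struct.unpack_from(endian + "HHI4s", tiff, off + 2 + 12 * i) for i in range(n)]
    return {tag: (typ, count, raw) for tag, typ, count, raw in entries}

def _dms_to_degrees(tiff, endian, raw):
    """GPSLatitude/GPSLongitude are three RATIONALs (deg, min, sec) stored at an offset."""
    off = struct.unpack(endian + "I", raw)[0]
    d, m, s = (num / den for num, den in struct.iter_unpack(endian + "II", tiff[off:off + 24]))
    return d + m / 60 + s / 3600

def exif_gps(jpeg):
    """Return (lat, lon) in signed decimal degrees from the EXIF GPS IFD, or None if absent."""
    pos = 2 if jpeg[:2] == b"\xff\xd8" else len(jpeg)   # must start with SOI, else skip the loop
    # Walk APPn segments until the scan data (SOS) or end of image (EOI).
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xDA, 0xD9):
        marker, length = jpeg[pos + 1], struct.unpack_from(">H", jpeg, pos + 2)[0]
        seg, pos = jpeg[pos + 4:pos + 2 + length], pos + 2 + length
        if marker != 0xE1 or not seg.startswith(b"Exif\x00\x00"):
            continue
        tiff = seg[6:]                                   # TIFF header follows the Exif marker
        endian = "<" if tiff[:2] == b"II" else ">"
        ifd0 = _read_ifd(tiff, endian, struct.unpack_from(endian + "I", tiff, 4)[0])
        if GPS_IFD_POINTER not in ifd0:
            return None
        gps = _read_ifd(tiff, endian, struct.unpack(endian + "I", ifd0[GPS_IFD_POINTER][2])[0])
        if not all(t in gps for t in (LAT_REF, LAT, LON_REF, LON)):
            return None
        lat = _dms_to_degrees(tiff, endian, gps[LAT][2]) * (-1 if gps[LAT_REF][2][:1] == b"S" else 1)
        lon = _dms_to_degrees(tiff, endian, gps[LON][2]) * (-1 if gps[LON_REF][2][:1] == b"W" else 1)
        return lat, lon
    return None

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed fixture, not a real photo: SOI + EXIF APP1 carrying only GPS tags + EOI."""
    rat = lambda dms: b"".join(struct.pack("<II", v, 1) for v in dms)
    ifd0 = struct.pack("<HHHIII", 1, GPS_IFD_POINTER, 4, 1, 26, 0)   # 1 entry: GPS IFD at offset 26
    gps = struct.pack("<H", 4)                                        # 4 GPS entries follow
    gps += struct.pack("<HHI4s", LAT_REF, 2, 2, lat_ref + b"\0\0\0")  # ASCII "N\0" fits in the field
    gps += struct.pack("<HHII", LAT, 5, 3, 80)                        # 3 RATIONALs at offset 80
    gps += struct.pack("<HHI4s", LON_REF, 2, 2, lon_ref + b"\0\0\0")
    gps += struct.pack("<HHII", LON, 5, 3, 104) + struct.pack("<I", 0)
    tiff = b"II*\0" + struct.pack("<I", 8) + ifd0 + gps + rat(lat_dms) + rat(lon_dms)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

A result other than None means the file still carries a location; stripping the APP1 segment (or re-saving without EXIF) before posting is the fix.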

Flickr has developed Geofence, a cool little feature that turns off location leakage via the Flickr site. You still have to know about the feature and tune it yourself.

The term “geofence” may sound complicated, but our implementation is quite simple. A geofence is a user-defined boundary around a specific area on a map. We decided to keep the creation and editing process similar to geotagging on the photo page. We understand from developing the photo page map that it is important to provide a way to search for a location as well as simply drop something in the right place on the map. The geofence is represented by a selector-circle on a modal map panel with simple edit controls on the side.

http://code.flickr.com/blog/2011/08/30/in-the-privacy-of-our-homes/


Police can find data in your iTunes iPhone backup

Backup data location

iTunes backups of the iPhone (and iPod, iTouch, etc.) are stored in the following directories:

  • Windows XP:  C:\Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\
  • Windows Vista: C:\Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
  • Mac OS X: /Users/(username)/Library/Application Support/MobileSync/Backup/

What they can find using iPhone Forensics

  • Call logs
  • SMS Messages
  • MMS
  • Contacts
  • Email
  • Calendar
  • Notes
  • Pictures (Even those deleted Riot photos)
  • Screenshots
  • Songs
  • Web History
  • Bookmarks
  • Cookies
  • Applications
  • Google Maps
  • Tracking Info
  • Voicemail
  • Passwords
  • Plists and XML
  • Phone Information
  • Video
  • Speed Dials
  • GPS
  • File Hashes
  • YouTube
  • HTML
  • Office Documents
  • Wifi


Human Flight Recorder

The iPhone is the next cyborg device you carry to be online anywhere. It is also your Human Flight Recorder, documenting your whereabouts.

Researchers have discovered that the iPhone is keeping track of where you go and storing that information in a file that is stored – unencrypted and unprotected – on any machine with which you synchronize your phone.

Data scientists Alasdair Allan and Pete Warden came across the file – “consolidated.db” – while they were thinking about the potential trove of mobile data stored on a cellphone and thinking about ways to visualize this data.
