Wednesday, April 23, 2014

Daily Blog #304: How to use the Triforce Videos

Hello Reader,
        We just uploaded the first of the Triforce tutorial videos; you can watch it here: https://www.youtube.com/watch?v=j42FD9jcB4s&list=PLzO8L5QHW0MGUivIBxbrsavk2NL9VwsYQ

We will be uploading a bunch more videos to walk through how to use all the features we've added and how to do your own analysis. In addition, we are proofreading our documentation and preparing sample images you can test the tool against for your own validation.

Give the video a watch and let me know what you want to know most about first!

Tuesday, April 22, 2014

Daily Blog #303: Verizon DBIR 2014 early access

Hello Reader,
             This is our second year contributing to the Verizon DBIR (Data Breach Investigations Report), and it's something that I think is worth the time to do. One thing that most firms handling incidents and litigation, as we do, may not realize is that all your data is anonymous, so your clients aren't at risk from sharing what you've seen over the year. One other benefit is that you can choose to have a member of the DBIR team come out to your site to collect all the information about your incidents and buy you lunch!

Beyond that, the other nice benefit of contributing is early access to the report; we've been seeing early drafts for quite some time, which helps in educating our clients about trends. As a benefit of keeping up with the daily blogs, I thought I would extend the courtesy to you and provide a link to download the 2014 DBIR a day early: http://verizonenterprise.com/dbir/2014/insider.

So go check out the 2014 DBIR and get a wider picture of what trends are out there; this time it's not just full of the word cyber (though it does contain the word cyber 93 times). You can also join in the fun of the Verizon DBIR cover puzzle challenge! Read more about last year's challenge here: http://www.securitysift.com/solving-the-2013-verizon-dbir-cover-challenge/

Have fun reading!

Monday, April 21, 2014

Daily Blog #302: Sunday Funday 4/20/14 Winner!

Hello Reader,
        When I make these Sunday Funday Challenges and include a specific version, I'm usually looking to see how common the knowledge of something is. This challenge was no different, as Android 4.4 offers a new logical acquisition option called the Android Backup, which I was happy to see in this week's winning answer. Though I did receive many good responses this week, I thought this one best answered the question in terms of acquiring data in the context of an Android 4.4 device.

The Challenge:
Answer the following questions for an Android 4.4 device:

1. What effect would device encryption being on have on a physical acquisition?
2. What effect would device encryption being on have on a chip off acquisition?
3. What effect would device encryption being on have on a logical acquisition?
4. What are the different types of logical acquisition available for an Android 4.4 device?

The Winning Answer:
Joerie de Gram

In answering the questions I'm assuming the credentials required for decryption are unknown to the examiner.

1. What effect would device encryption being on have on a physical acquisition?

Naive physical acquisition methods would result in the /data partition being inaccessible due to device encryption. If the required passphrase is not available to the examiner, a dictionary or brute force attack may be launched in an attempt to recover it.

As argued in literature by Casey et al. [1], overcoming device encryption requires adapting the legal framework, tactical approach and acquisition procedures. For Android devices utilising device encryption, tailored acquisition methods could allow key recovery through means other than brute force or dictionary attacks. For example, if a target device is acquired while it's fully booted (i.e. the encryption keys are memory-resident) and the lock screen is not barring access to the phone, combining ADB (Android Debug Bridge) with privilege escalation exploits might allow acquisition of volatile memory using LiME [2].

If the device is fully booted, yet the lock screen is barring access to the device, a way of either disabling or bypassing the lock screen is required first if ADB is unavailable. A thorough analysis of the target device model might yield surprising results, as demonstrated by Ossman and Osborn [3], who leverage port multiplexing on the Samsung Galaxy Nexus to gain a shell on the device.

If the lock screen cannot be disabled or circumvented, hardware attacks (e.g. JTAG) might allow for acquisition of volatile memory (and subsequently encryption keys) or unencrypted data directly. Finally, 'cold boot' attacks apply to smartphones as they apply to PC hardware and could lead to recovery of encryption keys [4] if the target device allows booting 'custom' images.

2. What effect would device encryption being on have on a chip off acquisition?

A chip off acquisition would yield a similar result to a 'naive' physical acquisition. If volatile memory has not been acquired prior to performing a chip off, the examiner will have to resort to attempting to crack the encryption key.

3. What effect would device encryption being on have on a logical acquisition?

- None if the target device is fully booted and either no lock screen is present, or the acquisition method is able to bypass it, as device encryption is transparent to filesystem-level acquisition methodologies.
- If the acquisition method would normally work regardless of whether a device lock (pattern, password, pin, etc.) is present, device encryption prevents logical acquisition if a device is initially powered off.

4. What are the different types of logical acquisition available for an Android 4.4 device?

- File transfer via ADB (optionally combined with privilege escalation exploits)
- Usage of the 'backup' functionality [5].
- I believe backup functionality was introduced in 4.0 (as per Nikolai Elenkov's great writeup [6], which I forgot to cite in my deadline-haste - I cited the backup extraction tool only). There have been some changes to key derivation which affect backups in 4.4 though [7].

[1]: Casey, E, Fellows, G, Geiger, M, et al, The growing impact of full disk encryption on digital forensics, Digital Investigation, Volume 8, Issue 2, November 2011
[2]: LiME - Linux Memory Extractor, https://code.google.com/p/lime-forensics/
[3]: Ossman, M and Osborn, K, Multiplexed Wired Attack Surfaces, https://media.blackhat.com/us-13/US-13-Ossmann-Multiplexed-Wired-Attack-Surfaces-WP.pdf
[4]: Müller, T and Spreitzenbarth, M, FROST: Forensic Recovery Of Scrambled Telephones, https://www1.informatik.uni-erlangen.de/frost
[5]: Android backup extractor,
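The winning answer points at the 'backup' functionality as one of the logical acquisition routes and notes that Android 4.4 changed the key derivation used for backups. Below is an added example, written for this post and not code from the answer's author, the blog, or the Android backup extractor project, that shows what an examiner actually receives from that route: a short text header followed by a tar stream. The parser reads the header fields (magic, file version, compression flag, encryption algorithm, and the key-wrapping parameters that only an encrypted backup carries), turns an unencrypted backup back into a plain tar, and refuses an encrypted one rather than attempting any password recovery. The header layout and the meaning of file versions 1 and 2 are assumptions taken from the backup extractor's documentation of the format; the sample backups are constructed in the code and contain placeholder data, not material from any real device.

```python
import io
import tarfile
import zlib

# Header layout written by `adb backup` ahead of the (optionally deflated,
# optionally AES-256 encrypted) tar stream. Assumed here from the format
# description published with the Android backup extractor project.
MAGIC = "ANDROID BACKUP"


def _read_line(buf: bytes, pos: int):
    """Return the ASCII header line starting at pos and the offset just past its newline."""
    end = buf.index(b"\n", pos)
    return buf[pos:end].decode("ascii"), end + 1


def parse_backup_header(data: bytes) -> dict:
    """Parse the header only; works for both encrypted and unencrypted backups."""
    magic, pos = _read_line(data, 0)
    if magic != MAGIC:
        raise ValueError("not an Android backup file")
    version, pos = _read_line(data, pos)
    compressed, pos = _read_line(data, pos)
    algorithm, pos = _read_line(data, pos)
    info = {
        "version": int(version),          # 1 = Android 4.0-4.3, 2 = Android 4.4 (assumption)
        "compressed": compressed == "1",  # payload is zlib/deflate compressed
        "encryption": algorithm,          # "none" or "AES-256"
    }
    if algorithm != "none":
        # An encrypted backup carries five more lines describing the key wrapping;
        # the master key itself is only recoverable with the user's backup password.
        user_salt, pos = _read_line(data, pos)
        checksum_salt, pos = _read_line(data, pos)
        rounds, pos = _read_line(data, pos)
        user_iv, pos = _read_line(data, pos)
        master_key_blob, pos = _read_line(data, pos)
        info.update(
            user_salt_hex=user_salt,
            checksum_salt_hex=checksum_salt,
            pbkdf2_rounds=int(rounds),
            user_iv_hex=user_iv,
            master_key_blob_hex=master_key_blob,
        )
    info["payload_offset"] = pos
    return info


def backup_to_tar(data: bytes) -> bytes:
    """Strip the header and inflate the payload of an unencrypted backup, yielding a plain tar."""
    info = parse_backup_header(data)
    if info["encryption"] != "none":
        raise ValueError("encrypted backup: the payload stays ciphertext without the user's password")
    payload = data[info["payload_offset"]:]
    return zlib.decompress(payload) if info["compressed"] else payload


def list_backup_entries(data: bytes) -> list:
    """List the paths stored in the backup (apps/<package>/... entries)."""
    with tarfile.open(fileobj=io.BytesIO(backup_to_tar(data)), mode="r:") as tf:
        return [member.name for member in tf.getmembers()]


def build_sample_backup(compressed: bool = True) -> bytes:
    """Constructed, unencrypted version-1 backup holding two made-up app files (test input only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in (
            ("apps/com.example.notes/_manifest", b"1\ncom.example.notes\n"),
            ("apps/com.example.notes/db/notes.db", b"constructed placeholder, not a real database"),
        ):
            entry = tarfile.TarInfo(name)
            entry.size = len(content)
            tf.addfile(entry, io.BytesIO(content))
    tar_bytes = buf.getvalue()
    header = f"{MAGIC}\n1\n{1 if compressed else 0}\nnone\n".encode("ascii")
    return header + (zlib.compress(tar_bytes) if compressed else tar_bytes)


def build_sample_encrypted_header() -> bytes:
    """Constructed version-2 header whose encryption fields are placeholder hex, not real key material."""
    fields = [MAGIC, "2", "1", "AES-256", "11" * 64, "22" * 64, "10000", "33" * 16, "44" * 64]
    return ("\n".join(fields) + "\n").encode("ascii") + b"\x00" * 16


if __name__ == "__main__":
    sample = build_sample_backup()
    print(parse_backup_header(sample))
    print(list_backup_entries(sample))
    print(parse_backup_header(build_sample_encrypted_header()))
```

Reading the header first is the useful habit: the encryption line tells you immediately whether the backup is usable as a logical image or whether, as the answer says of an encrypted device, you are back to needing the credential, and the version and round count are what changed between Android 4.3 and 4.4 rather than the container layout.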