KeepSafe for Android

Posted: Thu Dec 05, 2013 9:17 am

I have a case in which the suspect used KeepSafe. I am finding images in \media\Main Folder\ and more in \media\Main Folder\.thumbs.

They are named with the following format <13 digit number>.<original file name?>.<original extension>.ksd. Some examples:
1375729769368.2013080195185854-1.jpg.ksd
1375729877735.a100c5f4-40c8-447b-8ce5-381507a0d437.jpg.ksd
1378219904357.2013090395094012.jpg.ksd
1375730074092.VID_20120705_160718.3gp.ksd
1378219904357.2013090395094012.jpg.ksd
1375729846126.IMG_20130730_183003_634.jpg.ksd

However, when viewing the image, it shows a blue castle, similar to the one seen here:

They all have different hash values. Testing on my phone, I found that the Keepsafe image is 3722 bytes larger than the original - every time.

Looking at the hex, the images are definitely PNG files (not .jpg). Internally, no .jpg header is seen.

Is there a way to use PNG as a wrapper for .jpg (and other) files?

Comparing file names to the rest of the bookmarked files (thus far), I am not seeing a whole lot of overlap.

Looking at the keepsafeDatabase SQLite database, I have hashes, existing paths, and the new path.

I would not be surprised if this contains the smoking gun, so every bit of help would be appreciated.

Terry

twjolson
Senior Member

Re: KeepSafe for Android

Posted: Thu Dec 05, 2013 9:39 am

Fire up an Android VM. I use AndroVM.

Load KeepSafe.

Create baseline image.

Use KeepSafe on baseline image.

Compare and deduce how to reverse KeepSafe
OR
Load copy KeepSafe config from suspect to VM with data, and try to open through KeepSafe,
OR
find security fault in KeepSafe to break into it.

etc.

jhup
Senior Member

Re: KeepSafe for Android

Posted: Thu Dec 05, 2013 11:46 am

Thank you for the reply.

I have already done testing with a test phone. That revealed what was originally posted.

Copy over procedure is a good thought. I haven't played with Android VMs yet.

But, if this went to court, I'd like to be a bit more informed (and maybe find a more defensible procedure).

So, if anyone has any additional knowledge, I'd be grateful.

twjolson
Senior Member

Re: KeepSafe for Android

Posted: Thu Dec 05, 2013 2:02 pm

Is it possible to share your test images? I'd be curious to see the difference in the original and the KeepSafe version.

trevin.mowery
Newbie

Re: KeepSafe for Android

Posted: Thu Dec 05, 2013 2:45 pm

It *seems* like the encryption is not "specific".
I.e. by reinstalling the app (with a known PIN) and redeploying the previously backed up contents of the "Main Folder" inside the (hidden) .keepsafe folder they can be viewed, according to this:
appcyla.wordpress.com/...ding-apps/


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -

jaclaz
Senior Member

Re: KeepSafe for Android

Posted: Thu Dec 05, 2013 4:51 pm

- trevin.mowery
Is it possible to share your test images? I'd be curious to see the difference in the original and the KeepSafe version.


Regular
KeepSafe

I had to rename the KeepSafe version to PNG, to allow the upload. It was originally .ksd. I am unsure if Photobucket altered the data, however. I know the original had EXIF metadata in it.

- jaclaz
It *seems* like the encryption is not "specific".
I.e. by reinstalling the app (with a known PIN) and redeploying the previously backed up contents of the "Main Folder" inside the (hidden) .keepsafe folder they can be viewed, according to this:
appcyla.wordpress.com/...ding-apps/


jaclaz


The problem with using another phone is these images may contain contraband, and all we have for testing is a personal phone. The rest are either far off brand, or very old (Android 2.3ish).

I emailed you about the AndroVM/Genymotion. Absent reversing the encryption (I am seeing reference to libcrypto in the KeepSafe folder), that is my best option, I think.

twjolson
Senior Member

Re: KeepSafe for Android

Posted: Mon Dec 09, 2013 12:24 pm

If you have the APK for the application, dump it and decompile the code - it sounds like they're using a static key (by the sound of the link posted above), so it should be defined in the code somewhere (unless, I suppose, it's getting pulled down from a server each time, but that sounds risky) - it'll probably give you a better idea of the encryption scheme used as well.

They might have obfuscated the code, which would make the digging more "fun", but I've had success doing similar jobs this way.

Trimming off the PNG bodged at the top of the file (it has an empty IEND tag at the bottom, so you should be able to just go from that point down) would, I suspect, give you the encrypted data.

Good luck with this, sounds interesting! If I get a chance to play I might download the app and have a poke...  

AlexC
Senior Member
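The opening post (a .ksd that is really a PNG, always 3722 bytes larger than the original) and AlexC's suggestion to cut at the IEND chunk both call for the same triage step. The following is an added example, not code from the thread or from the KeepSafe app: it walks the PNG chunk structure, verifies each chunk CRC, and returns the wrapper length plus whatever trails IEND, so an examiner can record where the opaque payload starts without guessing at the cipher. The sample .ksd is constructed here (a 1x1 blue PNG followed by placeholder bytes), not a real KeepSafe file, and nothing in it decrypts anything.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width=1, height=1):
    """Constructed 1x1 blue RGB PNG, standing in for the 'castle' cover image."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    row = b"\x00" + b"\x00\x00\xff" * width          # filter byte + blue pixels
    idat = zlib.compress(row * height)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def split_png_wrapper(blob):
    """Return (wrapper_len, trailing_bytes) for a PNG with data appended after IEND.

    Every chunk CRC is checked, so a damaged or non-PNG file raises ValueError
    instead of silently yielding a bogus payload offset.
    """
    if blob[:8] != PNG_SIG:
        raise ValueError("not a PNG: bad signature")
    pos = 8
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length                        # 4 len + 4 type + data + 4 crc
        if end > len(blob):
            raise ValueError("truncated chunk %r at offset %d" % (ctype, pos))
        data = blob[pos + 8:pos + 8 + length]
        (crc_stored,) = struct.unpack(">I", blob[pos + 8 + length:end])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc_stored:
            raise ValueError("CRC mismatch in chunk %r at offset %d" % (ctype, pos))
        pos = end
        if ctype == b"IEND":
            return pos, blob[pos:]                     # everything after IEND is the payload
    raise ValueError("no IEND chunk found")


def triage_ksd(blob):
    """Summarise a .ksd-style file: wrapper size, payload size, and whether the
    payload still carries a JPEG SOI marker (the thread reports it does not)."""
    wrapper_len, payload = split_png_wrapper(blob)
    return {"wrapper_len": wrapper_len, "payload_len": len(payload),
            "payload_is_plain_jpeg": payload[:2] == b"\xff\xd8"}


# Constructed sample: cover PNG + placeholder bytes where the real file holds ciphertext.
SAMPLE_KSD = build_png() + b"\x13\x37" * 16
```

If the cipher adds no padding, the wrapper length this reports should match the constant 3722-byte difference measured in the thread, which is a cheap consistency check before any deeper work.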