A Springboard To Digital Forensics Research In 2021

The end of 2020 could not come fast enough for most of us, and yet, as the year wound down, some things — such as the digital forensics research recapped in this article — were worth slowing down for. This article offers an overview of research published in November and December 2020.

This month we start with DigitalCorpora’s news that they’ve joined the AWS Open Data Sponsorship Program. Corpus downloads have moved from their previous download server at George Mason University to storage in Amazon S3.

“This means that the download server will be more stable moving forward,” reads the blog on DigitalCorpora’s website. “It will also make it much easier (and faster) to analyze the corpus from the Amazon Cloud—and all forensics should be done in the cloud, right?”

The http://downloads.digitalcorpora.org/corpora/ gateway will remain, but will redirect users to an AWS S3 download. TTS for downloads is another addition.

New research from the EU’s FORMOBILE initiative

The Automated Android Analysis Lab of ZITiS (Z-A3L) was highlighted at November’s virtual Research Institute Cyber Defence Meeting, as PhD candidate Christopher Lenk presented “Analysis of suspicious applications from evidence-relevant Android devices under real reconstructed conditions.”

The result of 18 months of work as part of the FORMOBILE initiative, Lenk’s presentation offered a brief overview of Android malware, followed by a discussion of automated analysis for applications from Android devices — in a way that adheres to forensic process regulations, including evidence preservation.

Lenk walked through the Z-A3L prototype created through FORMOBILE, including its web access interface, the static and dynamic techniques used in its hardware-based analysis, and its reporting of app behavior both during execution and in after-the-fact analysis, which helps estimate how likely the app is to be malicious.

Future functionality will include more applications and Android versions, as well as advanced program analysis and realistic Android system simulation.

4 posts — and lots of research opportunities — at DFIR Review

DFIR Review published a number of articles at the end of the year on the following topics:

  • The trustworthiness of Google Takeout location data
  • Two Bluetooth-oriented pieces of research
  • Tracking Windows 10 processes by their access to camera and microphone

As with all DFIR Review articles, future work is spelled out for other researchers who want to pick up the ball and run with it. Follow the links to the individual articles for more details!

Cloud-based data like Google Takeout is often held up as a way to verify data acquired from mobile devices or provider search warrant returns. However, in his article “Can Google Takeout Location Data Be Trusted?” Ross Donnelly, Digital Team Leader for Keith Borer Consultants, questions:

“As the data is downloaded directly from Google, there is a temptation to blindly trust this data. This leads to an important question: could a user alter the location data held by Google in order to mislead an investigator?”

The short answer: yes. Donnelly’s research revealed that Google’s own Location History tool indeed allows users to easily remove and add locations. By comparing two sources of location data within the Takeout — the alterable Semantic Location History, and the (so far) unalterable raw data in Location History.json — Donnelly demonstrated indicators that can be used to identify data manipulation.
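One way to put that comparison into practice, as an added example rather than Donnelly’s own method or any Google tooling: load the raw fixes from Location History.json, then check whether each place visit claimed in the Semantic Location History is backed by raw fixes in its time window and near its coordinates. The JSON layout (timestampMs, latitudeE7/longitudeE7, timelineObjects, placeVisit, duration) is assumed from the 2020-era Takeout export; the 500 m radius is an arbitrary threshold, and the sample export fragments below are constructed, not taken from a real account.

```python
"""Cross-check Semantic Location History place visits against raw fixes
from Location History.json.

Added example (not Donnelly's code or Google's tooling). Assumed export layout:
  Location History.json       -> {"locations": [{"timestampMs": "...",
                                  "latitudeE7": ..., "longitudeE7": ..., "accuracy": ...}]}
  Semantic Location History   -> {"timelineObjects": [{"placeVisit": {"location": {...},
                                  "duration": {"startTimestampMs": ..., "endTimestampMs": ...}}}]}
All sample data below is constructed.
"""
import json
import math
from datetime import datetime, timezone

# Constructed raw export: one fix every 10 minutes, 12:00 to 13:50 UTC on 2020-12-09,
# all at roughly the same point (the 'true' track).
RAW_JSON = json.dumps({"locations": [
    {"timestampMs": str(1607515200000 + i * 600000),
     "latitudeE7": 514952000, "longitudeE7": -1433000, "accuracy": 20}
    for i in range(12)
]})

# Constructed semantic export: a visit matching the raw track, a visit claimed
# ~6 km away during the same hour, and a visit in the evening with no raw fixes.
SEMANTIC_JSON = json.dumps({"timelineObjects": [
    {"placeVisit": {"location": {"latitudeE7": 514952100, "longitudeE7": -1432900, "name": "Cafe A"},
                    "duration": {"startTimestampMs": "1607515200000", "endTimestampMs": "1607518800000"}}},
    {"placeVisit": {"location": {"latitudeE7": 515500000, "longitudeE7": -1433000, "name": "Office B"},
                    "duration": {"startTimestampMs": "1607518800000", "endTimestampMs": "1607522400000"}}},
    {"placeVisit": {"location": {"latitudeE7": 514952000, "longitudeE7": -1433000, "name": "Cafe A"},
                    "duration": {"startTimestampMs": "1607540400000", "endTimestampMs": "1607544000000"}}},
    {"activitySegment": {}},   # non-visit timeline objects are ignored
]})


def _haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(a))


def _iso(ms):
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def load_raw_fixes(raw_json):
    """Return raw fixes as (unix_ms, lat, lon, accuracy_m) tuples sorted by time."""
    fixes = []
    for rec in json.loads(raw_json)["locations"]:
        fixes.append((int(rec["timestampMs"]), rec["latitudeE7"] / 1e7,
                      rec["longitudeE7"] / 1e7, rec.get("accuracy", 0)))
    return sorted(fixes)


def check_place_visits(semantic_json, fixes, radius_m=500.0):
    """Compare each placeVisit with the raw fixes falling inside its window.

    Returns (name, start_iso, end_iso, verdict) per visit, where verdict is
      "consistent"   - some raw fix lies within radius_m (+ its own accuracy)
      "disagrees"    - raw fixes exist in the window but all lie farther away
      "no raw fixes" - nothing in the raw file covers the window; this alone is
                       not proof of editing (the device may have been off)
    """
    results = []
    for obj in json.loads(semantic_json)["timelineObjects"]:
        visit = obj.get("placeVisit")
        if not visit:
            continue
        loc, dur = visit["location"], visit["duration"]
        start, end = int(dur["startTimestampMs"]), int(dur["endTimestampMs"])
        vlat, vlon = loc["latitudeE7"] / 1e7, loc["longitudeE7"] / 1e7
        in_window = [f for f in fixes if start <= f[0] <= end]
        if not in_window:
            verdict = "no raw fixes"
        elif any(_haversine_m(vlat, vlon, f[1], f[2]) <= radius_m + f[3] for f in in_window):
            verdict = "consistent"
        else:
            verdict = "disagrees"
        results.append((loc.get("name", "?"), _iso(start), _iso(end), verdict))
    return results


if __name__ == "__main__":
    for row in check_place_visits(SEMANTIC_JSON, load_raw_fixes(RAW_JSON)):
        print(*row)
```

The "disagrees" verdict is the stronger indicator: the raw file says the device was somewhere else while the semantic timeline claims a visit. A "no raw fixes" result needs corroboration from other artefacts before it is read as manipulation.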

Cellebrite’s Heather Mahalik, Senior Director of Digital Intelligence, contributed to two DFIR Review pieces. “How Android Bluetooth Connections Can Determine if a Driver had Their Hands on the Wheel During an Accident” and “How to Use iOS Bluetooth Connections to Solve Crimes Faster” both relied on Josh Hickman’s public images and test documentation, as well as building on her own previous research.

For her Android Bluetooth article, Mahalik focused on determining first, if Bluetooth devices were paired to an Android device; and second, actual connection times. Relying on parsed Bluetooth data from Cellebrite’s Physical Analyzer — which reviewers made sure to mention was verifiable using various open source tools — Mahalik showed where and how to find timestamp data needed to “put a person in a car, connected to Android Auto, when an activity occurs.”

The iOS Bluetooth article, which Mahalik coauthored with Matt Goeckel, a Cellebrite solutions engineer, built on both examiners’ independent iOS Bluetooth research. Of note, she wrote: “Oddly enough, our research stemmed from a question asked by an IACIS colleague of ours…. Matt and I could have worked on this together in 2018, but we weren’t aware we were both researching the same thing, which is a common theme in DFIR.”

Similar to the Android research, the question here revolved around Bluetooth timestamps which, as it turned out, are not stored in plain UTC as most iOS database and plist timestamps are. Instead, the file stores timestamps “in UTC with an adjustment to the user’s ‘base’ time zone” — even if the user connects in a different geographic location altogether.

Finally, Zachary Stanford’s “Can You Track Processes Accessing the Camera and Microphone on Windows 10?” shows how to determine when, and for how long, a process had access to resources such as the microphone, webcam, Bluetooth, location, contacts, etc., with a focus on the first two. In particular, he wanted to test how malicious activity could be tracked this way, though the method is also useful for determining the length of, say, a conversation.

Prompted by sheer curiosity after he came across a page in Windows settings, Stanford’s research relied on registry keys’ LastUsedTimeStart and LastUsedTimeStop values to demonstrate, for example, that “Zoom.exe had access to my webcam for 27.2 minutes.”

Visual-based geolocalization for forensics; cryptomarket transaction patterns

Also in December, two scholarly papers on digital forensics were made available at Forensic Science International: Digital Investigation:

Yokota et al. from Japan’s National Research Institute of Police Science published “A revisited visual-based geolocalization framework for forensic investigation support tools.” Visual-based geolocalization, which Cornell University’s SE(3) Computer Vision Group defines as the “given a photo, where was it taken?” problem, has been studied widely, but those studies “have not mainly focused on forensic purposes,” wrote Yokota et al.

Their paper aims to fill that gap for machine learning around investigation support tools, with particular emphasis on “maintainability that results from the ease of replacing the implemented algorithms with more appropriate algorithms [and] the interpretability of bottlenecks in the current system,” which they called advantages that are “specific and essential to forensic science where practicality is important.”

At Tohoku University and the Tokyo University of Science, meanwhile, researchers Yoichi Tsuchiya and Naoki Hiramoto published “Dark web in the dark: Investigating when transactions take place on cryptomarkets.”

Seeking to fill a gap between cryptomarket characteristics — product categories, sale volumes, and the number of listings and vendors — and patterns of activity around illegal drug transactions, specifically times of day and days of the week, Tsuchiya and Hiramoto traced Bitcoin addresses associated with the six previously leading and most active cryptomarkets.

Doing this identified clear activity patterns:

  • Transactions more often take place at night in European countries, the United States, and Canada.
  • More transactions take place on Mondays, Tuesdays, and Wednesdays, and fewer on Saturdays and Sundays. 

The research also determined that Operation Onymous, a cryptomarket policing effort, “only displaced users among these marketplaces and did not deter their activity, even in the short-term…. [nor] alter users’ transaction patterns.”

Christa Miller is a Content Manager at Forensic Focus. She specializes in writing about technology and criminal justice, with particular interest in issues related to digital evidence and cyber law.
