Man In The Middle Attack: Forensics


Yes, that’s right! Mr. Upset did not post ‘I am hating my new job’ as it appears in Figure 2; he wrote ‘I am loving my new job’. How did that happen, and who did it? This article sets out to answer these questions. We fabricate a case in which a person is the target of a Man In The Middle (MITM) attack and then analyze the victim’s device to corroborate his account and trace the perpetrator. The paper is divided into two sections. Section 1 demonstrates how the attacker tampered with the message posted to LinkedIn by means of a MITM attack. Section 2 dissects the forensic side to determine whether Mr. Upset (the victim) is making a reasonable claim.

1       Section I – MITM Attack

It is assumed that Mr. Upset’s mobile device, an iPod touch, has already been compromised by the bad guy: a malicious certificate or configuration profile has been installed (Figure 3) and the device’s proxy settings have been changed (Figure 4). The modified proxy setting makes the device send its HTTP and HTTPS traffic to the attacker’s machine, where the Charles proxy tool (acting as the proxy server) can capture and monitor every request and response to and from Mr. Upset’s device. The Charles SSL CA certificate is assumed to be already present among the victim’s trusted root certificates; this is what allows Charles to terminate the TLS (SSL) connection, present its own certificate for the LinkedIn host, and read and modify the plaintext before re-encrypting it towards LinkedIn. Without that trusted CA the device would reject Charles’s forged certificate, and an app that pins its server certificate would reject it even with the CA installed. The whole attack therefore rests on these two prerequisites, and they are also the traces we look for in Section II.


Given below are the steps the attacker follows to intercept the LinkedIn communication and alter the original message using the Charles proxy tool.



1- The bad guy launches Charles and starts eavesdropping on the victim’s activity. He notices the LinkedIn hostname touch.www.linkedin.com in the Host column (Figure 5), which leads him to believe that the victim is using the LinkedIn application.


2- He adds that LinkedIn host to the SSL list under the SSL tab of the Proxy Settings (Figure 6 and Figure 7). Note that port 443 is entered, since the traffic is HTTPS. From this point on Charles performs SSL proxying for that host, i.e. it decrypts and re-encrypts the traffic instead of merely tunnelling it.


3- Next, he sets a breakpoint (Proxy -> Breakpoints). The request method is POST, the scheme is https and the host is touch.www.linkedin.com. Since he is interested in holding request packets, he selects the Request type, as shown in Figure 8. Now, as soon as Mr. Upset posts a message, Charles holds the request before it leaves for the LinkedIn server, lets the attacker edit it, and then releases it to the server.


4- Now is the real show time for the bad guy. The breakpoint is active, and in the meantime Mr. Upset posts the comment ‘I am loving my new job’ on his LinkedIn account as shown in Figure 1. As soon as he hits the Share button, a POST request is sent towards the LinkedIn server. But the man in the middle gets to see and modify the request before it reaches its final destination. The attacker opens it with Edit Request in the top menu and selects the Form display option at the bottom (Figure 9).


He replaces the word loving with hating, as depicted in Figure 10.


5- Finally, he removes the breakpoint by clicking the red button at the top and hits Execute. This releases the edited request from the proxy towards the LinkedIn server and completes the victim’s POST action with the altered text. The edited body has to go out with a matching Content-Length header; Charles takes care of that when the body is edited in the Form view, but a hand-rolled proxy has to do it itself or the server will read a truncated or over-long body.
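The same edit done in code rather than in the Charles GUI, as an added example that is not part of the original article or of Charles. It operates on one raw HTTP/1.1 request, which is what a TLS-terminating proxy hands over after decryption; the path, the field names and the sample request are constructed, only the hostname comes from the article. The point it makes explicit is the one the GUI hides: the form body is re-encoded and Content-Length is recomputed, and requests that are not a form POST to the target host pass through untouched, which is what the breakpoint filter did for the attacker.

```python
"""Form-body tampering of a held POST request (added example, constructed data)."""
from urllib.parse import parse_qsl, urlencode

TARGET_HOST = b"touch.www.linkedin.com"  # host seen in Charles' Host column
FORM_TYPE = b"application/x-www-form-urlencoded"


def parse_request(raw):
    """Split a raw request into (request_line, header_lines, headers, body).

    Header names are lower-cased in the dict for lookup; the original header
    lines are returned as well so they can be written back unchanged.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], lines[1:], headers, body


def tamper_form_request(raw, old, new, host=TARGET_HOST):
    """Replace `old` with `new` in every form field of a POST to `host`.

    Returns (request_bytes, changed). Anything that is not a form POST to the
    target host, or that does not contain `old`, is returned untouched.
    """
    request_line, header_lines, headers, body = parse_request(raw)
    method = request_line.split(b" ", 1)[0]
    if method != b"POST" or headers.get(b"host") != host:
        return raw, False
    if not headers.get(b"content-type", b"").startswith(FORM_TYPE):
        return raw, False

    fields = parse_qsl(body.decode("utf-8"), keep_blank_values=True)
    changed = False
    edited = []
    for name, value in fields:
        if old in value:
            value = value.replace(old, new)
            changed = True
        edited.append((name, value))
    if not changed:
        return raw, False

    new_body = urlencode(edited).encode("utf-8")
    # The body length may have changed: Content-Length must follow, or the
    # server reads a truncated body or waits for bytes that never arrive.
    out = [request_line]
    for line in header_lines:
        if line.lower().startswith(b"content-length:"):
            line = b"Content-Length: %d" % len(new_body)
        out.append(line)
    return b"\r\n".join(out) + b"\r\n\r\n" + new_body, True


def content_length(raw):
    """Read back the Content-Length header of a (rewritten) request."""
    _, _, headers, _ = parse_request(raw)
    return int(headers[b"content-length"])


# Constructed sample: the shape of a share request, not a captured LinkedIn one.
SAMPLE_BODY = b"comment=I+am+loving+my+new+job&visibility=anyone"
SAMPLE_REQUEST = (
    b"POST /share HTTP/1.1\r\n"
    b"Host: touch.www.linkedin.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: %d\r\n" % len(SAMPLE_BODY)
    + b"\r\n"
    + SAMPLE_BODY
)

if __name__ == "__main__":
    tampered, changed = tamper_form_request(SAMPLE_REQUEST, "loving", "hating")
    print(changed)
    print(tampered.decode("utf-8"))
```

Because the body is parsed and re-encoded as a whole, other fields may come back with normalised percent-encoding; when fidelity to the original bytes matters, substitute only inside the one field instead. In mitmproxy (cited in the references) the equivalent lives in a `request(flow)` hook working on `flow.request.urlencoded_form`.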

2       Section II – Forensics

In Section I we demonstrated a simple MITM attack. What is next? How can one prove that Mr. Upset did not post that message but was interfered with? To determine this, in this section we examine the victim’s device, the iPod touch.

One can start the investigation of an iOS device by looking at the files listed below.

  • TrustStore.sqlite3 [/var/Keychains/TrustStore.sqlite3]
  • preferences.plist   [/private/var/preferences/SystemConfiguration/preferences.plist]
  • dynamic-text.dat  [/var/mobile/Library/Keyboard/dynamic-text.dat]

Note that the name and/or location of these files might change with the iOS version. The names and paths given were validated on iOS 5.1.1 and 6.1.3.

2.1       TrustStore.sqlite3

TrustStore.sqlite3 holds the certificates and trust settings that were added to the device by the user or by a configuration profile, as opposed to the root certificates Apple ships with iOS. In this case Figure 11 shows the installed Charles SSL CA certificate. The modification time of this database changes whenever a new certificate is installed, so this timestamp can be critical in drawing a timeline, especially if the malicious certificate is the last one installed. Every certificate found here should be checked against what the user or the organisation’s device management is known to have installed; a CA belonging to a debugging proxy has no legitimate place on an end user’s device.


2.2       preferences.plist

The preferences.plist file stores network preferences. Since we are investigating a MITM attack and looking for traces of a proxy setting on the device, this file could be our smoking gun. In this case (Figure 12) we observed a proxy server IP 192.168.0.10, which is the potential malicious proxy server address. It is worth noticing that this file retains a history of previously configured proxies, so a proxy setting that has since been removed from the device may still be recoverable here.


2.3       dynamic-text.dat

dynamic-text.dat is the keyboard’s learned-word dictionary rather than a keystroke log: it stores words the user has typed, in no particular order and without the spaces and punctuation around them, so recovering a complete sentence is a matter of luck. Still, it often contains enough words to make sense, and examining it is a good idea in a case like this one, where we need to know whether the user typed hating or loving. When we examined the file we found ‘lovingmynew’, as shown in Figure 13. This indicates that the user typed ‘lovingmynew’.

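A small triage script for the three artefacts discussed in 2.1 to 2.3, as an added example that is not part of the original article. Everything it runs on is constructed sample data, and its assumptions are labelled in the code: that preferences.plist follows the SystemConfiguration layout (NetworkServices -> service -> Proxies -> HTTPEnable/HTTPProxy/HTTPPort and the HTTPS equivalents), that TrustStore.sqlite3 has a table `tsettings` with columns sha1, subj, tset and data where `data` is the DER certificate, and that dynamic-text.dat can be treated as a blob of words. On a real extraction, point the functions at the three paths listed above instead of the sample objects.

```python
"""Triage of preferences.plist, TrustStore.sqlite3 and dynamic-text.dat (added example)."""
import hashlib
import plistlib
import re
import sqlite3


def proxies_from_preferences(plist_bytes):
    """Return [(service_name, scheme, host, port)] for every enabled proxy.

    Assumed layout: SystemConfiguration's NetworkServices dict keyed by service
    UUID, each service carrying a Proxies dict. Disabled entries (Enable flag 0)
    are skipped here, although their presence may still matter for a timeline.
    """
    prefs = plistlib.loads(plist_bytes)
    hits = []
    for service_id, service in prefs.get("NetworkServices", {}).items():
        proxies = service.get("Proxies", {})
        name = service.get("UserDefinedName", service_id)
        for scheme in ("HTTP", "HTTPS"):
            if proxies.get(scheme + "Enable") == 1:
                hits.append((name, scheme, proxies[scheme + "Proxy"], proxies[scheme + "Port"]))
    return hits


def user_added_certs(conn):
    """List (sha1_hex, stored_sha1_matches_data) for every row of tsettings.

    Assumed schema: tsettings(sha1 BLOB, subj BLOB, tset BLOB, data BLOB).
    Rows in this table were added after the fact (user, management profile or
    attacker); Apple's built-in roots are not stored here. The stored sha1 is
    recomputed from the DER bytes as a consistency check on the database.
    """
    rows = conn.execute("SELECT sha1, data FROM tsettings").fetchall()
    return [(hashlib.sha1(der).hexdigest(), hashlib.sha1(der).digest() == bytes(sha1))
            for sha1, der in rows]


def keyboard_words(blob, min_len=3):
    """Pull printable word runs out of dynamic-text.dat, strings(1) style."""
    return [w.decode("ascii") for w in re.findall(rb"[A-Za-z']{%d,}" % min_len, blob)]


def words_containing(words, needles):
    """Map each needle to the dictionary entries that contain it."""
    return {n: [w for w in words if n in w] for n in needles}


# ---- constructed sample data (not from the case) -----------------------------
SAMPLE_PREFS = plistlib.dumps({
    "NetworkServices": {
        "D4A1C0DE-0000-4000-8000-000000000001": {
            "UserDefinedName": "Wi-Fi",
            "Proxies": {"HTTPEnable": 1, "HTTPProxy": "192.168.0.10", "HTTPPort": 8888,
                        "HTTPSEnable": 1, "HTTPSProxy": "192.168.0.10", "HTTPSPort": 8888},
        },
    },
})

FAKE_DER = b"\x30\x82\x01\x00" + b"\x00" * 16  # stand-in for a DER certificate
SAMPLE_TRUSTSTORE = sqlite3.connect(":memory:")
SAMPLE_TRUSTSTORE.execute("CREATE TABLE tsettings (sha1 BLOB, subj BLOB, tset BLOB, data BLOB)")
SAMPLE_TRUSTSTORE.execute("INSERT INTO tsettings VALUES (?, ?, ?, ?)",
                          (hashlib.sha1(FAKE_DER).digest(), b"CN=debugging proxy CA", b"", FAKE_DER))
SAMPLE_TRUSTSTORE.commit()

SAMPLE_DYNAMIC_TEXT = (b"DynamicDictionary-5\x00\x00\x01Mr\x00\x00\x02Upset\x00\x00\x07lovingmynew"
                       b"\x00\x00\x01job\x00\x00\x01linkedin\x00")

if __name__ == "__main__":
    print(proxies_from_preferences(SAMPLE_PREFS))
    print(user_added_certs(SAMPLE_TRUSTSTORE))
    print(words_containing(keyboard_words(SAMPLE_DYNAMIC_TEXT), ["loving", "hating"]))
```

The proxy host and port returned by the first function are what you hand to the network side of the investigation; the fingerprints from the second can be matched against the CA that the proxy software on the suspected machine presents.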

2.4       Inquisitive Aspect

Based on the above analysis, a few questions can be addressed.

2.4.1        Are there any signs of compromise in victim’s device?

Yes, there are signs of malicious activity on the device: an untrusted, attacker-controlled CA certificate in the trust store and a proxy setting pointing at a third-party host.

2.4.2        Did Mr. Upset actually post what appears on his LinkedIn account?

Most likely, Mr. Upset did not post the word hating: the keyboard dictionary records ‘loving’, and the device was set up to route its LinkedIn traffic through a proxy that was able to alter it.

2.4.3        What is the origin of attack?

In this example scenario we found the involvement of a proxy server with IP 192.168.0.10. In a real-world case this could be a public or a private IP, pointing to a remote attacker or an insider respectively. Whatever the case, the next step is to trace the IP (DHCP leases, Wi-Fi router logs and ARP tables of the network in question are the usual starting points) and proceed with the investigation.

FYI: After the analysis, Mr. Upset is not upset anymore 🙂

3        Closure

This article demonstrated how a posted message can be tampered with on the fly using a MITM attack, and then applied forensic techniques to the compromised device to unearth the evidence of it.

4        References

@NOODLEWERK. (2011, October 19). Tutorial: Using Charles proxy to debug HTTP(S) communication between server and iOS apps. Noodlewerk blog. Retrieved July 25, 2013, from http://blog.noodlewerk.com/general/tutorial-using-charles-proxy-to-debug-https-communication-between-server-and-ios-apps/

Charles. (n.d.). SSL Proxying. Charles documentation. Retrieved July 20, 2013, from http://www.charlesproxy.com/documentation/proxying/ssl-proxying/

mitmproxy 0.9. (2013). How mitmproxy works. Retrieved July 21, 2013, from http://mitmproxy.org/doc/howmitmproxy.html
