Fake text messages ...
 
Notifications
Clear all

Fake text messages app  

Page 1 / 2
  RSS
CCSO
 CCSO
(@ccso)
New Member

I am working a case and using Cellebrite to download an Iphone. I am trying to show the text messages generated by a fake text app commonly available is fake. So far I can find the message in Hex view indicating it could be a real text. Would subscriber toll records show the text did not come from the phone number listed on the text? Has anyone investigated a fake text service from "spoof text" online service. Researching this service, they claim you can "pay" them to send a fake text in any number you provide to them as the sender. I wonder if that number you provide them shows on the subscriber toll records.
Thanks in advance

Quote
Posted : 27/10/2017 1:55 pm
mobileforensicswales
(@mobileforensicswales)
Active Member

You'd have to go down the billing route and see if the other phone ever did send it.

I think that is the only way, these apps are designed to insert messages in the same way any other would.

Take a look at the service centre number for each incoming messages. You may find all the fake ones are from a different service centre than the legit ones.

Download the app, try it on your own test device to prove any theories

ReplyQuote
Posted : 30/10/2017 11:21 am
CCSO
 CCSO
(@ccso)
New Member

I can't find anything explaining how the app sends the "fake" text. I need to explain this in simple terms. Can you explain, or would you be able to point me in a direction to learn?

ReplyQuote
Posted : 30/10/2017 12:48 pm
mobileforensicswales
(@mobileforensicswales)
Active Member

Well very simply, the number it was 'from' is delivered to you by the service centre.

If Alice (A rouge service centre run by the fake SMS service) hands you a note saying its from Bob (The sender) saying he wants to kill you, the message is only as reliable as Alice.

When Charlie (A trusted service centre) gives you the same note it would be far more reliable and to prove it they will have logs i.e. bobs billing records.

Other fake SMS apps write or edit messages straight into the MMSSMS.db, I'd need more info really. So I could be alice wanting to say bob is trying to kill me and I could just run an app that injects said message into my DB for when you download my phone. This will neither be in bobs billing or more importantly my cell data records as an incoming message

ReplyQuote
Posted : 30/10/2017 1:04 pm
CCSO
 CCSO
(@ccso)
New Member

I have run a test on a controlled phone with a app "fake text message". The message shows up in the cellebrite physical extraction as a SMS and in Hex view. Since this Fake SMS never went to the network, I'm certain it won't be on the toll records. I was hoping to be able to explain how this "fake" SMS is showing up in the extraction.

ReplyQuote
Posted : 30/10/2017 1:13 pm
mobileforensicswales
(@mobileforensicswales)
Active Member

If you tell me the specific app, I could put it on my R&D list. There may truly be no way of telling without telecoms data if it's been written well enough.

Even worse if it edits existing texts without a modified marker, all texts on that device without a second device to verify them could be unacceptable as evidence if it can slip stream new ones in.

In cases like this I've had in the past where the app makes fake screenshots or something there is always a giveaway of sorts. Perhaps the messages all arrive or get sent bang on the one minute marker e.g. 173500 192300 where it doesn't have the functionality to make any other less rounded time stamp.

Perhaps a better way to look at this would be the fake text app itself, does it hold logs, are the messages held in a history? Is there renmant evidence in a write ahead log or similar?

ReplyQuote
Posted : 30/10/2017 1:19 pm
mobileforensicswales
(@mobileforensicswales)
Active Member

I am working a case and using Cellebrite to download an Iphone. I am trying to show the text messages generated by a fake text app commonly available is fake.

I missed this was an iPhone skimming it, is it jailbroken? If not then I don't think anything but the SMS application can write to the DB and messages will be coming over the air. Service centre from billing or the database file is your best bet as I explained before

ReplyQuote
Posted : 30/10/2017 1:21 pm
CCSO
 CCSO
(@ccso)
New Member

The app in play store is Fake Test Message from Norton digital.
I'm a 25 year retired police officer and a mobile forensic analysis and have been certified thru cellebrite training. Have 7 year experience all with a police department in Maryland.

ReplyQuote
Posted : 30/10/2017 2:24 pm
badgerau
(@badgerau)
Member

"Play Store" and iPhone don't mix very well.

Can you confirm that you are dealing with an Apple iPhone and if this phone is jailbroken?

ReplyQuote
Posted : 30/10/2017 6:45 pm
CCSO
 CCSO
(@ccso)
New Member

I used a android for the control download.

ReplyQuote
Posted : 30/10/2017 8:41 pm
mobileforensicswales
(@mobileforensicswales)
Active Member

I'm not sure that helps, android apps get access to the sms dB an iPhone app can't do.

Also neurondigital? 100% the same app and app developer?

ReplyQuote
Posted : 30/10/2017 8:54 pm
hcso1510
(@hcso1510)
Active Member

One thing that a lot of people struggle with, and I'm not suggesting that you are, is the concept of a spoof. In my department many officers believe that if you receive a communication from a VoIP number that somehow is a spoof. Not quite.

By fake, I am assuming that a handset received an sms message that was meant to appear as though it came from an individual that may be known to the individual that owns the handset?

The ability to do this could prove to be beneficial to a domestic violence victim who obtained an Order of Protection against an abuser. Victim sends themselves a "fake" sms and shows police that they have been threatened. Police go arrest the individual with the OP. Now OP may say "I didn't send it. Look at my phone." Police know it could have been deleted so they make the arrest. With technology these days that may be a bad choice by the police.

Last year I attended a HTCIA conference just outside Vegas. There was a guy who gave a presentation where he showed that with ADVANCED computer forensic skills you could spoof sms messages on an iPhone. His name escapes me now, but he is based out of Canada.

If it were my case I would focus on the victims provider to see what records they could provide.
I would start off with someone working the Court Order side or El Sur in the hopes that I would be able to speak with someone that had a very good knowledge of their network rather than a contract employee that might just fill requests and have no idea what goes on beyond filling the requests.

Essentially you are looking for the uplink provider for that data transmission, or the Session Initiation Protocol headers for that transmission. That information could possibly link you back to an IP address, or maybe a 10 digit phone number that may be the key to additional information.

ReplyQuote
Posted : 30/10/2017 9:15 pm
CCSO
 CCSO
(@ccso)
New Member

This is the link to the app

ReplyQuote
Posted : 31/10/2017 12:17 pm
mobileforensicswales
(@mobileforensicswales)
Active Member

I think you have missed my point. An android app that 'fakes' texts can do things an Apple app could not. Is the one on your evidencial phone by the same developer?

Any results for the android no matter how interesting will not explain how fake texts got on your apple device unless an android app sent it to the apple phone.

Hope I've not misunderstood

ReplyQuote
Posted : 31/10/2017 12:23 pm
CCSO
 CCSO
(@ccso)
New Member

Yeah, I think we have gotten way off the original question.
Without going into detail of the case on a open forum, The defense has brought up the idea a fake text was sent using an app that is ready available.
I used a controlled android phone and used (app I sent the link) the fake text message app to create the fake text. When I did an extraction it was in the timeline and the Hex view, indicating its just like any other text.

My question, is there a forensic explanation to know this text is a fake and didn't come from the network? My concern, potentially every text could be generated by a fake text app and unless we get tolls on every phone to confirm every text or call the defense could bring this issue up.

I'm asking is there a way to confirm in the extraction itself that text are real and which ones were generated by an app?

ReplyQuote
Posted : 31/10/2017 12:47 pm
Page 1 / 2
Share: