Difference between pages "SIMCon" and "Malware"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(added elements that could be recovered by SIMCon)
 
(HackingTeam)
 
Line 1: Line 1:
{{Wikify}}
+
'''Malware''' is a short version of '''Malicious Software'''.
  
==SIMCon==
+
Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets to the affected device. It is illegal to knowingly distribute malware.
  
[http://www.simcon.no SIMCon] is a program that securely images all files on a [[GSM]] [[SIM Card]] with a standard PC-SC smart card reader, either Serial or USB. After imaging, the forensic investigator can then analyze the contents of the card. Specific information regarding stored numbers, call history, and text messages are available.  
+
== Virus ==
 +
A computer program that can automatically copy itself and infect a computer.
  
[http://www.simcon.no SIMCon]'s features:
+
== Worm ==
 +
A self-replicating computer program that can automatically infect computers on a network.
  
* Acquire all available files on a [[SIM Card]] and store in an archive file
+
== Trojan horse ==
* Analyze and interpret content of files
+
A computer program which appears to perform a certain action, but actually performs many different forms of codes.
* Recover deleted text messages stored on the card
+
* Manage PIN and PUK codes
+
* Compatible with [[SIM Cards]] and [[USIM Cards]]
+
* Print reports of evidence
+
* Secure file archive using hashing
+
* Export items to popular spreadsheet programs
+
* Supports international charsets
+
* Contains a "content" view for plain text viewing of data, as well as a Hexadecimal view for more specific analysis.
+
  
Simcon is also capable of aquiring the following data from a SIM:
+
== Spyware ==
 +
A computer program that can automatically intercept or take partial control over the user's interaction.
  
* Abbreviated Dialing Numbers (ADN),
+
== Exploit Kit ==
* Last Dialed Numbers (LDN)
+
A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits]. Often utilizing a drive-by-download.
* Short Message Service (SMS)
+
* Public Land Mobile Network (PLMN) selector
+
* Forbidden PLMNs, Location Information (LOCI)
+
* General Packet Radio Service (GPRS) location
+
* International Mobile Subscriber Identity (IMSI)
+
* Integrated Circuit Card Identifier (ICCID)
+
* Mobile Subscriber ISDN (MSISDN)
+
* Service Provider Name (SPN)
+
* Phase Identification
+
* SIM Service Table (SST)
+
* Language Preference (LP)
+
* Card Holder Verification (CHV1) and (CHV2)
+
* Broadcast Control Channels (BCCH)
+
* Ciphering Key (Kc)
+
* Ciphering Key Sequence Number
+
* Emergency Call Code
+
* Fixed Dialing Numbers (FDN)
+
* Forbidden PLMNs
+
* Local Area Identitity (LAI)
+
* Own Dialing Number
+
* Temporary Mobile Subscriber Identity (TMSI)
+
* Routing Area Identifier (RIA) netowrk code
+
* Service Dialing Numbers (SDNs)
+
* Service Provider Name
+
* Depersonalizatoin Keys
+
  
 +
=== Drive-by-download ===
 +
Any download that happens without a person's knowledge [http://en.wikipedia.org/wiki/Drive-by_download].
  
 +
== Rootkit ==
 +
A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to an operating system.
  
All [[GSM]] cell phones today have a subscriber identity module (SIM) to identify the phone onto the network. [http://www.simcon.no SIMCon] is an application to acquire all of the information from the [[SIM Card]]. 
+
== See Also ==
 +
* [[Malware analysis]]
  
The [[SIM Card]] provides secure storing of the key identifying a mobile phone service subscriber, subscription information, preferences and text messages. Network state information, such as the current location area identity (LAI), is also stored on the card. When a handset is turned off and then back on, it will search for the LAI that it was in, rather than having to search all frequencies that the phone operates in. This saves time when trying to log on to the network. (Subscriber, 2006, para. 1)
+
== External Links ==
 +
* [http://en.wikipedia.org/wiki/Malware Wikipedia: malware]
 +
* [http://en.wikipedia.org/wiki/Drive-by_download Wikipedia: drive-by-download]
 +
* [http://www.viruslist.com/ Viruslist.com]
 +
* [http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares Androguard]: A list of recognized Android malware
  
By using [http://www.simcon.no SIMCon] and a smart card reader, all of the above information and more can be pulled off of the card without knowing the PIN or the PUK of the card. The PIN and the PUK are ways to keep the information on the card secure. They also can be used as a security feature on the phone, not allowing anyone to use a phone to access the [[SIM Card]] without knowing the codes.
+
=== Analysis ===
 +
* [http://sempersecurus.blogspot.ch/2013/12/a-forensic-overview-of-linux-perlbot.html A Forensic Overview of a Linux perlbot], by Andre M. DiMino, December 17, 2013
 +
* [http://research.zscaler.com/2014/02/probing-into-flash-zero-day-exploit-cve.html Probing into the Flash Zero Day Exploit (CVE-2014-0502)], by Krishnan Subramanian, February 21, 2014
 +
* [http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf Operation Windigo], by Olivier Bilodeau, Pierre-Marc Bureau, Joan Calvet, Alexis Dorais-Joncas, Marc-Étienne M.Léveillé, Benjamin Vanheuverzwijn, March, 2014
 +
* [http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx Security Advisory 2953095: recommendation to stay protected and for detections\, by Chengyun Chu, Elia Florio, March 24, 2014
  
[http://www.simcon.no SIMCon] is an application developed by Inside Out Forensics in Norway. It is designed for use by the law enforcement community, and it can be obtained free of charge by emailing [http://www.simcon.no SIMCon] and identifying the officers and unit.  However, for anyone outside the law enforcement community, it is not free. 
+
=== Exploit Kit ===
 +
* [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits What Are Exploit Kits?], by [[Lenny Zeltser]], October 26, 2010
 +
* [http://nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/ The four seasons of Glazunov: digging further into Sibhost and Flimkit], by Fraser Howard, July 2, 2013
 +
* [http://www.kahusecurity.com/2013/kore-exploit-kit/ Kore Exploit Kit], Kahu Security blog, July 18, 2013
  
===Review===
+
=== Rootkit ===
[http://www.simcon.no SIMCon] makes the acquisition of data very easy, simply inserting the SIM Card to the appropriate Sim card reader, and clicking acquire is all that is needed to start analyzing evidence. After the acquisition of the data is complete SimCon will show the user a screen with two halves.
+
* [http://en.wikipedia.org/wiki/Rootkit Wikipedia: Rootkit]
 +
* [http://articles.forensicfocus.com/2013/11/22/understanding-rootkits/ Understanding Rootkits: Using Memory Dump Analysis for Rootkit Detection], by Dmitry Korolev, Yuri Gubanov, Oleg Afonin, November 22, 2013
  
On the left panel is the different data sectors of the [[SIM Card]] that can either be checked on or off depending on what is needed. After choosing what data sectors are needed, the right panel will be populated with the selected data. Some of the most useful pieces of information that are shown are: the International Mobile Subscriber Identity number, every contacts name and number, and all SMS messages sent and received both stored and deleted.
+
=== HackingTeam ===
 +
* [https://citizenlab.org/2014/06/backdoor-hacking-teams-tradecraft-android-implant/ Police Story: Hacking Team’s Government Surveillance Malware], by Morgan Marquis-Boire, John Scott-Railton, Claudio Guarnieri, and Katie Kleemola, June 24, 2014
 +
* [http://www.securelist.com/en/blog/8231/HackingTeam_2_0_The_Story_Goes_Mobile HackingTeam 2.0: The Story Goes Mobile], Kaspersky Lab, June 24, 2014
 +
* [http://reverse.put.as/wp-content/uploads/2014/06/ShakaCon6-FuckYouHackingTeam.pdf Fuck you Hacking Team], by fG! at ShakaCon 2014, June 2014
  
[http://www.simcon.no SIMCon] also comes with two more handy features that are key to an investigation and in a court of law.  The first is [http://www.simcon.no SIMCon]s' feature that allows the printing of a report.  [http://www.simcon.no SIMCon] will format and populate a report with the contents of the users’ choosing.  This can list all the key pieces to an investigation and is an excellent piece of evidence to be used in a court of law.  The second feature is the exportation of the acquired data.  [http://www.simcon.no SIMCon] allows the exportation of all SMS messages and also of all contacts.  When these exported files are opened in a program such as Microsoft Excel the data can be read, sorted, and analyzed in a format of the users design. 
 
  
When SMS messages are exported [http://www.simcon.no SIMCon] automatically adds the following information about every message: file, item, status, service center, message type, number, time stamp, and text.  When the contacts are exported [http://www.simcon.no SIMCon] automatically adds the following information about every contact: file, item, identifier, and number.  For reference a report of an acquired [[SIM card]] is enclosed as well as a document that tells what information is added into an exported file at the end of this document.
+
[[Category:Malware]]
 
+
SIMCon is known to have issues while imaging multiple cards in the same session of the program. These issues include the appearance of random characters in both the contacts list and in the SMS. These complications are outlined in a paper which has been uploaded to the file list amd cam be viewed through this web site.
+
 
+
Currently there is no "data-dump" mode in which one can simply dump data exactly as it is on the card in order to have a more pure investigation of the contents. This has proven to be a major setback up to version 1.1, as the automatic parsing of information from the card sometimes leaves certain details unseen, especially in the content view.
+
 
+
 
+
===Links===
+
* [http://www.simcon.no SIMCon]
+
 
+
* [http://en.wikipedia.org/wiki/Subscriber_Identity_Module Subscriber Identity Module]
+
 
+
* [http://www.simcon.no/ InsideOut Forensics]
+

Revision as of 03:12, 5 July 2014

Malware is a short version of Malicious Software.

Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets to the affected device. It is illegal to knowingly distribute malware.

Virus

A computer program that can automatically copy itself and infect a computer.

Worm

A self-replicating computer program that can automatically infect computers on a network.

Trojan horse

A computer program which appears to perform a certain action, but actually performs many different forms of codes.

Spyware

A computer program that can automatically intercept or take partial control over the user's interaction.

Exploit Kit

A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [1]. Often utilizing a drive-by-download.

Drive-by-download

Any download that happens without a person's knowledge [2].

Rootkit

A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to an operating system.

See Also

External Links

Analysis

Exploit Kit

Rootkit

HackingTeam