From Forensics Wiki

===Applied Cellphone Forensics===

* Defining processes of the acquisition, preservation and analysis of evidence
* Presentation of physical and digital cellular phone evidence in the investigation process
* Evidence regulation and its impacts in the investigation process
* Applications: practical forensic cases related to cellular phones

====Introduction====
Cellular telephones are a ubiquitous consumer device. Over 180 million subscribers are using one of over 500 different cellphones offered in the United States by over 30 different manufacturers, processing voice and data traffic over four carrier networks. Invariably, with so much voice and data traffic being sent from one cellphone to another, many of these phones can provide critical evidentiary data to crime scene investigators. Unfortunately, the forensic acquisition and analysis of these phones is a new process in the computer forensics world. Several reasons exist, but the main ones are the lack of awareness and training in law enforcement agencies. This paper is an effort to address this deficiency.

====Processes of the Acquisition, Preservation, Analysis of Evidence ====
Due to their nature, cell phones are acquired and preserved in the same action. This acquisition and preservation is done with various tools and technologies: cabling systems on one side and software applications on the other. Examples of the cabling systems include Paraben's Cell Seizure Toolkit, Susteen's Law Enforcement Cabling Kit, and the manufacturers' own data cables.

The various software applications include:
* Paraben's Cell Seizure
* Susteen's SecureView
* BITPim
* Nokia's Oxygen PM Forensic Edition
* FloAt's Mobile Agent
* iDEN Media Downloader
* iDEN Phonebook Manager
* SmartMoto
* GSM .XRY
* SuperAgent RSS
* MobilEdit
* Tulp2G
* Access Data's FTK
* Guidance Software's EnCase

SIM card software applications:
* SIM Seizure
* SIMCon
* Tulp2G

Overly simplified... Two open questions: is there a method for determining which application to use based on the phone, and can this be built from a database of knowledge?

Process of cellphone acquisition:
# Take the phone off the network using Faraday technology (a shielded bag or box). A shielded phone keeps searching for a network, which drains the battery faster, hence the next step.
# Connect a power source and ensure at least 50% charge
# Connect the data synchronization cable to the phone
# Launch the software application for acquisition and analysis
# Acquire the phone's image

Process of SIM card acquisition:
# Connect the SIM card to the computer through a compliant card reader
# Launch the software application for acquisition and analysis
# Acquire and analyze the SIM card

Process of cellphone analysis. What are we looking for:
* GSM: IMEI (International Mobile Equipment Identity)
* CDMA: ESN (Electronic Serial Number)
* Short dial numbers
* SMS messages
* Phone settings (language, date/time, tone/volume, etc.)
* Stored audio recordings
* Stored computer files
* Logged incoming calls and dialed numbers
* Stored executable programs
* GPRS, WAP and Internet settings
* Calendar and contacts
* Calls made, received and missed
* Ring tones, games, pictures, videos and other downloaded information
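The two handset identifiers at the top of that checklist are worth sanity-checking and normalising before they go into a report: an IMEI is 15 digits whose last digit is a Luhn check digit, and a CDMA ESN is a 32-bit value that tools print either as 8 hex digits or as 11 decimal digits (3-digit manufacturer code followed by an 8-digit serial). The Python below is an added example, not part of the original wiki page or of any tool listed above; the sample report text and the identifiers in it are constructed for the example.

```python
"""Added example (not from the original wiki page): validate and normalise the
handset identifiers an examiner pulls from a phone or from a tool's report.
The SAMPLE_REPORT text and the identifiers in it are constructed for this example.
"""
import re


def luhn_check_digit(body: str) -> int:
    """Luhn check digit for a digit string that does not yet carry one.
    Walking right to left, every second digit (starting with the rightmost
    digit of the body) is doubled and digit-summed."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def is_valid_imei(imei: str) -> bool:
    """True if the value is 15 digits (separators ignored) with a correct Luhn check digit."""
    digits = re.sub(r"[^0-9]", "", imei)
    return len(digits) == 15 and luhn_check_digit(digits[:14]) == int(digits[14])


def imei_parts(imei: str) -> dict:
    """Split an IMEI into the 8-digit TAC (Type Allocation Code), 6-digit serial and check digit."""
    digits = re.sub(r"[^0-9]", "", imei)
    if not is_valid_imei(digits):
        raise ValueError("not a valid IMEI: %r" % imei)
    return {"tac": digits[:8], "serial": digits[8:14], "check": digits[14]}


def esn_hex_to_decimal(esn_hex: str) -> str:
    """8-hex-digit ESN -> 11-digit decimal form (3-digit manufacturer code + 8-digit serial)."""
    value = int(esn_hex, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("ESN must fit in 32 bits")
    manufacturer, serial = value >> 24, value & 0xFFFFFF
    return "%03d%08d" % (manufacturer, serial)


def esn_decimal_to_hex(esn_dec: str) -> str:
    """11-digit decimal ESN -> 8-hex-digit form, rejecting out-of-range fields."""
    digits = re.sub(r"[^0-9]", "", esn_dec)
    if len(digits) != 11:
        raise ValueError("decimal ESN must be 11 digits")
    manufacturer, serial = int(digits[:3]), int(digits[3:])
    if manufacturer > 0xFF or serial > 0xFFFFFF:
        raise ValueError("ESN field out of range")
    return "%08X" % ((manufacturer << 24) | serial)


def find_imeis(text: str) -> list:
    """Pull every 15-digit run out of free text and keep only those that pass the Luhn check,
    which weeds out serial numbers and other 15-digit values that are not IMEIs."""
    return [m.group(1) for m in re.finditer(r"(?<!\d)(\d{15})(?!\d)", text)
            if is_valid_imei(m.group(1))]


# Constructed sample of the kind of text an acquisition tool's report contains.
SAMPLE_REPORT = """Device: constructed sample handset
IMEI: 490154203237518
Serial: 123456789012345
ESN (hex): 2A3B4C5D
"""

if __name__ == "__main__":
    print("IMEIs in report:", find_imeis(SAMPLE_REPORT))
    print("IMEI parts:", imei_parts("490154203237518"))
    print("ESN 2A3B4C5D in decimal:", esn_hex_to_decimal("2A3B4C5D"))
```

Record both forms of the ESN in the evidence folder, since different tools and carrier records use different ones; the round trip between them is lossless, so a mismatch between a hex value on the handset label and a decimal value in a report is a real discrepancy, not a formatting difference.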

Process of SIM card analysis. What are we looking for:
* Location information
* SMS messages
* Abbreviated dialing numbers
* Last numbers dialed

====Presentation of Physical and Digital Cellular Phone Evidence in the Investigation Process ====
Cellular phone forensic evidence folder organization:
* Analog: screenshots (photographs) of the phone's display
* Digital: reports from the applications
* A Word document binding the information together

====Evidence regulation and its impacts in the investigation process ====

====Applications: practical forensic cases related to cellular phones ====

Mdd

From Forensics Wiki. Latest revision as of 07:38, 27 July 2012.

This tool is deprecated: the tool that this page describes is no longer under active development. Further information might be found on the discussion page.

mdd
Maintainer: ManTech International Corporation
OS: Windows
Genre: Memory Imaging
License: GPL
Website: sourceforge.net/projects/mdd/

mdd, also known as ManTech dd or Memory dd, is a command line program to acquire an image of the memory of a running Windows computer. The program has been included in the Helix incident response tool.


Status

The current version of mdd (mdd_1.3.exe) runs on Windows XP up to SP3 and Windows Vista up to SP2, and may run on other versions.

The driver uses the Physical Memory Object memory imaging method: the kernel driver opens the physical-memory section object (\Device\PhysicalMemory) and returns a handle to it to the user-mode program via an IOCTL on the device file named:

\\.\memdd

Once the handle has been returned, the driver and the associated memdd device are no longer required and can be removed, which is what the mdd utility does. This works because the handle refers to the section object owned by the memory manager rather than to the driver, so it stays valid after the driver is unloaded. The image mdd writes is a raw, dd-style copy of physical memory, which is where the name comes from.

Building from source

  1. Open the x64 Free Build Environment from the WDK (in the Start menu)
  2. Go to the mdd driver directory, e.g. C:\src\mdd\driver\mdd\, and run build
  3. You should now have mdd.sys in C:\src\mdd\driver\mdd\objfre_win7_amd64\amd64

The objfre_win7_amd64 output directory is what the Windows 7 x64 free (release) build environment of the WDK produces; other build environments write to correspondingly named directories.

Signing the driver

  • Make sure the WDK is installed; signtool, which does the signing, ships with it.
  • Get the right cross-certificate file, see Cross-Certificates for Kernel Mode Code Signing
  • If you hold the certificate and the private key as separate files, convert them to a PFX:
    • Set up a secure location for the private key; it should never sit on the corporate network or be left unprotected at any time
openssl pkcs12 -export -out out.pfx -inkey in.key -in in.crt -certfile ca.crt
    • Use a strong password
    • Shred the .key immediately after use
  • Sign the driver by running:
signTool sign /v /ac <crosscertificatefile> /f <pathtopfx> /p <pfx password> /t http://timestamp.verisign.com/scripts/timestamp.dll <driver.sys>

Note that /p places the PFX password on the command line, where it is visible in the process list and in the shell history; run the signing step interactively on the isolated signing machine rather than from a script that embeds the password.

Also see: Digital Signatures for Kernel Modules on Windows

This is the cross-signing route that applied to 64-bit Windows Vista and 7. On Windows 10 and later with Secure Boot enabled, new kernel drivers must be attestation-signed through Microsoft's Hardware Dev Center, and the cross-certificates that the above process relies on have since expired, so a driver signed this way will not load there.

Usage

mdd is run from a command prompt (cmd.exe). The options are:

  • -o filename - the output file for the image; required to actually acquire memory
  • -w - print the license information
  • -v - verbose output

To run mdd, the account you are using must have administrator access to the machine you wish to image; it does not have to be the Administrator account, only a member of the local Administrators group. The program works by installing a service called mdd to load its driver (see the problems below). Loading a driver and registering a service necessarily changes the state of the system being imaged, so record the tool, version and time of acquisition in your notes.

Known Issues

These are the known problems with mdd.

Error 1073

This is a Windows Service Control Manager error (ERROR_SERVICE_EXISTS, "The specified service already exists"). mdd executes by registering itself as a service so that it can load its driver; this does not mean you can run mdd without having administrator access. At the end of a normal execution, the service is deleted. However, mdd can leave the service installed, and this prevents further imaging. This can be caused by the system crashing (or an intentional system crash) during imaging, or by stopping the imaging with control-c.

If this happens, a knowledgeable Windows user will open the Services view in Computer Management, but the mdd service will not be listed there: the service mdd registers is a kernel driver service, and the Services console only shows Win32 services. The same applies to a bare "sc query", which lists only Win32 services unless told otherwise. The service control command line tool, sc.exe, can still query and delete the service by name:

  • Run cmd.exe
  • In cmd.exe, run "sc help" to see the options of the service control command line tool
  • Run "sc query type= driver" (note the space after "type=") to list the currently registered driver services; the list will overflow the default screen buffer of cmd.exe (this is adjustable, but not necessary for our purposes)
  • Run "sc query mdd" and you'll see the mdd service
  • Run "sc delete mdd" and it's gone; mdd can now be run again.
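The usage and the error 1073 recovery above are easy to fold into one acquisition routine: check for a stale mdd service, delete it, run mdd, then size and hash the raw image for the notes. The Python below is an added example, not part of the mdd project or of the original wiki page. It assumes the binary is mdd_1.3.exe at the path in MDD_EXE and that sc.exe prints its usual English "SERVICE_NAME:" and "FAILED 1060" text; the sc.exe outputs used to exercise the parser are constructed samples.

```python
"""Added example (not part of the mdd project or the original wiki page):
run mdd from a wrapper that clears a leftover 'mdd' driver service first
(the cause of error 1073), then records the size and SHA-256 of the image.

Assumptions not stated on the page: the binary is mdd_1.3.exe at MDD_EXE,
and sc.exe prints the usual English SERVICE_NAME / FAILED 1060 text.
"""
import hashlib
import os
import re
import subprocess
import sys

MDD_EXE = r"C:\tools\mdd_1.3.exe"    # assumed location of the mdd binary
SERVICE_NAME = "mdd"                 # service name mdd registers (from the page)
ERROR_SERVICE_EXISTS = 1073          # Win32 error mdd reports when the service was left behind
ERROR_SERVICE_DOES_NOT_EXIST = 1060  # what 'sc query <name>' reports when the service is absent


def service_installed(sc_query_output: str) -> bool:
    """Interpret the text printed by 'sc query mdd'.

    A leftover service prints a block starting 'SERVICE_NAME: mdd'; an absent
    service prints '[SC] ... FAILED 1060:' (ERROR_SERVICE_DOES_NOT_EXIST).
    """
    if re.search(r"FAILED %d\b" % ERROR_SERVICE_DOES_NOT_EXIST, sc_query_output):
        return False
    pattern = r"^\s*SERVICE_NAME:\s*%s\s*$" % re.escape(SERVICE_NAME)
    return re.search(pattern, sc_query_output, re.IGNORECASE | re.MULTILINE) is not None


def query_service() -> bool:
    """Ask the Service Control Manager whether the mdd driver service is still registered."""
    proc = subprocess.run(["sc.exe", "query", SERVICE_NAME],
                          capture_output=True, text=True, check=False)
    return service_installed(proc.stdout + proc.stderr)


def delete_service() -> bool:
    """Equivalent of the manual 'sc delete mdd' step; True when sc.exe reports success."""
    proc = subprocess.run(["sc.exe", "delete", SERVICE_NAME],
                          capture_output=True, text=True, check=False)
    return proc.returncode == 0


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a multi-gigabyte image without reading it into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def describe_image(path: str, expected_ram_bytes: int = None) -> dict:
    """Size and hash of the finished image. A raw image should be the size of
    physical memory, so compare it with the installed RAM noted at the scene."""
    size = os.path.getsize(path)
    info = {"path": path, "bytes": size, "sha256": sha256_file(path)}
    if expected_ram_bytes is not None:
        info["size_matches_ram"] = (size == expected_ram_bytes)
    return info


def acquire(out_path: str, expected_ram_bytes: int = None) -> dict:
    """Run 'mdd -o <out_path>', clearing a stale service first so it cannot fail with 1073."""
    if query_service():
        print("stale mdd service found; deleting it (sc delete mdd)", file=sys.stderr)
        if not delete_service():
            raise RuntimeError("could not delete leftover %s service" % SERVICE_NAME)
    proc = subprocess.run([MDD_EXE, "-o", out_path], check=False)
    if proc.returncode != 0:
        raise RuntimeError("mdd exited with code %d" % proc.returncode)
    return describe_image(out_path, expected_ram_bytes)


if __name__ == "__main__":
    # From an elevated prompt, writing to local or removable storage, not a network share:
    #   python mdd_acquire.py D:\case01\memory.dd [installed_ram_bytes]
    ram = int(sys.argv[2]) if len(sys.argv) > 2 else None
    print(acquire(sys.argv[1], ram))
```

The wrapper parses sc.exe output rather than the Services console for the reason given above: the mdd service is a driver service, and querying it by name is the one thing that works regardless of how the console filters its list.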

Error 1062

Error 1062 is the Service Control Manager error ERROR_SERVICE_NOT_ACTIVE ("The service has not been started"). No further details have been recorded for this issue yet; John Judd will be entering text here.

Can't Use Network Share in Vista

In Vista, even if you are in the Administrators group, you do not necessarily run programs with administrator access because of User Account Control (this is actually a major improvement to the security model of Windows). You can start programs, including cmd.exe, with admin privileges, but in this case that won't help: you will not be able to image to a network share from Vista. There is no known workaround, and the problem may also exist in Windows 7. In practice, write the image to local or directly attached removable storage, hash it there, and copy it to the share afterwards.