Difference between pages "T-Mobile Sidekick II" and "CAINE Live CD"

From ForensicsWiki
(Difference between pages)
(Copying my paper onto the Wiki)
 
 
Line 1: Line 1:
<b>Work In Progress</b>
+
{{Infobox_Software |
 +
  name = CAINE LiveCD |
 +
  maintainer = [[Nanni Bassetti]] |
 +
  os = {{Linux}} |
 +
  genre = {{Live CD}} |
 +
  license = {{GPL}}, others |
 +
  website = [http://www.caine-live.net Caine Live] |
 +
}}
 +
'' ''' Caine' (an acronym for Computer Aided Investigative Environment'''') is a [[distribution Linux | distribution]] [[Live CD | live]] oriented to Computer Forensics ([[computer forensics]]) historically conceived by Giancarlo Giustini, within a project of Digital Forensics '' Interdepartmental Research Center for Security'' (CRIS) of the University of Modena and Reggio Emilia  see [http://www.caine-live.net/page4/history.html Official Site].
 +
Currently the project is maintained by Nanni Bassetti.
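Review bot: the opening sentence's wiki markup is broken: `'' ''' Caine' (an acronym for Computer Aided Investigative Environment'''')` mixes unbalanced italic and bold quotes and will not render as intended. Suggest `'''CAINE''' (an acronym for Computer Aided Investigative Environment) is a [[Live CD|live]] Linux distribution oriented to [[computer forensics]]`, which also removes the doubled "Computer Forensics ([[computer forensics]])". The link target `[[distribution Linux | distribution]]` looks like an Italian word-order slip ("distribuzione Linux") and is unlikely to match an existing page title.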
  
h1. Disclaimer
+
== Features ==
 +
The latest version of Caine is based on the [[Ubuntu Linux]] 12.04 LTS, MATE and LightDM. Compared to its original version, the current version has been modified to meet the standards forensic reliability and safety standards laid down by the [[NIST]] View [Http://www.cftt.nist.gov/Methodology_Overview.htm the methodologies of Nist].
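Review bot: "modified to meet the standards forensic reliability and safety standards laid down by the [[NIST]] View [Http://... the methodologies of Nist]" repeats "standards" and runs the link into the sentence. Suggest "modified to meet the forensic reliability and safety standards laid down by [[NIST]] (see [http://www.cftt.nist.gov/Methodology_Overview.htm the NIST CFTT methodology overview])", with the scheme in lowercase for consistency with the other links on the page.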
  
This paper assumes that the investigator has secured appropriate authorization to intercept or access the files and information contained on or received by the electronic device in question, and that the implementation of any of the techniques and procedures set forth herein is being done under circumstances and restrictions that are in full compliance with The Electronic Communications Privacy Act of 1986 and other potentially applicable federal and state laws. No representation is made or intended that any specific application of the techniques and procedures set forth herein may be lawfully performed in any particular factual circumstance. Each investigator should secure appropriate legal advice with respect to each such application.  
+
Caine includes:
 +
* Caine Interface - a user-friendly interface that brings together a number of well-known forensic tools, many of which are open source;
 +
* Updated and optimized environment to conduct a forensic analysis;
 +
* Report generator semi-automatic, by which the investigator has a document easily editable and exportable with a summary of the activities;
 +
* Adherence to the investigative procedure defined recently by Italian Law 48/2008, [Http://www.parlamento.it/parlam/leggi/08048l.htm Law 48/2008,].
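Review bot: the last bullet names the law twice, `Italian Law 48/2008, [Http://www.parlamento.it/parlam/leggi/08048l.htm Law 48/2008,]`, so it renders as "Law 48/2008, Law 48/2008,." Suggest `* Adherence to the investigative procedure recently defined by Italian [http://www.parlamento.it/parlam/leggi/08048l.htm Law 48/2008].` The first bullet's "Report generator semi-automatic" should read "Semi-automatic report generator".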
  
h1. Introduction
+
In addition, Caine is the first distribution to include forensic Forensics inside the Caja/Nautilus Scripts and all the patches of security for not to alter the devices in analysis.
  
This document is meant to familiarize investigators with the Danger Hiptop 2, known also as the T-Mobile Sidekick II (Sidekick herein).  The procedures and tools presented here are by no means exhaustive of the technology surrounding the Sidekick, but are intended to elicit design of custom tools to gather forensic data from the device.  All testing done for this paper were conducted using an original T-Mobile Sidekick II device along with a T-Mobile To-Go account.  Since T-Mobile's Sidekick service includes Internet access to the data on your device, it is important to cover what can and can't be gathered with an account's password.
+
The distro uses several patches specifically constructed to make the system "forensic", ie not alter the original device to be tested and / or duplicate:
 +
* Root file system spoofing: patch that prevents tampering with the source device;
 +
* No automatic recovery corrupted Journal patch: patch that prevents tampering with the device source, through the recovery of the [[Journal]];
 +
* Mounter and RBFstab: mounting devices in a simple and via graphical interface.
  
h1. Relevance of Sidekick Forensics
+
[[RBFstab]] is set to treat [[EXT3]] as a [[EXT4]]'' noload with the option'' to avoid automatic recovery of any corrupt Journal of '[[EXT3]];
 +
* Swap file off: patch that avoids modifying the file [[swap]] in systems with limited memory [[RAM]], avoiding the alteration of the original artifact computer and overwrite data useful for the purposes of investigation.
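Review bot: the RBFstab line has lost its `*` list marker and misplaces the italics: `[[RBFstab]] is set to treat [[EXT3]] as a [[EXT4]]'' noload with the option''`. Suggest `* [[RBFstab]] mounts [[EXT3]] as [[EXT4]] with the ''noload'' option, so a corrupt [[EXT3]] journal is never replayed automatically;`. As written, the key point, that `noload` rather than `ro` alone is what stops journal replay from writing to the evidence disk, is hard to recover. In the next bullet, "avoids modifying the file [[swap]] in systems with limited memory [[RAM]]" reads better as "avoids writing to the [[swap]] file on systems with limited [[RAM]]".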
  
Like other devices in the smartphone category, the T-Mobile Sidekick contains personal information such as calendars and contacts. Similar to RIM's Blackberry, the Sidekick does not require desktop synchronization to get any new data from the device.  Instead, all data is synchronized over the air with T-Mobile and Danger's servers.  This was best explained by Michael Burnette in his examination of the Blackberry in June of 2002.
+
Caine and Open Source == ==
 +
Patches and technical solutions are and have been all made in collaboration with people (Professionals, hobbyists, experts,
 +
etc..) from all over the world. <br />
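Review bot: `Caine and Open Source == ==` is not a heading; the equals signs must enclose the title, `== Caine and Open Source ==`. The same slip appears later in `Reporting semiautomatic == ==` and `The Project Caine == ==`. Also `etc..` has a doubled period, and the trailing `<br />` after a paragraph is unnecessary in wikitext.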
  
bq. The more time a PDA spends with its owner, the greater the chance is that it will more accurately reflect and tell a story about that person. Thus, the ... unsurpassed portability is the examiner’s greatest ally.
+
CAINE represents fully the spirit of the Open Source philosophy, because the project is completely open, anyone could
 +
take the legacy of the previous developer or project manager. <br />
  
h1. The Hardware
+
The distro is open source, the Windows side (Nirlauncher/Wintaylor) is open source and, last one but not least important, the distro is installable, so as to give the possibility to rebuild in a new version, in order to give a long life to this project.
  
The Sidekick comes in two versions: PV-100 and PV-108.  The PV-100 model is a GSM 900/1800/1900 device.  The PV-108 model has GSM 850 rather than GSM 900.  Both versions of the Sidekick 16 MB of of built-in Flash shared memory as well as 32 MB of RAM.  The Flash memory is for storage of photos, applications, ringtones and other types of personal data while the RAM is management of open applications similar to a PC.  A VGA camera with flash is also built-in to the device.
+
== Caine Interface ==
 +
Caine Interface - a user-friendly interface that brings together a number of well-known forensic tools. <Br/>
  
The Sidekick has a QWERTY keyboard underneath the TFT screen for easy e-mail and SMS messaging.  To expose the keyboard, the screen needs to be rotated upward.  
+
Environment updated and optimized for digital investigations. <br />
  
h1. Tools Used
+
Report Semi-automatic - the final production of a complete document and easily editable exported by the investigator.
 +
Maximum adherence to the Italian investigative procedure. <br />
  
To test methods presented in this paper, the following tools were used on a Windows XP machine running Service Pack 2.
+
The first distribution to include forensic inside the Caja Forensics / Nautilus/Caja Scripts and all security patches, not to alter the devices in the analysis. <br />
  
* Danger Developer SDK free at http://danger.developer.com
+
The basic interface of the distribution called Caine Interface, was performed using the known GTK2-Perl wrapper that implements the Perl language instruction set and commands made available from the Gtk + toolkit.
* Hex editor
+
* Text editor
+
* USB Sim Card Reader
+
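Review bot: "the known GTK2-Perl wrapper that implements the Perl language instruction set and commands made available from the Gtk + toolkit" inverts the relationship: GTK2-Perl is a set of Perl bindings that exposes the Gtk+ toolkit to Perl programs, not an implementation of Perl. Suggest "The basic interface of the distribution, called Caine Interface, was written in Perl using the well-known GTK2-Perl bindings to the Gtk+ toolkit." "was performed" should also be "was written" or "was built".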
  
h1. Acquisition
+
Caine Interface allows you not only to select the various forensic software, it automatically generates the final report, due to the modules offered by Perl Template Toolkit, and DocBook.
  
From my research, I have discovered that the T-Mobile sidekick device is incapable of having forensic data extracted.  According to Danger, the USB port found on the device is a _dumb_ terminal: it can only transfer files to the device, but not retrieve any data from the device.  Attempts at connecting to the device via Windows XP and Mac OS X were unsuccessful.
+
Inside contains the following software.
  
Danger's reasoning for not allowing the extraction of data from the device is to protect their intellectual property.  The Sidekick has a proprietary file system and operating system that the company is not interested in allowing to be exposed more than it already is.  To get data from the device, Danger's attornies suggested submiting a subpoena to their legal office.  They could not offer a definite turnaround time on the receipt of the data in an investigator's hand.
+
, Acquisition
 +
* Grissom Analyzer (mmls, img_stat, fsstat)
 +
* LRRP
 +
* AIR
 +
* Guymager
 +
* Terminal with saving the output
 +
* DC3DD
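Review bot: `, Acquisition` has a stray comma where a definition-list term marker was intended; `; Acquisition` matches the `; Analysis` marker used for the next list. "Inside contains the following software." should be "It contains the following software." and "Terminal with saving the output" reads better as "Terminal with output logging".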
  
h1. Evidence Collection
+
; Analysis
 +
* Autopsy
 +
* [[The SleuthKit]]
 +
* [[Selective file dumper | Sfdumper 2.2]]
 +
* Fundl 2.0
 +
* Scalpel
 +
* Foremost
 +
* Stegdetect
 +
* Ophcrack
 +
* Nautilus scripts
 +
* And many others
  
_Extended System Information_
+
Reporting semiautomatic == ==
  
Even though transferring data from the device to a third party computer doesn't seem to be possible, an investigator can still get useful information from the device itself. The system information contains the user's login name for the Danger servers and the phone number. With the login name, an investigator can subpoena the data from Danger's servers.  Basic system information can be accessed via the following key sequence:
+
Every contribution in the form of output and local report for each program involved in an investigation is saved in a report file, easily manageable by the investigator. The generation of the final report is done through the creation of temporary log file, that is to contain the output products for implementing the programs used by the investigator. <br />
 +
The generation process is achieved through the use of Perl, bash scripts, variables Perl Template Toolkit and the DocBook file that acts as a container to the final report. <br />
  
bq. Jump -> Menu -> Settings -> System Info
+
All set within the Perl program.
  
One feature that can be accessed is extended system info.  This shows the following information:
+
The Project Caine == ==
  
* hiptop OS (firmware) build number, build date & time
+
The project was initially inserted into the priorities of the CRIS (Centre for Research Interdepartmental Security) <ref> Research Centre Interpardimentale Security - University of Modena [http://cris.unimore.it/cris/node/54 site] </ ref>, in this way the distribution has benefited from essential contributions on the technical computing, together to the latest "best practices" legal investigation digital  see [http://www.di.unisa.it/~ads/ads/Sicurezza_files/tesina%20pisano%20marzaioli.pdf Security University of Salerno] see [http://www.forwardedge2.com/pdf/bestpractices.pdf U.S. Secret Service document] see [http://ncfs.org/craiger.forensics.methods.procedures.final.pdf CraigeR's Draft].
* Long-format Radio Firmware version (v0.4.1 becomes 5.041.6)
+
* 'Dress Barn (unknown)'
+
* Recovery ROM filename and write-date & time
+
* System Library build number, build date & time
+
* 'Partner ID 101'
+
* build number, build date & time of all installed applications.
+
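Review bot: `</ ref>` (with a space) is not a valid closing tag, so the `<ref>` opened in this line stays unclosed and MediaWiki will either pull the rest of the paragraph into the footnote or emit a cite error; write `</ref>`. "Interpardimentale" is a typo for "Interdipartimentale", and the three dangling "see [...]" clauses at the end of the sentence would read better as separate references inside their own `<ref>` tags.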
  
It's unclear what the 'Dress Barn (unknown)' and 'Partner ID 101' information details, but it doesn't seem to be relevant for a forensic analysis of the device.
+
The project Caine was also the subject of a scientific paper accepted and published inside the first Workshop on Computer & Network Forensics held in Milan September 10th 2008 - [http://conferenze.dei.polimi.it/ossconf/schedule.php OSSCoNF].
  
To get to the extended system info, enter this key sequence:
+
In followed all close collaboration with Denis Frati (spilled by the project at end 2009) and Nanni Bassetti, prominent figures in the panorama of Italian Digital Forensics, allowed a constant improvement of investigative standards proposed. The work carried out together with the staff ConoscereLinux allowed to enter Caine within the Italian community of programmers of open-source software.
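Review bot: "Denis Frati (spilled by the project at end 2009)" is a mistranslation; "who left the project at the end of 2009" is the intended meaning. "In followed all close collaboration with ... allowed" should read "Subsequently, close collaboration with ... allowed", and "the staff ConoscereLinux" should be "the ConoscereLinux staff".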
  
bq. Jump -> Menu -> Settings -> System Info -> Menu + M
+
Caine is very much the spirit of Open Source OSSConf 2008 Open Source Day 2012, precisely because the various inputs planning and operational were provided by so many employees scattered across the globe, using only the network to communicate and many have our utmost to provide hosting, mirror and suggestions, scripts and everything that can serve to improve the project, then a full and free.
  
_System Log_
+
Currently the project manager and a team of international figures treat the project Caine since the 1.0 release to date that has arrived at version 4.0 (18-March-2013) and achieving praise from law enforcements of several foreign nations.
  
An important, but removed feature, in later versions of the Sidekick is the ability to view the syslog.  This only works with firmware versions prior to 2.3. The functionality was removed because a bug was found that allowed someone to get past the three digit security lock the device may have had enabled. The log contained information on data transmitted to and from the Danger servers.
+
24/11/2012 The Caine 3.0 was presented at '[http://www.opensourceday.org/2012/?mid=20 Opens Source Day 2012] at the University of Udine.
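Review bot: there is a stray `'` before the link in `'[http://www.opensourceday.org/2012/?mid=20 Opens Source Day 2012]`, and "Opens Source Day" should be "Open Source Day" (the same typo appears in the external links list).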
  
The syslog can be accessed by entering this key sequence. 
+
== Notes ==
 +
<references />
  
bq. Jump -> Menu -> Settings -> System Info -> Menu + Shift + S
+
== Bibliography ==
 +
* Andrea Ghirardini, Gabriele Faggioli, ''Computer Forensics'', Apogeo, 2009, ISBN 9788850328161
 +
* E. Huebner, S. Zanero, ''Open Source Software for Digital Forensics'', Springer, 2010, ISBN 978-1-4419-5802-0
 +
* Diane Barrett, Greg Kipper, ''Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environment'', Syngress, 2010, ISBN 978-1-59749-557-8
 +
* Sean Philip Oriyano and Michael Gregg, ''Hacker Techniques, Tools, And Incident Handling'', Jones and Bartlett Learning, 2011, ISBN 978-0-7637-9183-4
 +
* Michael Jang, ''Security Strategies in Linux Platforms and Applications'', Jones and Bartlett Learning, 2011, ISBN 978-0-7637-9189-6
  
_Network Status_
+
== Collegamenti esterni ==
 +
*[http://www.careeracademy.com/browseproducts/CHFI-Training-CBT-Boot-Camp--EC-Council-Computer-Hacking-Forensic-Investigator.HTML Presente nel training CHFI Ec-Council] International certificatione
 +
*[http://link.springer.com/chapter/10.1007/978-1-4419-5803-7_5 Open Source Live Distributions for Computer Forensics- by Springer]<br />
 +
*[http://conferenze.dei.polimi.it/ossconf/schedule.php OSSConf 2008]<br />
 +
*[http://books.google.it/books?id=jQVgWaF3pJwC&pg=PT304&lpg=PT304&dq=Andrea+Ghirardini;+Gabriele+Faggioli,+Computer+Forensics+caine&source=bl&ots=mf8-Def6uF&sig=88ydFgTv05M2Q45B4FSvwqhBXKk&hl=it&sa=X&ei=W2voUOD3Lcrk4QSVlIDoDQ&ved=0CEMQ6AEwAQ Google books]<br />
 +
*[http://www.amazon.com/Virtualization-Forensics-Forensic-Investigators-Environments/dp/1597495573Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environment]<br />
 +
*[http://www.linux-magazin.de/Ausgaben/2010/12/Italienische-Aufklaerung Linux-Mazin.de]<br />
 +
*[http://www.linux-magazine.com/Issues/2011/122/Caine Linux-Magazine.com]<br />
 +
*[http://www.opensourceday.org/2012/?mid=20 Opens Source Day 2012]<br />
 +
*[http://searchsecurity.techtarget.it/articoli/0,1254,18_ART_103282,00.html TechTarget.it]<br />
 +
*[http://programmazione.it/index.php?entity=eitem&idItem=41687 Programmazione.it]<br />
 +
*[http://www.linuxtoday.com/upload/caine-3.0-review-121009195504.html Linuxtoday.com]<br />
 +
*[http://www.linuxtoday.com/infrastructure/2010122801535SCSW Linuxtoday.com 2]<br />
 +
*[http://news.softpedia.com/news/CAINE-3-0-a-Tool-for-Digital-Forensics-297461.shtml Softpedia]<br />
 +
*[http://hackingzones.in/?p=2726 hackingzone.in]<br />
 +
*[http://www.gustavopimentel.com.ar/ gustavopimental.com.ar]<br />
 +
*[http://www.concise-courses.com/security/top-ten-distros/# concise-courses.com]<br />
 +
*[http://www.e-linux.it/news_detail/caine-15 e-linux.it]<br />
 +
*[http://www.ilsoftware.it/articoli.asp?tag=CAINE-progetto-italiano-per-la-computer-forensics_5656 ilsoftware.it]<br />
 +
*[http://www.dragonjar.org/distribucion-live-cd-analisis-forense.xhtml dragonjar.org]<br />
 +
*[http://www.nannibassetti.com/dblog/articolo.asp?articolo=156 Attestato Marenostrum V.F.F.]<br />
 +
*[http://www.linuxformat.com/archives?issue=151 LinuxFormat] <br />
 +
*[http://www.techrepublic.com/blog/10things/10-obscure-linux-distributions-and-why-you-should-know-about-them/2334 TechRepublic]<br />
 +
*[http://www.forensicswiki.org/wiki/CAINE_Live_CD ForensicsWiki]<br />
 +
* [http://www.caine-live.net Sito ufficiale]
 +
* [http://cris.unimore.it/cris/node/54 Sito del CRIS] dedicato a Caine
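Review bot: the section title `Collegamenti esterni` is Italian; on this English wiki it should be `== External links ==`, as should the last two items ("Sito ufficiale" = Official site, "Sito del CRIS dedicato a Caine" = CRIS page on Caine). In the Amazon entry the URL runs straight into the link text, `...dp/1597495573Virtualization and Forensics...`, with no separating space, so the title becomes part of the URL. "Linux-Mazin.de" is a typo for Linux-Magazin.de, "certificatione" for certification, and the list mixes `*[` and `* [` spacing.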
  
The basic network status panel gives the following information:
+
{{Linux}}
 
+
* Service status (connected or not)
+
* Connection time
+
* Signal strength
+
* GSM Registration
+
* GPRS status
+
* Radio version
+
 
+
This can be accessed via following key sequence:
+
 
+
bq. Jump -> Network Status
+
 
+
Like the System Info screen, network status has an extended information feature as well.  It can similarly be accessed by keying +Jump + M_ while still in the network status screen.  The extended network status gives the following relevant information:
+
 
+
* IP Address
+
* Packets Transmitted
+
* Packets Received
+
* Bytes Trans
+
* Bytes Received
+
* Current Cell Tower
+
* Bit Error Rate
+
 
+
_Battery Status_
+
 
+
Battery status can be accessed via the following command: 
+
 
+
bq. Jump -> Menu -> Settings -> Battery & Display
+
 
+
_Resetting_
+
 
+
To perform a soft reset of the device, the following key command is used:
+
 
+
bq. @ + 1 + 0
+
 
+
Be advised that there is no confirmation dialog. If you press this combination, the device will reset immediately.  It's unknown what sort of file system cleanup is performed when performing a soft reset.  Danger was not cooperative in answering such questions.
+
 
+
h1. Sim Card Analysis
+
 
+
The only feasible way to extract data from a T-Mobile sidekick is via the SIM Card.  While there doesn't seem to be a way to export contacts from the Sidekick on to the SIM Card, the device can import contacts from a SIM Card.    The main purpose of the card for a device like the Sidekick is network authorization.  Unless data is specifically added to the card, all data is stored on the Danger servers. 
+
 
+
The SIM card's stored SMS messages are also displayed on the device by default.  It's unknown at this time if those messages are then transferred to the Danger servers. 
+
 
+
SIM Card analysis was done using SIMCon. 
+
 
+
h1. Conclusions & Future Research
+
 
+
This paper has presented a starting point for the analysis of forensic data of a T-Mobile Sidekick device.  Because of a lack of an active T-Mobile Sidekick account, I was incapable of performing any sort of analysis or research on the backend servers provided by T-Mobile and Danger.  The main focus of this paper was trying to gather information from the Sidekick device itself.  In short, there isn't much.
+
 
+
Until Danger develops drivers and becomes willing to provide information on the file system and other information surrounding the Sidekick, creating software to extract data from a device will be almost impossible. 
+
 
+
h1. Selected Bibliography
+
 
+
This paper compiles information and/or concepts presented in the following works:
+
 
+
1. Wikipedia: http://en.wikipedia.org/wiki/T-Mobile_Sidekick
+

Revision as of 07:05, 3 May 2013

CAINE LiveCD
Maintainer: Nanni Bassetti
OS: Linux
Genre: Live CD
License: GPL, others
Website: Caine Live

CAINE (an acronym for Computer Aided Investigative Environment) is a live Linux distribution oriented to computer forensics. It was originally conceived by Giancarlo Giustini within a digital forensics project of the Interdepartmental Research Center for Security (CRIS) of the University of Modena and Reggio Emilia (see the Official Site). Currently the project is maintained by Nanni Bassetti.

Features

The latest version of Caine is based on Ubuntu Linux 12.04 LTS, with the MATE desktop and LightDM. Compared to its original version, the current version has been modified to meet the forensic reliability and safety standards laid down by NIST (see the NIST CFTT methodology overview).

Caine includes:

  • Caine Interface: a user-friendly interface that brings together a number of well-known forensic tools, many of which are open source;
  • an updated and optimized environment for conducting a forensic analysis;
  • a semi-automatic report generator, which gives the investigator an easily editable and exportable document summarizing the activities performed;
  • adherence to the investigative procedure recently defined by Italian Law 48/2008.

In addition, Caine is the first distribution to include forensic scripts in the Caja/Nautilus file manager (Nautilus Scripts) together with all the security patches needed to avoid altering the devices under analysis.

The distro uses several patches specifically constructed to make the system "forensic", i.e. to avoid altering the original device being examined and/or duplicated:

  • Root file system spoofing: a patch that prevents tampering with the source device;
  • No automatic recovery of a corrupted journal: a patch that prevents tampering with the source device through journal recovery;
  • Mounter and RBFstab: mounting of devices, simply and via a graphical interface. RBFstab is set to mount EXT3 as EXT4 with the noload option, so that a corrupt EXT3 journal is never replayed automatically;
  • Swap file off: a patch that avoids writing to the swap file on systems with limited RAM, so that the original artifact is not altered and data useful to the investigation is not overwritten.
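As an added example (not part of the CAINE page or of the CAINE project's own code), the following POSIX shell script makes the two properties these patches protect checkable on any live system: it builds the mount invocation RBFstab is described as producing (EXT3 driven by the EXT4 driver with noload, plus ro), and it audits /proc/mounts-style records to confirm that an evidence filesystem really is mounted read-only with journal loading disabled. The noexec, nodev and nosuid options, the device names and the mount points are assumptions for illustration; the /proc/mounts lines are constructed, not captured from a real system.

```sh
#!/bin/sh
# Added example, not CAINE's own code. Options beyond ro/noload
# (noexec,nodev,nosuid) are assumptions; devices and paths are made up.

# forensic_mount_cmd DEVICE MOUNTPOINT FSTYPE
# Echo the mount command a forensic mounter would run for DEVICE.
# ext3 is handed to the ext4 driver so that 'noload' applies: 'ro' alone
# still lets the kernel replay a dirty journal onto the evidence, while
# 'noload' skips loading the journal altogether.
forensic_mount_cmd() {
    dev="$1"; mnt="$2"; fstype="$3"
    case "$fstype" in
        ext3|ext4)
            echo "mount -t ext4 -o ro,noload,noexec,nodev,nosuid $dev $mnt" ;;
        *)
            echo "mount -t $fstype -o ro,noexec,nodev,nosuid $dev $mnt" ;;
    esac
}

# check_evidence_mount DEVICE MOUNTS_TEXT
# MOUNTS_TEXT is in /proc/mounts format: device mountpoint fstype options dump pass.
# Returns 0 if DEVICE is mounted read-only and, for ext3/ext4, with noload;
# 1 if a protective option is missing; 2 if DEVICE is not mounted at all.
check_evidence_mount() {
    dev="$1"; mounts="$2"
    line=$(printf '%s\n' "$mounts" | awk -v d="$dev" '$1 == d { print; exit }')
    if [ -z "$line" ]; then
        echo "$dev: not mounted"
        return 2
    fi
    fstype=$(printf '%s\n' "$line" | awk '{ print $3 }')
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    status=0
    # Surround the option list with commas so ",ro," cannot match inside
    # another option such as "errors=remount-ro".
    case ",$opts," in
        *,ro,*) ;;
        *) echo "$dev: mounted read-write"; status=1 ;;
    esac
    case "$fstype" in
        ext3|ext4)
            case ",$opts," in
                *,noload,*) ;;
                *) echo "$dev: $fstype journal may be replayed (missing noload)"; status=1 ;;
            esac ;;
    esac
    [ "$status" -eq 0 ] && echo "$dev: OK ($fstype, $opts)"
    return "$status"
}

# Constructed /proc/mounts sample: one system disk and three evidence mounts.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /media/evidence1 ext4 ro,noload,noexec,nodev,nosuid 0 0
/dev/sdc1 /media/evidence2 ext3 ro,relatime 0 0
/dev/sdd1 /media/evidence3 ext4 rw,noload 0 0'

forensic_mount_cmd /dev/sdb1 /media/evidence1 ext3
for dev in /dev/sdb1 /dev/sdc1 /dev/sdd1 /dev/sde1; do
    check_evidence_mount "$dev" "$SAMPLE_MOUNTS" || :
done
```

On a real system the second argument would be `"$(cat /proc/mounts)"`; only /dev/sdb1 in the sample passes, while /dev/sdc1 shows the case the page warns about, a read-only mount whose journal can still be replayed because noload is absent.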

Caine and Open Source

Patches and technical solutions are, and have always been, developed in collaboration with people (professionals, hobbyists, experts, etc.) from all over the world.

CAINE fully represents the spirit of the Open Source philosophy: because the project is completely open, anyone can take up the legacy of the previous developer or project manager.

The distro is open source, the Windows side (Nirlauncher/Wintaylor) is open source and, last but not least, the distro is installable, so that it can be rebuilt into a new version, giving the project a long life.

Caine Interface

Caine Interface: a user-friendly interface that brings together a number of well-known forensic tools.

An environment updated and optimized for digital investigations.

Semi-automatic reporting: the final production of a complete, easily editable document exported by the investigator. Maximum adherence to the Italian investigative procedure.

The first distribution to include forensic scripts in the Nautilus/Caja file manager scripts, together with all the security patches needed to avoid altering the devices under analysis.

The basic interface of the distribution, called Caine Interface, was written in Perl using the well-known GTK2-Perl bindings, which make the widgets and functions of the Gtk+ toolkit available from the Perl language.

Caine Interface not only lets you select the various forensic programs; it also automatically generates the final report, thanks to the modules offered by the Perl Template Toolkit and DocBook.

It contains the following software.

Acquisition

  • Grissom Analyzer (mmls, img_stat, fsstat)
  • LRRP
  • AIR
  • Guymager
  • Terminal with saving the output
  • DC3DD
Analysis

Semi-automatic reporting

Every contribution, in the form of the output and local report of each program involved in an investigation, is saved to a report file that the investigator can easily manage. The final report is generated by creating a temporary log file that collects the output produced by running the programs the investigator used.
The generation process uses Perl, bash scripts, Perl Template Toolkit variables and a DocBook file that acts as the container for the final report.

All of this is set up within the Perl program.

The Project Caine

The project was initially included among the priorities of the CRIS (Interdepartmental Research Centre for Security) [1]; in this way the distribution has benefited from essential contributions on the technical computing side, together with the latest legal "best practices" for digital investigation (see Security, University of Salerno; the U.S. Secret Service document; CraigeR's Draft).

The Caine project was also the subject of a scientific paper accepted and published at the first Workshop on Computer & Network Forensics, held in Milan on September 10th, 2008 (OSSCoNF).

Subsequently, close collaboration with Denis Frati (who left the project at the end of 2009) and Nanni Bassetti, prominent figures in Italian digital forensics, allowed constant improvement of the investigative standards proposed. The work carried out together with the ConoscereLinux staff brought Caine into the Italian community of open-source software programmers.

Caine very much embodies the spirit of Open Source (OSSConf 2008, Open Source Day 2012), precisely because its planning and operational input came from many contributors scattered across the globe, communicating only over the network, and many have done their utmost to provide hosting, mirrors, suggestions, scripts and anything else that can serve to improve the project, keeping it complete and free.

Currently the project manager and a team of international contributors have looked after the Caine project from the 1.0 release to date, reaching version 4.0 (18 March 2013) and earning praise from the law enforcement agencies of several foreign nations.

24/11/2012: Caine 3.0 was presented at Open Source Day 2012 at the University of Udine.

Notes

1. Interdepartmental Research Centre for Security (CRIS), University of Modena: http://cris.unimore.it/cris/node/54

Bibliography

  • Andrea Ghirardini, Gabriele Faggioli, Computer Forensics, Apogeo, 2009, ISBN 9788850328161
  • E. Huebner, S. Zanero, Open Source Software for Digital Forensics, Springer, 2010, ISBN 978-1-4419-5802-0
  • Diane Barrett, Greg Kipper, Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environment, Syngress, 2010, ISBN 978-1-59749-557-8
  • Sean Philip Oriyano and Michael Gregg, Hacker Techniques, Tools, And Incident Handling, Jones and Bartlett Learning, 2011, ISBN 978-0-7637-9183-4
  • Michael Jang, Security Strategies in Linux Platforms and Applications, Jones and Bartlett Learning, 2011, ISBN 978-0-7637-9189-6

External links