Difference between pages "Deception indicators" and "JTAG and Chip-Off Tools and Equipment"

From ForensicsWiki
 
Deception indicators

The following indicators may indicate that the user of a computer system is trying to hide their presence, implicate another individual, convey erroneous information, or otherwise attempt to deceive a forensic analysis or tool.

Unfortunately, many of the deception indicators are also indicators of good security practice.

==File System Indicators==
* Files having the wrong extension (e.g. file.jpg instead of file.doc).
* Very large files (may indicate use of cryptographic file systems, virtual machines, etc.)
* Virtual Machine Players (VMWare, VirtualBox, Parallels)
* TrueCrypt or RealCrypt
* PGP files or Volumes
* PointSec
* Encrypted email
* Date or time wrong
* Repeating data over the drive
* Truncated history files
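The wrong-extension indicator above can be checked mechanically by comparing a file's leading bytes with the signature its extension implies. The following is an added example, not part of the original wiki page; the `MAGIC` signature subset, the `identify`/`extension_mismatch`/`scan` names and the sample files are all constructed here.

```python
import os

# Leading-byte signatures keyed by the extension a file claims.  Constructed
# subset for illustration; a real scanner would use a full database (libmagic).
MAGIC = {
    ".jpg":  (b"\xff\xd8\xff",),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".gif":  (b"GIF87a", b"GIF89a"),
    ".pdf":  (b"%PDF-",),
    ".doc":  (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),   # OLE2 compound document
    ".docx": (b"PK\x03\x04",),                        # ZIP container
    ".zip":  (b"PK\x03\x04",),
}

def identify(header):
    """Return the set of extensions whose signature matches the header bytes."""
    return {ext for ext, sigs in MAGIC.items()
            if any(header.startswith(sig) for sig in sigs)}

def extension_mismatch(name, header):
    """True when the claimed extension has a known signature that the content fails.

    Extensions absent from MAGIC give False: with no signature to compare
    against there is no evidence either way.
    """
    ext = os.path.splitext(name)[1].lower()
    return ext in MAGIC and ext not in identify(header)

def scan(entries):
    """entries: iterable of (name, header_bytes).  Returns the names whose
    extension does not match their content, for the examiner to review."""
    return [name for name, header in entries if extension_mismatch(name, header)]

# Constructed sample "files": a name and the first bytes of its content.
SAMPLE_FILES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),         # genuine JPEG
    ("report.jpg",  b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00"), # OLE2 .doc renamed .jpg
    ("notes.txt",   b"plain text, no signature"),                 # unknown ext: skipped
    ("archive.zip", b"PK\x03\x04\x14\x00\x00\x00"),               # genuine ZIP
    ("photo.png",   b"GIF89a\x01\x00"),                           # GIF posing as PNG
]

if __name__ == "__main__":
    for name, header in SAMPLE_FILES:
        if extension_mismatch(name, header):
            print(f"{name}: content looks like {sorted(identify(header)) or 'unknown'}")
```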
  
==Log File Indicators==
Log files that are:
* Missing
* Truncated
* With time gaps
* With one or more incomplete lines, or other lines that start midway (happens if the attacker removes the last 4K of a file without respect to line boundaries)
* Inconsistencies (e.g. email that is forwarded without being received.)
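The missing, truncated, time-gap and mid-line indicators above can be tested for automatically. The following is an added example, not from the original wiki page, that runs those checks over constructed syslog-style lines; `check_log`, its one-hour gap threshold and the sample logs are assumptions made here.

```python
import re
from datetime import datetime, timedelta

# syslog-style prefix such as "Apr 18 12:00:01 "; the year is not recorded,
# so the caller supplies it.
TS_RE = re.compile(r"^(\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")

def check_log(text, year=2014, max_gap=timedelta(hours=1)):
    """Return (indicator, detail) tuples for one log file body.

    'missing' = empty file, 'truncated' = final line lacks its newline,
    'midline' = a line that does not begin with a timestamp (starts partway
    through a record), 'time_gap' = silence longer than max_gap,
    'time_reversal' = a record older than the one before it.
    """
    if not text:
        return [("missing", "log body is empty")]
    findings = []
    if not text.endswith("\n"):
        findings.append(("truncated", "last line has no newline terminator"))
    lines = text.split("\n")
    if lines[-1] == "":              # drop the empty tail a final newline creates
        lines.pop()
    prev = None
    for n, line in enumerate(lines, 1):
        m = TS_RE.match(line)
        if not m:
            findings.append(("midline", f"line {n} does not start with a timestamp"))
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if prev is not None and ts < prev:
            findings.append(("time_reversal", f"line {n} is earlier than line {n - 1}"))
        elif prev is not None and ts - prev > max_gap:
            findings.append(("time_gap", f"{ts - prev} of silence before line {n}"))
        prev = ts
    return findings

# Constructed sample logs (not captured from any real system).
TAIL_CUT_LOG = (
    "Apr 18 12:00:01 host sshd[101]: Accepted publickey for alice\n"
    "Apr 18 12:00:05 host sshd[101]: session opened for alice\n"
    "Apr 18 14:30:00 host cron[220]: job started\n"     # 2.5 h of silence
    "Apr 18 14:30:07 host sshd[310]: session clo"       # cut mid-record, no newline
)
HEAD_CUT_LOG = "ion opened for bob\nApr 18 09:00:00 host cron[1]: job started\n"
CLEAN_LOG = "\n".join(TAIL_CUT_LOG.split("\n")[:2]) + "\n"   # first two records only
```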

==Network Communications==
* Presence or use of VPN software.
* Use of anonymity websites, such as:
** anonymizer.com
** hidemyass.com
** Open Proxy Servers (got a list?)
* hushmail.com
* Setting a proxy server
* ssh
  
  
==Redaction Indicators==
* Evidence Eliminator
* ccleaner
* list of Drive Cleaner tools; searches for drive cleaning software

Revision as of 12:30, 18 April 2014

The following list contains equipment used for performing JTAG and chip-off analysis. Equipment used for both procedures is noted as such, to avoid overlap and duplication. The URLs provided are for reference only; other vendors and suppliers exist for this equipment, so search the Internet for competitive vendors.

Note: This equipment is not a definitive list and substitutions can be made for equivalent tools and equipment.

JTAG and Chip-Off Equipment List

{| class="wikitable"
! align="left"| Item
! Info
! Estimated Cost (CAD)
|-
|Carton SPZT-50PG Microscope (optional: w/trinocular)
|http://valleymicroscope.com/shop/spz-50pg/
|$1200
|-
|Xytronic 988D Solder Rework Station
|http://www.howardelectronics.com/xytronic/988d.html
|$300
|-
|Weller WES51 Solder Station
|sourced locally (Electronics shop)
|$100
|-
|Xytronic LF-852D Hot Air Station
|http://www.howardelectronics.com/xytronic/LF-852D.html
|$225
|-
|HP Agilent U8002A Variable Power Supply
|http://www.home.agilent.com/agilent/product.jspx?pn=u8002a&cc=CA&lc=eng
|$400
|-
|Magnifying Desk Lamp
|http://www.amazon.com/Ultra-Efficient-LED-Magnifier-Lamp-Adjustable/dp/B001064VTE
|$100
|-
|Circuit board holder
|http://www.ibreakityoufixit.com/shop/mounting-kit
|$13
|-
|Chip Epoxy Glue Remover
|http://www.ebay.com/itm/BGA-IC-30ml-IC-BGA-CPU-Chip-Epoxy-Glue-Remover-Adhesive-Solution-Solvent-Liquid-/321012736931?pt=Digital_Camera_Accessories&hash=item4abdd9a3a3
|$10
|-
|0.040 gauge transformer winding wire
|sourced locally (Electronics shop)
|$15
|-
|Kester 44 rosin flux solder
|sourced locally (Electronics shop)
|$50
|-
|Xcelite Hobby Knives
|sourced locally (Electronics shop)
|$15
|-
|Terra Dexterity PVC foam gloves
|sourced locally (Costco)
|$10
|-
|8" x 8" x 3/8" steel plate
|sourced locally (Steel fabrication shop)
|free
|}

JTAG Specific Equipment List

{| class="wikitable"
! align="left"| Item
! Info
! Estimated Cost (CAD)
|-
|RIFF Box
|http://www.multi-com.pl/index.php/en_US,details,id_pr,7883,menu_mode,categories.html
|$120
|-
|Octoplus Box
|http://gsmserver.com/shop/gsm/octoplus_box_full_set.php
|$340
|}


Chip-Off Specific Equipment List

{| class="wikitable"
! align="left"| Item
! Info
! Estimated Cost (CAD)
|-
|Wagner HT1000 Heat Gun
|http://www.wagnerspraytech.com/portal/ht1000_en_spray,362096,358970.html
|$30
|-
|Heat Gun stand
|http://www.ibreakityoufixit.com/shop/air-gun-holder
|$60
|-
|UP-828 Programmer
|http://www.up48.com/english/programmer/up828.htm
|$1300 - $1700 depending on source
|-
|UP-828 SBGA152 Adapter
|BlackBerry
|$600 - $1000 depending on source
|-
|UP-828 BGA110 Adapter
|
|$600 - $1000 depending on source
|-
|UP-828 VBGA169E Adapter
|BlackBerry and Android
|$600 - $1000 depending on source
|-
|UP-828 VBGA133 Adapter
|iPhone 4
|$600 - $1000 depending on source
|}

Notes

1. The UP-828 driver is not signed and therefore does not work by default in Windows 7 64-bit. The programmer is identified as a Cypress Semiconductor Corp. CY7C68013. A signed Windows 7 64-bit driver can be installed by downloading and installing the Cypress EZ-USB FX2LP Development Kit, then using the CyUSB.sys driver found in '<installdir>\CY3684_EZ-USB_FX2LP_DVK\1.0\Drivers\cyusbfx1_fx2lp' for the UP-828 programmer.