Tuesday, 29 April 2014

Ubuntu 14.04 + Windows 8.1 + Realtek RTL8188EE + Google Earth

Wi-Fi Woes (caused by Realtek RTL8188EE)


What a ride it has been. I've encountered some weird and wonderful times with my laptop which has taken me right back to my IT Technician days. Firstly, I partitioned my drive, installed Linux Mint and despite me choosing 'Install Mint 16 over 14'... it formatted the drive. Now the main issue here was that it overwrote the recovery sector - in other words, it was FUBAR.

Since most of my work is encrypted and backed up on cloud services, I hadn't lost anything of importance, so I did a full re-installation of Windows 8.1. Now, I am unfortunate enough to own an HP laptop with the 'Realtek RTL8188EE' chipset. Let me tell you - this chipset is a NIGHTMARE. At the time of writing, it's not always recognised by Ubuntu 14.04 LTS (which is the new Ubuntu LTS) or when it is recognised, it's EXTREMELY slow and intermittent. Soon enough - I couldn't get a connection at all. Both Windows 8.1 and Ubuntu 14.04 couldn't connect.

After much searching on the web, and encountering people with similar issues, I managed to find a fix. It was the strangest fix in a while, but seemed to work: resetting the BIOS to default settings. This got me a connection on both Ubuntu & Windows. However, wi-fi was still unstable on both OSes. I installed a kernel (3.14) in Linux, which seemed to solve the issue.

If you're on Ubuntu 14.04 and your wi-fi is slow, intermittent and generally crap, you should follow some instructions I posted over on the Ubuntu forums: http://ubuntuforums.org/showthread.php?t=2218962

The user 'basgoossen' on the Ubuntu forums also found that his wi-fi was still unstable, although it was faster when it worked.

The REAL fix seems to be changing the channel in the router; I've since changed the channel of my wi-fi via router settings and so far so good...I'm getting a good speed:



This sounds like a trivial issue, although it has taken a hell of a long time to figure out how to fix this. There have been quite a few of us on the Microsoft / Ubuntu forums trying to figure out just what is wrong with our chipset (Realtek RTL8188EE) and it turns out that it might actually be the router that's at fault!

TL;DR - You can try the following fixes:

  • Delete the old driver in Windows (Device Manager) and re-install the Realtek driver from your manufacturer's website
  • Reset BIOS to default settings, then boot into either Ubuntu 14.04 or Windows 8.1
  • Change the channel your router is broadcasting on from 'auto' to something like '2 + 6' if you're on Virgin Media, or another setting if you haven't got this. (Please ensure you have an ethernet cable before you attempt any of these fixes, because you might just need it if things go pear-shaped).


Google Earth


And finally, that brings me onto Google Earth. Installing Google Earth on Ubuntu 14.04 isn't as straightforward as downloading the Debian file and double clicking - no. That's because ia32-libs is required, and guess what? It is deprecated (since Ubuntu 13.10). I wondered whether it would be possible to install Google Earth anyway - and it turns out that you can - but it requires a bit of hacking to get it to work.

You can go to here or here for instructions on how to install Google Earth on a 64-bit Ubuntu 14.04 installation. Good luck, and have fun googling!

Next week I'll update the site with something a bit more security/forensics related.

Monday, 7 April 2014

Windows Phone 8 - Nokia Lumia 920 Forensics

Having heard that Windows Phone 8 was a bit of a pain to analyse forensically, I took it upon myself to get hold of a trial version of Oxygen Forensics Suite 2014 and make an image of the Lumia 920.

Figure 1

I have to say that the suite looks (and is) brilliant. Figure 1 shows the Sherlock Holmes type figure with his magnifying glass, which really sums up what we're trying to do here. The logo makes it look as if Oxygen only works with Apple, Android and BlackBerry; however, it does work with Windows Phone.

For some reason unbeknownst to me, Oxygen Forensics Suite 2014 would crash whenever I tried to make it detect the phone which was attached by USB. I had to manually select the phone from the list which Oxygen provides. Once imaged, Oxygen creates a file with an OFB extension (Oxygen Forensic Backup, I believe it stands for).

Figure 2

Format to de-crypt the root of the evidence tree:  N-A (serial-number-of-phone) date-image-was-taken.ofb

As you can see in Figure 2, I had opened the OFB file in FTK. There is a long string in brackets which is the serial number of the phone and the date and time that the imaging process took place: 18:30 (GMT). The subdirectories we're most interested in are called 'Files' and '_glrThumbs'.

Important Note: When a user is on the home screen of a Lumia 920, the 'photos' live tile shows photographs that are sitting in the 'Photo Albums'. The Nokia Lumia 920 creates a thumbnail of these photographs and puts them into the _glrThumbs folder.

Figure 3


The thumbnail quality varies, as the pictures often don't keep their quality as they increase in size; however, they do provide extremely good evidential value and the quality is excellent in some cases (see Figure 3). Each thumbnail is provided with a filename, although the unique naming system is unknown to me at this moment in time: tmb_xxxxxxxx.jpg (where each x is either a number or a letter).

Sitting inside the directory immediately under [ZIP] seen in Figure 3, there is a database ending with the extension FDB. The FDB file may be something to do with Oxygen Forensics Suite, or the only other option is that it's a Firebird Database. Whatever it is, my one is 5280 bytes and may contain something of interest. I may look at this another time.

Finally, we come to Figure 4. Figure 4 shows the 'Files' folder, which contains photographs from 'Photo Albums', Word documents, Excel documents etc. This is a very useful folder for examination.

Figure 4

The photographs appear here with the same resolution they were taken at, or if they were cropped, they appear as the size post-crop.
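To work through the 'Files' and '_glrThumbs' folders without clicking through FTK, the image can be inventoried with a short script. This is an added example, not part of the original post or of Oxygen's tooling; it assumes the OFB file is a ZIP container (as the [ZIP] node in FTK suggests), and the sample archive and its paths are constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# Thumbnail naming described in the post: tmb_ + 8 letters/digits + .jpg
THUMB_RE = re.compile(r"^tmb_[0-9A-Za-z]{8}\.jpg$")


def inventory(ofb):
    """Return one record per file under 'Files' or '_glrThumbs'.

    `ofb` is a path or a binary file object. Assumption: the OFB backup
    is a ZIP container, as the [ZIP] node in FTK suggests.
    """
    records = []
    with zipfile.ZipFile(ofb) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.split("/")
            if "_glrThumbs" in parts:
                kind = "thumbnail"
            elif "Files" in parts:
                kind = "file"
            else:
                continue  # e.g. the FDB database, not examined here
            data = zf.read(info)
            records.append({
                "path": info.filename,
                "kind": kind,
                "size": info.file_size,
                "sha256": hashlib.sha256(data).hexdigest(),
                # Flag thumbnails that do not follow tmb_xxxxxxxx.jpg
                "name_ok": kind == "file" or bool(THUMB_RE.match(parts[-1])),
            })
    return records


def build_sample():
    """Constructed sample archive standing in for a real OFB file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("root/_glrThumbs/tmb_0a1b2c3d.jpg", b"\xff\xd8thumb")
        zf.writestr("root/_glrThumbs/notes.txt", b"unexpected")
        zf.writestr("root/Files/WP_0001.jpg", b"\xff\xd8photo")
        zf.writestr("root/backup.fdb", b"\x00" * 16)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for rec in inventory(build_sample()):
        print(rec["kind"], rec["name_ok"], rec["sha256"][:16], rec["path"])
```

Recording a SHA-256 per entry gives a reference point for matching a thumbnail or photograph against copies exported later, and the `name_ok` flag picks out anything in '_glrThumbs' that does not fit the thumbnail naming pattern.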

It seems that there is a lot of evidence to be found on a Windows Phone 8, but unfortunately, not nearly as much as on Androids or iPhones. The Windows OS is locked down and you're not likely to see much apart from the MP3s, documents and photographs. On my initial look at the image, I couldn't see (or find) the likes of IMEI just by looking at the files sitting on the phone. A physical investigation of the phone would probably be required to get that sort of information.

In part 2, we will look at what more evidential value we can get from docx files.

Thank you for reading.