Monday, 7 April 2014

Windows Phone 8 - Nokia Lumia 920 Forensics

Having heard that Windows Phone 8 was a bit of a pain to analyse forensically, I took it upon myself to get hold of a trial version of Oxygen Forensics Suite 2014 and make an image of the Lumia 920.

Figure 1

I have to say that the suite looks (and is) brilliant. Figure 1 shows the Sherlock Holmes-type figure with his magnifying glass, which really sums up what we're trying to do here. The logo makes it look as if Oxygen only works with Apple, Android and BlackBerry; however, it does work with Windows Phone.

For some reason unbeknownst to me, Oxygen Forensics Suite 2014 would crash whenever I tried to make it detect the phone, which was attached by USB. I had to manually select the phone from the list which Oxygen provides. Once imaged, Oxygen creates a file with an OFB extension (which I believe stands for Oxygen Forensic Backup).

Figure 2

Key to the name at the root of the evidence tree:  N-A (serial-number-of-phone) date-image-was-taken.ofb

As you can see in Figure 2, I had opened the OFB file in FTK. The long string in brackets is the serial number of the phone, followed by the date and time that the imaging process took place: 18:30 (GMT). The subdirectories we're most interested in are called 'Files' and '_glrThumbs'.

Important Note: When a user is on the home screen of a Lumia 920, the 'Photos' live tile shows photographs that are sitting in 'Photo Albums'. The Nokia Lumia 920 creates a thumbnail of each of these photographs and puts it into the _glrThumbs folder.

Figure 3


Thumbnail quality varies: the pictures lose detail as they are scaled up, but they still provide extremely good evidential value, and in some cases the quality is excellent (see Figure 3). Each thumbnail has a filename of the form tmb_xxxxxxxx.jpg (where each x is a digit or a letter), although the naming scheme behind it is unknown to me at this moment in time.

Sitting inside the directory immediately under [ZIP] seen in Figure 3, there is a database ending with the extension FDB. The FDB file may be something to do with Oxygen Forensics Suite, or the only other option is that it's a Firebird database. Whatever it is, mine is 5280 bytes and may contain something of interest. I may look at this another time.

Finally, we come to Figure 4, which shows the 'Files' folder. It contains the photographs from 'Photo Albums', Word documents, Excel documents, etc. This is a very useful folder for examination.

Figure 4

The photographs appear here at the resolution they were taken at, or, if they were cropped, at the post-crop size.
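To turn the two folders above into something you can put in an examination log, here is an added example (my addition to the post, not the author's code and not part of Oxygen Forensics Suite or FTK). It assumes the OFB contents have already been exported to a directory with the 'Files' and '_glrThumbs' folders as described, walks both, hashes every file, checks each name against the tmb_xxxxxxxx.jpg pattern, and reads the real image size out of the JPEG frame header rather than trusting the extension, which is how you confirm the "full-size in Files, scaled-down in _glrThumbs" observation. The sample files it builds in a temporary directory are constructed, not taken from a phone.

```python
"""Inventory an exported Windows Phone 8 evidence tree.

Added example for this post; not the author's code and not part of Oxygen
Forensics Suite. Assumes the OFB contents were exported to a directory with a
'Files' folder (full-size photos, documents) and a '_glrThumbs' folder
(tmb_xxxxxxxx.jpg thumbnails). Sample files are constructed so it runs offline.
"""
import hashlib
import os
import re
import struct
import tempfile

# Thumbnail naming seen on the Lumia 920: tmb_ + eight letters/digits + .jpg
THUMB_NAME = re.compile(r"^tmb_[0-9A-Za-z]{8}\.jpg$")

# SOFn markers carry the frame size; C4 (DHT), C8 (JPG) and CC (DAC) do not.
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}


def jpeg_dimensions(data: bytes):
    """Return (width, height) from the first SOFn segment, or None if the
    bytes are not a parseable JPEG. Walks the marker segments instead of
    trusting the extension, which matters for renamed or carved files."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None                      # lost marker sync: corrupt/truncated
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill bytes may precede a marker
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                         # TEM, SOI, RSTn carry no length
            continue
        if marker == 0xD9:                   # EOI before any frame header
            return None
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if seg_len < 2:
            return None
        if marker in SOF_MARKERS:
            if pos + 9 > len(data):
                return None
            _precision, height, width = struct.unpack(">BHH", data[pos + 4:pos + 9])
            return width, height
        pos += 2 + seg_len                   # skip marker bytes + segment
    return None


def inventory(root: str):
    """Walk 'Files' and '_glrThumbs' under root: path, size, SHA-256 for the
    evidence log, JPEG dimensions if it is one, and thumbnail-name match."""
    records = []
    for folder in ("Files", "_glrThumbs"):
        base = os.path.join(root, folder)
        if not os.path.isdir(base):
            continue
        for dirpath, _dirs, names in os.walk(base):
            for name in sorted(names):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    data = fh.read()
                records.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "folder": folder,
                    "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(),
                    "dimensions": jpeg_dimensions(data),
                    "is_thumb": bool(THUMB_NAME.match(name)),
                })
    return records


def minimal_jpeg(width: int, height: int) -> bytes:
    """Constructed sample: SOI, JFIF APP0, a one-component SOF0 frame header
    with the given size, and EOI. Enough to exercise jpeg_dimensions()."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = b"\xff\xc0" + struct.pack(">HBHHB", 11, 8, height, width, 1) + b"\x01\x11\x00"
    return b"\xff\xd8" + app0 + sof0 + b"\xff\xd9"


def demo():
    """Build a constructed evidence tree in a temp directory and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Files"))
        os.makedirs(os.path.join(root, "_glrThumbs"))
        samples = {                                  # all constructed, not from a phone
            "Files/WP_20140301_001.jpg": minimal_jpeg(3264, 2448),
            "Files/notes.docx": b"PK\x03\x04constructed-docx-stub",
            "_glrThumbs/tmb_0a1B2c3D.jpg": minimal_jpeg(336, 252),
            "_glrThumbs/tmb_bad.jpg": b"not a jpeg",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        return inventory(root)


if __name__ == "__main__":
    for rec in demo():
        print(f'{rec["path"]:30s} {rec["size"]:6d} B  {rec["dimensions"]}  '
              f'thumb={rec["is_thumb"]}  sha256={rec["sha256"][:16]}...')
```

Point it at the real export by replacing demo() with inventory("path/to/export"). A tmb_ file whose header does not parse, or a 'Files' entry whose header size disagrees with what the viewer shows, is worth a closer look rather than a shrug.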

It seems that there is a lot of evidence to be found on a Windows Phone 8, but unfortunately not nearly as much as on Android devices or iPhones. The OS is locked down and you're not likely to see much apart from MP3s, documents and photographs. On my initial look at the image, I couldn't see (or find) the likes of the IMEI just by looking at the files sitting on the phone. A physical examination of the phone would probably be required to get that sort of information.

In part 2, we will look at what more evidential value we can get from .docx files.

Thank you for reading.


Tuesday, 25 March 2014

Brute Forcing...With Precision!


ATTACK OF THE PERMUTATION !

Today we're going to be looking at brute forcing. Why would we need to brute force? Well, let's pretend that we have examined a suspect's machine and found a *.rar file which the suspect created but refuses to give up the password for. The file may contain indecent images and we need to get that rar file open and see what the suspect was hiding; or, on the flip side, our client forgot the password and is being accused of IP theft, so we need to get the file cracked and prove his innocence.

Normally, you would use a program like John the Ripper (JTR), Hydra, etc., get hold of a wordlist, which could be 50 GB+, and leave your computer to brute force the password. The thing is, 50 GB wordlists aren't always practical: they take a long time to work through and the password may not even be in there. The latter is always a risk, since no wordlist can promise to contain the password, but what you can do is use RSMangler to make your wordlist smaller and more specific to the target.

RSMangler was, I believe, written by Robin Wood (aka DigiNinja) for security company Random Storm. What RSMangler does is create a wordlist based on words that you provide. So, in order to speed up the process, if you fire up Kali Linux and download my shell script here - I've automated some of the process for you.

Download my shell script above and fire up your terminal. Run 'chmod a+x getRSM' (without quotes) and then 'sh getRSM'. The script will download and unpack RSMangler for you. cd into the rsmangler folder and type 'nano si.txt' (call the text file whatever you wish). Type in around four words, each on a separate line, that are related to the person in question.



Hit Ctrl+O and then Enter to save your work, then Ctrl+X to exit nano. Your rsmangler folder should now contain the text file you have just created. Now for the fun part!

As rsmangler is written in Ruby, you'll need to type in the following: 'ruby rsmangler.rb --file si.txt > siDictionary.txt'

Essentially, this runs the Ruby script against the words in --file si.txt, which we created earlier, and redirects the output to siDictionary.txt. Give it a short while to generate all the combinations; once done, you can open the file (on a slower PC, be wary of this, as a very large file may make the editor hang).



So there you have it! In just a few short, simple steps, you have created a wordlist which can be used for a permutation attack: essentially brute forcing with a candidate list that is far smaller than a generic wordlist but (potentially) far more likely to contain the right password.

RSMangler does support switches, but unfortunately every transformation is on by default, so a switch turns its transformation off rather than on. This means you have to name the ones you don't want. For example, to disable capitalisation, the -ing and -ed suffixes, leet speak, upper-casing and word permutations, you could use:

ruby rsmangler.rb --capital --ing --leet --upper --ed --perms --file si.txt > siDictionary.txt

Bear in mind that your wordlist will vary dramatically in size depending on how many switches you do or don't use.
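To see why the size varies so much, here is an added example (my addition, written in Python; it is not rsmangler.rb and does not reproduce its exact rules). The flag names mirror the post's switches, with everything on by default as in RSMangler, but which letters get leeted and how permutations are joined are assumptions of this example. The seed words in the demo are constructed stand-ins for si.txt.

```python
"""Targeted wordlist generation in the spirit of RSMangler.

Added example for this post, not rsmangler.rb. Flag names follow the post's
switches (perms, capital, upper, leet, ing, ed); the leet table and the way
permutations are joined are assumptions, not RSMangler's actual rules.
"""
import itertools

# Assumed leet table; rsmangler's own substitutions may differ.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"})


def base_words(words, perms=True):
    """Seed words plus, with perms on, every ordering of every subset of two
    or more seeds joined together: john, smith -> johnsmith, smithjohn."""
    seeds = [w.strip() for w in words if w.strip()]
    out = list(seeds)
    if perms:
        for k in range(2, len(seeds) + 1):
            for combo in itertools.permutations(seeds, k):
                out.append("".join(combo))
    return out


def mangle(words, perms=True, capital=True, upper=True, leet=True, ing=True, ed=True):
    """Return the sorted, de-duplicated candidate list. Every flag is on by
    default, as in RSMangler, and turning one off shrinks the output."""
    candidates = set()
    for w in base_words(words, perms):
        forms = {w}
        if capital:
            forms.add(w.capitalize())
        if upper:
            forms.add(w.upper())
        if leet:                       # leet each case variant produced so far
            forms |= {f.translate(LEET) for f in forms}
        stems = set(forms)             # suffixes go on case/leet variants only
        if ing:
            forms |= {f + "ing" for f in stems}
        if ed:
            forms |= {f + "ed" for f in stems}
        candidates |= forms
    return sorted(candidates)


def growth_table(words):
    """Wordlist size under a few switch settings, to show the size caveat."""
    settings = [
        ("all on", {}),
        ("no perms", {"perms": False}),
        ("no perms, no leet", {"perms": False, "leet": False}),
        ("seed words only", {"perms": False, "capital": False, "upper": False,
                             "leet": False, "ing": False, "ed": False}),
    ]
    return [(label, len(mangle(words, **opts))) for label, opts in settings]


if __name__ == "__main__":
    seeds = ["simon", "lumia", "tesco", "kali"]   # constructed stand-in for si.txt
    for label, size in growth_table(seeds):
        print(f"{label:20s} {size:7d} candidates")
    print("sample:", ", ".join(mangle(seeds)[:8]))
```

Four seed words give 64 base words once permutations are in (4 singles, 12 pairs, 24 triples, 24 quadruples), and each of those fans out again through the case, leet and suffix variants, which is why one extra switch can multiply the list rather than add to it. Run the table against your own seeds before deciding which switches to turn off.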

You can find RSMangler's source code here.
You can find the full list of switches at RandomStorm's website by clicking here.


Thanks for reading! I take no responsibility for how you use (or misuse) this information! Please put your white hat on :)

Saturday, 15 March 2014

How I Spent My Friday Night - 0x80070490

Whilst most people are gearing up for a night on the town; ladies putting on thick make-up in an attempt to impress men who have gone overboard with cologne, ordering taxis, laughing and joking - I wasn't partaking in any of those events. Instead, I was sat indoors hunched over my new laptop like the geek I am.

I'd just purchased an HP Pavilion 15-n098ea laptop with Windows 8 pre-installed. Of course, having used Windows 8, I was eager to move to Windows 8.1 for the (few) benefits it brings. I was getting an error when I was trying to update apps: 0x80070490. After a bit of searching, I landed on the following Microsoft support/knowledge-base page: http://support.microsoft.com/kb/958044

According to Microsoft, this error is shown when "the Component-Based Servicing (CBS) manifest is corrupted." After scratching my head and wondering what exactly the CBS manifest is, I looked around for some more info. I had websites telling me that they had experienced that particular error message when "the hard drive is on the way out". But it's a new laptop!!! Well, there's something I didn't admit earlier. It's not a 'new' laptop - it's a refurb. Underneath the laptop there is a sticker which says: 'This laptop is a refurb, it may contain used parts'. Great...

Click here for more info about manifest files. Essentially, manifest files are XML files which contain instructions that tell Windows what to do. The CBS or Component-Based Servicing manifest is a set of files that is required for Windows to be serviced, or as it's better known, updated. You can read more about CBS at Microsoft's TechNet website by clicking here. So ultimately, I found out that Windows Vista, Server 2008 and newer OSes use CBS manifests to update files.

For those who may not know, Windows Update caches the update files it downloads in the following location: "C:\Windows\SoftwareDistribution\Download". This meant that, in theory, I could go to that location, delete the cached downloads and begin the automatic updates again. (Please research before deleting the contents of this folder; some people suggest you leave it alone.) No luck.

By pure coincidence, I found that the action centre in Windows 8.1 (and maybe 8, I don't know) has a Troubleshooting section which specifically says: "Fix problems with Windows Update". It's almost as if they know you will have problems, isn't it? :-) Well I ran the troubleshooter and it did confirm that the CBS Manifest was corrupt. By now, I'd spent 1-2 hours reading and working on it - I was getting pretty bored. The troubleshooter said it had fixed the issue, but the problem remained: I couldn't download updates.

There is an option in Windows 8.1 under the Restore settings called "Refresh your PC without affecting your files". It was a last resort, but from what I could gather, I had exhausted most options I had. I opted for the refresh and after about 30 mins, I was faced with a brand new installation of Windows 8. Automatic updates finally worked and at the time of writing, I am using Windows 8.1 with all the latest updates.

TLDR: Windows update was broken due to an error involving the CBS Manifest file. After many attempts to fix it, the only thing that ended up working was a 'refresh' (re-install) of Windows 8. Updates now download fine.

So, that was Friday night for me. I hope yours went better than mine did.







Sunday, 2 March 2014

Future Projects...


Windows Phone 8 Forensics



Having spent the last 6-12 months developing forensic software in Python, I'm due to present the near-completed product in the coming months, and after graduation I will be looking to take on a new project. I wanted to do something that nobody has really looked at yet, or at least something that few people have looked at.

With smartphones becoming the 'must-have' item of recent years, I wanted to look at mobile phone forensics, the obvious choice being an Android or iOS device. The problem with Android and iOS is that they have been out for a long time, people have researched them and people have released books about them.

But what about Windows Phone 8? Its market share isn't as good as Android or iOS devices, but it won't be: it's a relatively new mobile OS, and it's based on Windows 8, so in theory it should be similar to analysing a Windows desktop OS. I'm pretty certain that Windows Phone 8 must have been analysed by somebody, so in order to make the research more obscure, what if the phone was wiped remotely before a forensic examination was performed?

Like Android and iOS, Windows Phone has the ability to remotely wipe the device, lock the device and ring the device. What I want to know is: how secure is the wipe? Would someone determined be able to recover any data? What data remains on the device, if any? There are quite a few questions I have before attempting the project and I'm sure more questions would arise as the project begins.

If you can think of any projects, or questions you have about Windows Phone forensics, let me know in the comment section below.

Thanks for reading.

Monday, 3 February 2014

Chmod Video Tutorial



I'm soon to be taking a Red Hat module which includes a lot of command-line goodness. It's surprising how many people are unfamiliar with the command line, so once again I've taken to YouTube with a relatively basic tutorial on how to use chmod.

Saturday, 1 February 2014

Chown Error: Operation not permitted



I'm taking a Red Hat course/module soon (RHA030) and I was playing around with the chown command. If you're not familiar with the command, it is an abbreviation of change owner/ownership and does what it says on the tin - lets you change the owner of a file. I'm sure you know how to run it, or else you wouldn't see this error message: 'Operation not permitted'.

I was actually working on a Macbook Pro on OS X Mavericks when I received the error. I had a file with the following permissions:


-rw-r--r--  1 simon  staff  455 25 Jan 15:05 file.rtf

(Please note, you must run the command as root otherwise you'll get this error: 
chown: file.rtf: Operation not permitted)

Once I ran the command as root, it asked for a password. I didn't have a password on my account, so I hit enter and received the error:

chown: file.rtf: Operation not permitted

This error can be fixed by simply giving your root account a password. Once done, I could run the command and change owner/group without any issues. I've read online that other people had issues and solved it by other means; but this may help someone out there.

Thanks for reading!





Wednesday, 29 January 2014

My Experience With Tesco Mobile

Having owned many smartphones, been on every network and being a great fan of new technology, I was eager to get my hands on a new phone. My girlfriend had recently bought an iPhone 5C and someone in my family bought an iPhone 5S, but I wanted to try out Windows mobile. I've used Android and think it's overrated and doesn't have that nice polished feel to it like iOS, and the more I heard about Windows mobile, the more tempted I was to see what it's all about.

I looked around online and eventually came across the Nokia Lumia 920 for just £15.50 a month from Tesco Mobile. The phone itself was free and the tariff included 500 MB of 3G data, 250 minutes and 5000 text messages per month - more than enough for my needs. So, without much hesitation, I ordered the Nokia Lumia 920 from Tesco on Monday 20th January, 2014.

After looking on forums, most people got their phone within 2 working days of ordering. 3 days passed, then 4... I began to get a little anxious, so I called up and spoke to a Tesco Mobile representative who told me in a rather sarcastic, obnoxious voice that: "Mobiles take 3-5 WORKING days to arrive" with a real emphasis on the word 'working'. Nothing I didn't already know, but I still didn't get a dispatch notice on the 4th day.

The weekend went by and on Monday 27th, I still hadn't had a dispatch email. I called up Tesco Mobile and asked what was going on. I spoke to a guy who passed me onto a lady who said that the system they use to check the e-agreements was 'rubbish' and it wasn't working. She called me back 15 minutes later to tell me that my phone hadn't even been dispatched and was sitting in a warehouse somewhere.

She told me that she would ensure that:
  1. The phone was sent out via next day delivery
  2. I would get money added onto my account as Tesco had taken money out of my bank account and they hadn't honoured their 3-5 days delivery promise
Tuesday 28th January passed - absolutely nothing. No post. No dispatch email. No sign of the phone. At the time of writing, it's Wednesday 29th January. I have just got off the phone with Tesco Mobile. I was passed around to 3 different people, including a guy called Travis who passed me onto the Technical Team.

The technical team rep then told me that he can see I've called a few times, the notes on my account say that someone should have given me a call today (but they haven't). He told me that he's passed on the message to give me a call before 5pm today.

It's 3pm now, that means Tesco have 2 hours to call me. If I don't get a call back, I will be cancelling the contract because this is the worst possible customer service I have ever come across. I've spoken to no less than 6-7 reps for Tesco Mobile and 9 days after my order, I am still without a phone, without a dispatch notice and without any idea as to where the phone actually is. Oh, and did I mention Tesco have already charged my account with my first monthly payment?

EDIT: Tesco didn't call me back. I had to call them, only to be told "The Tech team have gone home, I'll get them to call you back tomorrow". Yeah - sure you will, Tesco.

I will be cancelling my contract with you.