Paper: “Forensic Acquisition and Analysis of the TomTom One Satellite Navigation Unit”

Title: Forensic Acquisition and Analysis of the TomTom One Satellite Navigation Unit

Authors: Peter Hannay

Abstract
Global Positioning Systems are becoming increasingly pervasive. The forensic acquisition and analysis of these units is of great interest as it has the potential to yield historic locational data for these units. Analysis of the TomTom one satellite navigation unit has resulted in a method to reliably extract historic data from these devices in a forensically sound manner.

Files: Full Paper (PDF)

Posted in forensics, gps, security

Paper: “Subverting National Internet Censorship – An Investigation into Existing Tools and Techniques”

Title: Subverting National Internet Censorship – An Investigation into existing Tools and Techniques

Authors: Jason Smart, Kyle Tedeschi, Daniel Meakins, Peter Hannay, Christopher Bolan

Abstract
The announcement of a trial of a national level internet filter in Australia has caused renewed interest in the arena of internet censorship. Whilst details on the schemes being tested have been fairly sparse, the announcement of the trial itself has drawn wide condemnation from privacy advocates throughout the world. Given this announcement it was decided to test and compare three of the most popular free tools available that allow for the bypassing of internet censorship devices such as those used within China. Tests were conducted using three software packages, Freegate, GPass and GTunnel, which were analysed through packet capture to determine their likely effectiveness against the speculated methods to be employed by the Australian trials. The tests clearly showed that all three applications provide an easy means of subverting any likely filtering method, with GPass and GTunnel the more suitable candidates as Freegate still allowed for plain-text DNS requests.

Files: Full Paper (PDF)

Posted in paper, security

Paper: “Cold Boot Memory Acquisition: An Investigation into Memory Freezing and Data Retention Claims”

Title: Cold boot memory acquisition: An investigation into memory freezing and data retention claims

Authors: Peter Hannay, Andrew Woodward

Abstract
A number of claims have been made regarding cold boot memory acquisition techniques. There are numerous potential applications for these techniques should they be shown to be reliable and suitable for use in the field. An investigation into these techniques has been conducted. The results of the conducted experiments do not show that cold boot memory acquisition is viable for use in the field in its current state; however, future research may change this. In addition, there are a number of possible countermeasures that should be considered and carefully evaluated before live memory acquisition methods are employed.

Files: Full Paper (PDF)

Posted in forensics, paper

Paper: “Forensic implications of using the FireWire memory exploit with Microsoft Windows XP”

Title: Forensic implications of using the FireWire memory exploit with Microsoft Windows XP

Authors: Andrew Woodward, Peter Hannay

Abstract
This paper examined the forensic implications of using the FireWire direct memory access function with Windows XP. If a direct connection can be made to a computer running Windows XP, then the password can be bypassed and direct access to files on the computer can be gained. It was found that EFS protected files could not be viewed after running the tool. In addition, a console can be opened with high level privileges to run other commands. The tool used for this procedure also allows for a memory dump to be taken. Circumventing passwords is of benefit to forensic investigators as it saves time. The memory dump has the potential to reveal keys or other passwords that may protect encrypted data. There may be issues in terms of admissibility of any information gained using the memory dump, as there is no effective way to hash the memory.

Files: Full Paper (PDF)

Posted in forensics, paper

Paper: "Pocket SDV with SDGuardian: A Secure & Forensically Safe Portable Execution Environment"

Title: Pocket SDV with SDGuardian: A Secure & Forensically Safe Portable Execution Environment

Authors: Peter Hannay, Peter James

Abstract
Storage of sensitive and/or business critical data on portable USB attachable mass storage devices is a common practice. The ability to transport large volumes of data from the standard place of work and then access and process the data on an available PC at a different location provides both convenience and flexibility. However, use of such USB attachable mass storage devices presents two major security risks: the risk of loss of the portable storage device during transport, and the risk of data remnants residing on a PC after accessing the data from the USB storage device. The latter risk is due to the way Windows and third party applications store temporary information on the host PC’s hard disk. Even if every effort is made to delete temporary information, it may be possible to recover this information by using forensic data recovery techniques such as header analysis and magnetic force microscopy.

The Pocket SDV with SDGuardian provides an elegant solution to the aforementioned security risks. The Pocket SDV is a commercially available USB attachable secure hard disk drive. Features of the Pocket SDV include hardware based encryption, strong authentication, differentiated access rights and cryptographically separate partitioning capabilities. Only a user with the correct authentication credentials can gain access to data stored on the Pocket SDV, thus providing assurance if the Pocket SDV is lost. SDGuardian is a proof of concept toolkit that minimises the remnants left on a PC if it is used to process data stored on a Pocket SDV. Forensic examination of the PC, following processing of data held on a Pocket SDV with SDGuardian, should not reveal any remnants of protected data. In this paper an overview of the Pocket SDV is given and its functionality is enumerated. The motivation for SDGuardian is outlined before discussing the design, capabilities and limitations of the Pocket SDV with SDGuardian.

Files: Full Paper (PDF)

Posted in paper, security

Paper: "A Methodology for the Forensic Acquisition of the TomTom One Satellite Navigation System"

Title: A Methodology for the Forensic Acquisition of the TomTom One Satellite Navigation System

Authors: Peter Hannay

Abstract
The use of Satellite Navigation Systems (SNS) has become increasingly common in recent years. The wide scale adoption of this technology has the potential to provide a valuable resource in forensic investigations. The potential of this resource is based on the ability to retrieve historical location data from the device in question while maintaining forensic integrity. This paper presents a methodology to acquire forensic images of the TomTom One satellite navigation unit. This methodology aims to be comprehensive and straightforward, while maintaining forensic integrity of the original evidence. However, in consideration of the aforementioned methodology it should be noted that the defined method may not extract all potential evidence and the viability of collected evidence is dependent on future research into the analysis of said evidence. In order to address this consideration, research into this area is currently ongoing.

Files: Full Paper (PDF), Slide Show (PowerPoint), Demo (QuickTime)

Posted in forensics, gps, paper

Paper: "LIARS Phase One – A live CD system for extraction of user and owner information from laptop and notebook hard drives"

Title: “LIARS Phase One – A live CD system for extraction of user and owner information from laptop and notebook hard drives”

Authors: Peter Hannay, Andrew Woodward, Nic Cope

Abstract
Laptop and notebook theft is a major issue worldwide. Many laptops are found by police, but it is rare that the owner can be identified, resulting in the device being wiped and sold. This results in a reduced recovery rate for police and increased payouts for insurance companies. The first phase of the LIARS project modified an existing open source program, chntpw, and used its registry hive interrogation feature. The resulting program is run from a forensically sound live Linux CD, and outputs any relevant registry information to the screen in text format. This paper outlines the method by which this is done, and gives information about the code modification. It goes on to discuss the next phase of the project, using file carving to examine formatted laptop drives.

Files: Full Paper (PDF)

Posted in forensics, paper

Spoofing onto a peer

The original arpspoof utility (part of dsniff) provides an easy way to send forged ARP packets. The normal use for this utility is to intercept traffic between two hosts, such as a user and the gateway.

As part of an upcoming project I needed a way to redirect traffic from one host to another host under my control. The arpspoof utility, however, only allows the user to directly intercept the traffic in question. In order to address this issue I modified the arpspoof utility to enable new functionality which I call ‘spoofing onto a peer’.

In order to use this new functionality the command line switch -s is used in conjunction with the other command line parameters. For example, the command line below would intercept the traffic from host 192.168.1.1 and redirect it to the MAC address 12:34:56:78:9a:bc.

arpspoof -s 12:34:56:78:9a:bc 192.168.1.1

Files: arpspoof.c

Posted in code, security