Monday, December 29, 2014

Registry Explorer - Feature update - Date Time Filter

It's still pre-beta. I haven't gotten to the point where I've untangled it from my other project.

I have added the Date Time restriction feature. This allows an examiner to display all the named registry keys with a last modified timestamp between a given start and stop date/time.


And a quick video of the feature in action.
  • In the video I selectively target the "7-zip" named key - last modified Sept 27, 2012.
  • Set a start and stop date around the last modified time for the key.
    • Start: Sept 26, 2012
    • Stop: Sept 28, 2012
  • The returned results are sorted by date/time by default. In order to find my target I sorted the Name column.
  • Double click the "Name" column header to sort, then hit the first letter of the field of interest to jump to it.
  • The selected entry populates the right side table and property tabs.

I may add the following additional timestamp-related features:

  • Time normalization to timezone offset.
  • Default start and stop date time being set to the last selected Named Key.
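As an added example (not the Registry Explorer code, which the post does not show), here is a Python sketch of the filter described above. Raw registry last-write timestamps are Windows FILETIME values (100-nanosecond ticks since 1601-01-01 UTC), so the filter converts them, keeps the keys whose timestamp falls inside the start/stop window, sorts by time and, for the timezone-offset idea in the list above, presents the results in a chosen UTC offset. The key paths and timestamps are constructed sample data; only the 7-Zip date matches the video.

```python
"""Filter registry keys by last-write timestamp (added example; constructed data)."""
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks from 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Raw FILETIME integer -> timezone-aware UTC datetime (sub-microsecond ticks dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; dt must be timezone-aware."""
    micros = (dt.astimezone(timezone.utc) - FILETIME_EPOCH) // timedelta(microseconds=1)
    return micros * 10


# Constructed sample hive walk: (key path, last-write FILETIME). The 7-Zip key is
# dated Sept 27, 2012 to match the video; the other keys are made up.
SAMPLE_HIVE = [
    (path, datetime_to_filetime(ts)) for path, ts in [
        ("HKLM\\SOFTWARE\\7-Zip",         datetime(2012, 9, 27, 14, 3, 11, tzinfo=timezone.utc)),
        ("HKLM\\SOFTWARE\\Microsoft",     datetime(2012, 9, 27, 9, 0, 0, tzinfo=timezone.utc)),
        ("HKLM\\SOFTWARE\\Classes",       datetime(2013, 1, 5, 8, 15, 0, tzinfo=timezone.utc)),
        ("HKLM\\SOFTWARE\\ExampleVendor", datetime(2012, 9, 25, 23, 59, 59, tzinfo=timezone.utc)),
    ]
]

# Start/stop window from the video: Sept 26 through Sept 28, 2012 (whole days, UTC).
START = datetime(2012, 9, 26, tzinfo=timezone.utc)
STOP = datetime(2012, 9, 28, 23, 59, 59, tzinfo=timezone.utc)


def keys_modified_between(hive, start, stop, tz=timezone.utc):
    """Keys whose last-write time lies in [start, stop], sorted by time.

    The comparison is done in UTC; `tz` only changes how the result is
    displayed, which is the "normalize to a timezone offset" idea above.
    """
    hits = []
    for path, ft in hive:
        ts = filetime_to_datetime(ft)
        if start <= ts <= stop:
            hits.append((path, ts.astimezone(tz)))
    hits.sort(key=lambda hit: hit[1])
    return hits


def keys_sorted_by_name(hits):
    """The post's second step: re-sort the filtered rows on the Name column."""
    return sorted(hits, key=lambda hit: hit[0].rsplit("\\", 1)[-1].lower())


if __name__ == "__main__":
    # Display the window in UTC-5 to show the timezone normalization.
    for path, ts in keys_modified_between(SAMPLE_HIVE, START, STOP,
                                          tz=timezone(timedelta(hours=-5))):
        print(f"{ts.isoformat()}  {path}")
```

The comparison is deliberately kept in UTC and the offset applied only for display; doing the range check on already-localized values is how a key modified around midnight silently falls out of the window.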

Friday, December 26, 2014

Voiding Warranties - Morphie Space Pack [possibly overlooked storage]

NB: Disassembling a device will most likely void your warranty. If you follow any of the steps in this post you are taking the chance of irreversibly damaging the Morphie Space Pack. I would not recommend using the Morphie Space Pack after disassembly, as doing so is potentially dangerous. This post is for informational purposes and does not serve as instructions for safe disassembly. Attempt any of the steps below at your own risk.

The Morphie Space Pack is a device used to extend both the battery life and available storage space of an iPhone. One came into my hands yesterday. It was having an issue with charging and was placed in my hands with the understanding that it may not come back in the same shape. The Space Pack essentially acts like a case for the iPhone 5. It has a Lightning adapter which plugs into the bottom of the phone. The Lightning connector acts as a pass-through from a USB micro connector on the bottom exterior of the case.


This case has 16GB of storage built into it, but it may be easy for an investigator to overlook, especially if the wording indicating the size of the storage has been removed from the case. In the image below you can see "16GB" screen printed just above the Lightning connector.



Opening
The Space Pack is designed as two separate pieces, which, when joined, enclose the phone. The bottom portion contains what would appear to be the charging circuit, switch, and storage. The upper portion of the case contains the battery.

The picture above was taken after the disassembly was started. The bottom portion is two pieces of plastic sandwiched together with a two-piece border holding it together. The border is attached with double-sided tape and has small plastic catches. You can see one of the detached borders clearly at the bottom of the above image.

1. Separate the borders from the two halves - The iSesamo opening tool and a dental pick were used to slowly lever the borders loose, gently working around the edges until they started to separate. You shouldn't force it open, as there are wires connecting the top and bottom halves.

2. Remove the flex cable - The PCB (printed circuit board) is connected to the top half by a thin flex cable inserted into a ZIF socket. In the image below the ZIF socket is circled in red.


See the image below for a close-up. In order to release the flex cable from the ZIF socket, so you can separate the PCB from the plastic casing, you need to flip the ZIF socket toggle: the black section connected to the white section as seen below. The left side of the black section is the hinge, so lift up on the right side to release the flex cable. Be careful: the flex cable is fragile and the ZIF release can try your patience. Note: There was a thin line of glue, similar to a harder version of glue-gun glue, across the flex cable ZIF socket area. I used the dental pick to gently remove it. There was a similar line of glue between the black case and the PCB, which I removed in the same way.


Here is a close-up using a digital microscope with the hinge open and the flex cable released.


In the image below the flex cable has been released and the PCB has been flipped over. You can now see the storage, a 16GB micro SD card.


3. Detach Lightning connector - To the right of the SD card, in the image above, you can see two screws which fix the Lightning connector to the top piece of the shell. I removed both screws to separate the two halves. I didn't want any surprises, but it was an unnecessary step.


4. Access the micro SD card - The seat for the micro SD card is attached to the black plastic shell by means of double-sided tape. You can see the tape in the picture below; this is the bottom of the micro SD seat. This is another step which you could skip.



The top of the micro SD card is kept in the seat by one-sided foam tape. This prevents the micro SD card from slipping loose from the seat. Simply peel the tape back to disengage the micro SD card.



The card's format is not recognized by default by a Windows machine (Win 7 Pro), nor by OS X 10.9.5. Using EnCase I was able to recover a FAT32 partition. If time allows I'll delve deeper into the micro SD card's format. I was able to recover pictures, movies, and other files. I also found Mac droppings.


I had originally thought that the USB connection problem was due to a broken solder joint. I still think that is the problem, but I'm unsure if I can fix it. I was hoping for a through-hole type connection, but as seen in the picture below it's a surface-mount connection. Between the other surface-mount components in the area and the fact that the USB pins look like they don't have enough solder on them, I doubt I can get my rework equipment to do it. It won't hurt to try, but it's been placed farther down my list of projects.



I also had the thought that the inside of the connector may have been obstructed, but from this side it looks fairly good (other than the amount of pocket lint in the picture).


I used the following tools to void the warranty of this device:
  • iSesamo Opening Tool
  • Dental Pick
  • PH00x40 Wiha Phillips Screwdriver

Wednesday, December 24, 2014

Digital Forensics - Pattern Visualization - 3 [Latin 9]

In order to see patterns we must choose a single representation (character encoding) to use when viewing our data. This gives us a consistent view into the data. If we jump from character encoding to character encoding at will, it changes how the data is displayed. This may be a minute change in how the data is displayed, or one which would make us miss a pattern. For example, below are several images of different character encodings used to display the same file.

Image: Displayed using ISO Arabic Encoding.


Image: Displayed using ISO Cyrillic Encoding


Image: Displayed using ISO Latin 9 Encoding

If you had a peek at the hex (in the middle section) you would have seen "FF D8" as the first two bytes of the file. If you guessed that was the signature for a JPEG image you would be right.

Looking at the hex is still a pain: you see a lot of pairs and groupings, and after a while your eyes want to wander over to the encoded text representation on the right. Once your eyes get to the text side, little islands of calm appear. These islands are regions caused by printable and unprintable characters. If you reference the ASCII chart below, the thirty-two cells highlighted in brown represent unprintable characters. These include such items as formatting characters (tabs, carriage returns, line-feeds, ...) and legacy control characters which typically are not used in modern computing.


ASCII chart (column header = high nibble, row header = low nibble; the two leftmost columns, 0x00-0x1F, are the control characters highlighted in brown in the original image):

     0    1    2    3    4    5    6    7
0   NUL  DLE  SP   0    @    P    `    p
1   SOH  DC1  !    1    A    Q    a    q
2   STX  DC2  "    2    B    R    b    r
3   ETX  DC3  #    3    C    S    c    s
4   EOT  DC4  $    4    D    T    d    t
5   ENQ  NAK  %    5    E    U    e    u
6   ACK  SYN  &    6    F    V    f    v
7   BEL  ETB  '    7    G    W    g    w
8   BS   CAN  (    8    H    X    h    x
9   HT   EM   )    9    I    Y    i    y
A   LF   SUB  *    :    J    Z    j    z
B   VT   ESC  +    ;    K    [    k    {
C   FF   FS   ,    <    L    \    l    |
D   CR   GS   -    =    M    ]    m    }
E   SO   RS   .    >    N    ^    n    ~
F   SI   US   /    ?    O    _    o    DEL

These unprintable characters are typically represented by forensic applications as a dot, whitespace, or some other standardized character.

The Short of it...

  • There are many character encodings out there, but to view your data I would recommend selecting one. 
  • You can change your encoding settings as needed, but default back to the one you selected.

Which one you ask?

Well, I've stuck with ISO/IEC 8859-15, also known as "Part 15: Latin alphabet No. 9", which I like to call "Latin ISO 9" or various combinations of the same. Why this one? Well, when I was a newly hatched script monkey mashing buttons it was said to me that this was the one to use. Now, since I no longer drag my knuckles, and rarely scratch myself, I can give you my reasoning for continuing to use it.
  1. It is an 8-bit (1-byte) fixed-length encoding scheme. In short, one byte is equal to one character. This means n bytes of data, no matter how they are arranged, are displayed as n characters.
  2. The encoding is based on ASCII, so at least for the English language and the numerous languages written in Latin-alphabet derivatives it works in whole or in part.
  3. The encoding supports Western European languages. Yes, this statement would appear to be awfully European/English centric, but I assure you it doesn't matter as much as you think.
So let's look at Latin ISO 9 ... I won't give you the historical details, just the pretty pictures. Remember, this series is on visualizing patterns, not lecturing on the evolution of computing.

Image: Latin ISO 9 

If we can believe Wikipedia, the following languages are supported under Latin ISO 9:
Afrikaans, Albanian, Breton, Catalan, Danish, Dutch, English, Estonian, Faroese, Finnish, French, Galician, German, Icelandic, Irish, Italian, Kurdish, Latin, Luxembourgish, Malay, Norwegian.


Using Wikipedia again, I came up with an approximate coverage of .. cough .. 2.5 billion primary and secondary speakers for the above languages. Taken with a large grain of salt, the coverage comes out to roughly what you see below.


The countries in green are those I could identify which had a language from the above list as an official language, but this does not necessarily mean it's a primary or majority language. Not data I would make a scholarly publication on, but good enough if you squint. Keep in mind that the top half of North America (Alaska/Canada), Greenland, and Australia have a really low population density, but it looks great in the picture. Also, some of the countries identified in green have more than one language in use internally, especially in Africa and India.

Examples:
Morocco has Arabic as the official language, but French is very common. Signage within the country typically has both Arabic and French wording. It's also worth noting that, besides Arabic and French, the Berber language is also found within Morocco (Tifinagh alphabet).
India has Hindi and English as official languages, but an additional 20 regional languages are in use within the country. Hindi, along with a large number of these regional languages, has its own character set.

So let's go over what languages this encoding does not cover.
  • Chinese and Japanese Ideographs
  • Korean Ideographs (Hangul)
  • Cyrillic
  • South/Southeast Asian Scripts
  • Arabic
  • Hebrew
  • Berber
  • Amharic
  • et al...

This is the point where you say loudly, "of cooooourse they are not supported. They are not Western European languages."

To this I reply: you are absolutely correct, but it doesn't affect our ability to identify patterns. I'll get to that in an upcoming post ..

Your take away points:
  • Choose an encoding.
  • Return to that view whenever you do not specifically need to view data in another character encoding scheme.
  • I like ISO Latin 9, but as I wrote this I realized that was because I have the bias of being able to recognize the characters in the patterns. For example, the first set of three images in this post are of a JPEG. When I see a JPEG (in ISO Latin 9) I see "YoYa" as the first two bytes, but if I were a Cyrillic reader the Cyrillic encoding might be a better choice.
If you have a better encoding scheme you like to use, drop me a line with your reasoning. I'm always ready to learn new tricks.

to be continued ....