Thursday 25 June 2009

A handy script for Cell location

No rocket science, but a handy Python script for locating a cell. Given the LAC and cell ID, the script opens your default browser and pinpoints the location on Google Maps. This is nice to have when you are investigating data from a SIM card and want to do a quick lookup of the LAC and CID stored on the SIM.
Where do I get the coordinates? Google has a hidden (or at least undocumented) API at http://www.google.com/glm/mmap, which you can query using the correct packet format.
Here is the relevant part of the script. Drop me an e-mail if you are too lazy to construct a working script from this snippet, and I will send you mine.

import sys
from struct import pack, unpack
from urllib.request import Request, urlopen
from urllib.error import HTTPError, URLError

mmUrl = "http://www.google.com/glm/mmap"

def lookupCell(CID, LAC, country, device):
    # country is packed into a 2-byte field and device into a 6-byte field
    # (struct pads or truncates them); pass bytes, e.g. b"nl" and b"Nokia"
    byteString = pack(">hqh2sh6sh5sh3sBiiihiiiiii", 21, 0, len(country), country,
                      len(device), device, len(b"1.3.1"), b"1.3.1", len(b"Web"), b"Web",
                      27, 0, 0, 3, 0, int(CID), int(LAC), 0, 0, 0, 0)
    contentLength = len(byteString)
    contentType = "application/binary"
    headers = {"Content-Length": str(contentLength), "Content-Type": contentType}
    # Create the http request object and submit it to the URL
    httpReq = Request(mmUrl, byteString, headers)
    try:
        httpResp = urlopen(httpReq)
    except (HTTPError, URLError):
        sys.stdout.write("failed!")
        return -1, -1
    data = httpResp.read()
    if len(data) != 25:  # likely an invalid CID + LAC was submitted
        print("The server returned an unknown response(" + str(data) + ").")
        return -1, -1
    # 25-byte reply: two header fields, an error code, latitude and longitude
    # in microdegrees, and three trailing fields
    (a, b, errorCode, latitude, longitude, c, d, e) = unpack(">hBiiiiih", data)
    latCrd = latitude / 1000000.0
    longCrd = longitude / 1000000.0
    return latCrd, longCrd
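As an added, offline example (not the script from the post and not Google's code), here is the same packet layout built and parsed without any network call, against constructed reply bytes. The Google Maps URL form and the reading of a non-zero error code as "no fix" are assumptions; the post only checks the reply length.

```python
from struct import pack, unpack, calcsize

# Same layouts as the post's script: 73-byte request, 25-byte reply.
REQUEST_FMT = ">hqh2sh6sh5sh3sBiiihiiiiii"
RESPONSE_FMT = ">hBiiiiih"


def build_request(cid, lac, country=b"nl", device=b"Nokia"):
    """Pack CID/LAC into the request layout the post uses.

    country and device are placeholder values; struct pads or truncates them to
    the fixed 2- and 6-byte fields the format prescribes.
    """
    return pack(REQUEST_FMT, 21, 0, len(country), country, len(device), device,
                len(b"1.3.1"), b"1.3.1", len(b"Web"), b"Web",
                27, 0, 0, 3, 0, int(cid), int(lac), 0, 0, 0, 0)


def parse_response(data):
    """Return (lat, lon) in degrees, or None when the reply is not a usable fix.

    Besides the length check from the post, this also honours the error-code
    field; treating non-zero as failure is an assumption suggested by the
    field's name, not something the post states.
    """
    if len(data) != calcsize(RESPONSE_FMT):  # 25 bytes
        return None
    _, _, error_code, lat_e6, lon_e6, _, _, _ = unpack(RESPONSE_FMT, data)
    if error_code != 0:
        return None
    return lat_e6 / 1e6, lon_e6 / 1e6


def maps_url(lat, lon):
    """Google Maps query URL for a coordinate (assumed form, not from the post)."""
    return "https://maps.google.com/?q=%.6f,%.6f" % (lat, lon)


# Constructed sample replies: a fix near the centre of Amsterdam, and one with a
# non-zero error code, the shape a failed CID/LAC lookup would plausibly have.
SAMPLE_OK = pack(RESPONSE_FMT, 0, 0, 0, 52372000, 4894000, 0, 0, 0)
SAMPLE_ERR = pack(RESPONSE_FMT, 0, 0, 1, 0, 0, 0, 0, 0)

if __name__ == "__main__":
    req = build_request(cid=12345, lac=678)
    print("request is %d bytes" % len(req))
    fix = parse_response(SAMPLE_OK)
    print(fix, maps_url(*fix))
    print(parse_response(SAMPLE_ERR))
```

Keeping the packet build and the reply parse in separate functions lets you unit-test the binary layout on captured bytes, which is the part of such a script that silently breaks when an undocumented API changes.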

Friday 29 May 2009

MFW09 Day 2

Another day packed with killer talks has passed. My mind is still processing all the information I picked up today, but I cannot resist sharing it with you people.

For me, the day kicked off with Eoghan Casey talking about the forensic soundness of the tools available for mobile forensics. He emphasized that forensic soundness does NOT mean that nothing may be altered on the drive, but that any changes made should be documented. It is accepted nowadays to install an agent to facilitate retrieval of data from smart phones as long as the tool makes clear what is actually happening and the investigator is able to uninstall the agent.

The second talk was by Ben Lemere (DoD) on GPS forensics. His talk focused on Garmin devices. He analyzed the way Garmin devices create tracklogs and trackpoints when navigating and how these can be recovered. He also demonstrated different methods to extract evidence from the device. Data from Garmin devices can be extracted logically by sending AT commands (which are published by Garmin, forgot the URL) to the device. The preferred method is connecting the device as mass storage on your USB port. This allows you to extract the complete file system (hm... at least the relevant part, afaik) and analyze any interesting files.

The afternoon started with a funny talk from Thomas Slovenski about bugging smart phones.

And just when you think you have had the best of it all, up comes Andrew Hoog with a fascinating talk about Android forensics. The info was too much to summarize here. He covered it all: what Android is and how it is built up; how to gain root access by downgrading your device and exploiting a bug that allows you to start the telnetd service as root; how to create a hexdump of the NAND flash memory; and he even touched on the yaffs2 file system used and how to analyze it. Great stuff! I'd love to hear more about it when anyone picks this up and publishes further results.

Thursday 28 May 2009

MFW09 Day 1

So, the first day at Mobile Forensics World 2009 has come to an end. I heard some very interesting stuff today on low-level iPhone forensics and mobile phone forensic tool testing.

The first talk was from Rick Voss (FBI) about future developments in digital (and some mobile) forensics. It was mainly about the recent proposal for new legislation on conducting digital forensic investigations. Think of certification and accreditation of labs and so forth (can't remember the rest). It was less applicable to me, because it focused on US legislation, but still interesting to hear.

The second talk I attended was from Jonathan Zdziarski about low-level iPhone forensics. This guy definitely knows what he's talking about.
He explained the process of 'hacking' the iPhone and how to initiate a dd dump of the user partition of the internal memory over SSH. The hack of the iPhone (often the term 'jailbreaking' is used, even though it is not accurate) is forensically acceptable, since only the system partition is altered in this process. The exact details are too elaborate for now, but in essence it just alters the system partition to include certain tools like netcat, sshd and dd in the system. These are then used to dump the memory over a netcat connection. The same method of altering the system partition can be used to disable an activated handset lock. This is a matter of deleting or altering a certain file in the system partition.
Furthermore, Jonathan is working on a method to transfer the memory over USB instead of the network, which should make it faster.

The third talk was from Rick Ayers (NIST) about forensic tool testing. He explained how the process works and how to interpret the documents that result from it.
In 2010 they will start forensic tool testing for smart phones specifically! This means comparing and testing the tools available for Symbian, Windows Mobile, Apple iPhone, RIM BlackBerry and Android (although this one was not on his sheet).

That was it for today, more tomorrow!

Monday 25 May 2009

Track and trace SIMs...without consent!

It was brought to my attention that there exists a method to retrieve geographical information on a SIM by knowing only the subscriber's phone number. Phone-hunter is a service that allows you to do just that. Enter the phone number of the subscriber you would like to track and the website returns the area where the SIM was last registered. This area corresponds to the area of a switching center. The details of the method are described here; I will provide a short summary:

Telecom providers need to know where their subscribers are located. To this end, they keep a record of which subscriber is currently located at which MSC. This record is actually queried whenever you send a text message, to see where the recipient is.
To illustrate, if I were to send a text message, the database would be queried using the recipient's MSISDN and the query would return the following information:
  • The MSC number the subscriber is currently using
  • The subscriber's IMSI
  • Possibly a user error (e.g. 'absent subscriber' == 'phone is offline')
The database is public to any company that is a 'telecom provider' (which could in fact be any company). A service like phone-hunter will allow you to query this subscriber database given any MSISDN.

Now, the MSC number is unique for each telecom provider and each MSC is bound to a certain geographical region. Given this info it is possible to determine someone's geographical location down to the region of a certain MSC: wicked!
One small challenge is that the mapping from MSC number to geographical location is not readily available, so for a lot of areas this still has to be determined.

I can think of a couple of applications where this may be interesting (never mind the ethics :)): tracking employees, tracking wives, private investigators doing remote observations, etc.

Thursday 21 May 2009

Yet another smart phone OS coming up

Nokia and Intel have just announced the oFono project.
The oFono project is aimed at designing an open-source infrastructure for telephony (GSM/UMTS) applications. oFono is licensed under GPLv2 and it includes a high-level D-bus API for applications.
Here is a high-level view of the infrastructure:
Looks like Nokia is eager to follow Google's Android open-source concept. I am excited about this, since open source allows for easier and better forensic tool development and hopefully more generic solutions.

I guess Nokia prefers to bet on two horses since Symbian is losing ground in the smart phone market.

Tuesday 12 May 2009

Mobile Forensics World 2009!

Anyone interested in the state of the art in mobile forensics, visit MFW 2009 on the 28th of May:
http://www.mobileforensicsworld.com/default.aspx

I got lucky and have the privilege of attending this conference. There are lots of interesting topics like low-level iPhone forensics, BlackBerry forensics and some talks on GPS forensics.
After the conference, I will write some highlights on this blog.

Friday 1 May 2009

The nokia 1100 mystery unfolds

This article hits the spot.
Unfortunately the website is in Dutch, so some of you will not be able to read it.
In short, it summarizes the claims made about the possible reasons why the 1100 would be so popular (like opening cars with it...) and how little evidence there is to prove the claims.
Particularly, the part on Ultrascan, the company that issued the initial statement on the 1100, is interesting. It appears Ultrascan is not even registered with the Chamber of Commerce and the claims on their website about their size and reach are possibly false. Why then should people take Ultrascan's statements seriously...

Thursday 23 April 2009

The Nokia 1100 mystery

On 18-4-2009 Ultrascan issued a press statement about criminals offering up to 25.000 euro for Nokia 1100 phones produced in Germany. These handsets could be used to spoof a phone number and intercept text messages containing TAN codes for online banking. Unfortunately, this claim has no references and thus it is difficult to verify. The ING bank in the Netherlands is getting restless, because this is a potential threat to their online banking security mechanism. So, let's give the rumour a chance and reason about what may be possible.

From the GSM specification:
A handset (ME) is identified to a service network (SN) by the International Mobile Subscriber Identity (IMSI). This number is stored in the USIM. Let's say the criminal somehow could program the IMEI and the IMSI into the 1100 handset. To authenticate the ME as being the subscriber it claims to be, the ME needs the secret key K, which is stored in the USIM and is linked to the IMSI. This secret key K cannot be read in plaintext from the USIM, so one would need the USIM (or a clone) containing K to authenticate the ME to the SN.
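To make that reasoning concrete, here is an added toy model of the challenge-response step (not from the post and not a real GSM implementation): HMAC-SHA256 stands in for the operator's A3 algorithm, the IMSI and K values are constructed, and the network checks only the response SRES. A handset carrying a subscriber's IMSI (and any IMEI) but not that subscriber's K fails the check, while a USIM or clone holding K passes.

```python
import hashlib
import hmac
import os


def a3_response(k, rand):
    """Stand-in for A3: SRES = f(K, RAND). Real operators use their own A3;
    HMAC-SHA256 truncated to 32 bits (GSM's SRES size) is an assumption."""
    return hmac.new(k, rand, hashlib.sha256).digest()[:4]


class ServiceNetwork:
    """The SN side: knows K for each IMSI (the operator's HLR/AuC role)."""

    def __init__(self, subscribers):
        self._subscribers = subscribers   # IMSI -> K, never sent to the handset
        self.auth_log = []                # (imsi, ok) per attempt, as an operator would log

    def challenge(self):
        return os.urandom(16)             # 128-bit RAND

    def verify(self, imsi, rand, sres):
        k = self._subscribers.get(imsi)
        expected = a3_response(k, rand) if k is not None else None
        ok = expected is not None and hmac.compare_digest(expected, sres)
        self.auth_log.append((imsi, ok))
        return ok


class Usim:
    """Holds K and only ever answers with SRES; K itself is never readable."""

    def __init__(self, imsi, k):
        self.imsi = imsi
        self._k = k

    def run_a3(self, rand):
        return a3_response(self._k, rand)


def attach(network, imsi, respond):
    """One attach attempt: the SN issues RAND, the ME answers with SRES.
    The IMEI plays no part in this exchange, which is why reprogramming it
    does not help an attacker."""
    rand = network.challenge()
    return network.verify(imsi, rand, respond(rand))


# Constructed subscriber data (not real values).
K_ALICE = bytes.fromhex("0f" * 16)
IMSI_ALICE = "204081234567890"
NETWORK = ServiceNetwork({IMSI_ALICE: K_ALICE})


def genuine_attach():
    """Handset with Alice's USIM (or a clone containing K): passes."""
    usim = Usim(IMSI_ALICE, K_ALICE)
    return attach(NETWORK, usim.imsi, usim.run_a3)


def spoofed_attach():
    """Handset programmed with Alice's IMSI but without her K: it can only
    guess K, and a guessed K yields the wrong SRES."""
    guessed_k = bytes(16)
    return attach(NETWORK, IMSI_ALICE, lambda rand: a3_response(guessed_k, rand))


if __name__ == "__main__":
    print("genuine:", genuine_attach())
    print("spoofed:", spoofed_attach())
```

The structure is what matters: because the network derives the expected answer from K on its own side, every identifier the handset can be programmed with (IMEI, IMSI) is useless without the key material that stays inside the USIM.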

Now, I had a quick peek at a Nokia 1100 using a flasher tool and found that it is possible to alter the IMEI number. This IMEI alone is not enough to spoof a subscriber identity to the SN. Unfortunately, my Nokia 1100 was not produced in Germany, so that is probably why I don't see the magic 'spoof identity' option. If anyone has other ideas about possible attacks, I would really like to hear them.

Time will probably tell if this rumour is true. For now, it is neither confirmed nor denied.

Friday 20 March 2009

Phone Lock Picking Continued

I have spent some more time on retrieving the phone lock code from Nokia e-series models. It appears that on e-series phones the security code is not stored in the permanent memory. However, I did manage to find a flag value in the permanent memory which is used to enable or disable the phone lock. On the e65, this is the value in field 308, sector 8. Setting this value to 0x00 disables the phone lock. On the e70, this value is stored in field 95 sector 0. Unfortunately the e71 appears not to store this flag value nor the phone lock code in the PM.

In short, it is difficult to predict where a certain model of the e-series will store its security code data. The best way to find this (at least, that is how I did it) is comparing memory dumps of a test model before and after changing security codes and enabling/disabling the code. I used the tool vbindiff to compare the dumps and find differences. The differences may indicate where security code data is stored.
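The comparison step, as an added example (not the author's tooling; vbindiff does the same interactively): two constructed 64-byte stand-ins for PM dumps are compared byte-for-byte and the differing offsets are grouped into ranges. The placement of the code digits at offset 24 and a lock flag at offset 48 is purely by construction and says nothing about real Nokia layouts.

```python
def make_dump(code, lock_enabled):
    """Constructed stand-in for a PM dump (not a real Nokia layout): 64 bytes of
    fixed filler, the security code's ASCII digits at offset 24 and a one-byte
    lock flag at offset 48."""
    d = bytearray(range(64))
    d[24:24 + len(code)] = code.encode("ascii")
    d[48] = 0x01 if lock_enabled else 0x00
    return bytes(d)


def diff_dumps(before, after):
    """Return (offset, old_byte, new_byte) for every differing position, the
    byte-for-byte comparison vbindiff shows on screen. Dumps of the same model
    should be the same size, so a length mismatch is an error, not truncated."""
    if len(before) != len(after):
        raise ValueError("dumps differ in length: %d vs %d" % (len(before), len(after)))
    return [(i, a, b) for i, (a, b) in enumerate(zip(before, after)) if a != b]


def group_ranges(diffs):
    """Collapse consecutive offsets into (first, last) ranges, so a multi-byte
    code shows up as one region instead of five separate hits."""
    ranges = []
    for off, _, _ in diffs:
        if ranges and off == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], off)
        else:
            ranges.append((off, off))
    return ranges


def describe(before, after):
    """Human-readable lines: offset range plus the old and new bytes in hex."""
    lines = []
    for first, last in group_ranges(diff_dumps(before, after)):
        lines.append("0x%04x-0x%04x: %s -> %s" % (
            first, last, before[first:last + 1].hex(), after[first:last + 1].hex()))
    return lines


if __name__ == "__main__":
    # Experiment 1: change the code, leave the lock on -> only the code region moves.
    code_a, code_b = make_dump("12345", True), make_dump("67890", True)
    print("changed code:", describe(code_a, code_b))
    # Experiment 2: same code, lock disabled -> only the flag byte moves.
    print("disabled lock:", describe(code_b, make_dump("67890", False)))
```

Running the two experiments separately (change the code; then toggle the lock) is what isolates the two kinds of data the post talks about: the digit run and the single flag byte each show up as their own range.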

Wednesday 11 March 2009

How to pick a Nokia phone lock

Today, I have been working on security code retrieval from various Nokia smart phones. Nokia phones can be configured to lock the device (note the difference with the SIM PIN code) with a password after a certain period of time and at boot time. A locked phone does not respond to USB, Bluetooth or keyboard input. You can see how this may pose a problem for a forensic investigation of such a device...

For Nokia phones there are ways to retrieve or reset this security code without changing relevant user data on the phone.
1. For DCT3 and DCT4 models of Nokia it is possible to calculate a master code from the phone's IMEI number. This 10-digit master code overrides the security code. Unfortunately the newer phones are not DCT3 or DCT4, but BB5 phones.

2. THC posted a method that uses a flaw in the Nokia software to auto-execute software from the MMC card even though the phone is locked. I haven't tried this method (yet), but I am curious to see on which Nokia models it works and whether it depends on the OS version.

3. This is my favourite, since it only involves a read from memory, so I can guarantee not to alter any user data. All that is needed is a flasher tool like JAF or NSS and the proper cables.
Nokia phones store the security code in a part of the memory called the persistent memory or PM. The PM is not touched by the ROM flash file when the phone is flashed. The PM may store information like the security code, Bluetooth address and service provider info. The JAF tool can extract this PM and store it. A quick peek into these PM files shows the security code in clear text! I have tried it on the following models: Nokia 6600, N72, N78 and N95. Here is an example of a PM value containing the security code:
[35]
0=35 34 33 32 31 00 00 00

The first 5 bytes contain the 5 digits of the security code; just subtract 0x30 from each byte. This results in 54321 as the security code. Easy huh! Now, I have tried this method on an E70 and E71, but it appears these models store the security code in some encoded form.
This method might just work for all newer Nokia models that do not have a QWERTY keyboard.
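An added parser for the PM text layout shown above and the digit decoding rule (example code, not the author's or JAF's): it reads '[field]' sections and 'record=hex bytes' lines, decodes records whose leading bytes are ASCII digits by subtracting 0x30, and returns nothing for records that are not plain digits, which is the situation the post reports for the E70/E71. The minimum code length of 5 digits used when scanning is an assumption taken from the 5-digit example.

```python
import re

SECTION_RE = re.compile(r"^\[(\d+)\]$")
ENTRY_RE = re.compile(r"^(\d+)=((?:[0-9A-Fa-f]{2})(?: [0-9A-Fa-f]{2})*)$")


def parse_pm(text):
    """Parse '[field]' sections with 'record=hex bytes' lines into
    {field: {record: bytes}}. Any other non-blank line is rejected."""
    pm, field = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            field = int(m.group(1))
            pm.setdefault(field, {})
            continue
        m = ENTRY_RE.match(line)
        if m is None or field is None:
            raise ValueError("unrecognised PM line: %r" % raw)
        pm[field][int(m.group(1))] = bytes.fromhex(m.group(2).replace(" ", ""))
    return pm


def decode_security_code(record):
    """The post's rule: each leading byte minus 0x30 is one digit, 0x00 is
    padding. Returns None when a byte before the padding is not an ASCII
    digit, i.e. the record is not a clear-text code."""
    digits = []
    for b in record:
        if b == 0x00:
            break
        if not 0x30 <= b <= 0x39:
            return None
        digits.append(str(b - 0x30))
    return "".join(digits) or None


def find_codes(pm, min_digits=5):
    """Scan every record for a clear-text digit run; min_digits=5 is an
    assumption based on the 5-digit code in the post, to skip short
    numeric fields that are not security codes."""
    hits = []
    for field, records in sorted(pm.items()):
        for rec, data in sorted(records.items()):
            code = decode_security_code(data)
            if code is not None and len(code) >= min_digits:
                hits.append((field, rec, code))
    return hits


# Constructed sample: the record from the post plus one non-digit record,
# standing in for the encoded form seen on other models.
SAMPLE_PM = """[35]
0=35 34 33 32 31 00 00 00
[36]
0=A1 B2 C3 D4 00 00 00 00
"""

if __name__ == "__main__":
    print(find_codes(parse_pm(SAMPLE_PM)))   # [(35, 0, '54321')]
```

Because the decoder refuses anything that is not an ASCII digit, a model that stores the code in some encoded form simply produces no hits rather than a wrong code, which is the safer failure for a forensic tool.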

I have yet to see how security codes can be retrieved, reset or circumvented on other phones.

Tuesday 3 March 2009

Hello World

Welcome to my fresh blog on small scale digital device forensics!
Let me give you a small introduction of myself. My name is Ivo Pooters and I am currently (hopefully not for long) a student of Information Security at the Technical University of Eindhoven. Just recently I discovered the wonderful world of digital forensics and decided to do my thesis research in this area. Besides doing my thesis I am working at the Forensics department of Fox-IT, a company specialized in Information Security.
To give you a small insight into my thesis project: I am looking into new methods to acquire a forensic image from Symbian smartphones. Of course, in time the results will be posted here.

My plan with this blog is to share my thoughts, information and experiences with anyone who is interested. Even more, I am looking forward to useful comments from you people.