Forensic Profiling of an eBook Reader - a practical example

  1. Forensic Profiling of an eBook Reader: A practical example. Mario Piccinelli, mario.piccinelli@ing.unibs.it, University of Brescia, Dept. of Information Engineering, Brescia, Italy.
  2. Outline: 1 Introduction. 2 Ebook reader forensics (Ebook readers; Our example reader: Sony PRS-650; Accessing the data; Exploring the data). 3 Building the timeline (Collected data; Sony Ebook Reader Time Profiler).
  3. Forensics Research: Aims to support investigatory and judicial processes by finding traces in otherwise apparently unpromising raw material, from which it is possible to build a picture of events and activities.
  4. Forensic Profiling: The study and exploitation of traces in order to draw a profile relevant to the investigation of criminal or litigious activities. While traces may not be strictly dedicated to court use, they may increase knowledge of the subject under investigation. So, in this context every trace can be precious.
  6. Ebook readers: Ebook readers are portable electronic devices designed primarily for reading digital books.
  7. Ebook reader forensics: Ebook readers are often ignored by forensic examiners because of: lack of interest (not as interesting as smartphones, of course); lack of knowledge (which kind of data could I find in this device?); lack of instruments and protocols (each device is different from the others, and there is no standard procedure for examination).
  8. Ebook reader forensics: As stated before, ANY kind of information can be useful during an investigation. So, why ignore an ebook reader found at a crime scene or in the possession of a suspected offender? Each ebook reader is different from the others, so at this stage we can't build a standard analysis protocol. In this presentation we will work with a widely available modern ebook reader, the Sony PRS-650.
  9. Just to be clear: I don't work for Sony, and surely this work is not endorsed in any way by Sony. It's just that I own this ebook reader, so I worked on it. Most of the following results could be achieved with other ebook readers from other vendors.
  10. Sony PRS-650: The PRS-650 is a modern ebook reader manufactured by Sony. E-paper display (6 inches, 800x600 pixels). Main input: resistive touch screen. Secondary input: 5 buttons. OS: MontaVista Linux. Storage: 2GB of internal flash memory. Other: removable SDHC and Memory Stick PRO Duo.
  11. Sony PRS-650 supported data: Electronic books (supported formats: EPUB, Adobe PDF, Microsoft Word, TXT, RTF, BBeB). Audio files (supported formats: MP3 and AAC without DRM). Pictures (supported formats: JPEG, GIF, PNG, BMP).
  12. Sony PRS-650 OTHER data: Bookmarks. Word highlighting. Hands-free notes on books. Hands-free and typed memos. Book access and use. Built-in dictionary use.
  13. Sony PRS-650 OTHER data, each carrying timestamps: Bookmarks. Word highlighting. Hands-free notes on books. Hands-free and typed memos. Book access and use. Built-in dictionary use. Timestamps help us draw a profile of the user.
  14. Accessing the data: The PRS-650 provides a USB interface to connect to a host computer. Sony provides software to manage ebooks, pictures, audio, notes and so on (there are also open source alternatives, such as Calibre). But..
  15. Accessing the data: Over USB the device is seen as simple mass storage, and can be treated with standard forensic procedures. The reader is seen as four mass storage devices: one for the main storage area (FAT32), two for the removable cards, and one for the installation files area (FAT16).
  16. Accessing the data: The data we are looking for is stored in the main storage area and in the removable cards (if used). The structure is replicated on each of these, and starts from the "database" folder.
  17. Media content: The folder "media" contains the multimedia elements described before: audio, pictures, books and notes.
  18. Notes: The device can be used to produce "notes". Notes can be written on a virtual keyboard or drawn on the touchscreen. In both cases they are stored in files with the extension ".note", in the "notepads" directory seen before.
  19. Notes: The files with the extension ".note" are XML files. They can contain drawn or typewritten notes. Note the "createDate" field: 1280660410000.000 in Unix time (milliseconds) is Sun, 01 Aug 2010 11:00:10 GMT.
  20. Markup folder: The folder "markup" contains a reproduction of the portion of the filesystem in which the ebooks are stored, starting from the root dir. The root element, i.e. the book itself, is represented here by a directory containing graphical files for hands-free notes drawn on the book.
  21. Markups: For each note drawn on a book, two files are stored: a low-resolution JPEG picture of the page with the note, and a vectorial SVG description of the note itself.
  22. Thumbnails folder: The folder "thumbnails" has the same structure as the "markup" folder previously described. For each multimedia element on the device (not just books) a black-and-white thumbnail is stored here. The creation date of the thumbnail is the date of the first use of the reader after the multimedia element was loaded on the device.
  23. Cache folder: The "cache" folder contains data related to the multimedia files hosted on the device (or on the removable media). The data is stored in XML files, created/updated whenever there could have been a change in the multimedia content (removable media inserted, device disconnected from the host computer). The cache folder on the removable media is slightly different, but the file contents are almost the same.
  24. Media.xml: The file "media.xml" contains a record for each multimedia element with element-specific information. Note the "date" string, with the creation date of the file, and the bookmark date.
  25. cacheExt.xml: The file "cacheExt.xml" contains a record for each multimedia element on the device. For the ebook records, the most interesting sections are: current position, history, markups, preferences.
  26. cacheExt.xml: current position: The "current position" field describes the last position of the document which was shown on the device. Note the timestamp data.
  27. cacheExt.xml: history: The "history" field contains a record for each time a page was turned (max 100 elements), along with timestamp data. This is one of our major sources of forensic data.
  28. cacheExt.xml: markups: The "markups" field contains a record for each markup in the book, each with its creation timestamp. The different kinds of markups are: Annotation (highlighted words), Freehand (freehand drawings), Bookmark (bookmarked pages). There is also a field named "deletedMarkups", with data about the deleted markups. In these records the date field holds the date on which the markup was deleted (the creation date is lost).
  29. cacheExt.xml: markups: The following is the record for the highlighting of a word.
  30. cacheExt.xml: markups: The start and end positions for the aforementioned markup are filetype-specific and encoded in base64. After being decoded, they appear like: T1BTL0hldHR5X0ZlYXRoZXJfMDEwX2NoYXB0ZXIwMS5odG1sI3BvaW50KC8xLzQvMi8yOC8xOjYpAA== ⇓ Base64 decoder ⇓ OPS/Hetty_Feather_010_chapter01.html#point(/1/4/2/28/1:6). This form is EPUB specific.
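The decoding step above in Python, as an added example (not code from the slides or from the Time Profiler project): it decodes the base64 position string shown on the slide and splits it into the content file and the point() path. Treating the trailing NUL as a string terminator, and reading the path as element steps plus a final character offset, are assumptions drawn only from the decoded string.

```python
"""Decode a Sony PRS-650 EPUB markup position as stored in cacheExt.xml."""
import base64
import re

# Value shown on the slide, re-joined across the slide's line wrap.
SAMPLE_POSITION = ("T1BTL0hldHR5X0ZlYXRoZXJfMDEwX2NoYXB0ZXIwMS5odG1"
                   "sI3BvaW50KC8xLzQvMi8yOC8xOjYpAA==")


def decode_position(b64_value):
    """Return (content_file, point_path) from a base64 position string.

    The decoded bytes end with a NUL (the trailing 'AA=='); treating it as a
    C-string terminator is an assumption based on that observation.
    """
    raw = base64.b64decode(b64_value, validate=True)
    text = raw.split(b"\x00", 1)[0].decode("utf-8")
    href, _, fragment = text.partition("#")
    match = re.fullmatch(r"point\(([^)]*)\)", fragment)
    if not match:
        raise ValueError("not an EPUB point() position: %r" % text)
    return href, match.group(1)


def point_steps(point_path):
    """Split '/1/4/2/28/1:6' into element steps and a final character offset.

    This (steps, offset) reading is an assumption: the slides only show the
    decoded string, not its semantics.
    """
    body, _, offset = point_path.lstrip("/").partition(":")
    steps = [int(step) for step in body.split("/")]
    return steps, (int(offset) if offset else None)
```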
  31. cacheExt.xml: markups: The following is the record for a freehand drawing on the book. Note the names of the two files shown before.
  32. cacheExt.xml: preferences: The node "preferences" contains user-defined preferences about the reading of the book (brightness, contrast, ..). The interesting thing is that this node also stores information about access to the built-in dictionaries.
  34. Building the timeline: In our analysis we collected a lot of timestamps, giving a clear picture of how the owner used the device, when he did it and how often. For example, we found the timestamps for the following operations: last reading of a document; creation date of a document; creation date of a note; reading of a page of a document; creation and deletion of markups; lookup of words in the built-in dictionaries.
  35. Building the timeline: To analyze this data, we built a Python script to collect these timestamps from the relevant files, order them and plot the resulting timeline. The script, which we named "Sony Ebook Reader Time Profiler", is available for download at: http://github.com/PicciMario/Sony-Ebook-Reader-Time-Profiler The bundle is made up of a Python script, which scans a directory searching for "cache.xml", "media.xml" and "cacheExt.xml" files and builds a data file, and a GnuPlot script to create a plot from this data file.
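The collect-and-order step, as an added example written here rather than the Time Profiler's own code. The real cacheExt.xml schema is not shown on the slides, so the XML below is a constructed stand-in that uses only the field names the slides mention (current position, history, markups, deletedMarkups); the element and attribute layout is assumed, and the GnuPlot step is left out.

```python
"""Timestamp collector in the spirit of the Sony Ebook Reader Time Profiler."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone


def ms_to_utc(ms):
    """The reader stores Unix time in milliseconds (e.g. 1280660410000.000)."""
    stamp = datetime.fromtimestamp(float(ms) / 1000.0, tz=timezone.utc)
    return stamp.strftime("%Y-%m-%d %H:%M:%S")


# Constructed sample with an assumed layout, not a dump from a real device.
SAMPLE_CACHE_EXT = """<cacheExt>
  <text title="Hetty Feather">
    <currentPosition date="1280661000000"/>
    <history>
      <item page="12" date="1280660500000"/>
      <item page="13" date="1280660560000"/>
    </history>
    <markups>
      <markup type="annotation" date="1280660530000"/>
    </markups>
    <deletedMarkups>
      <markup type="bookmark" date="1280660900000"/>
    </deletedMarkups>
  </text>
</cacheExt>"""

# (path relative to each book record, event label); a deletedMarkups date
# is the deletion time, since the creation date is lost on deletion.
EVENT_SOURCES = [
    ("currentPosition", "last position shown"),
    ("history/item", "page turned"),
    ("markups/markup", "markup created"),
    ("deletedMarkups/markup", "markup deleted"),
]


def collect_events(xml_text):
    """Return (timestamp_ms, book_title, event_label) tuples, unordered."""
    events = []
    for book in ET.fromstring(xml_text).iter("text"):
        title = book.get("title", "?")
        for path, label in EVENT_SOURCES:
            for node in book.findall(path):
                if node.get("date"):
                    events.append((float(node.get("date")), title, label))
    return events


def build_timeline(events):
    """Chronological, tab-separated rows that a plotting script can consume."""
    return ["%s\t%s\t%s" % (ms_to_utc(ts), title, label)
            for ts, title, label in sorted(events)]
```

Run over a real dump, the same functions would be applied to every cacheExt.xml found under the "database" folders of the main storage and of each card, one event list per file.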
  36. Sample results: Sample graph: usage of the reader over a two-month span. X axis: time. Y axis: book involved in the event.
  37. Sample results: Sample graph: usage of the reader over a ten-minute span, for a single book. X axis: time.
  38. Conclusions: Virtually every action performed on the device is logged. It is possible to build a forensically sound timeline. The evidence gathered this way could be used in court to: draw a behavioural profile of a suspected offender; support or deny an alibi; provide additional useful information about the owner.
  39. Thanks for listening! Mario Piccinelli, Graduate Student in Computer Sciences, Digital Forensics Practitioner, Dept. of Computer Sciences, University of Brescia, Italy. mario.piccinelli@ing.unibs.it
