Stalkerware is monitoring software or spyware that is used for cyberstalking. The term was coined when people started to widely use commercial spyware to spy on their spouses or intimate partners. (https://en.wikipedia.org/wiki/Stalkerware) TinyCheck allows you to easily capture network communications from a smartphone or any device which can be associated to a Wi-Fi access point in order to quickly analyze them. This can be used to check if any suspect or malicious communication is outgoing from a smartphone. (https://github.com/felixaime/TinyCheck-1) In addition to showing what an excellent defense tool TinyCheck is, in my talk I’ll show how I have modified it for forensic acquisition of messaging application in support for LE, obtaining a tool that users can fully inspect to verify what’s happening in every step of the acquisition.

1. © D.S.A. S.r.l. SFSCONF 11-11-2022
Open Source Digital Forensics –
Wiretapping and Defence
Open Source digital forensics 104
Alessandro Farina – forensics@dsa.it

2. Open Source Digital
Forensics
wiretapping and
defence
• Stalkerware
• TinyCheck
• Forensics acquisition of Cloud data for
Apps

3. Open Source Digital Forensics
wiretapping and defence
Digital Forensics Definition
«What is digital forensics? Digital forensics is the field of forensic science that is concerned with
retrieving, storing and analyzing electronic data that can be useful in criminal investigations. This
includes information from computers, hard drives, mobile phones and other data storage devices.”
(https://www.nist.gov/digital-evidence)
For Italian Law: genuinità, non ripudiabilità, imputabilità ed integrità
Translation: authenticity, non repudiation, attributability and integrity

4. Fantastic closed and proprietary tools

5. Black box forensics

6. Open Source Digital Forensics
wiretapping and defence
Stalkerware
“Stalkerware” are software programs, apps and
devices that enable someone to secretly spy on
another person’s private life via their mobile
device.
The abuser can remotely monitor the whole
device including web searches, geolocation, text
messages, photos, voice calls and much more.
Such programs are surprisingly easy to buy and
install.
They run hidden in the background, without the
affected person knowing or giving their consent.
Regardless of stalkerware’s availability, the abuser
is accountable for using it as a tool and hence for
committing this crime.

7. Open Source Digital Forensics
wiretapping and defence
TinyCheck
TinyCheck is a free and open-source tool, developed and
supported by Kaspersky experts and the IT Security community
(special thanks go to @felixaime, @tenacioustek, @nscrutables
and @Emilien).
The solution was created to help organizations working with
victims of domestic violence. TinyCheck aims to protect privacy
through the detection of stalkerware in a simple, quick and non-
invasive way
SpyGuard is a forked and enhanced version of TinyCheck,
developed by the same author when he was working at Kaspersky.
SpyGuard's main objective is to detect signs of compromise by
monitoring network flows transmitted by a device.
The software is available now on Github
(https://github.com/spyguard)
A short video https://twitter.com/i/status/1331535790392946689
Félix Aimé

8. Open Source Digital Forensics
wiretapping and defence

9. Tinycheck + forensics
Internet

10. Tinycheck + forensics
1. Authenticity
2. Integrity
3. Non repudiation
4. Attributability
?

12. Some useful links
http://www.linuxleo.com/
(very good introduction to DF)
Alessandro Farina
forensics@dsa.it
https://www.caine-live.net/
ELECTRONIC EVIDENCE GUIDE
www.coe.int/cybercrime https://tsurugi-linux.org/index.php
https://twitter.com/felixaime
https://github.com/SpyGuard