This document discusses methods for acquiring and analyzing data from Windows Phone 8 devices through physical acquisition, logical acquisition from connected devices, and analyzing application data and secrets stored on the devices. It describes partitioning the devices' storage and extracting useful data like contacts, call history, messages, and application data from databases and folders. It also details extracting decrypted user passwords from the registry and decrypting DPAPI blobs to potentially access encrypted vaults containing email passwords and tokens.
This document provides an overview of cloud forensics and describes tools called ClouDIAN that were developed to access cloud storage data through APIs. ClouDIAN scripts were created for Dropbox and Google Drive to retrieve metadata rather than just files. The scripts utilize the API interfaces and SDKs provided by each service. Metadata collected includes file modification times, sizes, hashes, and sharing details. Analyzing this metadata can provide useful insights for forensic investigations.
This document summarizes a study and analysis of the Orbot, Orweb, and Orfox anonymizer apps on Android devices presented at DFRWS EU 2016. It describes the methodology used, which involved installing each app, browsing with them, and analyzing residual data after uninstalling. Analysis was performed on system and app folders to identify usage logs, caches, cookies and other artifacts left behind. The goal was to evaluate the effectiveness of these apps and identify opportunities for forensic analysis of user activity even after the apps are uninstalled.
This document summarizes research into analyzing artifacts from the Tor browser on Windows systems. It describes how the Tor browser leaves various artifacts that can be analyzed, including prefetch files, the UserAssist registry key, thumbnail cache, Windows search database, bookmarks, pagefile.sys, and memory dumps. A real case example is provided where analysis of these artifacts from a laptop revealed that the Tor browser was used to access a blog and publish confidential company information. The researchers were able to determine the Tor browser version, installation date, and timing of the activities related to the information leak. Ongoing research areas are also outlined.
This document provides guidance on building your own mobile forensics methodology (BYOM). It discusses the needs, knowledge, tools, and suggested readings required for mobile forensics. The document outlines knowledge required about mobile operating systems, file systems, file formats, and programming. It also lists commercial, open-source, and hardware tools that can be used and provides information on training resources, best practices, workflows, and standardization in mobile forensics. The goal is to help practitioners develop their own customized mobile forensics methodology.
Windows 8. important considerations for computer forensics and electronic dis...Yury Chemerkin
Windows 8 stores email communications and contacts locally in a format that presents challenges for attorney review in litigation. The testing revealed that Windows 8 imports emails, contacts, and social media information from connected web accounts. Over 2,000 email files were found locally stored in EML format, but no files were found in common formats like MSG, PST, or MBOX. This local storage of email presents potential issues for efficiently processing the communications for discovery in litigation.
This document provides an overview and outline for a research project titled "Finding Forensic Artifacts From Window Registry". The research aims to analyze the Windows Registry to find forensic artifacts from USB devices and unauthorized access. The summary provides background on the structure and contents of the Windows Registry. It also outlines some open problems regarding artifacts left in the Registry when USB devices are connected. The proposed solution will analyze specific locations in the Registry related to USB and other forensic artifacts. This research aims to build upon prior work by providing a deeper analysis of USB device identifiers and Registry locations beyond just installation locations.
This document provides an overview of cloud forensics and describes tools called ClouDIAN that were developed to access cloud storage data through APIs. ClouDIAN scripts were created for Dropbox and Google Drive to retrieve metadata rather than just files. The scripts utilize the API interfaces and SDKs provided by each service. Metadata collected includes file modification times, sizes, hashes, and sharing details. Analyzing this metadata can provide useful insights for forensic investigations.
This document summarizes a study and analysis of the Orbot, Orweb, and Orfox anonymizer apps on Android devices presented at DFRWS EU 2016. It describes the methodology used, which involved installing each app, browsing with them, and analyzing residual data after uninstalling. Analysis was performed on system and app folders to identify usage logs, caches, cookies and other artifacts left behind. The goal was to evaluate the effectiveness of these apps and identify opportunities for forensic analysis of user activity even after the apps are uninstalled.
This document summarizes research into analyzing artifacts from the Tor browser on Windows systems. It describes how the Tor browser leaves various artifacts that can be analyzed, including prefetch files, the UserAssist registry key, thumbnail cache, Windows search database, bookmarks, pagefile.sys, and memory dumps. A real case example is provided where analysis of these artifacts from a laptop revealed that the Tor browser was used to access a blog and publish confidential company information. The researchers were able to determine the Tor browser version, installation date, and timing of the activities related to the information leak. Ongoing research areas are also outlined.
This document provides guidance on building your own mobile forensics methodology (BYOM). It discusses the needs, knowledge, tools, and suggested readings required for mobile forensics. The document outlines knowledge required about mobile operating systems, file systems, file formats, and programming. It also lists commercial, open-source, and hardware tools that can be used and provides information on training resources, best practices, workflows, and standardization in mobile forensics. The goal is to help practitioners develop their own customized mobile forensics methodology.
Windows 8. important considerations for computer forensics and electronic dis...Yury Chemerkin
Windows 8 stores email communications and contacts locally in a format that presents challenges for attorney review in litigation. The testing revealed that Windows 8 imports emails, contacts, and social media information from connected web accounts. Over 2,000 email files were found locally stored in EML format, but no files were found in common formats like MSG, PST, or MBOX. This local storage of email presents potential issues for efficiently processing the communications for discovery in litigation.
This document provides an overview and outline for a research project titled "Finding Forensic Artifacts From Window Registry". The research aims to analyze the Windows Registry to find forensic artifacts from USB devices and unauthorized access. The summary provides background on the structure and contents of the Windows Registry. It also outlines some open problems regarding artifacts left in the Registry when USB devices are connected. The proposed solution will analyze specific locations in the Registry related to USB and other forensic artifacts. This research aims to build upon prior work by providing a deeper analysis of USB device identifiers and Registry locations beyond just installation locations.
The document discusses various methods that can be used to gain unauthorized access to a vault or protected computer systems and networks. It describes techniques like trying combinations, exploiting design flaws, observing others, social engineering, software exploits, malware, phishing, spoofing addresses, and session hijacking. It also notes the risks of buggy software and mistakes that introduce vulnerabilities.
A Presentation on Registry forensics from one of my lectures. Thanks to Harlan Carvy and Jolanta Thomassen for wonderful researches in the field. The work is based on their researches
The document discusses a forensic analysis of the Raspberry Pi 400 computer. It introduces the presenter as an Italian digital forensics expert and researcher. It then provides an overview of the Raspberry Pi 400 specifications and imaging process before analyzing its file system, including configuration files, browser caches and logs that could contain evidentiary data. Contact information is provided for the presenter.
The Badtrans worm became widespread in late 2001 due to new features copied from the Nimda virus that helped it spread quickly. It arrived as an email attachment containing code and configuration data that controlled its behavior. This allowed the author to change the worm's behavior without recompiling the code. The configuration data specified behaviors like file names, registry keys, and control bits that determined activities like logging and encryption. These flexible control bits helped Badtrans spread widely and effectively.
This document discusses forensic analysis of the Apple TV. It begins by outlining the history and models of the Apple TV, including the 1st through 4th generations. It then covers identification of Apple TV models, challenges with acquisition for different generations, and potential data sources for analysis. Finally, it proposes a methodology for Apple TV forensics, including extracting data through USB, syslog, and jailbreaking if needed. The document provides an in-depth look at analyzing various artifacts and files that may be forensically relevant from the Apple TV.
Android is a software stack that includes an operating system, middleware, and key applications for mobile devices. It provides core applications like email, SMS, calendar, maps, browser, and contacts. All applications are written in Java. Android includes libraries exposed through the framework and uses the Dalvik VM to execute apps in a secure environment. NETWORKMEDIA STREAMING allows users to access and stream media files from their network by installing a server on one computer and using a client app to browse, select, and play files on their mobile device.
Computer Forensics & Windows Registrysomutripathi
The document discusses how the Windows registry can be used in computer forensics investigations to find evidence of user activity. It describes several registry keys that contain useful information, such as installed software, autorun locations, most recently used lists, wireless networks connected to, USB devices used, and internet browsing history. The registry acts as a log that can correlate user activity to specific times by tracking last write times of registry keys and values.
This document summarizes recent cybersecurity news and events in the information security field. It discusses several security conferences that recently occurred including Brucon, Derbycon, and HITB as well as the arrest of members of the hacker group Lulzsec. It also covers recent vulnerabilities including a chosen plaintext attack against AES in SSL/TLS, the compromise of the mysql.com website, and an Apache reverse proxy bypass issue. Lastly, it mentions new security tools releases, recent malware activity including new Android threats, and recommended security reading materials.
Maximiliano Soler gives a presentation on using Google to gather information without sophisticated mechanisms. He demonstrates how to use Google search operators ("dorks") to find vulnerable products, error messages, sensitive files and passwords, foot holds for access, and more. He recommends securing servers and applications, disabling directory browsing, not publishing sensitive info without authentication, and analyzing website search traffic for security.
Advanced Information Gathering AKA Google HackingGareth Davies
A talk I gave at Hack in the Box (HITB) 2004 about Information Gathering AKA Google Hacking and more.
The talk covers the lesser known aspects of Google, tools such as Athena and Sitedigger and the amount of random misconfiguration that can be found with a little careful search engine manipulation. Other useful public databases will be covered with some details on how to leverage the maximum amount of detail on any given target.
Also an introduction to the Google API and how it can be used or abused during a penetration test or hack attempt. This presentation will include a live demonstration in which the above techniques will used to gather coveted information about both random and targeted organizations.
This document discusses fileless attacks, which use existing software and authorized protocols to carry out malicious activities without downloading files. Fileless attacks can use things like PowerShell, WMI, browsers, and Office applications to connect to command and control servers and execute malicious scripts in memory only. Some behaviors and evidence of fileless attacks include unusual child processes starting, legitimate DLLs loading from unexpected parents, and applications like Word or Excel invoking PowerShell or making network connections. The document demonstrates detecting fileless attacks using Event IDs in Windows logs related to process creation and PowerShell pipeline execution details.
Firefox originated from Netscape Navigator and was released as open source software. It has similar functionality to Internet Explorer but also introduces useful new features like tabbed browsing. Firefox comes with security benefits over Internet Explorer and a wide variety of customizable extensions.
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON
This document summarizes a talk on conducting a 15-minute Linux live analysis to determine if a system has been hacked with minimal disturbance. The talk discusses opening a case, collecting key system data like processes and users through scripted network listeners, and analyzing the data to look for signs of compromise. It also covers next steps like dead analysis if evidence of hacking is found. The goal is to quickly identify breaches while preserving evidence through an automated and mostly non-invasive process.
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON
Windows 10 takes two steps forward in security but one step back according to the presentation. It introduces improvements like isolated user mode for LSASS and the Edge browser, but also retains or introduces issues like UAC bypass techniques still working and font drivers allowing user code execution. The presentation demonstrated local privilege escalation on Windows 10 by abusing a UAC bypass and highlighted ongoing issues like third-party drivers and cumulative updates.
The document discusses how browser helper objects (BHOs) can be used maliciously to hack websites. It provides an overview of the attack, demonstrations modifying website content and JavaScript, an analysis of the scope and advantages, technical details on how BHOs work and access browser interfaces, and potential defenses including disabling BHOs or improving how browsers handle them. The presentation aims to teach how to hack websites using BHOs and ends with contact information and a question/answer section.
This document provides an introduction to malware analysis through a presentation. It discusses key concepts like Zeus malware, behavioral analysis through tools like NetworkMiner and Wireshark, reverse engineering malware using tools like OllyDbg, and submitting samples to VirusTotal for analysis. The presentation emphasizes setting up an analysis workstation, analyzing malware behavior on networks and systems, reverse engineering code to understand malware functionality, and using virtual environments and tools safely to explore malware without risking real systems. It provides examples of real malware like Zeus to illustrate analysis concepts and techniques.
Google Dorks: Analysis, Creation, and new DefensesFlavio Toffalini
1) The document analyzes Google dorks, which are search queries used by attackers to find vulnerable systems. It presents a taxonomy of existing dorks and motivates the need for new defenses.
2) The authors introduce a new type of "word-based" dork that uses common words left by content management systems to target websites built with those systems. An algorithm is developed to automatically generate effective word-based dorks.
3) Defenses against word-based dorks are proposed, such as inserting invisible Unicode characters into common words to prevent search engines from indexing them. The document concludes by motivating the need for continued research into new dork types and defenses.
James Forshaw gave a presentation on privilege escalation in Windows. He discussed several ways that logical vulnerabilities could allow escalating privileges, such as through command line arguments passed to services, exposed device namespaces, impersonation, and default permissions. He provided examples of exploiting vulnerabilities in services, drivers, and other parts of the Windows attack surface to gain elevated privileges on the system.
El documento habla sobre la tradición de quemar monigotes gigantes de papel al final del año en un suburbio de la ciudad. Este año, la novedad es que dos barrios más se sumarán a la tradición. A pesar del clima frío y lluvioso, cientos de personas visitaron los monigotes gigantes para tomarse fotografías. Tres religiosas también visitaron los monigotes y una dijo considerarlos una forma de arte.
París frena la ‘tasa tobin’ después de defenderla durante años | economía | e...ManfredNolte
Francia ha cambiado su postura sobre la Tasa Tobin y ahora exige a la UE que reduzca el alcance del impuesto sobre las transacciones financieras. El ministro de Economía francés argumenta que la tasa propuesta podría perjudicar la industria financiera francesa y su economía. Francia ha pasado de ser un firme defensor de la tasa a oponerse a ella y pedir numerosas excepciones que reducirían su impacto, convirtiéndola en insignificante. Grupos como Attac advierten que Francia ha cedido
This document discusses using new media such as pay-per-click advertising, blogging, and online public relations to reach interested markets. It notes that with over 1.5 billion internet users worldwide in 2009, new media allows businesses to tell their story directly to customers rather than relying on expensive traditional advertising or mainstream media coverage. The document advocates using low-cost, targeted approaches like pay-per-click advertising and blogging for business purposes rather than traditional marketing techniques.
The document discusses various methods that can be used to gain unauthorized access to a vault or protected computer systems and networks. It describes techniques like trying combinations, exploiting design flaws, observing others, social engineering, software exploits, malware, phishing, spoofing addresses, and session hijacking. It also notes the risks of buggy software and mistakes that introduce vulnerabilities.
A Presentation on Registry forensics from one of my lectures. Thanks to Harlan Carvy and Jolanta Thomassen for wonderful researches in the field. The work is based on their researches
The document discusses a forensic analysis of the Raspberry Pi 400 computer. It introduces the presenter as an Italian digital forensics expert and researcher. It then provides an overview of the Raspberry Pi 400 specifications and imaging process before analyzing its file system, including configuration files, browser caches and logs that could contain evidentiary data. Contact information is provided for the presenter.
The Badtrans worm became widespread in late 2001 due to new features copied from the Nimda virus that helped it spread quickly. It arrived as an email attachment containing code and configuration data that controlled its behavior. This allowed the author to change the worm's behavior without recompiling the code. The configuration data specified behaviors like file names, registry keys, and control bits that determined activities like logging and encryption. These flexible control bits helped Badtrans spread widely and effectively.
This document discusses forensic analysis of the Apple TV. It begins by outlining the history and models of the Apple TV, including the 1st through 4th generations. It then covers identification of Apple TV models, challenges with acquisition for different generations, and potential data sources for analysis. Finally, it proposes a methodology for Apple TV forensics, including extracting data through USB, syslog, and jailbreaking if needed. The document provides an in-depth look at analyzing various artifacts and files that may be forensically relevant from the Apple TV.
Android is a software stack that includes an operating system, middleware, and key applications for mobile devices. It provides core applications like email, SMS, calendar, maps, browser, and contacts. All applications are written in Java. Android includes libraries exposed through the framework and uses the Dalvik VM to execute apps in a secure environment. NETWORKMEDIA STREAMING allows users to access and stream media files from their network by installing a server on one computer and using a client app to browse, select, and play files on their mobile device.
Computer Forensics & Windows Registrysomutripathi
The document discusses how the Windows registry can be used in computer forensics investigations to find evidence of user activity. It describes several registry keys that contain useful information, such as installed software, autorun locations, most recently used lists, wireless networks connected to, USB devices used, and internet browsing history. The registry acts as a log that can correlate user activity to specific times by tracking last write times of registry keys and values.
This document summarizes recent cybersecurity news and events in the information security field. It discusses several security conferences that recently occurred including Brucon, Derbycon, and HITB as well as the arrest of members of the hacker group Lulzsec. It also covers recent vulnerabilities including a chosen plaintext attack against AES in SSL/TLS, the compromise of the mysql.com website, and an Apache reverse proxy bypass issue. Lastly, it mentions new security tools releases, recent malware activity including new Android threats, and recommended security reading materials.
Maximiliano Soler gives a presentation on using Google to gather information without sophisticated mechanisms. He demonstrates how to use Google search operators ("dorks") to find vulnerable products, error messages, sensitive files and passwords, foot holds for access, and more. He recommends securing servers and applications, disabling directory browsing, not publishing sensitive info without authentication, and analyzing website search traffic for security.
Advanced Information Gathering AKA Google HackingGareth Davies
A talk I gave at Hack in the Box (HITB) 2004 about Information Gathering AKA Google Hacking and more.
The talk covers the lesser known aspects of Google, tools such as Athena and Sitedigger and the amount of random misconfiguration that can be found with a little careful search engine manipulation. Other useful public databases will be covered with some details on how to leverage the maximum amount of detail on any given target.
Also an introduction to the Google API and how it can be used or abused during a penetration test or hack attempt. This presentation will include a live demonstration in which the above techniques will used to gather coveted information about both random and targeted organizations.
This document discusses fileless attacks, which use existing software and authorized protocols to carry out malicious activities without downloading files. Fileless attacks can use things like PowerShell, WMI, browsers, and Office applications to connect to command and control servers and execute malicious scripts in memory only. Some behaviors and evidence of fileless attacks include unusual child processes starting, legitimate DLLs loading from unexpected parents, and applications like Word or Excel invoking PowerShell or making network connections. The document demonstrates detecting fileless attacks using Event IDs in Windows logs related to process creation and PowerShell pipeline execution details.
Firefox originated from Netscape Navigator and was released as open source software. It has similar functionality to Internet Explorer but also introduces useful new features like tabbed browsing. Firefox comes with security benefits over Internet Explorer and a wide variety of customizable extensions.
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON
This document summarizes a talk on conducting a 15-minute Linux live analysis to determine if a system has been hacked with minimal disturbance. The talk discusses opening a case, collecting key system data like processes and users through scripted network listeners, and analyzing the data to look for signs of compromise. It also covers next steps like dead analysis if evidence of hacking is found. The goal is to quickly identify breaches while preserving evidence through an automated and mostly non-invasive process.
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON
Windows 10 takes two steps forward in security but one step back according to the presentation. It introduces improvements like isolated user mode for LSASS and the Edge browser, but also retains or introduces issues like UAC bypass techniques still working and font drivers allowing user code execution. The presentation demonstrated local privilege escalation on Windows 10 by abusing a UAC bypass and highlighted ongoing issues like third-party drivers and cumulative updates.
The document discusses how browser helper objects (BHOs) can be used maliciously to hack websites. It provides an overview of the attack, demonstrations modifying website content and JavaScript, an analysis of the scope and advantages, technical details on how BHOs work and access browser interfaces, and potential defenses including disabling BHOs or improving how browsers handle them. The presentation aims to teach how to hack websites using BHOs and ends with contact information and a question/answer section.
This document provides an introduction to malware analysis through a presentation. It discusses key concepts like Zeus malware, behavioral analysis through tools like NetworkMiner and Wireshark, reverse engineering malware using tools like OllyDbg, and submitting samples to VirusTotal for analysis. The presentation emphasizes setting up an analysis workstation, analyzing malware behavior on networks and systems, reverse engineering code to understand malware functionality, and using virtual environments and tools safely to explore malware without risking real systems. It provides examples of real malware like Zeus to illustrate analysis concepts and techniques.
Google Dorks: Analysis, Creation, and new DefensesFlavio Toffalini
1) The document analyzes Google dorks, which are search queries used by attackers to find vulnerable systems. It presents a taxonomy of existing dorks and motivates the need for new defenses.
2) The authors introduce a new type of "word-based" dork that uses common words left by content management systems to target websites built with those systems. An algorithm is developed to automatically generate effective word-based dorks.
3) Defenses against word-based dorks are proposed, such as inserting invisible Unicode characters into common words to prevent search engines from indexing them. The document concludes by motivating the need for continued research into new dork types and defenses.
James Forshaw gave a presentation on privilege escalation in Windows. He discussed several ways that logical vulnerabilities could allow escalating privileges, such as through command line arguments passed to services, exposed device namespaces, impersonation, and default permissions. He provided examples of exploiting vulnerabilities in services, drivers, and other parts of the Windows attack surface to gain elevated privileges on the system.
El documento habla sobre la tradición de quemar monigotes gigantes de papel al final del año en un suburbio de la ciudad. Este año, la novedad es que dos barrios más se sumarán a la tradición. A pesar del clima frío y lluvioso, cientos de personas visitaron los monigotes gigantes para tomarse fotografías. Tres religiosas también visitaron los monigotes y una dijo considerarlos una forma de arte.
París frena la ‘tasa tobin’ después de defenderla durante años | economía | e...ManfredNolte
Francia ha cambiado su postura sobre la Tasa Tobin y ahora exige a la UE que reduzca el alcance del impuesto sobre las transacciones financieras. El ministro de Economía francés argumenta que la tasa propuesta podría perjudicar la industria financiera francesa y su economía. Francia ha pasado de ser un firme defensor de la tasa a oponerse a ella y pedir numerosas excepciones que reducirían su impacto, convirtiéndola en insignificante. Grupos como Attac advierten que Francia ha cedido
This document discusses using new media such as pay-per-click advertising, blogging, and online public relations to reach interested markets. It notes that with over 1.5 billion internet users worldwide in 2009, new media allows businesses to tell their story directly to customers rather than relying on expensive traditional advertising or mainstream media coverage. The document advocates using low-cost, targeted approaches like pay-per-click advertising and blogging for business purposes rather than traditional marketing techniques.
The document is about the sum of the first n odd numbers. It shows that the nth odd number can be written as a formula of 2n-1. It then expresses the sum of the first n odd numbers as a formula using this, arriving at the conclusion that the sum of the first n odd numbers is n^2.
Este documento presenta una guía sobre el género lírico y la poesía chilena para una clase de lengua y literatura. Incluye objetivos de identificar elementos básicos del género lírico como la actitud del hablante lírico y figuras retóricas. También contiene ejercicios para identificar estas características en diferentes versos asignando números y letras.
Comunicado mesa de unidad agraria. 15 julio 2013Aurelio Suárez
El documento declara que la crisis de la producción agropecuaria en Colombia es grave debido al libre comercio y la falta de políticas que protejan a los agricultores. Mientras que otros países como EE.UU. y la Unión Europea subsidian a sus agricultores entre un 20-50% de sus ingresos, en Colombia no hay subsidios. Además, la agricultura colombiana tiene uno de los créditos y costos de insumos más altos de América Latina. Por estas razones, la Mesa Nacional de Unidad Agropecuaria planea realizar una movil
El documento describe 5 niveles de comprensión de lectura: 1) comprensión literal, 2) inferencial, 3) crítica, 4) apreciativa, y 5) creadora. Cada nivel implica un grado más profundo de análisis del texto, desde reconocer las ideas explícitas hasta crear nuevos trabajos basados en lo leído.
El documento presenta un cuadro comparativo de las características de cuatro tipos de discapacidad intelectual - leve, moderada, grave y profunda. La discapacidad intelectual leve se caracteriza por habilidades sociales aceptables y la capacidad de mantener conversaciones sencillas. La discapacidad intelectual moderada incluye dificultades en el lenguaje y la lectura/escritura, pero la persona puede aprender un oficio. Las personas con discapacidad intelectual grave presentan dificultades en el lenguaje oral y
Comparative Study of Geotechnical Properties of Abia State Lateritic DepositsIOSR Journals
This document compares the geotechnical properties of lateritic deposits from five locations in Abia State, Nigeria. Laboratory tests were conducted on soil samples from each location to determine properties like classification, moisture content, density, strength, and permeability. The results showed that the Amaoba deposit performed best, meeting most specifications for road construction applications. The Timber Market sample performed worst and was deemed unsuitable without stabilization. In general, the Amaoba, Ubakala, Isiala-Ngwa, and Ohiya deposits were found suitable for uses like subgrade and fill, while only Amaoba was fully suitable as a base course material.
Noelle Hurd, Ph.D. - Assistant Professor, Department of Psychology and Curry School of Education,University of Virginia
Part of the Youth-Nex Conference: Youth of Color Matter: Reducing Inequalities Through Positive Youth Development
Panel 1 - "Culturally-Grounded Approaches to Positive Youth Development"
Cultural beliefs, traditions, and pride can play an integral role in promoting positive development for youth from ethnic minority backgrounds. In this panel, we will hear about connections between cultural values and healthy development for American Indian youth, culturally-linked coping strategies among African American teens, and the benefits of emphasizing cultural pride in natural mentoring relationships.
The document describes a battery management system that includes:
- A smart battery with a controller that calculates state of charge and communicates with a local host system, and a control circuit that regulates current and charge/discharge.
- A management system with flexible architecture, accurate state of charge calculation, intelligent current control for balancing and safety, compatibility with multiple platforms, and cloud computing for data analysis and display.
- The system monitors and controls lithium-ion batteries in applications like electric vehicles through current control, data communication, and a control panel that displays state of charge.
ACCOMPLISHED HR PROFESSIONAL:
Nearly 21 years’ comprehensive experience with impressive success in managing the entire gamut of HR and Administrative Operations of leading MNCs
The document discusses various digital forensic techniques for analyzing a Windows system to uncover evidence. It outlines 10 different avenues of analysis including NTFS attributes, the registry, prefetch files, print spool files, the recycle bin, thumbs.db, event logs, internet history files, shortcut files, and system restore points. Each technique is briefly described with examples of how they can be used to answer questions about "who, when, why and how" on a system.
EMM Limits & Solutions
The research goal is analyzes methods developed to reveal resources must be protected. These methods help to evaluate and estimate effectiveness of application & information security against available activities and features; evaluate how critical the emerging risk is in alignment technical solutions like MAM&MIM.
This document summarizes key evidentiary artefacts that can be found in Windows 8 relating to the operating system, applications, and user activity. It outlines where to find artefacts from the UEFI, secure boot, file systems, registry hives, internet activity, search history, picture passwords, installed applications like email/social media, and documents stored in services like OneDrive and OneNote. Locations include the registry, user folders, application folders, and database files.
6.3. How to get out of an inprivacy jaildefconmoscow
The document provides advice on how to examine mobile applications from a forensic perspective by analyzing what types of personal data different applications may store, including contacts, messages, media files, and account information. Specific examples are given for examining applications like WhatsApp, Facebook Messenger, Instagram, and Google Maps to understand what kinds of private user data may be accessible through a forensic analysis. The goal is to understand how to extract important evidence from a variety of mobile applications that people use everyday.
MacOS forensics and anti-forensics (DC Lviv 2019) presentationOlehLevytskyi1
MacOS forensics and anti-forensics (DC Lviv 2019) presentation. Prepared specially for DC38032. Prepared by Oleh Levytskyi (https://twitter.com/LeOleg97)
Methods and Instruments for the new Digital Forensics Environmentspiccimario
This document discusses Mario Piccinelli's PhD thesis focused on digital forensics of modern devices like the iPhone, eBook readers, and voyage data recorders. It summarizes that these devices store digital data that may be required for investigations but have not been well-studied forensically. It describes analyzing backups of iOS devices and eBook readers to extract useful metadata and build timelines of usage. For voyage data recorders, it explains recovering raw data files and building tools to parse and visualize the data in NMEA format for use in accident investigations.
The document discusses the roles and responsibilities of a computer forensic investigator. It explains that an investigator must gather digital evidence in a forensically-sound manner from various computer systems and devices. This includes recovering deleted files, analyzing file slack and unallocated space, validating email messages, and using file hashes and metadata to determine what files were created on which devices. The goal is to properly handle, analyze, and present admissible digital evidence in court.
This document summarizes several Windows registry keys and artifacts that can provide information about a user's digital activities. It describes keys that track recently opened files, installed applications, browser history and search terms, network connections, and more. Examining these locations can reveal details like the files and websites a user accessed, when they were accessed, and from where they originated.
The document discusses various components and services provided by operating systems. It describes system components like process management, memory management, file management, I/O management, and secondary storage management. It also discusses operating system services like program execution, I/O operations, file manipulation, communications, error detection, resource allocation, and accounting. The document explains system calls that provide an interface between processes and the operating system and covers types of system calls for process control, file management, device management, and information maintenance. It also briefly discusses system programs, communication models, and execution of programs in MS-DOS and UNIX operating systems.
Metadata Security: MetaShield ProtectorChema Alonso
This document discusses how metadata, hidden information, and lost data can be extracted from files using tools like FOCA for tactical fingerprinting purposes. It provides examples of the types of information that can be found, such as users, paths, devices, and more. The document warns that most people and organizations are unaware of these issues and fail to properly clean files before publishing them. It demonstrates how tools can extract this extra information and identifies weaknesses in common file types and cleaning procedures. The author encourages thorough cleaning of documents and limiting what users publish to avoid unintentionally leaking sensitive information.
This document provides an overview of the Windows Registry, including its structure, key locations, and the types of digital evidence that can be recovered from analyzing the Registry. It discusses how the Registry stores system configuration information, user preferences, installed programs, and other digital artifacts. Specific tools are also mentioned for parsing Registry keys and values, such as RegRipper and Registry Explorer.
Forensic artifacts in modern linux systemsGol D Roger
This document provides an overview of a workshop on forensic artifacts in modern Linux systems. It will cover topics such as partitions and filesystems, boot loaders, the Linux file system layout, systemd configuration for services and scheduled tasks, installed software and packages, log files and the systemd journal. The workshop format will involve both presentations and demonstrations of analyzing disk images and artifacts. It is aimed at forensic investigators and showing what can be discovered from compromised, criminal, or seized Linux systems.
The need of Interoperability in Office and GIS formatsMarkus Neteler
Free GIS and Interoperability: The need of Interoperability in Office and GIS formats
GIS Open Source, interoperabilità e cultura del dato nei SIAT della Pubblica Amministrazione
[GIS Open Source, interoperability and the 'culture of data' in the spatial data warehouses of the Public Administration]
The presentation is all about computer forensics. the process , the tools and its features and some example scenarios.. It will give you a great insight into the computer forensics
This document provides an overview of computer forensics. It defines computer forensics and explains its need in addressing rising cybercrime. It outlines types of computer forensics and common cybercrimes. The document also describes the components and steps involved in computer forensics investigations, including acquiring evidence, creating forensic images, and analyzing data. It discusses important digital evidence sources like metadata, slack space, swap files, and unallocated space.
The document provides an overview of operating systems, their functions, and examples of popular operating systems. It discusses how operating systems manage system resources like the CPU, memory, and I/O devices. The key functions of an operating system are then summarized as input/output management, memory management, job management, and file management. Popular operating systems mentioned include versions of Windows, Mac OS, Linux, UNIX, and MS-DOS.
Protecting Your Key Asset – Data Protection Best Practices V2.0 FinalVinod Kumar
The document discusses various data protection best practices, including using encryption techniques like Encrypting File System (EFS) and Windows Rights Management Services (RMS) to secure files and data on devices. It also covers database security practices like implementing proper permissions on SQL Server principals and securables. The key recommendations are to use all available security controls including technology, processes and people, practice defense in depth, and reduce potential vulnerabilities.
Similar to Discovering Windows Phone 8 Artifacts and Secrets (20)
This document summarizes the state of iOS forensics. It discusses 4 scenarios for analyzing iOS devices based on their power and lock state. It also describes techniques for preservation, acquisition, and analysis including disabling locks, extracting lockdown certificates, Checkm8 exploitation, jailbreaking, and analyzing native and third-party application data. The document is presented by Mattia Epifani, an Italian digital forensics expert and instructor.
The Samsung, now Seagate, SecretZone (SSZ) is a software program that protects personal information by creating a secure, password-‐protected folder on the Samsung external drive. This software is provided free along with Samsung devices, as for example a M series device, and can only be used with such devices.
This presentation will share two real DF cases where such tool was used by the suspects to hide their data, and how these cases were handled to overcome such protection. Moreover a major flaw in the SSZ implementation will be addressed, which allows to easily decrypt the whole "secret zone", despite the strong algorithms used (AES, Blowfish).
In the last years several things have chaned in the world of iOS forensics, both in terms of acquisition and in terms of analysis. The objective of this presentation is to provide an overview of the state of the art in terms of acquisition techniques and overcoming of the device's protection mechanisms, in particular the access code chosen by the user. In addition, the presentation aims to highlight what information we are missing by using the techniques and tools available on the market and what are the alternative paths we can use to overcome this problem
Windows credentials manager stores users’ credentials in special folders called vaults. Being able to access such credentials could be truly useful during a digital investigation for example, to gain access to other protected systems. Moreover, if data is in the cloud, there is the need to have the proper tokens to access it. This presentation will describe vaults’ internals and how they can be decrypted; the related
Python Open Source code will be made publicly available. During the session, credentials and vaults coming from Windows 7, Windows 8.1 and Windows 10 will be decrypted, focusing on particular cases of interest. Finally, the presentation will address the challenges coming from Windows Phone, such as getting system-users’ passwords and obtaining users’ ActiveSync tokens.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Speck&Tech
ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune.
Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile.
BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceIndexBug
Imagine a world where machines not only perform tasks but also learn, adapt, and make decisions. This is the promise of Artificial Intelligence (AI), a technology that's not just enhancing our lives but revolutionizing entire industries.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Infrastructure Challenges in Scaling RAG with Custom AI modelsZilliz
Building Retrieval-Augmented Generation (RAG) systems with open-source and custom AI models is a complex task. This talk explores the challenges in productionizing RAG systems, including retrieval performance, response synthesis, and evaluation. We’ll discuss how to leverage open-source models like text embeddings, language models, and custom fine-tuned models to enhance RAG performance. Additionally, we’ll cover how BentoML can help orchestrate and scale these AI components efficiently, ensuring seamless deployment and management of RAG systems in the cloud.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
1. DISCOVERING WINDOWS PHONE 8 ARTIFACTS AND SECRETS
MATTIA EPIFANI – FRANCESCO PICASSO – MARCO SCARITO
DFRWS 2016 EU – LAUSANNE
30/03/2016
2. WINDOWS PHONE 8 DATA ACQUISITION
Physical Acquisition
• Best acquisition (bit-
by-bit image) but not
available for all
models
• Generally made with
JTAG or Chip-Off
• Cellebrite supports
21 models with known
boot vulnerabilities
Logical and File
System acquisition
• Phone needs to be
unlocked or PIN must
be known
• Various forensics tools
(Cellebrite, XRY, Oxygen,
MobilEdit, etc.) permit to
extract Media files
(Pictures,Videos, Music,
Documents) through
USB connection
• Cellebrite and Oxygen
Forensic permit to
recover Contacts and
Call History through
Bluetooth connection
App and manual
acquisition
• Phone needs to be
unlocked or PIN must
be known
• Microsoft
“contacts+message
backup” App saves
Contacts and
Messages on SD Card
• Microsoft “Project my
Phone” PC application
permits to browse
through the phone from
a PC
Cloud acquisition
• Associated Microsoft
user credentials must
be known
• Elcomsoft Phone Breaker
and Oxygen Forensic
support Contacts,
Messages and Notes
acquisition
3. WINDOWS PHONE 8 DATA ACQUISITION – JTAG EXTRACTION
RIFF Box
ATF Box
Lumia 535 eMMC Dump
https://www.youtube.com/watch?v=w-sizgMUrcs
Many boxes / jigs / adapters
Teel Tech, among others, provides
kits and training
4. PARTITIONS
28 partitions
Most useful:
Partition27 Main OS
Partition28 Data
Other partitions depend on the SoC (bootloader,
configurations backup etc.)
External SD Card is mapped as drive D:
5. MAIN OS PARTITION
Equivalent to the Windows
partition in a PC, without Users
folder
Programs folder contains
executables from built-in
applications
Windows folder contains
windows registry files,
executables, dlls, drivers, and so
on
6. MAIN OS PARTITION
It uses NTFS (so you can find $MFT, $LogFile, $UsnJrnl)
It contains
System registry hives (Software, System, Security, SAM)
Pagefile.sys
It doesn’t contain
Windows Events Logs
Hiberfil.sys
Recycle Bin
Prefetch
Shellbags
11. DATA PARTITION
It uses NTFS (so you can find $MFT, $LogFile, $UsnJrnl)
It contains information about user activities, both for native
and third party Apps
Programs Executables of the installed Third-party
Apps
Users User accounts
SystemData Log files and updates information
SharedData Data shared between Apps
12. USERS FOLDER
There are actually 25 default user accounts
Most user accounts are used by the OS for services
Three types of user accounts:
Service Accounts System users for managing services and
system apps
DefApps User handling the data of third party
apps and (some) native apps
Public User storing media files
13.
14. WPCOMMSSERVICES USER
Most interesting user for a digital forensics analyst
In particular it contains 2 ESE (Extensible Storage Engine)
Databases
UsersWPCOMMSSERVICESAPPDATALocalUnistorestore.vol
Address Book, Calendar, SMS/MMS Messages, Emails, …
UsersWPCOMMSSERVICESAPPDATALocalUserDataPhone
Call History
They can be analyzed with ESE DBViewer/Parser (e.g. Libesedb,
ESEDatabaseView)
15. PHONE DATABASE
Call History
CallHistory DBTable
Type
Outgoing call 1
Incoming call 2
Lost call 3
Raw Number Calling/Called number
Resolved Name Contact name in the AddressBook (if available)
StartTime FileTime format (100-nanoseconds from 1st January 1601)
EndTime FileTime format (100-nanoseconds from 1st January 1601)
16. SMS/MMS Messages
Message DB Table
Type
1 Received
33 Sent
Label
IPM.SMSText
IPM.MMSText
Date and time
FileTime format (100-nanoseconds from 1st
January 1601)
Text
STORE.VOL DATABASE
Address Book
Contact DBTable
Name, Surname,Address(es), Phone(s),
Email(s),Avatar, etc.
Calendar
Appointment DBTable
Start date, duration (in minutes), type
(all day, appointment), place, text, etc.
18. PUBLIC USER
It stores multimedia files
Documents
Downloads
Music
Pictures
Camera Roll Photos and videos taken with the device internal camera
Saved Pictures User-saved images from from applications (e.g. Facebook)
Screenshots Phone monitor screenshots
WhatsApp WhatsApp pictures (if installed, of course)
Ringtones
Videos
This part of the file system is accessible when the phone is connected to a Windows PC
19. DEFAPPS USER
It stores data for (some) native
and third-party applications
It contains one sub-folder for
each application (inside the
AppData sub-folder)
Preinstalled Apps have their own
folders (e.g.
INTERNETEXPLORER)
Every third party apps is identified
by an App ID (Windows Phone
Store ID) or a friendly name
associated to the AppID
20. APPLICATION FOLDER STRUCTURE
The internal structure of every application folder is consistent
INetCache App cache files (images, videos, HTML content, etc.)
INetCookies App cookies
INetHistory App URL history
Local Application related data (database and config) not shared with
other devices
LocalShared Application data shared with the system (eg. DesktopTile image)
Roaming Application related data (database and config) shared with Cloud
or other devices
21. INTERNET EXPLORER
Cache History
UsersDefAppsAPPDATALocalMicrosoftWindowsWebCacheWebCacheV01.dat
ESE Database
Cached files
UsersDefAppsAPPDATAINTERNETEXPLORERINetCache
Cookies
UsersDefAppsAPPDATAINTERNETEXPLORERINetCookies
Favorites
SharedDataInternetExplorerFavorites
22. WHATSAPP
Most information stored in Local subfolder
It uses SQLite DBs
Settings.db User ID and phone number
Contacts.db
UserStatuses ID Whatsapp, Contact Name, Status, Photo ID, etc.
Contacts profile photo are stored in ProfilePictures folder
BlockList Blocked users
Calls.db Call history (for calls made through WhatsApp)
Stats.db Stats information about app usage
23. WHATSAPP
Messages.db
Message type (Received/Sent)
Contacts
Date and time
Text
Remote media URL
Local media URL Typically Public user folder. In some cases
LocalSharedTransfer
Media content size
A backup copy of the messages database is made every day by the application
inside the SharedDataOEMPublicWhatsAppBackup folder
24. FACEBOOK
LocalDataCache.<FacebookID> contains JSON files related to:
User information
Friends
ID, Full Name,
Profile URL, Email,
Birthday, Phone
Posts
Pages
Groups
Events
Photos and Albums
26. AND NOW LET’S MOVETOTHE SECRETS!
USER PASSWORDS
shell> pycreddumppwdump.py SYSTEM SAM
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f194e99a9050a026b9445425b4e72c44:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:30f60b1fe0fd69e1eb179d480d54f0d9:::
DefApps:2781:aad3b435b51404eeaad3b435b51404ee:a33a6392a476adfe34294b2029f14708:::
WPNONETWORK:2782:aad3b435b51404eeaad3b435b51404ee:67c041a3ddcc8eeaca176b32a068d97e:::
WPNETWORK:2783:aad3b435b51404eeaad3b435b51404ee:83106e7f2e2921e35197328d8e11eea8:::
WPNETWORKDRM:2784:aad3b435b51404eeaad3b435b51404ee:9fae0b63cd1ba7a85ab0365df786f49a:::
IPOVERUSBGROUP:2786:aad3b435b51404eeaad3b435b51404ee:e0b0fac51f921e5127e12776bee0197e:::
WPCOMMSSERVICES:2788:aad3b435b51404eeaad3b435b51404ee:daa06a338359eed6fc28ddb773369e9f:::
WPNETWORKPII:2790:aad3b435b51404eeaad3b435b51404ee:68981b3c606c20b092366c2c34a8685d:::
CAPTURESVCGRP:2791:aad3b435b51404eeaad3b435b51404ee:ee0cab2b8d7316cc1d109bcc6511533c:::
WPCRITICAL:2792:aad3b435b51404eeaad3b435b51404ee:5fce1c3e7e5b1803a424b514521e1ccb:::
OEMSVCHOST:2793:aad3b435b51404eeaad3b435b51404ee:e6d325755d21dcaab124a9bd4957676e:::
TELREPSVC:2794:aad3b435b51404eeaad3b435b51404ee:dcbcde33eda70369566bf2b021497631:::
OEMSVCGROUP:2795:aad3b435b51404eeaad3b435b51404ee:7550da005cceb21c5ba5c8ecad2ed377:::
NCSDSVC:2796:aad3b435b51404eeaad3b435b51404ee:58686d487dd2ca7503cfe6fd17233d88:::
WLANCOUNTRYSVC:2797:aad3b435b51404eeaad3b435b51404ee:7c72dd4bf4f75fb9570c2058e97f3b4b:::
NGPSVC:2798:aad3b435b51404eeaad3b435b51404ee:1b739d6d3f099293b434c52e193d86b5:::
ACCESSLIB_SVC:2799:aad3b435b51404eeaad3b435b51404ee:23145899db9c5a665fc00f3c3cdf636f:::
PSREGSERVICE:2800:aad3b435b51404eeaad3b435b51404ee:8f88aebc4bfd2b6a59ed7406dd41094a:::
NOKIARCSESVC:2801:aad3b435b51404eeaad3b435b51404ee:076d30c9b00c86ab93e761b0d96070ff:::
SENSOR_SERVICE:2802:aad3b435b51404eeaad3b435b51404ee:c182e91ca1361bd390630676ff25e02a:::
QCSHUTDOWNSVC:2804:aad3b435b51404eeaad3b435b51404ee:35007aa28a7b5a86ff38aa485491a272:::
NSGEXTUTI:2805:aad3b435b51404eeaad3b435b51404ee:deb3282673fbb24ec84fbee636a52450:::
FEEDBACKSVC:2806:aad3b435b51404eeaad3b435b51404ee:27da8da6e58d6fde3de258182f96f2d8:::
27. USERS PASSWORDS CRACKING
Those password cannot be cracked in practice
They are really complex and generated in a
pseudo random way when the phone is
initialized
Anyway the phone must know them…
Searching for users names in the registry
SOFTWARE hive reveals the «mistery»
29. SOFTWAREMicrosoftSecurityUserAccountBootstrapData
Values are DPAPI blobs
They can be decrypted with a System
Master Key
For references see
http://blog.digital-forensics.it/2015/01/happy-dpapi.html
https://github.com/dfirfpi/dpapilab
30. USERS PASSWORDS DECRYPTING
dpapilab> blobdec.py
--security=SECURITY --system=SYSTEM --masterkey=sysmk
--entropy_hex=626BEDCBCA025E41847E3393369C2E5E
bootstrap_DefApps.blob
dpapilab>
E6056E45B3425B7BAB7E328971D8570DC0215D6821657AE0C3F6DD6F8059E3C283838A5CFAA30A2F7547EE12F766ADDFE3F03D22FA
E3DCDA36BA37ECED8807B7C5015E02FB4EF6160754C5ADEB1D1B4E292FED8419D986C3EE8A08901C85A34ABB35F40A770CB3149338
3602C898B9352884195021BBDFD026F452CBA22B2E6F
The DPAPI System Master Key can be extracted
from the LSA Secrets (SECURITY Registry)
Entropy must be taken into account
Hardcoded in AccountProvSvc.dll
626BEDCBCA025E41847E3393369C2E5E
31. WHY USERS PASSWORDS?
Once we know the users passwords we can decrypt DPAPI Blobs!
And Windows Phone is filled by DPAPI blobs
For example, the Windows Mail application uses Vaults to protect
account tokens and passwords (and it’s not the only application using
them)
Given the proper legal authority…
… online email messages can be acquired by exploiting such
decryption
Reference: http://blog.digital-forensics.it/2016/01/windows-revaulting.html
32. WPCOMMSSERVICES AND EMAIL
dpapilab> vaultdec.py
--sid=S-1-5-21-2702878673-795188819-444038987-2788
--masterkey=UsersWPCOMMSSERVICESAppDataRoamingMicrosoftProtectS-1-5-21-2421538757-
1605280464-2344517820-1000
--password=E91889F98E8A68703ABFC68464B16A1373BB6501192F9D68A5C87C41CF43561852502650735EF84ED
27AF308AAD9E08C031B5FC21C3DDC9C978222D83FC3308498C2AE0528A38EB086841E2743DE1BCEC18
FCEDB0775DEA869BF98DEFCE6B5B58A58B58275F42BDA15049DCD9AA3953782E4CD4109CB22795311
ADBF8E2ABAD1
UsersWPCOMMSSERVICESAppDataLocalMicrosoftVault4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Email accounts tokens/passwords are kept inside
WPCOMMSSERVICES user Vaults
33. WPCOMMSSERVICES AND EMAIL
Resource value contain a GUID that must be correlated with Registry
keys
SOFTWAREMicrosoftActiveSyncPartners
Working on: 2DAF2FE224AF306A198BA169B1534ADCC618B47B.vcrd
…
Attribute: 3 (vault_schema_activesync)
identity: ActiveSyncCredentialDefaultUser
resource: SyncPassword{E00DD091-C2C9-4F43-8228-DE965928A329}MailIncoming
authenticator: WhatCouldPossiblyGoWrong?
34. WPCOMMSSERVICES AND GMAIL
Working on: DB580D5ADA46907C4D7218A754491C55CF9C3342.vcrd
Attribute: 3 (vault_schema_activesync)
identity: ActiveSyncCredentialDefaultUser
resource: OAuthRefreshToken{801BB721-87B6-4EB9-9EE2-9CF88173D459}OAuth
authenticator: 1/UyGV1eG2Q7FfabcdEF6nb3dFgr354htJ6K-mgaj2gw
--------------
Working on: FE912C0BD34AD8BC6C00C8E879B2490495AF937E.vcrd
Attribute: 3 (vault_schema_activesync)
identity: ActiveSyncCredentialDefaultUser
resource: SyncPassword{801BB721-87B6-4EB9-9EE2-9CF88173D459}MailIncoming
authenticator: ya29.xBFGoPazVskbtY_HqmExc3PXmVbYhXrYLd3ldzfryQcP65p4CerTGTEVLe_BjqnGHe_
35. FACEBOOK TOKENS
AuthToken in «[data]UsersDefAppsAPPDATALocalPackagesMicrosoft.MSFacebook_8wekyb3d8bbweSettings»
ApiKey in «[os] WindowsSystem32configSOFTWARE»
By using these information with (for
example)
https://github.com/pythonforfacebook/facebook-sdk
you can access online data
36. TWITTER TOKENS
CurrentUserToken and CurrentUserTokenSecret are kept inside the
«__ApplicationSettings» file (XML)
«UsersDefAppsAPPDATALocalPackages9E2F88E3.Twitter_wgeqdkkx372wmLocalStat
e__ApplicationSettings»
ConsumerKey and ConsumerSecret are hardcoded inside Twitter.Core.dll (C#) file,
slightly obfuscated.
37. PIN CRACKING
Useful if you need to power on the device
By having a physical dump (or at least the SOFTWARE hive) you can crack the PIN
code in a really easy way
The PIN is, in reality, like a screensaver
Object21 (SOFTWAREMicrosoftCommsSecurityDeviceLockObject21)
38. PIN CRACKING
The CredentialHash contains three elements:
salt, hash algorithm and the hashed pin +
salt result
The pin check is done by the following
HashAlgo(UTF-16-LE-NoTrailing0(pincode) + salt)
salt
algo
result
Note that other keys could have the pin information (actually it’s unclear why), as Object31
References
code: https://github.com/RealityNet/hotoloti/blob/master/sas/winphonepincrk.py
blog: http://blog.digital-forensics.it/2015/07/windows-phone-pin-cracking.html
39. WHY PIN CRACKING
Why do we have to crack the PIN if we already have a physical
dump?
Not all the apps are easy to parse from the DD image
Starting fromWindows 8.1 the user can decide to install apps on the
external SD card: in this case information on the SD card is encrypted
in a way that depends on both the hardware and the PIN
So also with the physical dump of the internal memory and the physical
dump of the SD card we do not have access to the data and the only way
is to turn on the phone, insert the PIN and browse through app
data
40. WINDOWS PHONE 8 ARTIFATCS LOCATION
File or Location Description
Users/WPCOMMSERVICES/APPDATA/Local/UserData/Phone Call History
Users/WPCOMMSERVICES/APPDATA/Local/Unistore/Store.vol
SMS
Contacts
Appointments
Emails
/SharedData/Comms/Unistore/Data (in various subfolders)
MMS Attachments
MMS Formatting Information
MMS Message Content
SharedData/Comms/Messaging/Temp/MMS File attachments from incoming and outgoing mms messages
Users/WPCOMMSERVICES/APPDATA/Temp/RequestManager/Cache Cached images from message attachments
Users/Public/Pictures/CameraRoll/WP_YYYYMMDD_###.jpg
Pictures taken with the device
Videos taken with the device
Users/Public/Pictures/SavedPictures/ Pictures saved to the device from other sources (Facebook, etc...)
Users/Public/Pictures/Screenshots/ Phone monitor screenshots
Users/DefApps/APPDATA/Local/Microsoft/Windows/WebCache/WebCacheV01.dat Internet Explorer Cache History
Users/DefApps/APPDATA/INERNETEXPLORER/INetCache/ Internet Explorer Cache files
Users/DefApps/APPDATA/INERNETEXPLORER/INetCookies/ Internet Explorer Cookies files
SharedData/Input/neutral/
ihds.dat - user input word list
41. LINKS
Windows Phone 8 Forensic Artifacts
http://www.sans.org/reading-room/whitepapers/forensics/windows-phone-8-forensic-artifacts_35787
Windows Phone 8 Forensic Artifacts and Case Study
https://files.sans.org/summit/Digital_Forensics_and_Incident_Response_Summit_2015/PDFs/WindowsPhone8ForensicArtifactsandCaseStudyCindyMurphy.pdf
Monkeying around with Windows Phone 8.0
http://cheeky4n6monkey.blogspot.it/2014/06/monkeying-around-with-windows-phone-80.html
Windows Phone 8.0 SMS, Call History and Contacts Scripts
http://cheeky4n6monkey.blogspot.it/2014/10/windows-phone-80-sms-call-history-and.html
"Awesome" Windows Phone 8 Stuff
http://cheeky4n6monkey.blogspot.it/2014/10/awesome-windows-phone-8-stuff.html
Chunky4n6Monkey!
http://cheeky4n6monkey.blogspot.it/2015/07/chunky4n6monkey.html
Automating Window Phone 8 Analysis
http://encase-forensic-blog.guidancesoftware.com/2014/10/encase-and-python-automating-windows.html
Has the smartphone finally outsmarted us?
http://digital-forensics.sans.org/blog/2015/02/25/has-the-smartphone-finally-outsmarted-us
Cheeky4n6monkey Git Hub repository
https://github.com/cheeky4n6monkey/4n6-scripts
Belkasoft – Analyzing Windows Phone 8.1 JTAG and UFED Dumps
https://belkasoft.com/en/jtag-analysis
Magnet – Analyzing Windows Phone Artifactw with IEF
http://www.magnetforensics.com/mobile-forensics/analyzing-windows-phone-artifacts-with-ief
Windows Phone 8 and RegRipper
http://windowsir.blogspot.it/2014/09/windows-phone-8-and-regripper.html
42. ACKNOWLEDGMENTS
The authors thanks:
Pasquale Stirparo (@pstirparo) for his contribution
and suggestions during the research
Cindy Murphy (@CindyMurph) and Adrian Leong
(@Cheeky4n6Monkey) for the impressive work and
research onWindows Phone 8/8.1
43. Q&A?
Mattia Epifani
Digital Forensics Analyst and Mobile Device Security Analyst
CEO @ REALITY NET – System Solutions
Member of CLUSIT, DFA, IISFA, ONIF,Tech and Law Center
GREM, GCFA, GNFA, GMOB
CEH, CHFI, CCE, CIFI, ECCE, AME, ACE, MPSC
Mail mattia.epifani@realitynet.it
Twitter @mattiaep
Linkedin http://www.linkedin.com/in/mattiaepifani
Company http://www.realitynet.it
Company Blog http://blog.digital-forensics.it