Posts

McAFuse - open source McAfee FDE decryption

This post is a guest post, where Andrea Canepa ( recently graduated at University of Genoa, Computer Science) will explain his Master Thesis . The topic is how to handle McAfee FDE acquisitions when doing a DFIR investigations. Suppose that you're asked to perform a forensic investigation on a laptop where McAfee FDE is used: the company will provide you the xml file (McAfee ePO) with the decrypting key. How would you proceed? Our usual approach has always been to perform a full disk acquisition of the encrypted disk, as is: this is most likely the best freeze of the current data you could get. Then, how would you decrypt the forensic image? McAfee provides the DETech tool and a proper manual : point is, you'd have to use it by creating a boot-able WinPE device (CD, USB) to run it and decrypt the original disk, sector by sector. What I've done in the past is a Powershell script which will take the DETech.zip file and it will "install" it inside a Windows syst

Oh no! I have a wiped iPhone, now what?

Image
One of the most common questions I got asked during presentations and conferences is: " During a search and seizure we found a wiped iPhone, what can we do next? " First and foremost: you cannot recover data stored on the device before wiping occurred . The encryption keys you need to decrypt the data are gone forever. Full stop :) If you are aware of any method, technique, tool or magic box that can do that, please let me know :) You have three options to recover data: Data stored on computer (s) (Windows or Mac) On Windows you can search for Lockdown certificates C:\ProgramData\Apple\Lockdown iOS Backups  C:\Users\<username>\AppData\Roaming\Apple Computer\MobileSync\Backup C:\Users\<username>\Apple\MobileSync\Backup Synced CrashLogs C:\Users\<username>\AppData\Roaming\Apple Computer\Logs\CrashReporter\MobileDevice MediaStream C:\Users\<username>\AppData\Roaming\Apple Computer\MediaStream\ iPodDevices.xml C:\Users\<username>\AppData\Local\Apple

Triaging modern Android devices (aka android_triage bash script)

Image
When dealing with mobile devices, you need to follow a procedure that includes various stages from identification to reporting. One of the key-point in this process is the  acquisition , where we extract a copy of the data stored in the mobile device.  While evaluating your acquisition method, you should always consider the old but gold rule of the  order of volatility  ( RFC 3227  - " When collecting evidence you should proceed from the volatile to the less volatile "). Our general goal is to obtain a physical dump of the internal memory, from the very first to the very last bit. On most modern smartphone devices, where file-based encryption (FBE) is in use, a full file system is typically our "best evidence".  These extraction methods often rely on vulnerabilities and exploits (either at the hardware or the software level) developed to overcome device security. We use various tools and techniques and sometimes also a physical approach. In some cases, especially

A journey into IoT Forensics - Episode 5 - Analysis of the Apple HomePod and the Apple Home Kit Environment (aka thanks RN Team!)

Image
This is the fifth blog post on the analysis of IoT devices. The first blog post was about the  analysis of Samsung refrigerator , the second one was about the  analysis of an LG Smart TV , the third one was about the analysis of an  Ematic Android TV OS Box , and the fourth one was about the analysis of an iRobot Roomba 690 . All the previous blog posts were based on images made available for research by VTO Labs . This fifth post is about the acquisition and analysis of the Apple Homepod and the Apple HomeKit environment. This is based on a research developed by our RN team during 2020: in particular, it was the research topic of the thesis of our internship Francesca Maestri , who successfully obtained her computer science degree last year. Congrats and thanks for your great work Francesca! This work was first presented online in June 2020 at the DFRWS EU 2020, as a short presentantion. It was also the topic of the famous DFRWS Rodeo. Presentation from the DFRWS, the Rodeo dataset, q