A journey into IoT Forensics - Episode 1 - Analysis of a Samsung Refrigerator (aka thanks VTO Labs for sharing!)

During 2019 I had the chance to attend live (sigh!) two talks by VTO Labs: the DFRWS EU 2019 keynote by Steve Watson on "Where Are We Headed? Considerations for Digital Forensics of Emerging Technologies" and a talk on the Drone Forensics project by Dave Rathbone at the Techno Security and Digital Forensics Conference in San Diego. 

In both cases, I was fascinated by their research and I started reading their papers and following them on YouTube, Twitter and Instagram.

A couple of weeks ago, while browsing the web, I found new research on IoT Forensics on the VTO Labs website. On this page, VTO Labs published some forensic acquisitions from "sample devices that have been seeded with sample data for the purpose of digital forensics research". 

Wow! 

The list is amazing (TVs, refrigerator, cooker, lights, Roomba)!!!


I downloaded the dataset and I started investigating the images, out of curiosity and because of my strange forensic mindset.

My goal is to write some blog posts on my findings, based on previous research and data analysis.

[START DISCLAIMER]

I only had one dataset, so the testing is limited and not to be considered strong and verified. 

The goal is to open a discussion and to provide a first glimpse into the analysis of these types of devices.

[END DISCLAIMER]

The Samsung RF22M9581SG Refrigerator

Among the others, my first candidate for the research was the image of a Samsung Refrigerator model RF22M9581SG, a smart fridge produced by Samsung with the FamilyHub technology and the Tizen Operating System.

The Tizen OS is also installed on Samsung Smart TVs and Smart Watches. A lot of research is available online on vulnerabilities and exploits for this Operating System. Some of the most interesting are:

Though all of them are more on the exploiting side, they are really useful to understand the OS and how it organizes the data. 

On the Forensics side, I suggest reading:

I was not able to find specific papers, presentations or blog posts on a Samsung Fridge with Tizen OS. 

So...let's look into it!

Image verification and partitioning schema

The device image is an 8GB file named "SamsungRefrigerator-002.img". 

I loaded the image into X-Ways Forensics, which found a GPT partitioning schema with 21 partitions.

I also tested the image with AccessData FTK Imager and Autopsy, and both tools were able to recognize the partitioning schema and provide access to the various partitions and filesystems.


Partition 18 and Partition 19, rootfs.img, contain the stock Tizen operating system, Partition 20 (system-data) contains system configuration made by the user and Partition 21 (user) contains user data.

Rootfs.img partition

The "\etc\os.release" file contains details about the installed Operating System. In the provided dataset the installed operating system is Tizen 3.0.


The "\etc\tizen-build.conf" contains additional information about the OS, including the build date (in the provided dataset 11th July 2017).


The "\usr\apps" folder contains the pre-installed applications: this folder is useful to understand what you should expect in the user data partition. 

Every app is identified either by a bundle name or by a 10-character, GUID-like identifier.


Some of the most interesting native packages are:
  • gfamilymap (Glympse Family Map)
  • org.tizen.browser (Internet browser)
  • org.tizen.energystar (Energy information)
  • org.tizen.glazecamera (Glaze service, managing the internal cameras) 
  • com.samsung.samsung-connect (Samsung Connect App)

In this specific dataset the following apps and GUIDs can be found:
  • Recipes (1K3CsGDv16)
  • Nomiku (8s4wz2jex0)
  • Spotify Hub (9DZ9Lnbtx0)
  • Calendar (9zWvGSYU8Z)
  • Pandora (g5kOHeKOMQ)
  • SmartHome (kzOK54sYx0)
  • FoodMinder (LAykghKXQw)
  • FHubTuneIn (nn7Wgp14c8)
  • AccuWeather (Snr7si7XV1)
  • ShoppingList (UNduJ5y0UH)
  • iHearthFamilyHub (4GKFs7KtEh)

System-data partition

The system-data partition contains user configuration at the operating system level (like timezone, user account, network settings, and so on). 

The "\etc\localtime" file contains information about the timezone set on the device (in the provided dataset America/Denver, where VTO Labs is located).


The "\dnsmasq.leases" file contains information about the DHCP leases issued by the dnsmasq service. The provided dataset contains the following values: 
  • 1517956504, that translates to 6th February 2018 at 10:35:04 UTC 
  • 4c:66:41:5c:7e:92, a MAC address manufactured by Samsung Electro-Mechanics
  • 192.168.7.61, a local IP address
  • Samsung-SM-G930V, a smartphone model
  • 01:4c:66:41:5c:7e:92, a MAC address by an unknown manufacturer
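
Added example (not from the original post): dnsmasq writes each DHCPv4 lease as one line of five space-separated fields, in the order lease expiry time (Unix epoch), client MAC, assigned IP, hostname and DHCP client identifier. The parser below splits such a line, rebuilt here from the values listed above, converts the expiry to 24-hour UTC and flags a client identifier that is simply hardware type 01 followed by the same MAC. The sample constant and all function names are illustrative.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Lease line rebuilt from the five values listed above (constructed sample).
SAMPLE_LEASES = (
    "1517956504 4c:66:41:5c:7e:92 192.168.7.61 "
    "Samsung-SM-G930V 01:4c:66:41:5c:7e:92\n"
)
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.IGNORECASE)


@dataclass
class Lease:
    expires_utc: Optional[datetime]  # None = lease never expires (field is 0)
    mac: str
    ip: ipaddress.IPv4Address
    hostname: Optional[str]          # None when dnsmasq wrote "*"
    client_id: Optional[str]         # DHCP option 61, None when "*"
    client_id_is_mac: bool           # True when client-id = type 01 + MAC


def parse_leases(text: str) -> List[Lease]:
    leases = []
    for line in text.splitlines():
        parts = line.split()
        # Skip blank lines, the "duid ..." header and DHCPv6 entries, whose
        # second field is an IAID rather than a MAC address.
        if len(parts) < 5 or not parts[0].isdigit() or not MAC_RE.fullmatch(parts[1]):
            continue
        expiry, mac, ip, host, cid = parts[:5]
        try:
            addr = ipaddress.IPv4Address(ip)
        except ipaddress.AddressValueError:
            continue
        epoch = int(expiry)
        leases.append(Lease(
            expires_utc=datetime.fromtimestamp(epoch, tz=timezone.utc) if epoch else None,
            mac=mac.lower(),
            ip=addr,
            hostname=None if host == "*" else host,
            client_id=None if cid == "*" else cid.lower(),
            # Hardware type 01 (Ethernet) followed by the client's own MAC.
            client_id_is_mac=cid.lower() == "01:" + mac.lower(),
        ))
    return leases
```

Because the first field is the moment the lease expires, it bounds when the client was last granted an address rather than recording the connection time itself.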

The "\dbspace\5001\.account.db" file contains information about the Samsung account, including username and email address (in the provided dataset "connectedkitchenvto@gmail.com")


The "\dbspace\.notification.db" file contains notification settings (per app).


The "\dbspace\.alarmmgr.db" file contains alarm settings (per app).


The "\var\lib\bluetooth\" folder contains a subfolder apparently named after the Bluetooth MAC Address of the device. In the provided dataset the folder name is 70:2C:1F:41:E2:43, which is a Bluetooth MAC Address manufactured by Wisol, a Samsung company. 

The "\var\lib\bluetooth\<BT_MAC>\settings" file contains the device Bluetooth name (in the provided dataset "[Refrigerator] Samsung").


The "\var\lib\bluetooth\<BT_MAC>\cache" folder contains various files, each named after a MAC Address. In the provided dataset 6 files are stored in the folder. Every file contains a device name. They seem to be "seen" devices, although more testing is needed.


The "\var\lib\buxton2\system.db" file contains information about OS settings. The database needs more research to understand the exact content, but it apparently contains interesting configuration and information embedded in BLOB data. The full settings list follows.

db/refrigerator/modelType
db/usb/sel_mode
db/pwlock/factory_boot
db/wifi/country_code
db/setting/country_code
db/pwlock/setup_wizard_started
db/menu_widget/language
db/menu_widget/regionformat
db/privacy_policy/agree
db/refrigerator/ModelSupportedIceMaker
db/account/msg
db/samsungaccount/signin
db/pwlock/setup_wizard
db/menuscreen/numofpages
db/setting/timezone_id
db/setting/cityname_id
db/setting/timezone
db/dnet/statistics/wifi/totalsnt
db/dnet/statistics/wifi/totalrcv
db/softap/hide
db/softap/security
file/private/wifi/wifi_off_by_airplane
db/refrigerator/checkModelId
db/otn/otn_download_version
db/photoalbum/default_album
db/refrigerator/MicomInfoModelIdStr
db/refrigerator/ModelSupportedDoor
db/photoalbum/last_album
db/refrigerator/FirstWarning
db/wifi/wifi_disconnect_count
db/nfc/feature
db/nfc/enable
db/audio/volume/kantmeq/product_model
db/audio/volume/kantmeq/standard
db/audio/volume/kantmeq/music
db/audio/volume/kantmeq/movie
db/audio/volume/kantmeq/speech
db/audio/volume/kantmeq/silver
db/audio/volume/kantmeq/stadium
db/audio/volume/kantmeq/icehockey
db/audio/volume/kantmeq/african_cinema
db/audio/volume/kantmeq/indian_cinema
db/audio/volume/kantmeq/party
db/audio/volume/kantmeq/rugby
db/audio/volume/kantmeq/reserved5
db/refrigerator/MicomInfoLastSwVersion4
db/refrigerator/TchefMode
db/refrigerator/DoorAlarm
db/refrigerator/EnergySaver
db/refrigerator/icetype
db/refrigerator/TemperatureUnit
db/wifi/bssid_address
file/private/wifi/last_power_state
file/private/contacts-service/default_lang
db/pwlock/function_state
db/indicator/rm
db/clogger/global_ID
db/svoice/ref_room
db/svoice/setting/lang
db/isf/input_keyboard_uuid
db/refrigerator/MicomInfoAddr1
db/refrigerator/MicomInfoAddr2
db/refrigerator/MicomInfoAddr3
db/refrigerator/MicomInfoModelId1
db/refrigerator/MicomInfoModelId2
db/refrigerator/MicomInfoModelId3
db/refrigerator/MicomInfoModelId4
db/dnet/statistics/wifi/lastsnt
db/dnet/statistics/wifi/lastrcv
file/private/isf/autocapital_allow
file/private/isf/autoperiod_allow
db/refrigerator/coolselectzoneState
db/refrigerator/stepFreezerTemp
db/refrigerator/setFreezerTemp
db/refrigerator/setPowerFreeze
db/refrigerator/setPowerCool
db/refrigerator/DispenserLock
db/refrigerator/DispenserIceMaking
db/refrigerator/DispenserIceOff
db/refrigerator/DispenserFilter
db/refrigerator/HandleLighting
db/refrigerator/SterilizationCleaner
db/refrigerator/stepFridgeTemp
db/refrigerator/setFridgeTemp
db/refrigerator/CoolingOff
db/refrigerator/RefOption01
db/refrigerator/RefOption02
db/refrigerator/RefOption03
db/refrigerator/RefOption04
db/refrigerator/RefOption05
db/refrigerator/RefOption06
db/energystar/defrost/status
db/energystar/defrost/activate
db/refrigerator/RefOption07
db/refrigerator/RefOption08
db/refrigerator/RefOption09
db/refrigerator/RefOption10
db/refrigerator/RefOption11
db/refrigerator/RefOption12
db/energystar/dr/override
db/refrigerator/MicomInfoYear
db/refrigerator/MicomInfoProject
db/refrigerator/MicomInfoVersion
db/refrigerator/RefOption13
db/refrigerator/ModelDiodeOption
db/refrigerator/MicomInfoSwVersion1
db/refrigerator/MicomInfoSwVersion2
db/refrigerator/MicomInfoSwVersion3
db/refrigerator/MicomInfoSwVersion4
db/refrigerator/MicomInfoType1
db/refrigerator/MicomInfoType2
db/refrigerator/rm_state
db/energystar/dr/level
db/setting/Brightness
db/refrigerator/displayFreezerTemp
db/refrigerator/displayFridgeTemp
db/refrigerator/DeoFilter
db/wifi/wifi_ui_onoff_status
db/browser/user_agent
db/svoice/manager/bos_response
db/svoice/manager/response
file/private/sound/volume/system
db/bluetooth/bt_ui_onoff_status
file/private/bt-core/flight_mode_deactivated
db/bluetooth/lestatus
file/private/libug-setting-bluetooth-efl/visibility_time
db/bluetooth/status
db/bluetooth/dpm
db/refrigerator/MicomUsedMonth
db/isf/input_language
file/private/sound/volume/media
file/private/sound/volume/notification
db/mic_key/status
db/setting/lcd_backlight_normal

Some of this BLOB data can be easily read, like the Wi-Fi BSSID Address, which in the provided dataset is 70:2c:1f:41:e2:42.


The "\var\lib\connman\settings" file contains information about network services (WiFi, Bluetooth, Wired, Cellular) and whether each of them is enabled.


In the provided dataset there is a subfolder named wifi_702c1f41e242_436f6e6e65637465644b69746368656e56544f32_managed_none which contains a settings file with information about the Wi-Fi network the device was connected to. In the provided dataset the Wi-Fi network name is ConnectedKitchenVTO2 and the last assigned IP address is 172.16.42.126.
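
Added example (not from the original post): connman names each Wi-Fi service folder `wifi_<adapter MAC>_<SSID as hex>_<mode>_<security>`, so the network name can be recovered from the folder name alone. The sketch below decodes the folder name quoted above and can walk an exported connman directory; the function names and the directory argument are illustrative.

```python
import re
from pathlib import Path
from typing import List, NamedTuple

# Folder name quoted above, from \var\lib\connman\ on the system-data partition.
SAMPLE = "wifi_702c1f41e242_436f6e6e65637465644b69746368656e56544f32_managed_none"

SERVICE_RE = re.compile(
    r"wifi_(?P<mac>[0-9a-f]{12})_(?P<ssid>hidden|(?:[0-9a-f]{2})+)"
    r"_(?P<mode>[a-z]+)_(?P<security>[a-z0-9]+)"
)


class WifiService(NamedTuple):
    interface_mac: str  # MAC of the device's own Wi-Fi adapter
    ssid: str           # empty when connman stored the network as hidden
    mode: str           # e.g. "managed"
    security: str       # e.g. "none", "psk"


def decode_wifi_service(name: str) -> WifiService:
    m = SERVICE_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not a connman Wi-Fi service name: {name!r}")
    mac = ":".join(m["mac"][i:i + 2] for i in range(0, 12, 2))
    if m["ssid"] == "hidden":
        ssid = ""
    else:
        # SSIDs are raw bytes; keep undecodable ones visible as \xNN escapes.
        ssid = bytes.fromhex(m["ssid"]).decode("utf-8", errors="backslashreplace")
    return WifiService(mac, ssid, m["mode"], m["security"])


def list_wifi_services(connman_dir: str) -> List[WifiService]:
    """Decode every wifi_* subfolder of an exported connman directory."""
    found = []
    for entry in sorted(Path(connman_dir).iterdir()):
        if entry.is_dir() and entry.name.startswith("wifi_"):
            try:
                found.append(decode_wifi_service(entry.name))
            except ValueError:
                pass  # unexpected layout: leave for manual review
    return found


if __name__ == "__main__":
    print(decode_wifi_service(SAMPLE))
```

The decoded MAC component, 70:2c:1f:41:e2:42, is the same value read from the buxton2 settings database above, and the trailing `none` indicates the network was stored as an open one.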


User partition

The user partition contains most of the user data. 

Tizen Glaze Camera

The Glaze Camera is a built-in camera solution for a refrigerator that supports food management. I was not able to find a lot of technical details about this service, but the open-source GitHub script Python Family Hub mentions it. Some non-technical details about the service are also available here.

The application stores its data in the "\user\home\owner\apps_rw\org.tizen.glazecamera\" folder. In the provided dataset three JPG pictures of the content of the fridge were found in the "\shared\trusted\" subfolder. All of them were taken on 7th February 2018 at 18:41:12 UTC.

Tizen Browser

The Tizen OS 3.0 has a default browser named "Tizen Browser", based on Chromium. Details about the browser are available on the tvmode.org website. The Tizen Browser stores information in 2 main locations in the user partition: the "\user\home\owner\apps_rw\org.tizen.browser\" folder and the "\user\data\browser-provider\database\" folder.

The "\user\data\browser-provider\database\.browser-provider-history.db" file contains browser history, including visit date, URL and page title for each visited website. In the provided dataset we can find 4 Google searches ("funny cats", "thug life cats", "starman live", "best of he man") and two viewed YouTube videos (https://m.youtube.com/watch?v=M-P3l9ezaF8 and https://m.youtube.com/watch?v=bMjVvg8jOO4).


The "\user\data\browser-provider\database\.browser-provider-tabs.db" file contains information about opened tabs. In the provided dataset you can find a single entry in the "tabs" table, as shown in the picture: it includes a URL (https://m.youtube.com/watch?v=bMjVvg8jOO4) and a creation date value (2018-02-07 18:18:30).


The "\user\home\owner\apps_rw\org.tizen.browser\data\chromium-elf\cache" folder contains browser cache items. As the Tizen Browser is based on Chromium, the cache can be parsed with ChromeCacheView or Hindsight.


Glympse Family Map


This app is based on Chromium and it also uses a Cache folder ("\user\home\owner\apps_rw\gfamilymap\data\chromium-elf\cache\") that can be parsed with ChromeCacheView or Hindsight.


By analyzing the images stored in the cache folder I was able to find some Google Maps images geolocated at the VTO Labs headquarters, where the fridge was probably used and then acquired.




Some log files about the Glympse service are stored in the "\user\home\owner\apps_rw\com.glympse.tizen.frapp.service\data\glympse" folder. They seem to contain information about sync with the Glympse service, but more research and testing is needed.

Samsung Connect

The "\user\home\owner\apps_rw\com.samsung.samsung-connect" folder contains Samsung Connect App data. This app "provides users a simple, unified way to control and monitor smart devices in one app".

The "\user\home\owner\apps_rw\com.samsung.samsung-connect\shared\data\sc.db" file contains references to other devices: in the provided dataset a "SAMSUNG SM-G930V" and a "Pixel 2" (table "device_table").

Energystar

The "\user\home\owner\apps_rw\org.tizen.energystar" folder contains energy information. The "\user\home\owner\apps_rw\org.tizen.energystar\shared\trusted\usage.db" file seems to contain information about power usage with hourly timestamps ("power_usage_table" table).

iHeart Hub Radio

The "\home\owner\apps_rw\4GKFs7KtEh\" folder contains the iHeartHub Radio app data. This app is based on Chromium and it also uses a Cache folder ("\user\home\owner\apps_rw\4GKFs7KtEh\data\chromium-elf\cache\") that can be parsed with ChromeCacheView or Hindsight.

The app seems to suggest radio stations based on the fridge location (Denver, Colorado).

Media folder

The "\home\owner\media\" folder contains user media files. The internal structure seems self-explanatory, even though the provided dataset only contains predefined documents and pictures.


Other findings

Some other possibly interesting files to investigate and analyze are:
  • \home\owner\.applications\dbspace\.context-service.db
  • \home\owner\.applications\dbspace\privacy\.calendar-service.db
  • \home\owner\.config\chromium-efl\IconDatabase\WebpageIcons.db
  • \home\owner\media\Documents\.calendar_rotate.db
  • \home\owner\apps_rw\org.tizen.browser\data\.browser.settings.db
  • \home\owner\apps_rw\org.tizen.browser\data\.browser.bookmark.db
  • \home\owner\apps_rw\org.tizen.browser\data\.browser.certificate.db
  • \home\owner\apps_rw\org.tizen.menu-screen\data\dbspace\menu_screen.db
  • \home\owner\apps_rw\org.tizen.setting\data\setting.cfg
  • \home\owner\apps_rw\org.tizen.smarthome.service\data\subscriptionDB
  • \home\owner\apps_rw\org.tizen.smarthome.service\data\pref.db
  • \home\owner\share\.svoice_da_db.db

Conclusions

First of all: thanks again VTO Labs for sharing the dataset!

During the analysis I was able to find:

  • Device hardware and software information
  • Account information
  • Network settings
  • Fridge settings
  • List of installed apps
  • Apps data
    • Browsing history
    • Fridge camera pictures
    • Glympse Family map data with geolocation
    • iHeart Hub radio data
  • Media files
  • Power and usage information

More research is definitely needed in this field and I really hope to soon find new images to validate and improve these findings. If you have any additional image to share for research, you are very welcome!

I encourage you to send me any kind of feedback and to verify my findings. I'll update the blog post mentioning and thanking the reader.

