A journey into IoT Forensics - Episode 2 - Analysis of an LG Television (aka thanks VTO Labs for sharing!)

By -
This the second blog post on the analysis of IoT devices images made available by VTO Labs. The first blog post was about the analysis of Samsung refrigerator and this one is about the analysis of an LG Television.

[START DISCLAIMER]

I only had one dataset, so the testing is limited and not to be considered strong and verified. 

The goal is to open a discussion and to provide a first glimpse into the analysis of these types of devices.

[END DISCLAIMER]

The LG 55SK8000PUA Television

The second candidate for my research in the VTO Labs dataset was the image of an LG Television model 55SK8000PUA, a Smart TV produced by LG with the WebOS Operating System.

Various researches are available online about LG Smart TVs hacking and exploiting. A great resource is the SANE Lab website, managed by Prof. Seungjoo Kim. I suggest reading their works on LG and Samsung Smart TV:

XDA Developers has also a WebOS dedicated forum. 

On the Forensics side, I suggest reading:

Some of the mentioned papers and presentations already contain references to the analysis of WebOS devices, but most of them are based on previous versions of the OS. 

Image verification and partitioning schema

As in the case of the Samsung refrigerator, I tried loading the provided image (image.001) in X-Ways Forensics vers. 20.0. By simply loading the image, the tool was not able to find any partitioning schema.


I then used the "Scan for lost partitions" feature, and X-Ways found four EXT4 partitions.


I then did some additional testing with three additional tools: MobileRevelator, TestDisk and 7-Zip.

MobileRevelator found four EXT4 partition: three of them (Partition 0, Partition 1 and Partition 2) were already found by X-Ways, while Partition 3 was found by MobileRevelator and not by X-Ways Forensics.

[UPDATE on 4th January 2021]

X-Ways version 20.1 SR-1, also based on this article, corrected the issue and can now find all the partitions.

Thanks Michael Yasumoto for the information and for your testing!

[END UPDATE]



TestDisk found four EXT4 partition, similarly to MobileRevelator


7-zip revealed a SquashFS at the beginning of the image. 


The Squashfs has a Linux-style folder schema and seems to contain the WebOS files.


I decided then to run "binwalk" on the image: the tool found 6 SquashFS file systems.


Overall I found six SquashFS, extracted by binwalk and four EXT4 partitions, extracted by MobileRevelator and TestDisk: Partition 0 (/mnt/lg/uhdcp), Partition 1 (/var/db), Partition 2 (/mnt/lg/cmn_data) and Partition 3(/media).

SquashFS files

The six SquashFS files contain the stock LG WebOS. The "/etc/issue" file contains the operating system version. In the dataset it contains "webOS TV 3.5.0".

Partition 0 (/mnt/lg/uhdcp) and Partition 1 (/var/db)

Partition 0 (/mnt/lg/uhdcp) and Partition 1 (/var/db) don't seem containing useful data from a forensics perspective.


Partition 2 (/mnt/lg/cmn_data)

Partition 2 (/mnt/lg/cmn_data) seems containing the most interesting files from a forensics perspective.


The "/.iot/accountInfoFile" file contains a username, apparently related to the Amazon Echo service. In the provided dataset three values seem interesting: userIDuserNo and aliasName.


The "/.iot/networkInfoFile" file contains the device name (in the provided dataset "[LG] webOS TV SK8000PUA")


The "/btsvc/mtk.conf" file contains:
  • the TV Bluetooth name (in the provided dataset "[LG] webOS TV SK8000PUA") 
  • the TV Bluetooth MAC Address (in the provided dataset "00:51:ed:2b:db:27", manufactured by LG Innotek)
  • the paired LG MR18 remote controller Bluetooth MAC Address (in the provided dataset "98:f5:a9:da:aa:f5")


The "/btsvc/mrcu1.info" file contains additional details about the remote controller, including the firmware version.


The "/btsvc/pairing_history" file contains information about remote controller pairing, including timestamps.


The "/btsvc/bluedroid-mtk/rec/bluedroid/bt_config.conf" file contains additional information about paired devices.


The "/channel_logo/major_logo_img" folder contains TV channels images an related JSON files.


The "/irdbmanager/setting/oss_setting_info_stb.txt" file contains information about the connected Set Top Box. In the provided dataset the Set Top Box is manufactured by "Direct TV" and connected on HDMI_1 port. The service name is "DirectTV(Denver)".


The "/var/lib/connman/" file contains information about connected Wi-Fi.


The "/var/luna/data/downloadhistory.db" file contains information about installed applications. An embedded JSON file for each installation is available. It contains information about the specific app, including timestamps. In the specific dataset various apps are installed like Netflix, Amazon Prime Video, Vudu, ChannelPlus, Sling and YouTube.


The "/var/lib/wam/" folder contains information about the "Web Application Manager", a component  responsible for web application management in webOS platform. The Default subfolder is a Chrome-style profile folder, that can be parsed with Hindsight.


Various Chrome-style Localstorage databases are stored in the profile. Among the others, the "lgappstv.com" contains last use date for each installed app.


The "/var/luna/preferences/" folder contains various TV settings and preferences. 

The "/var/luna/preferences/localtime" file contains the local timezone. In the provided dataset "/usr/share/zoneinfo/America/Denver".


The "/var/luna/preferences/option" file contains various TV settings, including the ZIP code. In the provided dataset "80020", that corresponds to "Broomfield, Colorado" where VTO Labs is located.


The "/var/luna/preferences/locl" file contains the SHA-256 value of the System PIN. In the provided dataset the value is "9af15b336e6a9619928537df30b2e6a2376569fcf9d7e773eccede65606529a0" that corresponds to the PIN "0000".


The "/var/luna/preferences/systemprefs.db" file contains various system preferences, including the local timezone


Some other interesting files in the "/var/luna/preferences/" folder are:
  • time
  • twinTV
  • channel
  • environmentCondition
  • localeinfo
The "/var/spool/" folder contains various log files.


For example, the "analytics_log_NNN.tgz" files, contain information about app launch, and other user actions. More research is definitely needed on these logs, but they are for sure useful to build a usage timeline.


The "/webbrowser/chrome/Default" folder contains the internal web browser data. The WebOS Web Browser is based on Chromium, so the content of the folder can be easily parsed with Hindsight.


In the provided dataset I found three Google searches ("calendar", "aol mail", "sprout"), a login on AOL.com with a specific email address and a login on Facebook.com.

Partition 3 (/media)

Partition 3 (/media) contains user data and third-party applications binary files, libraries and configuration.

The "cryptofs/apps/usr/palm" folder contains third-party application binary files, libraries and configuration.


The "cryptofs/apps/var/lib/status" file contains third-party application details, including installation date.


According to previous papers:
  • "captureTV" folder should contain captured images
  • "internal" folder should contain user files (wallpapers, downloads, ringtones)
  • "myphoto" folder should contain user photos
In the provided dataset all of these folders are empty.

Conclusions

During the analysis I was able to find:

  • Device hardware and software information
  • Account information
  • Network settings (Bluetooth and Wi-Fi)
  • TV settings
  • Timezone and ZIP code
  • List of installed apps
  • Browsing history
  • Usage logs
  • Media files
Again, more research is definitely needed in this field and I really hope to find soon new images to validate and improve these findings. If you have any additional image to share for research, you are very welcome!

I encourage you to provide me any kind of feedback and verify my findings. I'll update the blog post mentioning and thanking the reader.

Comments

Post a Comment

Popular posts from this blog

Huawei backup decryptor

By -
When doing Mobile Forensics the first and usually the hardest step is to get access to user's data . It depends on the case type, but the so called physical  acquisition is the analyst object of desire. The reason is simple: iOS and Android native backups, respectively adb  and iTunes , contain a subset of user data, because they respect the various apps configurations where they can specify " you can't include me in backups ". Which leads to inconsistent situations like, for example, having WhatsApp data in iTunes backups and not having it in Android adb backups. Not considering WhatsApp, the majority of apps in iOS and Android do not allow their data to be included in backups . In the scenario where  device is unlocked or the lock  code is known (the only scenario considered in this post), the analyst could use the device itself to make the analysis of the installed applications. Anyone who did that at least once knows how uncomfortable is this approach. Al
Keep reading

iOS 15 Image Forensics Analysis and Tools Comparison - Processing details and general device information

By -
Image
As explained in the first blog post, I would like to start discussing the acquisition and processing details. The acquisition was done by Josh Hickman using the Cellebrite Premium tool and the result is a Full File System capture in the traditional file format created by UFED. If you open the file EXTRACTION _FFS.zip ZIP you will see that UFED organizes the extracted full file system into 5 subfolders; filesystem1 : extraction of system partition, without the mount point “/private/var/mobile/” (“user data") filesystem2: extraction of the mount point for user data (“/private/var/mobile”) metadata1: metadata for files stored in “filesystem1” metadata1: metadata for files stored in “filesystem2” extra: iOS Keychain As always, when an acquisition is made with UFED, the ZIP file is accompanied by a UFD file that contains all the details of the acquisition process. UFED PA can load an acquisition created with UFED 4PC/Premium by simply loading the UFD file into PA GUI. The user has just
Keep reading

A first look at Android 14 forensics

By -
Android 14 was released to the public by the Open Handset Alliance on October 4, 2023, and is now available on various smartphones, including the Google Pixel. This blog post aims to explore a list of the majr oartifacts you can find on this version of the Android OS.  For testing and review, I set up a Google Pixel 7A and used it for about a month, with a SIM card and various native and third-party apps installed. The blog post is organized by sections: Device information and general settings User accounts Information on Cellular, Wi-Fi, and Bluetooth connections Native Android applications Google applications Analysis of the use of native and third-party applications Other relevant information As always, I'll try to update this blog post as I test and research. Device information and general settings build.prop TXT format Stored in the root directory of the system partition  Among other things, it contains the device manufacturer, the device model, the operating system version, a
Keep reading