Saturday, July 18, 2020

Downloading a DJI Drone flight log (from an iPhone)

Unmanned Aerial Vehicle (UAV) forensics

The first and best place to get information about a UAV is the controller device, be it an iPhone, iPad, or Android.

This post looks at an unlocked iPhone and where to find the flight records.


1. First plug the iPhone into a computer that has iTunes and sync/connect the device.

2. Select File Sharing in the left column.

3. In the left window select the DJI app installed on the device, which depends on the UAV model (typically DJI Go or DJI Fly). In this case DJI Fly is selected.



4. Highlight the folder "FlightRecords" and save it to a local location.

5. View the saved Flight Records. Each is saved as a binary (.txt) file with the date of the flight in the filename.

A .dat file is also saved in the MCDatFlightRecords folder.

6. Convert the .DAT to a CSV with the DatCon tool.
Found at: DatCon download page
*requires Java installed

Run the tool, add the .DAT file from the MCDatFlightRecords folder, specify an output directory, and hit GO!

The CSV is saved.



7. View the CSV.

The CSV contains several columns of relevant data about the UAV, including direction, temperature, height, wind, battery, controller and other data of possible interest.

The columns include GPS:Long and GPS:Lat values and dates for each record.
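To make the GPS columns usable once the CSV is exported, here is an added Python example (not from the post or the DatCon project) that hashes the file for the case record, extracts the GPS:Lat/GPS:Long track and summarises it. The sample CSV, its timestamp column name and the 0,0 pre-fix caveat are my assumptions.

```python
import csv
import hashlib
import io
from datetime import datetime

# Constructed sample of a DatCon-style CSV. GPS:Long and GPS:Lat are the column
# names the post mentions; the timestamp column name and every value below are
# assumptions for this example, not data from a real flight.
SAMPLE_CSV = """GPS:dateTimeStamp,GPS:Long,GPS:Lat
2020-07-18T14:02:10Z,0.0,0.0
2020-07-18T14:02:11Z,-77.0365,38.8977
2020-07-18T14:02:12Z,-77.0364,38.8978
2020-07-18T14:02:13Z,-77.0361,38.8980
"""
TIME_COL = "GPS:dateTimeStamp"  # assumed name; match it to your exported CSV


def sha256_hex(data: bytes) -> str:
    """Hash the exported CSV so the analysed copy can be tied to the original."""
    return hashlib.sha256(data).hexdigest()


def gps_track(csv_text: str) -> list:
    """Return (timestamp, lat, lon) per row, skipping 0,0 rows, which DJI logs
    typically write before the aircraft has a GPS fix."""
    track = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        lat, lon = float(row["GPS:Lat"]), float(row["GPS:Long"])
        if lat == 0.0 and lon == 0.0:
            continue
        ts = datetime.strptime(row[TIME_COL], "%Y-%m-%dT%H:%M:%SZ")
        track.append((ts, lat, lon))
    return track


def bounding_box(track: list) -> tuple:
    """(min_lat, max_lat, min_lon, max_lon) covering every fixed position."""
    lats = [p[1] for p in track]
    lons = [p[2] for p in track]
    return (min(lats), max(lats), min(lons), max(lons))


def flight_seconds(track: list) -> float:
    """Elapsed seconds between the first and last fixed position."""
    return (track[-1][0] - track[0][0]).total_seconds()
```

Run it against the real CSV by reading the file's text into gps_track and its bytes into sha256_hex, and record the hash alongside the bounding box in your notes.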







8. *Another method:
AirData - plot the data online

  • Airdata.com is a great site to upload the downloaded .txt file to and view the data from the UAV.
  • Create an account and select upload to upload the .txt file from the FlightRecords folder.

Shows lots of data from the binary file!

Friday, May 8, 2020

ANAB - Guiding Principles of Professional Responsibility for Forensic Service Providers and Forensic Personnel

Long title, great document:
https://anab.qualtraxcloud.com/ShowDocument.aspx?ID=6732

From the ANSI National Accreditation Board (ANAB), these are some great principles for forensic work.

Guiding Principles of Professional Responsibility for Forensic Service Providers and Forensic Personnel

1. Are independent, impartial, detached, and objective, approaching all examinations with due diligence and an open mind.

2. Conduct full and fair examinations. Conclusions are based on the evidence and reference material relevant to the evidence, not on extraneous information, political pressure, or other outside influences.

3. Are aware of their limitations and only render conclusions that are within their area of expertise and about matters which they have given formal consideration.

4. Honestly communicate with all parties (the investigator, prosecutor, defense, and other expert witnesses) about all information relating to their analyses, when communications are permitted by law and agency practice.

5. Report to the appropriate legal or administrative authorities unethical, illegal, or scientifically questionable conduct of other forensic employees or managers. Forensic management will take appropriate action if there is potential for, or there has been, a miscarriage of justice due to circumstances that have come to light, incompetent practice or malpractice.

6. Report conflicts between their ethical/professional responsibilities and applicable agency policy, law, regulation, or other legal authority, and attempt to resolve them.

7. Do not accept or participate in any case on a contingency fee basis or in which they have any other personal or financial conflict of interest or an appearance of such a conflict.

8. Are committed to career-long learning in the forensic disciplines which they practice and stay abreast of new equipment and techniques while guarding against the misuse of methods that have not been validated. Conclusions and opinions are based on generally accepted tests and procedures.

9. Are properly trained and determined to be competent through testing prior to undertaking the examination of the evidence.

10. Honestly, fairly and objectively administer and complete regularly scheduled:

  • relevant proficiency tests; 
  • comprehensive technical reviews of examiners’ work; 
  • verifications of conclusions. 

11. Give utmost care to the treatment of any samples or items of potential evidentiary value to avoid tampering, adulteration, loss or unnecessary consumption.

12. Use appropriate controls and standards when conducting examinations and analyses.

13. Accurately represent their education, training, experience, and area of expertise.

14. Present accurate and complete data in reports, testimony, publications and oral presentations.

15. Make and retain full, contemporaneous, clear and accurate records of all examinations and tests conducted, and conclusions drawn, in sufficient detail to allow meaningful review and assessment of the conclusions by an independent person competent in the field. Reports are prepared in which facts, opinions and interpretations are clearly distinguishable, and which clearly describe limitations on the methods, interpretations and opinions presented.

16. Do not alter reports or other records or withhold information from reports for strategic or tactical litigation advantage.

17. Support sound scientific techniques and practices and do not use their positions to pressure an examiner or technician to arrive at conclusions or results that are not supported by data.

18. Testify to results obtained and conclusions reached only when they have confidence that the opinions are based on good scientific principles and methods. Opinions are to be stated so as to be clear in their meaning. Wording should not be such that inferences may be drawn which are not valid, or that slant the opinion to a particular direction.

19. Attempt to qualify their responses while testifying when asked a question with the requirement that a simple “yes” or “no” answer be given, if answering “yes” or “no” would be misleading to the judge or the jury.



MacOS - Property List Files

Property list or ".plist" files can contain relevant data for forensic analysis on Apple computers and iOS devices.

In a loose parallel to how Windows stores configuration and settings in the Windows registry, Apple devices store system and user settings in .plist files. They can show a user's preferences and/or how he/she uses an application.

Several plist files are created when a system or application is first run. Aside from configuration info, plist files can provide information on recent items and recently accessed files.

Some plists of potential interest include:
* The tilde (~) means the currently logged-in user's folder (/Users/<username>).


  • Recent Apps in the Apple Dock
    ~/Library/Preferences/com.apple.dock.plist

  • OS Version and Info
    /System/Library/CoreServices/SystemVersion.plist

  • Last Logged-in user
    /Library/Preferences/com.apple.loginwindow.plist

  • Deleted Users
    /Library/Preferences/com.apple.preferences.accounts.plist

  • User Interaction with Apple Finder
    ~/Library/Preferences/com.apple.finder.plist

  • Tracking volumes from the sidebar list
    ~/Library/Preferences/com.apple.sidebarlists.plist

  • Shared files list and recent items
    /Users/<username>/Library/Application Support/com.apple.sharedfilelist/

  • Recent Spotlight Searches
    ~/Library/Application Support/com.apple.spotlight.Shortcuts

  • Installed Updates
    /Library/Receipts/InstallHistory.plist

  • List of Users who can sign in
    <VolumeUID>/System/Library/CoreServices/SystemVersion.plist
    /<VolumeUID>/com.apple.installer/SystemVersion.plist
    <VolumeUID>/System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey

  • User Information
    <VolumeUID>/var/db/CryptoUserInfo.plist
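Three of the files above (loginwindow, dock, InstallHistory) can be pulled apart with Python's standard plistlib, which reads both XML and binary plists. This is an added example, not code from the post; the sample plists are constructed, and the key names are the ones I know from macOS, so confirm them against a real file for your OS version.

```python
import plistlib

# Constructed sample plists (not copied from a real system). Key names are the
# ones I know from macOS; treat them as assumptions for your OS version.
LOGINWINDOW = b"""<plist version="1.0"><dict>
<key>lastUserName</key><string>alice</string></dict></plist>"""

DOCK = b"""<plist version="1.0"><dict><key>recent-apps</key><array>
<dict><key>tile-data</key><dict><key>file-label</key><string>Terminal</string>
<key>file-data</key><dict><key>_CFURLString</key>
<string>file:///System/Applications/Utilities/Terminal.app/</string></dict>
</dict></dict></array></dict></plist>"""

INSTALL_HISTORY = b"""<plist version="1.0"><array><dict>
<key>date</key><date>2020-05-01T10:15:00Z</date>
<key>displayName</key><string>macOS 10.15.4 Update</string>
<key>displayVersion</key><string>10.15.4</string>
</dict></array></plist>"""


def load_plist(path: str) -> object:
    """Read a real file; plistlib detects XML vs binary format itself."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def last_logged_in_user(data: bytes) -> str:
    """com.apple.loginwindow.plist: user name of the last login."""
    return plistlib.loads(data).get("lastUserName", "")


def dock_recent_apps(data: bytes) -> list:
    """com.apple.dock.plist: (label, URL) for each entry under recent-apps."""
    apps = []
    for tile in plistlib.loads(data).get("recent-apps", []):
        td = tile.get("tile-data", {})
        apps.append((td.get("file-label"), td.get("file-data", {}).get("_CFURLString")))
    return apps


def install_history(data: bytes) -> list:
    """InstallHistory.plist: (UTC date, name, version) per installed package."""
    return [(e["date"].strftime("%Y-%m-%d %H:%M:%S"), e.get("displayName"),
             e.get("displayVersion")) for e in plistlib.loads(data)]
```

On a live system, pass the result of load_plist on the path from the list above into the matching function.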




Sunday, August 11, 2019

CyLR — Live Response Collection tool

CyLR — Live Response Collection tool by Alan Orlikoski and Jason Yegge
Windows exe found at:

https://github.com/orlikoski/CyLR/releases

and

https://github.com/orlikoski/CyLR

CyLR was first brought to my attention in the SANS "FOR500: Windows Forensic Analysis" course.
It is used for collection and artifact processing.

FOR ARTIFACTS COLLECTION
This tool looks in:

Windows Default
  • System Level Artifacts
    • %SYSTEMROOT%\SchedLgU.Txt
    • %SYSTEMROOT%\Tasks
    • %SYSTEMROOT%\Prefetch
    • %SYSTEMROOT%\Appcompat\Programs
    • %SYSTEMROOT%\System32\drivers\etc\hosts
    • %SYSTEMROOT%\System32\winevt\logs
    • %SYSTEMROOT%\System32\Tasks
    • %SYSTEMROOT%\System32\LogFiles\W3SVC1
    • %SYSTEMROOT%\System32\config\"REGISTRY HIVES"
    • %PROGRAMDATA%
    • %SystemDrive%$Recycle.Bin
    • %SystemDrive%$LogFile
    • %SystemDrive%$MFT
  • Artifacts For All Users
    • {user.ProfilePath}\NTUSER.DAT and \AppData

*Among other places, with other locations for Linux and macOS shown on the GitHub page.

Simulating Collecting on a Remote System

The above diagram simulates an admin remoting into a desktop, running CyLR and sending the results to an SFTP server for retrieval.

1. SETTING UP THE SFTP SERVICE IN WINDOWS

Open the Start menu.
Type Apps.
Click on Apps & features.
Under "Apps & features," click the Manage optional features link.
Click the Add a feature button.
Select the OpenSSH Server option.
Select Install.

You may need to start the service:
Control Panel > System and Security > Administrative Tools, open Services, and start the OpenSSH SSH Server service.

You may need to set up firewall exceptions to allow incoming connections to the SSH server in Windows Firewall:
  • Either run the following PowerShell command (Windows 8 and 2012 or newer only) as Administrator:
    New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
  • or go to Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules and add a new rule for port 22.

You may need to generate a keypair:
In WinSCP, select Advanced settings > Authentication > Tools > Generate New Key Pair with PuTTYgen,
or use OpenSSH-Win64 "ssh-keygen.exe".

2. COPYING CyLR.exe TO THE REMOTE DESKTOP

$s = New-PSSession -ComputerName DESKTOP-REMOTE -Credential Win10

$s is the variable holding the PowerShell session to the remote host, ideally created with admin credentials. This prompts for credentials.

3. COPY CyLR to the remote host in the session with PowerShell:

Copy-Item -Path C:\USERS\Win10\Desktop\CyLR_win-x64\CyLR.exe -Destination 'C:\' -ToSession $s

This uses the previously created "$s" session to copy to the C: drive of the target.

4. Enter the session with PowerShell:

Enter-PSSession -Session $s

5. Run CyLR and point it to the SFTP server's IP address:

C:\CyLR.exe -u SFTP_Server -p password -s 192.168.28.128

The -s parameter points to the SFTP server, with -u and -p giving the SFTP credentials. *Using "password" as the password is not recommended.

RUNNING

6. Verifying results on the SFTP server

RESULTS include:

The collection contains the NTUSER.dat registry hive for each user.
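Once the archive has landed on the SFTP server, the check I would script is "did I get an NTUSER.DAT for every profile I expected, and what is the hash of what arrived". Here is an added Python example (not from the post or the CyLR project); it assumes CyLR delivers a zip archive whose entry names keep the Users\<name> path, and the sample archive is constructed in memory.

```python
import hashlib
import io
import zipfile
from pathlib import PurePosixPath


def build_sample_archive() -> bytes:
    """Constructed stand-in for a CyLR archive; layout and contents are assumed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("C/Windows/System32/config/SYSTEM", b"constructed hive bytes")
        z.writestr("C/Users/alice/NTUSER.DAT", b"constructed hive bytes")
        z.writestr("C/Users/bob/NTUSER.DAT", b"constructed hive bytes")
        z.writestr("C/Users/bob/AppData/Local/Microsoft/Windows/UsrClass.dat", b"x")
    return buf.getvalue()


def archive_sha256(data: bytes) -> str:
    """Hash the archive as received so the copy can be tied to the collection."""
    return hashlib.sha256(data).hexdigest()


def ntuser_hives(data: bytes) -> dict:
    """Map user name -> archive entry for every NTUSER.DAT under a Users folder."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            parts = PurePosixPath(name).parts
            if parts[-1].lower() == "ntuser.dat" and "Users" in parts:
                found[parts[parts.index("Users") + 1]] = name
    return found


def missing_hives(data: bytes, expected_users) -> list:
    """Users you expected on the host whose NTUSER.DAT did not arrive."""
    return sorted(set(expected_users) - set(ntuser_hives(data)))
```

Point archive_sha256 and ntuser_hives at the bytes of the real archive pulled from the SFTP server, and feed missing_hives the profile names you saw in C:\Users on the target.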








In conclusion:
I think CyLR is a neat tool and can potentially be used by an IR shop to collect relevant artifacts. I may try it on a Mac and/or Linux host and see what it retrieves.

I am also looking to try out Eric Zimmerman's KAPE (Kroll Artifact Parser and Extractor) tool to simulate a remote collection.
https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape


--Bryan

Referenced:

Sectechno. (2018, October 10). CyLR - Live Response Collection Tool. Retrieved from http://www.sectechno.com/cylr-live-response-collection-tool/

Orlikoski. (2019, March 18). Orlikoski/CyLR. Retrieved from https://github.com/orlikoski/CyLR