Roundup of my DFIR 2023

Published: December 31, 2023, by atropos4n6

CCTV, FOSS, IoT, xLEAPP

It's been quite a long time since I last posted something here. Nonetheless, I was conducting DFIR research on IoT Forensics in the background (while working on my PhD), and now, in the last minutes of the year, I would like to share some of our findings with you here. So, hop on for the last roundup of the great year 2023:

Let's start by outlining the DFIR contributions of this productive year and then elaborate further on each point:

  • 3 conference papers
  • 2 journal papers
  • 1 presentation
  • 1 chapter contribution (currently under review)
  • 4 parsers contributed to xLEAPP
  • 2 new FOSS tools developed

Conference Papers

All the research projects that you will read about here are related to IoT Forensics. We first examined a popular mobile application by HIKVISION, a China-based manufacturer considered one of the global leaders in the camera and surveillance equipment market. We conducted over 100 tests and acquisitions, and correlating their findings took us some time. Our tests were performed on both Android and iOS smartphones to gain a comprehensive understanding. Additionally, we utilized CCTV systems to interact with the mobile app, as this is what the application was designed to do. Some noteworthy findings include the app's use of encrypted Realm databases to store information about the employed CCTVs. We successfully decrypted these Realm databases using Frida and Fridump3, which was really cool. More details about this research project can be found here. doi: 10.1016/j.fsidi.2023.301560.

We then moved on to examine smart home environments, focusing on Ajax Systems Security. Specifically, we established a smart home using IoT appliances from this renowned Ukrainian-based manufacturer. Our digital investigation targeted the mobile app of this manufacturer. As in the previous case, we conducted numerous tests and scrutinized both Android and iOS to gain a better understanding of the findings. Similarly, this mobile app utilized encrypted Realm databases, which we successfully decrypted using the aforementioned tools. This allowed us to retrieve the geolocation of the smart home and various other artifacts related to it. If you are interested, you can read more here. doi: 10.1109/CSR57506.2023.10224992.

Our last conference paper focused on both smart home devices and CCTV systems. For this study, we selected Dahua Technology, a well-known China-based manufacturer of surveillance systems. We configured a smart home using IoT products from Dahua Technology, along with a couple of its CCTV systems. Subsequently, we installed its mobile application, which served as the focal point of our research. We conducted an extensive number of tests on both Android and iOS, uncovering intriguing artifacts about both the smart home and the CCTV systems. For more details about this research, you can read more here. doi: 10.1109/CSR57506.2023.10224982.

Journal Papers

Next, we researched the hard drives within CCTV systems to uncover any evidentiary data that commercial tools do not parse. Our efforts yielded some interesting artifacts:

Firstly, we examined HIKVISION CCTV systems, which use a proprietary file system, also known as the 'HIKVISION file system'. We discovered that the CCTV system log records stored within their hard drives are not efficiently parsed by either commercial or freeware tools. Therefore, we conducted an investigation into these records and, through heuristic tests, were able to match their interpretation with their hex representation. This research unearthed some valuable artifacts, which could prove extremely useful for anyone conducting CCTV examinations. The paper is freely available (open access) here. doi: 10.1111/1556-4029.15349.

Secondly, we investigated Dahua Technology CCTV systems, which also utilize a proprietary file system, known as the 'DHFS file system'. Similarly to the aforementioned research, neither commercial nor freeware tools could successfully parse the system logs residing within the systems' hard drives. Through our research, we successfully identified the structure and interpretation of these log records. These results can aid investigators of CCTV systems in attributing actions to users and more. This paper is also freely available (open access) here. doi: 10.1111/1556-4029.15401.

Presentation

In an effort to disseminate our findings on the CCTV systems log records, I gave a talk entitled 'IoT Forensics: Exploiting an unexplored piece of evidence in CCTV investigations' at the first SANS DFIR APAC Summit. The presentation is available on the SANS website.

I am also preparing a similar talk for the upcoming #MVS2024. If you are interested in these artifacts and want to attend, make sure to register for free here.

Chapter Contribution (currently under review)

I finally submitted my chapter on IoT Forensics for review in the award-winning book 'The Hitchhiker's Guide to DFIR: Experiences From Beginners and Experts'. The book is crowdsourced and available here. If you are new to IoT Forensics or want to learn more about this field and the skills needed to succeed in it, you might find my chapter helpful. Make sure to download it as soon as the chapter is published (I will tweet about it).

Parsers contributed to xLEAPP

Taking advantage of the aforementioned research projects on IoT companion mobile applications (HIKVISION and Dahua Technology), we integrated our findings into Python parsers that were contributed to ALEAPP and iLEAPP, respectively. In particular, two parsers were contributed to ALEAPP and two to iLEAPP. If you are conducting mobile forensics and are not familiar with these great tools, make sure to grab them and use them. They are powerful and free!

New FOSS tools developed

In an effort to help examiners forensically evaluate HIKVISION CCTV system log records, we developed a Python tool, namely 'Hikvision Log Analyzer'. The tool can automatically extract log records from a raw disk image and report its findings in an easy-to-view HTML file. It can also parse log records if they are exported through the CCTV system's GUI into text files. The tool is freely available here.
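To make concrete what the log record research above and a tool such as the one just described actually do (scan a raw image for record signatures, decode the fields whose meaning was established by heuristic tests, and render a report), here is an added example. It is not the author's Hikvision Log Analyzer and not the real HIKVISION or DHFS record format: the record layout, the magic bytes, the type tables and the sample image are all constructed for illustration. What it does show is the general carving approach, including the cases a practitioner runs into on a real disk image: unaligned records, a signature match inside garbage (caught by a timestamp plausibility check and flagged for manual review), a record cut off by the end of the image, and a user-name field that is HTML-escaped so evidence content cannot inject markup into the report.

```python
import html
import struct
from datetime import datetime, timezone

# Constructed record layout used ONLY for this illustration; it is not the
# real HIKVISION or DHFS log record format documented in the papers.
#   magic (4 bytes) | timestamp, epoch seconds (uint32 LE) | major type (uint16 LE)
#   | minor type (uint16 LE) | user name (16 bytes, NUL padded) | reserved (4 bytes)
MAGIC = b"LOGR"
RECORD = struct.Struct("<4sIHH16s4s")
RECORD_SIZE = RECORD.size  # 32 bytes

# Hypothetical type tables: the kind of mapping the heuristic tests establish.
MAJOR_TYPES = {1: "Alarm", 2: "Exception", 3: "Operation"}
MINOR_TYPES = {(3, 0x50): "Local login", (3, 0x51): "Remote login",
               (1, 0x01): "Motion detection"}

# Plausibility window for timestamps: 2000-01-01 to 2100-01-01 (UTC).
TS_MIN, TS_MAX = 946684800, 4102444800


def build_record(ts, major, minor, user):
    """Pack one constructed record (only used to build the sample image)."""
    return RECORD.pack(MAGIC, ts, major, minor,
                       user.encode("ascii").ljust(16, b"\0"), b"\0" * 4)


def constructed_image():
    """A small constructed 'raw disk image': unallocated filler, records that are
    not aligned, a signature inside garbage, and a record cut off by the image end."""
    img = bytearray(b"\0" * 64)                              # unallocated space
    img += build_record(1700000000, 3, 0x50, "admin")
    img += b"\xaa" * 13                                      # misaligning filler
    img += build_record(1700003600, 1, 0x01, "")
    img += build_record(1700007200, 3, 0x51, "<ops&1>")
    img += MAGIC + b"\xff" * (RECORD_SIZE - 4)               # false positive
    img += build_record(1700010800, 3, 0x50, "admin")[:20]   # truncated record
    return bytes(img)


def carve_records(image):
    """Scan for the record signature anywhere in the image (records need not be
    sector aligned), decode each hit and flag hits whose fields are implausible."""
    records = []
    pos = image.find(MAGIC)
    while pos != -1:
        chunk = image[pos:pos + RECORD_SIZE]
        if len(chunk) < RECORD_SIZE:
            break  # partial record at the end of the image: nothing to decode
        _, ts, major, minor, user_raw, _ = RECORD.unpack(chunk)
        plausible = TS_MIN <= ts < TS_MAX and major in MAJOR_TYPES
        user = user_raw.rstrip(b"\0").decode("ascii", errors="replace")
        records.append({
            "offset": pos,
            "time": (datetime.fromtimestamp(ts, tz=timezone.utc)
                     .strftime("%Y-%m-%d %H:%M:%S UTC") if plausible
                     else f"raw 0x{ts:08x}"),
            "category": MAJOR_TYPES.get(major, f"Unknown (0x{major:04x})"),
            "event": MINOR_TYPES.get((major, minor),
                                     f"Unknown (0x{major:04x}/0x{minor:04x})"),
            "user": user or "(none)",
            "plausible": plausible,
        })
        pos = image.find(MAGIC, pos + RECORD_SIZE)
    return records


def html_report(records):
    """Render the carved records as an HTML table. Every cell is escaped so a
    crafted user name stored in the evidence cannot inject markup into the report."""
    rows = []
    for r in records:
        flag = "" if r["plausible"] else " (implausible, review manually)"
        cells = (f"0x{r['offset']:x}", r["time"], r["category"], r["event"],
                 r["user"] + flag)
        rows.append("<tr>" + "".join(f"<td>{html.escape(c)}</td>" for c in cells)
                    + "</tr>")
    return ("<table><tr><th>Offset</th><th>Time</th><th>Category</th>"
            "<th>Event</th><th>User</th></tr>" + "".join(rows) + "</table>")


if __name__ == "__main__":
    print(html_report(carve_records(constructed_image())))
```

On a real image the same loop would read the disk in chunks rather than holding it in memory, and the plausibility checks would be extended with whatever the heuristic tests established for the actual format (valid type ranges, monotonic timestamps within a log area). Keeping implausible hits in the report rather than silently dropping them is deliberate: an examiner should see what was filtered and why.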

Furthermore, we developed a Python tool, namely 'Ajax Systems Log Parser', which can analyze some of the artifacts found during the aforementioned research project on Ajax Systems smart home devices. The tool is freely available here.

Conclusion

And that's all, folks! The end of a very productive year! It's time to relax and rejoice as we prepare for New Year's Eve!

I would like to express my sincere gratitude to my supervisor, Professor Costas Lambrinoudakis, and my colleague and dear friend, Michael Kotsis, for their invaluable contributions to all the aforementioned research projects. Without them, it would be impossible to conduct and publish all this thorough research. A huge thanks to Andrew Rathbun for providing extra time for me to manage and finish my chapter on IoT Forensics.

Wishing you all a great 2024, full of health, joy, success, and moments that fill your heart with happiness and fulfillment. Cheers!
