
But our next speaker, a really good speaker, who was actually our BSides badge designer for 2016, our first BSides that we ran, is Iggy, and his talk is Cold Case: Catch a Killer in 16 Bytes. So let's all welcome Iggy to the stage.

Thanks Silvio. I'm guessing these work. So you'll have to be nice to me; this is the first time I've ever done anything on this scale, and someone said I was supposed to imagine the audience all being naked, but it's okay because I can't see you anyway. So, first a bit of a disclaimer before I get into things. My employers don't have a horse in this race, as they say. This was purely a personal research project, not connected in any way to my work. I'm not a full-time forensics guy, but I enjoy a challenge, and I wasn't a member of the investigative team or any organisation that investigated any alleged crimes that I'm going to be talking about, but I do have the okay from the investigations team to talk about what I'm going to talk about. And I didn't have access to anything that is directly connected to the case, so therefore I didn't have the actual device that was involved in the case, they didn't give me any inside knowledge, and there is a matter that we're going to reference which is still before the courts in South Australia, and so of course there's a presumption of innocence in the legal process.

So first, my ego trip. I'm a technologist, which is just a fancy way, especially in places like Victoria I believe, of saying that I'm an engineer without a degree. I've been involved in electronics professionally for about 40 years at various levels, and I also spent eight years as a New South Wales cop, which is the thing that gives me the interest in this stuff. I did general duties, intel, and I was a gun-toting J2EE dev, which is a pretty scary combination, especially when things were going wrong; probably why they made me work from home. And I'm very lucky to have a ton of SANS training, including various forensics courses et cetera, under my belt, but in some ways I didn't really need them for this, and I've had an interest in this for a long time. And as Silvio said, I'm also the crazy old dude that designed the badge in 2016. If you think about it, back then we had 300 badges that we hand-sold and we thought that was a good effort, and look at the thing you've got around your neck now; that's just an awesome effort from all the crew at Penten, so maybe a quick round of applause for them, I reckon. [Applause]

So, some background. Back in about mid-2019 I got a call from a friend in law
enforcement, and they asked whether I'd be interested in looking at an old-school digital camera that they were trying to recover some stuff from. They were doing a job for SA Police at the time; apparently they'd tried what they could, hadn't been able to recover anything, and were about to pass on the bad news to SAPOL when somebody said, why don't we give that old bloke a call? And there's a saying that says once a cop, always a cop, so I absolutely jumped at the chance to get involved.

So the device is a Kodak C513 digital camera. It came out about 2007, and I think they started work on them a little bit before that. So, 5 megapixel camera, it's got an SD card slot in the side of it, the typical little compact camera that was sort of popular then. What makes these interesting forensically is that they didn't need an SD memory card, because they've also got 16 megs of internal NAND flash. So even if the SD card's been removed, there's a chance of finding some evidence on this sort of device. Now 16 megs doesn't sound like a lot these days, when you've probably got a single image on your iPhone or your Android device and it's like five megs and you're going, yeah, that's a bit pathetic, but you could fit quite a lot of stuff into 16 megs back then.

So at the risk of blowing their department budget, the crew from the forensics team went out and bought a couple of identical cameras from Crime... Cash Converters, sorry, Freudian slip, and they did the right research so they could perform the chip-off recovery of the 16 meg NAND flash. So they did all the right things: they removed it, put it into their forensic NAND reader, took a full binary image of what was there, and then pumped it through the very, very expensive commercial tools that anybody who's done any forensic training will have come across, and they got nothing. So that's why they called me. So they sent me a copy of their binary, which, again, all of this data is purely from the test cameras, so you'll see some photos afterwards that I've got, and that's just randoms that may have owned the camera before, or stole the camera, or, you know, whatever; however the pictures got on there, they're nothing to do with the actual case. So I got that binary and I got to work using my favourite photo recovery tool, which is PhotoRec, from the TestDisk suite on Linux. I use PhotoRec heaps, like for all those little jobs if you're trying to recover some pictures that have been deleted from somebody's camera, you know, like from their memory stick or something or other, and I really enjoy buying second-hand hard disks at second-hand shops as well, I don't know why.

So in this case I've got the 16 meg image selected that they'd sent me, so you can see that in PhotoRec. Then PhotoRec, like a bunch of these tools, allows you to recover all sorts of different file formats, and I was just interested in photos on this occasion, so I deselected all the other ones and just left the JPEG selected and let it run, and I got nothing as well. So that's pretty comforting really, because if it had been that easy I shouldn't be standing here now, and they'd probably have some real issues to
address internally within their professional forensics team. So the next step was to hunt around the binaries, see if I could identify anything at all that might help, sort of give you some idea of what was going on. So it always helps to know what you're actually looking for. Excuse me for using the notes, because I've only read this about 20 times and I'm scared I'll forget it. So I jumped onto the Wikipedia file signature page, or the magic number page. Now the magic numbers are sequences of bytes that normally will be unique to a particular file type, and tools use those bytes to try and find those files in a binary image of some sort, whether it's a hard disk image, whether it's an in-memory image or something. And so tools like PhotoRec, and I assume just about every forensic tool, use these magic numbers to try and identify the beginning and the end of particular data blocks of interest. So JPEG has four sets of magic numbers; the most common, and this is right at the header of the file, so there's the FF D8 FF DB, and then the other ones down below it you can see. Some of them, for those who have got ASCII sort of engraved into the back of their heads, it's got the 4A 46 49 46, just a normal string sequence, and I'll show you what they are in a sec.

So if we go to the actual Wikipedia page, there's the excerpt from it, you can see, and there are huge numbers of these, just like there are selections in PhotoRec. You can see the byte sequences there in the left-hand column, but the next column along shows you the ASCII representation of those, so if you're looking at this like as a strings dump or something in Linux, or just, you know, type strings myfile.bin, it will show you these strings: you've got that ÿØÿà-looking character set, or the more readable, you know, JFIF or Exif etc. So those are the things we're looking for.

So since the tools didn't find anything, it was time to have a bit of a look around myself. So I jumped into a hex editor and started searching for one of the strings in that list, and got a hit. You can see the highlighted area, the FF D8 FF E0 etc., so that would indicate that there was a file starting in that area of the memory. That was promising, but it's kind of weird, since none of the tools would find any of this stuff. So I did a search for another one of them, found another hit for a slightly different header, but again there are like lots and lots of these; I just repeated the thing again and again, of course. So I worked my way right through the magic number list, again went, yeah, this is great, like there's this stuff there, but I just don't know why I can't see it. And I didn't know at that stage what sort of file system was on the device. I suspected it was probably a FAT16 or a FAT12 file system, so it would be DOS compatible, so I went looking for the file system identifier string, which in this case is the FAT12, and I found that. You can see what's referred to as the boot record, because even though it's the internal memory, the file system is set up just as if it was on a bit of removable media. So you can see that we found it; there's a jump instruction at the beginning, which is that EB ... 90, which is meant to be there in the boot record, and then further down, and this stuff's all, you know, on a million websites so you can look up the offsets, but the file system identification string is there as well, that FAT12. So I knew it was a FAT12 file system. Oh, and what you could also do, if I go backwards, is that offset into this file, that's 346890; you could then use dd under Linux, for example, set that as the offset, extract everything from there onwards, and you can try and mount it as a file system under Linux using the mount command with -o loop for a loop device. I didn't do that, because I thought the thing was probably corrupt anyway, since I hadn't been able to recover any images from it. So then I ran another Linux tool called binwalk over the file and told it to extract anything it finds. binwalk, again, is really for flash images; it'll extract images, it'll extract complete file systems as well, and it's handy, let's say you've got an embedded Linux device and you've got access to the data within flash on that; you can extract the whole file system and then remount that and look at it. And again it found a whole bunch of JPEG and TIFF headers, but nothing was recovered.

So I was feeling a bit desperate by this stage, and all this process I'd let drag on for many, many weeks etc. as I got distracted by other things, but I sent a random email to Kodak Australia saying I'm working on a project for someone in law enforcement as a favour, wondering if you have any info on this old 12-year-old camera, and I really didn't expect them to even reply, because lots of times they just won't, especially if you're not, you know, sending an official email from somewhere.
But instead this guy called Mark emailed me back and said they didn't have anything, but he'd ping the US. Next thing, I had an email back from Mark; it turns out that his contact in the US had found a retired design engineer who'd actually worked on these cameras, and they called her the Red Sox, that was their project name. So they gave me some basic info, which I'd already guessed at, like the FAT stuff etc., and the way the thing was structured; you can see he's got info there about the magic bytes to look for. But there was a PDF attached to it as well, which was interesting: they'd sent me the whole engineering requirements specification for the camera. Wonderful. The fact that the Australian rep reached out to the US was great, the fact the US had reached out to a retired engineer who'd worked on the design and, you know, was happy to help was awesome, but to send me the full technical specs was outstanding. So I was a very happy boy.

So the info in both the email and the spec confirmed that, yeah, images are saved as JPEGs, as Exif 2.21, you could fit a maximum of 10 full-size images on there on the internal storage, and that they use the common digital camera file format, so that folder structure you always see with digital cameras, and the email also confirmed that it was a FAT system, as I said. The additional information they sent me of course gave me an idea of how many images I could be looking for, and if you look at the column that says internal 16 megs, like, there could be up to 41 images, deleted or undeleted, sort of hiding in this space when someone may think that there's nothing because there's no memory card plugged in. So that was great. I passed on the information that I had so far back to the forensics team, and they offered to drop off yet another camera that they'd bought from that business for me to examine. So again, I'm not touching real evidence in this case.

So I started pulling the thing apart. Before I did that, I erased the internal memory, took some photos of some objects, deleted a couple of those, so I knew I'd have a couple of good images and a couple of deleted images if I did actually manage to get at the NAND contents. So I always take a ton of pictures if you pull things apart, especially consumer electronics; they've always got little catches and different size screws and a million things that you can lose, and if you want any chance at all of putting it back together, you know, just grab the phone and take lots of photos. I think I took about 20 or more photos, and really got pretty distracted by the whole photo-taking thing.

So, you see, older cameras and flashes didn't use nice safe LEDs to light up the scene; they used these evil xenon tubes that used a really high voltage to operate, and the reservoir for all that high voltage nastiness is that big black 330-volt capacitor you can see in the photo, which I may have highlighted a little. You can see what's coming, can't you? In this case I'd grabbed the camera firmly in one hand to undo some screws, and in doing so I stuck my thumb straight across the terminals of this angry little bastard. The camera flew in one direction, I flew in the opposite direction and landed on my backside yelling every profanity that people were kind enough to teach me in my eight years in the cops. So be safe, kids, always discharge high voltage circuits. I should have known better; I used to work on TV and radio transmitters with very high voltages, and it's easy to do.

So after all that excitement we finally got to the NAND itself. So in this case it's an ST NAND128W blah blah blah; it's a 128 megabit device, this is an 8-bit device with parallel access to the data, so it's 16 megabytes as we'd sort of said before. I still wasn't confident that the chip-off read that they'd given me was complete, and so I wanted to see
whether I could read the contents of this, especially this particular camera, myself. And I've got one of those cheap TL866 programmers that everyone seems to use; you get them on eBay, they're great for like all sorts of stuff, but no support for these as far as I knew. So I was going to do a chip-off of my own. So I masked off all around the chip with the yellow Kapton tape, which is a heat-proof tape, and that's important to do, because if you're going to use hot air to rework something or to remove a chip, like in this case, if you don't mask off the other areas, that hot air is going to melt the solder on all those really, really small resistors and capacitors and things that are all over it, and you're going to blow those all over your workbench. So after I masked it off, applied a bit of extra flux and ran some fresh solder up the two sides of the chip, and then just used hot air, trying not to burn the something out of the board, another mistake people make, and removed the chip. And as you can see on the second picture, everything else looks pretty good; I didn't embarrass myself by blowing any components around the place.

So then back to the data sheet to figure out what to do with it. We can see it's a TSOP48 device, just means it's very flat, wide, it has legs on both sides of it, but the memory is organised into 512-byte plus 16-byte pages, and it's a parallel interface, as I said, so all the address and data lines are multiplexed onto some shared pins. So you can see that on the middle picture: you've got some shared I/O lines and you've got read lines and enable lines and address latch lines and whatever else, so you've got to figure out what to do with those. So you need quite a few I/Os to be able to talk to it, and this sort of flash device is different to, for example, the ESP32 that's on your badge, where the flash is connected over SPI, which is a high-speed serial bus. So it needs a bunch of wires, so I needed to find a dev board in my collection, and I decided on the Teensy 4, which is the bottom board there, there's a chip on it and the USB connector; it's a blisteringly fast 600 meg micro with enough I/O to do the job. I needed 15 I/O lines all together, and it's got Arduino IDE support, which is awesome because I'm a lazy programmer. So I stuck the NAND onto a breakout board, you can buy those for all sorts of different size chips, that's the green board, and wired it all up with point-to-point wiring underneath, and from the top it looks pretty, pretty. And as I said, there were 15 I/O lines.

So then I got into the process of actually writing some code to talk to it, and you send commands to the flash about what you want to read, whether you want to write, setting up the address lines etc. about where you want to talk to, what page you want to read. I started by trying to read the electronic signature, finally moved on to being able to read blocks of memory, and that went on to a full-on dumper where I could just specify whatever range of memory pages I wanted and spit those out in Intel HEX format, and this is all across a terminal in traditional Arduino style, so just a serial terminal, and so I could save that Intel HEX stuff in the capture buffer and then use objcopy, for example, to turn that from a hex file back into a binary.

So once I had that, I took my image, which was on the left-hand side, and the image they sent me on the right-hand side, and started doing comparisons, see if I could find the same sort of strings in there etc., and I found all the identifying stuff about it being a Kodak camera, the manufacturer data, those things. I looked further down into it, found the same sort of FAT
structure, but the address offsets were different, and I thought that was probably because of the way I was reading it, because, like, I was fresh to this particular memory device, a DIY reader etc. I wasn't too concerned; I was more interested in the fact that I had read something, I could verify the same sort of stuff was there, so I could probably play with that image, but it still didn't really show me any more about why I couldn't recover any of those actual JPEG files. So I tried manually going in there and file carving by hand from the file allocation tables. Remember earlier on we saw the start of where the disk image was, that EB ... 90 etc. So I followed that through in the hex editor and used reference charts and, you know, went through byte by byte the file allocation tables, and just kept running into garbage. So, you know, I confirmed that there was definitely something corrupt in there.

So I went back to the NAND data sheet and started looking a little more carefully at how they'd organised things. So I was looking at the page operations for reading and writing data, and there's the stuff on the left-hand side, because they had a 256-byte page for A, a 256-byte page for B, and then they had what they were calling the spare page, with 16 bytes of data, and the commands that you send to read that data are optimised to read A, B, A, B, A, B. So when you finish reading page B, for example, the thing's automatically ready to start reading page A again, to make it really quick. And I thought, what if they wanted the best performance out of this thing, and, you know, it's a fairly old device, and so they weren't using page C at all? So using my magical C crafting skills, none of this hipster Python nonsense, me being an old man, I wrote a small utility to read in 528 bytes, which is the 512 plus 16, and to only write out 512 bytes, and I did that for every single record until the end of the file, so effectively stripping out those 16 bytes of garbage. So this time, running it through PhotoRec, it went, I've recovered something. So that was pretty good, and as Dave from EEVblog says, winner winner chicken dinner, except I can't do his squeaky voice. And I have 17 pictures of random people who may or may not have owned this camera before it was sold or something or other, so again they're not involved in the case, but that was awesome; like, I was definitely ready to party.

So I documented what I'd found and I sent off my little C utility and stuff to the forensics team, and I was pretty excited by what I'd achieved, and I reckon they were pretty happy as well, because they can now duplicate all these results themselves, and the email just says what I've just told you really; it just didn't take as long, or probably took longer to write.

So summing up, the whole process probably took me several months from when I was asked if I was interested in having a look at this thing until I delivered the goods. I got distracted by shiny things, I got frustrated, I went away from it, I came back to it, they nagged me a little because I got distracted. So what did I learn? Even if you have the best tools in the world you can only do so much; it's garbage in, garbage out, as they say. You can't be an expert in everything, especially in a busy forensics area like they are, so you can't blame them for not going down the rabbit holes I did and into the weeds of, you know, what design decisions did Kodak make to make this thing particularly quick, or at least quick enough so customers wouldn't complain, the optimisations in the NAND design of, you know, reading pages and whatever. So when it came down to it there was an easy answer, but sometimes you have to walk up a big hill to get to the plateau.

So you're probably curious as to why I bothered spending all this time on this favour, and that's because I had nothing to lose, but other people had lost everything. So I'll leave you to have a look at that for a sec.
And I still, like, you know, get the choked-up thing. I believe that some critical evidence may have been uncovered in this case, and that it may be the missing piece in the long-running puzzle that they had, and that there may be a good outcome coming. As I said, this matter's still before the courts in South Australia, but perhaps it really does only take 16 bytes to catch a killer. Thank you.

A really great talk, and very persistent in your, in what you're doing to get that great result. But a question on the Slack: what got you into hardware hacking like this to start off with?

I've always loved pulling things apart, like ever since I was a little kid. Dad was an engineer, the old variety, and used to build gadgets and build model airplanes and design control systems for refrigeration things, so I always had the technical influence. I got involved with amateur radio, which is kind of a neat way of learning a bit about electronics when I was a kid, and that just sort of progressed from there. And it's a case of, I've got way too many dev boards, for example, for a person to reasonably have. The whole thing we did with the badge in 2016, like, we put in a ton of work, but just that creating something, or looking at something someone else has created, has just always really interested me, and it's sort of what drives me, which is why I was really interested, because I wanted a challenge other than my normal day-to-day things, which may have been slightly more mundane, and that's why I said, yeah, I'll have a look; I had nothing to lose and, you know, I need something to gain. So it's really just that interest in everything and anything.

Another question was, have you done anything with the Penten BSides badge this year? And this person also commented what a great talk as well. So I know that you posted some Twitter posts on the current badge.

I haven't done anything particularly useful with it. I recently got involved as a beta tester for some antenna simulation software, so my head's been full of RF and testing things and other goodies, and so I jumped on and started cutting tracks and deciding to measure things, because I wanted to simulate the antenna and other bits and pieces, and I had enough of a chance to really have a look at all the awesome goodies that are on there, because, like, there is just so much stuff packed into the badge. It would have been inconceivable for us to consider something like that back then; like, we were going, that display is three dollars, as you know, can we find a cheaper one or something. So I suspect I'm going to try and do lots of goodies with it, especially because the speaker ones kindly have all the accessories on them, but so far I've just been really looking at it, doing a peer review without being part of the team. And that's nothing, I really want to make that clear, like the stuff that I did and looked at and my comments about the design, it's just me going through the process of, hey, this is interesting, this is what I found; so it doesn't take anything away from all the effort and the awesome job that the guy has done.

Fantastic. And maybe one last question before we break for lunch: would you have been able to pull it off without the input from Kodak, without that data sheet, do you think?

Yeah, because I was already heading down that track anyway, so I had found the FAT12 file system by doing the search for the strings. It was just such a nice touch, and also when I called the guys at Kodak back and said, apparently this was very successful, thank you very much from the team down there etc., they were really happy, because people don't tell them usually; it's like, oh, give some information and that's it. So, you know, they were really rapt. So it helped; it wasn't the tipping point, but it certainly confirmed what I thought I'd sort of discovered so far.

Fantastic presentation. Let's all give him a great round of applause. Thank you, thanks a lot.
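The spare-area strip described in the talk, as an added example that is not Iggy's utility or any code from the presentation: it reads a raw chip-off dump as 528-byte records (512 data bytes plus the 16-byte spare area, matching the camera's NAND page layout), writes out only the 512 data bytes of each, and shows with a constructed three-page dump why a JFIF header that straddles a page boundary is missed by a signature search until the spares are gone. The page geometry follows the talk and the header bytes are the standard JFIF ones; the file names and the sample dump are constructed.

```c
/* Added example (not the talk's own utility): drop the 16-byte spare area from a
 * 528-byte-page NAND dump so the 512-byte data sectors become contiguous again. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_DATA  512                      /* user data per page (256-byte A + B halves) */
#define PAGE_SPARE 16                       /* spare / out-of-band area per page */
#define PAGE_RAW   (PAGE_DATA + PAGE_SPARE) /* one 528-byte record in the chip-off dump */

/* In-memory strip: keep the first 512 bytes of every 528-byte record.
 * out must hold (in_len / 528) * 512 bytes; a trailing partial record is dropped. */
size_t strip_spare(const uint8_t *in, size_t in_len, uint8_t *out)
{
    size_t pages = in_len / PAGE_RAW;
    for (size_t p = 0; p < pages; p++)
        memcpy(out + p * PAGE_DATA, in + p * PAGE_RAW, PAGE_DATA);
    return pages * PAGE_DATA;
}

/* First offset of a JFIF header (FF D8 FF E0 <len:2> "JFIF\0"); -1 if absent. */
long find_jfif(const uint8_t *buf, size_t len)
{
    static const uint8_t soi[]  = {0xFF, 0xD8, 0xFF, 0xE0};
    static const uint8_t jfif[] = {'J', 'F', 'I', 'F', 0x00};
    for (size_t i = 0; i + 11 <= len; i++)
        if (memcmp(buf + i, soi, 4) == 0 && memcmp(buf + i + 6, jfif, 5) == 0)
            return (long)i;
    return -1;
}

/* Stream version of the same idea: read 528 bytes, write 512, repeat to EOF.
 * Returns pages written, or -1 on I/O error. */
long strip_spare_file(const char *in_path, const char *out_path)
{
    FILE *in = fopen(in_path, "rb");
    if (!in) return -1;
    FILE *out = fopen(out_path, "wb");
    if (!out) { fclose(in); return -1; }
    uint8_t rec[PAGE_RAW];
    long pages = 0;
    size_t got = 0;
    while ((got = fread(rec, 1, PAGE_RAW, in)) == PAGE_RAW) {
        if (fwrite(rec, 1, PAGE_DATA, out) != PAGE_DATA) { pages = -1; break; }
        pages++;
    }
    if (pages >= 0 && got != 0)
        fprintf(stderr, "warning: %zu trailing bytes (partial page) dropped\n", got);
    fclose(in);
    return fclose(out) == 0 ? pages : -1;
}

/* Constructed 3-page dump: a JFIF header starts 4 bytes before the end of page 0's
 * data, so page 0's spare bytes land inside it. Searched as dumped (stripped == 0)
 * or after stripping (stripped == 1). */
long sample_jfif_offset(int stripped)
{
    static const uint8_t hdr[] = {0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00};
    uint8_t raw[3 * PAGE_RAW], clean[3 * PAGE_DATA];
    for (size_t i = 0; i < sizeof raw; i++)   /* filler that never contains 0xFF */
        raw[i] = (uint8_t)(i & 0x7F);
    for (int p = 0; p < 3; p++)               /* spare areas as erased 0xFF (real dumps carry ECC here) */
        memset(raw + p * PAGE_RAW + PAGE_DATA, 0xFF, PAGE_SPARE);
    memcpy(raw + 508, hdr, 4);                /* FF D8 FF E0 closes page 0's data */
    memcpy(raw + PAGE_RAW, hdr + 4, 7);       /* 00 10 "JFIF\0" opens page 1's data */
    if (!stripped) return find_jfif(raw, sizeof raw);
    return find_jfif(clean, strip_spare(raw, sizeof raw, clean));
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s raw_dump.bin stripped.bin\n", argv[0]); return 2; }
    long pages = strip_spare_file(argv[1], argv[2]);
    if (pages < 0) { perror(argv[1]); return 1; }
    printf("wrote %ld pages (%ld bytes) without spare areas\n", pages, pages * PAGE_DATA);
    return 0;
}
```

Feed the stripped output to PhotoRec or another carver; the raw dump still contains the FF D8 bytes a hex editor search will hit, but every 512 bytes of image data are interrupted by 16 spare bytes, which is why the carvers gave up on it.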