
IoT 4n6: The Growing Impact of the Internet of Things on Digital Forensics

BSidesROC · 2018 · 55:21 · 1.6K views · Published 2018-08
Category: Technical
Topic: DFIR, IoT
Style: Talk
About this talk
IoT devices are increasingly ubiquitous in investigations, yet most forensic practitioners lack guidance on extracting and analyzing data from them. This talk explores an investigative hierarchy for IoT forensics, examining where data resides across wearables, smart home devices, and connected vehicles. Hyde covers extraction techniques from physical devices, mobile applications, and cloud storage, while addressing practical and legal challenges in multi-jurisdictional cases.
Original YouTube description
Talk Description: Gartner predicts that by 2020 there will be more than 20 billion connected "things," not including smartphones, in the world. That's 20 billion things collecting data, 20 billion potential "technological witnesses." How does this impact forensics and investigations? How can you create an investigative hierarchy to ensure your time is properly spent investigating these devices, their apps, and the cloud or other areas where IoT might store data? How do you determine what's relevant and help investigators or operational personnel to see where the data fits into the larger context of their efforts?
Bio: Jessica Hyde has experience performing computer and mobile device forensics in both the commercial and government sectors. Jessica has 14 years’ technical experience and holds an MS in Computer Forensics from George Mason University. She is the Director of Forensics for Magnet Forensics (USA) and an Adjunct Professor at George Mason University where she teaches Mobile Forensics.
Transcript [en]

Good afternoon, everyone. If you are interested in learning about IoT forensics, you are in the right space, so good. All right, let's get started. I am loud and I am short, so I'm gonna stand over here, rock out. All right, so just so you know who I am, who's this person standing in front of you: my name is Jessica Hyde. I have two jobs. I'm Director of Forensics at Magnet Forensics; that means I work with a product and development team and do a lot of research to help ensure the forensic goodness of the tools that we put out. And I also teach mobile device forensics at George Mason University, where I did my MS, and prior to that I

worked in, as Mr. Matt Mitchell described in the keynote, the gummy square, so mostly as a contractor and then as a professional doing digital forensics investigations. All right, so I always was told, so I was in the Marine Corps, forgot to mention that, and I was at least a couple people you're gonna tell them and tell them and told you but wrong with you, it's a good way to do this, so we'll do that. So today we're gonna talk about IoT. I'm gonna give you kind of some definition-y stuff of IoT; it's the boring stuff, right? Then we're going to talk about why we care about it, then we're actually going to get into the

categories where we find the data, and then we're going to dig deep into three areas: we're gonna talk about a wearable, we're gonna talk about a smart home device, and we're going to go ahead and talk about some data that comes from vehicles, and then we'll wrap it up. It's a lot of stuff, so get ready: 140 slides, 50 minutes. Ready? Let's go. All right, so we like to start at the end. What? No, because I told you I was going to tell you what I told you, it's that the slide you might see it again. So first of all, IoT is imperative in your investigations. Why? Because it is now going to be a big part of

what we do. If you don't look at IoT, you're not going to get the full picture, because if it's ubiquitous, you'll see in a moment why. Without analyzing IoT, we won't know the full story. And as we run into more areas where you run into a Christian because of the gentleman who did the IoT security front are going to cross that these devices are horrible as far as security, which means most of the data is easy to get: databases, clear text, and we love that, so we're gonna exploit that. Number and more and more often IoT devices are going to be our thoughts back, they're also coming to be a witness, they also an instance a bond that can

get a victory, so we have to think about IoT and all brandy Browns. So what is the IoT, and what is the Internet of Things, as we say it? Well, there are these horrible definitions you can get in places; they tell you that it's all of these physical devices that are connected together in networks. I actually like this definition, which is nice and shortened, to say a network of Internet and that object people to collect and exchange data using embedded sensors. The embedded part is important. But if you think about it, this definition actually goes back 34 years, to Peter T. Lewis, who was speaking to the Congressional Black Caucus Foundation, you know it's a promise, and he stated

that the Internet of Things, or IoT, is the integration of people, processes and technology with connectable devices and sensors to enable remote monitoring, status, manipulation and evaluation of trends of such devices. "What I'm calling the Internet of Things will be far reaching." And the whole reason I bring that up to you: it's holy crap, somebody in Congress actually knew what they were talking about in terms of technology. Why do we care? By 2020, 7.6 billion people and 50 billion devices; that's 6.58 devices per person. Okay, that means it's not just your phone and your computer anymore, right? If you look at these estimates, these estimates range all the way up to 75 billion devices by

2020, to one trillion by 2015. We did not get that, but you can see some of these estimations are crazy; they're all over the place. And by the way, a few slides are available because these ones are full of work. Where are the technology vendors? What have they actually shipped? What do we know exists? 78.1 million wearables in 2015. 78.1 million, it's insane, right? 2020, two years from now, we anticipate 5.1 connected devices per person, so you will have five devices. How many of you in here have five devices with you right now? I do. You've got a watch, you've got a laptop, you've got a smartphone, you've got a tablet, you've got an e-reader, wearing smart clothes,

it's got it got knobs on the rim, right? How many of you have an IoT device on you right now? I'd say that about 60% of the room just put their hands up. Time importances, and we're a little bit more of a techy group, so we're more likely to have these, but we're also the most security-conscious room, so maybe we should've made 45% of consumer in 2016 that they own dependence and 27% of smartwatch 12 four times smart clothing. Man, until I started doing this research I didn't know there was such a thing as smart clothing. My husband wishes smart clothing was clothes that washed itself; unfortunately it's not, but it's clothes it actually can give you

feedback; a lot of things have to do with heart rate and athletic performance clip. By 2020, more than half of businesses say that they will have IT systems incorporated in their business, so this is going into the enterprise architecture whether you like it or not. And so when we're talking about the spending on these devices in terms of what businesses are expecting, 25 percent of enterprise attacks are estimated to be relevant to IoT devices. Why? Because security sucks. So if they're going to be in the workspace and the security hasn't been worked out, there's a really, really high risk factor there; we need to be aware of it. And it's also an issue in the home. There's a variety

of reasons that people utilize these devices, and it covers everything from security and safety to resource management, such as your smart thermostat, the indoor convenience, which is the one I love, etc. And what happens now is they also have to consider all of these commercial applications, because it's not just your smartwatch and your electric speaker, your Google Home; it's a smart city and the grid, it's the logistics for shipping companies as they're shipping containers around the world and then they can monitor that flow, it's the smart city with the traffic lights and they're timed based on how many vehicles are coming up and forth. Am I killing you? I'm sound, I am getting corrected. I'm joking, I know you don't

need me to talk louder; that's not something I've ever been told before, so this is a first for me. All right, so as IoT becomes more relevant, the enterprise is actually going to be the largest target. So just a mix in here: how many of you are actually working on enterprise systems, care about companies from security? Okay, a great deal of you. How many of you are looking at personal consumer devices? Okay, great. So let's talk about the different areas where we can run into IoT devices, because there are some major categories and you might not even think of everything that's connected. So the first category I like to address, just because it's the scariest, and I am not hacking any of

these for you guys because that would be bad, is biometric, because biometrics can include everything from heart monitors to insulin pumps to biochip transponders on farm animals to actually track your livestock. There's actually even some biometrics that are done on clamps, right? And is this actually used in investigations? Yes. This gentleman, as it turns out, committed arson on his own house for insurance fraud. His claim was that he had actually jumped out; once the house caught on fire he packed a bunch of suitcases really quickly and then he broke a window and jumped out the window, because he had all his important stuff still. Well, after analyzing the actual heart monitor and his physician looking

at it, they said there is no way that his heart rate showed that level of exertion, that he packed all that stuff and jumped out. His heart rate was not indicative of somebody who had been caught by surprise by a fire, and because of his medical condition there was no way that he could have possibly packed all that stuff in that period of time. So that $400,000 claim, out the window. Guy was committing fraud, right? All right, wearables. Now this is something we're used to. Bolded, that means I'm gonna talk about it; we're gonna go into some data. So you've got everything from your smartwatches like your Pebble and your Apple

Watch to your fitness gear, and I swear we're going to talk about some cases with that too and look at some data. Then we've got things that go. You guys are familiar with this: this is your entertainment system, your connections to your car. These can be remote, these can be aftermarket; it can also be your automobile's built-in sensors that help it park, that help it self-drive. This can also include things like drones; this can also include autopilot features on the aircraft. Okay, all of these things are connected; that's scary. The smart home, which is what people are becoming more and more familiar with and one of the areas where we're increasing rapidly in use, can

include everything from home speakers like the Amazon Echo, which I'm going to dig into the data with you guys and talk about it from physical acquisition, cloud and app, it's great to do, Google Home, to home automation where I tell my lights to go on. I'm testing a lot of IoT things; I'm actually working on an IoT forensics book. I currently have three different vacuums and three different speaker systems in my house. My husband's happy because the house is actually clean. The appliances like washer, dryers, refrigerators and oven. And then there's the scary stuff; it's the other category, right? We've got things that help firefighters in search and rescue missions to be able to be identified and

found, we have DNA analysis that's being done, and we have smart cities with these grids. It gets pretty scary, and there's more. So where do you find the data? Now I get to talk about data; that's what I like. All right, three primary sources for data you're gonna find. You're gonna find data on the device itself; warning, it's not much, the data storage on the device is small. Then you're gonna find data in any associated applications; this will be the mobile phone app that's controlling the device. And then you're going to find data in the cloud. The cloud's the big momma, man; the cloud is where the data is that you want. Why do we care about this? Because of the

artifacts, because of what we're gonna find; it's residual. Let's go ahead and start with these wearables. So first we're gonna talk about, I'm gonna do one in each category, so we're gonna talk about Fitbit, and I chose Fitbit actually for a reason, because there's some good cases. But as you guys know, they have been around for about 11 years, so they've been around for a while. They recently acquired Pebble, so that was kind of interesting because I love the hardware for Pebble, but they only acquired the software, and I've actually done some Pebble analysis as well. In 2011 they actually were criticized for their activity system settings sharing too much information; they wouldn't fix them, but one of the

interesting notes here you may see is that some users were upset because they were putting in their sexual activity as physical activity for tracking and monitoring their health and calories burned, and that information was made public and available. So what about when we're using this in investigations? So I've got two cases here that are interesting. So in this first case, back in 2015, a woman had said that she was staying at a house, a friend's house, and that while she was sleeping someone came in and she was raped and the house was trashed. This was actually a false claim, and I think it's important to talk about how data can be used not only to find criminal

activity but to exonerate innocent people, because this data can help in both situations. And from an exonerating innocent people: she had accused someone of rape. Well, she said she was sleeping and someone came in; the actual Fitbit activity proved that she was up and walking around and she was actually trashing the house and creating the scene, and then and up until the point where she actually called an incident. On another side, there is actually a murder trial that went to trial last month, so this is super recent. This was in Wisconsin, and what happened here was this guy was accused of murder of this woman, and his claim was that the husband had actually forced him at gunpoint

to kill her and bring her to the farm and everything else he did. The husband claimed to be asleep, and he was wearing his Fitbit, and his Fitbit actually told the story that he was asleep and that he had gotten up between 4:00 and 4:30 to go use the restroom, and actually you'll see why it's only a 4:00 to 4:30 window that I'm saying initially when we talk about the data here in a second. And that was actually used in court too, and the first gentleman who was accused of murder actually did get sentenced last month for this, and the other gentleman got off and was exonerated because he was actually sleeping at the time and

the Fitbit proved it. And actually the important thing about him getting up and going to the bathroom was proof that he was actually wearing it, because it did register the activity. Also, the total cumulative number of steps that he had taken during the period of time while the watch was being worn was not enough for him to have traveled the distance that was actually utilized in the investigation. So let's talk about some data. All right, so the first thing you're gonna get out of Fitbit, and this is actually looking at the application data in this particular instance, you're actually going to get the full name, birthday and profile image. Now, what you might wonder about, why do I really care

about this information, is because it gives some specific information about how the person identifies themselves, so everything from their gender to their height to their weight. The walking stride and running stride is actually calculated both based off of those user inputs, but they can be utilized then too; that's how the steps are calculated. You also can get their picture, what they self-identified with, with their picture. Now you also get that user ID. In the instance of the case I was just referencing that happened, Fitbit was actually queried and they were served with a warrant and they responded back with data. They gave a spreadsheet, and that spreadsheet, actually they gave information that confirmed the

analysis from the app but additionally actually gave things in a better increment. So the stride length is calculated based on a gender and height that the user entered. So the steps, and in this instance I told you the steps were utilized, you'll see that the steps are arranged in a fifteen-minute increment window, so it's how many steps you took within 15 minutes, and here you see, so you get that start time and end time. This is why we know that he went to the bathroom between 4:00 and 4:30, because there were steps that were registered between 4 a.m. and 4:15 a.m. and then 4:15 a.m. and 4:30 a.m. So how can this help? Just as we spoke to,

this shows a level of activity, and this is actually what was used in both the false rape case as well as presents lack of movement during a crime is what indicated that that gentleman who was accused of a murder did not commit it. Floors climbed: this is interesting because you get floors climbed, but only for an entire day, so you don't actually get this broken down into more precise increments. That's what it's based on, but it does indicate your overall activity for a period of time over a day, and you can use this for pattern of life analysis. So heart rate: now we already learned how heart rate was used with a pacemaker to register level of

activity, but you can actually get periodic heart rates, and you get those in 5-minute increments, so this can really show the level of activity of somebody as well as if they were exerting themselves, which can be helpful especially if graphed over the period of time of an incident, so was there a spike in a specific amount of time. And I am NOT a doctor, so you would not want to testify as to intent or what somebody may or may not be doing, but giving that information to someone who can testify to that is critical. Sleep is also monitored by some of these, but it's actually kind of a gray area. You see that time awake, time in bed, time asleep;

there's some debate about how those are calculated, and this doesn't pertain to how much time you went to bed and stayed in bed; this pertains to more of looking at things like sleep apnea. So there's a lot of debate as to what this data actually means, but it can be a useful indicator in cases like the false rape case, because this actual data was used to show that she was not sleeping, and it can place someone in their bed around a specific time, but remember there's some questions regarding that data. All right, now we're going to talk about my favorite one, the smart home. So we're gonna talk about what I like to call the Amazon Echo system. Get it? Echo system.

All right, so the Alexa app actually was released in 2014, but what's really interesting is Amazon spent four years on this. I will preface this: I did a lot of work with Brian Moran on the research on Amazon, of BriMor Labs, and we wound up finding some vulnerabilities. If you're interested in this, there's a reference in the slides that tells you where we talk about the vulnerabilities, and we did some reach back when they released a new feature, specifically the calling and messaging feature. This was particularly scary to me, because they spent four years on this one and they obviously did not spend four years before releasing the Amazon Echo Show, which had a camera and calling and

dropping in and all kinds of other scary stuff. So the smart speaker is controlled whenever you say the wake word, Alexa, whatever, whichever one you set it to; there's three. It's available US, UK and Germany. Anybody wonder why it's not available in Canada? Anybody know? Because it doesn't speak French, and Canadians have a rule that you can't bring the product in. It's actually really interesting. And it's running Fire OS. So there I found it really interesting because they actually want to, so now we've got some ones that have cameras and video, and they're great in the kitchen for recipes, but they're really scary. But what's really scary about the smart speaker ecosystem is

you're not just limited to what Amazon built. There are these apps that you can build; they're called skills in this universe, and you can see here that there were over 7,000 in January 2017. Guess how Amazon gets people to build apps so quickly? All right, so I used to live in DC Metro; they actually have classes where they teach you how to code apps, and if you go to the class and submit an app by the end of the class you get a free Echo, and they do this all over the place, so they're actually funding development of new apps. Now, if you're learning to write the application, and they say you don't

ever have to have written any code before, if you're learning to write the application and you leave with an application in under two hours, how secure do you think that app is? Exactly right. And then I'm sure you've all heard about this: in London there was an ad that ran that said "Alexa, get me a dollhouse," and hundreds of Alexas queried the web and began to order dollhouses. So they can be pretty interesting, but from a crime perspective, Amazon Alexa devices have actually been used in murders, and I will state that I've been requested to provide information as to how to obtain data from Amazon Alexas in at least four police matters, at least four. So if

you're thinking that these things aren't happening in crimes, they are. There was actually a murder; somebody died in a hot tub and an Alexa was in the house, and there was reason to believe that the Alexa had data of interest, and so Amazon was served a warrant, and this is a really important thing: Amazon refused to give over the data. Okay, Fitbit gave over data, we talked about that. So now it becomes even more important to figure out how we can get that data forensically if needed in cases. So we can get the data from three different places, and we're gonna get different types of data: we can go into the hardware, we can go into the mobile

app, and we can go into the cloud. All right, and what you guys don't know about me is that I'm bi bi pending, I used to be an electrical engineer, and I like hardware attacks, so I took these things apart for fun. And what you first get is you've got a 4 gigabyte ein and ultra flash memory on the tall Echo, the first device I took apart, and you can actually create an ISP pinout. It's got these beautiful big test points on it, so you can go ahead and solder directly to these and you can pull the data without taking a chip off. Score! Non-destructive methodology, yes. All right, the Echo Dot Mini, the Echo Dot, which is

a miniature one; it's not called an Echo Dot Mini, the Home, it's called a Mini, so excuse my vernacular. That, I actually took apart two of these, because there's two different gens and they actually had a different chip, and there's no data sheets on these chips, which made this a little bit more challenging. I'm not going to get exactly into that. I assumed they were eMMC, as I went ahead, took them off, looked at the BGA, figured it out. Then once I took one off, I went ahead and wrote the pinout for this, and this is a little bit more of a pain; you see how they're all clustered together and small, and we've got our five pins. So for those

of you who are not familiar with doing ISPs, you need your VCC voltage, your VCCQ, your data in/out, your clock and your command signals. You solder to those five points, you connect it to a flasher box, you can pull data, four gigs. Oh, but you need 40,000 Swire to connect to those, which is very, very tiny; it's like hair wire. I actually had to buy myself a better soldering iron. I was actually stoked about it; I love my job, you see now. But I was able to easily pull that data, and what did I get? Well, I know a lot about what kind of recordings Amazon's gonna have in the future, in what languages it's going to

support in the future. Wasn't much user data there, to be honest, but I got what I needed: I got my Wi-Fi connections and I got my registration information, and see that user ID string? I know you can't see it, don't worry, I've got bigger pictures of what that user ID string looks like. I got first name, full name and device name, and actually on one case that I helped a PD with, this was actually enough information for them to do what they needed to do, it between those two fields, so that was actually pretty cool. The Echo maintains one 60-second recording; the last 60-second recording has been through all the data. So rule number one:

if you go to a collection scene and you believe that that Amazon may have been critical in the investigation, whatever you do, whatever you do, do not say the wake word. Do not say, "Oh look, there's an Amazon Echo, it runs Alexa," because now you just said all three wake words. So do not say Amazon, Alexa, Echo, because guess what the last recording is going to be? You, and have fun explaining that. Oh yeah, it's fine, it's not volatile, yeah. This is an eMMC chip; an eMMC at the end of the day is an SD card, and eMMC can actually put on an adapter that you read through an SD card slot just

like and put through a write blocker if you take it off the board. Pretty cool stuff there. There are devices that have volatile memory; this is not one of them. So let's talk about the app. Okay, Chuck. So now we go to the app. The app goes ahead and gives you user info. Remember I told you that string is important? See that customer ID? This is the mamma-jamma, because this is what we're gonna use to get cloud data. I told you Amazon is not going to give you data, so don't think that's going to help you, but at least now you can tie it to a device, and if there were multiple accounts on that device, I've

done testing with multiple accounts, you'll get those multiples. Now, how this is gonna help you: you're gonna get the basic user info that you might be able to use for a search warrant or subpoena, but good luck. Alexa tasks: now you can parse all of this straight off the phone; these are all in SQLite databases, nice and easy. It's going to give you all of the requests that were made to Alexa. From here you can see things it was asked, right, and you can set tasks for specific times, so you can see the last time it was updated, you can see created times. I love anything that gives me timestamps. What you also see here is a resource URL.

Anybody notice anything in that resource URL? That user ID pivots in there. Okay, this URL, if you pop this into a web browser, guess what? You pop that resource URL into a web browser, you get the actual recording, but Shane that's where they're stored; they're in the cloud. Now, you will have to put in the credentials, but I'm gonna teach you some secrets. So there you go, you've got to put in the credential. Going on, how this could help you: you've got great in photons hats hats and you get the user dictated recording. Now I will tell you, these devices, all the smart speakers I've looked at, they are notoriously bad at recognizing some

voices, some accents, etc., so they sometimes mistake the word, so if you are using critical data that was something that was spoken, you may want to verify with the recording. Yeah, it keeps the recording from the second the wake word is said; it keeps the entire 60 seconds. So if someone breaks into your house, please say "Alexa" if you have one of these devices in your home. So you're gonna get your audio tech. Same thing with the Google Home: it will start recording when you say the wake word. We won't talk about Linney's things start recording when you don't say wake word; that's a whole other scary incident that we're not gonna discuss. Um, so you

can also get your audio activity, and you get a resource URL for that. Again, you're gonna get timestamps, you're getting task types, and you've got that link for the cloud so you can pull that data down. Cached audio: how many audio recordings are left on the device, on the app? How many do you think? One. So you get the last sixty-second recording; it's also synced there, so if you don't have the device and you only have the phone, or you can only get into the phone, maybe you don't have, that's okay, you're gonna get the sixty-second recording here. Here is the path to it, and boom, you can play it. It's a sound, it's an mp3 note starts

away if I lied there's a day that's a WAV file, because it doesn't actually give you an extension, so just export it out, call it a WAV file and you'll be good, and poof, it'll play. All right, out in the cloud. So again, Amazon has the right to change it whenever they want. For each category there's a certain number of messages that are saved, a certain number of recordings; it varies by category. Most of them are a hundred or a thousand; they like these in numbers. I don't recall, I have in my notes every single category exactly how many, but I don't recall off the top of my head. So we did our testing with devices that have

been running for two years, so we had plenty of data, as well as new devices we are breaking. So if you go to account data, you will see that that string, remember that URL, it's important, right? Now I'm going to tell you something that I just discovered two weeks ago: you do not need the device already asked to pull that string anymore. Amazon did something new in the web Amazon regular application. If you go onto your computer and you log into your account, your personal account, and you go to your profile, there is now a place to go look up, if you go to your profile, anyone else in the universe by first name, last name.

When you type in their first name, last name, it brings you to a link with their profile. Nobody has set up these profiles unless they really link them to wish lists already; you'll get a fake, you know, like just like head that isn't anything, but guess what's in that URL bar? That string. So now you take that string, even if you don't have the device to pull any of the stuff I told you. Here, your cloud data URLs: go ahead, you take that string, put it into any one of these, replace that string, you will get all of the calling and messaging, so you will get the full call outs that we used for the

calling and messaging service, you look at all of the contacts, you will get all the devices attached, you will get the Wi-Fi configs, I can go on and on. When you pull this data down, you are going to get a JSON file. Mark McKinnon, thank you, Mark McKinnon: he went ahead and wrote actually an Autopsy plugin, if any of you use Autopsy; it's an open source free forensics tool, and it'll go ahead and parse this, so you're welcome to use that parser. We also did a lot of work on Kasa, which is one of the skills; it can be used with some Kasa IoT devices. It will parse the stuff from those apps and stuff you get

from the cloud as well. I mentioned there were some major security flaws with Amazon; if you are really interested in that stuff, please go check it out. This is what you're going to get if you run: you're gonna get elect to index card entries, groups, math data, storage, accounts; we basically pulled everything and parsed it. If you want to know about those vulnerabilities, please check out these presentations, specifically the fans one; we went in depth on the vulnerabilities that we found and reported to Amazon and to Kasa. Since this is a security group, I will let you know that Kasa, or TP-Link, TP-Link makes the Kasa app, TP-Link now has somebody working in security, and they were

fantastic and responsive, they were wonderful. They actually now send me all their devices ahead of time to beta test, which I love; it's great, more free devices to go ahead and do forensics on. Amazon was also fantastic. We notified them of a couple of vulnerabilities: one they had patched by 7:00 a.m. the next morning after a 5 p.m. notification; the other one they did patch and update the day that we gave our presentation. They knew that that was kind of their drop-dead date on it. And I mention this to you for one other important reason, is if in your research you're coming across vulnerabilities, I'm not a vulnerability researcher, I'm a forensicator, I still

find vulnerabilities please use responsible disclosure please inform these organizations and give them the opportunity to fix and correct their issues and who knows you may spawn a company who's got small IOT devices to go ahead and actually hire somebody for security and start addressing that in their products oh they're completely aware of the fact in that to them so I actually met with their head of security who's fantastic and to them that is a not a security flaw because you still need to put in the credentials you still you need username and password I'm sorry no you need user name and password to get that data just like I said whenever you put in any of those resource URLs

you need the username and password you do need the users credentials so you do need their username and password so that is not a security flaw the other stuff we found that was completely different please feel free to check those things out things that go things that go alright so we're gonna look at OnStar so for those of you who aren't familiar with OnStar um it's actually been on devices since 1996 that's quite some time obviously it's part if they're I'm sorry it's in Michigan and it's a subsidiary of GM so this is on most new GM vehicles in many instances you get it for the first year for free it's available in several countries United States Canada

China Mexico Europe almost all of Europe Brazil and Argentina so pretty big global footprint there are some other versions Opel star in Western Europe and Chevy star in Latin America the data that should be pulled from those are similar in 2011 OnStar said they had more than six million customers that's a lot of data points on vehicle data right and they also have an aftermarket product so it's not just Chevy's and GM products it may have this it can be anyone who installs installs the aftermarket mirror which gives them OnStar capabilities and there actually has been some hacks into some OnStar things and what's great is again a good company who responded so in 2015

OwnStar was introduced and that actually allowed OnStar drivers' cars to be opened unlocked etc using a man-in-the-middle and they can even start the vehicle you can actually kill someone like that right think about it no no it's over the sim so so so any device that uses OnStar actually has an additional SIM card in it and it's a separate sim that's being used to transmit data so they actually pretty quickly responded so July 30th OwnStar was publicized by August 11th General Motors had released an update that went out to every system and it patched it and I want to bring up again that companies do sometimes respond and I'm only talking about the ones that respond

positively alright so you're gonna get your account information now this is critical because you've got the account key and the account number and that time that it was set up but should get the VIN isn't it nice to know the VIN of somebody's vehicle just after getting their mobile phone so now if you were stopped and there is a reasonable cause and there is a warrant and your phone is examined now someone actually has the VIN of your vehicle and if they say there's a police department or a law enforcement agency obviously they can go to the DMV and find your car now that's kind of interesting so again you can use that account info the time stamps might be

relevant as to when you set it up but the VIN is the key here because it's going to provide you information about something that might not be known hot spots oh great so how many of you use your vehicle as a hot spot well if you do the password the hot spot and the created time and the last updated time along with the VIN because why not include the VIN on every single piece of this data it's there in every single one it's gonna be there it is a unique number and it's such a good unique number ah then you've got OnStar remote link here so these Wi-Fi hotspots now can provide location related information these passwords might

have been used other places I'm a password junkie I love them recent location searches oh look now I know where you searched I know the actual destination address that you put into your infotainment system boom there it is and I know if it's sent you the navigation route or not I don't know if you drove it but I know at this point that you got it so you've got destination information you've got time stamps you know where somebody wanted to go this can help me with a pattern of life especially if you're going to the same place over and over and you know what if you need nav it's probably not your work or your house

unless you're trying to avoid traffic so let's uh let's step back because we do do traffic routing so remote commands so what's great about remote commands is if you interpret these commands yeah you guys get it so you can get the requested command as far as lock that lock door send alert but those ones such as lock door and start vehicle these can be critical in examination you can also tell when this command was sent by the user versus when it was sent by the system so it's time date stamp and the events themselves can be very useful if somebody says they did not get in their vehicle that day they stayed at the house all day and you have their vehicle

starting and them getting in OwnStar was patched it was probably them hey all right places of interest so you can actually put in your places of interest places you normally go are any of my Waterloo friends in here yes look Waterloo data-score alright so here are some addresses in Waterloo you get the addresses URL from the nav you get the actual latitude and longitude boom Bob's your uncle there you go all right how can this help again this is location information geo is golden investigations gives you new places to look it could provide insight on a target wireless carrier information remember how I told you that there's a separate sim pretty answer guess what

here's its information and just because of the way laws are in the u.s. you can request this information from the carrier so a PMP then can be requested to actually provide the data of all of the times that there was pinged out and you'll get basically the equivalent of a call data record which includes tower information so you can potentially geo locate where a vehicle have been at specific time so there is basically so there it is a subpoena target vehicle diagnostics I can know if you need to change your oil no that's not important okay what what does matter is it's not just the kind of Diagnostics you think because it includes your trip odometer as

well as your odometer so you can actually see how long or how many miles have been on a vehicle and it does give you the last updated time so you are getting actual information that relates to when a vehicle was used so this can actually potentially help you know how much the vehicle was in use not anything super critical but it might be helpful all right vehicle info so this is actually more than just the VIN it actually tells you the vehicle make and model and gives you the phone number and the account ID for the user so this might be interesting for actually going ahead and identifying the vehicle even more because now you don't just have a VIN if

you don't have records to do lookups you can say oh I know now that it's a Cadillac 85 it's a 2015 I can go ahead and target those vehicles especially if you're not a police department and you're looking at the stuff so if you're a private investigator doing some other information but you can actually correlate now a person to a vehicle any questions so far oh yeah no I mean I could go in pull my phone change the data push it back to the phone oh I'm sorry he asked if any of that information was user modified and it's not not from a user interface not easily yes okay so the question is about data that's coming from traditional

phone usage presumably call data records being requested from the carriers and that data being sometimes misrepresented by attorneys in the court of law and are there things we can do well I would say that tower data in itself is less reliable because there's actual codes and influence and it depends what sector and it's actually pretty complex to map out call data record data so the real answer is that somebody should have a computer forensics examiner on the defense so that they can actually look at and interpret that data correctly so as somebody who works for it for if you're working on the defense side you should be advising or finding a computer forensics expert to look at that data if

that is the issue and the other point is it's even if you don't do that that data can be well you'd still need a computer forensics expert but that data if they do have applications like this on their device or even if they don't because there's tons of location data that comes off of phones in lots of different apps anything from your weather app to applications that serve you ads because people know that ads are geofenced now so a lot of these applications on your phone that allow other tools to serve up ads will actually track your geolocation and those things can be then used to prove or disprove or corroborate us call data record data

yes in the back take the sim out the question was can you find a way to disable send armed answer and there are two ways don't pay your bill or pull up a sim and I don't know if not paying your bill actually works I was joking huh so Wi-Fi will keep broadcasting but it is a separate sim so if you pull that separate sim you should you should be okay so pull the separates so the point that was just brought up this gentleman does a lot of wardriving and he mentioned the fact that he can sit in intersection and get 300 cars wrap very quickly that are broadcasting their Wi-Fi MAC addresses absolutely absolutely if you have multiple

locations you can then track where that MAC address is being picked up again so let's talk about some considerations here typically less information is stored on a device I have looked at lots of physical devices pull the data from them your actual locations where you're going to find most of your data is typically the cloud and the mobile application itself oftentimes if you're looking at the physical device and right now I'm talking about considerations with a physical device you are going to need to either JTAG it ISP it or take the chip off how many people do I have so a proficient in those here right zero hands went up I am but I have an

electrical engineering background and this is what I used to do for a living great you can do JTAG and can you and identify points sometimes it's a hard skill depends on the chipset if you're there's a lot of considerations and it's expensive the equipment to do these things are expensive and it's extensive training so it's something to consider when you're looking at the device so the device itself it's not typically your best target to be honest your best target is not going to be the device and what about non-consumer sources where you might not have access we're talking about if we're talking about a watch and we're talking about something in your vehicle that's fine

but if I'm talking about somebody's pacemaker do you think I'm gonna do open chest surgery to go ahead and go ahead and JTAG or ISP that device no so sometimes it is just not feasible to access the device what we're looking about the application there's a lot of things we have to consider one what's it recently synced right that's one two is it the actual device that's controlling it three are there multiple devices that are controlling it and then we run into encryption a lot with mobile phones we actually do not run into encryption really with uh with needs as IOT smart thinks by the way for those of you who are concerned Amazon does encrypt all of

the network traffic I I did pcap all this stuff and Brian actually specifically pcapped that but it is encrypted so you can show a little bit better about that but on actual mobile devices if you don't have pin or passcode you may be stopped for encryption now there's plenty of methodologies bootloader methodologies custom recoveries etc in the mobile device forensics world that you can use but on some devices you will be stopped by encryption so it might not be a viable source and the whole point is is you need to look at the whole system and thing cloud cloud is really interesting because from a technical perspective for most of these things pulling data from

the cloud is not difficult especially if you've got the username and password and let me tell you I love things like Amazon where tells you to use your email because usually I can get their Google credentials and you guys can get credentials a variety of ways right you can ask the user and get consent you can pull the credentials from another device like their computer forensic image you could phish them there's lots of different ways that you could get user credentials depending on what kind of world you're working in but from a legal perspective the laws are not there yet for cloud there are more legal challenges because there is no good precedence right now for cloud then

there is technical challenges things you might have to look into are MLATs okay so agreements between countries as to where if data stored in a different country than where you're doing the assessment from this can be a very large pain because depending on where the device is located you may not be able to get that data at all legally it also could be in the country you are in you are not allowed to get cloud data from a legal perspective for law enforcement things there are some countries where if you recover the data and the device was connected to the cloud and you recover it from that scene at that time it's fine but if you wait till you get back

to the lab you can't there are some countries where it is completely legal to pull cloud data they don't care and then there are countries like in the US where there is no precedent and some jurisdictions are fine with it so if you go to a law enforcement department and let's say Massachusetts because of what Circuit Court they fall under they're probably going to be okay if their search warrant spelled out pulling the data from the cloud source to pull the data try to find an investigator in law enforcement in California who's willing to take that risk they won't it's a different Circuit Court so it's really interesting as I talk to people about their ability to

pull this data from the cloud the first thing I ask them when I'm advising them on how to pull the data say do you legally have access to pull from the cloud and it's really really sticky right now there's also two different ways that you can pull data from the clouds from devices and I know we were speaking about Amazon data with the cloud but there's two primary ways for everything one is tokenized and one is credentials when you use your phone to authenticate something it doesn't always ask you for your username and password that is because there is a token on the device a lot of times you can just borrow that token and reauthenticate

depending on the application some applications require the token to actually also have matching information from the device you can fake that in a VM or in an emulation for many devices not perl but there's also a legal issue with this in some places using token credentials it's considered impersonating the user not impersonating the device so my big statement here that I want you to consider is just because you technically can do something doesn't mean you can do it because you might find yourself in a whole host of hot water and you definitely don't want to ruin something because you touched fruit from the poisonous tree right so there's also a lot of different ways you can access

data so there's everything we were talking about was just pulling data from the cloud and there are even some consumer things that allow you to pull data from the cloud so everybody and people here are familiar with Google and the Google has a cloud are you guys familiar with takeout takeout allows you with your credentials to pull data from your account you still have to parse and figure out that data that's fine is that forensically sound will that meet the needs of your investigation maybe maybe not if they're potentially more information that you can get outside of takeout yes I will tell you something really cool and actually somebody who I who I know in forensics I

feel more out of Australia he actually it's been doing some Google home research and I've been chatting with him about it and just recently takeout did not used to pull the audio recordings from Google home and it now is so it's now storing those and then there's the future and the things we need to worry about right there was a hack where it's Samsung when they first came out with their Smart TVs running anybody know what operating system Smart TVs by Samsung were thrown Tizen they wrote their own operating system oh no it's okay it's an easy one it's got a regular file system it looks very much like Android that's fine and the Galaxy gear

2 and up for the smartwatches run Tizen but the first one actually runs Android there have been major botnet attacks that have been used bringing in anything from your refrigerator to your nanny cam etc and everybody is familiar with this but a hundred thousand everyday consumer devices used in a botnet December 23rd 2013 and January 6 2014 so these go back a while and guess what these flaws are not fixed most of these exploits that were used are still usable and while most homes are not using the Internet of Things yet hackers are prepared for it it is easy it is sad I did want to talk about some interesting things and actually it's kind of you mentioned some of Sarah's

work earlier today Matt regarding IOT toys as well as other types of devices but this is I actually want to call I like to put call-outs the companies that are doing things right and I mentioned that there were ones that weren't helping so forensics bites on November 12th and I reached out to him after he did that he actually reached out to the makers of this cool little IOT dinosaur and asked them how they would handle forensic investigations and they vowed that if they ever received information from a law enforcement agency that they would go over ahead and turn over the records and actually the reason he reached out and asked was because the semaphore was actually pretty secure so

I thought that was great and I just want to call out when I do see note that I'm not calling out hundreds of companies okay so cognitive is actually taking a good stance on both forensics and security and it's kind of that's a weird thing right so I'm a forensics person speaking at a security conference I just want to address it sometimes there's a little bit of differentiation right because guess what when things are less secure that's a win for me in my analysis and in my investigations right I think that there's a balance that needs to be found and we're all exploiting and looking at vulnerabilities yes sure the it the malware it did it not my pants story so

everybody everybody know what not my pants means so the question to repeat the question for those who will be watching the YouTube video of this was do the vulnerabilities leave the opening for somebody to say it wasn't me the malware did it and for those of you who are not so who are familiar with the phrase not my pants this is when you get a pat-down and they pull out some may be a drug out of your pocket you say dude these weren't my pants the reason I use that correlation it's because many times it's similar and the right thing for Justice is to have a digital forensics examiner on both the prosecution and the

defense that's the only way we get just things the truth of it is in all things is you typically don't want to rely on just one data point to prove a case right you want corroborating evidence and so when you say the malware did it my thought is that there is more than one piece of evidence that's going to pull you there so if I've got there's also evidence of malware right so you can actually look for that evidence as well so yes people can go ahead and use that excuse and five years ago that used to hold up in court and now forensics examiners are smarter and they use more corroborating evidence and they actually do look for malware

that may have done what the person claims and typically we're better in that realm alright so in conclusion you guys already know what's on this slide right right so IOT is important because there's a wealth of evidence you can find it's gonna become a bigger part of what we do in forensics without analyzing the IOT data you're probably gonna be missing part of the part of the picture right I didn't put this on the original one but that assists the data system includes the device the application and the cloud in many instances you will need more than one of them to get all of the information and they're going to be our suspect more often so I'd like to take a

moment to open up questions yes sure so the question is if there are HIPAA challenges to using this information and how do you tie it in so in both of the cases that I spoke about they were cases that were being brought up criminally and being looked at in court so in those instances PHI is no longer at issue because you have a warrant and a subpoena signed off by a judge it specifically speaking to US law there are privacy violations if you just start doing this stuff without proper authority and consent you should not be doing that that is illegal as far as corporate analysis when we're talking about Internet of Things you know how

many people are aware that a lot of insurance companies now give deductions for you he thinks physically fit and will issue you a Fitbit and will give you fifty dollars off your insurance so here's a more interesting question can that company who owns that device look at that data I don't know that's a good question for an attorney which I am NOT it is it's a good question right because it's and there's I could get into a whole bunch of precedents and different cases which would actually make it all questionable because there's cases on both sides of that from a mobile phone perspective and I'm happy to discuss that with you and send you some of those citations afterwards as

far as corporate owned devices and if there if there's still a reasonable expectation of privacy for the most part when you talk about your Fourth Amendment applies only for the government so there's a big difference between if the company looks at the data and they provided you the device or if the company gives that data to the government right so it's actually a really interesting area and the answer is my favorite forensics answer which is it depends any other questions Oh perfect yeah thank you [Applause]