+ All Categories
Home > Documents > IFIP-WG-11-savoldi

IFIP-WG-11-savoldi

Date post: 30-May-2018
Category:

Documents
Upload: antonio-savoldi
View: 219 times
Download: 0 times
Download Report this document
Share this document with a friend

of 15

Download
Transcript

  • 8/9/2019 IFIP-WG-11-savoldi

    1/15

    FourthAnnualIFIPWG11.9InternationalConferenceonDigitalForensics2730January2008,Kyoto,Japan

    AntonioSavoldiDepartmentofElectronicforAutomation,UniversityofBrescia,Italy

    DATAHIDINGANDRECOVERYONWINCEBASEDHANDHELD

  • 8/9/2019 IFIP-WG-11-savoldi

    2/15

    WinCEbasedhandhelddevices

    WinCEOScharacteristics

    How

    to

    co ect

    t e

    w o e

    memory

    content

    Hardwareandsoftwareapproaches

    Imagingtoolshavebeenused

    ,

    DataHidingandRecoveryinROM/RAM

    2730/01/2008 2IFIPWG11.9DigitalForensicConference

  • 8/9/2019 IFIP-WG-11-savoldi

    3/15

    PortableDigitalAssistant

    Differenttypesofmedia

    ma s,

    users

    con ac s,

    p c ures,

    v eos Differenthardwarecapabilities

    128256MbofRAM

    64

    128

    Mb

    of

    ROM

    (NAND,

    NOR) Manywirelessbuiltincapabilities

    WiFi,Bluetooth,HSDPA,UMTS,GPS

    2730/01/2008 3IFIPWG11.9DigitalForensicConference

  • 8/9/2019 IFIP-WG-11-savoldi

    4/15

    Steganographic techniquesappliedatthe

    Withinimages,audiofiles

    y

    us ng

    e

    s ac

    space RAM(byaddressingarbitraryblocks stealth

    ma waretec n ques

    Covert

    channels

    creation

    Covertstoragechannels

    Coverttimin channels

    2730/01/2008 4IFIPWG11.9DigitalForensicConference

  • 8/9/2019 IFIP-WG-11-savoldi

    5/15

    Supportedbydifferentembeddedprocessors Xscale

    MIPS

    ARM

    Hitachi

    SH

    Usedforsmallscalefactordevices

    RealtimeOS,multitasking,multithreaded

    deterministicinterrupt

    latency

    DifferentWinCEflavors: AutoPC,PocketPC 2000/2002,Mobile2003,5.06.0

    RAM

    is

    divided

    in

    two

    blocks ectstore: eav rtua s

    Programmemory: heapandstackforprograminexecution

    2730/01/2008 5IFIPWG11.9DigitalForensicConference

  • 8/9/2019 IFIP-WG-11-savoldi

    6/15

    WinCE

    deals

    at

    most

    with

    32

    processes,

    each

    one

    .

    Userspace

    2730/01/2008 6IFIPWG11.9DigitalForensicConference

  • 8/9/2019 IFIP-WG-11-savoldi

    7/15

    Howtoaccessthememorycontent?

    CommoninterfacetoaccessaWinCEdevicefrom

    Manipulationofthefilesystem, mountedvolumes

    directaccesstothememorycontent(RAM/ROM)

    2730/01/2008 7IFIPWG11.9DigitalForensicConference

  • 8/9/2019 IFIP-WG-11-savoldi

    8/15

    Physicalacquisition:JTAGinterface,

    Thewholerawcontentcanberecovered

    xpens ve,

    me

    consum ng

    Logicalacquisition:

    EmbeddedOSes provideinterfacestoaccess

    directlythe

    memory

    (Palm,

    WinCE,

    Symbian)

    Integrityproblem:Locards exchangeprinciple

    2730/01/2008 8IFIPWG11.9DigitalForensicConference

  • 8/9/2019 IFIP-WG-11-savoldi

    9/15

    HowtocollectthewholeROMandRAM

    ,

    2002

    Opensourcebundleoftoolsprovidedby xda

    Pmemdump.exevirtual_address block_size

    _ .

    Virtual_address fortheROM=0x80000000

    _ =

    2730/01/2008 9IFIPWG11.9DigitalForensicConference

  • 8/9/2019 IFIP-WG-11-savoldi

    10/15

    Pmemmap.exev

    mapping)

    blockis

    mapped

    to

    the

    corresponding

    physical

    v8000000080400000 pa0100000a05000004096Kbytes

    v8040000082000000

    pa0400000

    02000000

    28672

    Kbytes

    TheentireROM,32Mbytes,canbegathered

    2730/01/2008 10IFIPWG11.9DigitalForensicConference

  • 8/9/2019 IFIP-WG-11-savoldi

    11/15

    v9050000094000000 pa0500000a400000060Mbytes

    v980000009c000000

    p2c000000

    30000000

    64

    Mbytes

    v9c000000a0000000 p3c0000004000000064Mbytes

    vb0500000b4000000 pa0500000a400000060Mbytes

    vbc000000c0000000

    p3c000000

    40000000

    64

    Mbytes

    Experimentallyonlythe60Mbytesblockcanbe

    recovered

    wecan

    address

    onl

    the

    virtual

    memory)

    Itispossibletocarveoutalltheknowndata

    2730/01/2008 11IFIPWG11.9DigitalForensicConference

  • 8/9/2019 IFIP-WG-11-savoldi

    12/15

    Experimentally,itcanbeshownthatabout

    the

    0%of

    the

    binar

    firmware

    is

    em t

    Theslackpart,about40%ofthetotalcapacity,canbeusedascovertchannel

    Utilitiesfor

    re

    flashing

    have

    checksum

    control

    ReverseEngineering >bypassthecontrol

    Quiteeasytoimplement

    Toshiba

    PDA

    E740

    has

    a

    sort

    of

    back

    door Reflash bymeansofstandardprocedureofsoftreset

    Startingthedeviceinreflash mode

    2730/01/2008 12IFIPWG11.9DigitalForensicConference

  • 8/9/2019 IFIP-WG-11-savoldi

    13/15

    Differentstrategiestoallocatearbitrarydataintheslack

    partof

    the

    original

    firmware.

    K

    blocks

    of

    slack

    space,

    p

    blockstoallocate.

    )},,(),...,,,(),,,{(222111 kkktot esnesnesnS =

    Wecan

    allocate

    a

    certain

    file

    splitted

    in

    p

    blocks

    accordingtodifferentscramblingpolicies

    !kk

    =

    )},,(),...,,,(),,,{(222111

    1

    ppp esnesnesnF =

    )()()()(11 FDimFDimibFDim

    p

    ==

    2730/01/2008 13IFIPWG11.9DigitalForensicConference

  • 8/9/2019 IFIP-WG-11-savoldi

    14/15

    DetectionofamodifiedROMimage

    onehasbeengathered

    Datacarvingtechniquestosortoutdatatypes

    Steganalysis methodology

    escram ng ec n ques, a a ngsc emedetection

    2730/01/2008 14IFIPWG11.9DigitalForensicConference

  • 8/9/2019 IFIP-WG-11-savoldi

    15/15

    Collectionatlogicallevelispossiblewiththe

    mentionedtools

    EntireROMandmostoftheRAMcanberecovered

    Datahiding

    is

    possible

    at

    the

    level

    of

    the

    ROMb usin theslacks ace About12Mbover32Mboffirmware

    ,

    Symbian OS,todenythepossibilityof

    2730/01/2008 15IFIPWG11.9DigitalForensicConference


Recommended
CITIciti.di.fct.unl.pt/index_contents/CITI-Report-Jan-08.pdfFMOODS, Coor dina, EALPS, IFIP WG1.3, WG 2.2) Ma in Achiev ements (2003-2006) Novel programming abstr actions and type systems

CITIciti.di.fct.unl.pt/index_contents/CITI-Report-Jan-08.pdfFMOODS, Coor dina, EALPS, IFIP WG1.3, WG 2.2) Ma in Achiev ements (2003-2006) Novel programming abstr actions and type systems

Documents

IFIP WCC 2010, Brisbane, cdk

IFIP WCC 2010, Brisbane, cdk

Education

IFIP Advances in Information and Communication Technology 363 · Engineering Applications of Neural Networks 12thINNSEANN-SIGInternationalConference,EANN2011 and 7th IFIP WG 12.5

IFIP Advances in Information and Communication Technology 363 · Engineering Applications of Neural Networks 12thINNSEANN-SIGInternationalConference,EANN2011 and 7th IFIP WG 12.5

Documents

IFIP SummerSchool2007 boldt

IFIP SummerSchool2007 boldt

Documents

THE PRESENTATION HAS BEEN PRODUCED BY SIMONE GIACCI RICCARDO SAVOLDI SERENA GARGANO.

THE PRESENTATION HAS BEEN PRODUCED BY SIMONE GIACCI RICCARDO SAVOLDI SERENA GARGANO.

Documents

IFIP PROJET

IFIP PROJET

Documents

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,

Documents

IFIP RM Evaluation

IFIP RM Evaluation

Documents

A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida.

A Bipartite Graph Model of Information Flow IFIP WG 2.3, May 2014 Gary T. Leavens (with John L. Singleton) University of Central Florida Orlando Florida.

Documents

News Mar 2011 - Asociación de Técnicos de Informática · Page 2 IFIP News March 2011 Message from the IFIP President Dear IFIP volunteers and all other readers, Since the previous

News Mar 2011 - Asociación de Técnicos de Informática · Page 2 IFIP News March 2011 Message from the IFIP President Dear IFIP volunteers and all other readers, Since the previous

Documents

A Brief History of IFIP WG 8.2 Research

A Brief History of IFIP WG 8.2 Research

Documents

Embedded Forensics: An Ongoing Research on SIM/USIM Cards, Antonio Savoldi

Embedded Forensics: An Ongoing Research on SIM/USIM Cards, Antonio Savoldi

Documents

Ifip wg-galway-

Ifip wg-galway-

Technology

IFIP AICT 414 - Towards a Knowledge-Intensive Framework ......V. Prabhu, M. Taisch, and D. Kiritsis (Eds.): APMS 2013, Part I, IFIP AICT 414, pp. 210–218, 2013. c IFIP International

IFIP AICT 414 - Towards a Knowledge-Intensive Framework ......V. Prabhu, M. Taisch, and D. Kiritsis (Eds.): APMS 2013, Part I, IFIP AICT 414, pp. 210–218, 2013. c IFIP International

Documents

Draft IFIP paper 29 August 2008

Draft IFIP paper 29 August 2008

Business

Polemic tweet - IFIP Interact 2013

Polemic tweet - IFIP Interact 2013

Technology

Savoldi-SIM and USIM File System - A Forensics Perspective

Savoldi-SIM and USIM File System - A Forensics Perspective

Documents

Integrating Human-Centered and Model-Driven Methods in ...€¦ · and Model-Driven Methods in Agile UI Development INTERACT2015 W04: IFIP WG 13.2 Workshop on User Experience and

Integrating Human-Centered and Model-Driven Methods in ...€¦ · and Model-Driven Methods in Agile UI Development INTERACT2015 W04: IFIP WG 13.2 Workshop on User Experience and

Documents