Stark 4N6

Monday, March 23, 2020

Google Pixel Now Playing History
March 23, 2020 0 Comments
Google introduced a baked-in feature called Now Playing with the Pixel 2 and Pixel 2 XL launch in 2017, and it has been included in every Pixel phone release since. It gives you the option to let Google try to recognize the music playing around you. Per Google:
When music plays nearby, your phone compares a few seconds of music to its on-device library to try to recognize the song. This processing happens on your phone and is private to you. - Google Answers
Since this history is stored locally, we get a nice little database full of information. To see what is exposed in the UI, go to:

Settings > Sound > Now Playing

You will see a screen similar to this:
There aren't many switches to play with here other than turning on song info on your lock screen or receiving notifications. From here we can click Now Playing History to view a list of song history going as far back as when the feature was first enabled.
If you click on a single song, you get a list of apps that the song can be streamed from:
Now that we know what can be accessed from the UI, let's take a look at what we have from a forensic perspective via an ADB backup. The file path where this app information can be located is:


The file is a SQLite database with only a few columns. Opening it in DB Browser, we see two tables, only one of which is of real significance: recognition_history.

Timestamp was easily parsed; it is in Unix Epoch format (Alexis Brignoni made a post on this).

history_entry is a Protobuf blob; some useful information is visible just by looking at the hex:
For further analysis we can export the blob from DB Browser and parse it with protoc.exe (thanks for the hint, Joshua Hickman) using the following command:

protoc.exe --decode_raw < samplesong1

Here is the output we get:
As you can see from the markups, I was able to parse out information about each track, including song title, artist, and album. We also see the URL paths to the streaming app locations shown in the UI. With a little help from Sarah Edwards, I was able to parse out the song duration in seconds: it is an 8-byte float stored big-endian.

Track ID and album ID can be used to verify the song/album to some degree; they relate to the Google Play Music store.

The most useful tidbit from this may possibly be at the very top: the timezone of the device when the song was identified by the app. This could put the owner of the device in a rough area during a specific timeframe.

I have yet to determine the usefulness of the rest of the information at this point.

You will see duplicate entries next to each other for songs. That is because Now Playing listens for a small period of time every minute to conserve battery life, continually identifying what it can. If a song is 2+ minutes long, you should see two entries for the one song in a row, each with a different timestamp.
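As an added example (not code from the original post, from Google, or from ALEAPP), here is a small Python script that does what the post describes end to end: it reads recognition_history from the SQLite file, converts the epoch timestamp, walks the history_entry blob with a schema-less protobuf wire-format decoder (the same view protoc --decode_raw gives), reinterprets any 8-byte payload as the big-endian double the post identifies as the song duration, and flags the back-to-back duplicate entries. The database rows, the field numbering inside the blob and all the values are constructed for illustration; the real field numbers are whatever protoc shows you on an actual export.

```python
import sqlite3
import struct
from datetime import datetime, timezone


def read_varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def decode_raw(buf):
    """Schema-less walk of a protobuf message, like protoc --decode_raw: (field_no, wire_type, raw)."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field_no, wire_type = key >> 3, key & 0x07
        if wire_type == 0:                          # varint
            value, pos = read_varint(buf, pos)
        elif wire_type in (1, 5):                   # fixed64 / fixed32
            size = 8 if wire_type == 1 else 4
            value, pos = buf[pos:pos + size], pos + size
        elif wire_type == 2:                        # length-delimited: string, bytes or sub-message
            length, pos = read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        else:
            raise ValueError(f"unsupported wire type {wire_type} at offset {pos}")
        if pos > len(buf):
            raise ValueError("truncated field")
        fields.append((field_no, wire_type, value))
    return fields


def interpret(fields):
    """The post's observations: UTF-8 where it decodes; an 8-byte payload also as a big-endian double."""
    out = []
    for no, wt, val in fields:
        if wt == 0:
            out.append((no, "varint", val))
        elif wt in (1, 5):                          # fixed fields are little-endian per the spec
            out.append((no, f"fixed{len(val) * 8}", int.from_bytes(val, "little")))
        else:
            try:
                out.append((no, "string", val.decode("utf-8")))
            except UnicodeDecodeError:
                out.append((no, "bytes", val.hex()))
            if len(val) == 8:                       # candidate for the duration field
                out.append((no, "big_endian_double", struct.unpack(">d", val)[0]))
    return out


def _varint(n):                                     # protobuf varint encoder (for the sample data)
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def _ld(field_no, data):                            # length-delimited field
    return _varint((field_no << 3) | 2) + _varint(len(data)) + data


def build_sample_entry(title="Sample Song"):
    """Constructed history_entry blob. Field numbers are illustrative, not the real schema."""
    return (_ld(1, b"America/New_York")                              # device timezone (constructed)
            + _ld(2, title.encode()) + _ld(3, b"Sample Artist") + _ld(4, b"Sample Album")
            + _ld(5, struct.pack(">d", 213.5))                       # duration: 8-byte big-endian float
            + _varint((6 << 3) | 0) + _varint(123456789))            # a numeric id, as a varint


def build_sample_db():
    """In-memory stand-in for the Now Playing database (only the two columns discussed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE recognition_history (timestamp INTEGER, history_entry BLOB)")
    con.executemany("INSERT INTO recognition_history VALUES (?, ?)", [
        (1584964800000, build_sample_entry()),                       # 2020-03-23 12:00:00 UTC
        (1584964860000, build_sample_entry()),                       # same song, one minute later
        (1584965100000, build_sample_entry("Other Song"))])
    return con


def epoch_to_utc(ts):
    """Unix epoch in seconds or milliseconds (13-digit values are treated as ms)."""
    return datetime.fromtimestamp(ts / 1000 if ts > 10**11 else ts, tz=timezone.utc)


def dump_history(con):
    """One dict per row; same_as_previous flags the back-to-back re-recognitions of a song."""
    rows = []
    for ts, blob in con.execute("SELECT timestamp, history_entry FROM recognition_history ORDER BY timestamp"):
        fields = interpret(decode_raw(blob))
        title = next(v for no, kind, v in fields if no == 2 and kind == "string")
        rows.append({"utc": epoch_to_utc(ts).isoformat(), "title": title, "fields": fields,
                     "same_as_previous": bool(rows) and rows[-1]["title"] == title})
    return rows


if __name__ == "__main__":
    for row in dump_history(build_sample_db()):
        print(row["utc"], row["title"], "(repeat)" if row["same_as_previous"] else "")
```

To run it against a real export, replace build_sample_db() with sqlite3.connect(path_to_db) and drop the title lookup on field 2 in favour of whichever field number protoc shows holding the title. The 8-byte check in interpret is deliberately a heuristic: an 8-character string would also match, so the double is reported alongside the string/bytes view rather than instead of it.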

Quick as always, Alexis Brignoni turned around a parser for ALEAPP in less than a day, so you can grab that now!

Tuesday, October 8, 2019

10 Free Forensic Tools I Can't Live Without
October 08, 2019 3 Comments

In perusing YouTube I always come across everyday carry lists or GQ's series on 10 things some celebrity can't live without. Here I've compiled a list of free forensic tools that I use constantly for investigations and daily work. I carry all of these tools on a USB drive for quick access when traveling. Let me know your thoughts: what are some of your favorite free tools?

Arsenal Image Mounter
Arsenal Image Mounter is a very useful tool for mounting evidence files so you get direct access to the files inside them, bypassing UAC in certain respects. They continue to push updates to the current beta with new features.

Autopsy
Basis Technology's Autopsy is a completely free forensic suite which can be fully customized with plugins for your parsing needs. You can even add your own Python plugins (I recommend Mark McKinnon's set). It gets updated a few times a year with new features.

DB Browser for SQLite
SQLite databases are everywhere, from web browsers to third-party applications to almost every corner of Android file systems. DB Browser lets you view database structures very easily and even execute custom SQL queries to pull out the information you need.

Eric Zimmerman's Tools
Yes, I'm aware this is multiple tools in one, but there is so much room for automation across the board. You can "set it and forget it" by running multiple collection or parsing modules. Having JLECmd, LECmd, PECmd and MFTECmd working in tandem to get you to meaningful data quickly means everything while triaging.

ExifTool
Phil Harvey's ExifTool pulls out as much metadata as it can from a very large variety of media types. You can even run it over multiple files and have the results piped to files. This is especially useful for images taken with a phone that could contain info such as lat/long.

FTK Imager
It may no longer be the preferred tool for capturing RAM or mounting images, but it is still useful for quick viewing of file systems and forensic images. I still find myself using the command line version to take full disk images in remote situations.

Hindsight
Ryan Benson's Hindsight is one of, if not the, best Chrome forensic parsing tools out there. It pulls out all the relevant info you'd expect and more while throwing it into a nice timeline for you as an export. It also works great for Edge as it transitions to a Chromium-based backend.

SRUM-DUMP
This one is more of the new kid on the block for me; I only learned about the SRUM artifacts last year. There is definitely some excellent information on what application usage is happening on the system and what can be parsed. Some excellent research from Yogesh can be found here. SRUM-DUMP from Mark Baggett is command line but fairly simple to execute (he even has a beta GUI now).

USB Detective
Some of the most common investigations I take part in are "did a person take any documents on a USB drive?" Using USB Detective we can correlate the relevant registry hives as well as setupapi logs and display them in a way that makes sense. Proving that device X was plugged in or mounted at a certain time can provide more evidence of data exfiltration.

Volatility
Are there any other memory forensic tools that you use? Probably not, because Volatility does it so well. I am by no means an expert in this area as I don't do it nearly as often, but it is extremely useful for pulling data that is only memory resident, especially around full disk encryption keys. The V3 beta will be unveiled at OSDFCon.

Tuesday, October 1, 2019

Wake me up when September ends
October 01, 2019 0 Comments

So it's October 1st, the leaves are changing colors and fall is on its way (except for these 90 degree days). It's been quiet on the blog front for the past few months, but summer has been busier than ever.

I didn't get a chance to make it to many summer conferences because of personal time and vacations but I have been working through the OnDemand course for SANS FOR500. I may do another post with some thoughts on it but overall for my first SANS course, I've learned a lot more than I anticipated.

From a research perspective, I am planning on looking at some mobile apps I've been meaning to tear down, as well as a deeper dive on some Shellbag items.

I will be hitting a few fall conferences including BSides Harrisburg, #OSDFCon, and possibly BSides Delaware and Enfuse, hope to see some old and new faces!

Friday, May 3, 2019

My 2019 Forensic 4cast Awards Nominations
May 03, 2019 0 Comments

It's that time of year to get your nominations in for the Forensic 4cast awards. It's the 10th year Lee Whitfield has been doing this, so applaud him for that. Here is who I am nominating:

DFIR Commercial Tool of the Year
While there were a few options here that I like, I have to go with Magnet AXIOM. Beyond being able to do both computer and mobile forensics, they have added memory analysis as well as custom artifacts to the mix to take it to the next level. The consistent updates are a huge plus as well (especially compared to other dated products).

DFIR Non-commercial Tool of the Year
I have three nominations here:
  • EZ Toolkit - Eric Zimmerman is constantly adding new tools and new features to his ever-growing free toolkit; from the likes of MFTECmd to ShellBagsExplorer to TimelineExplorer, you need these in your kit.
  • LRC - If you haven't used Brian Moran's Live Response Collection, it just works.
  • Autopsy - About as full-fledged a forensic GUI as you will get for free, plus there are plenty of Python plugins that can be added to parse even more information.
DFIR Show of the Year
How can you not nominate the Forensic Lunch here? Dave and Matt continue to put out quality content on YouTube a few times a month with excellent guests in the community (shameless plug, I was one of them!).

I'd like to also give a nomination to 13Cubed. Breaking down artifacts in a way that you can understand them better and more simply is pretty awesome.

DFIR Blog of the Year
Dave gets another nod here; his daily blog series and content creation over the past year are tough to beat.

DFIR Degree Program or Training Class of the Year
Another shameless plug, I have to nominate my alma mater Bloomsburg University of PA for this. They have expanded the program so much since I've graduated and continue to teach quality content to foster the next generation of forensicators.

DFIR Newcomer of the Year
Can I nominate myself here? I mean Jessica Hyde did. In all seriousness I'd be grateful and humbled to be nominated.

I'm nominating Justin Boncaldo. I think his research has been fantastic that he's published out on his blog and look forward to what he puts out the rest of 2019.

DFIR Resource of the Year
Two nominations for this one:
  • - Phill Moore rounds up the best of the best each week, and it's my usual reading material come Monday morning.
  • - Brett Shavers continues to add to the site, which now encompasses tool lists, blog lists, news, research, and everything in between.
DFIR Team of the Year
Magnet Forensics: they put out a great product that gets updated constantly to keep pace with the ever-growing demands of forensics, and they take feedback from customers and implement it just as fast. Jad Saliba and the team also have a kick-ass summit, so I've heard...

Digital Forensic Investigator of the Year
There are so many to name here but here's who I'm going with:
  • Sarah Edwards - Her work on APOLLO (and her posts too) shows why she is the go-to person for Apple forensics in my opinion.
  • Phill Moore - From his weekly digest, his monthly podcast, and his own blog, I don't know how he finds time for anything. Kudos.
  • Alexis Brignoni - Blog updates galore for 2018, a GitHub repo full of great SQL queries, as well as UsRT for Android parsing.
So get out there and nominate now, the deadline is May 14th.

Monday, April 15, 2019

CTF on a Budget - Magnet User Summit 2019 (Part 4) - Secret Project
April 15, 2019 0 Comments

I was planning on having this out last week but vacation got in the way (no complaints though). For part 4, we will walk through the Secret Project.

When I originally got the disk image prior to the start of the live CTF, I quickly came across the "EvenMoreSecretStuff.vhd" file. I even got to the point of wanting to try to crack the password, as I couldn't find anything, but gave up until the competition. Little did I know that completing the Mobile section would eventually reveal the BitLocker password for the file, "protectedbyjubjub".

So once I had the password, I knew exactly what it was for and how to move forward during the competition. After unlocking and loading the VHD into FTK Imager, I could see that there were some files in the recycle bin in the "software" folder.


1. Which language was used to create the secret projects executable?
When I originally played, I took a quick stab at this one, assuming it was Python because of the icon on the "exe" file, which ended up being the answer.
2. Which Version - Which version of Python is used for the compiled binary? (format: N.N)
If confirmation was needed for Q1, we can load "at-5000.exe" into PPEE (puppy) and filter strings for python, showing that "python27.dll" was loaded by the executable, answering this one as well: v2.7.

3. Which Compiler Tool - Which tool was used to create the compiled executable?
Running some quick string searches in PPEE for each option, the only one that showed up was PyInstaller, which was indeed the answer.

4. Processor Architecture - What is the Processor Architecture of the compiled binary?
A quick run through of the executable in exiftool and we can see the architecture was AMD64.

This was also confirmed through PPEE.

5. Redial - What number does the at-5000 redial?
As silly as it was at the time, I originally executed the file and let it run to see what it would do. It eventually stops calling and redials 555-8904.

6. Redialed Association - Who is associated with the number that gets redialed?
With some OSINT and Google we can look up the number 555-8904 and, lo and behold, someone has associated every Simpsons phone number with a character. We can find here that it belongs to Ned Flanders.

Now going back through the questions with some extra time to research, some quick Google searching turned up scripts to unpack and decompile the executable. We first unpack using Countercept's python-exe-unpacker. I then searched for a decompiler and came across this article from hasherezade. Using her instructions (as I've never really done much malware analysis), it's easy to add the magic number (8 bytes) to the front of the "at-5000" file that was part of the extraction.

We then add the file extension "pyc" and run it through EasyPythonDecompiler to get the code for the Python script. We see that it indeed runs until it gets to Ned's number.

We can use this code to pull out the information we want for the rest of the questions.

7. Call Time - How much time (in seconds) does the AT-5000 wait between dialing numbers?

Originally, I completely guessed this one correctly, because I knew after executing it that the numbers incremented more quickly than 1 per second. Now, viewing the source code, we see it was 0.01 seconds.

8. Imports - What two libraries does at-5000 import?
Easy, look at the top of the source code and see time and random.

9. Max Calling - What is the max number of calls the AT-5000 can make?
Another easy one now that we have the code: you can see it increments in a range up to 10000000.
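As an added example (not code from the post, from PPEE, exiftool, python-exe-unpacker or hasherezade's article), here is a Python script that answers the architecture, runtime and packer questions programmatically and performs the pyc-header step from her instructions: it reads the COFF Machine field straight from the PE header, searches the file for the strings the post looked up (python27.dll, PyInstaller) plus the cookie magic PyInstaller's bootloader appends to its archive, and prepends the 8-byte Python 2.7 .pyc header to a bare extracted code object. The sample PE is constructed inline and is not a real executable; the cookie bytes and the pyc magic value come from my knowledge of PyInstaller and CPython, not from the post.

```python
import struct

# Machine values from the PE/COFF specification (the field exiftool and PPEE report).
MACHINE_TYPES = {0x014C: "I386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}

# Strings the post searched for in PPEE, plus the cookie magic PyInstaller's bootloader
# writes at the end of the archive it appends to the executable (from PyInstaller, not the post).
MARKERS = {
    "python27.dll": b"python27.dll",
    "PyInstaller": b"PyInstaller",
    "PyInstaller archive cookie": b"MEI\x0c\x0b\x0a\x0b\x0e",
}

# Python 2.7 .pyc header: magic 0x03F3 followed by b"\r\n", then a 4-byte mtime.
# These are the 8 bytes the unpacked code object lacks before a decompiler will read it.
PYC_HEADERS = {"2.7": b"\x03\xf3\r\n" + b"\x00" * 4}


def pe_machine(data):
    """Read the COFF Machine field: MZ header -> e_lfanew -> 'PE\\0\\0' -> Machine."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return MACHINE_TYPES.get(machine, f"unknown(0x{machine:04X})")


def find_markers(data):
    """Names of the runtime/packer strings present anywhere in the file."""
    return [name for name, needle in MARKERS.items() if needle in data]


def add_pyc_header(raw_code_object, version="2.7"):
    """Prepend the pyc magic/mtime header to a bare marshalled code object."""
    if any(raw_code_object.startswith(h[:4]) for h in PYC_HEADERS.values()):
        return raw_code_object                     # already has a header
    return PYC_HEADERS[version] + raw_code_object


def triage(data):
    """Answers to the architecture / runtime / packer questions in one dict."""
    return {"machine": pe_machine(data), "markers": find_markers(data)}


def build_sample_pe():
    """Constructed minimal PE: MZ stub, e_lfanew at 0x3C, PE signature with an AMD64
    Machine field, and a few embedded strings. It is not a real executable."""
    e_lfanew = 0x80
    header = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    coff = b"PE\x00\x00" + struct.pack("<H", 0x8664) + b"\x00" * 18
    strings = b"\x00python27.dll\x00PyInstaller\x00" + MARKERS["PyInstaller archive cookie"]
    return bytes(header) + coff + strings


if __name__ == "__main__":
    print(triage(build_sample_pe()))
```

On a real file, pass open(path, "rb").read() to triage(), and feed the bare code object that the unpacker wrote out to add_pyc_header() before saving it with a .pyc extension for the decompiler. String matches only tell you what the binary carries, not how it was built; the Machine field and the PyInstaller cookie are the two checks that do not depend on a stray string.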

And with that final question, it completes the Magnet User Summit 2019 CTF with 316 points!

Doing the CTF live was an amazing experience, especially to win 1st place. The second go around was just as invigorating as I got to learn so much more than I did before, specifically around network sessions, and as well as decompiling code.

I'm already looking forward to next year's summit and any future CTFs Dave, Matt, and Jessica put on.