Making Sense of the Advanced Encryption Standard

Posted on Tuesday, March 30, 2010 by Peter

I haven’t been able to get any sleep so I thought I’d try to do something productive instead. I’ve an essay due next month and I thought I’d write about encryption, but rather than just give a general overview of how it affects computer forensics I’m going to try to write about something a little more specific – block ciphers.

My thinking behind this is that block ciphers can be used to obfuscate data, but cryptographic hash functions like MD5 and SHA-1 are also built from block cipher components. I’ve done quite a lot of research into hash functions and the MD5 algorithm in particular, but I’ve never actually studied the maths behind modern encryption schemes like AES!

The AES Wikipedia article is a pretty good place to start, but then things move on to heavy mathematical descriptions of cryptanalysis which just go straight over my head! However, stuck at the end of the article is a link to the aptly-named Stick Figure Guide to AES. It’s quite a long read but it’s by far the clearest explanation I’ve seen of the underlying mathematics. There’s even a bit of humour in there too! At the end of the guide (but before the comments) there are links to PDF and Powerpoint versions which might be better for offline reading. In short, it’s brilliant!

Posted in Technology | Tagged , , , | Leave a comment

The Plan

Posted on Wednesday, March 10, 2010 by Peter

I’ve had a few weeks to do some more reading and I think I’ve come up with a rough plan for the project. Well, “plan” may be too strong a word, but at the very least I’ve got a list of objectives.

Disclaimer: This may change significantly before I actually start the project!

  • Acquire the contents of the internal NAND chip

There are a couple of ways I think I can do this. The JTAG method isn’t really an option, as it doesn’t look as if the Wii actually has a JTAG port (I currently don’t have access to a Wii to check for myself). There’s another hardware approach I’m considering, but I’ll leave that until I’ve properly assessed its feasibility. If all else fails there’s a software approach. I read an interesting paper about using a software exploit to dump Xbox memory and I’m fairly confident that could be modified for the Wii, but at this stage a hardware solution is preferable.

  • Write an image back to the NAND

If an image can be written back to the NAND it may provide a sort of “reset button” for doing live analysis work. Obviously, this depends on the process for reading and writing the NAND being forensically sound.

  • Decrypt the NAND image
  • Perform a physical search of the image

All indications so far point to the Wii using AES encryption on the NAND, though the key may well be accessible. Once the image is decrypted I can have at string extraction and the likes.

  • Analysis of the Wii filesystem

This is unlikely, but if everything up to this point goes stunningly well I might take a look at the filesystem. An undocumented, proprietary filesystem is probably a project in itself though!

I’d like to get at least as far as attempting to decrypt the contents of the NAND, but I suppose it’ll depend on how much time the first couple of steps take.

Posted in MSc Project | Tagged , , | Leave a comment

Twitter

Posted on Sunday, March 7, 2010 by Peter

I’ve just posted a message on Twitter, although I’m not entirely sure why. I imagine it’s something to do with boredom or narcissism… or possibly some combination of the two. I’ll give it a go just so long as nobody expects any 140 character pearls of wisdom to come from it.

Posted in General | Tagged , , | Leave a comment

Rome

Posted on Wednesday, March 3, 2010 by Peter

I went to Rome to watch the rugby last weekend. There’s only so much one can see in two days, especially working around the rugby, but we got quite a bit of sight-seeing in.

My brother and I at the Trevi Fountain.

Entrance to the Pantheon.

There are 2 Popes per square kilometre in the Vatican City.

I’d like to go back to see the Colosseum and take a proper look around the Vatican. That might have to wait for a while though.

Posted in Travel | Tagged , , | Leave a comment

SHODAN

Posted on Thursday, February 25, 2010 by Peter

One of the cool things about my forensics course is that interesting people come to the university and talk to us about interesting things to do with forensics and computer security. The most recent “interesting person” to come along and share his wisdom was penetration tester Rory McCune. Most of his presentation was highlighting the use of the Metasploit framework in testing web applications (including a very cool demonstration of SQL injection), but I was most intrigued by something that was only mentioned in passing: SHODAN.

SHODAN is a search engine. A bit like Google, except that SHODAN searches for computers instead of content. Here’s an example from the SHODAN site:

Lets say you want to find servers running the ‘Apache’ web daemon. A simple attempt would be to use:

apache

How about finding only apache servers running version 2.2.3?

apache 2.2.3

You can also narrow down the results using the following search parameters:

  • country:2-letter country code
  • hostname:full or partial host name
  • net:IP range using CIDR notation (ex: 18.7.7.0/24 )
  • os:operating system (ex: Windows)
  • port:21, 22, 23 or 80

It’s been up and running for a few months now but the seminar was the first I’d heard of it. I just need to find the time to play with it now!

Posted in Technology | Tagged , , , | Leave a comment

Thinking about Wii Forensics

Posted on Tuesday, February 16, 2010 by Peter

I had my first semi-official meeting with my MSc project supervisor today. This is probably as good a place as any to keep track of these sorts of things, so here’s a summary of what I’m planning at this point.

I’ve decided to focus on the Nintendo Wii. The placement that I’ve applied for isn’t likely to be confirmed until sometime in April, but so far the signs are good. It’s just a case of wait-and-see at the moment.

There isn’t very much published research relating to forensic analysis of the Wii. In fact I’ve only managed to find one paper dealing specifically with the subject. It proposes a process for live analysis, which would ideally be recorded through screen-capture or an external video camera.

With regards to storage the Wii has an SD-card slot, which might contain something useful, but in any case should be possible to image/analyse in the usual method. The main issue in my mind is the internal flash storage (Unlike the PS3/Xbox, the Wii doesn’t have a hard drive). I’ve been doing some reading about Wii homebrew and Wii/Gamecube linux which might allow direct access to the internal flash, but tend to rely on exploiting a buffer overflow to execute unsigned code. It may well be technically possible, but I have my doubts about it being forensically sound. Another issue I have is that any method of dumping the internal flash through software is at the mercy of Nintendo patching the Wii system software.

This leads me on nicely to a suggestion by my supervisor. If we can get inside the Wii without doing any serious damage (The availability of 3rd party modchips suggests that it’s possible), and if it has the connections to support a JTAG port, and if we can do some low-level magic with said hypothetical JTAG port, it may be possible to dump the internal flash out through a PC parallel port. There are a lot of “ifs” there, but my supervisor had some success with dumping PDA memory though a JTAG port on a previous project. It didn’t work perfectly, but it could be a good place to start.

It’s a little bit scary seeing as my electronics experience only extends to playing with 555 timer chips when I was in school!

However all of this depends on the Wii even having the connections to support JTAG, which though I’m told is likely, is not guaranteed.

Posted in MSc Project | Tagged , , , | Leave a comment

The iProduct

Posted on Wednesday, January 27, 2010 by Peter

It seems that Apple are announcing some sort of “thing” this evening. According to my “Mac Evangelist” (Yes – that’s what he called himself) flatmate, it’s going to fundamentally change computing forever. Or I suppose it could just as easily be an software update. I especially liked the one that enabled copy-and-paste. That really changed everything!

That sounds rather bitter. It’s not that I don’t like Apple. I’m typing this on a Mac Mini, and the iPod Touch is a brilliant piece of kit. I just don’t care! What annoys me is the incessant hype surrounding this thing. Nobody outside of Apple even knows what it is yet!

Someone once joked that Steve Jobs could crap in a white plastic box and the “Evangelists” would queue up to hand over their money. I’m starting to believe that. I guess it shows the strength of Apple’s marketing department though.

Posted in Technology | Tagged , | Leave a comment

More on Avatar

Posted on Tuesday, January 12, 2010 by Peter

I wasn’t all that fond of Avatar. It was without a doubt the most visually impressive thing I’ve ever seen in a cinema, but I wouldn’t want to sit through it again.

Anyway, Jason has evidently been to see it over the last few days. For the most part we have the same opinion of it. However there is one exception. And since Jason hasn’t implemented any sort of commenting feature to his site yet, I’ll have a little rant about it here.

I have various other niggling complaints about the film overall, but we can now come to my biggest one. Unobtainium. Really? Fucking seriously? Unobtainium? Creative genius at work :|

Yes. Unobtainium. It’s a joke. Not a very funny one, but a joke nonetheless. I thought it was fairly obvious, but I have had to explain it to a few people since seeing the film. Perhaps I just read too much science-fiction? It doesn’t matter what the company was mining for. It could just have easily been gold or oil without affecting the plot in any major way.

Actually calling the substance “Unobtainium” might not seem very creative, but the film has far bigger problems than that. For example, I got the impression that the big floating mountains contained quite a lot of this Unobtainium stuff. Why not just mine them rather than fighting the big blue aliens?

Posted in General | Tagged , | 1 Comment

It’s Cold

Posted on Friday, January 8, 2010 by Peter

There’s something about this image that I find really pleasing. Possibly because I’m inside and warm.

From the BBC.

Posted in General | Tagged , , , | Leave a comment

Festive Goings On

Posted on Tuesday, January 5, 2010 by Peter

I sat my dreaded forensic science exam was this afternoon, so I’m getting back to some degree of normality now. It wasn’t terrible, but it wasn’t just quite what I expected. The questions were really quite general, which didn’t suit me particularly well. Still I think I’ve probably done well enough to pass, and if not, at least I know how to test for drugs and body fluids!

I only have one exam this semester, but I have a fairly sizable report due at the end of next week which I need to get working on. There are a few topics to choose from, but I’m leaning toward a comparison of forensic analysis of Windows vs. Linux systems. I had been hoping to do Windows vs. OS X, as OS X is something I’m not so familiar with, but I’d also been hoping to get the report started before Christmas rather than getting bogged down in forensic science revision, so Windows vs. Linux it is!

Another thing I need to start thinking about is my Masters dissertation (assuming that today’s exam was a success, of course!). I had been thinking about proposing an analysis of one of the current-generation game consoles, most likely the PlayStation 3, but only because that’s the console I’m most familiar with. Instead, I’ve applied for a placement with a company who want to investigate the forensic analysis of the Nintendo Wii. It’ll probably be a few weeks yet before I hear anything more about it, but I’m hoping that goes well because it looks really cool!

Anyway, I was back up north for Christmas and across to Edinburgh for New Year’s Eve. I’d never been to Edinburgh over Hogmanay before, but despite being cold the street party was great craic. I wasn’t too sure about the big blue man on New Year’s Day though. Still, it was probably better to do something vaguely cultural than sit in my friend’s flat and watch an entire day of Mythbusters!

Posted in General | Tagged , , | 2 Comments