smart tv forensics - digital traces on televisions · smart tv forensics - digital traces on...
TRANSCRIPT
![Page 1: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/1.jpg)
DIGITAL FORENSIC RESEARCH CONFERENCE
Smart TV Forensics - Digital Traces On Televisions
By
Abdul Boztas, Remko Riethoven and Mark Roeloffs
Presented At
The Digital Forensic Research Conference
DFRWS 2015 EU Dublin, Ireland (Mar 23rd- 26th)
DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized
the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners
together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working
groups, annual conferences and challenges to help drive the direction of research and development.
http:/dfrws.org
![Page 3: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/3.jpg)
Smart TV Forensics | 25 March 2015
Agenda •The NFI •Introduction •Material and methods •Data acquisition •Data analysis •Future •Conclusion
![Page 4: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/4.jpg)
Smart TV Forensics | 25 March 2015
Introduction
![Page 5: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/5.jpg)
Smart TV Forensics | 25 March 2015
Introduction
Research questions: •Can a Smart TV be a key component in a digital forensic investigation? •Is it possible to acquire data from a Smart TV? •Can a Smart TV contain relevant data?
![Page 6: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/6.jpg)
Smart TV Forensics | 25 March 2015
Material and Methods •Literature study •Selection Smart TV •Data acquisition •Data analysis
•System information and settings •Apps •Web browsing •Photo and multimedia files •External media •Cloud services •Channel information
![Page 7: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/7.jpg)
Smart TV Forensics | 25 March 2015
Data Acquisition: NFI Memory Toolkit
•Chip-off •De-soldering of eMMC chip •Read out with •NFI Memory Toolkit II •This method works on almost all embedded devices, the problem after chip-off is crypto.
![Page 8: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/8.jpg)
Smart TV Forensics | 25 March 2015
Data Acquisition: the Five-Wire Method
• More and more embedded systems use eMMC chips • eMMC is roughly the same as an MMC card • Only three signals + Power Supply required to read • Controller, a disk image is created, no rough copy of NAND
![Page 9: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/9.jpg)
Smart TV Forensics | 25 March 2015
Data Acquisition: the Five-Wire Method
![Page 10: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/10.jpg)
Smart TV Forensics | 25 March 2015
Data Acquisition: the Five-Wire Method Does not work yet. Probably because there are also other chips which start-up and draw current. Can do it with many other devices
![Page 11: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/11.jpg)
Smart TV Forensics | 25 March 2015
Data Acquisition: App
• Smart TVs are ordinary computers • Often work with Linux operating system • Rooting
![Page 12: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/12.jpg)
Smart TV Forensics | 25 March 2015
Data Acquisition: App
•SamyGO forum on the Internet •Many opportunities for "rooting" •Possible to use Smart TV as a BitTorrent client, etc.
![Page 13: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/13.jpg)
Smart TV Forensics | 25 March 2015
Data Acquisition
The Five-Wire Method Quick Method, more research is needed, repeatable Chip-off Takes longer time, repeatability is getting better App Fast method, but does not work on all firmware
![Page 14: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/14.jpg)
Smart TV Forensics | 25 March 2015
Removable Soldered Memory
Test device now equipped with removable media by using a BGA adapter.
13
![Page 15: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/15.jpg)
Smart TV Forensics | 25 March 2015
FILE SYSTEM ANALYSIS
![Page 16: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/16.jpg)
Smart TV Forensics | 25 March 2015
File System Analysis Squashfs
•Read-only •Software of Samsung Open Source Release Center •Adjustment image authentication and compression
Samsung eMMC •Samsung chip oriented file system •Like a BTRFS variant, journaling, snapshotting •Magic ‘1eMMCFS`
Partition redundancy •Some partitions have the same size •Used to reset software
![Page 17: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/17.jpg)
Smart TV Forensics | 25 March 2015
File System Analysis
![Page 18: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/18.jpg)
Smart TV Forensics | 25 March 2015
Data Analysis: System and Network Information •Device name •Connected devices •Network information •Smart functionalities
![Page 19: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/19.jpg)
Smart TV Forensics | 25 March 2015
Data Analysis: System and Network Information •System information:
•Serial number •Model •Brand •Unique ID •etc.
•Network information:
•Information about network name •IP-addresses •Bluetooth devices •MAC-address
![Page 20: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/20.jpg)
Smart TV Forensics | 25 March 2015
Data Analysis: Apps •Facebook •Twitter •YouTube, etc.
![Page 21: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/21.jpg)
Smart TV Forensics | 25 March 2015
Data Analysis: Apps •Name •Date •Screenshots •User related information
![Page 22: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/22.jpg)
Smart TV Forensics | 25 March 2015
Data Analysis: Apps
![Page 23: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/23.jpg)
Smart TV Forensics | 25 March 2015
Data Analysis: Apps
![Page 24: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/24.jpg)
Smart TV Forensics | 25 March 2015
Data Analysis: Web Browsing •Visited websites •Web history •Information about search machines •Bookmarks •Cookies •etc.
![Page 25: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/25.jpg)
Smart TV Forensics | 25 March 2015
Data Analysis: Web Browsing
settings.db located in p24/webkit/WebBrowser.
•SQLite database •Contains 14 tables
Relevant tables:
•FullBrowserHistory: •fullBrowser_HiddenHistory: •fullBrowser_Bookmark: •fullBrowser_Search:
![Page 26: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/26.jpg)
Smart TV Forensics | 25 March 2015
Data Analysis: Web Browsing
![Page 27: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/27.jpg)
Smart TV Forensics | 25 March 2015
Data Analysis: Picture and Multimedia Files •The file .CM.db located in p22 •SQLite database •Contains 20 tables •Information about audio, pictures and video files •When files are opened, played etc.
Relevant tables:
•PhotoTable •MusicTable •VideoTable •FileTable •p22/RecentlyPlayed contains files with .mta extension.
![Page 28: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/28.jpg)
Smart TV Forensics | 25 March 2015
Data Analysis: Picture and Multimedia Files
![Page 29: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/29.jpg)
Smart TV Forensics | 25 March 2015
Data Analysis: External Media Artifacts •Device0013.db located in p22 •SQLite database •Contains one table TABLE_DEVID •Information about USB flash drives
![Page 30: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/30.jpg)
Smart TV Forensics | 25 March 2015
Data Analysis: TV Channels •p16/map-AirA, map-AirD, map-CableA, map-CableD, map-SateD •p22/.EPG.db; SQLite database and contain Electronic Program Guide •Due to time constraints not further investigated
![Page 31: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/31.jpg)
Smart TV Forensics | 25 March 2015
Data Analysis : Cloud services •URL •Pictures •Videos •Username •etc.,
![Page 32: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/32.jpg)
Smart TV Forensics | 25 March 2015
Conclusion •A Smart TV is actually a computer and can be investigated with the same forensic toolset •Acquiring data is possible •A Smart TV can contain relevant data •Relevant information is usually saved in SQLite databases •Malicious users can abuse a Smart TV for viewing child pornography, communication, botnet, etc.
![Page 33: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/33.jpg)
Smart TV Forensics | 25 March 2015
Future
•Further investigation of the five-wire method •Investigate other makes and models Smart TV •Extensive data analysis research •Develop an app for acquiring data •Make memory dump •Analyse network activity
![Page 34: Smart TV Forensics - Digital Traces On Televisions · Smart TV Forensics - Digital Traces On Televisions By Abdul Boztas, Remko Riethoven and Mark Roeloffs Presented At The Digital](https://reader030.vdocuments.site/reader030/viewer/2022041008/5eaedde42f988b017677f64d/html5/thumbnails/34.jpg)
Smart TV Forensics | 25 March 2015
Questions