Category Archives: Piracy

Forensic Focus Interview – Matt Davies – Digital Forensics Analyst – SYTECH

Matt, you’re a digital forensics analyst at SYTECH. Tell us a bit about your role and what it involves.

My role at SYTECH predominantly involves the extraction and analysis of embedded devices, such as mobile phones, tablets, satellite navigation systems, games consoles, unknown devices etc. The examinations I am involved in vary considerably and range from indecent images of children (IIOC) to providing assistance in murder investigations. Working for a private organisation, such as SYTECH, allows me to experience both prosecution and defence based cases.

What first made you interested in digital forensics as a field?

It was the varied nature of the work accompanied by the opportunity to make a difference that attracted me to the field of Digital Forensics.

I really didn’t want a mundane or repetitive job; I wanted a career that would provide both challenges and stimulation, and so far I have not been disappointed! I have a real passion for forensics and love what I do.

At DFRWS you presented some research on forensic analysis of a Sony PS4. Could you briefly outline this for our readers?

The Sony PlayStation 4 is the most powerful 8th generation games console on the market. As of March 2015, there are over 20,000,000 devices in worldwide circulation. The console’s security features, such as encryption, face recognition technology and passcode protection, make this device the perfect weapon for criminals. Therefore it was essential that an analysis method be devised for this device. The proposed best practice methodology is the result of over 50 experiments conducted upon the PlayStation 4 over a 12 month period.

In the first instance the console’s hard drive is removed, imaged and restored upon a duplicate HDD using a Linux based system. A shadow drive is then inserted between the console and the duplicate drive, which receives all write requests and as such prevents the alteration of data stored upon the HDD. The operational effectiveness of the shadow drive was evaluated in the following manner: The duplicate HDD was imaged and verified. An online analysis of the console’s Internet web browser was conducted and the HDD removed and verified. A comparison of both the MD5 & SHA-1 hash values concluded that no alterations were made to the HDD during the analysis.

A technique that can be exploited by the user enables images viewed online to be stored upon the device. These images are stored as screen captures and can easily be copied to a USB pen drive for evidential purposes. Image and video content acquired via the console and saved to an alternative device (under a different file name) contain metadata that includes the device make & model, firmware version used, original file name and the date and time created. This information can be correlated to the suspected device responsible for creating the artefacts.

One of the greatest challenges with the PlayStation 4 is the continuous updating of system firmware. It has been observed that firmware updates take place at around 8 week intervals and provide additional features as well as “system stability” updates (suspected updating of encryption keys). For each firmware update where the experiments were repeated, the results differ considerably between firmware versions.
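The verification step described in the answer above (image the duplicate HDD, run the online analysis through the shadow drive, image again, then compare MD5 and SHA-1 of both images) can be scripted so the comparison is reproducible and recorded. The following is an added Python example written for this page; it is not code from the interview, from SYTECH or from DFRWS. The "HDD image" it hashes is a constructed byte string written to temporary files, and the function and file names are assumptions chosen for illustration.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # hash large images in 1 MiB chunks instead of reading them whole


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-1 of an in-memory buffer (used for small constructed inputs)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def hash_image(path: str) -> dict:
    """Stream a disk image from disk and return both digests, as in the interview."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_unchanged(before: dict, after: dict) -> bool:
    """True only if BOTH digests match: a single algorithm agreeing is not enough."""
    return before["md5"] == after["md5"] and before["sha1"] == after["sha1"]


def demo_check() -> tuple:
    """Run the before/after comparison on a constructed image.

    Returns (result_when_intact, result_when_one_byte_changed), i.e. (True, False).
    """
    # Constructed stand-in for the duplicate HDD image: 3 MiB of deterministic bytes.
    image = bytes((i * 7 + 3) & 0xFF for i in range(3 * 1024 * 1024))

    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "duplicate_hdd.img")  # hypothetical file name
        with open(path, "wb") as f:
            f.write(image)

        before = hash_image(path)          # image taken before the online analysis
        after_intact = hash_image(path)    # image taken again; nothing was written
        intact = verify_unchanged(before, after_intact)

        # Simulate a write-blocker failure: one byte in the middle of the image changes.
        with open(path, "r+b") as f:
            f.seek(len(image) // 2)
            f.write(b"\x00")
        after_altered = hash_image(path)
        altered = verify_unchanged(before, after_altered)

    return intact, altered


if __name__ == "__main__":
    intact, altered = demo_check()
    print("unchanged image verified:", intact)    # True
    print("altered image verified:", altered)     # False
```

Keeping both algorithms, as the interview does, means the result does not rest on a single hash function, and streaming the file in chunks lets the same routine handle a full console HDD image rather than only the small constructed input used here.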

You mentioned that one investigative challenge is that Sony is now storing the majority of PlayStation data on the PlayStation Network rather than on each device. Talk us through the unique challenges associated with this, and how they might be addressed.

Having previously evaluated the operational effectiveness of the shadow drive when viewing non PlayStation Network (PSN) dependent content, a second experiment focusing upon PSN was conducted. The experiment involved connecting the console to PSN and sending a single message to a friend, whilst utilising the shadow drive. The console was then rebooted and the message content analysed. The first iteration demonstrated that the message was not visible upon rebooting the console. For validity reasons, the experiment was repeated. On this occasion both the initial and second messages were visible. The experiment was repeated a final time and it was apparent that all messages sent whilst connected via a shadow drive were visible. Therefore, the shadow drive does not prevent data stored in PSN being altered. This presents a significant challenge as data stored in the PSN is duplicated, in part, upon the console’s HDD, meaning that an investigator accessing PSN content without a shadow drive could potentially overwrite existing data or unintentionally delete vital evidence.

The best solution is to use a secondary console to view PSN content. Creating a basic user account without any data will result in that account being populated with the user’s content upon logging into PSN, including unique PSN gamer ID, profile information, messages, party, friends, What’s New, Notifications etc. In addition, an investigator can also access partial PSN data by logging into the suspect’s account via a PC browser. The Sony Entertainment Network (SEN) can be used to prove ownership and contains the user’s real name, address, credit card details etc.

Additional challenges are presented by the console’s remote access features: such options should be disabled, the console restarted and the changes verified prior to conducting an online analysis of the device. In addition, investigators should disable the PSN automatic login feature in order to prevent the alteration of PSN content.

How do you think the world of digital forensics will change over the next few years?

Security Features
The industry trends seem to indicate a significant increase in the use of security features such as encryption, biometrics and passcode protection. Over the coming years such features are likely to become more widely utilised, and as a result present greater challenges to forensic investigators.

Technological Evolution
It has been said for many years that the line between personal computers and embedded systems is becoming increasingly blurred. The technological advancements, accompanied by larger storage capacities, will continue to present significant problems for digital investigators. According to Sony, the PlayStation 4 possesses 43 times the processing power of the PlayStation 2 and 10 times that of the PlayStation 3. One can’t help but wonder what the PlayStation 5 will have in store for us!

Social Media
The sharing capabilities of the PlayStation 4 enable social media websites such as Facebook, Twitter and YouTube to be synced with the device. Tablets and mobile phones also encourage users to share content via social media applications; the whole area seems to be expanding at an alarming rate.

We only need look at the development in mobile phone forensics over the past 5 years to see how far the field of digital forensics has already come. The challenges faced by investigators in the coming years will greatly surpass those seen in previous years; providing a solution to these is far from impossible. Perhaps the greatest change to the field of digital forensics will be the operational requirement for dedicated Research & Development teams within every organisation. We might also see a significant shift from traditional forensic techniques and the reliance upon industry standard tools. There has been a great deal of debate in this area and as to whether or not the whole forensics process is becoming automated. I think it’s an interesting discussion and one that is likely to continue in the future.

I am currently continuing further research into game console forensics and intend on presenting the results at DFRWS 2016, Switzerland.

Matt Davies is a Digital Forensics Analyst at Sytech, who work on digital investigations across all areas including criminal justice, civil litigation and corporate.

Forensic Focus interviewed Matt at DFRWS, the annual Digital Forensics Research Workshop, which took place in Dublin from the 23rd-26th of March. The next workshops will be held in Philadelphia in August 2015, and Switzerland in March 2016. You can find out more and register here.

Original Forensic Focus Article

SYTECH gain 7th place for Digital Forensics in – Tweeting Forensic Science: 100 Great Accounts Worth Investigating


The field of forensic science depends heavily on technology, and is subject to rapid innovation. This is especially true of digital forensics. There is a constant arms race to come up with new programs to more effectively protect and analyze data to reinforce computer security. Many top experts in forensic science, including digital forensics, crime scene investigation, and even forensic archaeology and entomology, are using Twitter to share their views and discuss innovations in the industry. Twitter is an excellent venue for newcomers and old hands in forensic science to keep up with industry news, learn about new developments, and network both socially and professionally.


These are some of the most informative Twitter accounts in the Forensic Science space. Following any and all of these individuals, companies, and publications is a great way to delve into the rich and ever growing field of forensic science. The accounts are classified by general subject matter, and listed in no specific order.


Digital Forensic Investigation Info

Digital forensic investigation is one of the most rapidly developing branches of the forensic science field. Crimes involving identity theft, financial fraud, and other digital evidence require the technical expertise of a digital forensic scientist or cybersecurity specialist. Many companies and publications have popped up specifically to cover digital forensics, and they often share their insights on Twitter.


@SytechForensics

Sytech Digital Forensics brings together leading-edge specialists in all areas of Digital Forensics to provide a comprehensive one-stop analysis service. They work with all sectors and have over the years been involved in thousands of cases, including several very high profile cases. Their tweets touch on such topics as criminal justice, civil litigation, corporate and individual digital forensics.

Tweeting Forensic Science: 100 Great Accounts Worth Investigating » Forensic Science Degree.

We reported a few days ago that the (in)famous Pirate Bay had switched providers and locations due to intense pressure from law enforcement agencies. It seems the pirates have finally found a new long term home and it’s probably the most surprising place ever: North Korea.

Yes, the site that is reportedly fighting for freedom has become best buds with one of the most restrictive regimes on Earth. Then again, they are arguing for giving almost everything away for free, to each according to his needs from each according to his ability. So yeah, maybe they actually have more in common than we thought. In either case, the irony isn’t lost on them. On their official blog the pirates posted:

This is truly an ironic situation. […] We believe that being offered our virtual asylum in Korea is a first step of this country’s changing view of access to information. It’s a country opening up and one thing is sure, they do not care about threats like others do.

What’s even more interesting is that they mention that the beloved leader Kim Jong Un was the one that actually extended the invitation to come over. The pirates also note that this relationship has a potential to actually exert some change in the country. They explain that they will try to do everything in their power to convince the N. Korean government to let its own people access The Pirate Bay.

This development is definitely interesting and it will very likely have geopolitical implications. And if nothing else, it will give certain folks even more reasons to hate North Korea.

The Pirate Bay lands in North Korea. Glorious leader breaks out the rum! – Neowin.

Following the decision by the High Court of the UK last year to block The Pirate Bay and its known alternative addresses, the court in the UK has added three more sites to the list and are requiring a number of “major” ISPs to block them henceforth.

The BBC reports that the ISPs will be required to stop their users from accessing Kickass Torrents, H33T and Fenopy.

Music industry group the British Phonographic Industry (BPI) said the sites infringed copyright on a “significant scale”.

Opponents to the decision have long argued that such decisions have little effect, and in some cases such as the blocking of The Pirate Bay last year, can actually have the opposite effect where traffic not only returned to normal, but actually increased after the ruling.

Speaking after Thursday’s decision, BPI chief executive Geoff Taylor said:

The growth of digital music in the UK is held back by a raft of illegal businesses commercially exploiting music online without permission.

Blocking illegal sites helps ensure that the legal digital market can grow and labels can continue to sign and develop new talent.

The BBC report also pointed out that the market research firm NPD has suggested that there had been a large reduction in the number of users illegally downloading music, with users instead favouring legal options like the streaming site Spotify. However, the report did fail to mention that services like Spotify have only recently become a viable legal option and have still yet to roll out in other countries.

UK Court orders blocking of more “illegal” websites – Neowin.

In a case U.S. officials say is the first of its kind, a Chinese businessman pleaded guilty Monday to selling stolen American software used in defense, space technology and engineering – programs prosecutors said held a retail value of more than $100 million.

The sophisticated software was stolen from an estimated 200 American manufacturers and sold to 325 black market buyers in 61 countries from 2008 to 2011, prosecutors said in court filings. U.S. buyers in 28 states included a NASA engineer and the chief scientist for a defense and law-enforcement contractor, prosecutors said.

Corporate victims in the case included Microsoft, Oracle, Rockwell Automation, Agilent Technologies, Siemens, Delcam, Altera Corp and SAP, a government spokesman said.

U.S. officials and the Chinese man’s lawyer, Mingli Chen, said the case was the first in which a businessman involved in pirating industrial software was lured from China by undercover agents and arrested.

The businessman, Xiang Li, of Chengdu, China, was arrested in June 2011, during an undercover sting by U.S. Department of Homeland Security agents on the Pacific island of Saipan, an American territory near Guam.

Video from the undercover meeting in Saipan, filed as evidence in court, is expected to be made public during a press conference Tuesday by John Morton, director of U.S. Immigration and Customs Enforcement, and Charles M. Oberly III, the U.S. Attorney for Delaware.

Li, 36, originally charged in a 46-count indictment, pleaded guilty late Monday to single counts of conspiracy to commit criminal copyright violations and wire fraud.

“I want to tell the court that what I did was wrong and illegal and I want to say I’m sorry,” Li told U.S. District Judge Leonard P. Stark during a 90-minute hearing in federal court. The Chinese citizen spoke through a translator.

In a court filing, prosecutors David Hall and Edward McAndrew said the retail value of the programs Li sold on the black market exceeded $100 million.

During the hearing, Li told U.S. District Judge Leonard Stark that he disputes that figure. After the hearing, his lawyer said Li did not realize the retail value of what he was selling until he was caught and plans to present his own estimate at sentencing, which is set for May 3, he said.

In recent years, U.S. officials have targeted software pirates overseas but bringing them to the United States has proved difficult.

In one of the largest copyright cases, U.S. prosecutors last year charged seven people, including Megaupload founder Kim Dotcom, with racketeering conspiracy and copyright violations. The indictment alleges that Dotcom, who lives in New Zealand, ran an organization that earned $175 million selling an estimated $500 billion worth of pirated movies, TV shows and other entertainment media. Dotcom is fighting extradition from New Zealand.

EXPENSIVE SOFTWARE

The Li case involves sophisticated business software, not entertainment software, and thus small quantities of higher-priced products. The retail value of the products Li pirated ranged from several hundred dollars to more than $1 million apiece. He sold them online for as little as $20 to $1,200, according to government court filings.

At one point, Crack99.com and Li’s other sites offered more than 2,000 pirated software titles, prosecutors said.

Li trolled black market Internet forums in search of hacked software, and people with the know-how to crack the passwords needed to run the programs. Then he advertised them for sale on his websites. Li transferred the pirated programs to customers by sending compressed files via Gmail, or sent them hyperlinks to download servers, officials said.

“He was pretty proud of himself,” Chen said of his client’s business acumen. “He did not realize it was such a big crime.”

Agents from Immigration and Customs Enforcement/Homeland Security Investigations learned of Li’s enterprise after an unidentified U.S. manufacturer noticed his company’s software for sale on crack99.com.

Working undercover for 18 months beginning in early 2010, the U.S. agents made at least five purchases from Li. These included pirated versions of “Satellite Tool Kit” by Analytical Graphics Inc. of Exton, Penn., a product prosecutors said is “designed to assist the military, aerospace and intelligence industries through scenario-based modules that simulate real-world situations, such as missile launches, warfare simulations and flight trajectories.” Agents bought software worth $150,000 retail for several thousand dollars.

Agents lured Li from China to the U.S. territory of Saipan under the premise of discussing a joint illicit business venture. At an island hotel, Li delivered counterfeit packaging and, prosecutors said, “Twenty gigabytes of proprietary data obtained unlawfully from an American software company.” Officials did not identify the company in court documents.

Chinese man pleads guilty in $100 million stolen software sting | Reuters.