From bd10c5b7c6a38d3ca56bf9a5900cb2d739e8d8b5 Mon Sep 17 00:00:00 2001
From: Jan Vales <jan@jvales.net>
Date: Fri, 20 Jun 2014 22:38:15 +0200
Subject: [PATCH] iphone und blabala fertig. androiud still not filled in
---
report4/content.tex | 110 +++++++++++++++++++++++++-------------------
report4/main.tex | 4 +-
2 files changed, 64 insertions(+), 50 deletions(-)
diff --git a/report4/content.tex b/report4/content.tex
index 99b6248..4d8dda0 100644
--- a/report4/content.tex
+++ b/report4/content.tex
@@ -1,39 +1,46 @@
-
\newpage\section{Questions (12 points)}
\subsection{How and when did Mr. Smith and Mr. Mayer communicate? (2 point)}
-\begin{center}\begin{tabularx}{\textwidth}{| l | l | l | X | }
- \hline service & timestamp & (from) to & content\\
- \hline skype & 27-11-2012 12:20:00 & to:allegro.mayer from:johannes.m.smith & Auth\_Request\\
- \hline skype & 06-12-2012 13:20:33 & from:allegro.mayer to:johannes.m.smith & Auth\_Granted\\
- \hline call & 2012-12-06 14:35:38 & Johannes Smith 06603169718 & (0:01:15 sec)\\
- \hline skype & 06-12-2012 16:33:53 & to:allegro.mayer from:johannes.m.smith & "Hallo"\\
- \hline sms & 2012-12-06 17:20:46 & to +436603169718 & Ich habe wichtige Informationen über unseren letzten deal für dich. Ruf dich später an, wenn ich ungestört bin.\\
- \hline sms &2012-12-06 17:30:43 & to +436603169718 & Sicherer kanal wär besser ....\\
- \hline viber call & 2012-12-06 17:31:57 & Johannes Smith & (71 sec)\\
- \hline sms & 2012-12-06 17:36:26 & from +436605166042 & Hallo, ich empfehle dir den WhatsApp Messenger für Android, iPhone, Nokia, BlackBerry und Windows Phone auf http://whatsapp.com/dl/\\
- \hline sms & 2012-12-06 17:42:50 & to +436605166042 & Viel zu unsicher, hab mir vor kurzem einen ganz tollen vortrag darüber angehört...\\
- \hline sms & 2012-12-06 17:45:19 & to +436605166042 & Ich hab von einem kollegen wichtige informationen. Ruf dich an\\
- \hline call & 2012-12-06 17:45:36 & Johannes Smith +436605166042 & (0:00:21 sec; diensthandy? DumpBank We Sell Your Shit)\\
+\begin{center}\begin{tabularx}{\textwidth}{| l | l | l | l | l | X | }
+ \hline source & service & timestamp & from & to & content\\
+ \hline IPBA & skype message & 27-11-2012 12:20:00 & Smith & Mayer & Auth\_Request Hallo! Ich würde Sie gerne in meine Skype-Kontaktlistaufnehmen. Johannes Smith\\
+ \hline IPBA & skype message & 2012-12-06 13:20:33 & Mayer & Smith & Auth\_Granted\\
+ \hline IPBA & call & 2012-12-06 14:35:38 & Mayer & Smith & duration 0:01:15\\
+ \hline IPBA & sms & 2012-12-06 16:20:46 & Mayer & Smith & Ich habe wichtige Informationen über unseren letzten deal für dich. Ruf dich später an, wenn ich ungestört bin.\\
+ \hline IPBA & sms & 2012-12-06 16:30:43 & Smith & Mayer & Sicherer kanal wär besser ....\\
+ \hline IPBA & viber call & 2012-12-06 16:31:57 & Mayer & Smith & (71 sec)\\
+ \hline IPBA & skype message & 2012-12-06 16:33:53 & Smith & Mayer & "Hallo"\\
+ \hline IPBA & sms & 2012-12-06 16:36:26 & Smith & Mayer & Hallo, ich empfehle dir den WhatsApp Messenger für Android, iPhone, Nokia, BlackBerry und Windows Phone auf http://whatsapp.com/dl/\\
+ \hline IPBA & sms & 2012-12-06 16:42:50 & Mayer & Smith & Viel zu unsicher, hab mir vor kurzem einen ganz tollen vortrag darüber angehört...\\
+ \hline IPBA & sms & 2012-12-06 16:45:19 & Mayer & Smith & Ich hab von einem kollegen wichtige informationen. Ruf dich an\\
+ \hline IPBA & call & 2012-12-06 16:45:36 & Mayer & Smith & duration 0:00:21\\
\hline
\end{tabularx}\end{center}
\subsection{What information was exchanged between Mr. Smith and Mr. Mayer? (3 points)}
-dropbox extracted from android. no time now. mutter kollabiert gerade.\\
+Mayer sends Smith an eMail and a Dropbox folder named confidential containing 4 files.
+\begin{itemize}
+\item \emph{\textbf{2012-11-27 14.31.56.png}} iPhone screenshot from some flightplan App, shows a number of flights departing Vienna shortly after 1700 (among those, two flights from Vienna to Paris)
+\item \emph{\textbf{Homer-Simpson-Butt-Wide-Load.png}} image of from an episode of the TV series The Simpsons, showing Homer Simpson with \textbf{Wide Load} written across his back.
+\item \emph{\textbf{Stocks-watch.jpg}} shows a key lying on a newspaper with a headline beginning with \textbf{Investing}
+\item \emph{\textbf{stocks.jpg}} smaller version of \emph{\textbf{IPBA::IMG\_0005.JPG}} from the iPhone backup.
+\end{itemize}
+
\subsection{Can you find any evidence or hints that support the suspicion of insider trade? (3 points)}
No hard evidence was found.\\
-The fact that both parties looked up stock trading sites could hint at that.\\
-Also communication between Mayer and Smith does not give a definite proof that they really did anything.
+The fact that both parties looked up stock trading sites could hint at that. Also some not too suspicious images were exchanged.\\
+Mayer communicates with Ernst Strasser while Smith communicates with Karl Heinz Grasser.\\
+Obviously because of the Unschuldsvermutung neither Mayer nor Smith could even remotely be connected with insider trading *scnr*
\subsection{Was the person that the witness identified really Mr. Mayer? (2 points)}
As Mayer was in Paris on Friday, 7th of December 2012, late afternoon it seems unlikely that a witness saw them.\\
Unless of course Mayer and Smith met in Paris which could be hinted at by the FILE in the dropbox-directory and the witness too was in Paris at that time.
+
\subsection{Mr. Mayer seems to have more secrets than initially expected. What is his big secret? (2 points)}
-By using MAYRS EMAIL address, we found out, that he is engaged with NAME.\\
-Communication suggests that MAYR + Laura were on a romantic trip in Paris.
+It looks like Mayer is married to Mrs. Ilse Mayer-Brandl (profile: \url{https://www.facebook.com/ilse.mayerbrandl}) and has an affair with Laura Markovic (\url{https://www.facebook.com/laura.markovic.129}).
@@ -83,23 +90,23 @@ The call-log was extracted from \emph{\textbf{IPBA::Wireless Domain:Library/Call
\end{quote}
The content was:
-\begin{center}\begin{tabular}{ | l | l | l | l | }
- \hline date & to/from & Phonenumber & duration (sec)\\
- \hline 2012-12-06 13:35:38 & to & 06603169718 & 75\\
- \hline 2012-12-06 14:02:20 & to & 06803303660 & 0\\
- \hline 2012-12-06 14:03:02 & from & +436605969364 & 23\\
- \hline 2012-12-06 14:08:34 & to & 0660303010 & 0\\
- \hline 2012-12-06 14:10:02 & to & 0660303030 & 1181\\
- \hline 2012-12-06 15:17:05 & to & 0660303030 & 1023\\
- \hline 2012-12-06 15:34:30 & to & 0660303030 & 864\\
- \hline 2012-12-06 16:00:10 & from & +436605166042 & 17\\
- \hline 2012-12-06 16:08:02 & to & 06604394199 & 9\\
- \hline 2012-12-06 16:25:30 & from & +436605166042 & 0\\
- \hline 2012-12-06 16:26:11 & from & +436605166042 & 0\\
- \hline 2012-12-06 16:34:39 & to & 06604394199 & 6\\
- \hline 2012-12-06 16:34:52 & to & 06604394199 & 12\\
- \hline 2012-12-06 16:35:10 & to & 06604394199 & 23\\
- \hline 2012-12-06 16:45:36 & to & +436605166042 & 21\\
+\begin{center}\begin{tabular}{| l | l | l | l | l | }
+ \hline date & to/from & Phonenumber & name & duration (sec)\\
+ \hline 2012-12-06 13:35:38 & to & 06603169718 & <None> & 75\\
+ \hline 2012-12-06 14:02:20 & to & 06803303660 & Laura Markovic & 0\\
+ \hline 2012-12-06 14:03:02 & from & +436605969364 & & 23\\
+ \hline 2012-12-06 14:08:34 & to & 0660303010 & & 0\\
+ \hline 2012-12-06 14:10:02 & to & 0660303030 & & 1181\\
+ \hline 2012-12-06 15:17:05 & to & 0660303030 & & 1023\\
+ \hline 2012-12-06 15:34:30 & to & 0660303030 & & 864\\
+ \hline 2012-12-06 16:00:10 & from & +436605166042 & Johannes Smith & 17\\
+ \hline 2012-12-06 16:08:02 & to & 06604394199 & Ernst Strasser & 9\\
+ \hline 2012-12-06 16:25:30 & from & +436605166042 & Johannes Smith & 0\\
+ \hline 2012-12-06 16:26:11 & from & +436605166042 & Johannes Smith & 0\\
+ \hline 2012-12-06 16:34:39 & to & 06604394199 & Ernst Strasser & 6\\
+ \hline 2012-12-06 16:34:52 & to & 06604394199 & Ernst Strasser & 12\\
+ \hline 2012-12-06 16:35:10 & to & 06604394199 & Ernst Strasser & 23\\
+ \hline 2012-12-06 16:45:36 & to & +436605166042 & Johannes Smith & 21\\
\hline
\end{tabular}\end{center}
@@ -116,15 +123,15 @@ The SMS-Database was extracted from \emph{\textbf{IPBA::Home Domain:Library/SMS/
The content was:
-\begin{center}\begin{tabularx}{\textwidth}{| l | l | l | l | X | }
+\begin{center}\begin{tabularx}{\textwidth}{| l | l | X | l | X | }
\hline date & from/to & number & service & text\\
\hline 2012-12-06 16:17:20 & from & Viber & SMS & Your Viber code is: 9386 Close this message and enter the code into Viber to activate your account.\\
- \hline 2012-12-06 16:20:46 & to & +436603169718 & SMS & Ich habe wichtige Informationen über unseren letzten deal für dich. Ruf dich später an, wenn ich ungestört bin\\
- \hline 2012-12-06 16:30:43 & to & +436603169718 & SMS & Sicherer kanal wär besser ....\\
+ \hline 2012-12-06 16:20:46 & to & +436603169718 <None> & SMS & Ich habe wichtige Informationen über unseren letzten deal für dich. Ruf dich später an, wenn ich ungestört bin\\
+ \hline 2012-12-06 16:30:43 & to & +436603169718 <None> & SMS & Sicherer kanal wär besser ....\\
\hline 2012-12-06 16:33:58 & to & +436604413637 & iMessage & Hi wie gehts? Treffen wir und mal auf einen drink?\\
- \hline 2012-12-06 16:36:26 & from & +436605166042 & SMS & Hallo, ich empfehle dir den WhatsApp Messenger für Android, iPhone, Nokia, BlackBerry und Windows Phone auf http://whatsapp.com/dl/\\
- \hline 2012-12-0616:42:50 & to & +436605166042 & SMS & Viel zu unsicher, hab mir vor kurzem einen ganz tollen vortrag darüber angehört...\\
- \hline 2012-12-0616:45:19 & to & +436605166042 & SMS & Ich hab von einem kollegen wichtige informationen. Ruf dich an\\
+ \hline 2012-12-06 16:36:26 & from & +436605166042 Johannes Smith & SMS & Hallo, ich empfehle dir den WhatsApp Messenger für Android, iPhone, Nokia, BlackBerry und Windows Phone auf http://whatsapp.com/dl/\\
+ \hline 2012-12-06 16:42:50 & to & +436605166042 Johannes Smith & SMS & Viel zu unsicher, hab mir vor kurzem einen ganz tollen vortrag darüber angehört...\\
+ \hline 2012-12-06 16:45:19 & to & +436605166042 Johannes Smith & SMS & Ich hab von einem kollegen wichtige informationen. Ruf dich an\\
\hline
\end{tabularx}\end{center}
@@ -231,9 +238,9 @@ The Viber-Database was extracted from \emph{\textbf{IPBA::AppDomain:com.viber/Do
21f2ce84f493d6c6601851844d14cf4dbdd1523ebe98bdc9deb5db380533df77}
\end{quote}
-The content was:
+The call-log was:
\begin{center}\begin{tabular}{| l | l | l | l | l |}
- \hline timestamp & to/from & number & name & duration (sec)\\
+ \hline timestamp & to & number & name & duration (sec)\\
\hline 2012-12-06 16:27:32 & to & 436803303660 & Laura Markovic & 0\\
\hline 2012-12-06 16:31:57 & to & 436605166042 & Johannes Smith & 72\\
\hline
@@ -287,7 +294,7 @@ On December 7. 2012 14:17 at Paris, with Laura Markovic (\url{https://www.facebo
\newpage\section{Android}
-\subsection{Source: Android.tar.gz (ANDROID)}
+\subsection{Source: Android.tar.gz (ANDRO)}
Android image from Johannes Maskus Smith's phone.
\begin{quote}
\textbf{size}: 270397822 byte\\
@@ -297,18 +304,25 @@ Android image from Johannes Maskus Smith's phone.
ab18c6a2b5b9f8a0e1539474612a4a7ceae627255a2169565f0dddf3409ef67d}
\end{quote}
+
\subsection{Contacts}
\subsection{Call-Log}
-\subsection{SMS-Log}
+\subsection{SMS/iMessage}
+\subsection{Calendar}
+\subsection{Browser}
+\subsection{WLANs}
\subsection{Media}
-\subsection{eMail-App}
\subsection{Viber-App}
\subsection{Skype-App}
-\subsection{Whatsapp-App}
\subsection{Dropbox-App}
\subsection{Facebook-App}
+
+
+
+
+
\newpage\section{Details}
\subsection{Used tools on GuestVM}
Tools that were used for analysis (-{}-version):
diff --git a/report4/main.tex b/report4/main.tex
index 8308d9e..71794c0 100644
--- a/report4/main.tex
+++ b/report4/main.tex
@@ -113,7 +113,7 @@
% START DOCUMENT
\begin{document}\thispagestyle{empty}
-\hspace{50pt}
+\hspace{40pt}
\section*{Digital Forensics 188.922}
\textbf{2014S}
@@ -124,7 +124,7 @@
\textbf{0726236\\\url{mailto:jan@jvales.net}}\\\\
\textbf{Still want an official \LaTeX{} template!}\\
-\vspace{40pt}
+\vspace{30pt}
\section*{Table of Contents}\begin{footnotesize}\tableofcontents\end{footnotesize}
\subsection*{Version}\begin{footnotesize}\url{http://git.somenet.org/?p=priv/jan/digfor.git}\\
--
2.43.0