Mobile device forensics & digital investigation

Project overview

PiRogue Tool Suite (PTS) provides a platform combining analysis tools, knowledge management, incident response management and artifact management, which allows NGOs with limited resources to equip themselves at a low cost. The project consists of an open-source tool suite that provides a comprehensive mobile device forensics and digital investigation platform.

πŸ“’ Announcements

We are thrilled to announce that PTS has just been granted the support from Internews for the next 3 months and from Open Technology Fund for the next 2 years to continue to improve the tools we provide and meet evolving needs.

The virtual community meeting will take place every last Friday of the month at 12:00 UTC. They will be announced on our mailing list and on CiviCERT’s Mattermost.

Each month, we will analyze an Android application selected by the community. Details will be communicated soon on our mailing list and on CiviCERT’s Mattermost as well.

πŸŽ‰ Impacts and results

Adding support for the Raspberry Pi 5 facilitates project adoption, as an increasing number of users have transitioned to the latest version of the Raspberry Pi hardware.

πŸ“’ Activity report

You can find more details about the different activities in the project roadmap.

πŸ“¦ US4 - Evidence collection #22

Efforts will be directed towards the extraction and preservation of artifacts and evidence, particularly those extracted from online content and mobile devices. The system will automatically archive and index various forms of online content such as photos, videos, social media posts, and web pages. Additionally, the capability of saving a watermarked capture or recording of the victim’s phone screen will be added to the PiRogue. In the context of forensic analysis, it is crucial to not only collect potential evidence of a compromise but also collect its context, such as the attack vector. As an example, retrieving and storing tweets was key in the Citizen Lab investigation on Predator, retrieving and storing WhatsApp messages in the Citizen Lab investigation on Tibetan groups being targeted.

Overview of the different activities

  • Archive and index online content #20
  • Take a watermarked capture/recording of the phone screen #21

Archive and index online content #20

This month

This month, we were evaluating the different existing tools and libraries we can reuse to implement online content retrieval and indexation. In order to test potential integration, we have developed mocks within Colander.

We have defined additional goals to be achieved:

  • make the integration to the user’s working environment easy
  • allow the user to focus on collecting content by making the upload to Colander totally transparent to them

Even if we are still refining how this feature will be implemented, we think that providing the end-user with a web browser extension would offer a good user experience. In the background, this extension would take care of uploading the collected content directly to Colander.

Next month

We will select an off the shelf or adapt it to our content collection needs, supporting both static pages and medias.

Challenges

It is difficult to find an existing tool that support both static content (html, image, video poster) and video capture. Some tools we have tested could be extended to address the initial need.

Take a watermarked capture/recording of the phone screen #21

This month

Along with a reorganization of the PiRogue Debian packages, we are introducing a new package pirogue-evidence-collector creating the following entry points:

  • pirogue-android to interact with an Android device and run commands on it.
  • pirogue-file-drop to expose a web server allowing the user to upload files from their device to the PiRogue.
  • pirogue-extract-metadata to extract metadata of a file and save it separately in [original file name].metadata.json.
  • pirogue-timestamp to time stamp files by requesting a 3rd-party RFC3161 authority.
  • pirogue-intercept-[gated|single] to instrument an Android application to analyze its network traffic.

Next month

We are planning to release this Debian package next month.

Challenges

The primary challenge was to establish a mechanism for offline timestamp verification exclusively reliant upon OpenSSL.

πŸ“¦ US9 - PiRogue virtualization #35

We want to provide end users with OS images and installation procedure allowing them to deploy PiRogue in a virtual environment (VM, cloud…). One of the direct implication is supporting a vast variety of configuration such as:

  • Eth - Eth
  • Wi-Fi - Eth
  • VPN - Eth
  • Wi-Fi - USB tethering

Overview of the different activities

  • ViRogue - Design and architecture #40
  • ViRogue - Debian packaging #28
  • ViRogue - Local and remote administration #29
  • ViRogue - Tests #30
  • ViRogue - Documentation #31

ViRogue - Design and architecture #40

This month

To support the virtualization of the PiRogue while ensuring it remains iso-functional with the physical PiRogue, have defined the overall software architecture allowing both remote and local administration. This architecture must ensure:

  • flexibility
  • extensibility
  • security
  • full compatibility with physical PiRogue
image

To achieve these goals, we are introducing two major software components:

  • the administration daemon running on the PiRogue (physical or virtual)
  • the administration client that interacts with the administration daemon

The administration client can be used locally by running it directly on the PiRogue and remotely by running it on a remote computer.

image

The two software components are split in three different Debian packages, with pirogue-admin-api defining the communication contract between the client and the daemon.

Next month

Next month, we will refine the software architecture details such as the communication contract.

Challenges

None.

ViRogue - Debian packaging #28

This month

Packages with hardcoded network-related settings or requirements (interface names, IP address/network, etc.) have been identified and modified to make those configurable. A new pirogue-admin tool is being introduced to orchestrate the initial configuration and further modifications in a centralized manner.

Next month

The next step is extending pirogue-admin so that it can still auto-configure Raspberry Pi 3 and 4 as before, while supporting Eth/Wi-Fi on other devices, as well as a new Eth/Eth mode as well.

Challenges

None.

ViRogue - Local and remote administration #29

This month

The project is going to use gRPC proto language to describe, generate and implement the remote/local administration. For now, only a Python binding will be generated and implemented internally.

We have designed the RPC interface supporting elementary functionalities such as retrieving the PiRogue configuration and applying a new configuration. We have set up the development environment for pirogue-admin-api, pirogue-admin-client and pirogue-admin-daemon.

Next month

We are planning to release a first alpha version of the pirogue-admin RPC environment to run smoke tests, at least. We will start documenting the development environment and how to set up it.

Challenges

Setting up a fully functional and secure development environment that includes root system mocks was challenging.

πŸ“¦ US100 - Documentation #36

Documenting the project is key in its usability. We are continuously documenting the different tools and features we develop and build new learning materials to facilitate skills development.

This month

We have updated the documentation to reflect the relocation of the PiRogue OS images to a new repository. Note that the older repository remains open.

Next month

We will continue to enhance the project documentation to accurately reflect ongoing changes and updates.

Challenges

None.

πŸ“¦ US101 - Maintenance #37

We manufacture PiRogues to supply organizations, while taking care of its maintenance. We will include OS upgrades, improvement of the documentation and fixing bugs. Regarding Colander and Threatr, we maintain the public Colander server, upgrade dependencies, improve the documentation and fix bugs.

This month

While deploying officially supported Raspberry Pi 3 and Pi 4 devices, the outdatedness of the last PiRogue OS release became apparent. Since the historical tool used to turn Debian images for Raspberry Pi into PiRogue images was relicensed, it was replaced with another implementation.

After experimenting with the Raspberry Pi 5, the new tooling was extended to generate a different, experimental image to support it, alongside the official image supporting Pi 3 and Pi 4.

A new release arm64_v2.1.0 was published, catching up with Debian 12.6, supporting Pi 3 and Pi 4 officially, and Pi 5 experimentally and unofficially.

Next month

Support for the Raspberry Pi 5 requires some components outside the Debian and PiRogue ecosystems, which might make upgrades a little more complicated than usual. It would be best to perform test runs for scenarios that could be problematic, see if theoretical problems are likely to happen, making it possible to either avoid them entirely, or be ready to tackle them when they show up.

Challenges

Unfortunately, the Debian images for Raspberry Pi that are turned into PiRogue images are also outdated (compared to the updates in Debian 12). Until it’s resolved on the Debian side, an independent image build has been set up, to ensure images are generated weekly.

πŸ“¦ US102 - Community and outreach #38

Given the success of events, webinars and demos with members of the civil society, NGOs and security researchers, we continue with our outreach plan. We organize trainings and demonstration sessions as well as creating spaces for the community to share feedback and request new features via our mailing list, GitHub issues or Discord server. We analyze one Android app that has received the community’s interest (ex COP28 app) per month. The application to be analyzed is chosen by the community. The analysis report is first privately shared with the community and one month later it is publicly released.

We organize monthly calls open to all members of the community to share project updates and get the community’s feedback.

This month

We have identified various communication channels that we can leverage to enhance our outreach efforts.

Each month, we will analyze one Android app that has received the community’s interest. We have set up all the tools we need to share the analysis report we will share with our community.

Each month, we will facilitate an online call open to the members of our community. We have set up all the tools we need to facilitate it.

Four work sessions were live-streamed through Twitch:

  • Deploying PTS on a Raspberry Pi 4, and trying to virtualize it.
  • Introducing pirogue-admin.
  • Reworking PTS image generation, and adding initial support for Raspberry Pi 5.
  • Solving intermittent network failures (dhcpcd), and improving Raspberry Pi 5 support.

Live at https://www.twitch.tv/CyrilBrulebois, every Friday at 12:00 UTC.

Next month

We will analyze the first Android app chosen by the community.

We will facilitate the first community monthly call.

Likely more live sessions around pirogue-admin (to support more than just Raspberry Pi devices), plus VPN/WireGuard at some point.

Challenges

None.

πŸ“¦ US103 - Governance #39

This month

We have composed a document that delineates the scope and objectives of the advisory committee. This document also outlines the various strategic axes that we intend to address, leveraging the insights and recommendations provided by this committee.

This document, along with an invitation to join the advisory committee, has been sent to five individuals from civil society who are highly regarded for their respective expertise in the following areas:

  • Usability and accessibility
  • Outreach and adoption strategy
  • Training and documentation
  • Sustainability
  • Mobile device forensics

Next month

We anticipate receiving responses to our invitation next month. In the meantime, we will prepare and implement all the necessary tools and resources to facilitate the committee’s activities.

Challenges

None.