Mobile device forensics & digital investigation
Monthly report n°32 - 2024-10
https://pts-project.org/blog/monthly-report-n32-2024-10/

Project overview

PiRogue Tool Suite (PTS) provides a platform combining analysis tools, knowledge management, incident response management and artifact management, which allows NGOs with limited resources to equip themselves at low cost. The project consists of an open-source tool suite that provides a comprehensive mobile device forensics and digital investigation platform.
Announcements
Impacts and results

PiRogue v2 is here! PiRogue now supports multiple operating modes, including Wi-Fi access point, appliance and VPN. Users can now install their PiRogue at scale on computers, virtual machines, bare-metal servers and VPS. PiRogue remains fully compatible with Raspberry Pi. This release represents a major step forward for PiRogue, offering greater flexibility. It can now be used to analyze the network traffic of a small organization by deploying it internally as a network appliance, or to capture and analyze the network traffic of a remote device through its VPN. Regardless of the operating mode, the installation remains as simple as running a single command.

This new version of PiRogue has been by far the most difficult redesign we have had to carry out over the last three years. We are a very small team of 3, and it took us 3 months to implement it in 500+ changes, 8000+ lines of code and 7 new Debian packages.

Activity report

You can find more details about the different activities in the project roadmap.

US4 - Evidence collection

Efforts will be directed towards the extraction and preservation of artifacts and evidence, particularly those extracted from online content and mobile devices. The system will automatically archive and index various forms of online content such as photos, videos, social media posts and web pages. Additionally, the capability of saving a watermarked capture or recording of the victim's phone screen will be added to the PiRogue. In the context of forensic analysis, it is crucial not only to collect potential evidence of a compromise but also to collect its context, such as the attack vector. As an example, retrieving and storing tweets was key in the Citizen Lab investigation on Predator, and retrieving and storing WhatsApp messages was key in the Citizen Lab investigation on Tibetan groups being targeted.

Overview of the different activities
Archive and index online content

This month
Welcome to Colander Companion, the first Colander browser extension. As planned, this project relies on SingleFile as an embedded third-party library. The alpha web extension is in good shape, as it now supports uploading collected content directly to Colander. The saved content is a snapshot of the webpage's DOM. This snapshot can be safely opened offline with any web browser. The extension gives users the option of automatically adding collected content directly to a Colander case. By default, all collected content is stored outside cases and must be sorted afterward.

Next month
We will add a new feature to this companion extension to trigger the download of the media embedded in the saved webpage.

Challenges
Multiple security considerations and technical challenges were addressed to ensure secure communication between the web extension and the Colander API.

Take a watermarked capture/recording of the phone screen

This month
The first version of the
Next month
The implementation of the command

Challenges
None.

US9 - PiRogue virtualization

We want to provide end users with OS images and an installation procedure allowing them to deploy PiRogue in a virtual environment (VM, cloud…). One direct implication is supporting a wide variety of configurations, such as:
Overview of the different activities
ViRogue - Design and architecture

This month
The second major version of PiRogue has been released; the technical and architectural choices are detailed in the system integration documentation.

Next month
Nothing, as this task is now complete.

Challenges
None.

ViRogue - Debian packaging

This month
All Debian packages have been bumped to version

Next month
Nothing, as this task is now complete.

Challenges
None.

ViRogue - Local and remote administration

This month
The PiRogue administration tool has been released. Extensive testing has been performed, from installation to fully functional remote administration. The tests cover all three new PiRogue operating modes.

Next month
Nothing, as this task is now complete.

Challenges
The wide variety of new PiRogue deployment scenarios was challenging to test end-to-end. Automating VM environment creation and management would be a significant quality-of-life improvement for our testing efforts.

ViRogue - Tests

This month
Many tests were run, using laptops, mixing wired and wireless interfaces, and testing all desktop environments that can be selected from the Debian Installer. The VPN feature was also tested using a virtual machine hosted at Hetzner. Tests indicate that all supported modes of operation are functional.

Next month
Nothing, as this task is now complete.

Challenges
None.

ViRogue - Documentation

This month
As we have released all the packages to virtualize PiRogue, the user documentation and the technical documentation have been published. This documentation covers:
Next month
Nothing, as this task is now complete.

Challenges
None.

US100 - Documentation

Documenting the project is key to its usability. We continuously document the different tools and features we develop and build new learning materials to facilitate skills development.

This month
We have updated the documentation of PiRogue to reflect all the changes introduced with the release of the virtualization of PiRogue. We have also added details about the limitations of PiRogue when running on a Raspberry Pi, such as low performance and the maximum number of devices that can be connected to the PiRogue simultaneously. Other edits were made to reflect minor project changes.

Next month
We will continue to improve the project documentation to accurately reflect ongoing changes and updates.

Challenges
None.

US101 - Maintenance

We manufacture PiRogues to supply organizations, while taking care of their maintenance, which includes OS upgrades, documentation improvements and bug fixes. Regarding Colander and Threatr, we maintain the public Colander server, upgrade dependencies, improve the documentation and fix bugs.

This month
A new version
This new version supports 2 types of HAR enrichment:
Find more details on GitHub.

We have improved the UX of the Investigate workspace of Colander, making it less confusing to use. A showstopper bug has been fixed in Colander: it was no longer possible to quickly create multiple entities at once. This bug was introduced when we reworked the Investigate workspace last month.

We have updated the Linux kernel for Raspberry Pi 5 to

Next month
We will continue the maintenance of all the tools and Debian packages we maintain.

Challenges
None.

US102 - Community and outreach

Given the success of events, webinars and demos with members of civil society, NGOs and security researchers, we continue with our outreach plan. We organize trainings and demonstration sessions, and create spaces for the community to share feedback and request new features via our mailing list, GitHub issues or Discord server. Each month we analyze one Android app that has received the community's interest (e.g. the COP28 app). The application to be analyzed is chosen by the community. The analysis report is first shared privately with the community and publicly released one month later. We organize monthly calls open to all members of the community to share project updates and get the community's feedback.

This month
We have publicly released the analysis report of the NetGuard Android application. The PTS community meeting took place on Oct. 25. This was a good opportunity to announce the second major release of PiRogue. The next community meeting will happen on Nov. 29 at 2pm CET. The release of the new version of PiRogue has been announced on our different communication channels, such as Discord, the mailing list and the CiviCERT Mattermost. We are working on redesigning certain parts of the website, such as the home page, to present the project and its capabilities more effectively.
This work includes providing short guides explaining how PTS can be used in different use cases, for example how to maintain detection rules with Colander or how to extract files from a mobile device with PiRogue. This work is part of a long-term effort to constantly improve the way we communicate about the project as it evolves. We continue working on refining the way we collect user feedback on the usability of PTS, the way they use it and the use cases they would like to see addressed in the future.

Next month
We will continue with our recurring activities.

Challenges
None.

US103 - Governance

This month
In order to strengthen the team, improve the organization of the various project activities and follow up on potential partnerships currently under discussion, we are exploring the possibility of hiring a project coordinator. We are currently in the process of defining the scope of action and the various roles that the coordinator will have to fulfil. In order to make the deployment and hosting of Colander and PiRogue easier, we are currently in discussion with several organizations to explore the different hosting modalities we could offer our users. These discussions are also intended to guide future developments of tools for system administrators to simplify the administration and maintenance of Colander and PiRogue servers.

Next month
We will continue with our recurring activities.

Challenges
None.