Mobile device forensics & digital investigation

Project overview

PiRogue Tool Suite (PTS) provides a platform combining analysis tools, knowledge management, incident response management and artifact management, which allows NGOs with limited resources to equip themselves at a low cost. The project consists of an open-source tool suite that provides a comprehensive mobile device forensics and digital investigation platform.

πŸ“’ Announcements

  • The next community meeting will happen on Dec. 27 at 2pm CET.
  • The analysis report of Turaco is now public.
  • Fill in the form to select the Android app for next month.

πŸŽ‰ Impacts and results

The recent release of PiRogue VPN has been met with overwhelmingly positive feedback regarding its ease of deployment and usability. The zero-configuration deployment feature has facilitated its rapid adoption. In the past month, over 30 PiRogue VPN servers have been successfully deployed.

The addition of cookbooks to our documentation significantly enhances the user experience of PTS. These cookbooks provide detailed, step-by-step instructions for common use cases, such as deploying PiRogue VPN.

The release of the HAR converter represents a significant milestone in both usability and data portability, allowing users to analyze PCAPNG files in a more convenient format and with a diversity of tools, including web browsers such as Firefox and Chrome, VSCode, and specialized tools.

πŸ“’ Activity report

You can find more details about the different activities in the project roadmap.

πŸ“¦ US3 - Interoperability

The project seeks to enhance interoperability by enabling the import and export of knowledge in industry-standard format. This includes batch importing of knowledge, data interchange in MISP format, and the support for user-defined templates to generate custom knowledge feeds. PTS users must have the freedom to move their data and findings from and to other tools such as OpenCTI or MISP.

Overview of the different activities

  • πŸ” Import and export cases
  • πŸ” Import and export knowledge from/to MISP format
  • πŸ” Support user-defined templates to generate custom feeds
  • πŸ” Use HAR to store the decrypted network traffic

Use HAR to store the decrypted network traffic

This month

We have released the first stable version of a standalone tool that converts PCAPNG files into HAR. If the PCAPNG file contains the TLS client randoms, the produced HAR contains the decrypted HTTP traffic. The command pcapng_to_har, if provided with the files generated by the command pirogue-intercept-[single|gated], generates a HAR with decrypted HTTP traffic, stacktrace of each request and response and decrypted contents.

As the generated HAR file may contain extra information (supported by the format specification), we have started the development of a viewer that will replace the current implementation in Colander.

image

Next month

We will continue the development of the HAR viewer.

πŸ“¦ US4 - Evidence collection

Efforts will be directed towards the extraction and preservation of artifacts and evidence, particularly those extracted from online content and mobile devices. The system will automatically archive and index various forms of online content such as photos, videos, social media posts, and web pages. Additionally, the capability of saving a watermarked capture or recording of the victim’s phone screen will be added to the PiRogue. In the context of forensic analysis, it is crucial to not only collect potential evidence of a compromise but also collect its context, such as the attack vector. As an example, retrieving and storing tweets was key in the Citizen Lab investigation on Predator, retrieving and storing WhatsApp messages in the Citizen Lab investigation on Tibetan groups being targeted.

Overview of the different activities

  • πŸ” Archive and index online content
  • βœ… Take a watermarked capture/recording of the phone screen

Take a watermarked capture/recording of the phone screen

This month

The latest release of the evidence collector includes a fully integrated file drop server. Upon launch, the server establishes a connection on the isolated network and creates a temporary URL. Users within the isolated network can then access this URL by scanning a QR code. This action redirects them to a web page where they can select and upload files to the PiRogue.

This cookbook documents this feature.

Next month

Nothing, as this task is now complete.

πŸ“¦ US8 - Colander deployment and administration

In an effort to ease the deployment and administration of Colander servers, functionalities such as importing and exporting entire cases, one-click deployment, and backup and restore tooling and procedures will be implemented, to enhance the overall manageability of the system. We would like to make it easier for end-users to deploy Colander since the deployment procedure described on GitHub can be tricky to follow if one does not have the technical expertise to do so.

Overview of the different activities

  • πŸ” 1-click deployment
  • πŸ” Backup and restore tools

1-click deployment

This month

A comprehensive overhaul of Colander’s deployment and management processes has been undertaken. To facilitate seamless integration with the one-click deployment services offered by leading hosting providers such as Linode, Ansible, a widely recognized automation tool, has been adopted as the primary deployment mechanism.

Next month

We will continue to work on this.

πŸ“¦ US100 - Documentation

Documenting the project is key in its usability. We are continuously documenting the different tools and features we develop and build new learning materials to facilitate skills development.

This month

Based on the feedback from our users, we have decided to introduce a third level of documentation: cookbooks. The purpose of the cookbooks is to provide step-by-step guides to address specific use cases (e.g., how to deploy PiRogue VPN). We are planning to cover the following main topics: deployment, acquisition, analysis, detection, investigation, and collaboration.

Some users have experienced issues with DigitalOcean when deploying PiRogue VPN. While PiRogue in its current version does not support DigitalOcean, we have started to document supported hosting providers.

Next month

We will continue to improve the project documentation to accurately reflect ongoing changes and updates.

πŸ“¦ US101 - Maintenance

We manufacture PiRogues to supply organizations, while taking care of its maintenance. We will include OS upgrades, improvement of the documentation and fixing bugs. Regarding Colander and Threatr, we maintain the public Colander server, upgrade dependencies, improve the documentation and fix bugs.

This month

We have improved the graph editor to address incompatibilities with browsers based on WebKit (e.g. Safari), this includes the fix of:

  • a wrong font fallback in contextual action menu
  • the contextual menu and the missing graph actions on Safari due to missing custom HTML element API implementation

We have fixed an issue in the Colander documentation editor to prevent the loss of unsaved documentation changes when navigating between pages, prompting users to either save or discard their modifications.

Next month

We will continue the maintenance of the tools and the Debian packages we maintain.

πŸ“¦ US102 - Community and outreach

Given the success of events, webinars and demos with members of the civil society, NGOs and security researchers, we continue with our outreach plan. We organize trainings and demonstration sessions as well as creating spaces for the community to share feedback and request new features via our mailing list, GitHub issues or Discord server. We analyze one Android app that has received the community’s interest (ex COP28 app) per month. The application to be analyzed is chosen by the community. The analysis report is first privately shared with the community and one month later it is publicly released.

We organize monthly calls open to all members of the community to share project updates and get the community’s feedback.

This month

We have publicly released the analysis report of the Turaco Android application.

The PTS community meeting took place on Nov. 29. This was a good opportunity to present the latest improvements of PTS. The next community meeting will happen on Dec. 27 at 2pm CET.

We are actively refining our methods for collecting user feedback on the usability, current usage patterns, and desired future functionalities of PTS. To supplement the traditional feedback form, we are scheduling meetings with each organization utilizing PTS. This approach aims to foster a more interactive and efficient feedback collection process, enabling us to better understand user needs and implement relevant improvements.

Next month

We will continue with our recurring activities.

πŸ“¦ US103 - Governance

This month

We have delineated the scope of action and the roles of the future project coordinator. This proposal will be presented to our Advisory Committee for their approval.

We are actively engaged in discussions with potential partners to explore various hosting modalities for our users. These discussions will inherently shape our future work on interoperability.

We are investigating different solutions for monetizing PTS. We have designed a tiered subscription model to accommodate diverse user needs. At present, we envision the following tiers:

  • first point of contact (e.g. helplines)
  • support network
  • technical experts (e.g. forensic labs)

Next month

We will continue with our recurring activities.