Mobile device forensics & digital investigation

Project overview

PiRogue Tool Suite (PTS) provides a platform combining analysis tools, knowledge management, incident response management and artifact management, which allows NGOs with limited resources to equip themselves at a low cost. The project consists of an open-source tool suite that provides a comprehensive mobile device forensics and digital investigation platform.


📢 Announcements

🎉 Impacts and results

The Colander Firefox extension has been released. It streamlines the workflow for capturing and indexing web content into Colander. It reduces manual steps and improves efficiency for users who frequently use web content artifacts during their investigations.

We’ve addressed an interface detection issue in the pirogue-admin package. The issue occurred at install time when the bonding module is loaded: bonding_masters was incorrectly selected as the isolated network interface. PiRogue now correctly supports bonded network interfaces.

📢 Activity report

You can find more details about the different activities in the project roadmap.

📦 US3 - Interoperability

The project seeks to enhance interoperability by enabling the import and export of knowledge in industry-standard formats. This includes batch importing of knowledge, data interchange in MISP format, and support for user-defined templates to generate custom knowledge feeds. PTS users must have the freedom to move their data and findings from and to other tools such as OpenCTI or MISP.

Overview of the different activities

  • πŸ” Import and export cases
  • πŸ” Import and export knowledge from/to MISP format
  • πŸ” Support user-defined templates to generate custom feeds
  • πŸ” Use HAR to store the decrypted network traffic

Use HAR to store the decrypted network traffic

This month

We have published the source code of the HAR analyzer (viewer). This tool is currently undergoing active development and is not suitable for production use.
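To make concrete what an analyzer has to read when decrypted traffic is stored as HAR, here is a small HAR 1.2 reader, added as an example for this report; it is not the HAR analyzer's code, and the sample document, host names and function names are constructed for the illustration. It validates the envelope, reduces each entry to the fields an investigator scans first, counts requests per host, and flags entries that went over plain HTTP.

```python
"""Reading decrypted traffic stored as HAR 1.2 (added example, not PTS code)."""
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed HAR document: the shape a TLS-interception tool writes, reduced
# to the fields this reader uses (see the HAR 1.2 spec for the full schema).
SAMPLE_HAR = json.dumps({
    "log": {
        "version": "1.2",
        "creator": {"name": "constructed-sample", "version": "0"},
        "entries": [
            {
                "startedDateTime": "2024-01-10T10:00:00.000Z",
                "time": 120,
                "request": {
                    "method": "POST",
                    "url": "https://api.example.test/v1/register",
                    "headers": [{"name": "User-Agent", "value": "app/1.0"}],
                    "postData": {"mimeType": "application/json",
                                 "text": "{\"device_id\":\"CONSTRUCTED\"}"},
                },
                "response": {
                    "status": 200,
                    "content": {"size": 11, "mimeType": "application/json",
                                "text": "{\"ok\":true}"},
                },
            },
            {
                "startedDateTime": "2024-01-10T10:00:01.000Z",
                "time": 80,
                "request": {"method": "GET",
                            "url": "https://cdn.example.test/config.json",
                            "headers": []},
                "response": {"status": 304,
                             "content": {"size": 0, "mimeType": "application/json"}},
            },
            {
                "startedDateTime": "2024-01-10T10:00:02.000Z",
                "time": 60,
                "request": {"method": "GET",
                            "url": "http://tracker.example.test/ping?id=CONSTRUCTED",
                            "headers": []},
                "response": {"status": 200,
                             "content": {"size": 2, "mimeType": "text/plain", "text": "ok"}},
            },
        ],
    }
})


def load_entries(har_text: str) -> list:
    """Parse a HAR document and return its entries, rejecting anything that is not HAR 1.x."""
    doc = json.loads(har_text)
    log = doc.get("log")
    if not isinstance(log, dict) or not str(log.get("version", "")).startswith("1."):
        raise ValueError("not a HAR 1.x document")
    entries = log.get("entries")
    if not isinstance(entries, list):
        raise ValueError("HAR log has no entries array")
    return entries


def summarize_entry(entry: dict) -> dict:
    """Reduce one entry to the fields an analyst scans first."""
    req, resp = entry["request"], entry["response"]
    url = urlsplit(req["url"])
    post = req.get("postData", {}).get("text", "")
    return {
        "started": entry.get("startedDateTime"),
        "scheme": url.scheme,
        "host": url.hostname,
        "method": req["method"],
        "path": url.path,
        "status": resp.get("status"),
        "mime": resp.get("content", {}).get("mimeType"),
        "req_bytes": len(post.encode("utf-8")),   # body bytes sent by the app
        "resp_bytes": resp.get("content", {}).get("size", 0),
    }


def hosts_contacted(entries: list) -> Counter:
    """Count requests per host: a quick view of which backends the app talks to."""
    return Counter(urlsplit(e["request"]["url"]).hostname for e in entries)


def cleartext_entries(entries: list) -> list:
    """Entries sent over plain HTTP, i.e. readable by anyone on the network path."""
    return [summarize_entry(e) for e in entries
            if urlsplit(e["request"]["url"]).scheme == "http"]


if __name__ == "__main__":
    entries = load_entries(SAMPLE_HAR)
    for s in map(summarize_entry, entries):
        print(f"{s['started']} {s['method']:4} {s['scheme']}://{s['host']}{s['path']} "
              f"-> {s['status']} {s['mime']} ({s['req_bytes']}B up, {s['resp_bytes']}B down)")
    print("hosts:", dict(hosts_contacted(entries)))
    print("cleartext:", [s["host"] for s in cleartext_entries(entries)])
```

Because a HAR file is plain JSON, the same reader works on a capture exported by any tool that follows the 1.2 schema; the `size` field of `response.content` is used for the downloaded byte count because the body text is often omitted or truncated by the capturing tool.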

Next month

We will continue the development of the HAR analyzer. The objective is to release it as a standalone tool and a VueJS library.

📦 US4 - Evidence collection

Efforts will be directed towards the extraction and preservation of artifacts and evidence, particularly those extracted from online content and mobile devices. The system will automatically archive and index various forms of online content such as photos, videos, social media posts, and web pages. Additionally, the capability of saving a watermarked capture or recording of the victim’s phone screen will be added to the PiRogue. In the context of forensic analysis, it is crucial not only to collect potential evidence of a compromise but also to collect its context, such as the attack vector. As an example, retrieving and storing tweets was key in the Citizen Lab investigation on Predator, as was retrieving and storing WhatsApp messages in the Citizen Lab investigation on Tibetan groups being targeted.

Overview of the different activities

  • ✅ Archive and index online content
  • ✅ Take a watermarked capture/recording of the phone screen

Archive and index online content

This month

Colander now includes all the necessary tools to receive, review and convert dropped files into Artifacts. The Colander Companion web extension has been released. The extension is officially signed by Mozilla and available for Firefox on desktop, mobile, and tablet. The tests with WebKit-based browsers were successful. The extension is not published on official add-on marketplaces. The documentation now includes new cookbooks and pages covering the installation and usage of the web content acquisition tools.

Next month

Colander Companion and all related features included in Colander are entering the maintenance phase.

📦 US8 - Colander deployment and administration

In an effort to ease the deployment and administration of Colander servers, functionalities such as importing and exporting entire cases, one-click deployment, and backup and restore tooling and procedures will be implemented, to enhance the overall manageability of the system. We would like to make it easier for end-users to deploy Colander since the deployment procedure described on GitHub can be tricky to follow if one does not have the technical expertise to do so.

Overview of the different activities

  • πŸ” 1-click deployment
  • πŸ” Backup and restore tools

1-click deployment

This month

The deployment of Colander with Ansible is composed of multiple steps. The first deployment requires installing Debian 12 and setting up a Unix user named colander on the target server. One important aspect of this task is to improve the overall security and observability of Colander. The playbook install_docker.yml installs Docker in rootless mode. In anticipation of the work that will be carried out on the migration procedure of Colander, the entire configuration of the stack is generated and saved in a single file that can be encrypted with Ansible Vault. The system administrator can back up this file and reuse it later when migrating Colander from one server to another. The rest of the deployment does not require any special privileges. Although this work is still in progress, we have already published the initial playbooks on GitHub.

Next month

We will continue to work on this.

📦 US100 - Documentation

Documenting the project is key in its usability. We are continuously documenting the different tools and features we develop and build new learning materials to facilitate skills development.

This month

The documentation now includes new cookbooks to cover the installation and usage of the Colander Companion Firefox extension.

Next month

We will continue to improve the project documentation to accurately reflect ongoing changes and updates.

📦 US101 - Maintenance

We manufacture PiRogues to supply organizations, and we take care of their maintenance, which includes OS upgrades, documentation improvements and bug fixes. Regarding Colander and Threatr, we maintain the public Colander server, upgrade dependencies, improve the documentation and fix bugs.

This month

Thanks to a report by the Qurium team, we’ve been able to confirm and fix an issue regarding interface detection in the pirogue-admin package, which shows up when the autodetection runs at install time while the bonding module is loaded. The issue resulted in selecting bonding_masters as the isolated network interface. Because bonding_masters is a file, not a directory, it lacks a uevent and therefore defaults to DevType.ETHERNET, causing the issue. While excluding this name is possible, other similar entries might exist, making a comprehensive list difficult to maintain. Therefore, we propose requiring a type entry in each net_dir (regardless of whether it’s a symlink or directory, as type filtering is complex), as documented in Documentation/ABI/testing/sysfs-class-net.

Version 2.0.6 of the pirogue-admin package fixes this issue.
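The failure mode described above can be reproduced without a real host by building a fake /sys/class/net tree. The following is an added example written for this report, not pirogue-admin's own code: the DevType enum, the function names and the constructed tree are assumptions, and only the classification rule the report describes (missing uevent defaults to Ethernet) is modelled. It shows the naive scan picking up the bonding_masters control file and the fix, requiring a `type` attribute per entry as the sysfs-class-net ABI documents, rejecting it.

```python
"""Network-interface autodetection over /sys/class/net (added example, not pirogue-admin code)."""
import enum
import tempfile
from pathlib import Path


class DevType(enum.Enum):
    # Hypothetical enum; the name only mirrors the DevType.ETHERNET quoted in the report.
    ETHERNET = "ethernet"
    WIRELESS = "wireless"
    OTHER = "other"


def make_fake_sysfs() -> Path:
    """Constructed stand-in for /sys/class/net on a host with the bonding module loaded."""
    root = Path(tempfile.mkdtemp()) / "class" / "net"
    for name, arphrd, uevent in (
        ("eth0", "1", "INTERFACE=eth0\nIFINDEX=2\n"),        # ARPHRD_ETHER
        ("wlan0", "1", "DEVTYPE=wlan\nINTERFACE=wlan0\n"),   # Ethernet framing, wireless DEVTYPE
        ("lo", "772", "INTERFACE=lo\nIFINDEX=1\n"),          # ARPHRD_LOOPBACK
    ):
        (root / name).mkdir(parents=True)
        (root / name / "type").write_text(arphrd + "\n")
        (root / name / "uevent").write_text(uevent)
    # The bonding module adds this control *file* beside the interface directories.
    (root / "bonding_masters").write_text("\n")
    return root


def _read(path: Path):
    """Return file contents, or None when the entry is missing or its parent is not a directory."""
    try:
        return path.read_text()
    except OSError:          # ENOENT, ENOTDIR, ...
        return None


def classify(net_dir: Path) -> DevType:
    """Classify one /sys/class/net entry the way the report describes: no DEVTYPE means Ethernet."""
    arphrd = _read(net_dir / "type")
    if arphrd is not None and arphrd.strip() != "1":
        return DevType.OTHER  # not ARPHRD_ETHER, e.g. loopback
    uevent = _read(net_dir / "uevent") or ""
    attrs = dict(line.split("=", 1) for line in uevent.splitlines() if "=" in line)
    devtype = attrs.get("DEVTYPE")
    if devtype == "wlan":
        return DevType.WIRELESS
    if devtype is None:
        # Plain Ethernet has no DEVTYPE, but a *missing* uevent looks exactly the same.
        return DevType.ETHERNET
    return DevType.OTHER


def ethernet_candidates_naive(root: Path) -> list:
    """Before the fix: every name under net/ is treated as an interface."""
    return sorted(p.name for p in root.iterdir() if classify(p) is DevType.ETHERNET)


def ethernet_candidates_fixed(root: Path) -> list:
    """After the fix: only entries exposing a `type` attribute count as interfaces."""
    return sorted(p.name for p in root.iterdir()
                  if _read(p / "type") is not None and classify(p) is DevType.ETHERNET)


if __name__ == "__main__":
    root = make_fake_sysfs()
    print("naive:", ethernet_candidates_naive(root))   # includes bonding_masters
    print("fixed:", ethernet_candidates_fixed(root))   # eth0 only
```

Pointing the two candidate functions at `Path("/sys/class/net")` on a real host works the same way, since `_read` follows the per-interface symlinks; the `type` check is what separates a network device from any other file the kernel drops into that directory.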

Next month

We will continue the maintenance of the tools and the Debian packages we maintain.

📦 US102 - Community and outreach

Given the success of events, webinars and demos with members of civil society, NGOs and security researchers, we continue with our outreach plan. We organize trainings and demonstration sessions and create spaces for the community to share feedback and request new features via our mailing list, GitHub issues or Discord server. Each month we analyze one Android app that has received the community’s interest (e.g. the COP28 app). The application to be analyzed is chosen by the community. The analysis report is first privately shared with the community and publicly released one month later.

We organize monthly calls open to all members of the community to share project updates and get the community’s feedback.

This month

The PTS community meeting has been postponed to a later date, since it was originally planned during the Christmas holidays. The publication of the next analysis report has been postponed for the same reason. January’s community meeting will happen on Jan. 31 at 2pm CET.

To supplement the traditional feedback form, we are scheduling meetings with each organization utilizing PTS. This approach aims to foster a more interactive and efficient feedback collection process, enabling us to better understand user needs and implement relevant improvements. During the early adoption phase of PiRogue VPN, we directly supported early adopters in Asia and Latin America. It was crucial to assist them during this phase, as they are deploying PiRogue VPN across a diverse range of hosting providers that we hadn’t tested. This phase revealed that PiRogue VPN is incompatible with DigitalOcean.

Next month

We will continue with our recurring activities.