Mobile device forensics & digital investigation

Project overview

PiRogue Tool Suite (PTS) provides a platform combining analysis tools, knowledge management, incident response management and artifact management, which allows civil society organizations with limited resources to equip themselves at a low cost. The project consists of an open-source tool suite that provides a comprehensive mobile device forensics and digital investigation platform.


📢 Announcements

  • Make sure to upgrade your PiRogue to get the latest security patch!
  • The analysis report of the Botim v3.38.1 Android application is now public.
  • The next community meeting will happen on Jun. 27 at 2pm CET.
  • Fill in the form to select the Android app for next month.
  • To ensure we’re meeting your needs and expectations, we kindly ask you to complete a brief feedback form.

🎉 Impacts and results

With the release of Colander v1.2.3, users can better organize their investigations by creating a hierarchy of cases and creating multiple sub-graphs to focus on specific findings. Uploaded artifacts are now automatically analyzed: their text content (if any) is extracted with OCR and their metadata is parsed to reveal information such as geolocation. The decryption of TLS traffic has improved, and the decrypted traffic is now saved in a HAR file which, like any other HAR, can be opened directly in Colander. Talking about interoperability, it’s now possible to import CSV files!

📒 Activity report

You can find more details about the different activities in the project roadmap.

📦 US2 - Better knowledge management

A significant improvement involves refining knowledge organization and representation within Colander. This includes establishing a hierarchical structure for cases, where parent cases inherit from child cases, to ease the management of extensive investigations. Furthermore, Colander will support the creation of multiple graphs within a single case, allowing diverse projections of a subset of the case knowledge graph. Thumbnails on graph nodes will make investigations easier to follow by showing pictures directly on the graph.

Overview of the different activities

  • ✅ Create a hierarchy of cases
  • ✅ Create multiple graphs
  • ✅ Add thumbnails on graph nodes
  • ✅ Batch import of knowledge
  • ✅ Feature request: bulk add of observables

Create a hierarchy of cases

This month

Colander now supports the creation of a hierarchy of cases, allowing zero or one parent case per case. The user interface has been redesigned to highlight the case hierarchy, if any.

This feature has been released in Colander v1.2.3.

Next month

Nothing, as this task is now complete.

Create multiple graphs

This month

This feature has been released in Colander v1.2.3.

Next month

Nothing, as this task is now complete.

Batch import of knowledge

This month

Colander now allows the user to load a CSV file and import each row as an entity. This feature has been released in Colander v1.2.3.

Next month

Nothing, as this task is now complete.

📦 US3 - Interoperability

The project seeks to enhance interoperability by enabling the import and export of knowledge in industry-standard formats. This includes batch importing of knowledge, data interchange in MISP format, and support for user-defined templates to generate custom knowledge feeds. PTS users must have the freedom to move their data and findings to and from other tools such as OpenCTI or MISP.

Overview of the different activities

  • ๐Ÿ” Import and export cases
  • ๐Ÿ” Import and export knowledge from/to MISP format
  • ๐Ÿ” Support user-defined templates to generate custom feeds
  • โœ… Use HAR to store the decrypted network traffic

Use HAR to store the decrypted network traffic

This month

The decryption of the traffic captured during a PiRogue experiment now produces a HAR file containing the decrypted traffic. This HAR can be opened directly with Colander. This feature has been released in Colander v1.2.3.

Next month

Nothing, as this task is now complete.

📦 US5 - Offline artifact analysis

To bolster security and guarantee a sufficient level of confidentiality, Colander will allow the offline analysis of artifacts using antivirus software and user-defined Yara rules. In the context of forensic analysis, being able to analyze extracted files locally, without relying on third-party services, is crucial to preserving case confidentiality.

Overview of the different activities

  • ๐Ÿ” Offline artifact AV analysis
  • ๐Ÿ” Offline artifact analysis with user-defined Yara rules
  • โœ… Offline artifact analysis with Apache Tika

Offline artifact analysis with Apache Tika

This month

We have improved the offline analysis of artifacts. Colander now automatically analyzes uploaded artifacts with Apache Tika by invoking Mandolin. This analysis supports more than 200 file formats; it extracts text content, using OCR when necessary, and extracts file metadata including location information. This feature has been released in Colander v1.2.3.

Next month

Nothing, as this task is now complete.

📦 US100 - Documentation

Documenting the project is key to its usability. We continuously document the different tools and features we develop and build new learning materials to facilitate skills development.

This month

We’ve updated the documentation’s installation steps for PiRogue to reflect recent changes, particularly after resolving the default SSH credentials issue.

Next month

We will continue to improve the project documentation to accurately reflect ongoing changes and updates.

📦 US101 - Maintenance

We manufacture PiRogues to supply organizations and take care of their maintenance, which includes OS upgrades, documentation improvements and bug fixes. Regarding Colander and Threatr, we maintain the public Colander server, upgrade dependencies, improve the documentation and fix bugs.

This month

A user preference system has been implemented, which allows the user to pin sub-graphs. Many other minor UI and UX fixes and enhancements have been made, including visual hints representing the case hierarchy and an improvement to the graph editor that fixes the rendering differences between WebKit and Gecko.

MVT

We have upgraded MVT, which is now available in version 2.6.0.

Frida

We initially published versions 16.7.13, 17.0.1, and 17.0.5. Our users were facing issues with the latest version, so we have decided to unpublish the 17.0.* versions until the problem has been investigated.

If you are experiencing issues with Frida, make sure to downgrade to version 16.7.13 with the command sudo apt install frida=16.7.13~pirogue1.

pcapng-utils

We have released version 1.0.9 of pcapng-utils to improve the support of IPv6 and the handling of HTTP/2 compressed multi-stream data.

Mandolin

We have released version 1.0.2 of Mandolin and its Python client to reduce the number of Docker layers, fix the improper handling of small sizes, and increase the timeout of requests to Apache Tika.

Next month

We will continue the maintenance of the tools, the Debian packages we maintain and the Colander ecosystem.

📦 US102 - Community and outreach

Given the success of events, webinars and demos with members of civil society, NGOs and security researchers, we continue with our outreach plan. We organize trainings and demonstration sessions, and create spaces for the community to share feedback and request new features via our mailing list, GitHub issues or Discord server. Each month we analyze one Android app that has received the community’s interest (e.g. the COP28 app). The application to be analyzed is chosen by the community. The analysis report is first privately shared with the community and publicly released one month later.

We organize monthly calls open to all members of the community to share project updates and get the community’s feedback.

This month

The analysis report of the Botim v3.38.1 Android application has been published.

The PTS community meeting took place on May 30. It was a great opportunity to present the latest release of Colander. The next one will happen online on Jun. 27 at 2pm CET.

To expand our reach, we began announcing community meetings on other platforms like IFF Mattermost.

Next month

We will continue with our recurring activities.

📦 US103 - Governance

This month

The recent US aid cuts mean that our primary avenues for support are diminishing rapidly, placing the continued development, maintenance, and user support for PTS in jeopardy. We are working tirelessly behind the scenes, exploring every possible avenue to secure alternative and sustainable funding as quickly as possible. We are actively engaging with potential new partners and grant opportunities. However, the landscape is competitive, and the timeline for securing such support is often lengthy and uncertain. While we are doing our utmost to navigate this period and find new financial backing, the future remains precarious. If PTS is a valuable asset in your work, if it helps you conduct crucial investigations, research, or defend digital rights, we now earnestly ask for your support.

We are continuing the implementation of the working plan with The Engine Room.

We’ve followed up with potential partners to explore different hosting options for our users.

Next month

We will submit a proposal to the Spyware Accountability Initiative.

We will continue with our recurring activities.

List of changes

piroguetoolsuite.github.io

  • @Esther #eefb59c Add short demo videos of Colander
  • @Esther #ac87efc Refine PiRogue installation steps in documentation.
  • @eq #6ed7bce Add draft for Botim Analysis
  • @Esther #8ce52d1 Make it a bit more responsive
  • @Esther #b7698ac Update the landing page
  • @Esther #8afda99 Monthly report

colander

  • @Christophe Andral #c1d71b8 Fix comment list and form UI.
  • @Esther #c81ad58 Add functionality to generate HAR files from PiRogue experiments
  • @Esther #a979ecc Slightly improve the UI
  • @Esther #7e151af Add methods to retrieve Elasticsearch index IDs for artifacts and traffic data
  • @Christophe Andral #86d9f8c User preferences foundation and pin/unpin SubGraphs features.
  • @Christophe Andral #84a7eaf Minor database migration script (descriptions and django stuffs)
  • @Christophe Andral #f0f491c Fix Webkit/Gecko graph node size mismatches.
  • @Christophe Andral #6a18e8d Fix UI feedback Case accessibility rights
  • @Christophe Andral #db6dd64 Harmonize thumbnail size
  • @Esther #9dc955f Use Mandolin to automatically generate the thumbnail of pictures
  • @Esther #4f47f35 A bit of cleanup and error logging
  • @Esther #c0c289c Add pcapng-utils dependency
  • @Esther #22afdbf Update mandolin-python-client to version >= 1.0.2
  • @Esther #e9c4d29 Remove useless button in the CSV importer
  • @Christophe Andral #4d6d186 Foundation for PiRogueToolSuite/project-management#8
  • @Christophe Andral #f3f1ddb Fix documentation toggler position
  • @Esther #cbdd33e Don’t set the extra attributes when not supported by the model
  • @Esther #80fd495 Move the import of entities to another REST endpoint
  • @Esther #a01eeac Import entities from CSV files
  • @Esther #8f37e31 Display a world map showing the location extracted from an artifact
  • @Esther #ab4fca1 Change the default size of the HAR viewer
  • @Esther #40817ec Set a longer timeout for Mandolin
  • @Esther #fb4cfdd WIP: import CSV file
  • @Esther #e0e1e25 Force the maximum size of artifact overview
  • @Esther #bb66708 Add a geographic map Vue component
  • @Esther #5c68513 Enable Mandolin in dev environment
  • @Esther #31a3614 Remove the magnifier icon
  • @Esther #be9a9a9 Rework the display of the thumbnails

debian-12

  • @Esther #fe4a1cf Delete incompatible versions of Frida
  • @Esther #94f09e6 Merge pull request #24 from PiRogueToolSuite/frida-17.0.5
  • @Cyril Brulebois #57a3f08 Publish frida packages.
  • @Cyril Brulebois #ef2372c Bump frida packages to 17.0.5 upstream.
  • @Esther #7a5db36 Release pirogue-admin v1.0.10
  • @Esther #2f0be4e Merge #23
  • @Cyril Brulebois #80e347e Bump mvt to 2.6.0 upstream.
  • @Esther #3a5206f Merge pull request #22 from PiRogueToolSuite/frida-17.0.1
  • @Cyril Brulebois #ad77609 Publish frida packages.
  • @Cyril Brulebois #12ae304 Bump frida packages to 17.0.1 upstream.
  • @Esther #630171d Merge pull request #21 from PiRogueToolSuite/frida-16.7.13
  • @Esther #6f33386 Release pcapng-utils v1.0.9
  • @Esther #fadd8f1 Release pirogue-admin v2.0.9

pirogue-admin

  • @Cyril Brulebois #e552ee7 Make tag able to tag old releases.
  • @Esther #10e4961 Force the update of the external networks when the external IP address has changed
  • @Esther #e03f37b Redeploy the entire configuration when the external IP address has changed

deb-frido

  • @Cyril Brulebois #cec9d74 Add a note regarding repository indices.
  • @Cyril Brulebois #723e2d7 Sync the suite directory explicitly.
  • @Cyril Brulebois #20600f0 Document how to clean up old releases.

pcapng-utils

  • @Esther #5627cd6 Update the changelog
  • @Etienne Maheux #ed18116 Prepare for 1.0.9 release
  • @Etienne Maheux #f2d1fa8 Properly handle IPv6
  • @Etienne Maheux #f3ad820 CLI: flag to output tshark raw JSON + improve README (caveat regarding HTTP/2 compressed multi-stream data for tshark < 4.2)

mandolin-python-client

  • @Esther #d204b83 Clean up
  • @Esther #2382555 Automatic generation of the client for the version 1.0.2 of Mandolin

mandolin

  • @Esther #650c158 Prepare the version 1.0.2
  • @Esther #178e47e Specify a return type to the thumbnail converter