The Risk of Rooting
October 26, 2010 by Lee Whitfield
Filed under Technical Articles
If I were to say the name ‘Linus’ and your first reaction is ‘Torvalds’ then you are a monumental geek. You make me proud. If you thought ‘Peanuts’ then you’re still a geek, just not quite as serious a case.
Linus, from the Peanuts comic strip, used to keep a tight grip of his security blanket. If anything ever happened to said blanket he would go, somewhat, off the deep end. He felt like his world was ending and that nothing could ever make the world feel safer.
Passwords and keys are the grown-up versions of security blankets.
We carry our phones everywhere, regardless of their content. Our phones may contain confidential emails, embarrassing pictures and videos (such as this one… http://www.youtube.com/watch?v=vT1CVFaNEbA), and they may even hold our deepest, darkest secrets; things that we would never want others to uncover. Thankfully we password protect our phones so that no-one else can find out. Sadly these security blankets can often have large holes.
Typically, to gain access to an Android phone someone would need direct access to the phone, hope there was no passcode/pattern lock, and turn on USB Debugging in the settings. This allows the user to gain access to the Android Development Bridge (adb). Once a user has access to this part of your phone all bets are off as your device can then be exploited and all data be pulled down onto a computer. The easy way to stop this? Lock your phone so no one else can access the contents. It is very difficult to bypass a lock on an Android device, especially on devices using 2.0 and up. However, if you like to tinker with your phone, root it, and install custom firmware you are playing with fire.
I rooted my phone a few weeks back so that I could get the Froyo upgrade (2.2) before T-Mobile got to it and took out all of the good stuff. I downloaded an exploit package that allowed me to easily replace the phone’s recovery image, making it possible to install a ‘cooked’ rom. After some experimentation I discovered that the new ‘recovery’ allowed me to gain adb access without ever booting into the operating system. In turn I was able to mount the ‘data’ portion of the phone and download all the contents to my computer. I then turned the phone back on and, voilà, the lock screen appeared as if nothing had happened.
Back at my computer I started to look at the extracted data. I found my text messages, phone logs, calendar items, email messages, Facebook and Twitter updates, internet history, and the list goes on. I was also able to find both the SSID and the key to any wireless network to which my phone had been associated. This not only meant that my own home network was potentially compromised, but my work network too! My whole life was laid bare for anyone to see, assuming they could get the phone away from me. Bad? Yes but not the end of the world because my private life really isn’t that interesting. However, if my phone bill suddenly tripled or quadrupled I could be in trouble!
I found that turning off the screen lock is a straightforward process that takes only a couple of minutes once access to the phone has been established. Full access to my phone is there for anyone that can lay their hands on my phone, all because I rooted it. Yes, I was the weak link in the phone’s security, not Google. If I hadn’t rooted my phone then the process of retrieving the data becomes infinitely more difficult.
The other difficulty is that locking your phone isn’t going to stop anyone from simply popping out the memory card and walking away with your photographs and videos. Android still doesn’t have a way of encrypting the memory card so that it can’t be used elsewhere. Another potential hole in the security blanket.
What have I done now? I’ve gone to the stock HTC Rom for my HTC Desire. This allows me to get the latest OS upgrades first and overwrites the modified recovery with the standard, non-adb, version. Would I recommend everyone else do the same? It’s entirely up to you.
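To check on your own handset whether the recovery image still answers adb, boot it into recovery, connect it over USB and classify what `adb devices` reports. The block below is an added example, not part of the original post; the sample output and serials are constructed, and `classify_adb_devices` and `live_adb_output` are hypothetical helper names.

```python
import subprocess

# Constructed sample of `adb devices -l` output (serials are made up).
SAMPLE = (
    "* daemon not running; starting now at tcp:5037\n"
    "* daemon started successfully\n"
    "List of devices attached\n"
    "HT0EXAMPLE01\trecovery\n"
    "HT0EXAMPLE02\tunauthorized\n"
    "HT0EXAMPLE03\tdevice usb:1-1 product:sample model:Sample\n"
)

# States in which adbd on the handset is answering this computer.
# "recovery" is the case from the post: adb reachable before the OS
# (and its lock screen) has ever started.
EXPOSED_STATES = {"device", "recovery"}


def classify_adb_devices(output):
    """Hypothetical helper: map serial -> (state, exposed) from adb text."""
    results = {}
    for line in output.splitlines():
        line = line.strip()
        # Skip blanks, the banner and adb daemon start-up messages.
        if not line or line.startswith(("List of devices", "*")):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        serial, state = fields[0], fields[1]
        if state == "no":  # "no permissions ..." is a host-side USB error
            state = "no permissions"
        results[serial] = (state, state in EXPOSED_STATES)
    return results


def live_adb_output():
    """Run the real `adb devices -l`; requires the Android platform tools."""
    return subprocess.run(["adb", "devices", "-l"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # Swap SAMPLE for live_adb_output() with your own phone in recovery.
    for serial, (state, exposed) in classify_adb_devices(SAMPLE).items():
        verdict = "adb reachable" if exposed else "not reachable"
        print(f"{serial}: {state} -> {verdict}")
```

A handset that shows up as `recovery` here is in the condition the post describes; one that does not appear at all while in recovery is running a recovery without adb.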
Also, for those iPhone users laughing at the ‘poor security’ of Android phones take a look at the link below. I guarantee you’ll hold on to your iPhone a little tighter in the future. http://www.engadget.com/2010/10/25/ios-4-1-glitch-lets-you-bypass-lock-screen-to-access-phone-app/
Getting into Digital Forensics (in the UK)
October 19, 2010 by Lee Whitfield
Filed under Uncategorized
There is one question that is asked time and time again. “How do I get into digital forensics?”
I find that I’m answering this question several times a week at the moment so I thought rather than writing the same reply to each email or forum post that I would just write a small post. Most of this comes from an email that I sent to one such inquirer last week. Hope someone finds this useful.
I work for Disklabs in the midlands but I’ve previously worked for CY4OR and Zentek. The December before I graduated I started calling as many forensic companies as I could find, asking them if they hired graduates. I managed to get an interview with CY4OR and they took me on just a few days after my final exam at University. I’m not saying that this is the right approach but it worked for me. My brother was on the exact same course at university. We both got comparable grades but he waited to look for a job until after graduation. If memory serves correctly it took more than a year, and a heck of a lot of miles, to find a forensics job.
Sadly, at the moment, the picture is looking grim. The tender for the Metropolitan Police is going to be announced soon and, as this is a very lucrative contract, most companies are not hiring in case they do not win the contract. Also many police forces have stopped outsourcing work due to budget cuts. This has seriously impacted the field. I know of several companies that have ceased trading in the last year or so because there is simply not enough work to keep them afloat. The outcome of this is that there is a surplus of experienced, qualified forensic investigators in the field who are all looking for work. One company that I know advertised for a single position and had something like 10 applications within an hour of posting the position. That is how desperate the situation is at the moment.
I know of a few people who graduated last year and are still looking for their first job in the field, and these are people who are quite well connected to others in the field through Twitter, Facebook, and the like. But I believe that if you excel and you know what you’re doing you should be able to get a start somewhere. The problem is making yourself more appealing to a potential employer. My best advice is to get some training. Finish your degree but don’t just stop there. Find a way to pay for an EnCase passport and attend their courses. If you do that it means that you know how to use the software and can go straight into a job and start working right away without the company having to spend money training you. Anything you can do to help a potential employer save money will be in your favour and, if you can do the work you already have won half the battle. I would even suggest going to a local forensic company or police force and asking if you can volunteer your time there for free while you finish university. If you offer to work for free I don’t know many people that would turn you down and it would give you some much needed experience. Also, if you prove yourself to be good at the job they’ll be more likely to hire you once your degree is over.
Also, do something extraordinary. Write a paper about something new, get noticed. Write a blog. Connect with people on Twitter. Get involved in the community. By doing this you will gain respect and trust from your future peers. Don’t do a podcast though, I’ve got enough competition as it is.
One thing you have to bear in mind is that you have to be prepared to move to work, potentially a large distance. Don’t limit yourself to a single geographical area because there aren’t that many forensic companies anyway. Maybe even look abroad.
I realise that you might read this and become depressed. Sadly things really aren’t great at the moment in the field. They might improve in the future but there’s no harm in doing everything I’ve mentioned anyway.
Finally David Sullivan specialises in recruitment for forensics companies. He’s written a blog post on Forensic Focus about finding a job. It’s here: http://www.forensicfocus.com/david-sullivan

