BATTLEFIELD DIGITAL FORENSICS
security for smartphones are described in [24]. These kinds of scenarios can be based on various techniques such as attaching wireless (Bluetooth, RFID, etc.) proximity tags,²⁸ for example to the clothes of the user. The purpose of such tags is commonly to find things or to raise an alarm, for example if the smartphone or wallet is forgotten, stolen or dropped. Some tags are in the form of wearable wireless wristlet bands. It is possible to set up a system in which working on a PC is only possible if a certain tag is also present. In normal enterprise security, this would add one factor to authentication, but in special operations, the enemy might want to use the same technique to protect their information. In more advanced scenarios, heart rate monitors could be wirelessly connected to the devices in use. The system could be configured so that if the heartbeat is no longer tracked, the device would, for example, shut down or encrypt its content. The same would happen if the device were captured (without the user) or if the user were removed from the PC.
Recommendation: Check the number of wireless connections and devices with specific equipment²⁹ (scan and identify).
    o Existing tools can be used to detect the number of networks and devices; however, there seem to be no automated tools specifically meant for detecting booby-traps or kill-switches. For this, specific custom tools will be needed.
Recommendation: Mark devices with wireless connections (document).
Recommendation: Check if the enemy is wearing, or if there are any loose, small wireless tags or wristbands (scan and identify). If there are, extra caution is required. All such items, their connections and the connected devices should be documented (document). Captured items should be kept in proximity to the connected, captured devices (secure).
    o One approach is to test with one device/user pair whether something strange happens when their distance is increased (identify). The same applies to security badges.
Recommendation: Check if the enemy wears heart rate monitors that are possibly connected to other devices to be captured (scan and identify). Mark such items (document). Items should be worn by the same person who captures the actual device (secure).
    o It is worth noting that it might not be possible to remove the heart rate monitor until after returning from the special operation.
7.6.2 USBKill
This section describes USBKill,³⁰ an anti-forensics kill-switch that waits for a change on a computer's USB ports and then immediately shuts the computer down. If USBKill is running, removing any USB device such as a flash drive, mouse or keyboard from the computer, or inserting a new (non-whitelisted) USB device, causes the computer to execute the configured commands and shut itself down. It is impossible to know during the strike what programs have been installed on the computers, or what USBKill would do if it is currently running.
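To make the trigger conditions just described concrete for a seizure team, the following added example (not part of the report or of the usbkill project) applies the stated rule to constructed lsusb-style snapshots: any removal fires, and an insertion fires unless the device's vid:pid is on a whitelist. The device IDs, the whitelist and the function names are assumptions.

```python
import re

# Regex for the line format printed by `lsusb`, e.g.
# "Bus 001 Device 002: ID 046d:c52b Logitech, Inc. Unifying Receiver"
LSUSB_RE = re.compile(r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-f]{4}:[0-9a-f]{4})")

# Constructed sample snapshots (assumed device IDs, not taken from the report).
BASELINE = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 046d:c52b Logitech, Inc. Unifying Receiver
Bus 001 Device 003: ID 0781:5567 SanDisk Corp. Cruzer Blade
"""
# Same machine after the mouse receiver has been unplugged.
MOUSE_UNPLUGGED = "\n".join(l for l in BASELINE.splitlines() if "046d:c52b" not in l)
# Same machine after an extra flash drive has been inserted.
STICK_INSERTED = BASELINE + "Bus 001 Device 004: ID 0951:1666 Kingston Technology DataTraveler 100 G3\n"

def parse_lsusb(output: str) -> set:
    """Return the set of (bus, device, vid:pid) tuples found in lsusb-style text."""
    devices = set()
    for line in output.splitlines():
        m = LSUSB_RE.match(line.strip())
        if m:
            devices.add(m.groups())
    return devices

def usbkill_trigger(before: set, after: set, whitelist: set) -> list:
    """Apply the rule stated in the text: removing any device fires the switch,
    and inserting a device fires it unless its vid:pid is whitelisted.
    Returns the list of reasons; an empty list means the switch stays quiet."""
    reasons = []
    for bus, dev, vidpid in sorted(before - after):
        reasons.append(f"removed {vidpid} (bus {bus} device {dev})")
    for bus, dev, vidpid in sorted(after - before):
        if vidpid not in whitelist:
            reasons.append(f"inserted non-whitelisted {vidpid} (bus {bus} device {dev})")
    return reasons

def assess_scenarios(whitelist: set) -> dict:
    """Evaluate the three constructed seizure scenarios against one whitelist."""
    base = parse_lsusb(BASELINE)
    return {
        "untouched": usbkill_trigger(base, base, whitelist),
        "mouse_unplugged": usbkill_trigger(base, parse_lsusb(MOUSE_UNPLUGGED), whitelist),
        "stick_inserted": usbkill_trigger(base, parse_lsusb(STICK_INSERTED), whitelist),
    }
```

Note that with the rule as stated there is no safe way to unplug anything: only leaving the ports untouched, or inserting a device the owner happened to whitelist, keeps the switch quiet.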
Recommendation: If any devices that are attached to fixed solid objects (such as tables or walls) via wires going to their USB ports are discovered (identify), extra caution should be taken when touching (document) and seizing them (secure).
Recommendation: If any enemy is holding, or is attached to (for example via wristbands or handcuffs), devices (mouse, USB flash drive) that are connected to computers (scan and identify), extra caution should
²⁸ Various Bluetooth tags exist, such as BluTracker, Bringrr & BringTags, Chipolo, Estimote Beacon, F-Secure Buddy, Find'Em Tracking, Gecko, Guardian, PebbleBee, PROTAG Elite, StickNFind, Tile, Linquet, Locca, Lupo, TrackR, Wallet TrackR, and XY Find-It.
²⁹ Open source tools such as NirSoft's BluetoothView can detect Bluetooth devices. Various commercial network monitoring solutions exist.
³⁰ Source code and more information about USBKill can be found at https://github.com/hephaest0s/usbkill.