Video Baby Monitor Repair Uncovers Private Data

As the name of the channel implies, [BuyItFixIt] likes to pick up cheap gadgets that are listed as broken and try to repair them. It’s a pastime we imagine many Hackaday readers can appreciate, because even if you can’t get a particular device working, you’re sure to at least learn something useful along the way.

But after recently tackling a VTech video baby monitor from eBay, [BuyItFixIt] manages to do both. He starts by opening up the device and going through some general electronics troubleshooting steps. The basics are very much worth following along with if you’ve ever wondered how to approach a repair when you don’t know what the problem is. He checks voltages, makes sure various components are in spec, determines if the chips are talking to each other with the oscilloscope, and even pulls out the thermal camera to see if anything is heating up. But nothing seems out of the ordinary.

The scope uncovers some serial data.

While poking around with the oscilloscope, however, he did notice what looked like the output of a serial debug port. Sure enough, when connected to a USB serial adapter, the camera’s embedded Linux operating system started dumping status messages into the terminal. But before it got too far along in the boot process, it crashed with a file I/O error — which explains why the hardware all seemed to check out fine.

Now that [BuyItFixIt] knew it was a software issue, he started using the tools built into the camera’s bootloader to explore the contents of the device’s flash chip. He uncovered the usual embedded Linux directories, but when he peeked into one of the partitions labeled Vtech_data2, he got a bit of a shock: the device seemed to be holding dozens of videos. This is particularly surprising considering the camera is designed to stream video to the parent unit, and the fact that it could record video internally was never mentioned in the documentation.


Sly Guy Nabs Pi Spy

When one of [Christian Haschek’s] co-workers found this Raspberry Pi tucked into their network closet, he figured it was another employee’s experiment – you know how that goes. But, of course, they did the safe thing and unplugged it from the network right away. The ensuing investigation into what it was doing there is a tour de force in digital forensics and a profile of a bungling adversary.

A quick check of everyone with access to that area turned up nothing, so [Christian] shifted focus to the device itself. There were three components: a Raspberry Pi model B, a 16GB SD card, and an odd USB dongle that turned out to be an nRF52832-MDK. The powerful SoC on-board combines a Cortex M4 processor with the RF hardware for BLE, ANT, and other 2.4 GHz communications. In this case, it may have been used for sniffing WiFi or Bluetooth packets.

The next step was investigating an image of the SD card, which turned out to be a resin install (now called balena). This is an IoT web service that allows you to collect data from your devices remotely via a secure VPN. Digging deeper, [Christian] found a JSON config file containing a resin username. A little googling provided the address of a nearby person with the same name – but this could just be coincidence. More investigation revealed a copyright notice on some mysterious proprietary software installed on the Pi. The copyright holder? A company part-owned by the same person. Finally, [Christian] looked into a file called resin-wifi-01 and found the SSID that was used to set up the device. Searching this SSID on wigle.net turned up – you guessed it – the same home address found from the username.

But how did this device get there in the first place? Checking DNS and RADIUS logs, [Christian] found evidence that an ex-employee with a key may have been in the building when the Pi was first seen on the network. With this evidence in hand, [Christian] turned the issue over to legal, who will now have plenty of ammunition to pursue the case.

If you find the opportunity to do some Linux forensics yourself, or are simply interested in learning more about it, this intro by [Bryan Cockfield] will get you started.

Recovering Photos With PhotoRec


A coworker approached us today with a corrupted SD card. It was out of her digital camera, and when plugged in, it wasn’t recognized. This looked like the perfect opportunity to try out [Christophe Grenier]’s PhotoRec. PhotoRec is designed to recover lost files from many different types of storage media. We used it from the command line on OSX, but it works on many different platforms.

It’s a fairly simple program to use. We plugged in the card and launched PhotoRec. We were prompted to select which volume we wanted to recover. We selected “Intel” as the partition table. PhotoRec didn’t find any partitions, so we opted to search the “Whole disk”. We kept the default filetypes. It then asked for filesystem type where we chose “Other” because flash is formatted FAT by default. We then chose a directory for the recovered files and started the process. PhotoRec scans the entire disk looking for known file headers. It uses these to find the lost image data. The 1GB card took approximately 15 minutes to scan and recovered all photos. This is really a great piece of free software, but hopefully you’ll never have to use it.
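The header-scanning idea described above, as an added Python sketch (not PhotoRec's code, and much simpler than its real logic): it tests each sector boundary for the JPEG start marker, then walks the marker structure to find the true end, so the end marker of a thumbnail embedded in the metadata does not truncate the recovered file. The sample disk image is constructed and the function names are illustrative.

```python
SECTOR = 512  # files normally start on a sector boundary, so only those are tested

def jpeg_length(buf, start):
    """Walk JPEG markers from `start`; return the file length, or None if invalid."""
    if buf[start:start + 3] != b"\xff\xd8\xff":       # SOI followed by another marker
        return None
    pos = start + 2
    while pos + 2 <= len(buf):
        if buf[pos] != 0xFF:
            return None                               # lost marker sync: not a JPEG
        marker = buf[pos + 1]
        if marker == 0xD9:                            # EOI: the real end of the image
            return pos + 2 - start
        if marker == 0xFF or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 1 if marker == 0xFF else 2         # fill byte / marker with no length
            continue
        seglen = int.from_bytes(buf[pos + 2:pos + 4], "big")
        if pos + 4 > len(buf) or seglen < 2:
            return None
        pos += 2 + seglen                             # skip segment (and any thumbnail in it)
        while marker == 0xDA:                         # SOS: entropy-coded scan data follows
            pos = buf.find(b"\xff", pos)
            if pos == -1 or pos + 1 >= len(buf):
                return None                           # ran off the end: truncated file
            if buf[pos + 1] == 0x00 or 0xD0 <= buf[pos + 1] <= 0xD7:
                pos += 2                              # stuffed 0xFF byte or restart marker
            else:
                break                                 # a real marker; outer loop handles it
    return None

def carve_jpegs(image, sector=SECTOR):
    """Return [(offset, data)] for every structurally valid JPEG found in `image`."""
    hits, off = [], 0
    while off < len(image):
        n = jpeg_length(image, off)
        if n:
            hits.append((off, image[off:off + n]))
        off += -(-(n or 1) // sector) * sector        # jump to the next sector boundary
    return hits

def sample_image():
    """Constructed 12-sector image: two synthetic JPEG-structured blobs in zero fill."""
    img = bytearray(12 * SECTOR)
    for sec, scan in ((3, b"A" * 700), (8, b"B" * 40)):
        app1 = b"\xff\xe1\x00\x06\xff\xd8\xff\xd9"    # APP1 segment holding a "thumbnail"
        blob = b"\xff\xd8" + app1 + b"\xff\xda\x00\x02" + scan + b"\xff\x00\xff\xd9"
        img[sec * SECTOR:sec * SECTOR + len(blob)] = blob
    return bytes(img)

if __name__ == "__main__":
    for offset, data in carve_jpegs(sample_image()):
        print(f"JPEG at byte {offset}, {len(data)} bytes")
```

This only recovers files stored contiguously; a fragmented file would need more than a header walk to reassemble.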