Sly Guy Nabs Pi Spy

When one of [Christian Haschek’s] co-workers found this Raspberry Pi tucked into their network closet, he figured it was another employee’s experiment – you know how that goes. But, of course, they did the safe thing and unplugged it from the network right away. The ensuing investigation into what it was doing there is a tour de force in digital forensics and a profile of a bungling adversary.

A quick check of everyone with access to that area turned up nothing, so [Christian] shifted focus to the device itself. There were three components: a Raspberry Pi Model B, a 16GB SD card, and an odd USB dongle that turned out to be an nRF52832-MDK. The Nordic nRF52832 SoC on board pairs a Cortex-M4 core with a 2.4 GHz radio for BLE, ANT and proprietary protocols. It has no WiFi radio, so in this case it may have been used for sniffing Bluetooth or other 2.4 GHz traffic rather than WiFi.

The next step was investigating an image of the SD card, which turned out to be a resin install (now called balena). This is an IoT fleet-management service that lets you push software to remote devices and reach them over a VPN. Digging deeper, [Christian] found a JSON config file containing a resin username. A little googling turned up the address of a nearby person with the same name, but that alone could be coincidence. More investigation revealed a copyright notice in some mysterious proprietary software installed on the Pi. The copyright holder? A company part-owned by the same person. Finally, [Christian] looked into a file called resin-wifi-01 and found the SSID used to set up the device. Searching for this SSID on wigle.net turned up, you guessed it, the same home address found from the username.
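The file-system side of that investigation, as an added example and not [Christian]'s own scripts: a Python triage pass over a read-only mount of the SD card image that pulls exactly the pivots the write-up used (an account name from a JSON config, an SSID from the WiFi profile, copyright strings from installed binaries) and hashes each file that yielded one so the finding can be cited later. The file names and formats are assumptions: a config.json carrying a "username" key, and resin-wifi-01 as a NetworkManager keyfile with an ssid= line under [wifi]. The sample tree is constructed inline, so the script runs offline.

```python
"""Triage of a mounted (read-only) balena/resin SD-card image: pull the
identifiers an investigator can pivot on (account name, WiFi SSID,
copyright notices) and hash each file that yielded one.

Added example, not part of the original investigation. Layout assumptions:
config.json with a top-level "username" key; NetworkManager keyfiles
named resin-wifi* with an ssid= entry under [wifi]."""
import configparser
import hashlib
import json
import re
import tempfile
from pathlib import Path

# An ASCII copyright line in any file, text or binary, up to the line/NUL end.
COPYRIGHT_RE = re.compile(rb"Copyright[ \t]*(?:\(c\)|\xc2\xa9)?[^\x00\r\n]{0,100}", re.IGNORECASE)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _record(root: Path, path: Path, value: str) -> dict:
    return {"path": path.relative_to(root).as_posix(), "value": value, "sha256": sha256_file(path)}


def find_usernames(root: Path) -> list:
    """Any JSON document with a string "username" at top level."""
    hits = []
    for path in sorted(root.rglob("*.json")):
        try:
            doc = json.loads(path.read_text(encoding="utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue  # not parseable JSON: skip it, do not abort the triage
        if isinstance(doc, dict) and isinstance(doc.get("username"), str):
            hits.append(_record(root, path, doc["username"]))
    return hits


def find_ssids(root: Path) -> list:
    """SSIDs from NetworkManager keyfiles (assumed format of resin-wifi-01)."""
    hits = []
    for path in sorted(root.rglob("resin-wifi*")):
        if not path.is_file():
            continue
        cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
        try:
            cp.read_string(path.read_text(encoding="utf-8"))
        except (UnicodeDecodeError, configparser.Error):
            continue
        if cp.has_option("wifi", "ssid"):
            hits.append(_record(root, path, cp.get("wifi", "ssid")))
    return hits


def find_copyrights(root: Path) -> list:
    """Copyright strings in every regular file, including binaries."""
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        for m in COPYRIGHT_RE.finditer(path.read_bytes()):
            hits.append(_record(root, path, m.group(0).decode("utf-8", "replace").strip()))
    return hits


def triage(root) -> dict:
    root = Path(root)
    return {"usernames": find_usernames(root), "ssids": find_ssids(root),
            "copyrights": find_copyrights(root)}


def build_sample_image(root) -> Path:
    """Constructed stand-in for the mounted card; every value is made up."""
    root = Path(root)
    (root / "config.json").write_text(json.dumps(
        {"applicationName": "pi-probe", "username": "constructed_user", "deviceType": "raspberry-pi"}))
    sc = root / "system-connections"
    sc.mkdir()
    (sc / "resin-wifi-01").write_text(
        "[connection]\nid=resin-wifi-01\ntype=wifi\n\n[wifi]\nmode=infrastructure\n"
        "ssid=CONSTRUCTED-HOME-SSID\n\n[wifi-security]\nkey-mgmt=wpa-psk\npsk=not-a-real-psk\n\n"
        "[ipv4]\nmethod=auto\n")
    vendor = root / "opt" / "vendor"
    vendor.mkdir(parents=True)
    (vendor / "agent").write_bytes(  # fake ELF-ish blob with an embedded copyright string
        b"\x7fELF\x02\x01\x01" + bytes(16) + b"Copyright (c) 2018 Example Embedded GmbH\x00" + b"\x90" * 8)
    return root


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_image(tmp))


if __name__ == "__main__":
    for kind, hits in run_demo().items():
        for h in hits:
            print(f"{kind:10s} {h['path']:40s} {h['value']}  sha256={h['sha256'][:16]}...")
```

On a real case you would point `triage()` at a loop mount of the SD image made with `mount -o ro,loop` (or at files extracted from the image) and work from a copy, never the original card; the script only reads. The hashes let you tie each pivot back to a specific file in the evidence when it goes to legal.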

But how did this device get there in the first place? Checking DNS and RADIUS logs, [Christian] found evidence that an ex-employee who still had a key may have been in the building when the Pi was first seen on the network. With this evidence in hand, [Christian] turned the issue over to legal, who now have plenty of ammunition to pursue the case.
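That log pivot is routine incident-response legwork, and here is an added example of it, not [Christian]'s scripts: take the first DNS query from the Pi to its cloud backend as the device's first-seen time, then list every successful RADIUS login within a window around it. The log lines are constructed, the formats are assumptions modelled on dnsmasq query logging and FreeRADIUS "Login OK" lines, and the backend domains the device phones home to are assumed too.

```python
"""Correlate a rogue device's first appearance in DNS logs with RADIUS
logins around that moment. Added example, not part of the original
investigation. Log formats are assumptions modelled on dnsmasq query
logging and FreeRADIUS "Login OK" lines; every line below is constructed."""
import re
from datetime import datetime, timedelta

LOG_YEAR = 2019  # syslog timestamps carry no year; assumed here

DNS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dnsmasq\[\d+\]: "
    r"query\[\w+\] (?P<name>\S+) from (?P<client>\S+)")
RADIUS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ radiusd\[\d+\]: .*Login OK: "
    r"\[(?P<user>[^\]]+)\] \(from client (?P<nas>\S+) port \d+ cli (?P<mac>[0-9A-Fa-f:-]+)\)")

# Assumed: a balena/resin device contacts these domains when it comes up.
BACKEND_SUFFIXES = (".resin.io", ".balena-cloud.com")

DNS_LOG = """\
Mar 14 08:02:11 gw dnsmasq[812]: query[A] intranet.example.corp from 10.0.0.21
Mar 14 08:41:35 gw dnsmasq[812]: query[A] api.resin.io from 10.0.0.57
Mar 14 08:41:36 gw dnsmasq[812]: query[A] vpn.resin.io from 10.0.0.57
Mar 14 09:10:00 gw dnsmasq[812]: query[A] api.resin.io from 10.0.0.57
""".splitlines()

RADIUS_LOG = """\
Mar 14 07:55:02 gw radiusd[401]: (113) Login OK: [alice] (from client wlc01 port 1 cli aa-bb-cc-00-00-01)
Mar 14 08:37:48 gw radiusd[401]: (120) Login OK: [former.employee] (from client wlc01 port 1 cli aa-bb-cc-00-00-02)
Mar 14 08:40:10 gw radiusd[401]: (121) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [guest] (from client wlc01 port 1 cli aa-bb-cc-00-00-09)
Mar 14 12:03:19 gw radiusd[401]: (140) Login OK: [bob] (from client wlc01 port 2 cli aa-bb-cc-00-00-03)
""".splitlines()


def parse_ts(text: str) -> datetime:
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def first_backend_query(dns_lines, suffixes=BACKEND_SUFFIXES):
    """Earliest query for a backend domain as (timestamp, client IP), or None."""
    hits = []
    for line in dns_lines:
        m = DNS_RE.match(line)
        if m and m["name"].endswith(suffixes):
            hits.append((parse_ts(m["ts"]), m["client"]))
    return min(hits) if hits else None


def logins_near(radius_lines, moment: datetime, window: timedelta) -> list:
    """Successful RADIUS logins within +/- window of `moment`, in log order."""
    out = []
    for line in radius_lines:
        m = RADIUS_RE.match(line)
        if not m:
            continue  # failed logins and unrelated lines do not match
        ts = parse_ts(m["ts"])
        if abs(ts - moment) <= window:
            out.append({"user": m["user"], "mac": m["mac"], "nas": m["nas"],
                        "offset_s": int((ts - moment).total_seconds())})
    return out


def correlate(dns_lines=DNS_LOG, radius_lines=RADIUS_LOG, window_minutes=30) -> dict:
    seen = first_backend_query(dns_lines)
    if seen is None:
        return {"first_seen": None, "client": None, "logins": []}
    ts, client = seen
    return {"first_seen": ts.isoformat(), "client": client,
            "logins": logins_near(radius_lines, ts, timedelta(minutes=window_minutes))}


if __name__ == "__main__":
    r = correlate()
    print(f"device first seen {r['first_seen']} from {r['client']}")
    for l in r["logins"]:
        print(f"  {l['user']:18s} {l['mac']} via {l['nas']} ({l['offset_s']:+d}s)")
```

The window is the knob: 30 minutes flags only the login just before the Pi appeared, 60 minutes pulls in an earlier, probably unrelated, user as well. DHCP lease logs, if you have them, add the Pi's MAC and hostname to the same timeline, and a badge or door-lock log would put a person in the building rather than just a device on the network.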

If you find the opportunity to do some Linux forensics yourself, or are simply interested in learning more about it, this intro by [Bryan Cockfield] will get you started.

Recovering photos with PhotoRec

A coworker approached us today with a corrupted SD card. It was out of her digital camera, and when plugged in, it wasn't recognized. This looked like the perfect opportunity to try out [Christophe Grenier]'s PhotoRec. PhotoRec is designed to recover lost files from many different types of storage media. We used it from the command line on OS X, but it works on many different platforms.

It's a fairly simple program to use. We plugged in the card and launched PhotoRec. We were prompted to select which volume we wanted to recover. We selected "Intel" as the partition table. PhotoRec didn't find any partitions, so we opted to search the "Whole disk". We kept the default filetypes. It then asked for the filesystem type, where we chose "Other" because camera SD cards are FAT-formatted. We then chose a directory for the recovered files and started the process. PhotoRec ignores the damaged filesystem and scans the entire disk looking for known file headers, then uses these to find the lost image data. The 1GB card took approximately 15 minutes to scan and recovered all the photos. This is really a great piece of free software, but hopefully you'll never have to use it.
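PhotoRec's header scan is file carving: find a signature, work out where the file ends, copy it out. Here is an added example of that idea for JPEG only, not PhotoRec's code. It walks the JPEG marker segments to find the real end-of-image marker, which matters because a camera JPEG usually embeds an EXIF thumbnail with its own end marker, so cutting at the first FF D9 truncates the photo. The sample "disk" is constructed in the block; its JPEGs have a valid marker layout but are not decodable pictures.

```python
"""Header/footer carving of the kind PhotoRec does, shown for JPEG.
Added example, not PhotoRec's code. The sample disk image is constructed:
its JPEGs have a valid marker layout but are not decodable pictures."""
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
SIGNATURE = SOI + b"\xff"  # SOI immediately followed by another marker


def jpeg_length(image: bytes, start: int):
    """Walk marker segments from the SOI at `start`; return the JPEG's byte
    length, or None if the structure breaks before a top-level EOI.
    Walking segments (instead of grabbing the first FF D9) is what stops an
    embedded EXIF thumbnail, which carries its own EOI, from truncating the carve."""
    n, p = len(image), start + 2
    while p + 1 < n:
        if image[p] != 0xFF:
            return None
        marker = image[p + 1]
        if marker == 0xFF:                              # fill byte before a marker
            p += 1
            continue
        if marker == 0xD9:                              # top-level EOI: done
            return p + 2 - start
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # standalone markers, no length
            p += 2
            continue
        if p + 4 > n:
            return None
        seglen = struct.unpack(">H", image[p + 2:p + 4])[0]
        if seglen < 2:
            return None
        p += 2 + seglen
        if marker == 0xDA:                              # SOS: skip entropy-coded data
            while p + 1 < n:
                nxt = image[p + 1]
                if image[p] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                               # a real marker, not stuffing or RST
                p += 1
    return None


def carve_jpegs(image: bytes) -> list:
    """Return [(offset, bytes)] for every structurally complete JPEG."""
    found, pos = [], 0
    while (start := image.find(SIGNATURE, pos)) >= 0:
        length = jpeg_length(image, start)
        if length is None:          # false positive or truncated file: keep scanning
            pos = start + 1
            continue
        found.append((start, image[start:start + length]))
        pos = start + length
    return found


def naive_carve(image: bytes) -> list:
    """The tempting shortcut: cut at the first FF D9 after each header.
    Any JPEG that embeds an EXIF thumbnail comes out truncated."""
    found, pos = [], 0
    while (start := image.find(SIGNATURE, pos)) >= 0:
        end = image.find(EOI, start + 2)
        if end < 0:
            break
        found.append((start, image[start:end + 2]))
        pos = end + 2
    return found


def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def make_fake_jpeg(scan: bytes, thumbnail: bytes = b"") -> bytes:
    """Constructed JPEG skeleton: SOI, optional APP1/Exif carrying a thumbnail,
    placeholder DQT and SOF0, SOS, entropy-coded data, EOI."""
    app1 = _seg(0xE1, b"Exif\x00\x00" + thumbnail) if thumbnail else b""
    return (SOI + app1 + _seg(0xDB, bytes(65)) + _seg(0xC0, bytes(15))
            + _seg(0xDA, bytes(10)) + scan + EOI)


# Entropy-coded data may contain 0xFF only as FF 00 (stuffing) or FF D0-D7 (RST).
SCAN = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a" * 3
SAMPLE_PLAIN = make_fake_jpeg(SCAN)
SAMPLE_WITH_THUMB = make_fake_jpeg(SCAN, thumbnail=SAMPLE_PLAIN)
FALSE_POSITIVE = b"\xff\xd8\xff\xee\x00\x05abc" + bytes(64)   # looks like a SOI, is not a JPEG
SAMPLE_IMAGE = (bytes(512) + FALSE_POSITIVE + SAMPLE_WITH_THUMB + b"\xff" * 32
                + SAMPLE_PLAIN + bytes(100) + SAMPLE_PLAIN[:-6])   # last one is truncated

if __name__ == "__main__":
    for off, data in carve_jpegs(SAMPLE_IMAGE):
        print(f"JPEG at offset {off}, {len(data)} bytes")
```

This block keeps only complete files; PhotoRec goes further and also salvages truncated ones by cutting at the next recognised header or a size limit, and it repeats the same signature-plus-structure trick for hundreds of file types, which is why it does not care that the card's filesystem is gone.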