(dramatic music)
(audience clapping)
- Hi, my name is Phill, as they have mentioned.
Thank you for the introduction.
I'm here today to talk to you about the recent
terrorist incident that has so terribly affected
the Imperial Empire.
And provide a little bit of information
about my insights of the Google Home
that was used in their destruction
of our orbital battle station.
I've been working for the Empire willingly
for the last seven years.
Well, I mean willingly join or die,
willingly for the last seven years as an analyst.
Also started a blog, This Week In Forensics,
where I read everything that I can find
about the digital forensics community
and also my personal research blog, ThinkDFIR.
But we're here to talk about the recent destruction
of the DS-1 Orbital Battle Station.
Since the destruction, we've indentified
the Rebel Base and we sent our top forensic,
well our available forensicators were sent,
to examine, to provide investigative support.
The investigators gave us a number of,
well they gave us one question,
they just wanna know everything.
And that wasn't really helpful to me,
so I wrote down a series of questions
that I would like to have written down,
I mean I guess provided.
But I would like to determine
so that I can assist their investigation.
So the first thing I wanna know
is what access point was it connected to?
Were these device connected to each other?
Because of course, just because the home
and the phone were in the same location,
does not necessarily mean that they were used
to interact.
What accounts were they linked to?
What has the device heard?
Which is probably our most important part.
And then the Bluetooth devices
and any location information that can be found.
So I was provided with a Google Home Mini
and an Android device to investigate.
And so I thought where should I start,
and I'm gonna start with the phone.
So the phone examination's gonna be the easiest part
because there's a lot of research about that
and I know what I'm doing.
So I started by looking at the Google Home app.
This app is basically the Chromecast app
that's been renamed.
It's now relating to Google Homes.
So that's why the app ID is the chromecast.app,
and it's mainly used for the device interaction.
You're gonna be able to control the settings, setup
the Google Home devices.
And there's actually no web interface that you can use
to interact with the devices as well.
So the first thing I wanna do is provide an extraction,
well obtain an extraction, so that I can examine
this app data.
The phone that I had to examine was a Nexus five
and is running the Home app version,
well a previous version.
So of course I'm gonna run an ADB backup first
and see what there was.
Unfortunately, not much.
The Google Home app didn't really backup very much
using the native ADB process.
As a result I was left with only obtaining a physical.
This was very helpful, there was a lot of data,
and so then I can direct my investigation after that
directly to the data folder that had everything
that I was looking for.
I also tested the iOS section.
I had a test iOS device, just for interest.
An iOS is a little bit easier.
Everything you're gonna get comes out
of a regular backup and it's all in Synchro Light
and paylists and very simple to analyze.
So this is a bit hard to read,
but we've got a few screens from examining
the physical device itself.
Just looking at the account drawer,
I can say that there is one user account,
and from there I can also query the actual Google Home
that I'm on the network with.
And I can say that there is one account
named Rebels Yavin, rebelsonyavin@gmail.com
with a photo.
That's really useful.
It means I know that there's only one account
that I need to look for and only one account
I need to download.
It will also indicate every other app
that is used to interact with this device.
Every other email address, sorry.
If I take my own phone and connect it up
to the network, I can obtain a little bit
of information but not as much as I need.
I'll be able to tell the user name and the picture,
but I won't be able to get the email address.
And I can also get the device name.
Moving on we can look at the target device again
and we can see all of the devices that that user account
has at it's disposal.
In this instance, it was just the one,
which was called Rebel Base.
The device address is something that's quite important.
You can have a look if you click in through
the device menu and you can see that the device address
is in this instance Lucas Valley Road in California.
Important thing to note about this is
whilst you can very easily see it,
and you can very easily read it in the XML file,
it's set by the user not by GPS,
because the Google Home device was not found in California.
This information also shows up in all
of the Cloud activity under current location
in my activity, so it's very easy to get at.
It's very easy to interpret.
The Home Graph is the most important file
that you can find in the app data.
So, it's basically gonna be called Home Graph
and then a base 64 string of the user's account email,
and there will be one for each user on the device
that has interacted with the Google Home,
so much as they've got a Google Home
linked to their account.
Now unfortunately, this is encoded
in Google's protobuf encoding,
and I haven't been able to figure out
a good way of interpreting it
and decoding it properly, so we're kind of
left with just reading the strings.
Thankfully, a lot of the ones that we need
pop up quite easily.
So the first thing we wanna look at is our Gmail address,
that's fine.
We already know that.
We've got what looks like an ID
and we'll talk about it more as it's very important.
It's the Cloud device ID.
And we've also got another ID about the Google account.
And this account ID is setup to every single user on Gmail.
It's easier to decode if you've got Google+ set up,
but that's not necessarily always the case.
But, that's gonna be useful for later as well.
So, just to summarize what we found on the phone,
we've got our email, we've got our account ID.
We've also got the oAuth Token,
which is gonna be great when we need
to download Cloud data.
A device location, a Cloud device ID
and the Wifi password.
So that's answered a few questions already.
Now we're gonna look at the Google Home.
This is an actual product by the way.
If you would like to support all of those
that were lost in the recent destruction,
please go to the link below.
So there's two things that we can do
to examine the Google Home.
There's querying it while it's live
or we can examine the internals.
It depends on your use case, I'm gonna go all out
because this is for a terrorist incident.
So I need to make sure that I'm getting
as much information as possible.
But in some instances if you do not want
to destroy the device, examining the internals
is going to not be the right way to work.
So first you want to do is you wanna find
the Home itself on the network.
You can easily query the device on the Home app
or you can use something like Fing,
which is a network scanner.
The caveat is that it will scan the network,
send that information up and provide you
with IPs, names, MAC addresses and device types.
That might not be suitable to your situation.
So in that case then you can always use an Nmap
to scan your network and see what you will find.
The Nmap command down at the bottom
will show you all the Google Home devices
and if you get rid of the 10001,
which is the highlighted port,
then that will show you the Chromecast devices as well,
'cause they're both built off the same thing.
You can query them the same way.
So, we wanna find as much information we can
from the live device and there's two methods
of doing so.
I know I said that Google only let us know
that there was one, and that's the one
they only want us to use, which is the Home app.
But unfortunately, that won't give us all
of the information that we would like to find.
So, I built a script called Homespeak,
which I'll be releasing shortly.
It was based off some work by a GitHub user
named Rithvikvibhu who found that you could send
GET and POST requests to the Google Home device
as long as you're on it's network,
and you will receive JSON data back.
There are kind of two methods of doing this,
it depends on the situation.
If you're at the scene, you can jump on the network,
you can send the queries once you've got the IP
but, if you you've opened the exhibit bag
and there's your Goggle Home, you might not
be able to do that.
In that instance, the great thing
about Home devices is when you plug them in,
they shoot up their own network
and you can connect to that.
If you try to query that with the Home app,
you will not actually be able to get any data.
It will be thinking that you're trying
to set up a brand new device.
I don't wanna set up a brand new device,
I want to find all the information
on the current one.
So you can send a couple of requests
that are really gonna get you as much information
as you need.
There's a lot of information in there
that's not really relevant.
But the main stuff that I found
was the Cloud device ID, which we found earlier,
and the Bluetooth devices.
That Cloud device ID, I just wanna point out,
is set up as soon as you initially set up that device.
If you restart the device it'll be fine,
but if you reset the device manually,
you'll get a brand new Cloud device ID.
So we want to put that all together.
We've got our Cloud device ID from the Home Graph
as well as our account and our Gmail address,
and on the other side we've got our Cloud device ID.
Which is great, because now we can put them both together
they match, and we can use that to download the Cloud data.
Well, use that to confirm that this is the account
that we need to download, because the last thing
you wanna do is find a Home device and a phone
and download the wrong person's account.
There can be legislative issues if you do that
and so we just have to make sure first.
The other thing I wanted to bring up
was Bluetooth devices.
Just a useful piece of information,
if you go and query the device with the Home app,
you will find all the connected Bluetooth devices
as well as the date that they connected initially.
This doesn't matter if you're on the suspect device
or in this case the investigator's device.
That will work just fine and it'll give you
that information.
But unfortunately, it doesn't give you much more.
With Homespeak you're able to send the query
and get a bit more information,
which I'll just make a bit bigger.
So we've got the bond date, the date
that it was initially connected.
As well as the last connect date.
It's called last connect date but it means last interaction,
so if you connect or disconnect, depending
on the connected flag, it will log the date.
Which is great for determining when maybe
the rebels were last at that base at that date.
We've also got the MAC address as well as the device name,
which is just a bit more to really confirm
what we found on the Home app itself.
But that might not be good enough.
We might want to go a bit further.
We might want to pull the device apart.
So this is the inside of the Google Home Mini.
They're fairly easy to pull apart
and the Google Home devices aren't much harder.
Inside we'll find a 256 meg Toshiba chip.
There's not a lot of space for any data
on there realistically, compared to the Echo devices
that have I think four gig of data.
We're just looking at 256 megs.
So, I got one of my fellow convicts,
uh Imperial Officers to help read the data back for me.
He was able to use just regular chip off methodology,
in this case a Rework station,
to remove the chip, clean it up
and read it with something like the Dataman.
An associate, Scott Lalass, was able to help
by sending some of the chips to Dataman
and they built a profile.
Which means that everyone with a Dataman
is able to read the Nan chip pretty easily.
So, after we've read the data, this is what we can see.
Don't worry if you're sitting at the back,
I can't read this either.
Most of it is garbage.
Unfortunately there isn't a really good file system
that we can parse out and so we're kind of just left
with looking at strings.
It's unfortunate, if anyone is able to help
figure out what the file system is, that would be great.
But unfortunately, I wasn't able to figure it out.
Thankfully, strings comes up
with a lot of great information.
So from here, we're just gonna look
for the Bluetooth devices that we found previously,
and I can see there's actually another Bluetooth device
that I didn't know about.
And it's called Luke's iPod touch.
We've got a MAC address there, we haven't got dates,
which is not great, and I don't actually know
if this is the deleted file or this is an allocated file
with a log that just hasn't been cleared out yet.
But hey, that just means that I know
that there was another device that we didn't see
that we weren't able to examine,
and maybe the terrorists took it with them.
This can also be really, really useful
if someone says, "I was never there,
"I didn't know anything about that person."
You've now got another record to look at.
We can also find the Google account ID,
which can also be very useful as we've found it before.
If you're able to take that to Google,
they might be able to reverse that for you
and tell you what the account was,
give you the information.
I wasn't able to ask Google that question,
but they might be able to help.
This can be really useful if all you've got
is the Google Home and you need to find out
who's account do I need?
There's also the Cloud device ID on there,
but obviously you've got the device, so.
We wanna put it all together.
We've now got the Cloud device ID
and the account information on the left.
We've got the NAND Read and the Homespeak
will give us the account ID and the Cloud device ID,
which is great.
Now we've just got the Cloud data that we wanna look at.
So, Cloud is basically where we're gonna be looking
for all of the interaction that we really care about.
There's not really much found on the device itself
or on the app with regards to any of the queries,
any of the audio, anything really outside
of the Bluetooth device interaction.
So, I'm gonna cover a couple of ways
to get this Cloud data and examine it,
and then we're gonna talk about what data was found
that was very useful to me.
So you can go to myactivity.google.com
and that will show you all of the interactions
for that account.
I'm only going to focus on assistant
and voice and audio, but if you have a Google device
and you haven't been to that website,
you will be scared at how much information
is tracked and logged.
But the good thing is, if you filter for assistant
and voice and audio, you'll see all
of the interactions with the Google Home device.
It will identify that a Google Home device was used,
not which Google Home device.
So if you've got two Google Homes,
it might not be able to tell you
which one's which.
And the good thing is, it will also identify
there is a known user's voice used.
If two accounts have been set up on the same device,
it will tell you who said what.
You may also come into problems
if there are two users set up on the account,
because you'll need to access two different Cloud accounts.
To download this data, you're gonna be using Google Takeout,
which will get you all the spoken words,
it'll get you all of the responses,
all of the audio and the location data if it's set.
As I said, that location is set by the user.
Even though location services is required
when you turn the app on to set the device up
to begin with.
The only downside with using Takeout is it
A, notifies the individual that you're performing
a Takeout and it also will download everything.
So if time is of the essence or you're required
to only obtain a small amount of data,
then Google Takeout may not be the way to go.
Unfortunately, currently it is one of the only ways that
you're learning to get the most complete
piece of information.
Alternatively, I tested a number of Cloud data
acquisition tools.
These tools are basically the only ones
that were able to provide the information that I needed,
and filter it out in the right way.
Some of the tools will provide you
with the Google search information,
but not actually determine which device was used.
Was it the phone, was it the app,
sorry was it the Home device?
In the last three days Google changed the API
and every tool is broken with regards
to Cloud data acquisition of this specific information.
So Takeout is going to be your best bet.
But, once that's fixed, I'm sure all the vendors
are on it, we'll be able to get all that information again.
These tools are really good at helping you search,
sort, report on that information,
and so it's a good idea to, if you can,
get the Takeout information as well as do
an API acquisition and then just compare the two.
I know that some of the vendors are also working on
ingesting that Takeout data, because they don't necessarily
incorporate it in a really good way
that allows you to easily review it.
Alright, so specifically about our case,
what did we find?
We found that someone was asking,
do they have anything on their calendar?
Unfortunately, in this instance,
Google didn't tell me what they actually found.
The Home would've responded in some way,
but it doesn't always tell you what they said.
So I downloaded the Cloud, the calendar from the Cloud,
and that's pretty damning that they wanted
to blow up the Death Star the next day.
I don't know why they call it the Death Star,
I think that's crass.
It's always been the DS-1 Orbital Battle Station.
But, anyway.
They also were asking curiously about the weather on Hoth.
So,
I mean that's a clue, isn't it?
I feel like that's a clue.
And interestingly, Google responded
and it said, "Hoth's climate is cold."
Well yeah, Hoth's climate is cold,
but why wold they be asking if that's not
where they wanted to go next?
Just a hint though, when Darth Vader says,
"They're in the Hoth System,"
just go along with it, it's just a trick.
Alright, so for a generalized process,
what should we do if we're faced
with a Google Home and a phone at the scene?
The first thing we're gonna do
is get a physical acquisition,
it's gonna be the only way
that we're gonna get the home ref information,
and from there we can identify the account
and the Cloud device ID from the Home Graph.
Potentially more information as well.
I know that there's also the date that the Google Home
was added to that account, but haven't been able
to pull that information out yet.
We're then gonna query the Home device.
We can get the Cloud device ID from there,
as well as other Bluetooth data,
if that's of relevance.
And from there we can put those two things together
to confirm that that's what we need,
with the password or the oAuth Token,
to pull the Cloud data.
So overall findings.
What did we find?
What do we know from all of this?
We know that the room was probably related
to someone named Luke.
We know he had a calendar entry to destroy the Death Star,
and his home location was set to the Skywalker Ranch.
Which could be a previous location,
because we didn't find any Homes on the Skywalker Ranch,
we found them on Yavin.
We've got the last date and time that the phone
was at the base.
Which could be the last time they were at the base as well.
And we also know that he was asking about
the weather on Hoth.
So we've got a pretty decent idea
of where we should look next.
Further work is really where I would like to look next
to try and build out the research for this.
I would like to look in to parsing the Home file system
and decode the proto file, but at the moment
I haven't been able to figure that out.
As well as looking further in to the iOS app data,
in case that comes up.
There are a few other features
and a few other devices planned
in the future with regards to communication.
I wasn't able to test that as it wasn't provided
in this situation, but it's going to be coming
across many iOT devices, so that's something
to look forward to.
Lastly, I'd like to thank a number of people
that provided me with their tools to test.
All of these companies were very gracious
in providing me with their tools
and so I thought I'd give them a shout out,
and I know a lot of them will be working
on improving this data, as it's only gonna get
more and more as time goes on.
As well as a number of people
for helping me with the research,
and providing me with test data.
Cool, thank you.
(crowd claps)
(dramatic music)
For more infomation >> "El oro está haciendo lo que ha hecho siempre" - Duration: 1:27. 
For more infomation >> Cookie Remembers When She Met Damon Cross | Season 5 Ep. 8 | EMPIRE - Duration: 2:32. 
For more infomation >> Curry auf malaysische Art (Rendang) - Duration: 3:24. 
For more infomation >> 'Fuller House' Star Andrea Barber On Her Years Of Playing Kimmy Gibbler | TODAY - Duration: 5:44. 
For more infomation >> Lion Air Crash: 'Black Box' Data Reveals Pilots' Struggle To Regain Control Of Flight | TODAY - Duration: 3:05. 
For more infomation >> Descubre cómo saber si tu hijo es realmente inteligente | Un Nuevo Día | Telemundo - Duration: 4:48. 
For more infomation >> President Donald Trump Threatens To Cut General Motors Subsidies | TODAY - Duration: 3:06. 
For more infomation >> ¡Lupillo y Juan Rivera visitan una cárcel de mujeres! | Un Nuevo Día | Telemundo - Duration: 3:04. 
For more infomation >> ¡La tumba de Chespirito no tiene ni flores! | Un Nuevo Día | Telemundo - Duration: 2:56. 
For more infomation >> Horóscopo hoy, 28 de noviembre de 2018, por el astrólogo Mario Vannucci | Un Nuevo Día | Telemundo - Duration: 3:12. 
For more infomation >> ¿Se debe devolver el anillo de compromiso? #1 | Un Nuevo Día | Telemundo - Duration: 5:59. 
For more infomation >> ¡Vuelve la nanny más querida, "Mary Poppins Returns"! | Un Nuevo Día | Telemundo - Duration: 5:16. 
Không có nhận xét nào:
Đăng nhận xét