data forensics collected resources

• reception as a case of detection and amplification [of a weak signal]
• reception as a revealing

OSI model - a division

marking this division is the physicality of the antenna and RSSI. a direction into architecture. antenna|protocol

[in an outside world]

what/where is abstraction in the world except as language and construction in the world

question of if this layered OSI model could (or would have already) enter(ed) the world.

physical layer - identifiable only as such

physical layer is a red herring as OSI model "in the world" bites its own tail. simulation theory

Data forensics practice - detection and collection

detection [primarily of] EM and light

with wireless card detection is already obscured [at OS level - frames and so on - EXPAND]

what is 802.11 encoding/modulation:

one aspect is spread spectrum:

Frequency-hopping spread spectrum (FHSS) is a method of transmitting radio signals by rapidly switching a carrier among many frequency channels, using a pseudorandom sequence known to both transmitter and receiver.

modulation in this case is: Gaussian Frequency-Shift Keying (GFSK) is a type of Frequency Shift Keying modulation that utilizes a Gaussian filter to smooth positive/negative frequency deviations, which represent a binary 1 or 0. It is used by DECT, Bluetooth¹, Cypress WirelessUSB, Nordic Semiconductor and z-wave devices. For Bluetooth the minimum deviation is 115 kHz.

http://en.wikipedia.org/wiki/GFSK

See also:

http://en.wikipedia.org/wiki/OFDM

and:

http://en.wikipedia.org/wiki/Complementary_code_keying

• Day One:
  

  Introduction all participants

  Introduction to theory and techniques of data forensics: experiments, demonstrations, software, hardware - an overview.

  Data collection expedition in Oslo city centre

• Day Two:
  

  Discussion of previous day's research

  Discussion of artist works within the field of data forensics

  Assessment of relevant techniques by each participant

  Commence personal projects in Oslo interior/exterior

• Day Three.
  

  Discussion of personal projects

  Further collective experiments and suggestions for future work and direction

  Sketches for artistic work

For workshops a LiveCD solution.

Arudius 0.5 (LiveCD): http://www.fosstools.org/

To imagine some kind of taxonomy - exploratory tools, (active/passive)probes, reconstruction, interpretative, visualisation, decryption and encryption, a beginning to making sense.

That this taxonomy could also follow and to some extent critique (or allow for a philosophical examination of) the OSI model of networking:

• scrying platform: http://scrying.org
• TEMPEST (see below) covers both EM and audio emissions

eg. acoustic cryptanalysis: http://people.csail.mit.edu/tromer/acoustic/

• Blinkenlights (Silence on the Wire. ch5. p.65+)
• use of wireless routers as leaked city data collection devices
• cantenna (waveguide antennas), antenna construction, antennas as a bridge between domains [EXPAND]

http://www.turnpoint.net/wireless/cantennahowto.html

http://flakey.info/antenna/waveguide/ [with calculator for waveguide distances and so on]

[use of tetrapaks was also successfully tested in Berlin]

http://www.reseaucitoyen.be/wiki/index.php/BoiteDeLait

http://www.reseaucitoyen.be/wiki/index.php/Home_made - good resource

http://www.saunalahti.fi/~elepal/antenna2.html - also with link to calculator

• magnetic fields: http://www.phrack.org/issues.html?issue=37&id=6#article
• LED pulse transduction/parsing: http://www.mee.tcd.ie/~bruckerj/projects/forwardcomp.html
• Live Membrane modulation parsing: CRT Phreaking: http://jya.com/emr.pdf Flat Panel Phreaking: http://www.cl.cam.ac.uk/~mgk25/pet2004-fpd.pdf
• Reading Memory out of hardware context: Electromagnetic Induction attacks on semiconductors: http://www.cl.cam.ac.uk/~rja14/Papers/SISW02.pdf

• xoscope: http://xoscope.sourceforge.net/

x*oscope is a digital oscilloscope that uses a sound card (via /dev/dsp or EsounD) and/or Radio Shack ProbeScope (Cat. No. 220-0310) a.k.a osziFOX as the signal input.

• wavemon, baudline, further spectrum analysis [http://www.wireless.org.au/%7ejhecker/specan/]

• making sense also. sense of context or reverse engineering of a protocol wrapper. sense is/in the encoding scheme itself
• netstat, netcat (nc), ntop, nmap, ngrep, tcpdump, snort, hping2,

dsniff

• nemesis (command-line packet injection): http://nemesis.sourceforge.net/
• iwspy and plotting:

http://wordpress.calgarymesh.ca/2006/08/09/using-iwspy-to-monitor-signal-strengths-in-ad-hoc-networks/

http://users.skynet.be/chricat/signal/signal-strength.html

• Wireshark (ethereal): http://www.wireshark.org/

network protocol analyser (formerly known as ethereal)

Wireshark is a GUI network protocol analyzer. It lets you interactively browse packet data from a live network or from a previously saved capture file. Wireshark's native capture file format is libpcap format, which is also the format used by tcpdump and various other tools.

• Scapy: http://www.secdev.org/projects/scapy/

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, …), etc.

• Kismet: http://www.kismetwireless.net/

Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.

Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and infering the presence of nonbeaconing networks via data traffic.

• PyPcap, dpkt: http://code.google.com/p/pypcap/

Packet capture and dissection library

• recoding and fiction
• gdb: http://sourceware.org/gdb/

local and remote examination of execution, memory snooping, modification, paring.

• visualisation and examination: baudline also (raw), octave, gnuplot,

python visualisation (scipy, others).

TEMPEST as a revealing

Any time a machine is used to process classified information electrically, the various switches, contacts. relays, and other components in that machine may emit radio frequency or acoustic energy.

… This problem of compromising radiation we have given the covername TEMPEST.

[TEMPEST: A Signal Problem. NSA 1972]

See also: http://1010.co.uk/org/tempest_presn.html

• optical emanations
  

  Markus G. Kuhn: Optical Time-Domain Eavesdropping Risks of CRT Displays, Proceedings 2002 IEEE Symposium on Security and Privacy, Berkeley, California, 2002:

  http://www.cl.cam.ac.uk/~mgk25/ieee02-optical.pdf

• acoustic emanations
  

  http://people.csail.mit.edu/tromer/acoustic/

• resources
  

  TEMPEST for Eliza: http://www.erikyyy.de/tempest/

  Collected TEMPEST resources: http://www.eskimo.com/~joelm/tempest.html

  Wim Van Eck's paper: http://jya.com/emr.pdf

  TEMPEST timeline: http://cryptome.org/tempest-time.htm

  TEMPEST glossary: http://cryptome.org/ncsc-3.htm

  http://csrc.nist.gov/publications/secpubs/tempest.txt

  Compromising Emanations (Markus G. Kuhn, PDF): http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-577.pdf

  Eckbox: http://eckbox.sourceforge.net/

  [decoding screen]

  Tinfoil Hat Linux: http://tinfoilhat.shmoo.com/readme.txt

  [countermeasures]

  Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations Markus G. Kuhn and Ross J. Anderson (Information Hiding Workshop,1998)

  Hidden Data Transmission by Controlling Electromagnetic Emanations of Computers:

  http://abaababa.ouvaton.org/tempest/?lang=en

  http://bss.sfsu.edu/fischer/IR 360/Readings/tempest.htm

  http://jya.com/bits.htm

  Using VCR tuner: http://cryptome.org/qd-tempest.htm

  Sync: http://cypherpunks.venona.com/date/1997/05/msg00123.html

  http://www.tscm.com/TSCM101tempest.html

Bibliography: http://data-hiding.com/

Bibliography for text-based steganography: http://semantilog.ucam.org/biblingsteg/

StegFS (filesystem): http://www.mcdonald.org.uk/StegFS/

[ wbStego: http://wbstego.wbailer.com/ ]

Stegtunnel (covert channel in the IPID and sequence number fields of any desired TCP connection): http://www.synacklabs.net/projects/stegtunnel/

Stepic (Python image steganography): http://domnit.org/2007/02/stepic

Forensic tools: http://unixsadm.blogspot.com/2007/10/digital-forensic-tools-imaging.html

Text-based steganography: http://www.siefkes.net/software/nlstego/ and http://lcamtuf.coredump.cx/soft/snowdrop.tgz

Text-based2: http://www.fasterlight.com/hugg/projects/stegparty.html

and:

http://www.nicetext.com/

and:

http://www.fourmilab.ch/stego/

Steghide (images) : http://steghide.sourceforge.net/

Hydan (within executables): http://crazyboy.com/hydan/

• books
  

  Security Data Visualization: Graphical Techniques for Rapid Network and Security Analysis. Greg Conti (2007)

  Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks. Michal Zalewski (2005)

• online
  

  http://scrying.org/doku.php?id=xxxxx_for_artists:data_forensics_exploratory_toolkit

  http://scrying.org/doku.php?id=pm:forensics