My 2pm session at CEIC 2012 was a surprise and treat. Mike Wilkinson from Champlain College gave a rather in-depth review of the Amazon Kindle and the exploits used to gain root access to its Linux system in order to obtain a forensic image.
Before I jump into his presentation I want to hit on a point he made about the phrases “forensically sound” and “forensic image”. With the ever-changing technology we face on a daily basis, utilizing exploits is sometimes the only option. Mike pointed out that within US law the phrase “forensically sound” isn’t used, but the word “scientific” or “scientific image” is. As a digital forensic examiner you must use tools and processes that limit data changes, but within the realm of the word “scientific” you can obtain data with minor changes to the system. Does it change the validity of the evidence? Ask yourself that and you can determine whether the process is okay to continue with.
Back to KINDLE FORENSICS!
The only option for gaining access to the Kindle (not the Fire; no exploit is known for it yet) is to enter via the system update feature. When the Kindle gets an update from Amazon it receives a bunch of files and folders for the specific update. Amazon adds a signature to each folder and file to ensure that unauthorized files cannot be uploaded. Since this is a Linux-based tablet there are options for getting around this. Within Linux you can edit the update package to do the following (this is a rough breakdown so you get the idea):
update/\ – This backslash tells the Linux system to not worry about the next file
As you can see, you inserted your script by telling Linux to not worry about that file and continue on. (This is so high level that I suggest you follow the links below if you want to learn more.) There are 10 files that need to be changed to run the script. Once this is done the script will install Dropbear SSH, telnet, and BusyBox. Each of these programs is very small and takes up very little space.
When this image is taken from the Kindle it is done from a rootfs (virtual) to ensure that the system and OS files are not corrupted if rebooted. Once these 3 programs are up and running and you have access to the rootfs, you use the Linux dd command to image the Kindle over SSH to a local computer, where you can load it into EnCase or whichever program you prefer.
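The acquisition step just described, written out as an added shell example (mine, not the Champlain script): dd the flash to an image file, hash what was received, and re-hash the image before analysis so the "minor changes" question from Mike's point can be answered with evidence. The device path /dev/mmcblk0, the host name, and root login through Dropbear's sshd are assumptions; GNU coreutils (dd, sha256sum, tee) is assumed on the examiner's machine.

```sh
#!/bin/sh
# Added example, not the Champlain script: acquire a raw image with dd and
# verify it by hash, either locally or streamed over SSH from a rooted Kindle.
# Assumed: GNU coreutils on the examiner's machine; /dev/mmcblk0 and the host
# name below are placeholders, and Dropbear sshd on the Kindle allows root.

# acquire_local SRC DST: dd SRC into DST, keep dd's own report in DST.dd.log,
# then hash source and image so the acquisition can be verified later.
# Prints "OK <sha256>" and returns 0 on a match, non-zero otherwise.
acquire_local() {
    src=$1; dst=$2
    # conv=noerror,sync keeps reading past unreadable blocks and pads them
    # with NULs, so every later byte stays at its true offset in the image.
    # (bs must divide the device size, or the padded tail changes the hash.)
    dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>"$dst.dd.log" || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    [ "$src_hash" = "$dst_hash" ] || { echo "MISMATCH $src_hash $dst_hash"; return 1; }
    echo "OK $src_hash"
}

# acquire_remote HOST DEV DST: the pipeline from the talk, reading DEV on the
# Kindle through its Dropbear sshd and writing DST on the examiner's machine.
# tee feeds the same bytes to the image file and to sha256sum, so the flash is
# read exactly once and the hash covers exactly what was received.
acquire_remote() {
    host=$1; dev=$2; dst=$3
    ssh "root@$host" "dd if=$dev bs=4096 conv=noerror,sync" \
        | tee "$dst" | sha256sum | cut -d' ' -f1
}

# verify_image IMG EXPECTED: re-hash an image before loading it into EnCase
# and compare with the hash recorded at acquisition; 0 only when they agree.
verify_image() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Example invocation against the placeholder device and host:
#   hash=$(acquire_remote 192.0.2.10 /dev/mmcblk0 kindle.dd)
#   verify_image kindle.dd "$hash" && echo "image verified"
```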
We also have the option of doing chip-off forensics on a Kindle, because its storage is a 4 GB Samsung flash BGA chip. Since Binary Intelligence does chip-off forensics, this may be an option for those who can't get the data this way, or have a Kindle that is broken or damaged beyond these rooting capabilities.
computerforensics.champlain.edu will have the script and the step by step video available this week for review!
I hope you enjoyed this like I did!
Computer/Mobile Forensic Examiner