
Tuesday, May 20, 2014

Bluetooth for data exfiltration. Say what?!? Part 1: The Setup

One of the things that I absolutely love about the DFIR community is the amount of communication and idea/information sharing that happens between members of the community. A few weeks ago Ken Pryor posed a question on Twitter regarding extracting data from a Tracfone. I shared my experience with using a Bluetooth connection to get a few files, and Harlan Carvey asked what experience we've seen with regards to Bluetooth data exfiltration. 

The Twitter conversation that started this post!

To date, I have not seen Bluetooth used for data exfiltration on a case that I worked, but since there is such a large crossover between personal mobile devices and the corporate environment, I was curious to see what evidence I could find of data exfiltration when I used Bluetooth to send a file from my laptop (running Windows 8.1) to my Galaxy Note 2 (running Android 4.3). 

I first had to pair the devices, which was accomplished by turning Bluetooth on (on both devices), and confirming on each device that I was indeed pairing the devices together. Once I paired the devices, Windows 8 presented me with the following console on my laptop:

Windows 8 Bluetooth console

For the purposes of this post, I created a TrueCrypt file named "exfil.doc" (for more on TrueCrypt, please visit my previous blog post). I opened the file in HexWorkshop to confirm that it has no file header, that the file size is cleanly divisible by 512, and that the character distribution is 0.39%, which is exactly what I expected to see:

File header of "exfil.doc"

File size cleanly divisible by 512

0.39% character distribution in "exfil.doc"
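The three properties checked by hand in HexWorkshop above (no recognisable header, a size that is a multiple of 512 bytes, and a flat byte distribution of roughly 0.39% per byte value) can be scripted so a triage pass can flag a ".doc" that is really an encrypted container. The following is an added example written for this post, not the author's code and not part of TrueCrypt; the magic-number table, the 16 KiB minimum sample and the tolerance thresholds are my own choices.

```python
"""Heuristics for spotting a disguised encrypted container such as the
TrueCrypt volume saved as "exfil.doc".  Added example, not the post's own
code: it checks the three properties the post confirms in HexWorkshop."""
import collections
import math
import os

# Magic numbers a genuine document (or binary) would start with.  A
# TrueCrypt volume has no such header: its first bytes are ciphertext.
KNOWN_MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 (legacy .doc/.xls/.ppt)",
    b"PK\x03\x04": "ZIP / OOXML (.docx/.xlsx/.pptx)",
    b"%PDF": "PDF",
    b"\x7fELF": "ELF",
    b"MZ": "PE/DOS executable",
}
SECTOR = 512
EXPECTED_SHARE = 1 / 256     # 0.390625 % per byte value when uniform
MIN_SAMPLE = 16384           # assumed minimum for a stable distribution


def identify_header(data: bytes):
    """Return the name of a known file type if data starts with its magic."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def byte_distribution(data: bytes):
    """Return (max_share, entropy_bits) for the byte values in data.

    max_share is the share of the most common byte value; for random or
    well-encrypted data it sits near 1/256 = 0.39 %.  entropy_bits is
    Shannon entropy per byte; random data approaches 8.0."""
    counts = collections.Counter(data)
    n = len(data)
    max_share = max(counts.values()) / n
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return max_share, entropy


def looks_like_encrypted_container(data: bytes, total_size=None):
    """Apply the three heuristics to a sample of a file.

    data is the (leading) sample to inspect; total_size is the full file
    size when only a sample was read.  Returns (verdict, reasons) where
    an empty reasons list means all three heuristics passed."""
    total_size = len(data) if total_size is None else total_size
    reasons = []
    header = identify_header(data)
    if header:
        reasons.append(f"recognised header: {header}")
    if total_size % SECTOR != 0:
        reasons.append(f"size {total_size} is not a multiple of {SECTOR}")
    if len(data) < MIN_SAMPLE:
        reasons.append("sample too small for a distribution check")
    else:
        max_share, entropy = byte_distribution(data)
        # Slack around the ideal 0.39 % to allow for finite samples.
        if max_share > 2 * EXPECTED_SHARE or entropy < 7.9:
            reasons.append(
                f"byte distribution not flat "
                f"(max {max_share:.2%}, entropy {entropy:.2f} bits)")
    return (not reasons), reasons


def check_file(path: str, sample_bytes: int = 1 << 20):
    """Read only a leading sample so a 543 MB file is not loaded whole."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        sample = fh.read(sample_bytes)
    return looks_like_encrypted_container(sample, total_size=size)


if __name__ == "__main__":
    # Constructed inputs: random bytes standing in for a container, and
    # an OLE2 header standing in for a real legacy Word document.
    print(looks_like_encrypted_container(os.urandom(SECTOR * 256)))
    fake_doc = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"A" * 1000
    print(looks_like_encrypted_container(fake_doc))
```

Passing all three checks is not proof of encryption (compressed archives without headers are rare but possible), so the verdict is a triage flag for a closer look, not a conclusion.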

Once I had my "document" ready to "exfiltrate", I had to choose the file to send using the "File Operations" option within the Bluetooth console.

File Operations tab within Bluetooth console

I choose this one!

Once I chose the file, Windows queued it for transfer from my laptop to my phone.

Bluetooth FileTaskManager waiting to transfer file

My phone presented me with a message that I had to first accept in order for the data to be transferred.

Bluetooth file transfer notification on Galaxy Note 2

And so it begins....

The file, which was 543MB in size, took about 55 minutes to transfer via Bluetooth. I was a little bit surprised that it took that long, but since I don't use Bluetooth on my laptop (in fact, with the exception of this post, I have it disabled), the slow speed may have been caused by drivers/software that were not up to date.

Files sent to my Galaxy Note 2 via Bluetooth

On Windows 8, the "History" tab of the FileTaskManager window shows the history of files that have been transferred. You can see my attempts to transfer files, including the failed attempts. I am hoping to find this data recorded on disk, in the memory dump from the system, or both. This data can also be cleared by the user, so it may not always be populated.

FileTaskManager history

Part 2 of this post will include evidence related to the Bluetooth transfer that I find within the memory dump and drive image. As Harlan pointed out, at the very least there should be evidence of the Bluetooth connections in the Registry and within Shellbags. I am hopeful that there can be some evidence found on the device (and in the memory dump) of the actual file transfer itself, but I have to wait for the image to finish, load it up, and see what I can find!
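Ahead of Part 2, the Registry check for Bluetooth connections can be scripted. The following is an added example written for this post, not the author's code or a Microsoft tool. It reads the BTHPORT\Parameters\Devices key (the key that DFIR tooling such as RegRipper's bthport plugin parses); one subkey per device, named by the device's Bluetooth address. The value names "Name", "LastSeen" and "LastConnected" are assumed from what Windows 8 and later record and should be verified against your own image, and the GT-N7100 sample record is constructed, not taken from the author's system.

```python
"""List Bluetooth devices Windows has seen or paired with, from the
BTHPORT service key.  Added example, not the post's own code.  The value
names "Name", "LastSeen" and "LastConnected" are assumed (Windows 8+)."""
import datetime
import struct

try:
    import winreg            # only available on Windows
except ImportError:         # lets the decoders run on a Linux analysis box
    winreg = None

DEVICES_KEY = r"SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Devices"
FILETIME_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)


def decode_name(raw: bytes) -> str:
    """The Name value is REG_BINARY holding a NUL-terminated UTF-8 string."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", errors="replace")


def decode_filetime(raw) -> datetime.datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC),
    given either as an int or as 8 little-endian bytes, to a datetime."""
    ticks = raw if isinstance(raw, int) else struct.unpack("<Q", raw[:8])[0]
    return FILETIME_EPOCH + datetime.timedelta(microseconds=ticks // 10)


def format_bdaddr(subkey: str) -> str:
    """Subkeys are the 12 hex digits of the device's Bluetooth address."""
    s = subkey.lower()
    return ":".join(s[i:i + 2] for i in range(0, 12, 2))


def parse_device_values(subkey: str, values: dict) -> dict:
    """Turn one device subkey's raw values (name -> data, as returned by
    winreg) into a readable record with ISO-8601 UTC timestamps."""
    record = {"address": format_bdaddr(subkey)}
    if "Name" in values:
        record["name"] = decode_name(values["Name"])
    for ts in ("LastSeen", "LastConnected"):   # assumed value names
        raw = values.get(ts)
        if isinstance(raw, int) or (isinstance(raw, bytes) and len(raw) >= 8):
            record[ts] = decode_filetime(raw).isoformat()
    return record


def list_bluetooth_devices(hive=None):
    """Walk the Devices key on a live Windows system (needs winreg)."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    hive = winreg.HKEY_LOCAL_MACHINE if hive is None else hive
    records = []
    with winreg.OpenKey(hive, DEVICES_KEY) as devices:
        for i in range(winreg.QueryInfoKey(devices)[0]):
            sub = winreg.EnumKey(devices, i)
            with winreg.OpenKey(devices, sub) as dev:
                values = {}
                for j in range(winreg.QueryInfoKey(dev)[1]):
                    name, data, _type = winreg.EnumValue(dev, j)
                    values[name] = data
            records.append(parse_device_values(sub, values))
    return records


# Constructed sample standing in for what winreg returns on a live box:
# a Galaxy Note 2 model name and a FILETIME for 2014-05-19 19:06:40 UTC.
SAMPLE_VALUES = {
    "Name": b"GT-N7100\x00",
    "LastSeen": struct.pack("<Q", 130450000000000000),
}

if __name__ == "__main__":
    if winreg is not None:
        for rec in list_bluetooth_devices():
            print(rec)
    else:
        print(parse_device_values("00112233aabb", SAMPLE_VALUES))
```

On an acquired image, point a registry parser at the SYSTEM hive instead of the live key (ControlSet001 rather than CurrentControlSet) and feed the same decoders; the timestamps give a first indication of when the phone was last in range and last connected, which is what Part 2 can then correlate with the FileTaskManager history and Shellbags.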


  1. Brian,

    Fascinating post! I'm looking forward to seeing what you can find. Thanks!

    1. Thanks Harlan, it was a whirlwind couple of days. Thanks for bringing up the idea of digging into it a bit more! I am still really surprised by how little data is actually there, although I think the memory dump probably contains most, if not all, of what was seen.

      I wish I had a good explanation for the "TCP" connection(s) too, hopefully someone can provide some more insight to that!