One of the things that I absolutely love about the DFIR community is the amount of communication and idea/information sharing that happens between members of the community. A few weeks ago Ken Pryor posed a question on Twitter regarding extracting data from a Tracfone. I shared my experience with using a Bluetooth connection to get a few files, and Harlan Carvey asked what experience we've seen with regards to Bluetooth data exfiltration.
 |
| The Twitter conversation that started this post! |
To date, I have not seen Bluetooth used for data exfiltration on a case that I worked, but since there is such a large crossover between personal mobile devices and the corporate environment, I was curious to see what evidence I could find of data exfiltration when I used Bluetooth to send a file from my laptop (running Windows 8.1) to my Galaxy Note 2 (running Android 4.3).
I first had to pair the devices, which was accomplished by turning Bluetooth on (on both devices), and confirming on each device that I was indeed pairing the devices together. Once I paired the devices, Windows 8 presented me with the following console on my laptop:
 |
| Windows 8 Bluetooth console |
For the purposes of this post, I created a TrueCrypt file named "exfil.doc" (for more on TrueCrypt, please visit my previous blog post). I opened the file in HexWorkshop to confirm the lack of a file header, the file size is cleanly divisible by 512, and the character distribution is 0.39%, which is exactly what I expected to see:
 |
| File header of "exfil.doc" |
 |
| File size cleanly divisible by 512 |
 |
| 0.39% character distribution in "exfil.doc" |
Once I had my "document" ready to "exfiltrate", I had to choose the file to send using the "File Operations" option within the Bluetooth console
 |
| File Operations tab within Bluetooth console |
 |
| I choose this one! |
Once I chose the file, Windows queued it to transfer the file from my laptop to my phone.
 |
| Bluetooth FileTaskManager waiting to transfer file |
My phone presented me with a message that I had to first accept in order for the data to be transferred.
 |
| Bluetooth file transfer notification on Galaxy Note 2 |
 |
| And so it begins.... |
The file, which was 543MB in size, took about 55 minutes to transfer via Bluetooth. I was a little bit surprised that it took that long, but since I don't use Bluetooth on my laptop (in fact, with the exception of this post, I have it disabled) the slower speeds may have been caused because the drivers/software were not updated.
 |
| Files sent to my Galaxy Note 2 via Bluetooth |
On Windows 8, the "History" tab of the FileTaskManager window shows the history of files that are transferred. You can see my attempts to transfer files, and failed attempts as well. I am hoping to find this data either recorded on disk and/or within the memory dump from the system. This data can also be cleared by the user, so it may not always be populated.
 |
| FileTaskManager history |
Part 2 of this post will include evidence related to the Bluetooth transfer that I find within the memory dump and drive image. As Harlan pointed out, at the very least there should be evidence of the Bluetooth connections in the Registry and within Shellbags. I am hopeful that there can be some evidence found on the device (and in the memory dump) of the actual file transfer itself, but I have to wait for the image to finish, load it up, and see what I can find!
Brian,
ReplyDeleteFascinating post! I'm looking forward to seeing what you can find. thanks!
Thanks Harlan, it was a whirlwind couple of days. Thanks for bringing up the idea of digging into it a bit more! I am still really surprised by how little data is actually there, although I think the memory dump probably contains most, if not all, of what was seen.
DeleteI wish I had a good explanation for the "TCP" connection(s) too, hopefully someone can provide some more insight to that!