[1]Institute for Digital Forensics IDF; Mobile Telephone Examination Board MTEB; London, England
Useful links:
1) https://www.cs.cmu.edu/~cil/gif87a.doc
2) http://www.martinreddy.net/gfx/2d/GIF87a.txt
3) http://www.intel-assembler.it/portale/5/Compuserve-Graphics-Interchange-Format/Gif87a-Gif89a-specification-format.asp
4) https://tools.ietf.org/pdf/rfc2083
Often described as a simple image format that is not often used today, BITMAP has a well defined format standard; it has been said, by non-technical individuals who are unaware of that standard, to have a convoluted structure.
https://en.wikipedia.org/wiki/BMP_file_format#File_structure
IMAGES SENT WITH MESSAGES
Whilst the station classmark (SCM) can be useful (GSM 04.08 UE signalling to network), an examiner needs to look further into the standards for guidance about image attachments associated with SMS, EMS and MMS.
SMS - TS 23.040
MMS - TS 22.140, TS 23.140, TS 26.140, TS 26.141
The relevant standards to review are:
3GPP TS 22.140 - Multimedia Messaging Service (MMS); Stage 1
3GPP TS 23.140 - Multimedia Messaging Service (MMS); Functional description; Stage 2
3GPP TS 26.140 - Multimedia Messaging Service (MMS); Media formats and codecs
MMS - http://www.3gpp.org/specifications/79-specification-numbering
OMA - http://www.openmobilealliance.org/release/MMS
SMIL - http://www.w3.org/TR/smil20/
Open Mobile Alliance
OMA-AD-MMS-V1_3-20110913-A.pdf
SMIL (Synchronized Multimedia Integration Language)
MMS SMIL - SMIL subset defined for MMS interoperability purposes
SMIL is used for the presentation of multimedia messages on mobile terminals. The window size can be severely limited by the resolution and appearance of the receiving terminal's display, and the layout may not fit into the display of the receiving mobile terminal. MMS SMIL can handle this, possibly by changing the relative position of the different elements. Could this cause the corrupted or incomplete state of the message in this case?
.BMP ASSEMBLED
Considered graphics file formats

Standard bitmap file formats:
- Graphic Interchange Format (.gif)
- Joint Photographic Experts Group (.jpeg, .jpg)
- Tagged Image File Format (.tiff, .tif)
- Windows Bitmap (.bmp)

Standard vector file formats:
- Hewlett Packard Graphics Language (.hpgl)
- Autocad (.dxf)
- Etc.

Nonstandard graphics file formats:
- Targa (.tga)
- Raster Transfer Language (.rtl)
- Adobe Photoshop (.psd) and Illustrator (.ai)
- Freehand (.fh9)
- Scalable Vector Graphics (.svg)
- Paintbrush (.pcx)
- Etc.
Various graphics file viewers were used:
- Windows Photo Viewer
- Paintbrush
- IrfanView
- XnView
- Opanda Professional
- Etc.
.BMP RECONSTRUCTION
For the purposes of this presentation a second opinion was sought on validation of the findings, which were independently assessed by David Wren, MD., PassMark.
- There is still the work involved to identify which part of the data is padding and which is the encrypted content (trial and error).
- There is still the work to discover which encryption algorithm is involved and whether the program was created by the user or sourced online, etc.
- Etc.
A peek inside a working copy of Encryption.exe revealed the encryption capability.
For reference visit: https://en.wikipedia.org/wiki/XOR_cipher
“Stars.bmp” - .bmp file signature and hex dump (partial; 54-byte header followed by the start of the pixel data):
424D3E0700000000000036000000280000001800000019000000010018000000
00000807000000000000000000000000000000000000
655A5A47155F441850125E5B575F5B5D11574B55585F595D431540144144
56515F5B5D531542524B4512475B1552525B5E565614425E564C115E5C5B
5E451754585956145416195A5C42135D5857505D11504640155F4418585C
5555564217591141565747534318545C50464C46435D55125E514645565F
541240515B4217594212521441534F4C115F56474657505D11465C144643
505F54414714415E564C11465B511544525B58574551474517555E505A58
501647505E5C5614585955515D5713505C5217565E46135C544052185012
5B555B525B5D43125C461552455147574114415917515F4656464544524C
1153131A575B4718575B5F511B
12345678
42 4D - Bitmap file signature
Hex-decimal highlighted in yellow on the original slide - discovered to be padding
Decryption Key - 12345678
The real message used a basic encryption (hex bytes):
655A5A47155F441850125E5B575F5B5D11574B55585F595D431540144144
56515F5B5D531542524B4512475B1552525B5E565614425E564C115E5C5B
5E451754585956145416195A5C42135D5857505D11504640155F4418585C
5555564217591141565747534318545C50464C46435D55125E514645565F
541240515B4217594212521441534F4C115F56474657505D11465C144643
505F54414714415E564C11465B511544525B58574551474517555E505A58
501647505E5C5614585955515D5713505C5217565E46135C544052185012
5B555B525B5D43125C461552455147574114415917515F4656464544524C
1153131A575B4718575B5F511B
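The following Python is an added example, not code from the presentation, from PassMark or from Encryption.exe. It ties the earlier note on the well defined BMP file structure to the Stars.bmp dump above: it decodes the 54-byte header from the slide's hex, checks that the declared file size and image size agree with the width, height and bits-per-pixel (a hand-built or altered header often fails that check), and then applies the repeating-key XOR cipher the slides attribute to Encryption.exe using the key shown on the slide. The hex constants are transcribed from the slide; treating 12345678 as the ASCII key string "12345678" is an assumption, confirmed by the readable text it yields. Note that the header declares an 1800-byte pixel array while the slide reproduces only 253 bytes of it, so the constants here are a truncated copy of the file, and the code reports that shortfall rather than hiding it.

```python
import string
import struct

# Hex transcribed from the slide: the 54-byte "Stars.bmp" header and the
# 253-byte encrypted message that follows it. Only this much of the 1854-byte
# file appears on the slide, so the pixel array below is deliberately incomplete.
STARS_BMP_HEADER_HEX = (
    "424D3E0700000000000036000000280000001800000019000000010018000000"
    "00000807000000000000000000000000000000000000"
)
ENCRYPTED_MESSAGE_HEX = (
    "655A5A47155F441850125E5B575F5B5D11574B55585F595D431540144144"
    "56515F5B5D531542524B4512475B1552525B5E565614425E564C115E5C5B"
    "5E451754585956145416195A5C42135D5857505D11504640155F4418585C"
    "5555564217591141565747534318545C50464C46435D55125E514645565F"
    "541240515B4217594212521441534F4C115F56474657505D11465C144643"
    "505F54414714415E564C11465B511544525B58574551474517555E505A58"
    "501647505E5C5614585955515D5713505C5217565E46135C544052185012"
    "5B555B525B5D43125C461552455147574114415917515F4656464544524C"
    "1153131A575B4718575B5F511B"
)
# The slide labels 12345678 as the decryption key. Treating it as the ASCII
# string "12345678" is an assumption; the printable output confirms it.
XOR_KEY = b"12345678"


def parse_bmp_header(data: bytes) -> dict:
    """Decode the BITMAPFILEHEADER (14 bytes) and BITMAPINFOHEADER (40 bytes).

    All fields are little-endian. The result also carries the pixel-array size
    implied by width/height/bpp so it can be compared with the declared
    biSizeImage and bfSize fields.
    """
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP with a 40-byte DIB header")
    file_size, _res1, _res2, pixel_offset = struct.unpack_from("<IHHI", data, 2)
    (dib_size, width, height, planes, bpp, compression,
     image_size, _xppm, _yppm, _clr_used, _clr_important) = struct.unpack_from(
        "<IiiHHIIiiII", data, 14)
    if dib_size != 40:
        raise ValueError(f"unexpected DIB header size {dib_size}")
    # Each pixel row is padded up to a multiple of 4 bytes.
    row_bytes = ((width * bpp + 31) // 32) * 4
    return {
        "file_size": file_size,
        "pixel_offset": pixel_offset,
        "width": width,
        "height": height,
        "planes": planes,
        "bits_per_pixel": bpp,
        "compression": compression,
        "image_size": image_size,
        "row_bytes": row_bytes,
        "expected_image_size": row_bytes * abs(height),
    }


def header_is_consistent(h: dict) -> bool:
    """True when the declared sizes agree with the image geometry."""
    return (h["image_size"] == h["expected_image_size"]
            and h["file_size"] == h["pixel_offset"] + h["image_size"])


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the cipher the slide attributes to Encryption.exe."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; a quick way to judge a candidate key."""
    ok = set(string.printable.encode())
    return sum(b in ok for b in data) / len(data) if data else 0.0


def recover_message() -> str:
    """Decrypt the slide's payload with the slide's key and return it as text."""
    return xor_decrypt(bytes.fromhex(ENCRYPTED_MESSAGE_HEX), XOR_KEY).decode("latin-1")


if __name__ == "__main__":
    header = parse_bmp_header(bytes.fromhex(STARS_BMP_HEADER_HEX))
    print(header, "consistent:", header_is_consistent(header))
    payload = bytes.fromhex(ENCRYPTED_MESSAGE_HEX)
    print(f"{len(payload)} of {header['image_size']} pixel bytes are shown on the slide")
    print("printable ratio:", round(printable_ratio(xor_decrypt(payload, XOR_KEY)), 3))
    print(recover_message())
```

The header check is the part worth keeping in an examiner's toolkit: a file whose bfSize or biSizeImage disagrees with its geometry is a cue that the pixel area is carrying something other than pixels, and the printable-ratio test gives a cheap way to confirm a candidate key before reading the output.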
- Where examination laboratories are harvesting tens of thousands of texts and other messages, a message like this might not be seen as relevant.
END
FCORD2017
.bmp sent with a text message