
38C3 2024

Day 2, Jared Naude

The framework for investigations is based on the Berkeley Protocol on Digital Open Source Investigation. The investigation starts with monitoring, assessment, collection, preservation, verification, analysis and reporting. The Tor project wants to help volunteers to stay vigilant on protecting the Tor network and its users.


Combating bad relays is hard as it takes time and expertise to investigate the associated data. Tor has created an open source investigation proposal to help with investigations. False positives are real and need to be reviewed, which adds further to the challenge.


Attacking iOS is getting harder with the defenses that Apple has put in place. This often means that an exploit chain is required to compromise a phone.


A user was de-anonymized and the Tor project has looked at preventing further attacks. A suggestion was to add padding to traffic; however, traffic was already padded. Another suggestion was adding delays; however, this is not suitable for the broad range of users that use Tor.


A summary showing infection mechanisms and the forensic artifacts that are left / removed when an infection occurs.


If you are analyzing backups, there are specific files that can be analyzed for traces of an infection.


Sysdiagnose can be used for analyzing a phone for an infection. The table below shows the capabilities of the tool. Forensic analysis has some challenges, which include the amount of time that it takes: backups can take hours depending on how much storage the user has. The user needs to interact with the phone during the analysis process, and it requires some knowledge of IT to do properly.


Guardians of the Onion: Ensuring the Health and Resilience of the Tor Network by Hiro & Gus

This talk will cover recent news, the current state of the network, how we determine its health, and the strategies to strengthen its resilience, addressing challenges around sustainability and governance. 🧵


In 2019, a campaign against Uyghurs in Nepal was attributed to i-Soon and used 14 individual exploits. Data was transferred in an unencrypted way.


In 2022, an app by RCS Labs was used to perform the infection, using multiple exploits. In 2023, Kaspersky found an active exploitation that chained 4 exploits together to perform the exploit. The actor is unknown, but they made a mistake by not removing a specific entry from the process database.
