Tuesday, April 15, 2014

Kindle Fire HDX Forensics Research Conclusions

It has been a while since I have had a chance to update the blog about my research. I am considering publishing my research if I get the chance. This blog post is a chance for me to summarize some of the most interesting findings.

Why the Kindle Fire HDX?
• The purpose of my research into the Kindle Fire HDX is to find out where data is stored and what forensically pertinent data could be useful to an investigation.
• The Kindle Fire HDX is the newest Kindle brand e-book reader released by Amazon, meaning there is little to no forensic research that has been done.
• You might be surprised how much the Kindle logs.

What Was Done?
• Normal user activity was performed and noted.
• A file system extraction was performed using a Cellebrite Touch Ultimate. The operating system, Fire OS 3, branched off from Android 4.2.2.
• The Kindle was rooted to provide root level access to the Kindle data areas not normally available to users.
• The media was examined using the UFED Physical Analyzer and SQLite Database Browser.

Where Did the Research Go?
• Databases contained valuable forensic artifacts.
• The most interesting artifacts came from Facebook, Silk Web Browser, Email, and the Amazon Cloud Drive.
• Information such as system logging and event logging kept track of nearly every user action, for example, turning the Kindle on or off, connecting to Wi-Fi, and search queries.

So, what is the significance of these findings?

The digital forensic community could benefit from this research if analysis needed to be performed on a Kindle Fire HDX. The Kindle stores a lot of user activity and user data that could help investigators provide evidence. Artifacts pertinent to an investigation could help show that a suspect was at a crime scene at the time or nowhere near the crime when it happened, show patterns of behavior, show that a suspect had contraband on the Kindle, create a timeline, and show relationships between the suspect and accomplices through their communications.

Kindle users may be concerned to know how much information about themselves is actually stored on the Kindle itself and on the Amazon cloud. Users may not be aware how much of the activity they perform on the Kindle is logged, dated, and available in plain text. Hopefully the research into the Kindle will provide users with better insight and precautions when using their Kindle. People today have become much more aware of the information that can be recovered from their computers, but may not yet be as aware how much information can be recovered from their e-book readers. Additionally, awareness about the Kindle may provide incentive for Amazon to implement higher standards for security in the future.


Monday, February 10, 2014

Forensics on a Kindle Fire HDX?

Many people's first impression when they hear "Kindle" is an e-book reader. This is a deceptive first impression as one may think a simple e-book reader cannot store much information on it. The purpose of my research into the Kindle Fire HDX is to find out where data is stored and what forensically pertinent data could be useful to an investigation.

I have already started working on my research project into the Kindle Fire HDX and am starting to formulate more ideas about the direction I want to go with my research. Previous students at Champlain have done work on older models of Kindles, which has helped me validate and guide the direction I initially wanted to take this project. One student ran into problems rooting their Kindle and gaining access to the data area. I don't believe this will be a problem for me as I have already found two guides on how to root the Kindle Fire HDX, linked to in my first blog post.

The important information I would like to learn more about at the moment is:

  • The web history and online data stored on the Kindle
  • The calendar
  • The cloud drive
  • Apps including social media such as Facebook
  • The Kindle Fire HDX's capacity to act as a cell phone by sending and receiving phone calls, texts, or media
  • Where downloads are stored for different file types
  • Email services, especially deleted messages
  • How passwords are stored for the Kindle, online web sites, and apps
  • What, if any, encryption can be used on the Kindle Fire HDX
  • Wi-Fi settings
  • Deleting files
  • Settings and how they affect how the Kindle Fire HDX works

Another goal I have is to create a hash set of the databases, videos, pictures, and texts, also known as a Known File Filter (KFF) in Forensic Toolkit (FTK). This should allow me to easily compare basic information found on the Kindle Fire HDX to new user-initiated data, thus eliminating some of the "noise".
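The hash-set filtering described above can be sketched outside FTK. This is an added example, not code from the original post or from FTK: it hashes every file in a baseline tree and reports files in a later tree whose content is not in that set. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large media files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_hash_set(root):
    """Return the set of SHA-256 digests for every regular file under root."""
    return {sha256_file(p) for p in Path(root).rglob("*") if p.is_file()}


def filter_known(root, known_hashes):
    """Return relative paths under root whose content is not in the baseline."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and sha256_file(p) not in known_hashes
    )


def demo():
    """Constructed sample: a factory-state tree and a post-activity tree."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline, later = Path(tmp, "baseline"), Path(tmp, "later")
        for tree in (baseline, later):
            (tree / "data/app").mkdir(parents=True)
            (tree / "data/app/stock.png").write_bytes(b"factory image bytes")
            (tree / "data/app/settings.db").write_bytes(b"factory settings")
        # Simulated user activity: one changed file and one new file.
        (later / "data/app/settings.db").write_bytes(b"settings after use")
        (later / "data/app/photo.jpg").write_bytes(b"user photo bytes")
        return filter_known(later, build_hash_set(baseline))


if __name__ == "__main__":
    for path in demo():
        print("not in baseline:", path)
```

A database that gains even one row gets a new digest, so hash filtering only flags that the file changed; finding which rows are new still requires opening the database.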

Another goal I had was to look into MAC times on the Kindle Fire HDX. Forensics expert Dan Farmer blogs about the importance and risks of using MAC times in forensic analysis in "What Are MACtimes?". MAC times are metadata about a file that help keep track of when the file was created, moved, cut, copied, or used, and are usually in the form of LastWriteTime, LastAccessTime, and CreationTime. This type of information can help determine a timeline of events and help investigators come to different conclusions about what users were doing.

Wednesday, January 29, 2014

Kindle Fire HDX File System Extraction





Yesterday I was trying to get a physical image of my Kindle Fire HDX 7 software version 13.3.1.0 using the Cellebrite Touch Ultimate and did not have any luck. I found that the operating system is Fire OS 3 which branched off from Android 4.2.2. Even if I could have got an image I would have needed to wait for the dongle for the UFED Physical Analyzer to get updated. 

Today I came into the lab thinking I could use the UFED Physical Analyzer to take a physical image of the Kindle. It turns out that the software is used to view the physical image, not to take one. Thus I needed to get an image somehow. I took out the Cellebrite Touch Ultimate again and took another look at my options. There is an option to take a physical extraction of the file system. I figured this would provide me with all of the forensically important data. The state of the Kindle is restored to factory settings as if it had never been used. This physical extraction should serve as a baseline.

The extraction gave me 158 images, four videos, 193 text, and 93 databases. My initial inventory of the information reveals a lot of interesting data within the databases. For example:

  • /data/data/com.amazon.venezia/app_amazon_webview/amazon_webview/Archived History contains keyword search terms, urls, visit sources, and visits.
  • /data/data/com.amazon.cloud9/databases/browser.db contains domain performance statistics, pages, saved pages, stock searches, tab history, tabs, trending pages, url performance statistics, and user agent preferences. Six pages are already set: Amazon.com, Bing, Facebook, Yahoo!, Wikipedia, and YouTube.
  • /data/data/com.android.providers.calendar/databases/calendar.db contains Calendar Alerts, Calendar Cache, Calendars, Events, and Reminders.
  • /data/data/com.amazon.zico/databases/cloud_drive.db contains files to pin, files to upload, opened files, pinned objects, and serialized values. It is interesting that there is data on the Kindle that is related to the cloud drive, which should store data outside the Kindle.
  • /data/data/com.amazon.kindle.cms/databases/cms.db contains apps (there are already eleven: com.amazon.camera, com.amazon.settings, com.amazon.email, com.amazon.contacts, com.amazon.deskclock, com.amazon.cloud9, com.amazon.csapp, com.amazon.windowshop, com.amazon.tahoe, com.goodreads.kindle, com.android.calender), audiobooks, books, carousel, collections, docs, favorites, music, periodicals, recommendations, user items, and users. It is interesting that I could not view user items and there are 41 of them.
  • /data/data/com.android.providers.contacts/databases/contacts2.db contains accounts, calls, contacts, data, data usage statistics, groups, names lookup, nickname lookup, phone lookup, photo files, raw contacts, settings, status updates, stream item photos, stream items, visible contacts, and voicemail status. This is very interesting to me. I believe the Kindle Fire HDX has the capability to make phone calls, but it is not enabled normally. I wonder if a rooted Kindle could make phone calls.
  • /data/data/com.amazon.mp3/databases/DownloadLibrary.db contains information on music such as albums, artists, downloaded items, genres, playlists, and tracks.
  • /data/data/com.android.providers.downloads/databases/downloads.db contains downloads.
  • /data/data/com.android.email/databases/EmailProvider.db contains Account, Attachments, DMetrics, HostAuth, Mailbox, Messages, Deleted Messages, Message Updates, Policy, and Quick Response.
  • /data/data/com.amazon.venezia/app_amazon_webview/amazon_webview/History contains downloads, keyword search terms, urls, visit source, and visits.
  • /data/data/com.android.providers.telephony/databases/mmssms.db indicates the possibility of texting. MMS is Multimedia Messaging Service and SMS is Short Message Service. Interesting, maybe a rooted Kindle could send and receive texts.
  • /data/data/com.amazon.venezia/files/resources/res.db contains 2178 strings such as “forgot password?” or “To continue, enter your Amazon password:” and each string is presented in five languages: English, Japanese, Chinese, Spanish, and French.
  • /data/securedStorageLocation/com.amazon.tahoe/databases/tahoe.db: I am not quite sure what tahoe.db is. I saw it before as an app that was already installed. I would like to find out more about what this is for.
  • /data/data/com.amazon.avod/databases/webview.db contains formdata, formurl, httpauth, and password. It is interesting that there are passwords stored here. I am curious if they are for online accounts and if they are in plain text or encrypted with hash values. I am also curious how secure these are and if they could be cracked if they are encrypted.
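An inventory like the one above can be scripted over an extracted file tree. This is an added example, not the author's tooling: it finds SQLite files by their header (several of the files listed, such as History, have no .db extension), opens each read-only, and lists tables with row counts. The sample tree reuses one path from the post; the table names and rows are constructed assumptions.

```python
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 file


def is_sqlite(path):
    """Detect databases by header: files such as History have no .db suffix."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def inventory(root):
    """Map each SQLite file under root to {table name: row count}."""
    root, result = Path(root), {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if not is_sqlite(path):
            continue
        # mode=ro opens read-only so the working copy is not written to.
        conn = sqlite3.connect(f"{path.resolve().as_uri()}?mode=ro", uri=True)
        try:
            tables = [row[0] for row in conn.execute(
                "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
            result[path.relative_to(root).as_posix()] = {
                t: conn.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
                for t in tables}
        finally:
            conn.close()
    return result


def demo():
    """Constructed sample: path from the post, table names and rows assumed."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp, "data/data/com.amazon.venezia/app_amazon_webview/amazon_webview")
        app.mkdir(parents=True)
        conn = sqlite3.connect(str(app / "Archived History"))
        conn.execute("CREATE TABLE urls (url TEXT)")
        conn.execute("CREATE TABLE keyword_search_terms (term TEXT)")
        conn.execute("INSERT INTO urls VALUES ('http://example.com/a'), ('http://example.com/b')")
        conn.commit()
        conn.close()
        (app / "notes.txt").write_text("not a database")
        return inventory(tmp)


if __name__ == "__main__":
    print(demo())
```

Run it against a working copy of the extraction rather than the original evidence files, and hash the copy before and after to confirm nothing was altered.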

Thursday, January 23, 2014

Kindle Fire HDX Forensics Research

According to tech-savvy Brian Burguess, one of the main reasons to root the Amazon Kindle is because the Amazon App Store is so limited compared to the apps Google Play has to offer. Gaining root access is more convenient than side-loading, which is a way of installing non-market Android apps onto the Kindle. According to Burguess, “The rooting community has some great information out there, and if you see something unique that isn't addressed in forums, there's a good chance you'll receive an answer quickly.” This leaves me optimistic to try out Kindle HDX Fire 7 forensics. I recently received one as a Christmas gift, and seeing as it is such a brand new piece of technology that uses a familiar operating system, Android, I figured I should be able to gain access to the data area. I have outlined the steps to root a Kindle below.


  • Settings > Device > Enable ADB
  • Use a USB cable to connect the Kindle to the computer.
  • Download the ADB drivers from the XDA-Developers forum and extract the zip file to the computer.
  • Run the ADB drivers.exe file and install.
  • Reboot the machine.
  • Update Driver Software > Browse my computer > Kindle Fire Driver > Install
  • Use the automated script for the Kindle HDX 7 located at https://mega.co.nz/#!2Qw2BRAT!ZGvY7V7GQcn9ucKAEkZmoSwq_SVG6BQk-xT_Kkll2X0 and run runme, which should use ADB to root the Kindle.
  • Download ES File Explorer; its root explorer can be turned on to mount the system, which is root access only (Burguess, AndroidCowboy).

It would be interesting to take an image of the Kindle before rooting it and after, and see what information I gain access to or what information changes. I will be installing different applications, and will especially try to install applications that are not normally allowed on Amazon devices, such as the Google Play apps. Finding out what artifacts are left behind on the Kindle should be worth investigating. As I explore the data area I am hoping to discover some interesting things about the differences between the data area in a rooted Kindle and in a non-rooted Kindle.


http://www.youtube.com/watch?v=ptqvWGWEDnI

http://www.gizmag.com/how-to-root-kindle-fire-hdx/30513/