Exploration Forensics Final Update

Introduction

As the Exploration Forensics team wraps up our last few weeks at the LCDI, we have been making progress in analyzing the mobile application files. We’ve also concluded our research on the Ovilus V for the time being, even though it did not meet our original expectations. Despite unexpected hurdles throughout the semester, the team has learned a lot in the past few months and we are hopeful that this project will be successful if given more time.

The Ovilus V

As we’ve mentioned in our other blogs, we’re not only working with the Paranormal Puck, but a device from Digital Dowsing called the Ovilus as well. When first conducting research for the project submission in December of last year, the Ovilus was able to connect to a network, and we thought that we would examine packets being sent.

Unfortunately, when we received the device, we weren’t able to connect to our network. We took another look at the website and realized that, between when we were originally researching for the project and when we received the device, “the unit no longer has wireless connectivity as it was an under utilized feature that consumed extra power and was previously preventing a larger speaker” (quoted from the product listing on the Digital Dowsing website). As a result of this revelation, we had to think on our feet and find a solution for this big chunk being taken out of our project.

We ended up trying to analyze USB traffic using USBPcap. That didn't lead anywhere other than recognizing what was stored on the Ovilus, as expected.

Then we opened up a broken hard drive and pulled the magnets from it. We intended to use them to create false positives by messing with the electromagnetic sensors in the devices. The magnets were able to affect the Ovilus a little bit, but nothing astronomical like we were hoping.

Decompiling APK and .ipa Files

To decompile the Apple applications, we first jailbroke the iPad. Then, we used the Cydia extension called ipainstaller, which extracts the .ipa file. An .ipa file is an Apple-specific version of a zip file. This allowed us to copy and analyze the contents of the app. We used Radare2 to investigate the assembly code of the application. We looked for indications of the credibility of the sensors, what sensors are used, and how the application operates.
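As an added illustration (not code from the LCDI team or the app vendors), the Python script below treats an .ipa as the zip archive it is: it locates the .app bundle under Payload/, reads Info.plist, and identifies the main binary by its Mach-O magic bytes, which is the file that would then be handed to Radare2. The bundle name, identifier and file contents are constructed for the example.

```python
import io
import plistlib
import zipfile

# Mach-O magic numbers as they appear on disk (little-endian for the thin
# headers, plus the big-endian fat/universal header). Used only to recognise
# the main executable inside the bundle.
MACHO_MAGICS = {
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O fat/universal",
}

def build_sample_ipa() -> bytes:
    """Constructed sample .ipa (not a real app): Payload/<name>.app/ holding an
    Info.plist and a stand-in executable that starts with the 64-bit Mach-O magic."""
    info = {"CFBundleIdentifier": "com.example.demo",   # constructed value
            "CFBundleExecutable": "Demo",
            "CFBundleShortVersionString": "1.0"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(info))
        z.writestr("Payload/Demo.app/Demo", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
        z.writestr("Payload/Demo.app/Assets.car", b"constructed asset blob")
    return buf.getvalue()

def inspect_ipa(ipa_bytes: bytes) -> dict:
    """Open an .ipa as a zip, find the .app bundle, read Info.plist and report
    the main executable and its binary format."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = z.namelist()
        # The bundle's Info.plist sits exactly at Payload/<Something>.app/Info.plist
        plist_name = next(n for n in names
                          if n.startswith("Payload/") and n.endswith(".app/Info.plist")
                          and n.count("/") == 2)
        app_dir = plist_name.rsplit("/", 1)[0]
        info = plistlib.loads(z.read(plist_name))
        exe_path = f"{app_dir}/{info['CFBundleExecutable']}"
        magic = z.read(exe_path)[:4]
        return {
            "bundle_id": info.get("CFBundleIdentifier"),
            "executable": exe_path,
            "format": MACHO_MAGICS.get(magic, "unknown"),
            "files": sorted(n for n in names if n.startswith(app_dir + "/")),
        }

if __name__ == "__main__":
    print(inspect_ipa(build_sample_ipa()))
```

On a real extracted .ipa, `inspect_ipa(open("app.ipa", "rb").read())` gives the path of the binary to load into Radare2 and a quick inventory of the bundle's other files.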

To decompile the Android application, the team downloaded the APK Extractor application from the Google Play Store. After obtaining the APK file, the specific application file can be “shared” to a Google Drive account. We’re going to use software to decompile and analyze the APK file.

Conclusion

As this will be our final blog for the semester, our team would like to thank you for reading these and staying updated as we worked through problems and found solutions. Keep an eye out for our final report, which will be posted in the weeks to come, where we’ll be going into detail about our work this semester. Have a fantastic summer!