///Hacking in Parallel – Berlin///

Finding (state) malware: methods and tools for civil forensic analysis
2022-12-28 , HIP - Track 1 - Room 5
Language: English

Not only since the Pegasus Project, which exposed the surveillance of numerous activists, journalists and opposition figures by the NSO Group's Pegasus state malware, state malware have posed a threat to the privacy of those affected and their contacts. In order to make such attacks visible and provable, analyses are needed using methods and tools similar to those used by security agencies, but which should be open source and adhere to ethical standards of consensual forensics. In our workshop we want to give an overview of what approaches, methods, and tools are suitable for these analyses to best perform forensic data extraction in a civilian context and present what tools and scripts we have developed ourselves. We all work in civil forensics ourselves and want to share our experiences on what has worked for us and what has not.
The presented tools are of course not only suitable for the search of state malware, but also for any other malware such as stalkerware or ransomware.


Not only since the Pegasus Project, which exposed the surveillance of numerous activists, journalists and opposition figures by the NSO Group's Pegasus state malware, state malware have posed a threat to the privacy of those affected and their contacts. In order to make such attacks visible and provable, analyses are needed using methods and tools similar to those used by security agencies, but which should be open source and adhere to ethical standards of consensual forensics. In our workshop we want to give an overview of what approaches, methods, and tools are suitable for these analyses to best perform forensic data extraction in a civilian context and present what tools and scripts we have developed ourselves. We all work in civil forensics ourselves and want to share our experiences on what has worked for us and what has not.
The presented tools are of course not only suitable for the search of state malware, but also for any other malware such as stalkerware or ransomware.

Topics and tools we present are:

Collecting data:

* Android/iOS: Mobile Verification Toolkit (MVT), android-qf.
* HDD/SSD Image: guymager
* Windows/Mac: pc-qf

Evaluating data:

* Indicator of Compromise (IoC) Management (MISP).
* Mobile Verification Toolkit (MVT)
* Sysdiagnose exports: analyze processes
* PCAP evaluation (TinyCheck)

For these steps and typical attack patterns we explain reasonable approaches and what has been proven in our work.

Some music with Systemabsturz, some privacy advocacy with CCC, some IT security for activists and some smartphone forensics.

Future updates on IT security for activism things will be posted here: https://chaos.social/@schluevik

This speaker also appears in:

I study computer science at FU Berlin and work at the Digital Security Lab of RSF. I am also a freedom of information and privacy activist.
My blog: https://besendorf.org
My FragDenStaat profile: https://fragdenstaat.de/profil/j.besendorf/
Mastodon: @besendorf@chaos.social

I work as a "Werkstudent" at Reporter ohne Grenzen (RSF) on digital forensics. I'm also currently still studying for my master's degree at the Freie Universität (FU) Berlin.