With the rise of secure communications, there has been an increase in analysis of these implementations. Recently, the EFF released a Secure Messaging Scorecard to help users evaluate the security level of each of the products evaluated. Some of the criteria used by the EFF for evaluation included:
- Encrypted in transit?
- Encrypted so the provider can't read it?
- Can you verify the contacts' identities?
- Are past comms secure if keys are stolen?
- Is the code open to independent review?
- Is the security design properly documented?
- Has there been any recent code audit?
All of these questions are a great starting place, but one of the items that could be misleading is "Can you verify the contacts' identities?" (more on this later). A further question we thought would be relevant is: can metadata from Silent Circle be extracted to complement timeline analysis?
Why is this important?
For us, this was important because we have had more than one case where we had to create a detailed timeline of a conspiracy of sorts, where any secure communications utilized would be very helpful in identifying and correlating the transmission of sensitive data. We don't really need the data; we just need to know when someone took extra steps to conceal their activity.
assumption that was perceived in the EFF criteria is an absence of data, something which we have found to be plentiful in an investigation where
frequency analysis plays a key role in the
corner piece needed in the
Also, if we can correlate the usernames to actual identities (note: this is not really that hard), frequency analysis becomes much more valuable. Cases where this has been valuable in the past for other entities can be found when General Michael Hayden admitted.
How to acquire valuable MetaData from Silent Circle?
- Acquire a phone, or the backup of a phone where SilentCircle/SilentText is installed.
- Acquire SilentTex.sqlite file.
- View the ZMISSIVE table. Within this table is the following structure.
offset. The areas of interest for us really revolve around ZDATE and ZTOJID. ZTOJID is really the source or recipient.
- Let's start with ZDATE. In its normal form it looks like this: 391691884.675269. Now we need to quickly identify the format of the data and push this into DCode.
- Select your offset in Add Bias. Set the Decode format to MAC: Absolute Time and the Value to decode to 391691884.675269 (the value acquired from ZDATE). Now hit Decode.
The ZDATE column appears throughout most of the Silent Circle tables set up in SQLite and is quickly discernible as valuable in the data model. Other areas that are valuable may be ZSCIMPOGENTRY and ZINFOENTRY.
ZINFOENTRY is very valuable, as the ZJSONDATA field is also good for correlating valuable timeline information for activities of interest.
Running down this rabbit hole, one of the most interesting areas lies within the ZCONVERSATION table, where ZREMOTEJID values exist. This is all very helpful in looking at
viewed, receipt of messages.
Wed, 26 February 2014 12:59:23 UTC
Wed, 26 February 2014 13:00:34 UTC.
Then you can add this into your timeline of conversations. Similar data can be observed within SilentPhone, but SilentText is of greater value due to the value of instant messages over phone calls when placed in the context of human behavior.
- Another piece to investigate will involve metadata that can be retrieved from
- The unallocated space that can be carved within SQLite is helpful to clean as well. Valuable username information can be gleaned from this area.
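The ZMISSIVE steps above can be scripted instead of decoding each ZDATE by hand in DCode. This is an added example, not code from the original post or from Silent Circle; it assumes only the table and column names the post names (ZMISSIVE, ZDATE, ZTOJID) and builds a constructed in-memory copy of that table, with made-up JIDs, so it runs offline. Mac Absolute Time counts seconds from 2001-01-01 00:00:00 UTC, which is the conversion DCode performs.

```python
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone

# Mac Absolute Time (Core Data / NSDate) epoch: 2001-01-01 00:00:00 UTC.
MAC_ABSOLUTE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def mac_absolute_to_utc(value):
    """Decode a ZDATE-style Mac Absolute Time float to an aware UTC datetime."""
    return MAC_ABSOLUTE_EPOCH + timedelta(seconds=float(value))


def make_sample_db():
    """Constructed stand-in for SilentText.sqlite; only the columns the post uses."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE ZMISSIVE (Z_PK INTEGER PRIMARY KEY, ZDATE REAL, ZTOJID TEXT)"
    )
    con.executemany(
        "INSERT INTO ZMISSIVE (ZDATE, ZTOJID) VALUES (?, ?)",
        [
            (391691884.675269, "alice@example.org"),  # value quoted in the post
            (391691950.0, "bob@example.org"),
            (391691800.5, "alice@example.org"),
            (None, "carol@example.org"),  # NULL dates are skipped below
        ],
    )
    return con


def build_timeline(con):
    """Return [(iso_utc_timestamp, jid), ...] for ZMISSIVE rows, oldest first.

    Sorting is done on the raw float, not on the ISO string, so rows with and
    without a fractional second still order correctly.
    """
    rows = con.execute(
        "SELECT ZDATE, ZTOJID FROM ZMISSIVE WHERE ZDATE IS NOT NULL ORDER BY ZDATE"
    ).fetchall()
    return [(mac_absolute_to_utc(zdate).isoformat(), jid) for zdate, jid in rows]


def contact_frequency(timeline):
    """Count messages per JID; the frequency signal the post is after."""
    return Counter(jid for _, jid in timeline)


if __name__ == "__main__":
    tl = build_timeline(make_sample_db())
    for stamp, jid in tl:
        print(stamp, jid)
    print(dict(contact_frequency(tl)))
```

The decoded timestamps can be appended directly to a timeline alongside entries from other sources; the ZDATE value quoted in the post decodes to 2013-05-31T11:18:04.675269 UTC.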
Stepping away from timeline-based metadata (pushing information in your timeline into TimeMap), you might also want to carve out all of the usernames or aliases someone has set up in SilentPhone. For this, load up zids_sqlit.db and pivot to the zrtpNames table. (Sidenote: don't ostel, jabber and zrtp just sound familiar to Silent Circle stuff? I'm just saying.) Within this table there is the name field, with each alias associated with the SilentPhone address book. If luck is on your side, the dossiers and other information you have already built in your case will correlate. We haven't had this problem to date. You shouldn't either.
Wrapping all of this up, there is a great deal of information to be exploited when you only need to correlate metadata on a timeline surrounding an event or an interesting investigation/conspiracy across different mediums. While Silent Circle and Silent Text help keep things encrypted, they aren't that forgiving when it comes to giving away information about when sensitive data may have been transmitted over a period of time. Only having information on co-conspirators and the frequency of information transmitted has always been enough for some of our investigations to push farther; can you imagine what a state-sponsored entity might pursue?