The Threat of MetaData; MetaData leaks in Silent Circle

With the rise of secure communications, there has been an increase analyzing these implementations. Recently, EFF had released a Secure Messaging Scorecard to help users evaluate the security levels of each of the products evaluated. Some of the criteria used by EFF for evaluation included:

  • Encrypted in transit?
  • Encrypted so the provider can't read it?
  • Can you verify the contacts's identities?
  • Are past comms secure if keys are stolen?
  • Is the code open to independent review?
  • Is security design properly documents?
  • Has there been any recent code audit?

All of these questions are a great starting place, but one of the items that could be misleading is Can you verify the contacts' identities? (more on this later). Further questions we thought would be relevant would be: Can metadata from silent circle be extracted to compliment timeline analysis?.

Why is this important?

For us, this was important because we have had more than one case where we had to create a detailed timeline of a conspiracy of sorts, where any secure communications utilized would be very helpful in identifying and correlating the transmission of sensitive data. We don't really need the data, we just need to know when someone took extra steps to conceal their activity.

Eg. Metadata frequency.

Another assumption that was perceived in the EFF criteria is an absence of data, something which we have found to be plentiful in an investigation where metadata and frequency analysis play a key role in the corner piece needed in the puzzle.

Also, if we can correlate the usernames to actual identities ( Note: This is not really that hard)*, frequency analysis becomes much more valuable. Cases where this has been valuable in the past for other entities can be found when General Michael Hayden admitted.

"We kill people based on metadata - Gen. Michael Hayden".

How to acquire valuable MetaData from Silent Circle?

  • Acquire a phone, or the backup of a phone where SilentCircle/SilentText is installed.
  • Acquire SilentTex.sqlite file.
  • View the Zmissive Table. Within this table is the following structure. z_pk, z_ent, z_opt, zconversation, zdate, zshreddate, zscppid, ztojid, zdata, offset. The areas of interest for us really revolve around: zdate and ztojid. ZTOJID is really the source or recipient.
  • Let's start with zdata. In its normal form it looks like this: 391691884.675269. Now we need to quickly identify the formatting of the data and push this into dcode. dcode tool
  • Select your offset in addbias. Set the Decode format: MAC: Absolute Time
    Value to decode: (information acquired from a zdate field)
    Eg. 391691884.675269 Now, Hit ((Decode)). The ZDATE is through most of the Silent Circle tables setup in SQLite and is quickly discernable as valuable in the data model. Other areas that are valuable may be: ZSCIMPOGENTRY and ZINFOENTRY. ZINFOENTRY is very valuable, as the ZJSONDATA is also good for correlating valuable timeline information for activities of interest.

Running down this rabbit hole, one of the most interesting area lies within the ZCONVERSATION table, where ZDATA, ZVIEWEDDATE, ZLOCALJID, ZREMOTEJID values exist. This is all very helpful in looking at frequency of sent, viewed, receipt of messages.

For instance:

ZVIEWEDDATE = 415112363.156905 = Wed, 26 February 2014 12:59:23 UTC

ZDATE = 415112434.210521 = Wed, 26 February 2014 13:00:34 UTC.

Then you can add this into your timeline of conversations. Similar data can be observed within SilentPhone, but SilentText is of greater value due to the value of instant messages over phone calls when placed in the context of human behavior.

  • Another piece to investigate will involve metadata that can be retrieved from Z_METADATA -> Z_UUID, and Z_PLIST.
  • The unallocated space that can be carved within SQLlite is helpful to clean as well. Valuable username information can be gleaned from this area.

Stepping away from timeline (Pushing information in your timeline into TimeMap)based metadata, you might also want to carve out all of the usernames or aliases someone has setup in SilentPhone. For this load up zids_sqlit.db, and pivot to the zrtpNames table. (Sidenote, doesn't ostel, jabber, zrtp just sound familiar to SilentCircle stuff, ... I'm just saying) Within this table there is the name field, with each alias associated with the SilentPhone address book. If luck is on your side, the dossier's and other information you have already built in your case will correlate. We haven't not had this problem to date. You shouldn't either.

Wrapping all of this up, there is a great deal of information to be exploited when you only need to correlate metadata on a timeline surrounding an event or an interesting investigation/conspiracy across different mediums.

While, Silent Circle and Silent Text help things be encrypted, they aren't that forgiving when giving away information when sensitive data may have been transmitted over a frequency of time. Only having information on co-conspirators and the frequency of information transmitted has always been enough for some of our investigations to push farther, can you imagine what a state sponsored entity might pursue?