Monday, September 5, 2011

Introduction to Kindle Forensics

If you haven't figured it out already, this isn't a technical blog. This post is as technical as this blog will get in the foreseeable future. I've been meaning to post this for a while. I worked on this for a few weeks last fall, and I haven't done anything with it since I am moving in a different direction with my thesis. So, I thought I would put this out there for anyone to get a start in Kindle forensics since it's not published anywhere. For more technical forensics of the Kindle, check out Allyn Stott's blog.  

This method uses a jailbreaking process. It may no longer work with the newer Kindle updates. This installs software onto the Kindle and may not be forensically sound, but Cellebrite installs software on some phones in order to retrieve data. I am not familiar with that process (again I am not a technical guy), but if you care to explain it and let me know why it holds up in the courts, please write up a comment.

Future work should include the Kindle mobile app and other eReaders.

I also have a teardown video.

ABSTRACT
The Amazon Kindle is becoming an increasingly popular e-book reader.  This popularity will lead criminals to use the Kindle as an accessory to their crime.  No publications exist at the time of this writing, but various blogs on the Internet attempt to scratch the surface of Kindle forensics.  For this research a populated Kindle was imaged with FTK and compared to the same Kindle after set to factory defaults to determine evidence recoverability.  Analysis of the image exposed the apparent inconsistency of naming conventions of items added to the Kindle.  The reset Kindle image recovered most of the deleted data as picture files.  Another technique was used to gain access to the system partitions, which revealed user metadata; however, some statistics were not located due to the limitations of the technique.  For future work, other challenges of Kindle forensics are identified and recommendations and considerations are given for the digital forensic science community.
Keywords
Amazon Kindle, digital forensics

1.     INTRODUCTION

Jeff Bezos reports that the Kindle is the bestselling, most wished for, and most gifted product on Amazon.com[9].  Bezos is, of course, the founder, president, CEO, and chairman of the board of Amazon.com.  He also reported that Kindle books outsold paper books for the first time on Christmas Day 2009[1].  Bezos says he will not release sales figures because it is a trade secret[13], but most estimates put Kindle sales in the millions[4][5][13][17].  In addition to its sales, 810000 books are available to purchase of which 610,000 are less than ten dollars[9].  This does not include newspapers, magazines, blogs, and another 1.8 million out-of-copyright e-books available for download.  Furthermore, a user can download in over 100 countries and territories and synchronize to other Kindle applications for phones and computers using Amazon’s Whispernet through 3G networks[9].  It seems the Kindle is well grounded and will not disappear from the consumer market any time soon. 

The Kindle has extended functionality that one may not expect.  A user can use the Kindle to play music, play games, browse the web, and store about three gigabytes of data, and not necessarily e-books.  It supports conversion for .doc, .docx, .txt, .rtf, .html, .htm, .jpeg, .jpg, .gif, .png, .bmp, and .zip[2].  It also has native support for .pdf and can store any other file much like a flash drive.  Currently, the Kindle Development Kit (KDK) is in beta testing[10] to allow users to develop their own active content, potentially games, calendars, or photo galleries.  This will give the Kindle even more functionality in the future blurring the line between an e-reader and a PDA or iPod Touch.  These facts lead the author to believe it is a matter of time before Kindles are a means of criminal activity and become sources of evidence.
This examination of the Kindle is important for investigators who have seized a Kindle who wish to jump-start their analysis of its contents.  Books and other files contained can be considered associative evidence, which can give insight to a suspect, victim, or person of interest or can help build a case in conjunction with other evidence.  John Wayne Gacy who raped and killed thirty-three male teenagers possessed books in his home such as 21 Abnormal Sex Cases, The American Bi-Centennial Gay Guide, The Great White Swallow, Heads and Tails, Pederasty: Sex Between Men and Boys, The Rights of Gay People, and Tight Teenagers[16].  Justin Barber was convicted in 2006 for the murder of his wife[7].  He had downloaded the song “Used to Love Her” by Guns N’ Roses on the day of the murder[7].  Its lyrics include, “I used to lover her, but had to kill her/ She bitched so much/ She drove me nuts/ And now I’m happier this way[15].”  Robert Ressler profiled a suspect in the 1980s who killed two boys in Nebraska.  In his profile Ressler wrote that the killer was likely to have read detective magazines because he cut away bite marks from his victims showing knowledge of forensic practices[8].  Twenty-four detective magazines were found in the possession of the killer, John Joubert[8].  The Kindle can contain more 3500 books[9], hundreds of .mp3 songs, or other files.  It will give the investigator a large picture of an active user.

2.     RESEARCH

For this research, a populated latest generation Kindle was imaged using FTK Imager 2.9.0.1385 with a Tableau forensic USB bridge.  This image included fifty-nine books, three games, forty-five converted .pdf files, sixteen Kindle screenshots, two audio books, two book samples, one blog subscription, one magazine subscription, and one newspaper subscription.  However, an unpopulated Kindle was not imaged because the research was performed as a result of Kindle use rather than the Kindle being purchased for research.  This research includes the same Kindle set to factory defaults to determine deleted evidence recoverability.  This paper gives a base to Kindle Forensics and gives a general outline for items of interest.  Other detailed analysis should be completed in future work.  The author assumes legal, crime scene, and other forensic considerations, and chose not to echo most of these methods outlined in other digital evidence papers.



The file system of the Kindle is FAT32, and the operating system is based on Linux.  As shown in the Kindle image summary in Figure 1, the image is 3130 MB, but the Kindle is known to have 4 GB of storage.  The inaccessible storage totaling 682 MB in FTK, the system partition, consists of three other partitions as shown in Figure 2.  These partitions were discovered by privilege escalation with the method described in the following section that is not endorsed by Amazon and may void the warranty.  One caveat of this method is that it directly breaks rules of evidence by writing to the user partition.  The system storage was accessed using the method to determine if there was valuable information within describing the user, but one of the system partitions was not able to be fully analyzed, mmcblk0p1.  During analysis, a telnet session was established between a computer and the Kindle to create an image using dd.  However, after a short time the telnet session would report that the connection to the host was lost seemingly causing the imaging process to cease.  The author assumed the imaging process would continue despite the connection loss because the command was issued to write the image to itself.  This was done to eliminate any networking issues and give proof of concept.  The author allowed time for the imaging process to complete, but a full image of mmcblk0p1 was never obtained. 



3.     METHOD[6]

•      Downloaded kindle-jailbreak-.4.N.zip[12]
•      Content was extracted
•      Connected Kindle to computer
•      Copied update_jailbreak_0.4.N_0.4.N_k3g_install.bin to the root directory of the Kindle
•      Ejected the Kindle from the computer
•      On the Kindle:
        o      Selected Menu | Settings | Menu | Update Your Kindle
        o      Selected Ok to confirm update
•      Downloaded kindle-usbnetwork-0.30.N.zip[12]
•      Copied update_usbnetwork_0.30.N_k3g_install.bin to the root directory of the Kindle
•      On the Kindle:
        o      Selected Menu | Settings | Menu | Update Your Kindle
        o      Selected Ok
        o      Typed any letter to open the search box
        o      Deleted the letter
        o      Typed “;debugOn” and pressed the center of the five-way directional pad
        o      Typed “~usbNetwork” and pressed the center of the five-way directional pad
•      Connected the Kindle to the computer
•      Navigated to Computer Management | Device Manager | Network Adapters
•      Right-clicked USB Ethernet/RNDIS Gadget and selected Update Driver Software…
•      Selected Browse my computer for driver software
•      Selected Let me pick from a list of device drivers on my computer
•      Selected Network adapters
•      Uncheck Show compatible hardware
•      Selected Microsoft Corporation as the Manufacturer and Remote NDIS based Internet Sharing Device as the Network Adapter
•      Navigated to Network and Sharing Center
•      Set the IP Address of the new adapter to “192.168.2.1” and the Subnet Mask to “255.255.255.0”
•      Navigated to Programs and Features
•      Selected Turn Windows features on or off
•      Checked Telnet Client
•      Navigated to Start | Run
•      Entered “Telnet 192.168.2.2”
•      dd if=<source> of=<destination>

For this research the source was /dev/mmcblk0p<1,2,3, or 4>, and the destination was /mnt/base-us/mmcblk0p<1,2,3, or 4>.  The author assumed /mnt/base-us/ was the same as /mnt/us/ for the destination image creation.  Files appeared to be the same in both locations when navigating the file structure, so the author arbitrarily chose one to write to the user partition.

4.     RESULTS

The following in Table 1 outlines what file evidence the author sought, found, and location.  Some content type naming conventions or file extensions did not hold true for all other Kindle files of that type.  For example, one of two sample books downloaded had a .tan extension associated with it, and some personal documents had the word “converted” within the file name despite each of the personal documents were converted through the same process.  Only one type of notice was on the device, notifying the user that documents must be downloaded over WIFI.  Other notices or types of notices are unknown to the author and may appear over time in other conditions.  The SHA-1 hashes in the file names were not successfully reverse engineered.  The relative path, full path, and document title strings were hashed, but resulted in no matches.  Other number associations in the file names were not identified.

Table 2 outlines the location of various Kindle statistics some of which are found in multiple locations.  Much of this incomplete table is unknown at this point, and some of this information is believed to be stored in the system partitions.  Other statistics can be viewed non-forensically in the Kindle from the 411, 611, and the 711 pages by entering the settings menu and typing Alt+R Alt+Q Alt+Q, Alt+Y Alt+Q Alt+Q or Alt+U Alt+Q Alt+Q, respectively[11].

After the Kindle was populated, imaged, and analyzed, it was set to factory defaults.  After data carving, thousands of artifacts were discovered pointing to what books and documents were once on the Kindle.  However, most of the files were images with numbers as the file name, so these must be viewed one at a time.  No traces of any user created directories were found.  It should be noted that books cannot be permanently deleted from a user’s account from the Kindle itself, but only through Amazon.com as shown in Figure 3 in the Appendix.  If needed, many items may be of evidentiary value on the user’s account on Amazon.com could be obtained through a subpoena.  Some items found in the “Manage Your Kindle” section of the user’s account are shown in the Appendix.

Table 1: Kindle Files

Content
Location
Content
Location
Active Content
Kindle-FAT32\.active-content-data\<SHA-1>
Personal Documents

Kindle-FAT32\documents\<title>-asin_<SHA-1>-<0-8>-converted-azw-type_PDOC-v_0.mbp
Audio
Kindle-FAT32\audible\<title>-asin__<Amazon Standard Identification Number>-type_AUDI-v_0.aax_<number>
Kindle-FAT32\documents\<title> azw-asin_<SHA-1>-<0-8>-azw-type_PDOC-v_0.azw
Kindle-FAT32\audible\<title>-asin__<Amazon Standard Identification Number>-type_AUDI-v_0.pos
Kindle-FAT32\documents\<title> azw-asin_<SHA-1>-<0-8>-azw-type_PDOC-v_0.mbp
Books Downloaded
Kindle-FAT32\documents\<title>-asin_<Amazon Standard Identification Number>-type_EBOK-v_0.azw
Notice
Kindle-FAT32\documents\<title> W-asin_<SHA-1>-<number>-<number>-DEVICE_WIFI-wifi-type_PDOC-v_0.azw  
Kindle-FAT32\documents\<title>-asin_<Amazon Standard Identification Number>-type_EBOK-v_0.phl
Non-converted PDF
Kindle-FAT32\documents\<file name>.pdf
Blogs
Kindle-FAT32\documents\<title>-asin_<Amazon Standard Identification Number>-type_FEED-v_65746.azw
Sample Books Downloaded
Kindle-FAT32\documents\<title>-asin_<Amazon Standard Identification Number>-type_EBSP-v_0.azw
Magazines
Kindle-FAT32\documents\<Magazine Title><Date>-asin_<Amazon Standard Identification Number>-type_MAGZ-v_2.azw
Kindle-FAT32\documents\<title>-asin_<Amazon Standard Identification Number>-type_EBSP-v_0.tan
Newspapers
Kindle-FAT32\documents\<Newspaper Title><Date>-asin_<Amazon Standard Identification Number>-type_NWPR-v_6.azw
Screen Saver Pictures
mmblk0p1\NONAME-ext3\opt\screen_saver
Kindle-FAT32\documents\<Newspaper Title><Date>-asin_<Amazon Standard Identification Number>-type_NWPR-v_6.mbp
Screenshots
Kindle-FAT32\documents\screen_shot-<number>.gif
Personal Documents

Kindle-FAT32\documents\<title>-asin_<SHA-1>-<0-8>-azw-type_PDOC-v_0.azw
Thank You Letter
Kindle-FAT32\documents\Thank You Letter-asin_ThankYouLetter_ ATVPDKIKX0DER_A1VC38T7YXB528-type_PSNL-v_0.azw
Kindle-FAT32\documents\<title>-asin_<SHA-1>-<0-8>-azw-type_PDOC-v_0.mbp
Kindle-FAT32\documents\Thank You Letter-asin_ThankYouLetter_ ATVPDKIKX0DER_A1VC38T7YXB528-type_PSNL-v_0.mbp
Kindle-FAT32\documents\<title>-asin_<SHA-1>-<0-8>-converted-azw-type_PDOC-v_0.azw
User Highlights and Notes
Kindle-FAT32\documents\My Clippings.txt



Table 2: Kindle Statistics

Statistic
Location
3G/WIFI
Kindle-FAT32\system\Audible Activation.sys
B006xxxxxxxxxxxx = 3G, B008xxxxxxxxxxxx = WIFI only, B00Axxxxxxxxxxxx = 3G Europe[3]
mmblk0p2\LocalVars-ext3\java\prefs\com.amazon.ebook.framework\Features
mmblk0p2\LocalVars-ext3\wan\info
Book Collections
Kindle-FAT32\system\collections.json
Bookmarks
mmblk0p2\LocalVars-ext3\java\prefs\browser\bookmarks_wv
Browser Cookies
mmblk0p2\LocalVars-ext3\browser\cookies
Browser Settings
mmblk0p2\LocalVars-ext3\java\prefs\browser\settings_wv
Current Location in Last Book Read
Kindle-FAT32\system\userannotlog
Device Email Address
mmblk0p2\LocalVars-ext3\java\prefs\com.amazon.ebook.reader\social-clipping\social-prefs
mmblk0p2\LocalVars-ext3\java\prefs\reginfo
Device Name
mmblk0p2\LocalVars-ext3\java\prefs\reginfo
Device Password/Hint
mmblk0p2\LocalVars-ext3\java\prefs\DevicePasswork.pw
Device Settings
mmblk0p2\LocalVars-ext3\java\prefs\com.amazon.ebook.framework\prefs
Firmware Version
Kindle-FAT32\Update_<previous version>-<current version>.bin
Keywords searched by user
Kindle-FAT32\system\Searched Indexes (didn't find meaningful info in here, but should look into this more)
Kindle Time
Kindle-FAT32\system\com.amazon.ebook.booklet.reader\reader.pref
Last Book Read
Kindle-FAT32\system\com.amazon.ebook.booklet.reader\reader.pref
Personal Info
mmblk0p2\LocalVars-ext3\java\prefs\com.amazon.ebook.booklet.home\com.amazon.ebook.booklet.home.prefs
Registered User
mmblk0p2\LocalVars-ext3\java\prefs\reginfo
Serial Number
Kindle-FAT32\system\AudibleActivation.sys
Time last listened to Audio Book
mmblk0p2\LocalVars-ext3\java\prefs\audiofilecache
APs Accessed
Unknown location
IMEI
Unknown location
IP Address
Unknown location
MAC Address
Unknown location
Social Networks
Unknown location
Web Browsing History
Unknown location



5.     CONCLUSIONS

The unknown locations shown in Table 2 present a forensic challenge.  A telnet session was established between a computer and the Kindle using the privilege escalation method.  However, after a short time the telnet session would report that the connection to the host was lost seemingly causing the imaging process to cease.  Further research should be conducted to discover if the connection loss is a result of the programming in the Kindle updates used as described in this paper.  Other methods should be explored to gain root access to the Kindle because this method writes to the user partition and was not designed for forensic acquisition, or it should be determined if root access is needed at all for forensic analysis.  Is the information within the system partitions necessary?  It is the opinion of the author that much of the information found within these system partitions can add critical evidence to an investigation.

Another forensic challenge is the consistency of files.  Further research must be conducted in order to understand all file extensions within the Kindle and fully understand personal document conversion.  Emailing documents to the user’s Kindle email address was used for the personal document conversion process, but it yielded three different naming conventions.  Additionally, converting the same document through the same process produced different visible results on occasion.  This will be problematic if there is a future hash library of known good and bad files.  The conversion process may render alternate results and documents may evade detection by the hash library.  A fuzzy hash algorithm may eliminate this issue.

A future concern that must be researched is the Kindle Development Kit (KDK).  Unknown and undocumented content will enter the market when the KDK is released to the public.  However, the KDK may produce active content of evidentiary value such as calendars and photo galleries, but these items will need to be tested and researched.  Other obfuscation and security issues should be explored, specifically with files appearing as downloaded books and the security of Whispernet.

A final consideration is shielding.  The wireless capabilities can be turned off within the Kindle settings, but a Kindle should be shielded if its wireless state is unknown.  This research determined the possibility of downloaded content overwriting older content when disk space is full and has been proven impossible in its factory state, but future active content applications created by malicious users may be able to erase content, perhaps even from a remote location.  Only FTK was used for analysis in this research.  Other tools should be tested with the Kindle.  The challenges are many, but this paper has provided an introduction to the forensics of the Kindle, which the author hopes the reader finds useful.

6.     REFERENCES

[1]     Allen, K. (2009, December 28). Amazon e-book sales overtake print for first time. In guardian. Retrieved December 13, 2010, from http://www.guardian.co.uk/business/2009/dec/28/amazon-ebook-kindle-sales-surge
[2]     Amazon Kindle User’s Guide. Retrieved from http://kindle.s3.amazonaws.com/Kindle_User's_Guide_English.pdf
[3]     Amazon.com Help: Kindle Software Update Latest Generation. (n.d.) Retrieved from http://www.amazon.com/gp/help/customer/display.html/ref=hp_navbox_top_kindlelgi?nodeId=200529700
[4]     Arrington, M. (2010, January 29). 3 Million Amazon Kindles Sold, Apparently. In TechCrunch. Retrieved December 13, 2010, from http://techcrunch.com/2010/01/29/3-million-amazon-kindles-sold-apparently/
[5]     Baig, E. C. (2010, July 29). Amazon unveils 3rd-generation Kindle e-book reader. In USA Today. Retrieved December 13, 2010, from http://www.usatoday.com/tech/news/2010-07-29-amazon29_ST_N.htm
[6]     disi. (2010, October 20). Quick Kindle 3 root shell via USB [Msg 118]. Message posted to http://www.mobileread.com/forums/showthread.php?p=1172506#post1172506
[7]     Dowling, Paul. (Producer). (2011, February 13). Forensic Files [Television broadcast]. United States: truTV.
[8]     Gutzeit, Andreas. (Director). (2009, August 16). The Man Who Lives with Monsters [Television broadcast]. Australia: Crime and Investigation Network.
[9]     Kindle Wireless Reading Device, Wi-Fi, Graphite, 6" Display with New E Ink Pearl Technology. (n.d.) Retrieved from http://www.amazon.com/dp/B002Y27P3M/ref=btech_kindle_wifi
[10]  Kindle Development Kit for Active Content. (n.d.) Retrieved from http://www.amazon.com/kdk/
[11]  lstefek. (2010, September 15). Quick Kindle 3 root shell via USB [Msg 74]. Message posted to http://www.mobileread.com/forums/showpost.php?p=1110675&postcount=74
[12]  NiLuJe. (2010, June 22). Fonts & ScreenSavers Hack for Kindles [Msg 1]. Message posted to http://www.mobileread.com/forums/showthread.php?t=88004
[13]  Ratcliffe, M. (2009, December 26). Updating Kindles sold estimate: 1.49 million. In ZDNet. Retrieved December 13, 2010, from http://www.zdnet.com/blog/ratcliffe/updating-kindles-sold-estimate-149-million/486
[14]  Rose, C. (Interviewer) & Bezos, J. (Interviewee). (2010). Jeff Bezos, Founder & CEO, Amazon.com [Interview transcript]. Retrieved Charlie Rose Web site: http://www.charlierose.com/view/interview/11138
[15]  Stradlin, Izzy & Hudson, Saul (1988). Used to Love Her [Recorded by Guns N’ Roses]. On G N’ R Lies [CD]. Los Angeles, California: Geffen.
[16]  Sullivan, T., & Maiken, P. T. (1983). Killer Clown: John Wayne: The John Wayne Gacy Murders (p. 33). New York, NY: Pinnacle.
[17]  Wilhelm, A. (2010, July 29). How many Kindles have been sold?. In The Next Web. Retrieved December 13, 2010, from http://thenextweb.com/us/2010/07/29/how-many-kindles-have-been-sold/



7.     APPENDIX









5 comments:

  1. Nice work.. makes me want to go back and do some more work on this project.

    ReplyDelete
  2. You have done some fine work in this area, Marcus. Thanks for the contribution to the community. I'm sure it's just the beginning for what will be an exciting career to watch unfold.

    ReplyDelete
  3. Thanks Allyn and Eric! I hope to bring a tangible impact in the future.

    ReplyDelete
  4. "this isn't a technical blog" ... ??? um. yes it is. it's over my sweet little pea-pickin head. congrats on a great blog, marc!

    ReplyDelete