Tools


This page lists some software / infosec projects to which I have contributed.


DISCLAIMER and legal paraphernalia: This is highly experimental work and is provided as-is, with no warranties of any kind. Use it at your own risk. Actually you shouldn't expect major hassles, but don’t blame me if the software bricks your device.


Having said this, thank you for being here and reading about my work :) If you are a bot, hey, thanks anyway! Bots are cool! I have many friends who are bots, and they’re really nice!


Revealer Toolkit (RVT)

RVT is a forensic analysis framework written in Perl that relies on The Sleuth Kit tools.

This project emerged while a bunch of geeks, working in digital forensics cases at INCIDE, needed to boost the available open-source tools with other features. We built “something” on top of TSK that was scriptable, fit our needs and workflow, and had a very decent throughput.

The project was initiated by Jose Navarro ‘Dervitx’ at the end of 2008, and between 2009 and 2012 we had quite a lot of fun with this little piece of crap :)

Given that Google Code closes its doors, I have mirrored the repo [here] mainly for historical purposes. I don’t intend to maintain or update the project, although you never know.


During the last days of the project, back in 2012, I focused on the RVT_parse module which processes different file types recursively in order to extract basic text strings from all of them, and performs keyword searches with regular expressions and boolean operators. These are some of the file types supported:

- Office formats: Apple Keynote, Numbers, and Pages; Office; OpenOffice / ODT; Office XML; PDF.

- E-mail containers: DBX, EML, EMLX, MSG, PST, OST. In the case of whole mailboxes (DBX, PST, OST) messages are extracted individually, and searches can include an index of matching email messages.

- Graphic formats (metadata are extracted): GIF, JPG, PNG, PSD, TIFF.

- Compressed files: BKF (Windows backup), ARJ, BZ, BZ2, CAB, CPIO, DD images, JAR files, RAR, TAR, ZIP, 7ZIP.

- Text files, with as many extensions as you can imagine, including things such as Internet browsing history.

- Other: EVT (Windows events), LNK, RPM, ISO 9660 filesystems, SQLite databases.

- And of course, all of this is done on (un)deleted files as well.



Lockup

Lockup is a proof of concept software tool that we wrote to address the threats presented by a number of default system services that exist in modern iOS versions and that can be abused to compromise the device security, giving attackers awesome capabilities such as: sniffing network traffic from the target device’s networks, capturing audio and video from the device, surreptitiously installing applications… The problem itself has been around for some time, and if you want some good literature about it I recommend Mactans: injecting malware into iOS devices via malicious chargers (by Lau et al., presented at Black Hat 2013) and Identifying back doors, attack points, and surveillance mechanisms in iOS devices, a great paper by Jonathan Zdziarski that recently put this issue back in the spotlight.

We talked about Lockup at the DFRWS 2015 EU (poster) and at the SecureSysComm Workshop on Security and Privacy in Systems and Communication Networks. (paper; slides).


Lockup on iOS 7:

Before you start: you will need a device running iOS 7.1.2, jailbroken and with an SSH server installed. Other iOS 7 releases might be OK as well.

Download this tarball and transfer it to your iOS device. For the rest of these instructions you must be logged as root in the device (or use sudo).

Uncompress it in the root of your filesystem (c’mon! be brave!):

        # tar xfz lockup-ios7-v0.1.tgz -C /

Load this service for periodic purging of pairing records:

        # launchctl load /System/Library/es.pope.lockup-purge.plist

Finally, to operate on the different service profiles, run:

        # lockup-profile

Profit!


Lockup on iOS 8 & 9:

In case you need to know:

Starting with iOS 8 the list of services (what used to be /System/Library/Lockdown/Services.plist) no longer exists as a separate file. Instead, its contents have been moved within the lockdownd binary itself, in a section near the end of the file.

I’ve checked and it’s possible to disable services by altering this part of the binary, shortening the PLIST and padding at the end of it with zeros. My intention now is to script something that automatically detects the offset of this PLIST inside the lockdownd binary to patch it, so that we don't depend on precalculated offsets (for each specific device and iOS release).

Luis 'Pope' Gómez_Miralles, 2020