January 14, 2015
Searching for Artifacts in Private Messaging App: Cyber Dust
As a burgeoning entrepreneur, I’m a big fan of the TV Show “Shark Tank”. I often tell people that when I was a young cop, I used to watch “Cops” to see what to do and, more importantly, what NOT to do. The same is true for my affinity for “Shark Tank”. Several very successful business people from various industries get to bid or pass on business opportunities from likely entrepreneurs. It’s not only great advertising for the young business owners, but it has the potential to be very lucrative if one of the “Sharks” happens to make them an offer on their proposal. One of the more entertaining Sharks is Mark Cuban, outspoken owner of the Dallas Mavericks NBA team and shrewd, modern business man.
Recently, Cuban has been hard at work promoting a mobile app that was brought to him while on “Shark Tank” called Cyber Dust. According to his own description from The Tonight Show, “…it’s text messaging, but within 24 seconds after it’s read, the message disappears. So that way you can talk to your agent, you can talk about your friends, you can talk about anything… I don’t want to leave a digital footprint, so we came up with Cyber Dust.Once it’s gone, it’s gone.” In fact, when I recently posed the question about a possible forensic footprint being left behind by Cyber Dust to Cuban on Twitter, he replied promptly:
Being the consummate contrarian that I am, I decided to take Cuban up on his quasi-challenge and use a couple of different mobile forensic tools to try and recover data from a mobile device that was using Cyber Dust. My results were admittedly mixed, but interesting nonetheless.
Cyber Dust is available in both iOS and Android platforms and indeed was examined on both (detailed later). The app is a simple messaging app where users can send messages that have a half-life and disappear 24 seconds after being opened. Pictures can also be sent back-and-forth and, if you are “sneaky” enough to try and take a screen shot of the picture that the other party sent, it notifies them of this. Messages you send can also be “pinned” (saved for a time) on your device, but you cannot “pin” the messages of the person with whom you are communicating. There are other features too like “blast” messaging and searching for users by user name. It’s a fairly simple, easy-to-use app that has it’s plusses and minuses, as with all things.
For this [admittedly] very basic experiment, I downloaded the Cyber Dust app on both my iPhone 5s running iOS 8.1.2 and my lab test phone, a pre-pay Samsung Android phone (model SPH-M830) running OS version 4.1.2 (Jelly Bean). Full disclosure: I am NOT an Android user as my primary device.
I used two mobile forensic tools to try and locate data on the devices – Lantern
v. 4.5.4 and Cellebrite
Universal Forensic Extraction Device (UFED) for PC, v. 126.96.36.199.
I actually conducted two tests in this case. For both, I compiled a list of key words which would be used in the message strings between me and another user (iPhone) and between me and myself on a separate account (Android). These key words were:
- Xylophone (which was also “pinned” in the message string)
- BlogMaverick (all one word, with the B and M capitalized, “pinned” in the message string”. This is Mark Cuban’s public user name on Cyber Dust)
- SharkTank (all one word, S and T capitalized)
Additionally, I sent one picture of the cover of a book entitled “Google Hacking” from the iPhone to the Android device via Cyber Dust.
The theory behind inputting specific key words and a unique picture into the message string(s) was to be able to quickly search for and identify artifacts that are unique in nature to our “case” after a successful extraction of the data on the devices. My results were admittedly mixed.
As many in the mobile forensic world may know, a full physical extraction on any iPhone model 4s and later is not currently possible with commercially-available or open-source forensic tools. Nevertheless, I attempted to recover data from Cyber Dust on an iPhone 5s running the most current iOS as of the writing of this article using what I have found to be the most effective iOS examination tool on the market – Lantern. To be blunt, I found nothing. Of course, there was evidence that the app was installed on the device, which in and of itself should tell a trained examiner something, but that’s about it. I surmised that the reason for this is probably that the user-input portion of the app runs mainly in the device RAM volatile memory and therefore, absent a full physical extraction, I was not able to recover any probative data from the device. Often times, some artifacts from device RAM may be written to the empty or unallocated space on the storage medium, but as I was unable to examine that part of the system memory on the iPhone, none of those artifacts could be recovered, even if present.
The results from the Android pre-pay/test phone were much more interesting. I used Cellebrite UFED for PC to make a full physical extraction of the Samsung phone for examination. I further created a logical extraction and a file system extraction, just to see if there would be any additional evidence found. Naturally, in an app of this nature, not much data was recovered from either the logical or file system extractions, but the physical extraction yielded some interesting artifacts.
I conducted key word searches at the physical level to try and find all of the above-listed key words on the device. The search was conducted for both ANSII and Unicode characters to account for any variance. I did not make the search case-sensitive because I knew that any hits would return, whether capitalized or not. The key word “Xylophone” was searched first. Two hits were located, but not from within any app data of Cyber Dust. Rather, they were recovered from the Samsung key log file, which logs all recent key strokes input into the device and is active by default (file: root/data/com.sec.android.inputmethod/…). In fact, there were two unique hits for the same key word (Xylophone) in the same key logger. This is interesting because, while on it’s face, the claim that Cyber Dust does not keep your data may be true, these artifacts(as well as other) were located in a secondary source. This gives a digital forensic examiner something to work with because it tells us that the data may be recoverable from more than one area. It should be noted, however, that only the sender’s messages (those that were typed on the device being examined) were recovered, not the messages received on the device by whomever he was messaging.
The same evidence was found in the same place for the key words “Bababooey” and “BlogMaverick.” Both of these key words, as well as the entire text string from the messages containing those key words (as well as some older messages from standard SMS), were recovered from the Samsung key logger file. While the logger is on by default on Samsung phones, it can sometimes be turned off or replaced by another keyboard. The limitations of this pre-pay phone prevented us from testing this further with alternative key boards. I captured some screen shots in Cellebrite UFED that show the key word hits below:
Key Word: Xylophone
Key Word: Bababooey
One interesting thing of note is the presence of the key word “BlogMaverick”. This turned out to be the only key word that was found in more than one place. As mentioned earlier, BlogMaverick is Mark Cuban’s public user name on Cyber Dust. When a user downloads and installs Cyber Dust on his device, several “friends” are added by default. Among these are “BlogMaverick” and “CDteam” (short for Cyber Dust Team). Interestingly enough, those two screen names were located within the Cyber Dust app files at: Root/dalvik-cache/data@email@example.com@classes.dex.
The screen shot of this artifact is below:
Naturally, I’m not a programmer, so I can’t answer the question whether or not these user names were part of the Cyber Dust app by default and permanently implanted in the code or if they appear in this file because messages were routinely received from both of these user names, but the fact remains that there were these two artifacts recovered from within the Cyber Dust app which indicates two contact names at the very least. If other screen names are added to this list through constant contact as a user, it could prove to be worthwhile recoverable data in the course of an investigation. Obviously, more prolonged testing should be conducted to help answer these questions.
Picture Recovery on Android Device
As stated earlier, one picture of the cover of a book was sent from the iPhone 5s to the Samsung Android phone for testing purposes. After conducting a review of the allocated images from the physical extraction as well as the carved unallocated images from the extraction, I found no evidence of the picture. I further performed a key word search at the physical level for the file name of the picture (IMG_4153.jpg) and no traces of that file name were recovered. I purposely did not take a screen shot of the picture, suspecting it would be found very easily in the picture database on the device. Albeit a basic test, this seems to verify that the pictures received on Cyber Dust do not get saved in any form on the device without affirmative action being taken by the user. It is theoretically possible that a highly trained examiner might be able to recover the image(s) from the device RAM with the proper training and tools, however I’m not aware of any such tools that capture volatile memory from a mobile device.
This search was not attempted on the iPhone 5s because of the limitations on data recovery on iOS devices as stated previously.
This test has served to not only demonstrate some of the potentially recoverable artifacts on a device using Cyber Dust, but also demonstrates the differences in mobile device security and indeed, some of the purported security of the Cyber Dust app itself. It’s obvious that Cyber Dust users on an iOS (Apple) platform with a model 4s or later can probably rest easy that their messages are deleted after having been sent and received for 24 seconds.
However, the multitude of difference in Android-platform devices presents us with a little more muddled conclusion as to whether any evidence can be obtained from the use of Cyber Dust. This initial test dealt with the use of a basic Samsung smart phone running an older operating system. This begs the questions: What (if anything) could be recovered from other manufacturer’s devices? What could be recovered from a Samsung with a newer operating system and/or a device where only a logical extraction is possible? What might a theoretical examination of the volatile memory of the device present insofar as evidence? All of these questions and more lead us to the inevitable conclusion that further testing and reverse-engineering of Cyber Dust needs to be conducted. Make no mistake, there were artifacts recovered from the full physical image of the Android device using Cellebrite UFED for PC. But the artifacts were not all recovered from the Cyber Dust app database and the recovered artifacts were somewhat sporadic in nature (the term SharkTank was not found, although a visual inspection showed it as part of the Samsung key logger file as well).
For Digital Forensic Examiners, the take-away from this test is clear: Even if you are dealing with a case that involves Cyber Dust (or any other private messaging app), it may still be possible to recover data that is valuable to your case. Will you get the entire picture? Probably not. But the role of a Digital Forensic Examiner is often to put pieces of a puzzle together and these pieces may certainly prove valuable in many types of investigations.
It’s certain that Mark Cuban and company have come up with a pretty decent app as far as privacy goes. What’s too early to tell is whether the reverse-engineers and programmers at companies like Cellebrite, XRY, Oxygen Forensics, Magnet Forensics, AccessData and/or Katana Forensics will uncover the need and the skills to work around the app engineering and what implication that may have on future iterations of Cyber Dust. One thing is universally true in Mobile App Development and thus, Mobile Device Forensics – things are always changing, so it’s a constant game of catch-up between developers and forensic tool engineers to see who can keep up.
Patrick J. Siewert, SCERS, BCERT, LCE
Owner, Lead Forensic Examiner
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
I welcome any and all feedback on these tests as this is the first time I’ve attempted anything like this.
I do realize this was not an all-encompassing scientific exploration, more of an experiment, but I welcome your feedback and comments on this and possibly future testing of apps and tools.
Update: May, 2015: This is still the most viewed article on our blog, which indicates there’s a high degree of interest in it. We did a follow-up to this article you may want to check out. It’s linked right here: http://prodigital4n6.blogspot.com/2015/04/cyber-dust-privacy-claims-debunked.html
Thanks for all your interest!