Take a watermarked capture/recording of the phone screen

[U039b]

Users can take a watermarked capture or recording of their phone screen.

[U039b]

Proposed implementation: The entry point is a single command to be executed on the PiRogue. This command will:

1. ask for an arbitrary name corresponding to the victim's name, organization name, etc.
2. ask for the responder's name, email and organization
3. save the information into a JSON file
4. create a directory where the files will be stored
5. tell the victim to take screenshots and/or record the screen of their phone (Android doc, iOS doc)
6. start a droopy server accessible from the isolated network
7. connect the victim's phone to the PiRogue access point
8. browse Droopy URL (has to be simple)
9. upload all the screenshots and/or recordings
10. shutdown the Droopy server
11. append exif data including responder's name, email and organization
12. add a watermark on the files
13. store the checksum of the files

[U039b]

This month

Along with a reorganization of the PiRogue Debian packages, we are introducing a new package pirogue-evidence-collector creating the following entry points:

• pirogue-android to interact with an Android device and run commands on it.
• pirogue-file-drop to expose a web server allowing the user to upload files from their device to the PiRogue.
• pirogue-extract-metadata to extract metadata of a file and save it separately in [original file name].metadata.json.
• pirogue-timestamp to time stamp files by requesting a 3rd-party RFC3161 authority.
• pirogue-intercept-[gated|single] to instrument an Android application to analyze its network traffic.

Next month

We are planning to release this Debian package next month.

Challenges

The primary challenge was to establish a mechanism for offline timestamp verification exclusively reliant upon OpenSSL.

[U039b]

This month

The two commands responsible for intercepting TLS client randoms now utilize friTap. Given that friTap supports a broader range of TLS implementations compared to our initial implementation, we have decided to integrate friTap directly.

We have added the dynamic generation of hooks to the commands pirogue-intercept-[gated|single]. The different Frida hooks to be generated and injected are defined by the user in JSON format. This feature will be documented when the Debian package will be released.

The release of the Debian package has been postponed, more testing has to be performed before its first release.

Next month

We are planning to document and release this Debian package next month.

Challenges

None.

[U039b]

This month

The first version of the pirogue-evidence-collector has been released, but it's not documented yet. This package is now installed by default on PiRogue and provides the user with the following commands:

• pirogue-android to interact with an Android device and run commands on it.
• pirogue-file-drop to expose a web server allowing the user to upload files from their device to the PiRogue. This command needs improvement.
• pirogue-extract-metadata to extract metadata of a file and save it separately in [original file name].metadata.json.
• pirogue-timestamp to time stamp files by requesting a 3rd-party RFC3161 authority.
• pirogue-intercept-[gated|single] to instrument an Android application to analyze its network traffic.

Next month

The implementation of the command pirogue-file-drop is not completed, as it needs to interact with the newly released administration tool to temporarily open a port on the isolated network. This integration will be done next month. Once all the commands are fully functional, we will publish the documentation.

Challenges

None.