Training Material
Our training sessions (live and recorded) provide LEAs with the required knowledge to operate the LOCARD platform and the developed tools.

Tools
LOCARD has developed relevant tools to empower law enforcement and judiciary bodies in their fight against cyber crime.

Device Message Hijack Investigation

Spyware

SMS-Based Forge ID

Vulnerable App Identification

DNS Data Exfiltration

Hardware – OS

Deviant Behaviour

Device Message Hijack Investigation
Mobfor is an Android device message hijack investigation toolkit that lets investigators assess devices for possible unlawful interception attacks. Using the toolkit requires collaboration with the owner of the device being investigated. The toolkit consists of two main components: a memory forensics tool for device hijack investigations and a supporting Android living-off-the-land (LoTL) pentest tool. The pentest tool extends the popular open-source Metasploit Framework, and the memory forensics tool uses the open-source dynamic binary instrumentation framework Frida.

Spyware
The spyware tool aims to identify whether spy apps are installed on a mobile device by analyzing the network traffic they generate. In particular, the tool relies on a set of machine learning techniques to find patterns in the network traffic that uniquely identify a specific mobile app.

SMS-Based Forge ID
The purpose of the SMS-based forge ID tool is to investigate whether a mobile phone number used for registering an account on instant messaging apps (e.g., Telegram, WhatsApp) is a temporary one released by message-receiving websites. The tool scrapes online SMS-receiving websites to search for a specific mobile phone number. In particular, it gathers all the real messages from these websites and then searches for a given mobile phone number among them.

Vulnerable App Identification
The vulnerable app identification tool is a static taint analysis tool that automatically detects vulnerabilities in an Android app by applying a set of rules. These rules were formalized from the official Android security and privacy guidelines. The tool takes the APK file of an Android mobile application as input and returns the line of source code where each vulnerability was found.

DNS Data Exfiltration
DNS is one of the most used protocols when it comes to data exfiltration. The reason is that DNS traffic is allowed by default in firewall installations, so data sent over it will probably be exfiltrated successfully. The attacker must install a malicious client/agent on the victim’s host and also control a base domain name. This client communicates with a server (registered as the DNS server of the attacker-owned base domain), sets up a session, and can send files stored locally on the victim’s host to that server through a series of DNS queries. The DNS data exfiltration tool aims to detect such attempts by examining the log files of an organisation’s DNS server and reporting all details of the data exfiltration sessions detected.
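The kind of log-based detection described above can be sketched as follows. This is an added example, not LOCARD's tool or its method: the log format, the thresholds, the two-label base-domain rule and the length/entropy heuristic are all assumptions, and the log lines are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log, assumed format: "<time> <client> <query name> <type>".
# exfil-demo.example is a placeholder for an attacker-controlled base domain.
SAMPLE_LOG = """\
2022-03-01T10:00:01 10.0.0.5 www.example.org A
2022-03-01T10:00:02 10.0.0.5 mail.example.org A
2022-03-01T10:00:03 10.0.0.5 cdn1.example.org A
2022-03-01T10:00:04 10.0.0.5 cdn2.example.org A
2022-03-01T10:05:00 10.0.0.7 mzxw6ytboi4dsnrqgezdgnbv.s1.exfil-demo.example TXT
2022-03-01T10:05:01 10.0.0.7 kjqxg2dfon2gk3tuebuw4zdp.s1.exfil-demo.example TXT
2022-03-01T10:05:02 10.0.0.7 nb2hi4dthixs653xo4xgk6dq.s1.exfil-demo.example TXT
2022-03-01T10:05:03 10.0.0.7 orugkidrovuwg2zamjzg653o.s1.exfil-demo.example TXT
2022-03-01T10:05:04 10.0.0.7 ifxgiidun5zgsy3pnvsxi2ld.s1.exfil-demo.example TXT
"""

def entropy(s):
    """Shannon entropy of s in bits per character (0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def detect_sessions(log_text, min_unique=5, min_len=20, min_entropy=3.5):
    """Group queries by (client, base domain); flag groups whose subdomains
    are numerous, long and random-looking, i.e. likely to carry encoded data."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, qname, _qtype = parts
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain part that could carry data
        # Assumption: base domain = last two labels (real use needs the Public Suffix List).
        base, sub = ".".join(labels[-2:]), "".join(labels[:-2])
        groups[(client, base)].append((ts, sub))
    sessions = []
    for (client, base), hits in groups.items():
        subs = {s for _, s in hits}
        mean_len = sum(map(len, subs)) / len(subs)
        mean_ent = sum(map(entropy, subs)) / len(subs)
        if len(subs) >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            times = sorted(t for t, _ in hits)
            sessions.append({"client": client, "base_domain": base, "queries": len(hits),
                             "first": times[0], "last": times[-1],
                             "payload_chars": sum(len(s) for _, s in hits)})
    return sessions

if __name__ == "__main__":
    print(detect_sessions(SAMPLE_LOG))
```

The thresholds trade false positives against missed sessions and would need tuning against an organisation's own DNS baseline.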

Hardware – OS
As has been demonstrated in the past, attacks via the exposed USB interface can be used to gain control over locked mobile phones. The presented tool provides an automated way to analyse this interface for potential vulnerabilities. Identified vulnerabilities will be described in a way that aids the development of an exploit which can provide an analyst with access to a locked device. The tool itself is an extension of the popular open-source analysis tool Syzkaller which offers improved utility and performance.

Deviant Behaviour
The Deviant Patterns Repository module is implemented in Python using a fault-tolerant, distributed architecture. It leverages a distributed task queue (e.g. RabbitMQ) to orchestrate and distribute jobs to multiple workers, ensuring the timely monitoring and analysis of data from multiple sources, including social media and Social Live Streaming Services. As user-produced data is collected, it is propagated to the Grooming Detection and Explicit Imagery Detection submodules, which identify patterns of predatory or criminal behaviour.


Request Access to LOCARD Training Material

The consortium of the project has published several videos intended to facilitate the understanding of the most relevant tools developed throughout the project. If you wish to access the material, please fill in the following form and our team will assess your application.

Click HERE to download the LOCARD Non-Disclosure Agreement in PDF version.

Copyright © 2019 - 2022 LOCARD. All rights reserved. This project has received funding from the European Union’s Horizon 2020 Research and Innovation Programme under Grant Agreement nº 832735. This project reflects only the author’s view and the Commission is not responsible for any use that may be made of the information it contains.