data forensics workshop introduction atelier nord 6 nov 2008

Expanding a clear concern with electromagnetic [EM] phenomena as a question of substance, data forensics extends the spectrum of artistic concerns to embrace data space. Under the mastheads of signal and noise, data, or digital, forensics proposes a further examination of contemporary presence, a materiality and architecture seemingly at odds with a digital realm which humbles its carrier, submitting the aether to status of a lowly medium; that which is modulated.

Data forensics in this instance refers to the artistic and practical analysis of [un]intentional signals, raising questions of both this intention and a modelling of the world.

Data forensics extends a series of practical and theoretical investigations concerned with electromagnetic [EM] phenomena into the world of data space. Spanning signal and noise, digits and decay, data forensics explores the often unintuitive reality that digital data has its own electromagnetic (physical) presence, a physicality that can be read and perhaps even modulated through the carrier medium itself.

Data forensics presents a look-glass exchange between two domains. The digital informs and reveals the physical and vice versa; equally, there is an exchange of practices. For example, we can borrow techniques from real-world forensics, gumshoe-style to examine and attempt to make sense of leaked data emissions, or to expose and elaborate a notion of data sedimentation; examining an archaeology of everyday digital usage. At the same time, technological practices inform traditional forensics, as alternative architectures, ancient constructions and intensities, are revealed by novel, EM-inspired techniques.

Sub-topics under the broad heading of data forensics could include:

making sense of landscape from a forensics perspective, reverse engineering, mapping protocols of hiding onto the real, photo and audio reconnaissance, data sedimentation, data visualisation, TEMPEST, cryptography, mapping of event intensity using GPS, signals, noise and strategies for interpretation of the intentionality of transmissions

defined during working groups at Peenemuende - a place where we were precisely concerned with both hiding (that which is hidden (in language)) as a philosophical concern, and the overlap of a conventional idea of landscape with digital projection (simulation and description); the contours of an other environment.

… yes the “Allied” planes all would have been, ultimately, IG-built, by way of Director Krupp, through his English interlocks—the bombing was the exact industrial process of conversion, each release of energy placed exactly in space and time, each shock-wave plotted in advance to bring precisely tonight's wreck into being thus decoding the Text, thus coding, recoding, redecoding the holy Text…

[GR. p. 521]

Divining and providing ideas for a future (data) archeology. Key concepts include physical data sedimentation, decoding and paranoia, cryptography. techniques for the examination of promiscuous data leakage, and making sense of/within a landscape.

At the same time, the workshop provoked an examination and critique of pervasive surveillance technologies; it is worth noting that parallel to the development of space technology, the first CCTV system was installed at Test Stand VII in Peenemünde in 1942. Aerial reconnaissance of the site also stands as an important test case within this field.

An obvious relationship with media archeology and a question of this parallel of stratification, sedimentation and landscape with a so-called data-space. Links also to the practice of photo reconnaissance in which PM is noted as a test case.

refers to the study and potential control of compromising emanations (CE) which can be used to recover the plain text (or other information) of encoded/national security related nature. CE potentials include acoustic, and electromagnetic radiation [including in this wide spectrum visible light (optical emanations)]

Compromising emanations are [ thus] defined as unintentional intelligence-bearing signals which, if intercepted and analyzed, may disclose the information transmitted, received, handled, or otherwise processed by any information-processing equipment.

[Wikipedia - note the relation to intentionality and intelligence]

TEMPEST is a form of side-channel attack [In cryptography, a side channel attack is any attack based on information gained from the physical implementation of a cryptosystem, rather than brute force or theoretical weaknesses in the algorithms … For example, timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information which can be exploited to break the system.[Wikipedia]]

recursion - a codename which reveals nothing but is precisely concerned with revelation (a potential fake or red herring)

a (paranaoic) understanding of the world and (comic) model for perception:

TEMPEST as a reflective model…

for "perception", as a reflexive model for consciousness/rationalism

• each stage of the model examined: -detection -decoding -reconstruction
• making of a model

TEMPEST as being revealed (the already signalled or encoded). Model revelation (pink light).

Analogue

• AM
• FM
• SSB - single sideband
• PM
• SM

Digital

• Orthogonal frequency-division multiplexing [OFDM]
• Phase-shift keying [PSK]

and many more

what is 802.11 encoding/modulation?

one aspect is spread spectrum (Hedy Lamarr):

Frequency-hopping spread spectrum (FHSS) is a method of transmitting radio signals by rapidly switching a carrier among many frequency channels, using a pseudorandom sequence known to both transmitter and receiver.

modulation in this case is: Gaussian Frequency-Shift Keying (GFSK) is a type of Frequency Shift Keying modulation that utilizes a Gaussian filter to smooth positive/negative frequency deviations, which represent a binary 1 or 0. It is used by DECT, Bluetooth¹, Cypress WirelessUSB, Nordic Semiconductor and z-wave devices. For Bluetooth the minimum deviation is 115 kHz.

http://en.wikipedia.org/wiki/GFSK

See also:

http://en.wikipedia.org/wiki/OFDM

and:

http://en.wikipedia.org/wiki/Complementary_code_keying

[in an outside world]

what/where is abstraction in the world except as language and construction in the world

question of if this layered OSI model could (or would have already) enter(ed) the world.

physical layer - identifiable only as such

physical layer is a red herring as OSI model "in the world" bites its own tail. simulation theory

• how detection/collection qualitatively determines the data set for analysis (time, stripping of protocols and layers by the OS or routing hardware)

detection is thus not transparent

To imagine some kind of taxonomy or system of classification - exploratory tools, active and passive probes, reconstruction, interpretative, visualisation, decryption and encryption, a beginning to making sense.

That this taxonomy could also follow and to some extent critique (or allow for a philosophical examination of) the OSI model of networking:

electricity and magnetism and related. field theory!

static, magnets, current

what is out there?

[mobile phones, DECT, 802.11(bg etc.), RFID, wideband emissions, 50 Hz power lines, broadcast radio and digital TV (DVB), radar, natural radio]

and how it interacts with bodies/architecture/materials/flux

modulation

detection using simple amplifier. low frequency. direct translation into sound waves. antennas

cantenna (waveguide antennas)

http://www.turnpoint.net/wireless/cantennahowto.html

http://flakey.info/antenna/waveguide/ [with calculator for waveguide distances and so on]

[use of tetrapaks was also successfully tested in Berlin]

http://www.reseaucitoyen.be/wiki/index.php/BoiteDeLait

http://www.reseaucitoyen.be/wiki/index.php/Home_made - good resource

http://www.saunalahti.fi/~elepal/antenna2.html - also with link to calculator

High Frequency (100 MHz-2.4GHz) receiver based on Analog Devices AD8313.

logarithmic detectors. different parts of the frequency spectrum

• small router or switch analysis with photodiode and amplifier

Simple C code for phototransistor TEMPEST using BPW42 and parallel port

http://1010.co.uk/temppar.c

:./temppar <delay>

(RSSI - Received Signal Strength Indication). What this tells us about the signal - which frequencies:

wavemon, xoscope, iwspy:

http://users.skynet.be/chricat/signal/signal-strength.html

see also:

http://www.1010.co.uk/scrying_tech_notes.html

visualisation now enters the picture

• mapping signal strength

modules, mapping, mobile code execution, LRA

baudline, wi-spy http://www.kismetwireless.net/spectools/

USRP/software defined radio: spectrum analysis, AM receiver, TV, plotting (where is plotting stuff: http://www.1010.co.uk/org/notes.html#sec-7)

examples on that page

grc as patching app

Into demodulation and decoding - bbn-examples - wireless signals

and how we can examine and make sense of it

kismet:

Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.

Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and infering the presence of nonbeaconing networks via data traffic.

http://www.kismetwireless.net/

wireshark, tcpdump, arpwatch, pypcap, airsnort

Wireshark is a GUI network protocol analyzer. It lets you interactively browse packet data from a live network or from a previously saved capture file. Wireshark's native capture file format is libpcap format, which is also the format used by tcpdump and various other tools.

netstat, netcat (nc), ntop, nmap, ngrep, tcpdump, snort, hping2, dsniff

scapy

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, …), etc.

detection/collection/analysis at micro/macro levels eg. long term (using access points and batteries) or coarse grained analysis

serial port and USB sniffing, keyboards, hard drive (conventional digital forensics - dd, strings, AFF-enhanced forensics format), acoustic emanations, steganography (steghide,nlstego), timing attacks and entropy, memory, execution and gdb

raw file/data analysis - baudline (file open and bit view option), dd, strings, devdisplay, raw files in octave (histogram):

myfile = fopen("testrnd_delay_none", "r+")

x =fread(myfile, "uchar");

hist(x)

hist(x(1:50))

plot(x)

fclose(myfile)

http://www.1010.co.uk/org/data_forensics.html

http://www.1010.co.uk/tech_notes2.html

R, gnuplot, octave, matplotlib, basemap

see scrying examples

• mapping with GPS
• GeoIP maps: http://www.maxmind.com/app/c
• correlations

Introduction all participants

Introduction to theory and techniques of data forensics: experiments, demonstrations, software, hardware - an overview.

Data collection expedition in Oslo city centre

Discussion of previous day’s research

Discussion of artist works within the field of data forensics

Assessment of relevant techniques by each participant

Commence personal projects in Oslo interior/exterior

Discussion of personal projects

Further collective experiments and suggestions for future work and direction

Sketches for artistic work

1-background 2-collection 3-decoding and interpretation 4-visualisation/recoding 5-packet creation