Samsung Smart Fridge
From Just Solve the File Format Problem
				
								
				(Difference between revisions)
				
																
				
				
								
				| Kayvon2008  (Talk | contribs)  (→User partition) | Kayvon2008  (Talk | contribs)   (→System-data partition) | ||
| (10 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
| − | Samsung Smart Fridges with the Family Hub software are smart fridges that run Tizen. A dataset shared by VTO labs has an image of  | + | {{FormatInfo | 
| + | |formattype=physical | ||
| + | |subcat=Networked devices | ||
| + | }}'''Samsung Smart Fridges''' with the Family Hub software are smart fridges that run Tizen. A dataset shared by VTO labs has an image of  all of the partitions like the system and data partition. The blog ZENA forensics has analyzed the dataset for evidence. (Just like a historian, EVERYTHING counts for a case to be solved) | ||
| ==Storage format== | ==Storage format== | ||
| They use a GPT partitioning schema and it has a total of 21 partitions. | They use a GPT partitioning schema and it has a total of 21 partitions. | ||
| Line 27: | Line 30: | ||
| *The "\var\lib\bluetooth\<BT_MAC>\cache" folder contains various files, named as a Mac Address. In the provided dataset 6 files are stored in the folder. Every file contains a device name. They seem to be "seen" devices, although more testing is needed. | *The "\var\lib\bluetooth\<BT_MAC>\cache" folder contains various files, named as a Mac Address. In the provided dataset 6 files are stored in the folder. Every file contains a device name. They seem to be "seen" devices, although more testing is needed. | ||
| *The "\var\lib\buxton2\system.db" contains information about OS settings. The database needs more research to understand the exact content, but it apparently contains interesting configuration and information embedded in BLOB data. Here follow the full settings list. | *The "\var\lib\buxton2\system.db" contains information about OS settings. The database needs more research to understand the exact content, but it apparently contains interesting configuration and information embedded in BLOB data. Here follow the full settings list. | ||
| − | < | + | |
| + | <pre style="white-space: pre-wrap;  | ||
| + | white-space: -moz-pre-wrap;  | ||
| + | white-space: -pre-wrap;  | ||
| + | white-space: -o-pre-wrap;  | ||
| + | word-wrap: break-word;"> | ||
| db/refrigerator/modelType | db/refrigerator/modelType | ||
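Review bot: the inline style on the new <pre> sets white-space four times, and three of those values are vendor-prefixed forms (-moz-pre-wrap, -pre-wrap, -o-pre-wrap) that only long-retired browsers needed. "white-space: pre-wrap; word-wrap: break-word;" is enough, and moving it into a shared template or class would keep the wikitext readable.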
| Line 164: | Line 172: | ||
| db/setting/lcd_backlight_normal | db/setting/lcd_backlight_normal | ||
| − | </ | + | </pre> | 
| **Some of these BLOB data can be easily read, like the Wi-Fi BSSID Address that in the provided dataset is 70:2c:1f:41:e2:42 . | **Some of these BLOB data can be easily read, like the Wi-Fi BSSID Address that in the provided dataset is 70:2c:1f:41:e2:42 . | ||
| *The "\var\lib\connman\settings" file contains information about network services (WiFi, Bluetooth, Wired, Cellular) and if they are enabled or not. | *The "\var\lib\connman\settings" file contains information about network services (WiFi, Bluetooth, Wired, Cellular) and if they are enabled or not. | ||
| Line 176: | Line 184: | ||
| *The application stores its data in the "\user\home\owner\apps_rw\org.tizenglazecamera\". In the provided dataset three JPG pictures of the content of the fridge were found in the "\shared\trusted\"subfolder. All of them were taken on 7th February 2018 at 18:41:12 UTC. | *The application stores its data in the "\user\home\owner\apps_rw\org.tizenglazecamera\". In the provided dataset three JPG pictures of the content of the fridge were found in the "\shared\trusted\"subfolder. All of them were taken on 7th February 2018 at 18:41:12 UTC. | ||
| + | ===Tizen Browser=== | ||
| + | |||
| + | *The Tizen OS 3.0 has a default browser named "Tizen Browser", based on Chromium. Details about the browser are available on the tvmode.org website. The Tizen Browser stores information in 2 main locations in the user partition: the "\user\home\owner\apps_rw\org.tizen.browser\" folder and the "\user\data\browser-provider\database\" folder. | ||
| + | *The "\user\data\browser-provider\database\.browser-provider-history.db" file contains browser history, including visit date, URL and page title for each visited website. In the provided dataset we can find 4 Google searches ("funny cats", "thug life cats", "starman live", "best of he man") and two viewed YouTube videos (https://m.youtube.com/watch?v=M-P3l9ezaF8 and https://m.youtube.com/watch?v=bMjVvg8jOO4). | ||
| + | *The "\user\data\browser-provider\database\.browser-provider-tabs.db" contains information about opened tabs. In the provided dataset you can find a single in entry in the "tabs" table, as shown in picture: it includes an URL (https://m.youtube.com/watch?v=bMjVvg8jOO4) and a creation date value (2018-02-07 18:18:30). | ||
| + | *The "\user\home\owner\apps_rw\org.tizen.browser\data\chromium-elf\cache" folder contains browser cache items. As the Tizen Browser is based on Chromium, the Cache can be parsed with ChromeCacheView or Hindsight. | ||
| + | ===Glympse Family Map=== | ||
| + | *The Glympse Family Map is a location-sharing service "which allows users to seamlessly share their location using a variety of devices within the Tizen ecosystem".  | ||
| + | *This app is based on Chromium and it also uses a Cache folder ("\user\home\owner\appr_rw\gfamilymap\data\chromium-elf\cache\") that can be parsed with ChromeCacheView or Hindsight. | ||
| + | *By analyzing the images stored in the cache folder I was able to find some Google Maps images geolocated at the VTO Labs headquarter, where probably the fridge was used and then acquired. | ||
| + | *Some logs files about the Glympse service are stored in the "\user\home\owner\appr_rw\com.glympse.tizen.frapp.service\data\glympse". They seem to contain information about sync with the Glympse service, but more research and testing is needed. | ||
| + | ===Samsung Connect=== | ||
| + | *The "\user\home\owner\apps_rw\com.samsung.samsung-connect" folder contains Samsung Connect App data. This app "provides users a simple, unified way to control and monitor smart devices in one app". | ||
| + | *The "\user\home\owner\apps_rw\com.samsung.samsung-connect\shared\data\sc.db" file contains references to other devices: in the provided dataset a "SAMSUNG SM-G930V" and a "Pixel 2" (table "device_table"). | ||
| + | ===Energystar=== | ||
| + | *The "\user\home\owner\apps_rw\org.tizen.energystar" folder contains energy information. The "\user\home\owner\apps_rw\org.tizen.energystar\shared\trusted\usage.db" seems containing information about power usage with hourly timestamps ("power_usage_table" table). | ||
| + | ===iHeart Hub Radio=== | ||
| + | * The "\home\owner\apps_rw\4GKFs7KtEh\" folder contains the iHeartHub Radio app data. This app is based on Chromium and it also uses a Cache folder ("\user\home\owner\appr_rw\4GKFs7KtEh\data\chromium-elf\cache\") that can be parsed with ChromeCacheView or Hindsight. | ||
| + | * The app seems to suggest radios based on the fridge location (Denver, Colorado). | ||
| + | ===Media folder=== | ||
| + | *The "\home\owner\media\" folder contains user media files. The internal structure seems self explicative, even though the provided dataset only contains predefined documents and pictures. | ||
| + | ===Other stuff=== | ||
| + | |||
| + | Some other possibly interesting files are: | ||
| + | *\home\owner\.applications\dbspace\.context-service.db | ||
| + | *\home\owner\.applications\dbspace\privacy\.calendar-service.db | ||
| + | *\home\owner\.config\chromium-efl\IconDatabase\WebpageIcons.db | ||
| + | *\home\owner\media\Documents\.calendar_rotate.db | ||
| + | *\home\owner\apps_rw\org.tizen.browser\data\.browser.settings.db | ||
| + | *\home\owner\apps_rw\org.tizen.browser\data\.browser.bookmark.db | ||
| + | *\home\owner\apps_rw\org.tizen.browser\data\.browser.certificate.db | ||
| + | *\home\owner\apps_rw\org.tizen.menu-screen\data\dbspace\menu_screen.db | ||
| + | *\home\owner\apps_rw\org.tizen.setting\data\setting.cfg | ||
| + | *\home\owner\apps_rw\org.tizen.smarthome.service\data\subscriptionDB | ||
| + | *\home\owner\apps_rw\org.tizen.smarthome.service\data\pref.db | ||
| + | *\home\owner\share\.svoice_da_db.db | ||
| ==Links== | ==Links== | ||
| * https://blog.digital-forensics.it/2020/12/a-journey-into-iot-forensics-episode-1.html | * https://blog.digital-forensics.it/2020/12/a-journey-into-iot-forensics-episode-1.html | ||
| + | |||
| + | [[Category:Samsung]] | ||
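Review bot: the paths added in this hunk are spelled inconsistently. The Glympse and iHeart Hub Radio bullets use "appr_rw" where every other added path uses "apps_rw"; the cache folders are written "chromium-elf" while the "Other stuff" list has "chromium-efl"; and the iHeart bullet and the "Other stuff" list start at "\home\owner\" where the rest of the section starts at "\user\home\owner\". Check each against the dataset and settle on one spelling, since an examiner will copy these paths directly. The Tizen Browser tabs bullet also says "as shown in picture", but no picture is added with it.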
Latest revision as of 06:52, 31 December 2021
Samsung Smart Fridges with the Family Hub software are smart fridges that run Tizen. A dataset shared by VTO Labs contains an image of all of the partitions, such as the system and data partitions. The blog ZENA forensics has analyzed the dataset for evidence. (Just like a historian, EVERYTHING counts for a case to be solved)
Storage format
The device uses a GPT partitioning scheme with a total of 21 partitions.
- Partitions 18 and 19 contain system data.
- Partition 20 has settings by the user.
- Partition 21 has user data.
RootFS Partition
- \etc\os.release contains details about the installed OS. The file shows that the installed OS is Tizen 3.0.
- \etc\tizen-build.conf contains more OS information, including the build date.
- The "\usr\apps" folder contains the pre-installed applications. This is archivist gold because it has apps.
All apps have a bundle name or a sort-of GUID that is 10 characters long.
System-data partition
This partition has settings.
- The "\etc\localtime" file contains information about the timezone set on the device (in the provided dataset America/Denver, where VTO Labs is located)
- The "\dnsmasq.leases" file contains information about the leases handed out by the dnsmasq service. The provided dataset contains the following values:
  - 1517956504, that translates to 6th February 2018 at 10:35:04 UTC
  - 4c:66:41:5c:7e:92, a MAC address manufactured by Samsung Electro-Mechanics
  - 192.168.7.61, a local IP address
  - Samsung-SM-G930V, a smartphone model
  - 01:4c:66:41:5c:7e:92, a MAC address by an unknown manufacturer
- The "\dbspace\5001\.account.db" file contains information about the Samsung account, including username and email address (in the provided dataset "connectedkitchenvto@gmail.com")
- The "\dbspace\.notification.db" file contains notification settings (per app).
- The "\dbspace\.alarmmgr.db" file contains alarm settings (per app).
- The "\var\lib\bluetooth\" folder contains a subfolder apparently named as the Bluetooth MAC Address of the device. In the provided dataset the folder name is 70:2C:1F:41:E2:43, which is a Bluetooth MAC Address manufactured by Wisol, a Samsung company.
- The "\var\lib\bluetooth\<BT_MAC>\settings" file contains the device Bluetooth name (in the provided dataset "[Refrigerator] Samsung").
- The "\var\lib\bluetooth\<BT_MAC>\cache" folder contains various files, each named after a MAC address. In the provided dataset 6 files are stored in the folder. Every file contains a device name. They seem to be "seen" devices, although more testing is needed.
- The "\var\lib\buxton2\system.db" file contains information about OS settings. The database needs more research to understand the exact content, but it apparently contains interesting configuration and information embedded in BLOB data. The full list of settings follows.
db/refrigerator/modelType
db/usb/sel_mode
db/pwlock/factory_boot
db/wifi/country_code
db/setting/country_code
db/pwlock/setup_wizard_started
db/menu_widget/language
db/menu_widget/regionformat
db/privacy_policy/agree
db/refrigerator/ModelSupportedIceMaker
db/account/msg
db/samsungaccount/signin
db/pwlock/setup_wizard
db/menuscreen/numofpages
db/setting/timezone_id
db/setting/cityname_id
db/setting/timezone
db/dnet/statistics/wifi/totalsnt
db/dnet/statistics/wifi/totalrcv
db/softap/hide
db/softap/security
file/private/wifi/wifi_off_by_airplane
db/refrigerator/checkModelId
db/otn/otn_download_version
db/photoalbum/default_album
db/refrigerator/MicomInfoModelIdStr
db/refrigerator/ModelSupportedDoor
db/photoalbum/last_album
db/refrigerator/FirstWarning
db/wifi/wifi_disconnect_count
db/nfc/feature
db/nfc/enable
db/audio/volume/kantmeq/product_model
db/audio/volume/kantmeq/standard
db/audio/volume/kantmeq/music
db/audio/volume/kantmeq/movie
db/audio/volume/kantmeq/speech
db/audio/volume/kantmeq/silver
db/audio/volume/kantmeq/stadium
db/audio/volume/kantmeq/icehockey
db/audio/volume/kantmeq/african_cinema
db/audio/volume/kantmeq/indian_cinema
db/audio/volume/kantmeq/party
db/audio/volume/kantmeq/rugby
db/audio/volume/kantmeq/reserved5
db/refrigerator/MicomInfoLastSwVersion4
db/refrigerator/TchefMode
db/refrigerator/DoorAlarm
db/refrigerator/EnergySaver
db/refrigerator/icetype
db/refrigerator/TemperatureUnit
db/wifi/bssid_address
file/private/wifi/last_power_state
file/private/contacts-service/default_lang
db/pwlock/function_state
db/indicator/rm
db/clogger/global_ID
db/svoice/ref_room
db/svoice/setting/lang
db/isf/input_keyboard_uuid
db/refrigerator/MicomInfoAddr1
db/refrigerator/MicomInfoAddr2
db/refrigerator/MicomInfoAddr3
db/refrigerator/MicomInfoModelId1
db/refrigerator/MicomInfoModelId2
db/refrigerator/MicomInfoModelId3
db/refrigerator/MicomInfoModelId4
db/dnet/statistics/wifi/lastsnt
db/dnet/statistics/wifi/lastrcv
file/private/isf/autocapital_allow
file/private/isf/autoperiod_allow
db/refrigerator/coolselectzoneState
db/refrigerator/stepFreezerTemp
db/refrigerator/setFreezerTemp
db/refrigerator/setPowerFreeze
db/refrigerator/setPowerCool
db/refrigerator/DispenserLock
db/refrigerator/DispenserIceMaking
db/refrigerator/DispenserIceOff
db/refrigerator/DispenserFilter
db/refrigerator/HandleLighting
db/refrigerator/SterilizationCleaner
db/refrigerator/stepFridgeTemp
db/refrigerator/setFridgeTemp
db/refrigerator/CoolingOff
db/refrigerator/RefOption01
db/refrigerator/RefOption02
db/refrigerator/RefOption03
db/refrigerator/RefOption04
db/refrigerator/RefOption05
db/refrigerator/RefOption06
db/energystar/defrost/status
db/energystar/defrost/activate
db/refrigerator/RefOption07
db/refrigerator/RefOption08
db/refrigerator/RefOption09
db/refrigerator/RefOption10
db/refrigerator/RefOption11
db/refrigerator/RefOption12
db/energystar/dr/override
db/refrigerator/MicomInfoYear
db/refrigerator/MicomInfoProject
db/refrigerator/MicomInfoVersion
db/refrigerator/RefOption13
db/refrigerator/ModelDiodeOption
db/refrigerator/MicomInfoSwVersion1
db/refrigerator/MicomInfoSwVersion2
db/refrigerator/MicomInfoSwVersion3
db/refrigerator/MicomInfoSwVersion4
db/refrigerator/MicomInfoType1
db/refrigerator/MicomInfoType2
db/refrigerator/rm_state
db/energystar/dr/level
db/setting/Brightness
db/refrigerator/displayFreezerTemp
db/refrigerator/displayFridgeTemp
db/refrigerator/DeoFilter
db/wifi/wifi_ui_onoff_status
db/browser/user_agent
db/svoice/manager/bos_response
db/svoice/manager/response
file/private/sound/volume/system
db/bluetooth/bt_ui_onoff_status
file/private/bt-core/flight_mode_deactivated
db/bluetooth/lestatus
file/private/libug-setting-bluetooth-efl/visibility_time
db/bluetooth/status
db/bluetooth/dpm
db/refrigerator/MicomUsedMonth
db/isf/input_language
file/private/sound/volume/media
file/private/sound/volume/notification
db/mic_key/status
db/setting/lcd_backlight_normal
  - Some of these BLOB data can be easily read, like the Wi-Fi BSSID address, which in the provided dataset is 70:2c:1f:41:e2:42.
- The "\var\lib\connman\settings" file contains information about network services (WiFi, Bluetooth, Wired, Cellular) and whether each one is enabled.
  - In the provided dataset there is a subfolder named wifi_702c1f41e242_436f6e6e65637465644b69746368656e56544f32_managed_none which contains a settings file with information about the Wi-Fi network the device was connected to. In the provided dataset the Wi-Fi network name is ConnectedKitchenVTO2 and the last assigned IP address is 172.16.42.126.
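The dnsmasq lease values and the connman folder name described above can both be decoded mechanically. The following is an added example, not code from this wiki or from the analysis it cites; it assumes the five dnsmasq values listed above form one lease line in dnsmasq's usual field order (expiry time, MAC, IP, hostname, client ID), and the function names are hypothetical.

```python
from datetime import datetime, timezone

# Constructed inputs, assembled from the values quoted on this page.
LEASE_LINE = ("1517956504 4c:66:41:5c:7e:92 192.168.7.61 "
              "Samsung-SM-G930V 01:4c:66:41:5c:7e:92")
SERVICE_DIR = ("wifi_702c1f41e242_"
               "436f6e6e65637465644b69746368656e56544f32_managed_none")


def parse_lease(line):
    """Split one dnsmasq lease line into named fields (hypothetical helper)."""
    parts = line.split()
    if len(parts) < 4 or not parts[0].isdigit():
        raise ValueError(f"not a dnsmasq lease line: {line!r}")
    epoch, mac, ip, hostname = parts[:4]
    # dnsmasq writes "*" when the client sent no client ID.
    client_id = parts[4] if len(parts) > 4 else "*"
    # The first field is the lease expiry time in Unix epoch seconds.
    expiry = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return {
        # 24-hour clock: 22:35:04 is 10:35:04 PM.
        "expiry_utc": expiry.strftime("%Y-%m-%d %H:%M:%S"),
        "mac": mac.lower(),
        "ip": ip,
        "hostname": hostname,
        "client_id": client_id.lower(),
        # A DHCP client ID of "01:" + MAC is hardware type 1 (Ethernet)
        # followed by the client's own hardware address.
        "client_id_is_mac": client_id.lower() == "01:" + mac.lower(),
    }


def parse_connman_service(name):
    """Decode a connman Wi-Fi service folder name (hypothetical helper)."""
    parts = name.split("_")
    if len(parts) != 5 or parts[0] != "wifi" or len(parts[1]) != 12:
        raise ValueError(f"not a connman Wi-Fi service name: {name!r}")
    _, mac_hex, ssid_hex, mode, security = parts
    try:
        # The third field is the network name, hex-encoded byte by byte.
        ssid = bytes.fromhex(ssid_hex).decode("utf-8", errors="replace")
    except ValueError:
        ssid = None  # field is not hex, so no name can be recovered
    return {
        "mac": ":".join(mac_hex[i:i + 2] for i in range(0, 12, 2)).lower(),
        "ssid": ssid,
        "mode": mode,
        "security": security,
    }


if __name__ == "__main__":
    print(parse_lease(LEASE_LINE))
    print(parse_connman_service(SERVICE_DIR))
```

The decoded folder name yields the same address the page reports for db/wifi/bssid_address and the network name ConnectedKitchenVTO2, so the two artifacts corroborate each other.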
User partition
The user partition contains most of the user data.
Tizen Glaze Camera
- The Glaze Camera is a built-in camera solution for a refrigerator that supports food management. I was not able to find a lot of technical details about this service, but the open-source GitHub script Python Family Hub mentions it. Some non-technical details about the service are also available here.
- The application stores its data in the "\user\home\owner\apps_rw\org.tizenglazecamera\" folder. In the provided dataset three JPG pictures of the content of the fridge were found in the "\shared\trusted\" subfolder. All of them were taken on 7th February 2018 at 18:41:12 UTC.
Tizen Browser
- The Tizen OS 3.0 has a default browser named "Tizen Browser", based on Chromium. Details about the browser are available on the tvmode.org website. The Tizen Browser stores information in 2 main locations in the user partition: the "\user\home\owner\apps_rw\org.tizen.browser\" folder and the "\user\data\browser-provider\database\" folder.
- The "\user\data\browser-provider\database\.browser-provider-history.db" file contains browser history, including visit date, URL and page title for each visited website. In the provided dataset we can find 4 Google searches ("funny cats", "thug life cats", "starman live", "best of he man") and two viewed YouTube videos (https://m.youtube.com/watch?v=M-P3l9ezaF8 and https://m.youtube.com/watch?v=bMjVvg8jOO4).
- The "\user\data\browser-provider\database\.browser-provider-tabs.db" file contains information about opened tabs. In the provided dataset you can find a single entry in the "tabs" table, as shown in the picture: it includes a URL (https://m.youtube.com/watch?v=bMjVvg8jOO4) and a creation date value (2018-02-07 18:18:30).
- The "\user\home\owner\apps_rw\org.tizen.browser\data\chromium-elf\cache" folder contains browser cache items. As the Tizen Browser is based on Chromium, the Cache can be parsed with ChromeCacheView or Hindsight.
Glympse Family Map
- The Glympse Family Map is a location-sharing service "which allows users to seamlessly share their location using a variety of devices within the Tizen ecosystem".
- This app is based on Chromium and it also uses a Cache folder ("\user\home\owner\appr_rw\gfamilymap\data\chromium-elf\cache\") that can be parsed with ChromeCacheView or Hindsight.
- By analyzing the images stored in the cache folder I was able to find some Google Maps images geolocated at the VTO Labs headquarters, where the fridge was probably used and then acquired.
- Some log files about the Glympse service are stored in the "\user\home\owner\appr_rw\com.glympse.tizen.frapp.service\data\glympse" folder. They seem to contain information about sync with the Glympse service, but more research and testing is needed.
Samsung Connect
- The "\user\home\owner\apps_rw\com.samsung.samsung-connect" folder contains Samsung Connect App data. This app "provides users a simple, unified way to control and monitor smart devices in one app".
- The "\user\home\owner\apps_rw\com.samsung.samsung-connect\shared\data\sc.db" file contains references to other devices: in the provided dataset a "SAMSUNG SM-G930V" and a "Pixel 2" (table "device_table").
Energystar
- The "\user\home\owner\apps_rw\org.tizen.energystar" folder contains energy information. The "\user\home\owner\apps_rw\org.tizen.energystar\shared\trusted\usage.db" file seems to contain information about power usage with hourly timestamps ("power_usage_table" table).
iHeart Hub Radio
- The "\home\owner\apps_rw\4GKFs7KtEh\" folder contains the iHeartHub Radio app data. This app is based on Chromium and it also uses a Cache folder ("\user\home\owner\appr_rw\4GKFs7KtEh\data\chromium-elf\cache\") that can be parsed with ChromeCacheView or Hindsight.
- The app seems to suggest radio stations based on the fridge location (Denver, Colorado).
Media folder
- The "\home\owner\media\" folder contains user media files. The internal structure seems self-explanatory, even though the provided dataset only contains predefined documents and pictures.
Other stuff
Some other possibly interesting files are:
- \home\owner\.applications\dbspace\.context-service.db
- \home\owner\.applications\dbspace\privacy\.calendar-service.db
- \home\owner\.config\chromium-efl\IconDatabase\WebpageIcons.db
- \home\owner\media\Documents\.calendar_rotate.db
- \home\owner\apps_rw\org.tizen.browser\data\.browser.settings.db
- \home\owner\apps_rw\org.tizen.browser\data\.browser.bookmark.db
- \home\owner\apps_rw\org.tizen.browser\data\.browser.certificate.db
- \home\owner\apps_rw\org.tizen.menu-screen\data\dbspace\menu_screen.db
- \home\owner\apps_rw\org.tizen.setting\data\setting.cfg
- \home\owner\apps_rw\org.tizen.smarthome.service\data\subscriptionDB
- \home\owner\apps_rw\org.tizen.smarthome.service\data\pref.db
- \home\owner\share\.svoice_da_db.db

