Adding Vendors to Bluetooth Devices in Physical Analyzer
One of the nicest features about today's forensics software is its expandability. No matter how many people a forensics tool producer hires, they are NOT going to be able to anticipate every need. First of all, there are just too many different devices, applications, operating systems and users to be able to decode everything we may run across. Second, most programmers are not forensics people. They may not completely understand exactly what it is we want when it comes to data extraction types, reporting, analysis and organization of data. So, the addition of a scripting tool like Python to their product can help immensely in customizing our experience with the tool.
Looking up vendors by their MAC address
Every time I see an extraction in any software for Bluetooth devices, I want to be able to find out what the manufacturer/vendor of the device is in order to match that record with another actual device, whether it's a computer or another mobile device. Let's be honest, I'm not terribly interested in Bluetooth headsets or hands-free kits, but... anyway... There are various places on the Internet where you can find the vendor or manufacturer of a device by its MAC (media access control) address. Just about any networkable device will have a MAC address, which is its physical address. One of the sites is hwaddress.com, another is macvendors.com.
A MAC address consists of two parts, each three bytes long:
The first part is the OUI (Organizationally Unique Identifier) which names the vendor or maker of the device. The second part is a unique identifier for the device, which is somewhat like a serial number. For example, the following MAC address, 40:6c:8f:31:1a:0b is assigned to an Ethernet card and if we take a look on macvendors.com, we'll see that the manufacturer is Apple. The 40:6c:8f part tells us it's an Apple device and the 31:1a:0b part is just the unique identifier for our particular device (Ethernet, WiFi or Bluetooth adapter).
When I've come across MAC addresses in Physical Analyzer, whether they belong to Bluetooth devices or WiFi networks, I usually look them up to find out what brand they are. That way it should be easier to match it to the actual device, should we eventually come across it.
But the idea for this script really comes from me trying to find out if I could add to an existing piece of analyzed data or model in Physical Analyzer. It turns out you can.
```python
from physical import *  # necessary import for Physical Analyzer (PA) scripts

# These are the vendors, in order, for the devices already listed in PA (for this particular phone)
vendors = ["BlackBerry", "Huawei", "LG", "Samsung", "LG", "Samsung", "Samsung"]

# Iterate through all the Bluetooth devices in PA and add the corresponding vendor
# from the table to the device's "Info" property/attribute
for item, device in enumerate(ds.Models[BluetoothDevice]):
    device.Info.Value = vendors[item]
```
So, here's what I got from that (for that particular phone):
[Screenshot 1: View in Physical Analyzer before the script, showing the existing Bluetooth devices enumerated]
Anyway, urllib2.urlopen can be used to access http://api.macvendors.com to pull the vendor for a particular MAC address. Their API page is located here: http://www.macvendors.com/api
And, yes, in case you're wondering, I did donate to their page. I'm amazing.
With urllib2, the script became even simpler and universal to any phone with Bluetooth devices enumerated by Physical Analyzer. Here it is:
```python
# necessary imports, both for scripts in PA and to use urllib2
from physical import *
import urllib2

url = "http://api.macvendors.com/"  # set our url to the proper location

for device in ds.Models[BluetoothDevice]:  # iterate through the BT devices
    try:
        # look up the vendor for this MAC address and store it in the device's Info property
        device.Info.Value = urllib2.urlopen(url + str(device.MACAddress)).read()
    except urllib2.HTTPError:
        pass  # added guard: an OUI the API does not know comes back as an HTTP error; skip it rather than abort the loop
```
That last line does this:
1. Pulls each MAC Address from the existing BT devices as "device.MACAddress"
2. Converts the MAC Address to a string, as required by urllib2.urlopen.
3. With that and the url from before, runs urllib2.urlopen, which reads the vendor name from the macvendors API.
4. Assigns that result to the BT device's "Info" property (device.Info.Value sets this).
So, the script just iterates through the existing Bluetooth devices, pulls each MAC Address from the device's "MACAddress" property, converts it to a string required by urlopen, looks it up, gets the vendor, then populates that info in the device's "Info" attribute/property.
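The same OUI-to-vendor lookup can be done offline against a local table, which keeps case-derived MAC addresses off the network and makes the OUI/device-identifier split described above explicit. This is an added example, not the post's script or Physical Analyzer's API; the OUI table and the device records are constructed (only the Apple OUI comes from the post), and it also flags locally administered (e.g. randomized) addresses, whose first three octets are not a registered OUI.

```python
import re

# Constructed sample OUI table (first three octets -> vendor). In practice this would be
# loaded from a local copy of a public OUI registry; only the Apple entry comes from the post.
OUI_TABLE = {
    "40:6C:8F": "Apple",
    "00:1A:11": "ExampleVendorA",  # constructed
    "D8:5D:4C": "ExampleVendorB",  # constructed
}

def normalize_mac(mac):
    """Accept 40:6c:8f:31:1a:0b, 40-6C-8F-31-1A-0B or 406c8f311a0b; return AA:BB:CC:DD:EE:FF."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", str(mac))
    if len(hexdigits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % (mac,))
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()

def split_mac(mac):
    """Return (OUI, device-specific part), each three octets, as the post describes."""
    norm = normalize_mac(mac)
    return norm[:8], norm[9:]

def is_locally_administered(mac):
    """Bit 0x02 of the first octet set means a locally assigned (e.g. randomized) address,
    so its first three octets are not a registered OUI and a vendor lookup is meaningless."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)

def lookup_vendor(mac, table=OUI_TABLE):
    """Resolve the vendor offline; None when the OUI is unknown or the address is not globally assigned."""
    if is_locally_administered(mac):
        return None
    oui, _ = split_mac(mac)
    return table.get(oui)

def annotate_devices(devices, table=OUI_TABLE):
    """Mirror the PA loop: each record is a dict with 'MACAddress'; fill 'Info' with the vendor,
    or a clearly marked unknown so a gap is never mistaken for a looked-up value."""
    for device in devices:
        vendor = lookup_vendor(device["MACAddress"], table)
        device["Info"] = vendor if vendor else "unknown OUI (%s)" % split_mac(device["MACAddress"])[0]
    return devices

if __name__ == "__main__":
    # Constructed sample records in the shape the post reads out of ds.Models[BluetoothDevice]
    sample = [{"MACAddress": "40:6c:8f:31:1a:0b"}, {"MACAddress": "d8-5d-4c-00-11-22"},
              {"MACAddress": "aabbccddeeff"}]
    for d in annotate_devices(sample):
        print(d["MACAddress"], "->", d["Info"])
```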
The results look like this (note, this particular phone only has three BT devices enumerated):
[Screenshot 4: The vendors (pulled from macvendors) populating the Information column]
Hopefully you can get some use out of this, not just to add vendors to Bluetooth Devices, but for adding information carved to any type of Analyzed Data. Make sure, however, that you are certain it's correct before you go adding stuff willy-nilly to your results. Document everything.
Later.