Profile picture
Jan 23rd 2020, 17 tweets, 6 min read
My Authors
Read all threads
To play with FTI's findings, I'm doing forensics on a second phone, namely my current iPhone XS. It makes me even more suspicious of FTI's conclusions.
One of FTI's conclusions is that they looked at several phones with normal baseline traffic, with only Bezos's showing an anomaly after you downloaded that video from MBS. As far as I can tell, this must be a lie. That's not how these things work. All phones show weird anomalies.
I'm using only 4 programs here:
1. iTunes, to grab backup of my iPhone
2. "iPhone Backup Extractor" to extract 'DataUsage.sqlite'
3. "sqlitebrowser" to get the ZLIVEUSAGE table and execute an SQL query to get data from that table
4. 'Microsoft Excel" to graph the data
I plug my phone into my laptop, tell it to trust the computer, then go into iTunes to create a backup.
I go into iPhone Backup Extractor and this backup appears in the list, so I just click on it.
I then go to the "Expert Mode" tab and navigate the tree to DataUsage file and hit the "extract" button, saving thing as a file under my Documents folder.
Now I run the sqlitebrowser and open that file:
I then run the following SQL query to extract just the data I want, and to convert the timestamp. The query is from github.com/mac4n6/APOLLO/…
I then save the results view as a CSV file and open in Excel.
There's multiple entries per day, or usually zero entries (as I'll describe below). I therefore create column G with a list of days (first row is 1/1/2019, subsequent ones are +1 the previous). Then in column H, the formula you see to sum.
I then create a line graph for columns G and H to get the following result.
So here's the thing about those spikes: they are highly inaccurate. If you open an app, do some traffic, and completely close the app (such as by turning off the phone), then it'll accurately reflect that traffic for that day.
But if you are like me and open an app and leave it running in the background for months, then things get wonky. There will be only one entry in the database for all that activity.
So why did Uber send 56-megabytes of data? it didn't -- it's that I closed all the apps around Xmas, so causes apps to finalize which data all the traffic for months was going to be accounted for. Likewise, 9gigs for Twitter and 2.5gigs for Brave reflect months of traffic.
You see that @iamevltwin already handled this in her original scripts, grabbing multiple timestamps for the process, not just the one from this table.
mentions Why the heck is there 100-megabytes of UPLOAD in the Podcast app when I only DOWNLOAD them? Looks suspicious, like the Saudi's hacked me. There is so much inexplicable behavior by apps in this data.
mentions Anyway, I've tried to document this so that everyone can replicate this sort of forensics on your own phone. If you've already decided that MBS/HackingTeam hacked your phone, you'll find much to support this conclusion.
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Rob ☃️ Graham (not at Shmoocon this year)

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @ErrataRob see all

Profile picture
Rob ☃️ Graham (not at Shmoocon this year)
@ErrataRob
Jan 30th 2020
Attorneys won't provide legal advice for free or for a small fee, doctors won't look at your kid's rash, and really, cybersecurity professionals shouldn't be looking at people's computers.
One reason is the risk of being sued when there's a mistake -- you are asking them to accept a considerable financial risk for free.

The second reason is the a high chance of a mistake.
Let's ask a lawyer "Is port scanning legal?". What I don't tell them is that I'm running nmap with a script that also automatically logs onto the system, so when I get arrested for CFAA violations, I sue the lawyer who told me it was legal for legal malpractice.
Read 10 tweets
Profile picture
Rob ☃️ Graham (not at Shmoocon this year)
@ErrataRob
Jan 30th 2020
At some point we have to call this "Saudi hacks Bezos" story "fake news". It's debunked, yet the media still pushes it. Sure, this story does point out it's purely "circumstantial', but then goes on to treat as almost certainly true.
As, as my non-technical and technical deep dives demonstrate, the FTI report contains no evidence of a hack. It's a conspiracy theory that treats things the investigators don't understand as evidence -- much like UFO believers.
blog.erratasec.com/2020/01/theres…
By "at some point" I mean, maybe not initially, when breaking news is always problematic. I mean a week later after people have had time to digest the story and fact check it, finding problems, and it's STILL treated as fact.
Read 8 tweets
Profile picture
Rob ☃️ Graham (not at Shmoocon this year)
@ErrataRob
Jan 28th 2020
So my latest blogpost is chock full of details you didn't realize you cared about, such as where Apple puts files when it backs up your iPhone. It stores them in files named with the SHA1 hash of the original filename.
There are easy-to-use GUIs for extracting files from iPhone backups, like "iPhone Backup Extractor", but you can extract the "ChatStorage.sqlite" file from the backup yourself by grabbing the file named "7c7fba66680ef796b916b067077cc246adacf01d".
I mention their product because that's what I started with, but also because it's got a lot of good additional technical information on their website:
iphonebackupextractor.com/blog/iphone-ba…
Read 3 tweets

Related threads

Profile picture
Larry Sanger
@lsanger
Nov 10th 2019
Before I ever heard anything about #Pedogate or #Pedowood, I had the following thought, which takes on new meaning for me.

So, actresses get undressed in public—very, very much in public—for Hollywood studios. This is perfectly normal. We're just talking about nude scenes. 👇
But, if you have any sense of history, I invite you to imagine what most people would have thought of this before the advent of video and especially before photography. Nude paintings and sculpture were common, but taking your clothes off to simulate sex? Unthinkable.
Consider how many #MeToo and #Pedowood predators run things in Hollywood. Consider that—this is perfectly real—so many careers are advanced through "the casting couch." Hollywood is trash.

In this context, for some directors and producers, nude scenes must work like voyeurism.
Read 10 tweets
Profile picture
Kārtik | கார்த்திக் | ಕಾರ್ತಿಕ
@SandalBurn
Sep 3rd 2019
One thing I've found very curious in popular discourse around language in India is that language contact is reduced to the process of loaning words; this incredibly fascinating linguistic phenomenon is reduced to its lexical aspect. This ends up obscuring all the amazing stuff
that language contact makes possible, these perspectives it offers us. Lexical borrowing is probably the least interesting form it takes, it's also the most superficial in many ways. Doesn't take much for a literary register to borrow vocab from a prestige language - the vast
volume of English words that have made it to Indian languages is a great example.

People borrow words all the time, sure, but imagine influenced by a language so much you start modeling your own *grammar* and sound systems after it. Way cooler than just borrowing words right?
Read 8 tweets
Profile picture
emptywheel
@emptywheel
Jun 8th 2019
One of the prosecutors who pick up the Mystery Appellant case, Zia Mustafa Faruqui, also picked up Manafort's case.

(See page 125)

dcd.uscourts.gov/sites/dcd/file…
Note; the timing of the Mystery Appellant's refusal to do an evidentiary hearing and Mueller's hasty finish is interesting.
Note, that the Mystery Appellant was handed from Zainab Ahmed to Zia Mustafa Faruqui, makes it even more likely the company is a Gulf State company.
Read 12 tweets
Profile picture
Mona
@Monaheart1229
Feb 21st 2019
It is said that the 'best defense is a good offense' and while Trump is extremely, suspiciously defensive @ Andrew McCabe's revelations, his offense is only derision-which makes me even more suspicious.. #ThursdayThoughts
washingtonpost.com/politics/trump…
2-"President Trump has called former FBI acting director Andrew McCabe a liar, a disgrace to the country and, on Wednesday, “a poor man’s J. Edgar Hoover” — the latest example of efforts by the president and his supporters to undercut the credibility of an impending report on
3-"Russian interference in the 2016 election.The attacks on McCabe in particular serve a dual, if internally contradictory, purpose for Trump: to discredit McCabe’s highly critical new book while using it to advance a case that he is the victim of a corrupt “deep state” plotting
Read 28 tweets
Profile picture
Nick Weil
@nick_weil
Oct 21st 2018
Starting to realize how central the #Skripal affair is to the post-election collusion narrative. Which makes it even more suspicious in my mind
It was brought up by @intelhistorian today at a panel and he framed it as a move by Putin which broke all the “rules” of international spying. That Skipal was supposed to be off limits for the rest of his natural life since he was “traded” between Russia and the US in the past
The Skripal event has been closely studied by @ClimateAudit and others and it’s not a clear cut thing. But it IS a sure thing in the minds who buy the collusion narrative. It’s not even a question.
Read 5 tweets
Profile picture
Ryan Goodman
@rgoodlaw
Oct 17th 2018
BOMBSHELL in #Khashoggi reporting

WSJ has DETAILED info on the tapes (location off killing, doctor telling others to listen to music, no interrogation).

• Saudis would now know if Turkey knows exactly what happened
• No interrogation taking place would mean straight murder 1/
Other implications:

Wall Street Journal report says tape indicates Khashoggi "killed in the office of the Saudi consul general"

That makes it even more suspicious that Consul General has left Turkey for Riyadh.

Didn't want to stick around for interview with investigators? 2/
If Turkey has tape like this, good luck to Pompeo-Trump-MBS covering this up. If Ankara wants to, could draw them out in their coverup story and then drop the tapes for world to see/hear.

Read @aaronstein1 analysis of how Turkey's playing this so far:
3/
Read 5 tweets

Trending hashtags

#LOLwut #Bangladesh #Pentagon #tradewar #Iran #technology #Shenzhen #Threadnought #Shanghai #tariffs #BOI #ThoughtsAndPrayers #DRAM #Corn #California #HongKong #Vietnam #Asia #Senate #HowEmbarrassing #Austria #drones #Canada #cryptocurrency #SPX
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!