Forensic Analysis of a Roku XS 2

Abstract

The Roku XS 2 is a digital media streaming device made by Roku, Inc. The Roku is a relatively new device: the first generation was introduced on May 20, 2008 (Roku Inc. Press Release, 2008). The current Roku XS 2 runs a proprietary Linux-based operating system on kernel 2.6.19. Since the introduction of the first Roku, which streamed only Netflix, Roku Inc. has sold several additional models (www.roku.com), and the number of online streaming services has grown as well: where it began with only Netflix, users can now stream media from Vudu, HBO Go, Crackle, ESPN, Fox, Amazon Prime, Hulu and Daily Burn (www.roku.com). Like other consumer technologies, the Roku has evolved rapidly, so law enforcement needs up-to-date policies and procedures for collecting digital evidence from it (Cameron, 2011). At some point consumers realize that new technologies can be used for unauthorized and possibly unlawful purposes (Palmer, ND).

 

Introduction

The goal of this process is to develop a method that meets digital/cyber forensic standards for retrieving and handling evidence from the Roku XS 2. Developing such a process presents several challenges that must be met. First, evidence collection, handling and maintenance must withstand challenge in the courtroom. For officers this data can be a key part of an investigation, and the potential evidence found could be critical to the prosecution of a crime (Cameron, 2011), which only elevates the importance of collecting digital evidence correctly. To meet these challenges a strict set of controls, rules or guidelines must be in place. For law enforcement there are several guidelines for dealing with digital evidence; part of the procedure for handling the Roku XS 2 is based on the guidelines the National Institute of Justice (NIJ) developed specifically for digital evidence handling (Ashcroft, Daniels and Hart, 2004). The NIJ has released four additional documents intended as guidelines for law enforcement in handling digital evidence. Following these guidelines will help ensure that this process can meet any challenge it faces.

The forensic tools chosen must likewise be able to withstand challenge in the courtroom. There are a number of commercial off-the-shelf (COTS) products available (Bennett, 2011). Throughout this process a variety of tools will be used to attempt to find data or evidence on the Roku XS 2. It is important for this process that any data collected be "forensically correct" (Charters, 2009). According to Charters, to be "forensically correct" evidence must meet all of the following criteria:

  • Collected and maintained in accordance with a defined procedure
  • It must be verifiable as authentic
  • It must be verified as relevant
  • It must be collected in a reliable manner
  • It must preserve the original evidence to the extent possible (Charters, 2009)

It is imperative that, in a real-world situation, any data collected through this process that could be used as evidence stands up to these tests.

 

Steps of the Process

Device Information:
The following technical specs of the Roku XS 2 were taken from www.roku.com. The specs also include the inputs and outputs of the device.

  • Networking
    • 802.11 a/b/g/n with WEP, WPA and WPA2 support
  • Video Output
    • 480p, 720p, 1080p
  • Audio Output
    • Digital over HDMI (7.1 and 5.1 surround pass-through)
    • Analog stereo (left/right/composite video RCA)
  • Operating System
    • Linux-based proprietary Roku OS (kernel 2.6.19)
  • Remote Control
    • Roku standard remote with channel shortcut buttons; the streaming player includes an IR receiver (compatible with various universal remotes)
  • Power Consumption
    • Less than 3.0 W (typical) when streaming HD video
  • Power Input
    • 12 V, 0.5 A power adapter
  • Size
    • 3.7 x 3.7 x 1.2 inches
  • Weight
    • 3.5 ounces
  • Misc. Input/Outputs
    • LED light
    • USB port
  • Roku Architecture (Roku Streaming Player Development Guide, 2011):

(figure: Roku architecture diagram)

The Roku architecture was built with security in mind. Channels (applications) are written in a language called BrightScript. The architecture "sandboxes" each application, segregating it from other areas of the system: scripts by design have limited access to the platform's resources and can reach only the scripting layer of the BrightScript components. As the development guide states, this safeguards the integrity of the platform and prevents unauthorized access to the OS or to other third-party content. Applications cannot interact with one another, with the system, or with each other's private data. Each application's data is stored securely and separately in its own section of the system registry; only applications that share a developer ID key can share data through the registry (Roku Streaming Player Development Guide, 2011).

 

Pre-Acquisition Phase

The Roku XS 2 used in this test was purchased refurbished from Amazon.com; it shipped with two remotes, a power cord, an HDMI cable and a composite video cable. Pictures of the device and components were taken as soon as the box was opened. An inspection of the device showed no preinstalled media or storage devices. Prior to any evidence collection, several controls were put in place. First, the device was set up per the manufacturer's instructions (the exact steps are listed below). Second, an independent, logged process was used to place data on the device: the applications used, the start time and the duration of each use were recorded. Third, a brand new Micro SD card was purchased from Fry's and placed in the Roku XS 2.

Device Setup

The following steps were taken, in order, to get the Roku XS 2 operational.

  1. The 8GB Micro SD card was installed in the Micro SD slot.
  2. Using the HDMI cable provided, the Roku XS 2 was connected to a Sony Bravia LCD TV.
  3. The power supply was plugged into the device. Once plugged in, the Roku XS 2 powered on automatically.
  4. The initial setup screen came up on the TV. Using one of the remotes, I advanced to the next step of the setup process.
  5. Next, the device needed to be connected to the Internet. It had two connection options: Wi-Fi or wired Ethernet. I selected the Wi-Fi option and it immediately began to search for available networks. I selected my home Wi-Fi network and it prompted me for the security key. There were issues getting the device connected (see the Issues and Problems section for details).
  6. After connecting to the network, the device automatically started and completed an update.
  7. The next step was to set the time zone. This device was set to the Eastern time zone.
  8. The next step was to activate the Roku. The system displayed a four (4) character alphanumeric code and a website address. On a separate device, I went to the web address, selected the device, and entered the code shown by the Roku XS 2.
  9. Since I was a new user, I had to create a Roku account. I chose a username and password and created the account. The system then redirected me to the device activation screen, where I entered the code displayed on the TV.
  10. After entering the code, the website required a credit card number. This card is used to charge for TV shows or movies rented on the device.
  11. The next screen asked me to choose from the base channels. I selected 19 channels, including Fox, Fox News, Disney, HBO and A&E.
  12. As soon as the channels were added, the Roku automatically began to download and update the channels I had added from the website. There were 25 updates in total.
  13. The final step in the device setup process was to activate my accounts for the different streaming services.

Data

For a period of one week the device was used under the controlled process described above so that data would be placed on it. For each use, the channel(s) used were logged along with the start time and the duration of use. The purpose of this log was to validate or invalidate the findings after the examination.

Acquisition

1. After completing the device setup and the data insertion process, I took the Micro SD card out, put it in the adapter, engaged the write-protect lock on the SD card adapter, and then placed it in the SD card slot on my computer. The laptop recognized the card. I checked the properties of the Micro SD card (see Figure 1).

Figure 1: SDHC (E:) Properties

2. Seeing that there was no data on the Micro SD card, I ejected it from the computer, took it out of the adapter, and placed it back in the Roku. From there I went to the Settings option and navigated to "About". This screen showed that the Micro SD card was not formatted and offered an option to format it. After making that selection I was able to format the card. After formatting, it showed that 7% of the 7.8GB was in use.

3. I powered the device off, took the Micro SD card out, placed it back in the adapter and put the card into my laptop. Immediately the computer popped up a message saying the card was not recognized and offered to reformat it. I chose not to reformat the card.

4. I opened FTK Imager version 3.1.5.0, went to File > Create Disk Image and created a .dd (raw) image of the Micro SD card. Upon completion of the image I took the following screen shots.

Figure 2: Image 1 Drive/Image Verify Results

Figure 3: Image 1/Image Summary

5. Next, in FTK, I attached the image as an evidence item. The image was not recognized and came up as "Unrecognized file system (unknown type)". In the "File Type" window of FTK, it showed the size of the drive as 7,820,400 and the whole drive as unallocated space.

6. I created a second image in FTK, this time as a "SMART" image. Again the image came up as an unrecognized file system, and in the "File Type" window FTK showed it as entirely unallocated space.

Figure 4: Image 2 Drive/Image Verify Results

Figure 5: Image 2/Image Summary

7. Since FTK did not recognize the disk, I moved to Autopsy. Autopsy was not able to load the image.

Figure 6: FTK screen shot

8. Since the Micro SD card had not been formatted by the Roku when the first controlled test was run, I decided to rerun the controlled data insertion. This test ran for five (5) days.

9. With the Micro SD card now formatted by the Roku, I attempted to use a VM with DEFT Linux installed. The goal was to mount the SD card or the image on the Linux system (see the Issues and Problems section for details).
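When an imaging suite labels a card "unrecognized file system (unknown type)" and shows only unallocated space, the examiner still has checks to run on the raw image before concluding that nothing is there: confirm the image is not simply all zeros (an SD adapter's lock switch is only a request honoured by the host driver, not a hardware write blocker, so it is also worth confirming that the image hashes do not change between reads), look for a partition table at LBA 0, and look for filesystem signatures at LBA 0 and at each partition start, while recording the hashes that FTK Imager's verify step reports. The following Python script is an added example for this step, not code from the original write-up or from Roku; the image it builds is synthetic, and it checks only for common Linux and FAT signatures.

```python
# Added example (not from the original write-up): triage of a raw .dd image
# that a forensic suite reports as "unrecognized file system".  Before
# accepting "all unallocated", check (a) that the image is not blank,
# (b) whether LBA 0 holds an MBR partition table, and (c) whether a known
# filesystem magic sits at LBA 0 or at a partition start, and record the
# image hashes for the custody log.  The sample image built below is
# synthetic, not an image of a Roku card.
import hashlib
import struct
import tempfile

SECTOR = 512
CHUNK = 1 << 20


def hash_image(path, algorithms=("md5", "sha1", "sha256")):
    """Hash the whole image in chunks; these go in the custody log."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected_sha256):
    """Re-hash and compare, e.g. at the start of every examination session."""
    return hash_image(path, ("sha256",))["sha256"] == expected_sha256.lower()


def nonzero_fraction(path, block=4096):
    """Fraction of blocks containing any non-zero byte.  A card that was
    'used' but images as (nearly) all zeros was not written, or was not
    imaged correctly."""
    total = nonzero = 0
    with open(path, "rb") as fh:
        for blk in iter(lambda: fh.read(block), b""):
            total += 1
            if blk.count(0) != len(blk):
                nonzero += 1
    return nonzero / total if total else 0.0


def mbr_partitions(sector0):
    """Parse the four 16-byte MBR entries at offset 446."""
    if sector0[510:512] != b"\x55\xaa":
        return []
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = sector0[off + 4]
        if ptype == 0:
            continue
        start_lba, sectors = struct.unpack_from("<II", sector0, off + 8)
        parts.append({"index": i, "type": ptype,
                      "start_lba": start_lba, "sectors": sectors})
    return parts


def fs_signatures(blob):
    """Signature-only checks on the first 4 KiB of a volume."""
    sigs = []
    if blob[0x36:0x3b] in (b"FAT12", b"FAT16") or blob[0x52:0x57] == b"FAT32":
        sigs.append("fat")
    if blob[1080:1082] == b"\x53\xef":        # ext2/3/4 superblock magic 0xEF53
        sigs.append("ext")
    if blob[:4] == b"hsqs":                   # squashfs, little-endian
        sigs.append("squashfs")
    if blob[512:520] == b"EFI PART":          # GPT header lives at LBA 1
        sigs.append("gpt")
    if blob[510:512] == b"\x55\xaa":
        sigs.append("boot-signature")
    return sigs


def triage_image(path):
    """Signatures at LBA 0 plus, if there is an MBR, at each partition start.
    A FAT 'superfloppy' also ends its boot sector with 0x55AA, so the entries
    at offset 446 are only trusted when LBA 0 carries no filesystem magic."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
        lba0 = fs_signatures(head)
        findings = {"lba0": lba0, "partitions": []}
        if lba0 == ["boot-signature"]:
            for part in mbr_partitions(head):
                fh.seek(part["start_lba"] * SECTOR)
                part["signatures"] = fs_signatures(fh.read(4096))
                findings["partitions"].append(part)
    return findings


def build_sample_image():
    """Constructed test image: an MBR with one type-0x83 partition at
    LBA 2048 whose first 4 KiB carry only the ext superblock magic."""
    img = bytearray((2048 + 16) * SECTOR)
    img[446 + 4] = 0x83
    struct.pack_into("<II", img, 446 + 8, 2048, 16)
    img[510:512] = b"\x55\xaa"
    part = 2048 * SECTOR
    img[part + 1080:part + 1082] = b"\x53\xef"
    fd, path = tempfile.mkstemp(suffix=".dd")
    with open(fd, "wb") as fh:
        fh.write(img)
    return path


if __name__ == "__main__":
    sample = build_sample_image()
    print(triage_image(sample))
    print(hash_image(sample))
    print(f"non-zero blocks: {nonzero_fraction(sample):.2%}")
```

Run it against the FTK Imager .dd file instead of the sample: an empty `lba0` list with a non-zero fraction near the 7% the Roku reported would mean the card carries data in a format the suite lacks a parser for, whereas a fraction near zero would point at the imaging step itself.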

10. While getting the VM set up, I connected the Roku to the router with an Ethernet cable. With the device powered on and connected to a monitor, I navigated to the Settings option. The player information screen displays the device's MAC address, IP address, serial number and the linked account.

Figure 7: Roku Player Info

11. Once the Roku was connected to the network, I loaded and ran Nmap on my laptop. I ran a couple of different scans: an intense scan and a slow comprehensive scan. Some of the results are below. The idea to use Nmap came from the web site http://www.hackingnetflix.com/2008/07/roku-has-posted.html.

Figure 8: Nmap Topology

Intense scan:

    PORT     STATE SERVICE    VERSION
    8060/tcp open  tcpwrapped
    MAC Address: (MAC address removed) (Roku)
    Device type: general purpose|storage-misc
    Running (JUST GUESSING): Roku Linux 2.6.X (92%), QNAP embedded (91%), Linux 2.6.X (88%)
    Aggressive OS guesses: Roku 2 XS media player (Linux 2.6.32) (92%), QNAP TS-109 NAS device (Linux 2.6.32) (91%), Linux 2.6.14 - 2.6.30 (88%), Linux 2.6.32 - 2.6.36 (88%), Linux 2.6.35 (87%)

Figure 9: Nmap Host Details

Slow comprehensive scan:

    PORT     STATE SERVICE VERSION
    1900/udp open  upnp?
    | upnp-info:
    | roku.ip.address
    |   Server: Roku UPnP/1.0 MiniUPnPd/1.4
    |_  Location: http://roku.ip.address:8060/
    MAC Address: (MAC address removed) (Roku)
    Too many fingerprints match this host to give specific OS details

12. With this information I attempted to gain access to the Roku over the network.

13. A couple of different methods were used to attempt to gain access to the Roku over the network. First, I opened PuTTY to try to connect to the device using SSH. The Roku IP address was entered in the Host Name (or IP address) field. Since Nmap showed that port 8060 was open, I entered it in the Port field. After entering the required information I clicked Open to connect to the Roku XS 2. The connection timed out. Several more attempts were made using different port numbers (80, 22, 8080, 25, etc.) with the same result.

Figure 10: PuTTY SSH

14. Next I attempted Telnet through PuTTY, again using the Roku XS 2's IP address and port 8060. As with the SSH attempts, the connection timed out. I also tried the same other port numbers with no connection being made.

Figure 11: PuTTY Telnet

15. Next I attempted to connect to the Roku XS 2 through Internet Explorer by entering the Roku's IP address in the address bar. IE returned a "page could not be found" error.
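The Nmap output above already accounts for the failed SSH, Telnet and browser attempts: the only TCP listener found was 8060, and the UPnP reply names http://roku.ip.address:8060/ as the device's Location, so an SSH or Telnet client sent to that port is talking to an HTTP service and never receives the banner it waits for, while the browser was pointed at port 80, where nothing listened until developer mode was enabled. The script below is an added example rather than code from the original write-up: it performs the SSDP exchange that Nmap's upnp-info script performs and parses the reply for that Location. The search target roku:ecp and the /query/device-info path are assumptions taken from Roku's External Control Protocol, which is the service on 8060; the address and USN in the sample reply are placeholders, not captured values.

```python
# Added example (not from the original write-up): SSDP discovery of the
# Roku's port-8060 endpoint, with the reply parser separated from the
# network code so it can be checked against a constructed reply.
# Assumptions beyond what the page shows: the search target "roku:ecp" and
# the /query/device-info path belong to Roku's External Control Protocol,
# which is what the HTTP Location on port 8060 in the nmap output points
# at.  192.0.2.10 and the USN below are placeholders.
import socket
from urllib.request import urlopen

SSDP_GROUP = ("239.255.255.250", 1900)
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "ST: roku:ecp\r\n"
    "MX: 3\r\n"
    "\r\n"
)


def parse_ssdp_response(raw):
    """Turn an SSDP '200 OK' datagram into a dict of lower-cased headers.
    Returns None for anything else (NOTIFY traffic, other devices' errors)."""
    text = raw.decode("ascii", errors="replace")
    status, _, rest = text.partition("\r\n")
    if not status.upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def ecp_base_url(headers):
    """LOCATION is the HTTP base the device advertises; this is why an SSH
    or Telnet client pointed at 8060 gets no banner."""
    loc = headers.get("location", "")
    return loc.rstrip("/") if loc.startswith("http://") else None


def device_info_url(headers):
    """ECP device-info query (assumed path), built from the Location."""
    base = ecp_base_url(headers)
    return base + "/query/device-info" if base else None


def discover(timeout=3.0):
    """Live network use: multicast one M-SEARCH, collect every 200 OK."""
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(MSEARCH.encode("ascii"), SSDP_GROUP)
        try:
            while True:
                data, (ip, _) = sock.recvfrom(4096)
                headers = parse_ssdp_response(data)
                if headers is not None:
                    found[ip] = headers
        except socket.timeout:
            pass
    return found


def fetch_device_info(url, timeout=5.0):
    """Live network use: GET the device-info XML over plain HTTP."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed reply, modelled on the upnp-info lines in the nmap output
# above; the address and USN are placeholders, not captured values.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Cache-Control: max-age=3600\r\n"
    b"ST: roku:ecp\r\n"
    b"USN: uuid:roku:ecp:PLACEHOLDER\r\n"
    b"Ext: \r\n"
    b"Server: Roku UPnP/1.0 MiniUPnPd/1.4\r\n"
    b"LOCATION: http://192.0.2.10:8060/\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    hdrs = parse_ssdp_response(SAMPLE_REPLY)
    print(hdrs["server"], "->", device_info_url(hdrs))
    # Live:  for h in discover().values(): print(fetch_device_info(device_info_url(h)))
```

Because discovery and the device-info query are both unauthenticated HTTP, this is a way to confirm the device identity shown in Figure 7 from the network without touching the remote or the on-screen settings; note the multicast query and the HTTP request are themselves traffic the device sees, so they belong in the examiner's log.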

16. After some research online, I discovered that the Roku has a developer/debug mode that can be activated with a remote key sequence: Home x3, Up x2, Right, Left, Right, Left (www.ehow.com). It prompts you to "Enable installer and restart" or cancel. Choosing the first option advances to a page that prompts you to set a password for the development web server. The default username is rokudev.

Figure 12: Roku Developer Settings

17. Once the device restarted, I went to IE and typed in the Roku's IP address again.

Figure 13: Roku Developer Log In Screen

Figure 14: Roku Developer Installer and Utilities Page

18. When developer mode was enabled, TCP port 8080 was opened up. I went back to PuTTY and attempted a Telnet connection to the Roku XS 2 on that port. This time it made a successful connection to the device (see the Issues and Problems section for more details).

19. I also tried some of the additional programs that are part of the PuTTY download: plink.exe, pscp.exe, psftp.exe and pageant.exe. I was able to get a connection to the Roku XS 2 with plink.exe but could not get further than the initial connection.

20. I also attempted to use the Windows built-in Telnet program (see the Issues and Problems section for more details).

21. I went to the Roku developer site and downloaded the Roku SDK and the developer's guide. The SDK download contains a number of sample applications an investigator could use: Filebrowser.zip, ds2dtest.zip and metadata.zip.

22. Following the instructions in the developer's guide, I was able to upload a file browser utility to the Roku. From this utility I was able to view the USB drive I had connected and the on-board storage media (this includes the Micro SD card).

Figure 15: File Browser application

23. In developer mode, the utilities page of the web interface can capture a screen shot of the development application currently running on the Roku. In Figure 13 I had loaded the web server application onto the device. The screen shot captured exactly what was being displayed on the monitor. The developer application has to be running for the screen shot to work.

Figure 16: Web Developer Utilities Page/Screen shot

24. For the Telnet session to connect, the development application on the Roku must be enabled and running. In a command prompt window (CMD), type telnet. Next, type open roku.ip.address 8085 and hit Enter. This displays the debug console. When you upload a file to the Roku and launch it from the Roku, the console displays its output. When I ran bs2dtest.zip, the output showed up in the command prompt window (see Figure 18).

25. Additionally, I installed Wireshark on my computer and was able to see the network traffic from my laptop to the Roku. Wireshark picked up activity as I scrolled through the different options within whichever web development application I was in.

Figure 17: Wireshark activity (IP address intentionally blacked out)

Figure 18: Telnet/Debug output

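Output from the port 8085 debug console only helps the examiner if it is recorded in a way that can later be shown to be unchanged, which a scrolling command prompt window does not give. The script below is an added example, not code from the original write-up or from Roku: it records each console line with a UTC timestamp, hashes the capture file, and ends cleanly when the connection idles out instead of losing what was already written. The transcript it is exercised against is constructed, not real Roku output.

```python
# Added example (not from the original write-up): an evidentiary capture
# of the BrightScript debug console reached with "telnet <ip> 8085".
# Each received line is stored with a UTC timestamp and the capture file
# is hashed, so the record can be tied to the examiner's log.  The reader
# is separated from the socket so it can be run on a constructed
# transcript; the transcript text below is made up.
import datetime
import hashlib
import io
import os
import socket
import tempfile

UTC = datetime.timezone.utc


def capture_console(stream, log_path, clock=None):
    """Copy lines from any object with .readline() to log_path, each
    prefixed with an ISO-8601 UTC timestamp.  A socket timeout or reset
    ends the capture rather than discarding what was already written.
    Returns (lines_written, sha256_of_log_file)."""
    clock = clock or (lambda: datetime.datetime.now(UTC))
    digest = hashlib.sha256()
    count = 0
    with open(log_path, "wb") as log:
        while True:
            try:
                line = stream.readline()
            except OSError:            # socket.timeout, ConnectionResetError
                break
            if not line:               # peer closed the connection
                break
            stamp = clock().strftime("%Y-%m-%dT%H:%M:%S.%fZ").encode("ascii")
            record = stamp + b" " + line.rstrip(b"\r\n") + b"\n"
            log.write(record)
            digest.update(record)
            count += 1
    return count, digest.hexdigest()


def verify_log(log_path, expected_sha256):
    """Re-hash the capture file and compare with the recorded digest."""
    with open(log_path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest() == expected_sha256


def read_log(log_path):
    """Return the capture as a list of timestamped lines (without '\\n')."""
    with open(log_path, "rb") as fh:
        return fh.read().split(b"\n")[:-1]


def capture_live(host, port=8085, log_path="roku-console.log", idle=60.0):
    """Live use: connect to the debug console and record until the
    connection closes or stays silent for `idle` seconds."""
    with socket.create_connection((host, port), timeout=idle) as sock:
        with sock.makefile("rb") as stream:
            return capture_console(stream, log_path)


def sample_transcript():
    """Constructed console text (CRLF-terminated, as a Telnet session
    delivers it); not real Roku output."""
    return io.BytesIO(
        b"BrightScript debugger (constructed sample)\r\n"
        b"Running dev 'sample' main\r\n"
        b"sample: init\r\n"
        b"sample: exit\r\n"
    )


def demo():
    """Capture the constructed transcript with a fixed clock so the file
    content is reproducible; returns (count, sha256, path)."""
    fixed = lambda: datetime.datetime(2014, 3, 8, 12, 0, 0, tzinfo=UTC)
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    count, sha = capture_console(sample_transcript(), path, clock=fixed)
    return count, sha, path


if __name__ == "__main__":
    n, sha, path = demo()
    print(f"{n} lines -> {path} sha256={sha}")
    # Live:  print(capture_live("roku.ip.address"))
```

The digest returned by `capture_console` is what goes in the examiner's notes next to the start and end times; `verify_log` repeats the check at the time the capture is reviewed or produced.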
 

Issues and Problems

  1. It took several attempts to get the device connected to the Wi-Fi. I was only able to get it to connect after moving the device multiple times. Even though the signal indicator showed full strength, the Wi-Fi card seemed to need to be in the "right" location to work.
  2. The first update failed. The screen displayed an error saying it could not connect to the Internet. After moving the device again, I had to reconnect it to the network. Eventually, I had to do a full reset of the wireless router.
  3. Before starting the testing period, I put in the Micro SD card and began the controlled data insertion. After the testing period was done I placed the Micro SD card in the adapter and put the card into my laptop. My laptop recognized the card and showed that it did not have any information stored on it.
  4. As stated above, Windows did not recognize the Micro SD card as having a valid file system. Subsequently, after imaging the card, FTK was not able to pull any information off of it; FTK showed nothing but unallocated space. Even after creating a second image in a different format, the card was still unrecognized by FTK.
  5. The fifth issue was that Autopsy would not load the image. I attempted to attach the image twice with no success.
  6. I attempted to use two different virtual machines (VMs) loaded with the DEFT Linux and Kali Linux distributions. My goal was to see if I could mount the Micro SD card in the Linux OS. Unfortunately I could not get the VM software to present the SD card as a drive, nor could I get the image copied from the Windows 7 environment to the VM environment.
  7. After enabling developer mode on the Roku, I was able to make a Telnet connection to the Roku XS 2 on port 8080 using PuTTY. However, once the command prompt was up, I could not get any command to work other than "exit".
  8. At first, trying to use the Windows Telnet program gave an error stating that the program could not be used with my version of Windows. I searched the problem at www.microsoft.com. To get it to work, I had to go to Control Panel > Programs and Features > Turn Windows features on or off and turn on the Telnet client, which then allowed me to run Telnet from the command prompt.

Learning Opportunities

The Roku XS 2's appearance makes it look deceptively simple. The device is just under 4 x 4 x 1.5 inches. It has eight inputs/outputs, two of which are used for communication with the network. The vast majority of the information available on Roku devices comes from Roku Incorporated. Searching for this specific device through the major search engines (Yahoo, Google and Bing) turned up little, and the sites I did find had information on older versions of the Roku. There appears to be a void in knowledge about the newer devices outside of the manufacturer. I would classify the learning opportunities for Roku devices as plentiful. The biggest learning opportunity, as I see it, is learning to code in the BrightScript language. It may be possible to use such code to communicate through the other open ports: at least five ports besides 8085 are opened up when developer mode is enabled.

As the testing progressed and the methods changed, my own technical limits were challenged and fully reached. My programming knowledge and network analysis skills need to be improved. These skills would potentially allow me to recognize vulnerabilities in what Nmap or Wireshark outputs. Again, enhancing my programming capabilities could allow me to write custom code to work within the system to locate potential evidence or artifacts. One option that might be explored along with network forensics is a live acquisition method. The research completed for this test did not turn up any results on how to complete a live acquisition on this device. There are several evidentiary challenges with a live acquisition that this research did not go into.

 

Conclusion

The Roku XS 2 by design has one purpose: to stream media. With that purpose in mind the manufacturer built it very well. The device's configuration is relatively simple; as stated earlier there are only a handful of inputs and outputs. This simplicity makes it very user friendly and the learning curve to use the device is very small. As the examination progressed, it became evident that the device is more complex than it appears. One of the first things discovered during the acquisition was the level of security on the device. After the failed attempt to get a readable image from the Micro SD card, as well as the initial failed attempts to gain access over the network, I developed a sense that the device had several layers of security built into it. This was confirmed by reviewing the software architecture in the Roku Streaming Player Development Guide (2011). As we learned in previous labs with devices like the Raspberry Pi and the Android OS, the Roku's software architecture is "sandboxed". Outside of using the device as intended, the only access to the system found in this examination was through developer mode and the Roku Software Development Kit (SDK) (Roku Streaming Player Development Guide, 2011), and that access is limited to the developer web installer, the debug console and sideloaded BrightScript applications; in this examination it did not yield a shell on the underlying OS. This presents a challenge for examiners and investigators wanting to examine this device or others in Roku's product line. While the examiner or investigator can access the system, it must be done while the device is on, and enabling developer mode itself changes the device's state (it sets a password, restarts the device and opens additional listening ports), which must be documented. More research is needed on how and what changes in the system when it is on and being used. That information could then be used to assess the feasibility of a live acquisition.

Some notes were made during this process. The first concerns checking whether developer mode is enabled. The examiner or investigator first needs the device's IP address and then enters it in the address bar of a web browser. If the developer log-on screen appears, developer mode is enabled (see Figure 13); if the browser reports that the page could not be found, it is not. An enabled developer mode is not the same as a "rooted" device: it permits sideloading BrightScript applications and opens the debug console, but in this examination it did not provide a shell on the OS. The second note is that the developer user ID is fixed by the manufacturer, whereas the developer password can be changed without knowing the previous password. This process was very educational and very challenging. It showed the challenges examiners and investigators will face as they come across other mobile and embedded devices.

References

Roku Incorporated. (2008). Netflix Teams with Streaming Media Innovator Roku on Player that Instantly Streams Movies from Netflix Directly to the TV [Press release]. Retrieved from http://wwwimg.roku.com/static/press/

Stuart, Cameron. (2011). Digital Evidence. FBI Law Enforcement Bulletin, August 2011. Retrieved January 2014, from http://www.fbi.gov/stats-services/publications/law-enforcement-bulletin/august-2011/digital-evidence

Roku Incorporated. (2011). Roku Software Development Guide. Retrieved March 8, 2014, from www.roku.com

Ashcroft, J., Daniels, D., & Hart, S. (2004). Forensic Examination of Digital Evidence: A Guide for Law Enforcement. Washington, DC: U.S. Department of Justice, Office of Justice Programs.

Roku Incorporated. (2011). Retrieved January 2014, from www.roku.com

Palmer, G. (n.d.). Forensic Analysis in the Digital World. The MITRE Corporation.

Roku Has Posted Source Code for the Netflix Player; Hacking Begins. (2008). Retrieved January 2014, from http://www.hackingnetflix.com/2008/07/roku-has-posted.html

Charters, I. (2009). The Evolution of Digital Forensics: Civilizing the Cyber Frontier (p. 21). Creative Commons Attribution.

Bennett, D. W. (2011). The Challenges Facing Computer Forensics Investigators in Obtaining Information from Mobile Devices for Use in Criminal Investigations. Retrieved January 2014, from http://articles.forensicfocus.com/2011/08/22/the-challenges-facing-computer-forensics-investigators-in-obtaining-information-from-mobile-devices-for-use-in-criminal-investigations/