Time Marches On!

November 16, 2012

Well, I thought that would be a cute title. The reality of a software company is that there are current products and there are old products. Sometimes things reach a point where maintenance of older products isn’t reasonable. This can impact users, so anyone in this business tries not to do this too soon.

Since April of 2009 when CD/DVD Inspector version 4 came out we moved version 3 to a status of being maintained but not receiving much attention. This has been the case since 2006 for version 2 of CD/DVD Inspector as well. But if someone had a problem with the product we would work on it. A common term for this is “functionally stabilized”, meaning that new features would not be added but if there were problems they would be fixed.

Beginning January 1st 2013 we are going to take the larger step of moving older versions of CD/DVD Inspector to a status of “Obsolete”. Anything earlier than version 4 of CD/DVD Inspector will not be supported and the last build that is on the web site today will be about all there is. The current versions are:

       CD-R Inspector version 1         1.2.4, Build 372
       CD/DVD Inspector version 2       2.2.0, Build 4
       CD/DVD Inspector version 3       3.1.97
 

What does this mean for current users? If you have an old version of CD-R Inspector or CD/DVD Inspector version 2, we are going to give everyone a short time to upgrade to version 4 for a discounted price of $450. This is a 30% discount off the current price. If you have version 3 we are going to continue our $175 upgrade price until 1 March 2013. It is strongly recommended that you “get current” if you are using the law enforcement/forensic features of the product.

What if you are a customer with CD-R Inspector and are not using it for forensics but want something current? Today the CD/DVD Diagnostic product has nearly all of the features of the original CD-R Inspector product plus support for DVD and Blu-Ray discs. For $40 you can have a current, maintained product that should do everything you need.

Aside from the upgrade opportunities, what changes is this bringing to our customers? Well, I am sorry to say that if you discover a brand-new bug in one of the Inspector products that is being moved to “Obsolete” status it is unlikely that it will be fixed in that version of the product. The message will be that you need to upgrade to the latest version at whatever cost that entails. After 1 March 2013 that will be the full cost of the new product.

We are rolling out a new software assurance program to allow customers to budget better for keeping up with new versions. Previously, when a new version came out there was an upgrade cost that was variable and when a new version was available is obviously also variable. This prevented anyone from really budgeting for this upgrade purchase. What we are offering now is a yearly purchase that will not increase more than 10% a year that you can purchase every year. If you are current with your software assurance you will receive all updates and upgrades at no further cost to you. The expectation is that there will be new versions released somewhat more frequently than has been the case in the past and purchasing the software assurance will result in a savings of at least 1/3rd of the cost of the upgrade price if you are not purchasing the software assurance.

So why are we doing this to our customers? Well, for one thing our customers deserve to understand what we are prepared to do and not prepared to do if they encounter a problem with a product. We haven’t made it official previously and that could cause some problems for people. Clearly we do not have the staff resources to maintain all of the older versions of products that we have – no software company does – so we have to draw the line somewhere. With the software assurance program being implemented we think this will give customers a better way to budget for keeping their software up to date in the future. We are also mindful that many of our customers are relying on our software for information that is used in criminal cases. We want to make sure that product quality does not suffer and customers are informed about product directions.

It is important to us that our customers understand that when they buy a software product from us they are also buying into our support infrastructure. With our consumer products it means that we will do whatever we can to make sure that our products are working for them and they get their data or video back. With our forensic products it means that we will bring our expert knowledge to their problem or question and make sure that not only is the product working 100% but that the user understands what the product is telling them about the data. This is vital for our customers to be able to testify about the smallest details of optical and flash media to ensure a successful outcome.

Cell phones and Chip-off Forensics

October 31, 2012

About a month ago I started looking into what it would take to have a simple solution for dealing with USB thumb drives, cell phones and other devices with flash memory chips in them when the device was damaged. While this isn’t a hugely common issue, it does happen often enough to be something that is a concern in the forensics community.

The first obvious target was USB thumb drives. A while back these were constructed on a printed circuit board with a small number of chips on it, the big important one being a flash memory chip. If the PC board was damaged it seemed to be a simple matter to get the chip off the board and with the right hardware be able to read it. Well, it turns out that thumb drives are now encapsulated devices without any PC board and completely enclosed in something like epoxy. Whereas before it was a simple matter to get at the flash memory chip today it is mostly impossible. Scratch that target.

The next sort of device is a damaged cell phone. Yes, there is a flash chip in there that could be removed from the PC board. While cell phones are pretty common, they haven’t yet reached the point where they are encapsulated devices like the thumb drives are. This means that if you have a cell phone it would be possible to remove the flash memory chip and read it separately from the phone. That would give you some basics, like text message content, very easily but it is also possible to take this information into tools like Cellebrite and Katana.

Our product Flash Retriever Forensic Edition is something that should be able to deal with a chip programmer directly or at least the output files of that sort of device. With the addition of some tools for removing chips and a programmer we should be good to go forward with this, right?

In order to check out the state of things with cell phones I managed to collect up a bunch of fairly simple phones. I started out with the understanding that “smartphones” – Blackberry, iPhone and Android – were going to be excluded from this anyway. So with my nice toolkit, I set down to take some phones apart.

The first phone I got apart was the cheapest TracFone I could get my hands on. It is made by Samsung and it is an SGH-S125G, if you are interested. It took a bit of work to get it apart without damaging it, but the mission was certainly accomplished – the flash chip was identified and is a BGA-type chip.

I took a couple of other phones apart and until I got to a very old Nokia 5165 every phone had a BGA-type flash chip in it.

A Quad Flat Package type of chip

You are probably asking what is special about a BGA-type flash chip… Let me explain. There are two basic types of chips in use today: those with tiny pins or legs and those without. The ones without are called BGA or ball grid array and have all of the connections on the bottom of the chip.

As you can see from the picture at the right, a BGA type of chip is quite a bit different when it comes to soldering the connections or unsoldering them. While a chip with visible pins, like the QFP chip shown above, can be soldered with an ordinary soldering pencil a BGA chip requires a hot air system in order to melt the solder indirectly. This can be very tricky to do properly without damaging the chip.

A ball grid array type of chip

It needs to be said that today’s consumer electronic devices are manufactured using specialized machines which place the chips on the boards robotically and use large ovens to do the soldering properly. The result is the boards that are produced have an extremely high reliability with failures less than 1% of the output. However, what suffers is repairability – it is extremely difficult to properly remove and replace chips on such boards so a bad chip generally dooms the entire device. It is cheaper to buy a new board (if not the whole device) than it is to try to repair it.

Well, what we are trying to do is remove chips, not repair them. With QFP and similar chips where the pins are visible it is a fairly simple matter to remove these chips. With a minimum of training and trial-and-error someone can successfully remove such chips.

With BGA-type chips it is a completely different matter. It can be an extremely delicate operation and without great care it is very easy to destroy the chip by using too much heat. Just in looking around I found one organization offering a five-day class in BGA chip removal for forensics. And this probably is just the beginning – if you do this all day every day for six months you would be quite good at it, but if it is something you do once or twice a month it is always going to be a very difficult task with lots of destroyed chips.

Because of the difficulties in dealing with BGA type chips and their prevalence in cell phones it looks like we aren’t going to be putting together a package for doing simplistic chip-off forensics. At least not in the next couple of months. The next release of the Flash Retriever Forensic Edition will have the ability to read .HEX files which are output from chip programmers directly – and can then take this file and save it as a raw image file for use with other forensic tools.
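The conversion described above, as an added example that is not InfinaDyne's code: it assumes the programmer writes Intel HEX (the page says only ".HEX"), verifies every record checksum, and fills unlisted addresses with 0xFF so offsets in the raw image match chip addresses. The function names and the sample records are constructed for illustration.

```python
import hashlib

ERASED = 0xFF  # assumption: unprogrammed flash reads back as 0xFF

def make_record(rtype, offset, data=b""):
    """Build one Intel HEX record with a correct checksum (used for the sample)."""
    body = bytes([len(data)]) + offset.to_bytes(2, "big") + bytes([rtype]) + data
    return ":" + (body + bytes([-sum(body) & 0xFF])).hex().upper()

def parse_intel_hex(text):
    """Return {absolute_address: byte}; raise ValueError on any bad record."""
    memory, base, saw_eof = {}, 0, False
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if saw_eof:
            raise ValueError(f"line {n}: data after end-of-file record")
        if not line.startswith(":"):
            raise ValueError(f"line {n}: missing ':' start code")
        try:
            raw = bytes.fromhex(line[1:])
        except ValueError:
            raise ValueError(f"line {n}: not valid hex") from None
        if len(raw) < 5 or len(raw) != raw[0] + 5:
            raise ValueError(f"line {n}: length field does not match record")
        if sum(raw) & 0xFF:  # all bytes including the checksum sum to 0 mod 256
            raise ValueError(f"line {n}: checksum mismatch")
        offset, rtype, data = int.from_bytes(raw[1:3], "big"), raw[3], raw[4:-1]
        if rtype == 0x00:  # data record
            for i, value in enumerate(data):
                addr = base + offset + i  # 64 KiB segment wrap is not modelled
                if memory.setdefault(addr, value) != value:
                    raise ValueError(f"line {n}: conflicting data at {addr:#x}")
        elif rtype == 0x01:  # end-of-file record
            saw_eof = True
        elif rtype in (0x02, 0x04) and len(data) == 2:
            # extended segment (<<4) or extended linear (<<16) base address
            base = int.from_bytes(data, "big") << (4 if rtype == 0x02 else 16)
        elif rtype in (0x03, 0x05):
            continue  # CPU start-address records carry no image data
        else:
            raise ValueError(f"line {n}: unsupported or malformed type {rtype:#04x}")
    if not saw_eof:
        raise ValueError("no end-of-file record: dump may be truncated")
    return memory

def to_raw_image(memory, fill=ERASED):
    """Flat image starting at chip address 0; unlisted addresses get `fill`."""
    image = bytearray([fill]) * (max(memory) + 1 if memory else 0)
    for addr, value in memory.items():
        image[addr] = value
    return bytes(image)

# Constructed sample: two data runs with a gap, then one byte above 64 KiB.
SAMPLE_HEX = "\n".join([
    make_record(0x00, 0x0000, b"SMS:"),
    make_record(0x00, 0x0008, b"hi"),
    make_record(0x04, 0x0000, b"\x00\x01"),
    make_record(0x00, 0x0000, b"\xAA"),
    make_record(0x01, 0x0000),
])

if __name__ == "__main__":
    image = to_raw_image(parse_intel_hex(SAMPLE_HEX))
    print(len(image), "bytes, sha256", hashlib.sha256(image).hexdigest())
```

Rejecting a dump on the first bad checksum or a missing end-of-file record keeps a partially read chip from being passed on as a complete image.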

I believe there is probably a simple to use BGA chip removal tool out there and all we have to do is find it. It isn’t such an easy task considering that most of the tools are heavily focused on removing a bad chip and then soldering in a new chip and for forensic purposes we aren’t going to consider the much more difficult task of mounting and soldering a BGA chip at all.

If you have any questions about this or chip-off forensics in general, please feel free to email me or add a comment to this topic.

MPEG Streams and Vindex

October 17, 2012

Recently I have gotten two different users of the Vindex product asking about strange video files that they have not been able to successfully process with Vindex. It turns out that both were complex “program streams” rather than “elemental streams”.

What is a “program stream”? Well, the best example I know of is if you take a DVD (homegrown, not a commercial product) and copy off the .VOB files you have one or more files containing a MPEG-2 program stream. These files are constructed somewhat differently than an elemental stream file and there is navigational data present which is used by a set top DVD player to move between chapters and skip forward and back.

If you have a straight out-of-the-box Windows installation Windows Media Player will refuse to play a MPEG program stream file. However, after installing one of the many “CODEC packs” available for Windows you can convince Windows Media Player to play a program stream. What is happening is the navigational information is simply being ignored, as are any of the other items that are present that do not result in video or audio being played.

There is another sort of program stream that you can run into – the menu. A DVD that has been constructed with a menu will have a file called VTS_01_0.VOB which is rather small. This is, if you look at it, an MPEG-2 program stream file and it does in fact contain some video sequences – but it will not play in a normal manner. This file has subtitle information in it which is used to control how the menu operates. Often the video information in one of these files is a single frame that is looped or paused. Playing such a file with VideoLAN (VLC) sometimes shows something intelligible and sometimes not.

Vindex isn’t designed to deal directly with video files at all. We leave that up to the CODEC that Windows selects through either DirectShow or Media Foundation. After you install one of the CODEC packs for Windows, often such files will be somewhat playable and may be able to be processed by Vindex. The warning is that you may not be seeing the entire content that is present in the file. Because of this examining MPEG-2 Program Stream files is not supported and not recommended.

For version 1.5 of Vindex some changes were made to identify looping or infinite pause VOB files. It isn’t an absolute assurance that such files can be identified, but when one is instead of endlessly trying to process the video Vindex will reject it. If we could identify all MPEG-2 Program Stream files ahead of time, we would and they would be rejected.
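One way to triage such files before they reach a CODEC, as an added example that is not how Vindex does it: classify a file by its leading MPEG start code and count DVD navigation packs. The 2048-byte pack size and the pack layout (pack header, system header, then a private_stream_2 packet) are assumptions about DVD-Video VOB files, and the sample bytes are constructed.

```python
PACK_START = b"\x00\x00\x01\xBA"        # program/system stream pack header
SYSTEM_HEADER = b"\x00\x00\x01\xBB"
PRIVATE_STREAM_2 = b"\x00\x00\x01\xBF"  # carries DVD navigation (PCI/DSI) data
SEQUENCE_HEADER = b"\x00\x00\x01\xB3"   # start of a video elementary stream
DVD_PACK_SIZE = 2048                    # assumption: one pack per DVD sector

def classify_stream(data):
    """Name the container from the first start code and the bits after it."""
    if data.startswith(PACK_START) and len(data) > 4:
        if data[4] >> 6 == 0b01:        # MPEG-2 pack header begins with '01'
            return "mpeg2-program-stream"
        if data[4] >> 4 == 0b0010:      # MPEG-1 pack header begins with '0010'
            return "mpeg1-system-stream"
        return "unknown"
    if data.startswith(SEQUENCE_HEADER):
        return "video-elementary-stream"
    return "unknown"

def count_nav_packs(data):
    """Count packs whose first packet after the system header is navigation data."""
    count = 0
    for start in range(0, len(data) - 13, DVD_PACK_SIZE):
        pack = data[start:start + DVD_PACK_SIZE]
        if not pack.startswith(PACK_START) or pack[4] >> 6 != 0b01:
            continue
        pos = 14 + (pack[13] & 0x07)    # skip pack header and its stuffing bytes
        if pack[pos:pos + 4] != SYSTEM_HEADER:
            continue
        pos += 6 + int.from_bytes(pack[pos + 4:pos + 6], "big")
        if pack[pos:pos + 4] == PRIVATE_STREAM_2:
            count += 1
    return count

def triage(data):
    """Accept plain elementary video, reject program streams, flag the rest."""
    kind = classify_stream(data)
    decision = {"video-elementary-stream": "accept",
                "mpeg2-program-stream": "reject",
                "mpeg1-system-stream": "reject"}.get(kind, "review")
    return {"kind": kind, "nav_packs": count_nav_packs(data), "decision": decision}

# Constructed sample data (not taken from a real disc).
_PACK_HDR = PACK_START + bytes([0x44, 0x00, 0x04, 0x00, 0x04, 0x01,
                                0x01, 0x89, 0xC3, 0xF8])
NAV_PACK = (_PACK_HDR + SYSTEM_HEADER + b"\x00\x12" + bytes(18)
            + PRIVATE_STREAM_2 + b"\x03\xD4" + bytes(980)
            + PRIVATE_STREAM_2 + b"\x03\xFA" + bytes(1018))
VIDEO_PACK = (_PACK_HDR + b"\x00\x00\x01\xE0\x07\xEC").ljust(DVD_PACK_SIZE, b"\x00")
SAMPLE_MENU_VOB = NAV_PACK + VIDEO_PACK
SAMPLE_ELEMENTARY = SEQUENCE_HEADER + bytes(64)

if __name__ == "__main__":
    print(triage(SAMPLE_MENU_VOB))
    print(triage(SAMPLE_ELEMENTARY))
```

A check like this only looks at the start of the file and at sector-aligned packs, so a stream with leading padding or a non-DVD pack size lands in the "review" bucket instead of being silently accepted.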

To collect all of the content from such files when menu controls are used, one possible solution is to use HandBrake to convert the video to MPEG4 format. To do this properly, all titles and chapters have to be included. The resulting MPEG4 video will be just video and will be able to be examined by Vindex.

The Exciting World of GPU Computing

October 5, 2012

With multi-core processors it is possible for a single application to branch off into a number of different sub-processes to improve performance. This is generically known as parallelization. Recent graphics co-processors or GPUs have the ability to execute programs in a similar parallel manner, only these processors are architected in a way so as to allow for more data to be processed at a time and often with many more processors.

The major drawback for this has always been that such parallel operations work best when there is a large amount of data which can be processed independently (rather than sequentially) and that the operations to be performed on the data are relatively simple. With graphics this is often the case but can be pretty rare in the case of most general purpose computing.

It turns out that one of InfinaDyne’s products – Vindex – does some parallel processing on the CPU already but new enhancements will make it a good candidate for making use of a GPU to perform much of the work of these enhancements.

There are two major tool sets for making use of a GPU: one from Nvidia called CUDA and OpenCL which originated from Apple. CUDA is Nvidia-specific but has better integration for developers, especially on Windows. OpenCL works on Nvidia, AMD and Intel GPUs which makes applications that use it . Both tool sets work on Windows, Linux and MacOS.

It is not clear how much work there is to transition between CUDA and OpenCL, but because of the better integration and especially debugging support, I am thinking of going down the CUDA road. The one factor against this is more and more forensic professionals are getting MacBook Pro computers which have built-in AMD GPUs. Alternatively, Nvidia-based graphics cards are showing up in high-end forensic workstations for assisting with password cracking. It will be interesting to see how things develop in the future.

Now for something completely different

August 2, 2012

We have been occupied with the office move and the millions of details that are involved with such a thing. Temporarily, the office was in the basement of my house but before the end of August we will be completely moved into new office space in Davenport, Iowa.

One of the fun things that was decided as part of the office move was to switch from a Panasonic Digital Hybrid phone system to a VOIP/SIP system. Initially, it was decided to try out SIP Hosting where we would have nothing but SIP phones in our location and the phone switchgear at the hosting company. This is pretty popular because of low costs, but there can be some problems.

One of the biggest problems was the hosting company expected us to be a lot more familiar with their system than we were. This led to all sorts of issues where we were not getting phone calls, not getting voice mail. One of the biggest concerns was how things were to be handled when our Internet connection was not active.

After a lot of education and educational experiences, the end result was that it was decided that SIP Hosting wasn’t the way to go at all. With SIP Trunking we would have a box at our office which held the voice mail and we would be completely in control of it – and more or less know when changes were occurring. It does mean that you have to sit and read up on how to actually do all of this configuring.

There are plenty of choices for dealing with SIP Trunking and one of the popular ones is Asterisk. Asterisk is an open-source solution that can run on generic x86 hardware. It runs under Linux and you do need to be pretty comfortable with Linux and editing endless text files in order to set up an Asterisk system. But the advantage is you can buy a cheap PC and have such a system up and running without any other costs.

We decided not to go with Asterisk for a number of reasons and just raw out-of-the-box complexity wasn’t really one of them. One of the things that we discovered with SIP Hosting was that we would also need to have one or more analog phone lines for faxing. Without that sending and receiving faxes gets pretty complicated. It is possible to hook up a VOIP-to-analog interface with Asterisk and be able to do faxing that way, but now you are in the realm of Linux hardware compatibility. Also, you can’t just pick the cheapest generic PC any longer – you need something with compatible slots.

With the desire for what is called FXS added to the hardware mix, I started looking around at other solutions. There was a box from Grandview (the GXE-5024) that sounded like it would be perfect for this application – except it was discontinued after round and round of fixes. It wasn’t ever really finished, much to my dismay. Grandview seems to be a pretty big player in the VOIP phone market, but unfortunately their budget system never seemed to get all the support it needed.
Well, back to searching…

The second option was a little more expensive (street price, same list price) but was currently supported by a company in existence for quite a while – Talkswitch. They have a box that is comparable to the Grandview unit for the same list price but not discounted as heavily, probably because the big discounts were people trying to dump their stock after it was clear Grandview was discontinuing theirs, so the discounts weren’t really that good a deal anyway.

One very large factor in selecting a VOIP PBX unit is the licensing costs. There are several manufacturers that will sell you their hardware cheap but there is a charge for each phone connected, each SIP trunk, etc. So you were thinking you could buy a $1000 piece of hardware but end up spending $2000 in licensing fees. Neither Grandview nor Talkswitch operates this way – I wouldn’t buy into that for a small business.

Talkswitch has some good software for the box and so far it is clear it will do everything we need it to do. Their support is a little restrictive, but that is to be expected with support costs being a huge factor for this sort of thing.

One thing that inspired me to write this was the fact that with our initial SIP Hosting adventure we bought 4 Cisco SPA303G phones. These are nice phones and are represented to be pretty much industry-standard devices so they should work with just about anything, right? Well, my initial conversations with Talkswitch people and resellers indicated that there might be some problems as Talkswitch directly supports only their own phones and those from a few other manufacturers – such as Grandview. It was clear that experience in configuring Cisco phones on a Talkswitch box wasn’t going to be easily found and Talkswitch said they could not assist with such a configuration.

After spending nearly $400 on Cisco phones and having them be pretty much industry-standard I thought it should be possible and could be worked through. We also went with a Talkswitch-recommended SIP Trunking provider (Broadvox) who has been very helpful. Getting connected up with Broadvox has been trivial – highly recommended.

OK, so how did the Cisco configuration go? Well, it turns out that the instructions for connecting a Cisco phone to a Talkswitch box are pretty simple. You need to configure a very small number of items in the Cisco phone to get started even though the list of items that can be configured is impressively large. I will post the list in the next posting.

The important thing, and something that I hope others find useful, is that it really isn’t hard to configure a Cisco phone to work with Talkswitch at all.

Moving day is coming

April 11, 2012

InfinaDyne has moved its office several times in the past and it is going to happen again. For a lot of seemingly unimportant reasons we are moving from Chandler, AZ to LeClaire, IA on May 4th.

Moving is disruptive and expensive. There is no getting away from that. Just like a house move, moving the office involves putting everything – and I do mean everything – into boxes. Then one day all the boxes go on to a truck and you just hope everything fits.

Moving is also sometimes an opportunity. We are switching a number of providers and changing the way the phone system works. The link to the Internet will be faster in the new location, but only on the download side of things. All in all, it is expected to be a few days of mass confusion and panic. If you happen to call during the first week after our move, we will try to take care of you as best we can and hide the fact that nobody knows where anything is yet.

The good news is that software companies are generally pretty portable. Nearly all of our customers communicate with us via fax, email and telephone. We do not get a lot of visitors. This means that we can pretty much be in any part of the world and nobody notices – except the employees that may need to work some odd times. We will be moving from Arizona time (Mountain Standard Time year round – no DST here) to Central Time with all of the attendant joys of changing the clocks twice a year. But it means we will be one hour away from Eastern Time rather than three hours in the summer.

As a result of the move the main phone number will be (563) 748-7650. The new fax number is (563) 552-7453. The toll-free number will still be (888) 759-0600. I do not expect any disruption in email service during the move.

Changes, all the time Changes!

February 24, 2012

One of the most fun things to do is switching web hosting providers. It is almost assured to provide hours of fun-filled searching for obscure details that are different between different hosting providers.

Well, it is that time again. The InfinaDyne web site has been with Voxel.net for more than five years now. I have to say that we haven’t had too many problems with them but they have recently taken some steps toward a more secure environment that have conflicted with our web site maintenance procedures. So we moved on to hopefully just as good a provider. This isn’t meant as a critical review of one hosting provider over another.

I am hoping that we can get everything sorted out with the new configuration within a short period of time. Most of the basics have been taken care of and all of the picky little CGI scripts have been changed. But there is a huge volume of change and the chances of getting all of it 100% right the very first time are pretty low.

Any time you have an environment in which the configuration is spread over hundreds of text files – some HTML, some PERL CGI, and so on there is going to be trouble if there are changes. Unfortunately, I don’t know anyone that has done a really good job of isolating a web site from those sorts of changes.

Anyway, we are rolling with the changes. Change management is one thing, but having to synchronously change a lot of HTML plus every single CGI script is quite another. Fortunately, with a little intelligent design most computer languages allow you to get away from this sort of maintenance even in the face of some pretty severe changes. Visual Basic (aka VB 6) was one of those that really didn’t allow you to isolate things well and did create the sort of maintenance nightmare a web site can be, as some folks maintaining very large VB projects have found out.

So if you visit the InfinaDyne web site and find something broken, please let us know. And trust that it will get fixed quickly.
