Artifacts

Mac OS X User Preference Settings


Author Name
Pasquale Stirparo, @pstirparo
Submission Title
Mac OS X User Preference Settings
Artifact Description
Num. 1 is the directory containing user preference settings for applications and utilities.

Num. 3 is the plist containing the names of volumes mounted on the desktop that have appeared in the sidebar list.

Num. 4 is the Global Preferences plist.

Num. 5 contains directories, files, and apps that have appeared in the Dock.

Num. 6 contains the list of attached iDevices.

Num. 7 is the SQLite database that keeps track of files carrying the quarantine extended attribute, which is set on applications, scripts, and executables downloaded from potentially untrustworthy locations/people. The database contains URLs, email addresses, email subjects, and other potentially useful information.
File Locations
1) User preferences directory
– %%users.homedir%%/Library/Preferences/*


2) iCloud user preferences
– %%users.homedir%%/Library/Preferences/MobileMeAccounts.plist


3) Sidebar Lists Preferences
– %%users.homedir%%/Library/Preferences/com.apple.sidebarlists.plist


4) Global Preferences
– %%users.homedir%%/Library/Preferences/.GlobalPreferences.plist


5) Dock database
– %%users.homedir%%/Library/Preferences/com.apple.Dock.plist


6) Attached iDevices
– %%users.homedir%%/Library/Preferences/com.apple.iPod.plist


7) Quarantine Event Database
– %%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEvents
– %%users.homedir%%/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
Research Links
https://github.com/pstirparo/mac4n6


http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location


https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_GNGpX8/edit#gid=4
Any Other Information
These artefacts are collected under the mac4n6 project, which aims to be a single point of collection for OS X artifacts, from which the locations are then shared via:
– yaml library
– ForensicsWiki.org
– ForensicsArtifacts.com
so that the effort is made only once and the output is reused everywhere.


Mac OS X: iOS device backup locations


Author Name
Pasquale Stirparo, @pstirparo
Submission Title
Mac OS X: iOS device backup locations
Artifact Description
Num. 1 is the main directory on a Mac containing iOS device backups.

Num. 2 is a plist file in plain text. It stores data about the backed-up device (such as device name, GUID, ICCID, IMEI, product type, iOS version, serial numbers, UDID, etc.) and the iTunes software used to create the backup (iTunes version number, iTunes settings).

Num. 3 is a plist file in plain text that describes the content of the backup. It lists the applications installed on the backed-up device, with the name and exact version of each. It also records the date the backup was made, the backup type (encrypted vs. unencrypted) and some information about the iDevice and the iTunes software used.

Num. 4 is a binary file that stores the descriptions of all the other files in the backup directory. It contains a record for each element in the backup.

Num. 5 is a plist file in binary format that stores information about the completion of the backup.
File Locations
1) iOS device backups directory
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*


2) iOS device backup information
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*/info.plist


3) iOS device backup apps information
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.plist


4) iOS device backup files information
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.mbdb


5) iOS device backup status information
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Status.plist
Research Links
https://github.com/pstirparo/mac4n6


http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location


https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_GNGpX8/edit#gid=4
Any Other Information
These artefacts are collected under the mac4n6 project, which aims to be a single point of collection for OS X artifacts, from which the locations are then shared via:
– yaml library
– ForensicsWiki.org
– ForensicsArtifacts.com
so that the effort is made only once and the output is reused everywhere.


Mac OS X “Recent Items”


Author Name
Pasquale Stirparo, @pstirparo
Submission Title
Mac OS X “Recent Items”
Artifact Description
Num. 1 contains info about the recently opened applications, files, and servers.

Num. 2 contains info about the recently opened files, specific to each application.
File Locations
1) Recent Items
– %%users.homedir%%/Library/Preferences/com.apple.recentitems.plist


2) Recent Items application specific
– %%users.homedir%%/Library/Preferences/*LSSharedFileList.plist
Research Links
https://github.com/pstirparo/mac4n6


http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location


https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_GNGpX8/edit#gid=4
Any Other Information
These artefacts are collected under the mac4n6 project, which aims to be a single point of collection for OS X artifacts, from which the locations are then shared via:
– yaml library
– ForensicsWiki.org
– ForensicsArtifacts.com
so that the effort is made only once and the output is reused everywhere.


Mac OS X System Logs


Author Name
Pasquale Stirparo, @pstirparo
Submission Title
Mac OS X System Logs
Artifact Description
Num. 1 is the main folder containing the system logs.

Num. 2 contains the Apple System Logs (asl); file names follow the format YYYY.MM.DD.[UID].[GID].asl.

Num. 4 contains the install date of the system, as well as the dates of system and software updates.
File Locations
1) System Log files main folder
– /var/log/*


2) Apple System Log
– /var/log/asl/*


3) Audit Log
– /var/audit/*


4) Installation log
– /var/log/install.log
Research Links
https://github.com/pstirparo/mac4n6


http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location


https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_GNGpX8/edit#gid=4
Any Other Information
These artefacts are collected under the mac4n6 project, which aims to be a single point of collection for OS X artifacts, from which the locations are then shared via:
– yaml library
– ForensicsWiki.org
– ForensicsArtifacts.com
so that the effort is made only once and the output is reused everywhere.

Mac OS X Sleep/Hibernate and Swap Image File


Author
Pasquale Stirparo, @pstirparo
Artifact Description
Contents of RAM are written into the sleepimage file when the computer is put to sleep.
Numerous swap files may be found in the /var/vm/ directory with the naming convention of swapfile# (swapfile0, swapfile1, swapfile2, etc.)
File Locations
/var/vm/sleepimage
/var/vm/swapfile#
Research Links
https://github.com/pstirparo/mac4n6

http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location

https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_GNGpX8/edit#gid=4
Any Other Information
These artefacts are collected under the mac4n6 project, which aims to be a single point of collection for OS X artifacts, from which the locations are then shared via:
– yaml library
– ForensicsWiki.org
– ForensicsArtifacts.com
so that the effort is made only once and the output is reused everywhere.


Mac OS X Autorun Locations


Author Name
pstirparo
Submission Title
Mac OS X Autorun Locations
Post Category
System
Submission Tags
Apple, OSX, System
Artifact Description
These artifacts refer to autorun programs and daemons that run at system startup.
File Locations
Launch Agents files
– /Library/LaunchAgents/*
– /System/Library/LaunchAgents/*

Launch Daemons files
– /Library/LaunchDaemons/*
– /System/Library/LaunchDaemons/*

Startup Items files
– /Library/StartupItems/*
– /System/Library/StartupItems/*

Research Links
https://github.com/pstirparo/mac4n6
http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location
https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_GNGpX8/edit#gid=4
Any Other Information
These artefacts are collected under the mac4n6 project, which aims to be a single point of collection for OS X artifacts, from which the locations are then shared via:
– yaml library
– ForensicsWiki.org
– ForensicsArtifacts.com
so that the effort is made only once and the output is reused everywhere.

Dissecting VLC – Windows 7 x32


Author Name
Carlos A. Amorocho Acosta

Artifact Name
VLC media player 2.2.1 for win32

Artifact/Program Version
VLC is a free and open source cross-platform multimedia player and framework that plays most multimedia files as well as DVDs, Audio CDs, VCDs, and various streaming protocols.

vlc-2.2.1-win32.exe [1] -> SHA-1 checksum: 4cbcea9764b6b657d2147645eeb5b973b642530e (verified with sha1sum)

Value "CompanyName", "VideoLAN"
Value "ProductName", "VLC media player"
Value "ProductVersion", "vlc-2.2.1-win32.exe"
Value "FileVersion", "VLC 2.2.1"
Value "FileDescription", "VLC media player"
Value "LegalCopyright", "Copyright \251 @COPYRIGHT_YEARS@ VideoLAN and VLC Authors"
Value "LegalTrademarks", "VLC media player, VideoLAN and x264 are registered trademarks from VideoLAN"


Registry Keys
Keys added: 1272 -> Obtained from Regshot
Values modified: 46 -> Obtained from Regshot

Summary
HKLM\SOFTWARE\Classes\Applications\vlc.exe
HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithVLC
HKLM\SOFTWARE\Classes\CLSID\{9BE31822-FDAD-461B-AD51-BE1D1C159921}
HKLM\SOFTWARE\Classes\CLSID\{E23FE9C6-778E-49D4-B537-38FCDE4887D8}
HKLM\SOFTWARE\Classes\Directory\shell\AddToPlaylistVLC
HKLM\SOFTWARE\Classes\Directory\shell\PlayWithVLC
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithVLC
HKLM\SOFTWARE\Classes\Interface\{0AAEDF0B-D333-4B27-A0C6-BBF31413A42E}
HKLM\SOFTWARE\Classes\Interface\{465E787A-0556-452F-9477-954E4A940003}
HKLM\SOFTWARE\Classes\MIME\Database\Content Type\application/x-vlc-plugin
HKLM\SOFTWARE\Classes\TypeLib\{DF2BBE39-40A8-433B-A279-073F48DA94B6}
HKLM\SOFTWARE\VideoLAN\VLC\

The rest is in the file regshot.txt.

The program also tries to get the proxy server address from the Windows Internet Settings in the registry:

    /* Open the key */
    if( RegOpenKeyEx( HKEY_CURRENT_USER, "Software\\Microsoft"
                      "\\Windows\\CurrentVersion\\Internet Settings",
                      0, KEY_READ, &h_key ) != ERROR_SUCCESS )
        return NULL;   /* the copy in the post reads "== ERROR_SUCCESS",
                          which would give up precisely when the key opened */

    DWORD len = sizeof( DWORD );
    DWORD proxyEnable;  /* ProxyEnable is a REG_DWORD: a BYTE here (as in the
                           post's copy) would be overrun by the 4-byte read */

    /* Get the proxy enable value */
    if( RegQueryValueEx( h_key, "ProxyEnable", NULL, NULL,
                         (LPBYTE)&proxyEnable, &len ) != ERROR_SUCCESS
     || !proxyEnable )
        goto out;

    /* Proxy is enabled */
    /* Get the proxy URL :
       Proxy server value in the registry can be something like "address:port"
       or "ftp=address1:port1;http=address2:port2 ..."
       depending on the configuration. */

This code is a fragment of the VLC media player source code [2], with straight quotes restored and the two issues flagged in the comments corrected relative to the copy in the post.

File Locations
During installation the installer writes its files to the user's temp folder; as soon as the installer process ends, this folder is cleaned.

C:\Users\\AppData\Local\Temp\

Filename + Modified Count + Created Count + Deleted Count + Full Path + Extension
metachannels.luac + 1 + 1 + 0 + C:\Program Files\VideoLAN\VLC\lua\sd\metachannels.luac + luac (end process)
ns92A1.tmp + 4 + 1 + 1 + C:\Users\\AppData\Local\Temp\nsn9E1.tmp\ns92A1.tmp + tmp (clean folder)

C:\Program Files\VideoLAN\ (main folder: view root folders in tree.txt)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN (direct access)
C:\Users\Public\Desktop (direct access)
C:\Users\\AppData\Roaming\vlc (configuration files for user: playlist,screen sizes, etc.)

Research Links
[1] http://get.videolan.org/vlc/2.2.1/win32/vlc-2.2.1-win32.exe
[2] http://get.videolan.org/vlc/2.2.0/vlc-2.2.0.tar.xz
[3] ftp://ftp.videolan.org/pub/videolan/
[4] http://www.videolan.org/
[5] http://ganesh.videolan.org
[6] http://update.videolan.org
[7] http://www.piriform.com/ccleaner
[8] https://lists.gnupg.org/pipermail/gnupg-announce/2004q4/000184.html
[9] https://code.google.com/p/regshot/
[10] http://processhacker.sourceforge.net/
[11] https://notepad-plus-plus.org/
[12] https://technet.microsoft.com/en-us/library/bb896645.aspx
[13] https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
[14] https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
[15] http://www.nirsoft.net/utils/folder_changes_view.html
[16] https://www.cert.at/downloads/software/procdot_en.html
[17] https://github.com/Crypt0s/FakeDns
[18] http://portswigger.net/burp/
[20] https://remnux.org/

Forensic Programs of Use
VMware (Windows 7 x32 without AV & Remnux)
ccleaner
sha1sum
regshot
processHacker
notepad++
process Explorer
process Monitor
autoruns
folderChangesView
burp suite
tcpdump
fakedns
procdot

Other Info
Update process: the program sends a GET request to update.videolan.org (the server), which sends the file “status-win-x86” back to the client

Request Method: GET
Request URI: /vlc/status-win-x86
Request Version: HTTP/1.0
Host: update.videolan.org:80\r\n
User-Agent: NSPlayer/7.10.0.3059\r\n
Full request URI: http://update.videolan.org:80/vlc/status-win-x86
Expert Info (Chat/Sequence): GET /vlc/status-win-x86 HTTP/1.0\r\n

File for review.zip contains: Please rename File for review.ioc to File for review.zip
* imports dll.txt
* modules.txt
* regshot.txt
* root folders in tree.txt
* systeminfo.txt
* threads.txt
* status-win-x86
* dump.pcap
* process Monitor dump.csv
* graphics for update process.png
* graphics run with update process.png
* graphics run withou update process
* vlc512x512.png


ActionVoip – Windows client


Author Name
Mohammed Faiz Quadri
Artifact or Program Version
4.14 (Same may apply on older versions)
Artifact Description
This artifact is for Actionvoip client for Windows.

ActionVoip is a program for making VoIP calls from a PC or a smartphone. It is used by thousands of users worldwide to make free or cheap phone calls. Users are not required to provide identity information when making a call; the caller ID shown on the receiving phone is usually an “Unknown” number.
Registry Keys

HKU\<<>>\Software\ActionVoip\ActionVoip\Accounts\Password: <<>>


HKU\<<>>\Software\ActionVoip\ActionVoip\Accounts\Username: “<<>>”

HKU\<<>>\Software\ActionVoip\ActionVoip\CallHistory\<<>>\Count: 0x00000002 —> REG_DWORD value showing the number of calls made from the account

HKU\<<>>\Software\ActionVoip\ActionVoip\CallHistory\<<>>\Call_00: “001234567” —> Values showing the phone number dialed

HKU\<<>>\Software\ActionVoip\ActionVoip\CallHistory\<<>>\Call_01: “0012345678” —> Values showing the phone number dialed

HKU\<<>>\Software\ActionVoip\ActionVoip\<<>>\CallerId: CallerIdForCalls —> Caller ID used for making calls

HKU\<<>>\Software\ActionVoip\ActionVoip\<<>>\CallerId: CallerIdForSMS —> Caller ID used for sending SMS
File Locations
C:\Users\mohfa04\AppData\Roaming\ActionVoip\History_<<>>.dat —> History files showing details of the calls made from the account

Sample Data –

TYPE=CALL
NUMBER=00123456789
NAME=
CALLTYPEV2=2
OTHERPARTYTYPE=2
ENDCAUSE=3
ENDCAUSESIP=-1
ENDCAUSESTRING=
ENDLOCATION=4
CALLSTARTTIME=2013-2-23 16:50:20
CONNSTARTTIME=1970-1-1 5:30:0
CALLENDTIME=2013-3-23 16:50:37
CALLENDTIME=2013-3-23 16:50:37
NEWVOICEMAIL=NO
Research Links
actionvoip.com

Forensic Programs of Use
ProcessExplorer
RegShot

Windows Essentials 2012


Author Name
Matt Nelson – @mattnels
Submission Title
Windows Essentials 2012
Artifact or Program Version
16.4.3508.0205
Artifact Description
“Windows Essentials” – from Wikipedia:
“Windows Essentials (formerly Windows Live Essentials and Windows Live Installer) is a suite of freeware applications by Microsoft that aims to offer integrated and bundled e-mail, instant messaging, photo-sharing, blog publishing, and security services. Essentials programs are designed to integrate well with each other, with Microsoft Windows, and with other Microsoft web-based services such as SkyDrive and Outlook.com, so that they operate as a “seamless whole”.”
Windows Essentials 2012 includes the following applications:
Windows Live Messenger
Windows Photo Gallery
Windows Movie Maker
Windows Live Mail
Windows Live Writer
SkyDrive for Windows
Outlook Connector Pack
Windows Live Family Safety (Windows 7 only)
Registry Keys
Registry Entries of interest:
Messenger user account picture from Outlook.com:
HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\IdentityCRL\UserExtendedProperties\user@outlook.com\usertileurl: “http://byfiles.storage.msn.com/y1m4gfKDG3PgZg3XzURbeMEzcTjvII7nIA-llg-rJf2qOEhi8TUOBAUYYFMvIBxPlBhcQEvMWuQX4ley0hvAZ2kCg”

Messenger user account picture:
HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\IdentityCRL\UserExtendedProperties\user@outlook.com\usertilepath: “C:\Users\Chuck\AppData\Local\Microsoft\Messenger\user@outlook.com\ObjectStore\UserTile\uVeLvZdl2a7TybTJn8wW0wYsWA4=.dt2″
This corresponds to the file in C:\Users\Chuck\AppData\Local\Microsoft\Messenger\user@outlook.com\ObjectStore\UserTile\uVeLvZdl2a7TybTJn8wW0wYsWA4=.dt2
HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Communications Clients\Shared\Mail Primary Account: “user@outlook.com” <—main user account under profile

Safe Senders List:
HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\Windows Live Mail\PerPassportSettings\800773358\Junk Mail\Safe Senders List\
HKEY_USERS\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live Mail\PerPassportSettings\800773358\Junk Mail\Safe Senders List\00000000
“Flags”=dword:00000001
“Exception”=”somename@someaddress.com

HKEY_USERS\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\Windows Live Mail\PerPassportSettings\800773358\Junk Mail\Safe Senders List\00000001
“Flags”=dword:00000001
“Exception”=”somename2@someaddress2.com

HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@outlook.com

SkyDrive Share:
HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\IdentityCRL\UserExtendedProperties\user@outlook.com\cid: “6512e79cec0ce###”

To look at the share above, open the URL https://skydrive.live.com/?cid= with the CID value above appended; this shows the share drive.

Messenger Credentials:
HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\IdentityCRL\OfflineCreds\user@outlook.com: E1 9E D3 29 60 73 A8 19 93 CD 9A E2 3B 45 38 66 6F 06 F2 F2 2F C8 ED 04 27 CA 67 48 CF E1 B2 FD BF 7A D6 80 CE 88 D8 CA 1E 89 D6 84 F0 E3 A0 72 C8 ED AC 70 2B 0D 19 08 F9 0B A4 4B FD B7 3B 7B E5 83 01 06 F3 35 AF 71 AC 61 2F 98 DD 7B EC 81 E0 D0 63 A9 5C 72 58 D7 20 C7 41 AD 16 67 EB 6D 26 D9 B2 DA A7 17 45 62 04 31 B4 29 61 4A 93 00 C8 60 74 94 D8 CF 1A 89 4D DE 5A 32 D3 9E 93 70

LiveWriter entries of interest:

HKU\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Writer\Weblogs\c2626959-dc97-4794-a339-aa41b4a5ff27 <—this value is unique to the blog on the system, another blog would have a different “id”

HKU\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Writer\Weblogs\c2626959-dc97-4794-a339-aa41b4a5ff27\Categories\xxxxxxxx <—here will be entries for labels/keywords (used Blogger account for testing)

HKU\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Writer\Weblogs\c2626959-dc97-4794-a339-aa41b4a5ff27\BlogName: “SOMEBLOG TITLE” <—blog title
HKU\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Writer\Weblogs\c2626959-dc97-4794-a339-aa41b4a5ff27\HomepageUrl: “http://someblog.blogspot.com” <—blog URL

HKU\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Writer\Weblogs\c2647659-dc93-4794-a339-aa41b6a5ff27\Credentials\Username: “someusername” <—blog username

HKU\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Writer\Weblogs\c2647659-dc93-4794-a339-aa41b6a5ff27\Credentials\Password: 00 01 00 00 00 FF FF FF FF 01 00 00 00 00 00 00 00 0F 01 00 00 00 06 01 00 00 02 01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB 01 00 00 00 81 EE 36 19 D3 B8 54 4C 81 ED C0 2B 40 CC 55 39 00 00 00 00 02 00 00 00 00 00 10 66 00 00 00 01 00 00 20 00 00 00 55 2D AA 69 75 48 29 3F 74 76 93 F6 B8 0C FE 49 C7 17 1C 8A 54 2D EC 06 77 E5 1B 1A 89 D9 01 2E 00 00 00 00 0E 80 00 00 00 02 00 00 20 01 00 00 A0 C2 93 F3 FB DF 5B FB E1 65 09 A9 B1 48 15 1E 49 58 F2 39 35 38 3E EE 56 E2 FD 9C A1 A7 39 18 30 00 00 00 B5 F1 1F D0 8A 6D 68 EC 20 70 AA BD 8F D7 DD 5E 9F AD 78 70 DC E0 D0 F2 55 17 1B A1 C5 C9 CE 05 9A 5B DC 81 60 A2 61 77 E7 16 FC 55 92 A9 A6 17 40 00 00 00 2A A4 E8 00 57 26 CE C8 49 EE 04 88 6F 57 D1 37 48 19 62 A3 11 A2 C7 E8 A5 1C B3 E9 C9 81 00 C1 A8 C9 DB 46 8E 1D B1 AC B7 93 76 36 D6 6C 39 25 65 C3 C1 D 5 A7 D1 16 0A FF 60 49 06 9E 4A 56 25 0B <—if password is saved, this is where it is stored
File Locations
Main Program(s) location:
C:\Program Files (x86)\Windows Live
C:\Program Files (x86)\Windows Live\Contacts
C:\Program Files (x86)\Windows Live\Family Safety
C:\Program Files (x86)\Windows Live\Installer
C:\Program Files (x86)\Windows Live\Mail
C:\Program Files (x86)\Windows Live\Messenger
C:\Program Files (x86)\Windows Live\Photo Gallery
C:\Program Files (x86)\Windows Live\Shared
C:\Program Files (x86)\Windows Live\SOXE
C:\Program Files (x86)\Windows Live\Writer

Main user profile locations:
C:\Users\Chuck\AppData\Local\Windows Live Writer
C:\Users\Chuck\AppData\Local\Microsoft\Feeds
C:\Users\Chuck\AppData\Local\Microsoft\Messenger
C:\Users\Chuck\AppData\Local\Microsoft\SkyDrive
C:\Users\Chuck\AppData\Local\Microsoft\Windows Live
C:\Users\Chuck\AppData\Local\Microsoft\Windows Live Mail
C:\Users\Chuck\AppData\Local\Microsoft\Windows Live\Contacts\user@outlook.com\15.5\DBStore\contacts.edb <—Contacts file
C:\Users\Chuck\AppData\Local\Microsoft\Windows Live\Contacts\user@outlook.com\15.5\DBStore\dbstore.ini <—LastStartupTime= & LastShutdownTime=
C:\Users\Chuck\AppData\Local\Microsoft\Windows Live\Contacts\user@outlook.com\15.5\DBStore\LogFiles

Messenger Log of importance:
C:\Users\Chuck\AppData\Local\Microsoft\Messenger\contactslog.txt

SkyDrive Log of importance:
C:\Users\Chuck\AppData\Local\Microsoft\SkyDrive\setup\logs\yyyy-mm-dd_timecreated_xxx-xxx.log <—contains the user SID tied to SkyDrive, among other info.

Messenger user account (corresponds with Outlook.com picture):
C:\Users\Chuck\AppData\Local\Microsoft\Messenger\user@outlook.com\ObjectStore\UserTile\uVeLvZdl2a7TybTJn8wW0wYsWA4=.dt2
Research Links
http://en.wikipedia.org/wiki/Windows_Essentials
http://media.blackhat.com/bh-us-11/Bursztein/BH_US_11_Bursztein_Owade_WP.pdf
http://windows.microsoft.com/en-us/windows-live/essentials
Forensic Programs of Use
Sysinternals Process Monitor
Regshot

Skype shared.xml and the “ContraProbeResults” tag


Author Name
Hal Pomeranz

Submission Title
Skype shared.xml and the <ContraProbeResults> tag

Artifact or Program Version
All versions

Artifact Description
Skype is a popular instant messaging, audio, and video teleconferencing program. The Skype application data directory contains a file named shared.xml. As the extension implies, the file is XML formatted, but most of the entries are encoded. This encoding has not been documented or reversed to my knowledge.

Of interest is one of the non-encoded fields, set off with the <ContraProbeResults> tag. This tag contains a list with an IP address and varying port numbers:


<NatTracker>
<ContraProbeResults>71.224.218.86:52514 71.224.218.86:53485 71.224.218.86:64410 71.224.218.86:58455 71.224.218.86:52870</ContraProbeResults>

Testing shows that the IP address reflects the “externally visible” IP address of the workstation where Skype is running, in other words the IP address of the outermost NAT gateway connecting the device to the Internet. There is no documentation from Skype related to the contents of the shared.xml file, so this finding is based purely on observation. Eoghan Casey references this artifact in his “Handbook of Digital Forensics and Investigation” but makes no conclusive statements regarding its meaning.

This artifact can be useful for attribution as it indicates the IP address the computer was connecting to the Internet from as of the last time Skype updated this entry. This may help tie a subject to a particular IP address and activity originating from that address.

Multiple versions of shared.xml may be found in unallocated, indicating that the Skype software sometimes deletes and recreates this file. String searching in unallocated for “<ContraProbeResults>” can turn up historical IP information related to the local system.

Immediately following the <ContraProbeResults> tag are additional encoded entries under the <ProbeResults> list. The individual tags in the list appear to be dates in “Unix Epoch Format” (seconds since Jan 1, 1970) with a leading underscore. While the entries themselves are encoded, hexadecimal IP addresses, possibly followed by 16-bit port numbers, can be observed.

In the example below, you can pick out the encoded form of “71.224.218.86” as “47E0DA56”. The meaning of the rest of the data in each entry is unknown.


<NatTracker>
<ContraProbeResults>71.224.218.86:52514 71.224.218.86:53485 71.224.218.86:64410 71.224.218.86:58455 71.224.218.86:52870</ContraProbeResults>
<PreviousNatType>9</PreviousNatType>
<ProbeResults>
<_1369067520>321AEDF742E647E0DA56CAD34E4600653A9D47E0DA56E525182F9A83109E47E0DA56C4836C27919C0A7047E0DA56FEDE9D37388F01BB47E0DA56EB4A6FDD4D9B01BB47E0DA56CBD74108B203F8FD47E0DA56E092AD33B2721E9947E0DA56F319AD3AE4F3925A47E0DA56CC1C424B0CAF0FE747E0DA56C529</_1369067520>
<_1369071616>BCBF23A3557447E0DA56D49EB144790FAF6947E0DA56D23356A428112F0647E0DA56CDE19D37EB9901BB47E0DA56CFA96FDD4A1901BB47E0DA56DB95</_1369071616>
<_1369075712>BDDE8F8C71C847E0DA56F4AB32509337D23E47E0DA56F162</_1369075712>

If these observations are correct, <ProbeResults> then gives the analyst a time-stamped history of IP addresses used by the local machine when accessing the Internet. Again, this is obviously useful for attribution, as well as for indicating networks that the system may have connected to in the past. Simply decode the XML tag name to find the date and time, then take the last six bytes of each entry; the first four bytes of the six should be the IP address.
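As an added example that is not part of the original post, the Python script below applies the decoding rule just described to the fragment quoted above (wrapped in the closing tags it needs to stand alone): it lists the IP:port pairs from ContraProbeResults, turns each _epoch tag name into a UTC time, takes the last six bytes of each entry as IP and port, and, going one step beyond the post, finds every byte-aligned copy of the external address within an entry together with the 16-bit value that follows it. Big-endian byte order is what the post's 47E0DA56 example implies; reading the two bytes after every copy as a port is an assumption extended from the post's rule for the last six bytes.

```python
"""Decode the <NatTracker> entries of a Skype shared.xml (added example)."""
import re
import struct
from datetime import datetime, timezone
from ipaddress import IPv4Address

# Constructed sample input: the fragment quoted in the post, wrapped in the
# closing tags it needs to be self-contained. Everything else in a real
# shared.xml is encoded and is ignored here.
SAMPLE_SHARED_XML = """<NatTracker>
<ContraProbeResults>71.224.218.86:52514 71.224.218.86:53485 71.224.218.86:64410 71.224.218.86:58455 71.224.218.86:52870</ContraProbeResults>
<PreviousNatType>9</PreviousNatType>
<ProbeResults>
<_1369067520>321AEDF742E647E0DA56CAD34E4600653A9D47E0DA56E525182F9A83109E47E0DA56C4836C27919C0A7047E0DA56FEDE9D37388F01BB47E0DA56EB4A6FDD4D9B01BB47E0DA56CBD74108B203F8FD47E0DA56E092AD33B2721E9947E0DA56F319AD3AE4F3925A47E0DA56CC1C424B0CAF0FE747E0DA56C529</_1369067520>
<_1369071616>BCBF23A3557447E0DA56D49EB144790FAF6947E0DA56D23356A428112F0647E0DA56CDE19D37EB9901BB47E0DA56CFA96FDD4A1901BB47E0DA56DB95</_1369071616>
<_1369075712>BDDE8F8C71C847E0DA56F4AB32509337D23E47E0DA56F162</_1369075712>
</ProbeResults>
</NatTracker>
"""

# Plain regexes rather than an XML parser: the same patterns work on strings
# carved from unallocated space, where the surrounding document is missing.
CONTRA_RE = re.compile(r"<ContraProbeResults>([^<]*)</ContraProbeResults>")
PROBE_RE = re.compile(r"<_(\d{9,10})>([0-9A-Fa-f]+)</_\1>")


def contra_probe_endpoints(text):
    """Return the (ip, port) pairs listed in every <ContraProbeResults> tag."""
    pairs = []
    for m in CONTRA_RE.finditer(text):
        for token in m.group(1).split():
            ip, _, port = token.rpartition(":")
            pairs.append((str(IPv4Address(ip)), int(port)))
    return pairs


def decode_probe_results(text):
    """Apply the post's rule to each <_epoch>HEX</_epoch> entry: the tag name
    is a Unix timestamp and the last six bytes are a big-endian IPv4 address
    followed by a 16-bit port. Truncated or odd-length entries are skipped."""
    records = []
    for m in PROBE_RE.finditer(text):
        epoch, hexdata = int(m.group(1)), m.group(2)
        if len(hexdata) % 2 or len(hexdata) < 12:
            continue  # cannot hold IP + port, or not byte-aligned
        raw = bytes.fromhex(hexdata)
        ip, port = struct.unpack(">4sH", raw[-6:])
        records.append({
            "epoch": epoch,
            "time": datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(),
            "ip": str(IPv4Address(ip)),
            "port": port,
            "hex": hexdata,
        })
    return records


def encoded_endpoints(hexdata, ip):
    """Generalisation of the post's observation: every byte-aligned copy of
    `ip` inside one entry, paired with the 16-bit value that follows it (the
    port, assuming the post's reading of the last six bytes holds elsewhere).
    Returns [(byte_offset, port), ...]. Searching bytes rather than the hex
    text avoids false matches that straddle a byte boundary."""
    raw = bytes.fromhex(hexdata)
    needle = IPv4Address(ip).packed
    hits = []
    pos = raw.find(needle)
    while pos != -1:
        if pos + 6 <= len(raw):
            hits.append((pos, struct.unpack(">H", raw[pos + 4:pos + 6])[0]))
        pos = raw.find(needle, pos + 1)
    return hits


if __name__ == "__main__":
    external = sorted({ip for ip, _ in contra_probe_endpoints(SAMPLE_SHARED_XML)})
    print("external IP(s) from ContraProbeResults:", ", ".join(external))
    for rec in decode_probe_results(SAMPLE_SHARED_XML):
        copies = encoded_endpoints(rec["hex"], rec["ip"])
        print(f'{rec["time"]}  {rec["ip"]}:{rec["port"]}  '
              f'({len(copies)} copies of the address in the entry)')
```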

File Locations
\Skype\shared.xml

Research Links
http://books.google.com/books?id=xNjsDprqtUYC&pg=PA56&lpg=PA56&dq=skype+contraproberesults&source=bl&ots=X1xOC47CuG&sig=-npWdZi2I9zCdhgxWAWqHPOLVc8&hl=en&sa=X&ei=pc2bUf-ZLcOjigKVzoF4&ved=0CE0Q6AEwAw#v=onepage&q=skype%20contraproberesults&f=false