Artifacts

Cloud-based Forensic Artifacts: TeamDrive


Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
TeamDrive 2.4

Description
TeamDrive synchronizes files to the cloud and to other designated computers. Backup functionality is provided through automated synchronization to the cloud. Rather than sharing, it provides for collaboration on files. It runs on Windows, Mac, and Linux.

It can sync to TeamDrive's cloud or to your own server.

The following is a sample of artifacts from the installation and use of TeamDrive 2.4 on a system. It is not exhaustive, but is intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.7\com.trolltech.Qt.QTextCodecFactoryInterface:\C:\Program Files (x86)\TeamDrive2.0
\ControlSet001\Services\EventLog\Application\MySQL
\ControlSet002\Services\EventLog\Application\MySQL

File Locations
Application Data Files: AppData\Roaming\TeamDrive

Application Executable Files: Program Files (x86)\TeamDrive2.0\ – TeamDrive2.exe, TeamDrive2Database.exe

Sync/Backup Files: %User%\TeamDrive Spaces

Files of Interest

WebDAVSettings.xml, DirWatcher_log.log, FileWatcher_log.log, log.log, old_20120513_162655_logs.zip, general_log.CSV, slow_log.CSV, db.opt, username_TeamDrive_13.05.2012.pss, Default_username.sakh, desktop.ini, target.lnk

Research Links
http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm

 
