Artifacts

Author Archive


Cloud-based Forensic Artifacts: Mozy Home and Mozy Stash

Posted by:  /  Tags: , , ,

Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
Mozy Home 2.12, Mozy Stash 0.11

Description
Mozy is known for its online backup service. It’s recently added synchronization via Stash (still in beta). Runs on Windows, Mac, iOS, and Android.

A sample of artifacts from the installation and use of Mozy Home 2.12 and Mozy Stash 0.11 on a system. This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
\Software\Mozy Inc, \ControlSet001\Enum\Root\LEGACY_MOZYFILTER\0000

File Locations
Application Data Files: Program Files\MozyHome\Data
AppData\Local\Stash

Application Executable Files: Program Files\MozyHome – MozyBackup.exe, MozyStat.exe
Program Files (x86)\Mozy\Stash – Stash.exe

Sync/Backup Files: Any
%User%\Stash

Files of Interest

cache.dat, changes.dat, filter_raw.log.1, local_backup.dat, manifest.dat, mozy.log, resume.dat, scancache.dat, state.dat, metrics.dat, Stash.log, state.dat

Research Links
http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm

 

Cloud-based Forensic Artifacts: Carbonite

Posted by:  /  Tags: , ,

Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
Carbonite 5.2

Description
Online backup storage solution. Runs on Windows, Mac, iPhone, Android, and Blackberry. No synchronization, or collaboration, but you can share files via email (at least from mobile devices).

A sample of artifacts from the installation and use of Carbonite 5.2 on a system. This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
\Classes\Applications\CarboniteUI.exe
\ControlSet001\Services\EventLog\Application\CarboniteService

File Locations
Application Data Files: ProgramData\Carbonite

Application Executable Files: Program Files (x86)\Carbonite\Carbonite Backup\ – CarboniteUI.exe

Sync/Backup Files: Any, User-Defined, File Type

Files of Interest

Carbonite.log, CarboniteConfig.dat, CarboniteDelta.dat, CarboniteFiles.dat, CarboniteNSE.log, CarbonitePossibleUpgrade.exe, CarboniteRestores.dat, CarboniteUI.log, CarboniteVersions.dat

Research Links
http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm

 

Cloud-based Forensic Artifacts: ADrive

Posted by:  /  Tags: , ,

Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
ADrive 1.5

Description
Provides backup, synchronization, and sharing on Windows, Mac, Linux, and Android. Provides the ability to use FTP, remote file transfer (from other sites directly to your account), collaboration, concurrent logins, and online editing (via Zoho).

Paid versions offer SSL (not available with free), FTP up/down, 16GB file transfers, remote transfer (internet to internet).
Free version can only be used through browser, no local client, w/50GB!
ADrive Desktop (local client) is written in AdobeAIR.

A sample of artifacts from the installation and use of ADrive 1.5 on a system. This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
\Wow6432Node\Microsoft\Tracing\ADrive Desktop_RASAPI32
\Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\1

File Locations
Application Data Files: AppData\Roaming\com.adrive.ADriveDesktop.9E1195EE779B0F966F518632F3A0F64E53222DC6.1

Application Executable Files: Program Files (x86)\ADrive Desktop\ – ADrive Desktop.exe

Sync/Backup Files: Any, User-Defined, File Type

Files of Interest

Adrive.db, install.log (Adobe AIR)

Research Links
http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm

 

Cloud-based Forensic Artifacts: TeamDrive

Posted by:  /  Tags: , ,

Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
TeamDrive 2.4

Description
Synchronize files to the cloud and other designated computers. Backup functionality provided through automated synchronization to cloud. Rather than sharing, provides for collaboration on files. Runs on Windows, Mac, and Linux.

Can sync to their cloud, or your own server.

A sample of artifacts from the installation and use of TeamDrive 2.4 on a system. This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.7\com.trolltech.Qt.QTextCodecFactoryInterface:\C:\Program Files (x86)\TeamDrive2.0
\ControlSet001\Services\EventLog\Application\MySQL
\ControlSet002\Services\EventLog\Application\MySQL

File Locations
Application Data Files: AppData\Roaming\TeamDrive

Application Executable Files: Program Files (x86)\TeamDrive2.0\ – TeamDrive2.exe, TeamDrive2Database.exe

Sync/Backup Files: %User%\TeamDrive Spaces

Files of Interest

WebDAVSettings.xml, DirWatcher_log.log, FileWatcher_log.log, log.log, old_20120513_162655_logs.zip, general_log.CSV, slow_log.CSV, db.opt, username_TeamDrive_13.05.2012.pss, Default_username.sakh, desktop.ini, target.lnk

Research Links
http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm

 

Cloud-based Forensic Artifacts: SpiderOak

Posted by:  /  Tags: , ,

Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
SpiderOak 4.4

Description
Cloud-based backup, synchronization, and sharing platform. You can set up and schedule backups of different directories or file types, synchronize files to designated computers, and share with others. Runs on Windows, Mac, Linux, iOS, Android, and Maemo (N900).

A sample of artifacts from the installation and use of SpiderOak 4.4 on a system. This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
\Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\34

File Locations
Application Data Files: AppData\Roaming\SpiderOak

Application Executable Files: Program Files (x86)\SpiderOak\ – SpiderOak.exe, windows_dir_watcher.exe

Sync/Backup Files: Any, User-Defined, File Type

Files of Interest

1336254748.22.port, config.dat, config.txt, device_1a.dat, device_2a.dat, dirhash.db, downloads.db, exclude.txt, fs_queue.db, local.dat, oak_20120505145242.log, oak_20120505165227.log, prefs.dat, snapshot.db, Spider_20120505145242.log, Spider_20120505165227.log, Test-skipfilter.db, test.db, test.log, tss_external_orphans_fixed_pandora_sqliite_database, tss_external_orphans_fixed_snapshot.db

Research Links
http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm

 

Cloud-based Forensic Artifacts: Dropbox

Posted by:  /  Tags: , ,  /  Comments: 1

Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
Dropbox 1.2

Description
Synchronizes designated directories to the cloud and other associated computers. Can be used for simple file sharing. Not specifically a backup service, but does maintain off-site copies of files, so it kind of qualifies. Runs on Windows, Mac, Linux, iPad, iPhone, Android, BlackBerry.

Current version of Dropbox makes use of encrypted SQLite DB files.

A sample of artifacts from the installation and use of Dropbox 1.2 on a system.  This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1

Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\21

File Locations
Application Data Files:  AppData\Roaming\Dropbox

Application Executable Files:  AppData\Roaming\Dropbox\Bin – Dropbox.exe

Sync/Backup Files:  %User%\Dropbox

Files of Interest

config.db, config.dbx, desktop.ini, filecache.dbx, host.db, sigstore.dbx, unlink.db, entries.log

Research Links
http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm

 

SSH Server Connections

Posted by:  /  Tags: , , ,

Author Name
Matonis

Artifact Name
Determine SSH Servers Users Connected To

Artifact/Program Version
PuTTY

Categories
User Activity, Active Machines

Description
SSH is a popular and practical management protocol for system administrators and nefarious users alike. In windows systems, the multifaceted terminal client, PuTTY, does not log by default but conditionally stores ssh host keys within the registry. This information can be beneficial to an analyst during a relevant incident/investigation to ascertain historical attributes about user activity and server authenticity.

Contained within the user’s NTUSER.DAT hive, the subkeys (outlined below) have the following syntax which are indicative of a successful SSH connection but not a successful SSH login:

rsa2@[port]:[hostname/IP]

The Last Write Time value of the NTUSER.DAT/Software/SimonTatham/SshHostKeys corresponds to the time the last ssh server was first connected to, as opposed to the last time the user had ssh’d to the server. If a user has connected to a server multiple times, these keys are not updated, in this event network logs are a more suitable quantitative source.

If a user chooses to save their PuTTY profile (connection preferences, servers, logs, etc), it will be stored under the NTUSER.DAT/Software/SimonTatham/Sessions.

Registry Keys
To determine servers connected to via SSH:
NTUSER.DAT/Software/SimonTatham/SshHostKeys -> Subkeys correspond to successful SSH connections but not SSH logins.

To determine PuTTY configurations based on saved profiles:
NTUSER.DAT/Software/SimonTatham/Sessions -> Subkeys will correspond to profiles user created.

 

Related Posts: