Artifacts

Archive for the ‘Windows’ Category


ActionVoip – Windows client

Posted by:  /  Tags: ,

Author Name
Mohammed Faiz Quadri
Artifact or Program Version
4.14 (Same may apply on older versions)
Artifact Description
This artifact is for Actionvoip client for Windows.

ActionVoip is a program to make VOIP calls from the a PC or a Smart phone. It is used by thousands of users worldwide to make free/cheap phones calls. It is not mandatory for a user to provide their identity information while making a call. The user ID shown on the receiving phone is usually an “Unknown” number.
Registry Keys

HKU\<<>>\Software\ActionVoip\ActionVoip\Accounts\Password: <<>>


HKU\<<>>\Software\ActionVoip\ActionVoip\Accounts\Username: “<<>>”

HKU\<<>>\Software\ActionVoip\ActionVoip\CallHistory\<<>>\Count: 0x00000002 —> REG_DWORD value showing the number of calls made from the account

HKU\<<>>\Software\ActionVoip\ActionVoip\CallHistory\<<>>\Call_00: “001234567” —> Values showing the phone number dialed

HKU\<<>>\Software\ActionVoip\ActionVoip\CallHistory\<<>>\Call_01: “0012345678” —> Values showing the phone number dialed

HKU\<<>>\Software\ActionVoip\ActionVoip\<<>>\CallerId: CallerIdForCalls —> Caller ID user for making calls

HKU\<<>>\Software\ActionVoip\ActionVoip\<<>>\CallerId: CallerIdForSMS —> Caller ID user for sending SMS
File Locations
C:\Users\mohfa04\AppData\Roaming\ActionVoip\History_<<>>.dat —> History files showing details of the calls made from the account

Sample Data -

TYPE=CALL
NUMBER=00123456789
NAME=
CALLTYPEV2=2
OTHERPARTYTYPE=2
ENDCAUSE=3
ENDCAUSESIP=-1
ENDCAUSESTRING=
ENDLOCATION=4
CALLSTARTTIME=2013-2-23 16:50:20
CONNSTARTTIME=1970-1-1 5:30:0
CALLENDTIME=2013-3-23 16:50:37
CALLENDTIME=2013-3-23 16:50:37
NEWVOICEMAIL=NO
Research Links
actionvoip.com

Forensic Programs of Use
ProcessExplorer
RegShot

Windows Essentials 2012

Posted by:  /  Tags: , , , , , , ,

Author Name
Matt Nelson – @mattnels
Submission Title
Windows Essentials 2012
Artifact or Program Version
16.4.3508.0205
Artifact Description
“Windows Essentials” – from Wikipedia:
“Windows Essentials (formerly Windows Live Essentials and Windows Live Installer) is a suite of freeware applications by Microsoft that aims to offer integrated and bundled e-mail, instant messaging, photo-sharing, blog publishing, and security services. Essentials programs are designed to integrate well with each other, with Microsoft Windows, and with other Microsoft web-based services such as SkyDrive and Outlook.com, so that they operate as a “seamless whole”.
Windows Essentials 2012 includes the following applications:
Windows Live Messenger
Windows Photo Gallery
Windows Movie Maker
Windows Live Mail
Windows Live Writer
SkyDrive for Windows
Outlook Connector Pack
Windows Live Family Safety (Windows 7 only)
Registry Keys
Registry Entries of interest:
Messenger user account picturefrom Outlook.com:HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\IdentityCRL\UserExtendedProperties\user@outlook.com\usertileurl: “http://byfiles.storage.msn.com/y1m4gfKDG3PgZg3XzURbeMEzcTjvII7nIA-llg-rJf2qOEhi8TUOBAUYYFMvIBxPlBhcQEvMWuQX4ley0hvAZ2kCg

Messenger user account picture:
HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\IdentityCRL\UserExtendedProperties\user@outlook.com\usertilepath: “C:\Users\Chuck\AppData\Local\Microsoft\Messenger\user@outlook.com\ObjectStore\UserTile\uVeLvZdl2a7TybTJn8wW0wYsWA4=.dt2″
This corresponds to the file in C:\Users\Chuck\AppData\Local\Microsoft\Messenger\user@outlook.com\ObjectStore\UserTile\uVeLvZdl2a7TybTJn8wW0wYsWA4=.dt2
HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Communications Clients\Shared\Mail Primary Account: “user@outlook.com” <—main user account under profile

Safe Senders List:
HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\Windows Live Mail\PerPassportSettings\800773358\Junk Mail\Safe Senders List\
HKEY_USERS\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live Mail\PerPassportSettings\800773358\Junk Mail\Safe Senders List\00000000
“Flags”=dword:00000001
“Exception”=”somename@someaddress.com

HKEY_USERS\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\Windows Live Mail\PerPassportSettings\800773358\Junk Mail\Safe Senders List\00000001
“Flags”=dword:00000001
“Exception”=”somename2@someaddress2.com

HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@outlook.com

SkyDrive Share:
HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\IdentityCRL\UserExtendedProperties\user@outlook.com\cid: “6512e79cec0ce###”

To look at this above share you can utilize the URL https://skydrive.live.com/?cid= and enter the CID number above. This will show you the share drive.

Messenger Credentials:
HKU\S-1-5-21-2940726306-2540122514-3547223788-1000\Software\Microsoft\IdentityCRL\OfflineCreds\user@outlook.com: E1 9E D3 29 60 73 A8 19 93 CD 9A E2 3B 45 38 66 6F 06 F2 F2 2F C8 ED 04 27 CA 67 48 CF E1 B2 FD BF 7A D6 80 CE 88 D8 CA 1E 89 D6 84 F0 E3 A0 72 C8 ED AC 70 2B 0D 19 08 F9 0B A4 4B FD B7 3B 7B E5 83 01 06 F3 35 AF 71 AC 61 2F 98 DD 7B EC 81 E0 D0 63 A9 5C 72 58 D7 20 C7 41 AD 16 67 EB 6D 26 D9 B2 DA A7 17 45 62 04 31 B4 29 61 4A 93 00 C8 60 74 94 D8 CF 1A 89 4D DE 5A 32 D3 9E 93 70

LiveWriter entries of interest:

HKU\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Writer\Weblogs\c2626959-dc97-4794-a339-aa41b4a5ff27 <—this value is unique to the blog on the system, another blog would have a different “id”

HKU\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Writer\Weblogs\c2626959-dc97-4794-a339-aa41b4a5ff27\Categories\xxxxxxxx <—here will be entries for labels/keywords (used Blogger account for testing)

HKU\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Writer\Weblogs\c2626959-dc97-4794-a339-aa41b4a5ff27\BlogName: “SOMEBLOG TITLE” <—blog title
HKU\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Writer\Weblogs\c2626959-dc97-4794-a339-aa41b4a5ff27\HomepageUrl: “http://someblog.blogspot.com” <—blog URL

HKU\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Writer\Weblogs\c2647659-dc93-4794-a339-aa41b6a5ff27\Credentials\Username: “someusername” <—blog username

HKU\S-1-5-21-2940736306-2540122514-3547223788-1000\Software\Microsoft\Windows Live\Writer\Weblogs\c2647659-dc93-4794-a339-aa41b6a5ff27\Credentials\Password: 00 01 00 00 00 FF FF FF FF 01 00 00 00 00 00 00 00 0F 01 00 00 00 06 01 00 00 02 01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB 01 00 00 00 81 EE 36 19 D3 B8 54 4C 81 ED C0 2B 40 CC 55 39 00 00 00 00 02 00 00 00 00 00 10 66 00 00 00 01 00 00 20 00 00 00 55 2D AA 69 75 48 29 3F 74 76 93 F6 B8 0C FE 49 C7 17 1C 8A 54 2D EC 06 77 E5 1B 1A 89 D9 01 2E 00 00 00 00 0E 80 00 00 00 02 00 00 20 01 00 00 A0 C2 93 F3 FB DF 5B FB E1 65 09 A9 B1 48 15 1E 49 58 F2 39 35 38 3E EE 56 E2 FD 9C A1 A7 39 18 30 00 00 00 B5 F1 1F D0 8A 6D 68 EC 20 70 AA BD 8F D7 DD 5E 9F AD 78 70 DC E0 D0 F2 55 17 1B A1 C5 C9 CE 05 9A 5B DC 81 60 A2 61 77 E7 16 FC 55 92 A9 A6 17 40 00 00 00 2A A4 E8 00 57 26 CE C8 49 EE 04 88 6F 57 D1 37 48 19 62 A3 11 A2 C7 E8 A5 1C B3 E9 C9 81 00 C1 A8 C9 DB 46 8E 1D B1 AC B7 93 76 36 D6 6C 39 25 65 C3 C1 D 5 A7 D1 16 0A FF 60 49 06 9E 4A 56 25 0B <—if password is saved, this is where it is stored
File Locations
Main Program(s) location:
C:\Program Files (x86)\Windows Live
C:\Program Files (x86)\Windows Live\Contacts
C:\Program Files (x86)\Windows Live\Family Safety
C:\Program Files (x86)\Windows Live\Installer
C:\Program Files (x86)\Windows Live\Mail
C:\Program Files (x86)\Windows Live\Messenger
C:\Program Files (x86)\Windows Live\Photo Gallery
C:\Program Files (x86)\Windows Live\Shared
C:\Program Files (x86)\Windows Live\SOXE
C:\Program Files (x86)\Windows Live\Writer

Main user profile locations:
C:\Users\Chuck\AppData\Local\Windows Live Writer
C:\Users\Chuck\AppData\Local\Microsoft\Feeds
C:\Users\Chuck\AppData\Local\Microsoft\Messenger
C:\Users\Chuck\AppData\Local\Microsoft\SkyDrive
C:\Users\Chuck\AppData\Local\Microsoft\Windows Live
C:\Users\Chuck\AppData\Local\Microsoft\Windows Live Mail
C:\Users\Chuck\AppData\Local\Microsoft\Windows Live\Contacts\user@outlook.com\15.5\DBStore\contacts.edb <—Contacts file
C:\Users\Chuck\AppData\Local\Microsoft\Windows Live\Contacts\user@outlook.com\15.5\DBStore\dbstore.ini <—LastStartupTime= & LastShutdownTime=
C:\Users\Chuck\AppData\Local\Microsoft\Windows Live\Contacts\user@outlook.com\15.5\DBStore\LogFiles

Messenger Log of importance:
C:\Users\Chuck\AppData\Local\Microsoft\Messenger\contactslog.txt

SkyDrive Log of importance:
C:\Users\Chuck\AppData\Local\Microsoft\SkyDrive\setup\logs\yyyy-mm-dd_timecreated_xxx-xxx.log <–contains info usersid tie to SkyDrive and other info.

Messenger user account (corresponds with Outlook.com picture):
C:\Users\Chuck\AppData\Local\Microsoft\Messenger\user@outlook.com\ObjectStore\UserTile\uVeLvZdl2a7TybTJn8wW0wYsWA4=.dt2
Research Links
http://en.wikipedia.org/wiki/Windows_Essentials
http://media.blackhat.com/bh-us-11/Bursztein/BH_US_11_Bursztein_Owade_WP.pdf
http://windows.microsoft.com/en-us/windows-live/essentials
Forensic Programs of Use
Sysinternals Process Monitor
Regshot

Skype shared.xml and the “ContraProbeResults” tag

Posted by:  /  Tags:

Author Name
Hal Pomeranz

Submission Title
Skype shared.xml and the <ContraProbeResults> tag

Artifact or Program Version
All versions

Artifact Description
Skype is a popular instant messaging, audio, and video teleconferencing program. The Skype application data directory contains a file named shared.xml. As the extension implies, the file is XML formatted, but most of the entries are encoded. This encoding has not been documented or reversed to my knowledge.

Of interest is one of the non-encoded fields, set off with the <ContraProbeResults> tag. This tag contains a list with an IP address and varying port numbers:


<NatTracker>
<ContraProbeResults>71.224.218.86:52514 71.224.218.86:53485 71.224.218.86:64410 71.224.218.86:58455 71.224.218.86:52870</ContraProbeResults>

Testing shows that the IP address reflects the “externally visible” IP address of the workstation where Skype is running– in other words the IP address of the outermost NAT gateway connecting the device to the Internet. There is no documentation from Skype related to the contents of the shared.xml file, so this finding is based purely on observation. Eoghan Casey references this artifact in his “Handbook of Digital Forensics and Investigation” but makes no conclusive statements regarding its meaning.

This artifact can be useful for attribution as it indicates the IP address the computer was connecting to the Internet from as of the last time Skype updated this entry. This may help tie a subject to a particular IP address and activity originating from that address.

Multiple versions of shared.xml may be found in unallocated, indicating that the Skype software sometimes deletes and recreates this file. String searching in unallocated for “<ContraProbeResults>” can turn up historical IP information related to the local system.

Immediately following the <ContraProbeResults> tag are additional encoded entries under the <ProbeResults> list. The individual tags in the list appear to be dates in “Unix Epoch Format” (seconds since Jan 1, 1970) with a leading underscore. While the entries themselves are encoded, hexadecimal IP addresses, possibly followed by 16-bit port numbers, can be observed.

In the example below, you can pick out the encoded form of “71.224.218.86” as “47E0DA56″. The meaning of the rest of the data in each entry is unknown.


<NatTracker>
<ContraProbeResults>71.224.218.86:52514 71.224.218.86:53485 71.224.218.86:64410 71.224.218.86:58455 71.224.218.86:52870</ContraProbeResults>
<PreviousNatType>9</PreviousNatType>
<ProbeResults>
<_1369067520>321AEDF742E647E0DA56CAD34E4600653A9D47E0DA56E525182F9A83109E47E0DA56C4836C27919C0A7047E0DA56FEDE9D37388F01BB47E0DA56EB4A6FDD4D9B01BB47E0DA56CBD74108B203F8FD47E0DA56E092AD33B2721E9947E0DA56F319AD3AE4F3925A47E0DA56CC1C424B0CAF0FE747E0DA56C529</_1369067520>
<_1369071616>BCBF23A3557447E0DA56D49EB144790FAF6947E0DA56D23356A428112F0647E0DA56CDE19D37EB9901BB47E0DA56CFA96FDD4A1901BB47E0DA56DB95</_1369071616>
<_1369075712>BDDE8F8C71C847E0DA56F4AB32509337D23E47E0DA56F162</_1369075712>

If these observations are correct, <ProbeResults> then gives the analyst a time-stamped history of IP addresses used by the local machine when accessing the Internet. Again, this is obviously useful for attribution, as well as indicating networks that the system may have connected to in the past. Simply decode the XML tag to find the date and time, then take the last six bytes of each entry– the first four bytes of the six should be the IP address.

File Locations
\Skype\shared.xml

Research Links

http://books.google.com/books?id=xNjsDprqtUYC&pg=PA56&lpg=PA56&dq=skype+contraproberesults&source=bl&ots=X1xOC47CuG&sig=-npWdZi2I9zCdhgxWAWqHPOLVc8&hl=en&sa=X&ei=pc2bUf-ZLcOjigKVzoF4&ved=0CE0Q6AEwAw#v=onepage&q=skype%20contraproberesults&f=false

TeamViewer 8

Posted by:  /  Tags: , ,  /  Comments: 3

Author Name
Matt Nelson

Submission Title
TeamViewer 8

Artifact or Program Version
8.0.16447

Artifact Description
TeamViewer is a program that provides remote desktop software, remote control access, VPN capabilities, file transfers, etc. It can be installed, run temporarily, or used as portable application. One interesting capability is that it can determine if the Remote and Local host are on the same network and it will conduct P2P activity and connect directly, rather than use gateway servers. It is also proxy aware…you can configure it to connect through your network proxies or even a TOR proxy.

While there are important artifacts in the registry, there are a few important files that can help decipher details and events that occurred with the software.

#1 file on Local Host:
C:\Program Files (x86)\TeamViewer\Version8\TeamViewer8_Logfile.log <—–wealth of knowledge in this file

“CMD_MEETING_AUTHENTICATION From=155xxx982 To=312xxx388 L=53″ <—– “ID” to “ID”connecting information

“CT11 GWT.CmdUDPPing.UDPMasterReply 208.1xx.1x.18:12364:51347″ <—– connecting IP address:port:port

“CMeetingControl[1]::AddParticipant(): Participant[155xxx982,-1919357301] Role_Spectator, Role_Organizer”
“CStreamManager::JoinMeeting() participant=[312xxx388,537743816] key=0xf757b7eafe00641d3a8e” <—– This key is present on both systems connection logs.

Note: there are more interesting fields in the “TeamViewer8_Logfile.log”, seek it out if you suspect Teamviewer was installed.

Remote Host:
Connections.txt = C:\Users\dude\AppData\Roaming\TeamViewer\Connections.txt <—– this simple file contains the “ID” of the remote host connected to. Fields in this file include date, time connected and date/time disconnected and the user the app ran under.

Local Host:
C:\Program Files (x86)\TeamViewer\Version8\Connections_incoming.txt <—– this simple file contains the “ID” of the remote host that connected to the “local” system. Fields in this file include date, time connected and date/time disconnected and the user the app ran under.

Below is a file transfer entry logged in the TeamViewer8_Logfile.log:

2012/12/17 22:34:31.853 2960 2740 G1 – File transfer request from 155 xxx 982 allowed
2012/12/17 22:34:32.658 2960 2740 G1 – Views folder
2012/12/17 22:34:57.358 2960 2740 G1 – Views folder C:\Users\Chuck\Desktop\
2012/12/17 22:35:04.333 2960 2740 G1 – Processing file transfer…
2012/12/17 22:35:04.333 2960 2740 G1 – Write file C:\Users\Chuck\Desktop\test.txt
2012/12/17 22:35:04.343 2960 2740 G1 – File transfer finished.
2012/12/17 22:35:04.348 2960 2740 G1 – Views folder C:\Users\Chuck\Desktop\
2012/12/17 22:35:12.153 2960 2588 G1 Ending CFileTransferThreadServer…
2012/12/17 22:35:12.153 2960 2740 G1 – File transfer server shut down.
2012/12/17 22:35:12.153 2960 2588 G1 The CFileTransferThreadServer has ended.

Registry Keys
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer 8\DisplayName: “TeamViewer 8″
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer 8\DisplayIcon: “C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer 8\Publisher: “TeamViewer”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer 8\HelpLink: “http://www.teamviewer.com”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer 8\UninstallString: “C:\Program Files (x86)\TeamViewer\Version8\uninstall.exe”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer 8\NoModify: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer 8\NoRepair: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer 8\VersionMajor: 0x00000008
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer 8\VersionMinor: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer 8\InstallLocation: “C:\Program Files (x86)\TeamViewer\Version8″
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer 8\DisplayVersion: “8.0.16447”
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts\TeamViewer8 (TrueType): “teamviewer8.otf”
HKLM\SOFTWARE\Classes\.tvc\: “TeamViewerConfiguration”
HKLM\SOFTWARE\Classes\.tvs\: “TeamViewerSession”
HKLM\SOFTWARE\Classes\teamviewer8\shell\open\command\: “”C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe” %1″
HKLM\SOFTWARE\Classes\teamviewer8\URL Protocol: “”””
HKLM\SOFTWARE\Classes\teamviewer8\: “URL:teamviewer8 Protocol”
HKLM\SOFTWARE\Classes\TeamViewerConfiguration\shell\open\command\: “”C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe” –control “%1″”
HKLM\SOFTWARE\Classes\TeamViewerConfiguration\shell\open\command: “”
HKLM\SOFTWARE\Classes\TeamViewerConfiguration\shell\open: “”
HKLM\SOFTWARE\Classes\TeamViewerConfiguration\DefaultIcon\: “”C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe”,0″
HKLM\SOFTWARE\Classes\TeamViewerConfiguration\shell: “”
HKLM\SOFTWARE\Classes\TeamViewerConfiguration\DefaultIcon: “”
HKLM\SOFTWARE\Classes\TeamViewerSession\shell\open\command\: “”C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe” –play “%1″”
HKLM\SOFTWARE\Classes\TeamViewerSession\shell\open\command: “”
HKLM\SOFTWARE\Classes\TeamViewerSession\shell\open: “”
HKLM\SOFTWARE\Classes\TeamViewerSession\DefaultIcon\: “”C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe”,0″
HKLM\SOFTWARE\Classes\TeamViewerSession\shell: “”
HKLM\SOFTWARE\Classes\TeamViewerSession\DefaultIcon: “”
HKLM\SOFTWARE\Classes\tvjoinv8\shell\open\command\: “”C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe” %1″
HKLM\SOFTWARE\Classes\tvjoinv8\URL Protocol: “”””
HKLM\SOFTWARE\Classes\tvjoinv8\: “URL:tvjoinv8 Protocol”
HKLM\SOFTWARE\TeamViewer\Version8\DefaultSettings\Autostart_GUI: 0x00000000
HKLM\SOFTWARE\TeamViewer\Version8\AccessControl\AC_Server_AccessControlType: 0x00000000
HKLM\SOFTWARE\TeamViewer\Version8\StartMenuGroup: “TeamViewer 8″
HKLM\SOFTWARE\TeamViewer\Version8\InstallationDate: “2012-12-17″
HKLM\SOFTWARE\TeamViewer\Version8\InstallationDirectory: “C:\Program Files (x86)\TeamViewer\Version8″
HKLM\SOFTWARE\TeamViewer\Version8\Always_Online: 0x00000000
HKLM\SOFTWARE\TeamViewer\Version8\Security_ActivateDirectIn: 0x00000000
HKLM\SOFTWARE\TeamViewer\Version8\Version: “8.0.16447”
HKLM\SOFTWARE\TeamViewer\Version8\ClientIC: 0x19F1085A
HKLM\SOFTWARE\TeamViewer\Version8\MIDInitiativeGUID: “{3ae73f42-112a-4506-9735-2efdc6a80ec1}”
HKLM\SOFTWARE\TeamViewer\Version8\ProxyAutoList: ‘;;’
HKLM\SOFTWARE\TeamViewer\Version8\ClientID: 0x12A323AC
HKLM\SOFTWARE\TeamViewer\Version8\LastUpdateCheck: 0x50CFE30B
HKLM\SOFTWARE\TeamViewer\Version8\UsageEnvironmentBackup: 0x00000002
HKLM\SOFTWARE\TeamViewer\Version8\LicenseType: 0x00002710
HKLM\SOFTWARE\TeamViewer\Version8\UpdateVersion: 00
HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{C95C73E4-4669-44F7-946C-84B2E2208D14}: “v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe|Name=Teamviewer Remote Control Application|”
HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{5D6EBB7F-E15E-47FF-A7C5-4B1817143199}: “v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe|Name=Teamviewer Remote Control Application|”
HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{2D57F017-02ED-4095-A2C1-1BEB534D9A27}: “v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe|Name=Teamviewer Remote Control Service|”
HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{7B189A6A-2E6A-4902-B5A3-350B1328B3FC}: “v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe|Name=Teamviewer Remote Control Service|”
HKLM\SYSTEM\ControlSet001\services\TeamViewer8\Type: 0x00000010
HKLM\SYSTEM\ControlSet001\services\TeamViewer8\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\services\TeamViewer8\ErrorControl: 0x00000001
HKLM\SYSTEM\ControlSet001\services\TeamViewer8\ImagePath: “”C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe””
HKLM\SYSTEM\ControlSet001\services\TeamViewer8\DisplayName: “TeamViewer 8″
HKLM\SYSTEM\ControlSet001\services\TeamViewer8\WOW64: 0x00000001
HKLM\SYSTEM\ControlSet001\services\TeamViewer8\ObjectName: “LocalSystem”
HKLM\SYSTEM\ControlSet001\services\TeamViewer8\Description: “TeamViewer Remote Software”
HKLM\SYSTEM\ControlSet001\services\TeamViewer8\FailureActions: 80 51 01 00 00 00 00 00 00 00 00 00 03 00 00 00 14 00 00 00 01 00 00 00 D0 07 00 00 01 00 00 00 D0 07 00 00 00 00 00 00 00 00 00 00
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{C95C73E4-4669-44F7-946C-84B2E2208D14}: “v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe|Name=Teamviewer Remote Control Application|”
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{5D6EBB7F-E15E-47FF-A7C5-4B1817143199}: “v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe|Name=Teamviewer Remote Control Application|”
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{2D57F017-02ED-4095-A2C1-1BEB534D9A27}: “v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe|Name=Teamviewer Remote Control Service|”
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{7B189A6A-2E6A-4902-B5A3-350B1328B3FC}: “v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe|Name=Teamviewer Remote Control Service|”
HKLM\SYSTEM\CurrentControlSet\services\TeamViewer8\Type: 0x00000010
HKLM\SYSTEM\CurrentControlSet\services\TeamViewer8\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\services\TeamViewer8\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\services\TeamViewer8\ImagePath: “”C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe””
HKLM\SYSTEM\CurrentControlSet\services\TeamViewer8\DisplayName: “TeamViewer 8″
HKLM\SYSTEM\CurrentControlSet\services\TeamViewer8\WOW64: 0x00000001
HKLM\SYSTEM\CurrentControlSet\services\TeamViewer8\ObjectName: “LocalSystem”
HKLM\SYSTEM\CurrentControlSet\services\TeamViewer8\Description: “TeamViewer Remote Software”
HKU\[USERSID]\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted\C:\Users\Chuck\Downloads\TeamViewer_Setup_en.exe: 0x00000001
HKU\[USERSID]\Software\Classes\Local Settings\MuiCache\6B\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042: “Peer to Peer Trust”
HKU\[USERSID]\Software\Classes\Local Settings\MuiCache\6B\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10: “System Health Authentication”
HKU\[USERSID]\Software\Classes\Local Settings\MuiCache\6B\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103: “Domain Name System (DNS) Server Trust”
HKU\[USERSID]\Software\Classes\Local Settings\MuiCache\6B\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843: “BitLocker Drive Encryption”
HKU\[USERSID]\Software\Classes\Local Settings\MuiCache\6B\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844: “BitLocker Data Recovery Agent”
HKU\[USERSID]\Software\TeamViewer\Version8\Buddy_QuickPresExclusions: ‘chrome.exe devenv.exe mediamonkey.exe msnmsgr.exe opera.exe psr.exe super.exe wlmail.exe wlxphotogallery.exe’
HKU\[USERSID]\Software\TeamViewer\Version8\Buddy_QuickPresExclusions_Version: 0x00000003
HKU\[USERSID]\Software\TeamViewer\Version8\MainWindowHandle: 0x00120306
HKU\[USERSID]\Software\TeamViewer\Version8\Meeting_UserName: “Chuck”
HKU\[USERSID]\Software\TeamViewer\Version8\Buddy_WindowPos: ‘1 1131 220 1361 755′

File Locations
C:\Program Files (x86)\TeamViewer\Version8\
C:\Users\dude\AppData\Roaming\TeamViewer\
C:\Program Files (x86)\TeamViewer\Version8\TVExtractTemp\
C:\Users\Chuck\AppData\Local\Temp\TeamViewer\Version8

Research Links

http://www.teamviewer.com/en/index.aspx

Forensic Programs of Use
Regshot
ProcessHacker

AxCrypt Artifacts

Posted by:  /  Tags:

Author Name
Matt Nelson

Artifact or Program Version
AxCrypt 1.7.2976.0

Artifact Description
From the AxCrypt website: (http://www.axantum.com/axcrypt/)

AxCrypt is the leading open source file encryption software for Windows. It integrates seamlessly with Windows to compress, encrypt, decrypt, store, send and work with individual files.

Features:

Password Protect any number of files using strong encryption.

Right-click integration with Windows Explorer makes AxCrypt the easiest way to encrypt individual files in Windows.

Double-click integration makes it as easy to open, edit and save protected files as it is to work with unprotected files.

Many additional features, but no configuration required. Just install it and use it.

AxCrypt encrypts files that are safely and easily sent to other users via e-mail or any other means. Self-decrypting files are also supported, removing the need to install AxCrypt to decrypt.

Registry Keys
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\axcrypt.File

HKLM\SOFTWARE\Classes\CLSID\{C3DFC144-30F8-4138-81F9-578DBEB9324A}

HKLM\SOFTWARE\Classes\CLSID\{C3DFC144-30F8-4138-81F9-578DBEB9324A}\InprocServer32

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\axcrypt.File

HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\87A9C44140AFC0B46B4FF660E3C886D5

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\87A9C44140AFC0B46B4FF660E3C886D5

KLM\SOFTWARE\Classes\.axx

HKLM\SOFTWARE\Classes\axcrypt.File

HKLM\SOFTWARE\Classes\axcrypt.File\CLSID

HKLM\SOFTWARE\Classes\axcrypt.File\DefaultIcon

HKLM\SOFTWARE\Classes\axcrypt.File\shell

HKLM\SOFTWARE\Classes\axcrypt.File\shell\open

HKLM\SOFTWARE\Classes\axcrypt.File\shell\open\command

HKLM\SOFTWARE\Classes\axcrypt.File\shellex

HKLM\SOFTWARE\Classes\axcrypt.File\shellex\PropertySheetHandlers

HKLM\SOFTWARE\Classes\axcrypt.File\shellex\PropertySheetHandlers\{C3DFC144-30F8-4138-81F9-578DBEB9324A}

HKLM\SOFTWARE\Axantum

HKLM\SOFTWARE\Axantum\AxCrypt

HKU\[USERSID]\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Axantum AxCrypt

HKU\[USERSID]\Software\Axantum

HKU\[USERSID]\Software\Axantum\AxCrypt

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{38350E9E-D50E-454A-BAFC-58BBDDBE08C4}\DisplayName: “AxCrypt 1.7.2976.0″

HKLM\SOFTWARE\Axantum\AxCrypt\FileExtension: “.axx”

HKLM\SOFTWARE\Axantum\AxCrypt\ProductName: “AxCrypt”

HKLM\SOFTWARE\Axantum\AxCrypt\CLSID: “{C3DFC144-30F8-4138-81F9-578DBEB9324A}”

HKLM\SOFTWARE\Axantum\AxCrypt\ShowActivationMenu: 0x00000000

HKLM\SOFTWARE\Axantum\AxCrypt\KeyWrapIterations: 0x00003A98

HKLM\SOFTWARE\Axantum\AxCrypt\AllowPrograms: 0x00000000

HKLM\SOFTWARE\Axantum\AxCrypt\DisableSaveEncryptionKey: 0x00000000

HKLM\SOFTWARE\Axantum\AxCrypt\DisableSaveDecryptionKey: 0x00000000

HKU\[USERSID]\Software\Axantum\AxCrypt\installed: 0x00000001

HKU\[USERSID]\Software\Axantum\AxCrypt\CompressThreshold: 0x00000014

HKU\[USERSID]\Software\Axantum\AxCrypt\ServerMode: 0x00000000

HKU\[USERSID]\Software\Axantum\AxCrypt\ServerErrorShellCmd: “”

HKU\[USERSID]\Software\Axantum\AxCrypt\EventLogLevel: 0x00000000

HKU\[USERSID]\Software\Axantum\AxCrypt\NoShowUnsafeWipeWarn: 0x00000000

HKU\[USERSID]\Software\Axantum\AxCrypt\SaveEncKey: 0x00000001

HKU\[USERSID]\Software\Axantum\AxCrypt\SaveDecKey: 0x00000001

HKU\[USERSID]\Software\Axantum\AxCrypt\NoDecryptMenu: 0x00000000

HKU\[USERSID]\Software\Axantum\AxCrypt\DisableRenameMenu: 0x00000000

HKU\[USERSID]\Software\Axantum\AxCrypt\TryBrokenFile: 0x00000000

HKU\[USERSID]\Software\Axantum\AxCrypt\AllowAnyExtension: 0x00000000

HKU\[USERSID]\Software\Axantum\AxCrypt\FastModeDefault: 0x00000000

HKU\[USERSID]\Software\Axantum\AxCrypt\KeepTimeStamp: 0x00000000

HKU\[USERSID]\Software\Axantum\AxCrypt\AllowPrograms: 0x00000000

File Locations
C:\Program Files\Axantum\AxCrypt

Research Links

http://www.axantum.com/axcrypt/

Forensic Programs of Use
Regshot – http://regshot.sourceforge.net/

MiTeC HEX Editor – http://www.mitec.cz/hex.html

wxHexEditor – http://www.wxhexeditor.org/

Other Information
First 21 bytes for AxCrypt encrypted file(s):

C0 B9 07 2E 4F 93 F1 46 A0 15 79 2C A1 D9 E8 21 15 00 00 00 02

Raw:

0000000 C0 B9 07 2E 4F 93 F1 46 A0 15 ….O..F..

0000010 79 2C A1 D9 E8 21 15 00 00 00 y,…!….

0000020 02 .

Bluetooth Personal Area Network (PAN) Service Artifcacts (Broadcom Widcomm)

Posted by:  /  Tags: , ,

Author Name
Matt Nelson
Submission Title
Bluetooth Personal Area Network (PAN) Service Artifcacts (Broadcom Widcomm)
Artifact or Program Version
Broadcom Widcomm
Artifact Description
These artifacts contain information you can glean from the registry pertaining to network/PAN services available for the Broadcom Widcomm stack. Further investigation of these artifacts can reveal what was available to other systems. A follow-up post will detail the systems connected.


Extracted from the registry of a Windows 7 x64 system with a Broadcom 2070 Bluetooth radio device.
Registry Keys
-= Primary registry key =-


HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm


-= Bluetooth Services Definitions =-


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0001]
“Name”=”Bluetooth Serial Port”
“SecurityId”=dword:00000001
“UUID”=dword:00001101
“GUID”=”{00001101-0000-1000-8000-00805F9B34FB}”
“Authorization”=dword:00000000
“Authentication”=dword:00000001
“Encryption”=dword:00000001
“Description”=”Establish a virtual serial port connection with a remote Bluetooth device. The connection can then be used by any application that supports the COM port number assigned.”
“InstallOnDemand”=dword:00000001
“ComPortNumber”=dword:00000000
“UserInstalled”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0002]
“Name”=”Network Access”
“SecurityId”=dword:00000002
“UUID”=dword:00001102
“ModemInstalled”=dword:00000000
“GUID”=”{00001102-0000-1000-8000-00805F9B34FB}”
“RasConnection”=”BluetoothNullConnection”
“Authorization”=dword:00000000
“Authentication”=dword:00000001
“Encryption”=dword:00000001
“Description”=”Establish a network connection to a remote Bluetooth device. The connection may provide access to an external network or the Internet.”
“InstallOnDemand”=dword:00000001
“ComPortNumber”=dword:00000000
“UserInstalled”=dword:00000000
“UserName”=””
“Password”=””
“Autoconnect”=dword:00000001
“EnableAutoReconnect”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0003]
“Name”=”Dial-up Networking”
“SecurityId”=dword:00000003
“UUID”=dword:00001103
“ShowWizard”=dword:00000000
“ModemInstalled”=dword:00000000
“GUID”=”{00001103-0000-1000-8000-00805F9B34FB}”
“RasConnection”=”BluetoothConnection”
“Authorization”=dword:00000000
“Authentication”=dword:00000001
“Encryption”=dword:00000001
“Description”=”Connect to the Internet using a Bluetooth-enabled telephone, modem or other remote Bluetooth device that offers the Dial-up Networking service.”
“InstallOnDemand”=dword:00000001
“ComPortNumber”=dword:00000000
“UserInstalled”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0004]
“Name”=”PIM Item Transfer”
“SecurityId”=dword:00000005
“UUID”=dword:00001105
“GUID”=”{00001105-0000-1000-8000-00805F9B34FB}”
“Authorization”=dword:00000000
“Authentication”=dword:00000001
“Encryption”=dword:00000001
“Description”=”Exchange business cards with a remote Bluetooth device. Send Personal Information Manager (PIM) items such as calendar items, contacts, notes and messages to a remote Bluetooth device.”
“InstallOnDemand”=dword:00000001
“OPPType”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0005]
“Name”=”File Transfer”
“SecurityId”=dword:00000006
“UUID”=dword:00001106
“GUID”=”{00001106-0000-1000-8000-00805F9B34FB}”
“Authorization”=dword:00000000
“Authentication”=dword:00000001
“Encryption”=dword:00000001
“Description”=”Browse another Bluetooth device’s Public Folder or send and receive files to and from another Bluetooth device.”
“InstallOnDemand”=dword:00000001


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0006]
“Name”=”Fax”
“SecurityId”=dword:0000000b
“UUID”=dword:00001111
“ModemInstalled”=dword:00000000
“GUID”=”{00001111-0000-1000-8000-00805F9B34FB}”
“Authorization”=dword:00000000
“Authentication”=dword:00000001
“Encryption”=dword:00000001
“Description”=”Use the fax capabilities of a Bluetooth telephone, modem or other remote Bluetooth device that offers the fax service.”
“InstallOnDemand”=dword:00000001
“ComPortNumber”=dword:00000000
“UserInstalled”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0007]
“GUID”=”{00001104-0000-1000-8000-00805F9B34FB}”
“Name”=”PIM Synchronization”
“SecurityId”=dword:00000004
“UUID”=dword:00001104
“AcceptBusinessCards”=dword:00000001
“AcceptCalendarItems”=dword:00000000
“AcceptEmailMessages”=dword:00000000
“AcceptNotes”=dword:00000000
“SaveInPIM”=dword:00000001
“Authorization”=dword:00000000
“Authentication”=dword:00000001
“Encryption”=dword:00000001
“Description”=”Synchronize the Personal Information Manager (PIM) database on this computer with the PIM database on a remote Bluetooth device.”
“InstallOnDemand”=dword:00000001
“SyncBusinessCards”=dword:00000000
“SyncCalendarItems”=dword:00000000
“SyncEmailMessages”=dword:00000000
“SyncNotes”=dword:00000000
“PreferredProfile”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0008]
“Authorization”=dword:00000000
“Auto”=dword:00000001
“SecurityID”=dword:00000008
“UUID”=dword:00001108
“Authentication”=dword:00000001
“Name”=”Headset”
“Encryption”=dword:00000001
“GUID”=”{00001108-0000-1000-8000-00805F9B34FB}”
“Description”=”Establish an audio connection between this computer and a Bluetooth headset or other remote Bluetooth device acting as a headset. When connected, the remote device can be used as a replacement for this computer’s local microphone and speakers for voice calls (PC telephony) or voice recognition applications.”
“InstallOnDemand”=dword:00000001
“ComPortNumber”=dword:00000000
“UserInstalled”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0009]
“Authorization”=dword:00000000
“Auto”=dword:00000001
“SecurityID”=dword:0000000c
“UUID”=dword:00001112
“Authentication”=dword:00000001
“Name”=”Audio Gateway”
“Encryption”=dword:00000001
“GUID”=”{00001112-0000-1000-8000-00805F9B34FB}”
“Description”=”Establish an audio connection between this computer and a Bluetooth-enabled phone or other remote Bluetooth device as an Audio Gateway. When connected, this computer replaces the remote device’s speakers and microphone.”
“InstallOnDemand”=dword:00000001
“ComPortNumber”=dword:00000000
“UserInstalled”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0010]
“Authorization”=dword:00000000
“Auto”=dword:00000001
“SecurityID”=dword:00000011
“UUID”=dword:00001126
“Authentication”=dword:00000001
“Name”=”Printer”
“Encryption”=dword:00000001
“GUID”=”{00001126-0000-1000-8000-00805F9B34FB}”
“Description”=”Add a Bluetooth-enabled printer to your list of available printers. This printer can then be used as if it was physically connected to this computer.”
“InstallOnDemand”=dword:00000001


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0011]
“Authorization”=dword:00000000
“SecurityID”=dword:00000012
“UUID”=dword:00001124
“Authentication”=dword:00000000
“Name”=”Human Interface Device”
“Encryption”=dword:00000000
“GUID”=”{00001124-0000-1000-8000-00805F9B34FB}”
“Description”=”Use a Bluetooth enabled mouse, keyboard or other interface device.”
“InstallOnDemand”=dword:00000001


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0012]
“Name”=”Image Push Client”
“SecurityId”=dword:00000014
“UUID”=dword:0000111b
“GUID”=”{0000111B-0000-1000-8000-00805F9B34FB}”
“Authorization”=dword:00000000
“Authentication”=dword:00000001
“Encryption”=dword:00000001
“Description”=”Send image files to another Bluetooth device.”
“InstallOnDemand”=dword:00000001
“PutImageToPrinterTimeout”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0013]
“Authorization”=dword:00000000
“Auto”=dword:00000001
“SecurityID”=dword:00000008
“UUID”=dword:0000110b
“Authentication”=dword:00000001
“Name”=”Stereo Audio”
“Encryption”=dword:00000001
“GUID”=”{0000110B-0000-1000-8000-00805F9B34FB}”
“Description”=”Establish an audio connection between this computer and a Bluetooth stereo headphone or speakers. When connected, the remote device replaces this computer’s speakers.”
“InstallOnDemand”=dword:00000000
“ComPortNumber”=dword:00000000
“UserInstalled”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0014]
“Name”=”Hands-free Audio”
“Encryption”=dword:00000001
“GUID”=”{0000111E-0000-1000-8000-00805F9B34FB}”
“Description”=”Establish an audio connection between this computer and a Bluetooth headset or other remote Bluetooth device acting as a headset. When connected, the remote device can be used as a replacement for this computer’s local microphone and speakers for voice calls (PC telephony) or voice recognition applications.”
“InstallOnDemand”=dword:00000000
“ComPortNumber”=dword:00000000
“UserInstalled”=dword:00000000
“Authorization”=dword:00000000
“Auto”=dword:00000001
“SecurityID”=dword:00000008
“UUID”=dword:0000111e
“Authentication”=dword:00000001


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0015]
“UUID”=dword:0000110a
“SecurityID”=dword:0000000c
“Auto”=dword:00000001
“Authorization”=dword:00000000
“Authentication”=dword:00000001
“Name”=”Audio Sink”
“Encryption”=dword:00000001
“GUID”=”{0000110A-0000-1000-8000-00805F9B34FB}”
“Description”=”Connect to the source of an audio stream like media player.”
“InstallOnDemand”=dword:00000000
“ComPortNumber”=dword:00000000
“UserInstalled”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0016]
“Authorization”=dword:00000000
“Auto”=dword:00000001
“SecurityID”=dword:00000006
“UUID”=dword:00001304
“Authentication”=dword:00000000
“Name”=”Video Sink”
“Encryption”=dword:00000000
“GUID”=”{00001304-0000-1000-8000-00805F9B34FB}”


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0017]
“Authorization”=dword:00000000
“Auto”=dword:00000001
“SecurityID”=dword:00000006
“UUID”=dword:00001303
“Authentication”=dword:00000000
“Name”=”Video Source”
“Encryption”=dword:00000000
“GUID”=”{00001303-0000-1000-8000-00805F9B34FB}”

Bluetooth Connected Device Artifcacts (Broadcom Widcomm)

Posted by:  /  Tags: , ,

Author Name
Matt Nelson
Submission Title
Bluetooth Connected Device Artifcacts (Broadcom Widcomm)
Artifact or Program Version
Broadcom Widcomm
Artifact Description
These artifacts contain information you can glean from the registry pertaining to connected bluetooth devices for the Broadcom Widcomm stack. The connected external Bluetooth devices are broken in to the Bluetooth device MAC addresses in the primary registry entry.

Extracted from the registry of a Windows 7 x64 system with a Broadcom 2070 Bluetooth radio device.
Registry Keys
-= Primary Registry Key =-

[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\….]


-= Connected Devices Artifacts =-


——————————————————————————
Example Device 1 – external host MAC (laptop named N3943874)
——————————————————————————


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\00:02:72:1f:b3:8b] <<< “Name”=hex:4e,33,39,34,33,38,37,34,00 <<<<< N3943874
“DevClass”=hex:3e,01,04
“Features”=hex:00,00,00,00,00,00,00,00
“TimeStamp”=dword:000040f8
“FTPAuthorizationExpires”=hex:00
“OPPAuthorizationExpires”=hex:00
“BIPAuthorizationExpires”=hex:00
“BPPAuthorizationExpires”=hex:00
“DoNotAutoConfigure”=dword:00000000
“AllowWakeup”=dword:00000000
“HidDisabled”=dword:00000000
“DefaultAudio”=dword:00000000
“Manufacturer”=dword:ffffffff
“LmpVersion”=dword:00000000
“LmpSubVersion”=dword:00000000
“BRCMStack”=dword:00000000
“Code”=hex:00,00
“RemoteName”=hex:00
“HandsfreeCfg”=dword:00000002
“ConnectHfIfAvConnected”=dword:00000000
“HandsFreeVersion”=dword:00000000
“PopUpGenForAccessPIM”=dword:00000000
“ShowUI”=dword:00000000
“DisableCallNumber”=dword:00000000
“ManualDun”=dword:00000000
“DesktopShortcutRemovedByBTW”=dword:00000000
ProgramFilesShortcutRemovedByBTW”=dword:00000000
“PIMSyncInit”=dword:00000000
“PIMAcceptBizcard”=dword:00000000
“PIMAcceptCalendarItems”=dword:00000000
“PIMAcceptEmailMessages”=dword:00000000
“PIMAcceptNotes”=dword:00000000
“IconPath”=hex:43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,\
00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,44,00,4f,00,\
52,00,65,00,73,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,32,00,30,00,36,00,31,\
00,00,00
“AllowHFCalls”=dword:00000001
“VoiceRecognitionEnabled”=dword:00000000
“SupportBroadcomFeatures”=dword:00000001
“BroadcomFeatures”=dword:00000003


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\00:02:72:1f:b3:8b\0] <<<< services add sub keys
“ServiceNameUTF8″=hex:46,69,6c,65,20,54,72,61,6e,73,66,65,72,00 <<<<< File Transfer
“UUID”=dword:00001106
“Security”=dword:00000000
“DefaultConnection”=dword:00000000
“SdpAttr”=dword:00000000


—————————————————————————
Example Device 2 – external host MAC (phone named iPhone)
—————————————————————————


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\68:a8:6d:ab:29:38] <<<< host MAC
“Name”=hex:69,50,68,6f,6e,65,00 <<<<< iPhone
“DevClass”=hex:7a,02,0c
“Features”=hex:00,00,00,00,00,00,00,00
“TimeStamp”=dword:000040f8
“FTPAuthorizationExpires”=hex:00
“OPPAuthorizationExpires”=hex:00
“BIPAuthorizationExpires”=hex:00
“BPPAuthorizationExpires”=hex:00
“DoNotAutoConfigure”=dword:00000000
“AllowWakeup”=dword:00000000
“HidDisabled”=dword:00000000
“DefaultAudio”=dword:00000000
“Manufacturer”=dword:ffffffff
“LmpVersion”=dword:00000000
“LmpSubVersion”=dword:00000000
“BRCMStack”=dword:00000000
“Code”=hex:00
“RemoteName”=hex:00
“HandsfreeCfg”=dword:00000002
“ConnectHfIfAvConnected”=dword:00000000
“HandsFreeVersion”=dword:00000000
“PopUpGenForAccessPIM”=dword:00000000
“ShowUI”=dword:00000000
“DisableCallNumber”=dword:00000000
“ManualDun”=dword:00000000
“DesktopShortcutRemovedByBTW”=dword:00000000
ProgramFilesShortcutRemovedByBTW”=dword:00000000
“PIMSyncInit”=dword:00000000
“PIMAcceptBizcard”=dword:00000000
“PIMAcceptCalendarItems”=dword:00000000
“PIMAcceptEmailMessages”=dword:00000000
“PIMAcceptNotes”=dword:00000000
“IconPath”=hex:43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,\
00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,44,00,4f,00,\
52,00,65,00,73,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,32,00,30,00,33,00,35,\
00,00,00
“AllowHFCalls”=dword:00000001
“VoiceRecognitionEnabled”=dword:00000000
“SupportBroadcomFeatures”=dword:00000002
“BroadcomFeatures”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\68:a8:6d:ab:29:38\0] <<<< services add sub keys
“ServiceNameUTF8″=hex:41,56,52,43,50,20,44,65,76,69,63,65,00 <<<<< AVRCP Device
“UUID”=dword:0000110c
“Security”=dword:00000000
“DefaultConnection”=dword:00000000
“SdpAttr”=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\68:a8:6d:ab:29:38\1] <<<< services add sub keys
“ServiceNameUTF8″=hex:41,75,64,69,6f,20,53,6f,75,72,63,65,00 <<<<< Audio Source
“UUID”=dword:0000110a
“Security”=dword:00000000
“DefaultConnection”=dword:00000000
“SdpAttr”=dword:00000000


———————————————————————————
Example Device 2 – external host MAC (device named Roku Player)
———————————————————————————


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\cc:6d:a0:3e:c8:7a] <<<<< Device MAC
“Name”=hex:52,6f,6b,75,20,50,6c,61,79,65,72,00 <<<<< Roku Player
“DevClass”=hex:00,04,24
“Features”=hex:00,00,00,00,00,00,00,00
“TimeStamp”=dword:000040f8
“FTPAuthorizationExpires”=hex:00
“OPPAuthorizationExpires”=hex:00
“BIPAuthorizationExpires”=hex:00
“BPPAuthorizationExpires”=hex:00
“DoNotAutoConfigure”=dword:00000000
“AllowWakeup”=dword:00000000
“HidDisabled”=dword:00000000
“DefaultAudio”=dword:00000000
“Manufacturer”=dword:ffffffff
“LmpVersion”=dword:00000000
“LmpSubVersion”=dword:00000000
“BRCMStack”=dword:00000000
“Code”=hex:00
“RemoteName”=hex:00
“HandsfreeCfg”=dword:00000002
“ConnectHfIfAvConnected”=dword:00000000
“HandsFreeVersion”=dword:00000000
“PopUpGenForAccessPIM”=dword:00000000
“ShowUI”=dword:00000001
“DisableCallNumber”=dword:00000000
“ManualDun”=dword:00000000
“DesktopShortcutRemovedByBTW”=dword:00000001
ProgramFilesShortcutRemovedByBTW”=dword:00000001
“PIMSyncInit”=dword:00000000
“PIMAcceptBizcard”=dword:00000000
“PIMAcceptCalendarItems”=dword:00000000
“PIMAcceptEmailMessages”=dword:00000000
“PIMAcceptNotes”=dword:00000000
“IconPath”=hex:00,00
“AllowHFCalls”=dword:00000001
“VoiceRecognitionEnabled”=dword:00000000
“SupportBroadcomFeatures”=dword:00000000
“BroadcomFeatures”=dword:00000000

Forensic Artefacts FrostWire

Posted by:  /  Tags: ,  /  Comments: 1

Vee

FrostWire Version b5

[root]User/xxx/FrostWire
This folder contains five subfolders that contain the actual .torrent files and the actual media that has been downloaded. The subfolders contained within the abovementioned folder are:

•Incomplete: Within this folder, the temporary tracker of the media is saved while in the process of being downloaded, this is the metaphorical bookmark that enables the software to stop and start as the user wishes.
•Saved: This folder contains the artifacts of .torrent files that the user wishes to save- to be able to download at another time.
•Shared: This folder contains all the .torrent trackers that the user has uploaded or created. FrostWirev.5 enables the creation of .torrent trackers.
•Torrent Data: Possibly one of the most important folders, this is where the software saves the actual downloaded media.This is a system automated process, which remains standard.
•Torrent: This folder contains the actual .torrent tracker file, which is the tracker and that is created to download the requested item. For each item downloaded, two entries are created -A .torrent file is created that contain the creation time, the SHA 1 value of the downloaded item, and from where it was downloaded. The second entry created is in unallocated space, which contains the exact same information.
[root]user/xxx/AppData/Roaming/FrostWire

This folder essentially contains a few very important artifacts, which contain important evidentiary information on what was downloaded.

•Createtimes.cache: This cache file contains the SHA-1 value that is assigned to all uploaded media when a .torrent file is created and uploaded to the distribution websites. The SHA-1 value is that of the whole file when it was originally uploaded.This is verified once the item has been downloaded to ensure that the right and complete item has been downloaded.
•Download.dat: This database file contains all the names, identification SHA-1 values of all the files and media downloaded by the user using FrostWire v.5. This can be used to identify what was downloaded when the actual physical items are no longer on the machine.
•Fileurns.cache & Fileurns.bak: These two files essentially contain the same information. When a download is started the software logs the SHA-1 value of the file to ensure that the completed file is downloaded. The SHA-1 value can be used to identify whether a certain item matched the online version of the said file.
•FrostWire.props: This property file contains the selection made by the user upon installation. Here you can determine what changes have been made to the default settings of FrostWire v.5.
•Hostiles.txt: This contains a log of all subnet Masks currently running on the FrostWire v.5 network.
•Library.dat: This database is of all media that is saved by the user to the FrostWire v.5 library, even if it was not physically downloaded onto the machine.

Identifying Searches Done Using FrostWire v.5:
When a user searches for a specific item to download, that search is stored in various places on the local machine:

1.[root]/$Logfile: Contains the search term searched for, where it was found along with the SHA-1 identification hash value.
2.[root]/ProgramData/Microsoft/Search/Data/Applications/Windows/GatherLogs/SystemIndex/SystemIndex.gthr: The header information contained within this gather log, is the search term and how the system and the software communicated.This information is gathered by the two tracing protocols mentioned early Rasapi 32 and RASMANCS.
3.[root]users/xxx/.FrostWire/search_db.h2.db :This is the database that FrostWire v.5 uses to record all searches done by the users.The information recorded is the following:

i. URL Details, where the .torrent file is residing.
ii. The search term searched.
iii. The magnet link and corresponding SHA-1 hash value.
iv. The creation date in Unix that .torrent tracker was created.
4.[root]users/xxx/.FrostWire/search_db/search_db/_28.tii: This is the actual entry in the database for each search term done by the user.This contained what the search term was and the corresponding file ID.
5.[root]users/xxx/.FrostWire/search_db_searchdb__28.tis:This is a record of the search results for the particular search term, meaning that for every .tii file a corresponding .tis file can be found.

Examining a .torrent File and the Artifacts Found:

The file header for .torrent files in hex is:

0x64 38 3A 61 6E 6E 6F 6F 63 65 35 39 (As viewed in hex)

d8:announce59 (As viewed in text)

Contained in this .torrent file is the following information:
File Meaning
http://tracker.torrentbox.com The website that the .torrent file was uploaded to and stored on
2710 The initial port used to communicate to the website initially.
77.247.176.132:80 The IP address communicated with along with the port used for downloading.
1238229350 Unix creation date of the torrent.
Linux Books The name of the item downloaded.
31C8D8C7748C9CC8090C4C2A Identification SHA-1 hash value.

The registry keys SOFTWARE, SECURITY,SYSTEM and the Ntuser.dat were examined and the following artifacts or changes were identified:

1.HKEY/LOCAL MACHINE/SOFTWARE/Current Version: (These changes can be seen in the NTUSER.DAT as well)
This contained the following relevant information of the software FrostWire v.5:
i. Display Name
ii. Publisher
iii. Help Link
iv. URL
v. URL Info
vi. Display Version
vii. Uninstall Command
2.HKEY/LOCAL MACHINE/SOFTWARE/Classes:
This contained the following relevant information of the software FrostWire v.5:
i. FrostWire Toolbar
ii. FrostWire.exe files location.
3. HKEY/LOCAL MACHINE/SOFTWARE/FrostWire:
This contained the following relevant information of the software FrostWire v.5:

i.The executable command used to access and run FrostWire v.5.

4.HKEY/LOCAL MACHINE/SOFTWARE/Tracing:

This contained the following relevant information of the software FrostWire v.5:

i.This contains two tracing mechanisms that Microsoft uses to manage and monitor software, which is the Rasapi 32 command and the RASMANCS command. The information saved is saved in [root]/ProgramData/Microsoft/Search/Data/Applications/Windows/GatherLogs/SystemIndex/SystemIndex.gthr:

5.HKEY/LOCAL MACHINE/SYSTEM:
For FrostWire v.5 to be able to function, a change has to be made within how the system operates:

i.When installing FrostWire v.5, the software automatically change the FireWall policy to create an exception to allow communication from FrostWire v.5 and the downloading servers, thus bypassing the firewall completely.
6.HKEY/LOCAL MACHINE/SECURITY:
No changes could be identified within this registry key.

[root]User/xxx/FrostWire
[root]user/xxx/AppData/Roaming/FrostWire
[root]/$Logfile
[root]/ProgramData/Microsoft/Search/Data/Applications/Windows/GatherLogs/SystemIndex/SystemIndex.gthr
[root]users/xxx/.FrostWire/search_db.h2.db
[root]users/xxx/.FrostWire/search_db/search_db/_28.tii
[root]users/xxx/.FrostWire/search_db_searchdb__28.tis

http://articles.forensicfocus.com/2012/07/19/forensic-examination-of-frostwire-version-5/

FTK
FTK Imager
Raptor
SIFT
RegRipper

http://forensicartifacts.com/wp-content/uploads/gravity_forms/3-b56c65f0d638cb782e8f437e4b2147cf/2012/07/Forensic-Examination-of-FrostWire-Version-5_VSchmitt.pdf

Using Apple Time Capsule with Microsoft Windows

Posted by:  /  Tags: , , , ,

John Lukach

AirPort Utility 5.6.1 for Windows

The AirPort Utility for Windows allows Microsoft computers using Bonjour to access the Apple Time Capsule hard disk. The drive is available as a network share through UNC mapping on your PC. The binary data stored in HKEY_Users\S-1-5-1234567890-1234567890-123456789-1000\Software\AppleInc.\Preferences\com.apple.airport.diskagent will provide confirmation of which volume is associated with your Apple Time Capsule. An external USB connection is available so you could have two volumes listed.

If the end-user setup Windows Backups than you will be able to gain additional insight into the size of the disk with the free space available that may be beneficial in identifying the external USB drive.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsBackup\ScheduledParams

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsBackup\ScheduledParams\Rules\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsBackup\ScheduledParams\PresentableName

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsBackup\ScheduledParams\UniqueName

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsBackup\TargetDevices

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsBackup\UserDataExclusions

User defined inclusions are listed as numbered keys under the Rules folder containing specific paths.

NTUSER Trust Records

Posted by:  /  Tags: , , ,  /  Comments: 1

Andrew Case

Office

The TrustRecord field inside of Office’s NTUSER holds the full path to documents that were downloaded from untrusted places (e.g. a web browser download), and that the user had to explicitly tell Office to trust. This “trust” prompt is shown when the user wants to edit the document or run macros inside of it.

The artifact is interesting because it holds not only the full path in a MRU listing, but the value of the particular name/value is the time it was trusted.

Software\Microsoft\Office\14.0\PowerPoint\Security\Trusted Documents\TrustRecords

The path part after “Office” will differ per-version of Office, but the rest of the path is the same.

NTUSER hive

RegExtract – http://www.woanware.co.uk/?page_id=209 – The “OfficeDocuments” plugin will extract this information