Artifacts

Archive for the ‘Programs’ Category


Facebook Artifacts


Frank McClain

Metadata from Posts, Comments, and Messages

Facebook artifacts for Post, Comment, Message (not necessarily in that order):

Comment (ampersand separated):
charset_test=
fb_dtsg=AQDnBZEP
feedback_params={"actor":"4286109357","target_fbid":"8457139026","target_profile_id":"4286109357","type_id":"22","assoc_obj_id":"","source_app_id":"0","extra_story_params":[],"content_timestamp":"1336396534","check_hash":"BEOzzl5d9kPtd56X","source":"1"}
translate_on_load=
add_comment_text_text=mmm, chocolate muffins...;)
add_comment_text=mmm, chocolate muffins...;)
link_data={"qid":"5997325849936326255","mf_story_key":"1055615292714765287"}
comment_replace=optimistic_comment_8228420818_0
comment=1
__user=1181507002
phstamp=165816811066906980789

Notes: actor and target_profile_id both refer to the original post author. target_fbid is the ID of the object being commented on rather than necessarily a person; post IDs and user IDs encountered during this research shared the same ten-digit numeric form, so cross-check before treating any ten-digit value as a user. content_timestamp is a Unix epoch in seconds (1336396534 = 07 May 2012 13:15:34 UTC). fb_dtsg is the per-session anti-CSRF token Facebook embeds in every form submission; it ties the request to a logged-in session but identifies no user on its own.

Post (ampersand separated):
fb_dtsg=DGRnKTIV
xhpc_composerid=y6ud29_4
xhpc_targetid=1181507002
xhpc_context=home
xhpc_fbx=1
xhpc_timeline=
xhpc_ismeta=1
xhpc_message_text=If I can find a post cached on my system, why does it not show up in my pcap? It’s somewhat rhetorical; I *will* find it.
xhpc_message=If I can find a post cached on my system, why does it not show up in my pcap? It’s somewhat rhetorical; I *will* find it.
composertags_place=
composertags_place_name=
composer_predicted_city=
composer_session_id=3867336142
is_explicit_place=
audience[0][value]=40
composertags_city=
disable_location_sharing=false
nctr[_mod]=
pagelet_composer __user=1181507002
phstamp=165816811066906980749

Notes: xhpc_targetid and the __user value following pagelet_composer are both the post author's Facebook ID. No content timestamp appears in this request (phstamp is not one), so the packet capture time is the only timing source for a post.

Message (comma separated):
for (;;);{"__ar":1
"payload":{"threads":[{"thread_id":"id.489415769211708"
"last_action_id":"1891362734339000000"
"participants":["fbid:1181507002","fbid:1504162673"]
"name":null,"snippet":"this is a test. i'm looking for forensic artifacts... :) "
"snippet_has_attachment":false
"is_forwarded_snippet":false
"snippet_attachments":[]
"unread_count":0
"image_src":""
"timestamp_absolute":"Sat, 05 May 2012 18:48:55 -0700"
"timestamp_relative":"5 minutes ago"
"timestamp":1336268935102
"is_canonical_user":true
"is_subscribed":true
"is_canonical_group":false
"group_id":null
"is_canonical_live_listen":false
"live_listen_id":null
"is_chatlogger_thread":false
"root_message_threading_id":"\u005Q9YO9TyvIIwiNeg75i3DSjanpwiI6QMqXP\u0050messages.facebook.com>"
"folder":"inbox"
"is_archived":false,"chat_clear_time":-9223372036854775808
"mode":2}]
"actions":[{"message_id":"id.489415769211708"
"threading_id":"\u005Q9YO9TyvIIwiNeg75i3DSjanpwiI6QMqXP\u0050messages.facebook.com>"
"author":"fbid:1181507002"
"timestamp":1336268935102
"timestamp_absolute":"Sat, 05 May 2012 18:48:55 -0700"
"timestamp_relative":"5 minutes ago"
"is_unread":false
"is_forward":false
"forward_count":0
"forward_message_ids":null,"source":"source:titan:web"
"folder":"inbox","body":"this is a test. i'm looking for forensic artifacts... :) "
"subject":null
"has_attachment":false
"attachments":[]
"raw_attachments":null
"is_html":false
"thread_id":"id.489415769211708"
"action_id":"1891362734339000000"
"action_type":"ma-type:user-generated-message"}]
"end_of_history":[{"type":"thread","id":"id.489415769211708"}]
"roger":null
"payload_source":"server_fetch_thread_info"}}

Notes: last_action_id and action_id hold the same value. The same number appears as thread_id under payload, actions and end_of_history, and again as message_id. The two timestamp fields are Unix epoch values in milliseconds (1336268935102 is Sat, 05 May 2012 18:48:55 -0700, matching timestamp_absolute), whereas the comment's content_timestamp is in seconds. root_message_threading_id and threading_id are identical; the trailing messages.facebook.com> suggests an email-style Message-ID for the thread rather than a profile path (the escape sequences shown here were anonymized and are not valid as printed, so do not decode them literally). The leading for (;;); is Facebook's anti-JSON-hijacking prefix and must be stripped before the body parses as JSON.

Filetype: PCAP

Applications Used:

Wireshark
tshark
Digital Detective DCode
Woanware Encoder

Notes: 

Evidence was collected by running Wireshark while creating user content on Facebook – Posts, Comments, and Messages. Text-searching did not always work as anticipated (i.e., finding my keywords), so I also converted the pcap to text using tshark, and ended up creating additional Facebook content to extend testing. This was all performed on a Windows system; no portable apps or devices were used.

I cleaned up the content, transforming URL encoding into ASCII, split out into individual lines, etc. The parenthetical statement for each content type indicates the separator. All metadata associated with the user content has been randomly changed (while preserving the format) to anonymize. Timestamps are the exception.

I have not tried to determine “what it all means.” My main goal was to determine the artifacts differentiating a post, message, and comment.
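The three artifact shapes above can be told apart and normalized mechanically. The following Python is an added example, not part of the original post: it classifies a captured body as a comment, post or message (the first two are ampersand-separated URL-encoded forms, the third a JSON body behind the for (;;); prefix), pulls out the author FBID and text, and converts the two timestamp conventions (seconds in content_timestamp, milliseconds in the message timestamps) to UTC. The sample bodies are constructed to mirror the anonymized fields listed above and are not real captures; the field names are the ones that appear on this page.

```python
"""Classify and decode Facebook web-client artifacts of the three kinds shown
above (comment, post, message) from raw captured request/response bodies."""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Facebook prefixes JSON responses with this to defeat cross-site script
# inclusion; it must be stripped before json.loads().
ANTI_HIJACK_PREFIX = "for (;;);"

# Constructed samples modelled on the anonymized artifacts above (same field
# names and IDs); they are not real captures.
COMMENT_SAMPLE = (
    "charset_test=&fb_dtsg=AQDnBZEP"
    "&feedback_params=%7B%22actor%22%3A%224286109357%22%2C%22target_fbid%22%3A%228457139026%22"
    "%2C%22target_profile_id%22%3A%224286109357%22%2C%22content_timestamp%22%3A%221336396534%22%7D"
    "&add_comment_text=mmm%2C+chocolate+muffins...%3B%29&comment=1&__user=1181507002"
)
POST_SAMPLE = (
    "fb_dtsg=DGRnKTIV&xhpc_composerid=y6ud29_4&xhpc_targetid=1181507002&xhpc_context=home"
    "&xhpc_message=If+I+can+find+a+post+cached+on+my+system%2C+why+does+it+not+show+up+in+my+pcap%3F"
    "&audience%5B0%5D%5Bvalue%5D=40&__user=1181507002"
)
MESSAGE_SAMPLE = ANTI_HIJACK_PREFIX + json.dumps({
    "__ar": 1,
    "payload": {
        "threads": [{"thread_id": "id.489415769211708",
                     "participants": ["fbid:1181507002", "fbid:1504162673"],
                     "timestamp": 1336268935102, "folder": "inbox"}],
        "actions": [{"message_id": "id.489415769211708", "author": "fbid:1181507002",
                     "timestamp": 1336268935102,
                     "body": "this is a test. i'm looking for forensic artifacts... :) ",
                     "action_type": "ma-type:user-generated-message"}],
    },
})


def epoch_to_utc(value):
    """Convert a Facebook epoch value to an aware UTC datetime.
    content_timestamp is in seconds; message timestamps are in milliseconds
    (13 digits), so the magnitude decides which unit applies."""
    ts = int(value)
    if ts > 10**11:  # milliseconds: far beyond any plausible seconds value
        return datetime.fromtimestamp(ts // 1000, tz=timezone.utc) + timedelta(milliseconds=ts % 1000)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def parse_artifact(raw):
    """Return a normalized record: kind, author FBID, text, UTC time, extras."""
    if raw.startswith(ANTI_HIJACK_PREFIX):
        data = json.loads(raw[len(ANTI_HIJACK_PREFIX):])
        action = data["payload"]["actions"][0]
        thread = data["payload"]["threads"][0]
        return {
            "kind": "message",
            "author": action["author"].replace("fbid:", ""),
            "text": action["body"],
            "when": epoch_to_utc(action["timestamp"]),
            "thread_id": thread["thread_id"],
            "participants": [p.replace("fbid:", "") for p in thread["participants"]],
        }
    # Ampersand-separated, URL-encoded form body (comment or post).
    fields = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    if "add_comment_text" in fields:
        fp = json.loads(fields["feedback_params"])  # nested JSON inside one field
        return {
            "kind": "comment",
            "author": fields["__user"],
            "text": fields["add_comment_text"],
            "when": epoch_to_utc(fp["content_timestamp"]),
            "post_author": fp["actor"],
            "target_fbid": fp["target_fbid"],
        }
    if "xhpc_message" in fields:
        return {
            "kind": "post",
            "author": fields.get("xhpc_targetid", fields.get("__user")),
            "text": fields["xhpc_message"],
            "when": None,  # the post body carries no timestamp; use the capture time
        }
    raise ValueError("unrecognised artifact")


if __name__ == "__main__":
    for sample in (COMMENT_SAMPLE, POST_SAMPLE, MESSAGE_SAMPLE):
        rec = parse_artifact(sample)
        print(rec["kind"], rec["author"], rec["when"], repr(rec["text"][:40]))
```

Feed it the URL-decoded bodies carved from the pcap (or the raw ones; parse_qs decodes percent-encoding itself). The magnitude test in epoch_to_utc is what keeps the two timestamp units from being confused, which is the easiest way to put a message 42 years in the wrong place on a timeline.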

Join.Me Screen Sharing


Author Name
John Lukach
Submission Title
Join.Me Screen Sharing
Artifact or Program Version
Join.Me on Windows 7
Post Category
Cloud Based
Submission Tags
Join.Me, Cloud, Screen Sharing, Windows
Artifact Description
Join.Me is a cloud screen sharing application that allows remote collaboration and presentations. Additional security information and system requirements can be found by browsing to the product website at: https://join.me

Registry Keys
Join.Me stores per-user information under the following keys in each user's hives:

NTUSER.DAT -> \Software\Join.Me\
NTUSER.DAT -> \Software\Microsoft\Windows\CurrentVersion\Uninstall\Join.Me\
USRCLASS.DAT -> \Join.Me\
File Locations
The easiest artifacts to collect are Join.Me's own logs, found under C:\Users\Username\AppData\Local\Join.Me.
Forensic Programs of Use
A full packet capture taken during an active screen-sharing session shows connections to https://secure.join.me. The session is carried over TLS, so expect to identify it from the server name and certificate rather than from the payload.

RSS Gadget


John Lukach

Feed Headlines 1.1.0.0 for Windows Gadget Platform on Windows 7 x64

The Windows Gadget Platform lets the Feed Headlines (RSS) mini-program be displayed on the desktop. The gadget decides which feeds, and how many, to display from settings stored in C:\Users\Username\AppData\Local\Microsoft\Windows Sidebar\Settings.ini. The feeds themselves are managed by Internet Explorer through the FeedStore.FeedsDB-MS file under C:\Users\Username\AppData\Local\Microsoft\Feeds. Other files in the sub-folders of that directory, normally containing a tilde (~), correspond to individual feeds and the content the gadget downloaded for them.

The NTUSER.DAT hive holds three values under Software\Microsoft\Feeds that control automatic updating. SyncStatus enables automatic feed updates when set to 1. DefaultInterval records the chosen update interval (15 minutes, 30 minutes, 1 hour, 4 hours, 1 day or 1 week). SyncTask names the scheduled task that performs the update, which corresponds to a key in the SOFTWARE hive under Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\User_Feed_Synchronization-{guid}. That key's Last Written time reflects when the task was registered or modified; the time the task last actually ran is kept separately in the DynamicInfo value under ...\Schedule\TaskCache\Tasks\{guid}, so use that when the question is when feeds were last fetched.

Outlook Email Saving Options


John Lukach

Outlook 2010 & Aid4Mail 2.4

Microsoft Outlook 2010 lets users save email messages to disk as MSG, OFT, HTML, MHT or TXT files by default. Office programs can also have add-ins installed that extend their functionality; to check whether any add-ins exist in Outlook, look in both the SOFTWARE and NTUSER.DAT registry hives under the path Microsoft\Office\Outlook\Addins.

Other applications can read mail through a Messaging Application Programming Interface (MAPI) connection. One example is Aid4Mail, an email-conversion program from Fookes Software that adds export formats such as PDF, ZIP and XML. The formats and export paths the application used are recorded in C:\Users\\AppData\Roaming\Aid4Mail\Aid4Mail.ini.

Not every MAPI client leaves such an obvious artifact; which formats it can export is up to its developer. One approach is to determine which DLLs an executable loads, for example C:\Windows\SysWow64\mapi32.dll or C:\Program Files (x86)\Microsoft Office\Office14\olmapi32.dll. Another is a timeline approach: creation and deletion of C:\Users\\Documents\Outlook Files\~Outlook.pst.tmp without the surrounding activity normal Outlook use produces suggests that something other than Outlook opened the MAPI profile.

iCloud Service on Windows


John Lukach

iCloud Control Panel for Windows v1.01

Apple artifacts are usually associated with the iPhone, iPad, iPod and Mac, but they also appear on Windows when the iCloud service has been enabled. This post covers the application-level artifacts that can show who transferred email, contacts, calendar items, tasks, bookmarks and photos between devices, what was transferred, and when. Operating-system artifacts (registry, event logs and others) remain available to corroborate and validate these findings.

iCloud keeps detailed logs in C:\Users\\AppData\Roaming\Apple Computer\Logs, from which a timeline of when each feature of the service was used can be built. Log files are named like asl.221320_23feb12.log, one per initial start-up and subsequent reboot. Photo Stream entries give finer-grained timing of photo transfers, and the Bookmark entries even disclose the primary Apple ID.

The preferences of each user who used the iCloud service are in C:\Users\\AppData\Roaming\Apple Computer\Preferences. The mobilemeaccounts.plist file holds the account information and the configuration of each service in use. The com.apple.dav.bookmark.msie.plist file is also of interest, as it lists which bookmarks are being transferred to Internet Explorer or Safari.

Media Stream artifacts are in C:\Users\\AppData\Roaming\Apple Computer\MediaStream. At the root is an SQLite database, local.db, holding the Apple ID and the local locations pictures are uploaded from and downloaded to. The DL and UL folders alongside it contain logs recording the dates and times at which a given number of files were uploaded or downloaded to the locations defined in the database. In the logs each file carries a unique asset identifier such as 0142e0bf66ffe3f3ed826c51e6d3cc4f0eaad7db8d (42 hex digits, so not a bare MD5 or SHA-1 of the file). It would be nice to determine the algorithm Apple uses, which would allow images to be identified outside the defined locations, if anyone happens to know.

At this time there do not appear to be any application-specific artifacts for Mail, Calendar, Contacts and Tasks in the iCloud service, so you should be able to parse the Microsoft Outlook data on the system with your forensic tool of choice.

A final artifact of interest: when the iCloud Control Panel is opened you are offered the option to manage the service's storage. The Backups section there may show how many mobile devices (iPhones, iPads and iPods) are archiving to iCloud, with the date of the last successful backup for each.

SSH Server Connections


Author Name
Matonis

Artifact Name
Determine SSH Servers Users Connected To

Artifact/Program Version
PuTTY

Categories
User Activity, Active Machines

Description
SSH is a popular and practical management protocol for system administrators and intruders alike. On Windows, the PuTTY terminal client does not log by default, but it does store the host keys of servers it has connected to in the registry. This lets an analyst establish historical user activity during an incident or investigation and, by comparing a stored key with the key a server presents today, check the server's authenticity.

Within the user's NTUSER.DAT hive, each value under the key outlined below is named as follows. A value indicates that a connection reached SSH key exchange and the user accepted the host key; it does not show that authentication succeeded:

rsa2@[port]:[hostname/IP]

rsa2 is the key algorithm; dss keys, and in later PuTTY versions ecdsa and ed25519 keys, appear in the same position. The value data is the host key itself (for rsa2, the exponent and modulus as hex).

The last-write time of NTUSER.DAT/Software/SimonTatham/PuTTY/SshHostKeys is the time a host key was most recently added (or replaced after the user accepted a key-change warning), not the last time the user connected to a server. Repeat connections to a known server do not touch these values, so for how often and when a server was used, network logs are the better source.

If a user saves a PuTTY session (connection preferences, host, logging settings and so on), it is stored under NTUSER.DAT/Software/SimonTatham/PuTTY/Sessions.

Registry Keys
To determine servers connected to via SSH:
NTUSER.DAT/Software/SimonTatham/PuTTY/SshHostKeys -> Values correspond to accepted host keys (successful SSH connections, not necessarily logins).

To determine PuTTY configurations based on saved profiles:
NTUSER.DAT/Software/SimonTatham/PuTTY/Sessions -> Subkeys correspond to the profiles the user created.
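The stored key data is worth more than the value name: it lets you verify whether the server the user trusted is the one standing at that address now. The following Python is an added example (not from the post or from PuTTY): it parses a .reg-style export of the SshHostKeys key, splits each value name into key type, port and host, and rebuilds the OpenSSH public-key blob from PuTTY's rsa2 format (the exponent and modulus as comma-separated hex) so the SHA256 fingerprint can be compared with what ssh-keygen -lf reports for the live server. The export text and the hex key material are constructed for the example and are not real keys.

```python
"""Parse the SshHostKeys values exported from a user's NTUSER.DAT and turn each
rsa2 value into the OpenSSH-style SHA256 fingerprint for comparison with the
key the server presents today."""
import base64
import hashlib
import re

# Constructed .reg-style export. The hex key material is made up for the example.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys]
"rsa2@22:bastion.example.org"="0x10001,0xc3a5b1e7f2d4a6b8c9d0e1f2a3b4c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f7"
"rsa2@2222:10.0.0.5"="0x10001,0xb1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7081920a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5"
"dss@22:legacy.example.org"="0x1,0x2,0x3,0x4"
'''

# Value name layout: <keytype>@<port>:<host>, value data in quotes.
ENTRY_RE = re.compile(r'^"(?P<type>[^@"]+)@(?P<port>\d+):(?P<host>[^"]+)"="(?P<value>[^"]*)"$')


def parse_host_keys(reg_text):
    """One dict per value: key type, port, host and the raw key string."""
    entries = []
    for line in reg_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["port"] = int(e["port"])
            entries.append(e)
    return entries


def ssh_string(b):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def ssh_mpint(n):
    """RFC 4251 mpint: minimal big-endian bytes, with a leading 0x00 if the top bit is set."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return ssh_string(b)


def rsa2_fingerprint(value):
    """PuTTY stores an rsa2 host key as '0x<e>,0x<n>'. Rebuild the ssh-rsa public
    key blob (string 'ssh-rsa', mpint e, mpint n) and fingerprint it the way
    `ssh-keygen -lf` reports it: SHA256, base64 without padding."""
    e_hex, n_hex = value.split(",")
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(int(e_hex, 16)) + ssh_mpint(int(n_hex, 16))
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def host_key_report(reg_text):
    """(host, port, key type, fingerprint-or-None) for each stored host key."""
    return [(e["host"], e["port"], e["type"],
             rsa2_fingerprint(e["value"]) if e["type"] == "rsa2" else None)
            for e in parse_host_keys(reg_text)]


if __name__ == "__main__":
    for host, port, ktype, fp in host_key_report(SAMPLE_REG):
        print(f"{host}:{port} {ktype} {fp}")
```

Export the key with reg export from a mounted hive (or extract the values with an offline registry parser and reformat them to the same lines), then run ssh-keygen -lf on the server's current public key: a mismatch on a host the user connected to is either a legitimate re-key or a past man-in-the-middle, and the key's last-write time tells you when the user accepted it.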

 

Related Posts:

Nmap / Zenmap


Author Name
Frank McClain

Artifact Name
Nmap/Zenmap

Artifact/Program Version
4.6, 5.1

Description
Artifacts left on a system after a scan with Nmap/Zenmap (especially Zenmap). This is not about proving that the application was run, or by whom (so no prefetch, UserAssist, etc.), nor that it was installed at some point; it is about showing how the application was used and when.

In c:\program files\nmap\zenmap\ a file is created when a scan is saved. It has the same user-chosen name as the saved scan, with the extension .usr: a scan saved as "test" produces "test.usr". If you find one of these, the user saved a scan, and this file should be identical to it. It is an XML file containing all the information about the scan.

In %User%\.zenmap (a hidden folder) three files are of primary interest: recent_scans.txt, target_list.txt and zenmap.db. recent_scans.txt lists saved scans (or perhaps the .usr copies; inconclusive at this point) as file paths and nothing else. target_list.txt lists every target IP address, separated by semicolons, with no other information, not even a date. zenmap.db is the valuable one: an SQLite database holding a history of the scans run, including scan type, target IP, XML output (basic scan detail) and time.

%User%\%Local%\Temp is another potential trove. It may hold temporary files with no extension. Some are empty, some hold only a little data, and others give a detailed breakdown of the scan (scan time, each target port, protocol, per-port timing and so on). The sparse ones mirror the content of the .usr files, so if one is missing the other may still give insight into the scan.

And a slightly tangential question posed on Twitter was how to identify a scan with packets. Fairly simple, right: just start Wireshark, run an Nmap scan, and review the results. Turns out across multiple types of scans run, that there are 60-byte packets, and all have the following content: 00 0d 60 da b4 e7 00 11 25 d1 04 e0 08 00 45 00. That's obviously not the entire contents of each packet, but that was consistent across all packets I saw. A caveat before using those bytes as a signature: they are the 14-byte Ethernet header (destination MAC 00:0d:60:da:b4:e7, source MAC 00:11:25:d1:04:e0, EtherType 0x0800 for IPv4) followed by the first two bytes of the IPv4 header (0x45: version 4 with a 20-byte header; 0x00: DSCP/ECN). They identify the capturing host's interface and its peer, not Nmap; every IPv4 frame between those two interfaces starts the same way. The 60-byte size is simply the Ethernet minimum frame length, reached because a bare probe (14 + 20 + 20 bytes plus a few TCP option bytes) is padded up to it. A more reliable indicator is behaviour: one source sending bare SYNs (or other single-packet probes) to many distinct ports or hosts in a short window.
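To make the two points above concrete, here is an added Python example (not from the post or from Nmap): it decodes the quoted 16 bytes as an Ethernet header plus the start of an IPv4 header, and then applies a simple behavioural check to constructed frames, counting how many distinct (host, port) targets each source probes with bare SYN packets. The frames are built in the script, with zeroed IP checksums, purely so that it runs offline; parse the real ones out of a pcap with your tool of choice and hand them to the same functions.

```python
"""Decode the fixed 16-byte prefix quoted above and show a better indicator of an
Nmap-style scan: one source hitting many distinct ports with bare SYNs."""
import struct
from collections import defaultdict

# The sixteen bytes quoted in the post, as raw bytes.
QUOTED_PREFIX = bytes.fromhex("000d60dab4e7001125d104e008004500")


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def decode_prefix(prefix):
    """Ethernet header (14 bytes) + first two bytes of the IPv4 header."""
    dst, src, ethertype = struct.unpack("!6s6sH", prefix[:14])
    ver_ihl, dscp_ecn = prefix[14], prefix[15]
    return {"dst_mac": mac(dst), "src_mac": mac(src), "ethertype": ethertype,
            "ip_version": ver_ihl >> 4, "ihl_bytes": (ver_ihl & 0x0F) * 4,
            "dscp_ecn": dscp_ecn}


def parse_tcp_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                         # protocol 6 = TCP
        return None
    src_ip = ".".join(map(str, ip[12:16]))
    dst_ip = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:]
    if len(tcp) < 14:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return src_ip, dst_ip, sport, dport, off_flags & 0x3F  # FIN,SYN,RST,PSH,ACK,URG


def build_syn(src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    """Constructed SYN frame: 14 + 20 + 20 = 54 bytes, padded to the 60-byte Ethernet
    minimum (which is why bare probes show up as 60-byte packets in a capture).
    The IP checksum is left at zero; this is a test vector, not real traffic."""
    eth = dst_mac + src_mac + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | 0x02, 1024, 0, 0)
    frame = eth + ip + tcp
    return frame + b"\x00" * (60 - len(frame))


def find_scanners(frames, threshold=10):
    """Map source IP -> number of distinct (dst_ip, dport) targets probed with a bare SYN,
    keeping only sources at or above the threshold."""
    targets = defaultdict(set)
    for f in frames:
        p = parse_tcp_frame(f)
        if p and p[4] == 0x02:          # SYN only, no ACK: a fresh probe
            targets[p[0]].add((p[1], p[3]))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


def sample_capture():
    """Constructed traffic: one host sweeping 15 ports on 10.0.0.9, one normal HTTP SYN.
    The MACs are the two quoted in the post, so every frame starts with QUOTED_PREFIX."""
    scanner_mac = bytes.fromhex("001125d104e0")
    gateway_mac = bytes.fromhex("000d60dab4e7")
    frames = [build_syn(scanner_mac, gateway_mac, "10.0.0.5", "10.0.0.9", 40000 + i, 1 + i)
              for i in range(15)]
    frames.append(build_syn(scanner_mac, gateway_mac, "10.0.0.7", "10.0.0.9", 50000, 80))
    return frames


if __name__ == "__main__":
    print(decode_prefix(QUOTED_PREFIX))
    print(find_scanners(sample_capture()))
```

The threshold and window are the knobs: Nmap's default scan touches a thousand ports, so even a high threshold catches it, while a single browser session never sends SYNs to more than a handful of ports on one host.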

File Locations
c:\program files\nmap\zenmap\*.usr (where * is the user-provided filename)
%User%\.zenmap\recent_scans.txt
%User%\.zenmap\target_list.txt
%User%\.zenmap\zenmap.db (SQLite db)
%User%\%Local%\Temp\tmpf5nhgm (these all start with "tmp" followed by six more characters, the naming scheme of Python's tempfile module; Zenmap is a Python application)

Research Links
http://forensicaliente.blogspot.com/2011/10/artifacts-created-by-nmapzenmap.html

Forensic Programs of Use
Nmap for Windows (cli) - http://nmap.org/download.html
Zenmap GUI for Nmap for Windows - http://nmap.org/download.html
SQLite Database Browser - http://sqlitebrowser.sourceforge.net/
Wireshark - http://www.wireshark.org/download.html

 

Dropbox Config Files (Windows)


Author Name
Frank McClain

Artifact Name
Dropbox Config Files (Windows)

Artifact/Program Version
Dropbox 1.1.35 (Windows)

Description
Dropbox is a file-synchronization, backup and sharing service with clients for Windows, Mac, Linux, iPhone, Android and BlackBerry. Once installed, the client starts with the OS and adds a system-tray item giving access to its settings ('Preferences') and to the files. It creates a 'My Dropbox' folder inside the user's 'My Documents' folder (the default location can be changed) for local cached/offline copies of the files, which then sync with the web storage and with every other online computer linked to the account. Several computers can be linked to one account; when they share a network, a feature called 'LAN sync' lets them exchange files directly to reduce bandwidth consumption. Sync transfers only the changed data, not the entire file.

Registry Keys
A clean installation created 173 registry keys and set 58 values (captured with Sysinternals ProcMon). Uninstallation made 153 changes to the registry (logged with Regshot), including 49 deletions:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1\:
"{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2\:
"{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt3\:
"{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt4\:
"{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Dropbox\InstallPath:
"C:\Documents and Settings\username\Application Data\Dropbox\bin"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}:
"DropboxExt"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}:
"DropboxExt"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}:
"DropboxExt"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}:
"DropboxExt"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\UninstallString:
""C:\Documents and Settings\username\Application Data\Dropbox\bin\Uninstall.exe""
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\InstallLocation:
"C:\Documents and Settings\username\Application Data\Dropbox\bin"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\DisplayName:
"Dropbox"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\DisplayIcon:
"C:\Documents and Settings\username\Application Data\Dropbox\bin\Dropbox.exe,0"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\DisplayVersion:
"1.1.35"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\URLInfoAbout:
"http://www.dropbox.com"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\HelpLink:
"http://www.dropbox.com"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\NoModify:
0x00000001
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\NoRepair:
0x00000001
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\Publisher:
"Dropbox, Inc."
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\*\shellex\ContextMenuHandlers\DropboxExt\:
"{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
"C:\Documents and Settings\username\Application Data\Dropbox\bin\DropboxExt.14.dll"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
"Apartment"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
"DropboxExt"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
"C:\Documents and Settings\username\Application Data\Dropbox\bin\DropboxExt.14.dll"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
"Apartment"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
"DropboxExt"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
"C:\Documents and Settings\username\Application Data\Dropbox\bin\DropboxExt.14.dll"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
"Apartment"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
"DropboxExt"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
"C:\Documents and Settings\username\Application Data\Dropbox\bin\DropboxExt.14.dll"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
"Apartment"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
"DropboxExt"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\Directory\Background\shellex\ContextMenuHandlers\DropboxExt\:
"{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\Directory\shellex\ContextMenuHandlers\DropboxExt\:
"{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\*\shellex\ContextMenuHandlers\DropboxExt\:
"{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
"C:\Documents and Settings\username\Application Data\Dropbox\bin\DropboxExt.14.dll"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
"Apartment"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
"DropboxExt"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
"C:\Documents and Settings\username\Application Data\Dropbox\bin\DropboxExt.14.dll"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
"Apartment"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
"DropboxExt"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
"C:\Documents and Settings\username\Application Data\Dropbox\bin\DropboxExt.14.dll"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
"Apartment"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
"DropboxExt"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
"C:\Documents and Settings\username\Application Data\Dropbox\bin\DropboxExt.14.dll"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
"Apartment"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
"DropboxExt"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\Directory\Background\shellex\ContextMenuHandlers\DropboxExt\:
"{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\Directory\shellex\ContextMenuHandlers\DropboxExt\:
"{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}"

File Locations
Most of Dropbox's configuration and user information is stored in SQLite database files in the Dropbox directory under %appdata%:
config.db
filecache.db
sigstore.db
host.db
unlink.db
Two are not actually SQLite files: host.db (plain text) and unlink.db (not sure?).

config.db holds information about the local installation and account. It shows what it calls the "host_id", which appears to be an MD5 hash value, and the email address associated with the account (useful during an investigation), as well as the current version/build of the local application.

filecache.db has several tables, but the one I think is of most interest is file_journal: it lists every directory and file inside 'My Dropbox'. It appears to hold only the live files, not deleted ones.

sigstore.db records a SHA-256 hash and size for each file, but no names or paths, so on its own it tells you what content passed through the account, not what it was called.

These can be viewed with any SQLite viewer or parsed with other programs (see research links).

Inside the user's Dropbox folder is a hidden directory, .dropbox.cache. It holds a record of files created or modified (and saved) on another linked system: copies of the files themselves, one per revision/save, and an entries.log file that appears to contain encoded information about each of those files.
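Because sigstore.db stores hashes without names, its practical use is the reverse lookup: hash a file found somewhere else (a USB stick, a mail attachment, another host) and ask whether the account has seen that content. The following Python is an added example, not from the post or from Dropbox. It hashes content in 4 MiB blocks, which is how Dropbox's documented content hash works and which reduces to the whole-file SHA-256 for anything under 4 MiB (the case the post describes); a candidate matches only if every block's hash and size is in the store. The sigstore table and its hash/size column names are assumptions made for the example, as is all the file content; check them against your own copy of the database before relying on the query.

```python
"""Compute Dropbox-style block hashes for a candidate file and look them up in
the size/hash records kept in sigstore.db (stood in for here by an in-memory table)."""
import hashlib
import sqlite3

BLOCK_SIZE = 4 * 1024 * 1024  # Dropbox hashes file content in 4 MiB blocks


def block_digests(data):
    """(sha256_hex, size) for each 4 MiB block of data. A file under 4 MiB is a
    single block, so its block hash is simply the whole-file SHA-256."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)] or [b""]
    return [(hashlib.sha256(b).hexdigest(), len(b)) for b in blocks]


def content_hash(data):
    """Dropbox's documented content_hash: SHA-256 over the concatenated raw block digests."""
    joined = b"".join(bytes.fromhex(h) for h, _ in block_digests(data))
    return hashlib.sha256(joined).hexdigest()


def build_sample_sigstore(synced_files):
    """Stand-in for sigstore.db. The table and column names (sigstore: hash, size)
    are assumptions for this example, not taken from the real file; check your copy."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sigstore (hash TEXT PRIMARY KEY, size INTEGER)")
    for data in synced_files:
        db.executemany("INSERT OR IGNORE INTO sigstore VALUES (?, ?)", block_digests(data))
    db.commit()
    return db


def match_candidates(db, candidates):
    """candidates: {name: bytes}. Return the names whose every block (hash and size)
    appears in the store, i.e. files whose content the account has seen."""
    known = set(db.execute("SELECT hash, size FROM sigstore").fetchall())
    return sorted(name for name, data in candidates.items()
                  if all(pair in known for pair in block_digests(data)))


def demo():
    # Constructed content standing in for files that passed through the account.
    synced = [b"Q3 numbers, draft 2: revenue 4.1M, headcount 37\n" * 50,
              b"A" * (BLOCK_SIZE + 1)]   # spans two blocks
    db = build_sample_sigstore(synced)
    candidates = {
        "usb\\numbers_copy.txt": synced[0],             # same bytes, different name
        "usb\\numbers_edited.txt": synced[0] + b"x",   # one byte changed: no match
        "usb\\big.bin": synced[1],
    }
    return match_candidates(db, candidates)


if __name__ == "__main__":
    print(demo())
```

Against the real file, replace build_sample_sigstore with sqlite3.connect on a copy of sigstore.db and adjust the SELECT to the column names you find there; a hit on a mult-block file means every block was present, which rules out a coincidental match on a single shared block.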

Research Links
(some more research to be posted soon)

Forensic Programs of Use
(not forensic, but good for viewing the SQLite db files)
(haven't tried it yet, may be able to parse deleted records from the SQLite db files)

Other Info
The Dropbox Reader python scripts are handy to parse through the SQLite db files quickly and get output that way, rather than trying to load up individually in a viewer. They're designed specifically to work with Dropbox's implementation, and present the information in a more meaningful way.

I had some issues getting them to work properly and they were very responsive and helpful. Apparently one of my files is a bit of an oddball (missing some information) so it won't parse correctly; they're working on a fix for that.

Evernote note storage


Author Name
Joseph W Shaw II

Artifact Name
Evernote note storage

Program Version
Evernote 4.3.1.4479

Description
Evernote captures, stores and shares ideas and information as multimedia notes that mix text, images, PDFs and other document types into searchable "notes". On Windows the notes are stored in an SQLite database. New records are written into free space in the database file; when records are deleted, SQLite marks their space as reusable but does not wipe it (unless the secure_delete option is on), so deleted note content remains in freed cells and freelist pages until new records overwrite it. Viewing the database in a text or hex view can therefore reveal records that no longer appear in queries.
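The same check can be scripted rather than done by eye in a hex view. The following Python is an added example (not from the post or from Evernote): it builds a small SQLite database with constructed note text, deletes one note, and then scans the raw file for printable runs that no live row accounts for, which is where the deleted note resurfaces. It also reads the page size and freelist pointers from the file header, since wholly freed pages are another place old records sit. Point the last two functions at a copy of the .exb (or any SQLite file) to repeat the search on real data; the note bodies here are constructed.

```python
"""Scripted version of the hex-view search described above: build a small SQLite
file, delete a row, and show the row's text surviving in the file's unused space."""
import os
import re
import sqlite3
import struct
import tempfile

# Constructed note bodies; the deleted one carries a distinctive marker.
LIVE_NOTES = ["live note one: grocery list for the weekend",
              "live note two: quarterly planning agenda items"]
DELETED_NOTE = "DELETED NOTE: meeting with the supplier moved to Friday"


def sqlite_file_info(raw):
    """Page size and freelist pointers from the 100-byte SQLite header."""
    if raw[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database")
    page_size = struct.unpack(">H", raw[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size   # 1 encodes 64 KiB
    freelist_trunk, freelist_count = struct.unpack(">II", raw[32:40])
    return {"page_size": page_size, "pages": len(raw) // page_size,
            "freelist_trunk": freelist_trunk, "freelist_count": freelist_count}


def residual_strings(raw, live_values, min_len=16):
    """Printable runs in the raw file not explained by any live value. A run may
    carry a record-header byte or two in front of the text, so match by substring."""
    runs = [r.decode("ascii") for r in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, raw)]
    return [r for r in runs if not any(v in r for v in live_values)]


def build_and_delete(path):
    """Create the notes table, insert three notes, delete one, return the live rows."""
    db = sqlite3.connect(path)
    db.execute("PRAGMA auto_vacuum = NONE")    # keep freed pages in the file
    db.execute("PRAGMA secure_delete = OFF")   # do not zero freed cells (the usual default)
    db.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    db.executemany("INSERT INTO notes (body) VALUES (?)",
                   [(n,) for n in LIVE_NOTES + [DELETED_NOTE]])
    db.commit()
    db.execute("DELETE FROM notes WHERE body = ?", (DELETED_NOTE,))
    db.commit()
    live = [row[0] for row in db.execute("SELECT body FROM notes")]
    db.close()
    return live


def demo():
    """Run the whole experiment in a temporary file and return what was found."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        live = build_and_delete(path)
        with open(path, "rb") as f:
            raw = f.read()
        return {"live": live, "info": sqlite_file_info(raw),
                "leftovers": residual_strings(raw, live)}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    result = demo()
    print(result["info"])
    for s in result["leftovers"]:
        print("residual:", s)
```

Two caveats carry over to real databases: inserting new records after a deletion reuses the freed space, so the window for recovery closes with normal use, and an application that runs VACUUM or enables secure_delete leaves nothing to find.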

File Locations
On Windows 7: C:\Users\\AppData\Local\Evernote\Evernote\Database\.exb

Forensic Programs of Use
SQLite Database Browser
EnCase 6.18.1.3 64bit

Old Record Search Hit

Google Chrome Browser Profile (Windows Vista/Windows 7)


Author Name
Joe Garcia

Artifact Name
Google Chrome Browser Profile Folder (Windows Vista/Windows 7)

Artifact/Program Version
Windows Vista/Windows 7

Description
In many digital forensics investigations, establishing the user's browsing habits is an important step. There are plenty of articles on IE and Firefox, but what about Google's Chrome browser? Like Firefox before it, Chrome is steadily gaining market share. This post points out where to find the Chrome user's profile folder. Most of the time it is named "Default", but look out for multiple profiles. Once you have located and extracted the profile folder (listed below) from your image, tools such as ChromeAnalysis or ChromeForensics can parse the information stored in it. The following data is available, most of it in SQLite files:

History (web history, downloads and search terms)

Cookies

Web Logins (the Login Data file)

Archived History (older web history and search terms)

Bookmarks (a JSON file, not SQLite)
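The one thing every Chrome parser has to get right is the clock: Chrome records times as microseconds since 1601-01-01 UTC (the WebKit/Windows FILETIME epoch), not Unix seconds, and stores the visit type in the low byte of a bit field. The following Python is an added example, not from the post or from any of the tools it names. It builds an in-memory copy of the two History tables that matter (urls and visits, with only the columns used here, populated with constructed rows), then produces a timeline with converted timestamps and decoded transition types. Point the same query at a copy of the real History file by replacing the in-memory connection.

```python
"""Query a Chrome History database offline and convert its WebKit timestamps.
Built here against an in-memory copy of the urls/visits tables."""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_OFFSET_SECONDS = 11644473600  # seconds between 1601-01-01 and 1970-01-01

# Core transition types live in the low byte of visits.transition; the high bits
# are qualifiers (redirect, chain start/end) and are masked off here.
CORE_TRANSITIONS = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
                    4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL",
                    7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED"}


def webkit_to_utc(value):
    """Chrome stores microseconds since 1601-01-01 UTC; 0 means 'never'."""
    if not value:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=int(value))


def unix_to_webkit(seconds):
    """Inverse conversion, handy for building test rows and date-range queries."""
    return (int(seconds) + UNIX_OFFSET_SECONDS) * 1_000_000


def transition_name(value):
    core = value & 0xFF
    return CORE_TRANSITIONS.get(core, f"UNKNOWN({core})")


def build_sample_history():
    """Constructed subset of Chrome's History schema (only the columns used here)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, typed_count INTEGER,
                           last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER);
    """)
    t0 = unix_to_webkit(1336268935)  # 2012-05-06 01:48:55 UTC
    db.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://www.facebook.com/", "Facebook", 2, 1, t0 + 120_000_000, 0),
        (2, "https://example.org/login", "Login", 1, 0, t0 + 60_000_000, 0),
    ])
    db.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, t0, 0, 0x10000001),        # TYPED, with the chain-start qualifier bit set
        (2, 2, t0 + 60_000_000, 1, 0),    # LINK followed from visit 1
        (3, 1, t0 + 120_000_000, 0, 8),   # RELOAD
    ])
    db.commit()
    return db


def visit_timeline(db):
    """(utc iso time, url, title, transition, from_visit) for every visit, oldest first."""
    rows = db.execute("""
        SELECT v.visit_time, u.url, u.title, v.transition, v.from_visit
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time""")
    return [(webkit_to_utc(t).isoformat(), url, title, transition_name(tr), frm)
            for t, url, title, tr, frm in rows]


if __name__ == "__main__":
    for row in visit_timeline(build_sample_history()):
        print(*row)
```

The from_visit column is what lets you reconstruct click chains rather than a flat list of URLs, and a TYPED transition is the strongest evidence that the user, not a page, chose the destination.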

File Locations
HardDrive\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default

Research Links
Get Google’s Chrome Browser HERE

Forensic Programs of Use
ChromeAnalysis from forensic-software.co.uk: http://forensic-software.co.uk/chromeanalysis.aspx

ChromeForensics by Woanware: http://www.woanware.co.uk/?page_id=70