Archive for the ‘Registry’ Category


Bluetooth Personal Area Network (PAN) Service Artifacts (Broadcom Widcomm)


Author Name
Matt Nelson
Submission Title
Bluetooth Personal Area Network (PAN) Service Artifacts (Broadcom Widcomm)
Artifact or Program Version
Broadcom Widcomm
Artifact Description
These artifacts contain information you can glean from the registry pertaining to network/PAN services available for the Broadcom Widcomm stack. Further investigation of these artifacts can reveal what was available to other systems. A follow-up post will detail the systems connected.


Extracted from the registry of a Windows 7 x64 system with a Broadcom 2070 Bluetooth radio device.
Registry Keys
-= Primary registry key =-


HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm


-= Bluetooth Services Definitions =-


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0001]
"Name"="Bluetooth Serial Port"
"SecurityId"=dword:00000001
"UUID"=dword:00001101
"GUID"="{00001101-0000-1000-8000-00805F9B34FB}"
"Authorization"=dword:00000000
"Authentication"=dword:00000001
"Encryption"=dword:00000001
"Description"="Establish a virtual serial port connection with a remote Bluetooth device. The connection can then be used by any application that supports the COM port number assigned."
"InstallOnDemand"=dword:00000001
"ComPortNumber"=dword:00000000
"UserInstalled"=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0002]
"Name"="Network Access"
"SecurityId"=dword:00000002
"UUID"=dword:00001102
"ModemInstalled"=dword:00000000
"GUID"="{00001102-0000-1000-8000-00805F9B34FB}"
"RasConnection"="BluetoothNullConnection"
"Authorization"=dword:00000000
"Authentication"=dword:00000001
"Encryption"=dword:00000001
"Description"="Establish a network connection to a remote Bluetooth device. The connection may provide access to an external network or the Internet."
"InstallOnDemand"=dword:00000001
"ComPortNumber"=dword:00000000
"UserInstalled"=dword:00000000
"UserName"=""
"Password"=""
"Autoconnect"=dword:00000001
"EnableAutoReconnect"=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0003]
"Name"="Dial-up Networking"
"SecurityId"=dword:00000003
"UUID"=dword:00001103
"ShowWizard"=dword:00000000
"ModemInstalled"=dword:00000000
"GUID"="{00001103-0000-1000-8000-00805F9B34FB}"
"RasConnection"="BluetoothConnection"
"Authorization"=dword:00000000
"Authentication"=dword:00000001
"Encryption"=dword:00000001
"Description"="Connect to the Internet using a Bluetooth-enabled telephone, modem or other remote Bluetooth device that offers the Dial-up Networking service."
"InstallOnDemand"=dword:00000001
"ComPortNumber"=dword:00000000
"UserInstalled"=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0004]
"Name"="PIM Item Transfer"
"SecurityId"=dword:00000005
"UUID"=dword:00001105
"GUID"="{00001105-0000-1000-8000-00805F9B34FB}"
"Authorization"=dword:00000000
"Authentication"=dword:00000001
"Encryption"=dword:00000001
"Description"="Exchange business cards with a remote Bluetooth device. Send Personal Information Manager (PIM) items such as calendar items, contacts, notes and messages to a remote Bluetooth device."
"InstallOnDemand"=dword:00000001
"OPPType"=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0005]
"Name"="File Transfer"
"SecurityId"=dword:00000006
"UUID"=dword:00001106
"GUID"="{00001106-0000-1000-8000-00805F9B34FB}"
"Authorization"=dword:00000000
"Authentication"=dword:00000001
"Encryption"=dword:00000001
"Description"="Browse another Bluetooth device's Public Folder or send and receive files to and from another Bluetooth device."
"InstallOnDemand"=dword:00000001


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0006]
"Name"="Fax"
"SecurityId"=dword:0000000b
"UUID"=dword:00001111
"ModemInstalled"=dword:00000000
"GUID"="{00001111-0000-1000-8000-00805F9B34FB}"
"Authorization"=dword:00000000
"Authentication"=dword:00000001
"Encryption"=dword:00000001
"Description"="Use the fax capabilities of a Bluetooth telephone, modem or other remote Bluetooth device that offers the fax service."
"InstallOnDemand"=dword:00000001
"ComPortNumber"=dword:00000000
"UserInstalled"=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0007]
"GUID"="{00001104-0000-1000-8000-00805F9B34FB}"
"Name"="PIM Synchronization"
"SecurityId"=dword:00000004
"UUID"=dword:00001104
"AcceptBusinessCards"=dword:00000001
"AcceptCalendarItems"=dword:00000000
"AcceptEmailMessages"=dword:00000000
"AcceptNotes"=dword:00000000
"SaveInPIM"=dword:00000001
"Authorization"=dword:00000000
"Authentication"=dword:00000001
"Encryption"=dword:00000001
"Description"="Synchronize the Personal Information Manager (PIM) database on this computer with the PIM database on a remote Bluetooth device."
"InstallOnDemand"=dword:00000001
"SyncBusinessCards"=dword:00000000
"SyncCalendarItems"=dword:00000000
"SyncEmailMessages"=dword:00000000
"SyncNotes"=dword:00000000
"PreferredProfile"=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0008]
"Authorization"=dword:00000000
"Auto"=dword:00000001
"SecurityID"=dword:00000008
"UUID"=dword:00001108
"Authentication"=dword:00000001
"Name"="Headset"
"Encryption"=dword:00000001
"GUID"="{00001108-0000-1000-8000-00805F9B34FB}"
"Description"="Establish an audio connection between this computer and a Bluetooth headset or other remote Bluetooth device acting as a headset. When connected, the remote device can be used as a replacement for this computer's local microphone and speakers for voice calls (PC telephony) or voice recognition applications."
"InstallOnDemand"=dword:00000001
"ComPortNumber"=dword:00000000
"UserInstalled"=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0009]
"Authorization"=dword:00000000
"Auto"=dword:00000001
"SecurityID"=dword:0000000c
"UUID"=dword:00001112
"Authentication"=dword:00000001
"Name"="Audio Gateway"
"Encryption"=dword:00000001
"GUID"="{00001112-0000-1000-8000-00805F9B34FB}"
"Description"="Establish an audio connection between this computer and a Bluetooth-enabled phone or other remote Bluetooth device as an Audio Gateway. When connected, this computer replaces the remote device's speakers and microphone."
"InstallOnDemand"=dword:00000001
"ComPortNumber"=dword:00000000
"UserInstalled"=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0010]
"Authorization"=dword:00000000
"Auto"=dword:00000001
"SecurityID"=dword:00000011
"UUID"=dword:00001126
"Authentication"=dword:00000001
"Name"="Printer"
"Encryption"=dword:00000001
"GUID"="{00001126-0000-1000-8000-00805F9B34FB}"
"Description"="Add a Bluetooth-enabled printer to your list of available printers. This printer can then be used as if it was physically connected to this computer."
"InstallOnDemand"=dword:00000001


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0011]
"Authorization"=dword:00000000
"SecurityID"=dword:00000012
"UUID"=dword:00001124
"Authentication"=dword:00000000
"Name"="Human Interface Device"
"Encryption"=dword:00000000
"GUID"="{00001124-0000-1000-8000-00805F9B34FB}"
"Description"="Use a Bluetooth enabled mouse, keyboard or other interface device."
"InstallOnDemand"=dword:00000001


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0012]
"Name"="Image Push Client"
"SecurityId"=dword:00000014
"UUID"=dword:0000111b
"GUID"="{0000111B-0000-1000-8000-00805F9B34FB}"
"Authorization"=dword:00000000
"Authentication"=dword:00000001
"Encryption"=dword:00000001
"Description"="Send image files to another Bluetooth device."
"InstallOnDemand"=dword:00000001
"PutImageToPrinterTimeout"=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0013]
"Authorization"=dword:00000000
"Auto"=dword:00000001
"SecurityID"=dword:00000008
"UUID"=dword:0000110b
"Authentication"=dword:00000001
"Name"="Stereo Audio"
"Encryption"=dword:00000001
"GUID"="{0000110B-0000-1000-8000-00805F9B34FB}"
"Description"="Establish an audio connection between this computer and a Bluetooth stereo headphone or speakers. When connected, the remote device replaces this computer's speakers."
"InstallOnDemand"=dword:00000000
"ComPortNumber"=dword:00000000
"UserInstalled"=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0014]
"Name"="Hands-free Audio"
"Encryption"=dword:00000001
"GUID"="{0000111E-0000-1000-8000-00805F9B34FB}"
"Description"="Establish an audio connection between this computer and a Bluetooth headset or other remote Bluetooth device acting as a headset. When connected, the remote device can be used as a replacement for this computer's local microphone and speakers for voice calls (PC telephony) or voice recognition applications."
"InstallOnDemand"=dword:00000000
"ComPortNumber"=dword:00000000
"UserInstalled"=dword:00000000
"Authorization"=dword:00000000
"Auto"=dword:00000001
"SecurityID"=dword:00000008
"UUID"=dword:0000111e
"Authentication"=dword:00000001


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0015]
"UUID"=dword:0000110a
"SecurityID"=dword:0000000c
"Auto"=dword:00000001
"Authorization"=dword:00000000
"Authentication"=dword:00000001
"Name"="Audio Sink"
"Encryption"=dword:00000001
"GUID"="{0000110A-0000-1000-8000-00805F9B34FB}"
"Description"="Connect to the source of an audio stream like media player."
"InstallOnDemand"=dword:00000000
"ComPortNumber"=dword:00000000
"UserInstalled"=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0016]
"Authorization"=dword:00000000
"Auto"=dword:00000001
"SecurityID"=dword:00000006
"UUID"=dword:00001304
"Authentication"=dword:00000000
"Name"="Video Sink"
"Encryption"=dword:00000000
"GUID"="{00001304-0000-1000-8000-00805F9B34FB}"


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0017]
"Authorization"=dword:00000000
"Auto"=dword:00000001
"SecurityID"=dword:00000006
"UUID"=dword:00001303
"Authentication"=dword:00000000
"Name"="Video Source"
"Encryption"=dword:00000000
"GUID"="{00001303-0000-1000-8000-00805F9B34FB}"

Bluetooth Connected Device Artifacts (Broadcom Widcomm)


Author Name
Matt Nelson
Submission Title
Bluetooth Connected Device Artifacts (Broadcom Widcomm)
Artifact or Program Version
Broadcom Widcomm
Artifact Description
These artifacts contain information you can glean from the registry pertaining to connected Bluetooth devices for the Broadcom Widcomm stack. Under the primary registry key, each external Bluetooth device that has connected gets its own subkey named after the device's Bluetooth MAC address.

Extracted from the registry of a Windows 7 x64 system with a Broadcom 2070 Bluetooth radio device.
Registry Keys
-= Primary Registry Key =-

[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\....]


-= Connected Devices Artifacts =-


——————————————————————————
Example Device 1 – external host MAC (laptop named N3943874)
——————————————————————————


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\00:02:72:1f:b3:8b] <<<<< device MAC
"Name"=hex:4e,33,39,34,33,38,37,34,00 <<<<< N3943874
"DevClass"=hex:3e,01,04
"Features"=hex:00,00,00,00,00,00,00,00
"TimeStamp"=dword:000040f8
"FTPAuthorizationExpires"=hex:00
"OPPAuthorizationExpires"=hex:00
"BIPAuthorizationExpires"=hex:00
"BPPAuthorizationExpires"=hex:00
"DoNotAutoConfigure"=dword:00000000
"AllowWakeup"=dword:00000000
"HidDisabled"=dword:00000000
"DefaultAudio"=dword:00000000
"Manufacturer"=dword:ffffffff
"LmpVersion"=dword:00000000
"LmpSubVersion"=dword:00000000
"BRCMStack"=dword:00000000
"Code"=hex:00,00
"RemoteName"=hex:00
"HandsfreeCfg"=dword:00000002
"ConnectHfIfAvConnected"=dword:00000000
"HandsFreeVersion"=dword:00000000
"PopUpGenForAccessPIM"=dword:00000000
"ShowUI"=dword:00000000
"DisableCallNumber"=dword:00000000
"ManualDun"=dword:00000000
"DesktopShortcutRemovedByBTW"=dword:00000000
"ProgramFilesShortcutRemovedByBTW"=dword:00000000
"PIMSyncInit"=dword:00000000
"PIMAcceptBizcard"=dword:00000000
"PIMAcceptCalendarItems"=dword:00000000
"PIMAcceptEmailMessages"=dword:00000000
"PIMAcceptNotes"=dword:00000000
"IconPath"=hex:43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,\
00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,44,00,4f,00,\
52,00,65,00,73,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,32,00,30,00,36,00,31,\
00,00,00
"AllowHFCalls"=dword:00000001
"VoiceRecognitionEnabled"=dword:00000000
"SupportBroadcomFeatures"=dword:00000001
"BroadcomFeatures"=dword:00000003


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\00:02:72:1f:b3:8b\0] <<<<< services are recorded as numbered subkeys
"ServiceNameUTF8"=hex:46,69,6c,65,20,54,72,61,6e,73,66,65,72,00 <<<<< File Transfer
"UUID"=dword:00001106
"Security"=dword:00000000
"DefaultConnection"=dword:00000000
"SdpAttr"=dword:00000000


—————————————————————————
Example Device 2 – external host MAC (phone named iPhone)
—————————————————————————


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\68:a8:6d:ab:29:38] <<<<< device MAC
"Name"=hex:69,50,68,6f,6e,65,00 <<<<< iPhone
"DevClass"=hex:7a,02,0c
"Features"=hex:00,00,00,00,00,00,00,00
"TimeStamp"=dword:000040f8
"FTPAuthorizationExpires"=hex:00
"OPPAuthorizationExpires"=hex:00
"BIPAuthorizationExpires"=hex:00
"BPPAuthorizationExpires"=hex:00
"DoNotAutoConfigure"=dword:00000000
"AllowWakeup"=dword:00000000
"HidDisabled"=dword:00000000
"DefaultAudio"=dword:00000000
"Manufacturer"=dword:ffffffff
"LmpVersion"=dword:00000000
"LmpSubVersion"=dword:00000000
"BRCMStack"=dword:00000000
"Code"=hex:00
"RemoteName"=hex:00
"HandsfreeCfg"=dword:00000002
"ConnectHfIfAvConnected"=dword:00000000
"HandsFreeVersion"=dword:00000000
"PopUpGenForAccessPIM"=dword:00000000
"ShowUI"=dword:00000000
"DisableCallNumber"=dword:00000000
"ManualDun"=dword:00000000
"DesktopShortcutRemovedByBTW"=dword:00000000
"ProgramFilesShortcutRemovedByBTW"=dword:00000000
"PIMSyncInit"=dword:00000000
"PIMAcceptBizcard"=dword:00000000
"PIMAcceptCalendarItems"=dword:00000000
"PIMAcceptEmailMessages"=dword:00000000
"PIMAcceptNotes"=dword:00000000
"IconPath"=hex:43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,\
00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,44,00,4f,00,\
52,00,65,00,73,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,32,00,30,00,33,00,35,\
00,00,00
"AllowHFCalls"=dword:00000001
"VoiceRecognitionEnabled"=dword:00000000
"SupportBroadcomFeatures"=dword:00000002
"BroadcomFeatures"=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\68:a8:6d:ab:29:38\0] <<<<< services are recorded as numbered subkeys
"ServiceNameUTF8"=hex:41,56,52,43,50,20,44,65,76,69,63,65,00 <<<<< AVRCP Device
"UUID"=dword:0000110c
"Security"=dword:00000000
"DefaultConnection"=dword:00000000
"SdpAttr"=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\68:a8:6d:ab:29:38\1] <<<<< second service subkey
"ServiceNameUTF8"=hex:41,75,64,69,6f,20,53,6f,75,72,63,65,00 <<<<< Audio Source
"UUID"=dword:0000110a
"Security"=dword:00000000
"DefaultConnection"=dword:00000000
"SdpAttr"=dword:00000000


———————————————————————————
Example Device 3 – external host MAC (device named Roku Player)
———————————————————————————


[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\cc:6d:a0:3e:c8:7a] <<<<< device MAC
"Name"=hex:52,6f,6b,75,20,50,6c,61,79,65,72,00 <<<<< Roku Player
"DevClass"=hex:00,04,24
"Features"=hex:00,00,00,00,00,00,00,00
"TimeStamp"=dword:000040f8
"FTPAuthorizationExpires"=hex:00
"OPPAuthorizationExpires"=hex:00
"BIPAuthorizationExpires"=hex:00
"BPPAuthorizationExpires"=hex:00
"DoNotAutoConfigure"=dword:00000000
"AllowWakeup"=dword:00000000
"HidDisabled"=dword:00000000
"DefaultAudio"=dword:00000000
"Manufacturer"=dword:ffffffff
"LmpVersion"=dword:00000000
"LmpSubVersion"=dword:00000000
"BRCMStack"=dword:00000000
"Code"=hex:00
"RemoteName"=hex:00
"HandsfreeCfg"=dword:00000002
"ConnectHfIfAvConnected"=dword:00000000
"HandsFreeVersion"=dword:00000000
"PopUpGenForAccessPIM"=dword:00000000
"ShowUI"=dword:00000001
"DisableCallNumber"=dword:00000000
"ManualDun"=dword:00000000
"DesktopShortcutRemovedByBTW"=dword:00000001
"ProgramFilesShortcutRemovedByBTW"=dword:00000001
"PIMSyncInit"=dword:00000000
"PIMAcceptBizcard"=dword:00000000
"PIMAcceptCalendarItems"=dword:00000000
"PIMAcceptEmailMessages"=dword:00000000
"PIMAcceptNotes"=dword:00000000
"IconPath"=hex:00,00
"AllowHFCalls"=dword:00000001
"VoiceRecognitionEnabled"=dword:00000000
"SupportBroadcomFeatures"=dword:00000000
"BroadcomFeatures"=dword:00000000
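
The hex-encoded values in the two Widcomm posts above are tedious to read by hand. The following is an added Python example, not code from either submission, that parses a .reg export of the BTConfig subtree: it decodes Name and ServiceNameUTF8 as null-terminated UTF-8, IconPath as UTF-16LE, DevClass as a 24-bit Bluetooth Class of Device, and lists the local service definitions whose Authentication and Encryption flags are both zero (the HID and video entries in the first post). The DevClass byte order (big-endian, which makes the iPhone entry decode to its published CoD 0x7a020c) and the trimmed sample export are assumptions; UUID and CoD labels come from the Bluetooth SIG assigned numbers.

```python
import re
from typing import Dict, List, Tuple

# Bluetooth SIG assigned numbers for the UUIDs and Class of Device fields seen above.
SERVICE_UUIDS = {0x1101: "Serial Port", 0x1103: "Dial-up Networking", 0x1105: "OBEX Object Push",
                 0x1106: "OBEX File Transfer", 0x1108: "Headset", 0x110A: "Audio Source",
                 0x110B: "Audio Sink", 0x110C: "A/V Remote Control Target", 0x111E: "Hands-Free",
                 0x1124: "Human Interface Device", 0x1303: "Video Source", 0x1304: "Video Sink"}
COD_MAJOR = {0: "Miscellaneous", 1: "Computer", 2: "Phone", 3: "LAN/Network AP", 4: "Audio/Video",
             5: "Peripheral", 6: "Imaging", 7: "Wearable", 8: "Toy", 9: "Health", 31: "Uncategorized"}
COD_SERVICE_BITS = {13: "Limited Discoverable", 16: "Positioning", 17: "Networking", 18: "Rendering",
                    19: "Capturing", 20: "Object Transfer", 21: "Audio", 22: "Telephony", 23: "Information"}
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Widcomm\\BTConfig\\"
                    r"(Applications|Devices)\\([^\]\\]+)(?:\\(\d+))?\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _logical_lines(text: str) -> List[str]:
    """Rejoin .reg lines wrapped with a trailing backslash (long hex values such as IconPath)."""
    out, buf = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            out.append(buf + line)
            buf = ""
    return out


def _decode(data: str):
    """One .reg value: "string" -> str, dword:xxxxxxxx -> int, hex:aa,bb,... -> bytes."""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex:"):
        return bytes(int(b, 16) for b in data[4:].split(",") if b)
    return data.strip('"')

def _cstr(raw: bytes, enc: str = "utf-8") -> str:
    """Null-terminated string stored as REG_BINARY (Name, ServiceNameUTF8, IconPath)."""
    return raw.decode(enc, "replace").split("\x00", 1)[0]


def parse_widcomm(reg_text: str) -> Dict[str, Dict[str, dict]]:
    """{"Applications": {id: node}, "Devices": {mac: node}}, node = {"values", "services"}."""
    trees: Dict[str, Dict[str, dict]] = {"Applications": {}, "Devices": {}}
    vals = None
    for line in _logical_lines(reg_text):
        m = KEY_RE.match(line)
        if m:
            tree, ident, sub = m.group(1).title(), m.group(2).lower(), m.group(3)
            node = trees[tree].setdefault(ident, {"values": {}, "services": []})
            vals = node["values"] if sub is None else {}
            if sub is not None:                  # numbered subkey = one remote SDP service
                node["services"].append(vals)
        elif line.startswith("["):
            vals = None                          # some other key: ignore its values
        elif vals is not None:
            v = VALUE_RE.match(line)
            if v:
                vals[v.group(1)] = _decode(v.group(2))
    return trees


def device_summary(mac: str, node: dict) -> dict:
    """Decode one remote device: name, 24-bit Class of Device, icon path, SDP services."""
    v = node["values"]
    cod = int.from_bytes(v.get("DevClass", b"\0\0\0"), "big")   # byte order as in the samples above
    return {"mac": mac, "name": _cstr(v.get("Name", b"")), "cod": cod,
            "major": COD_MAJOR.get((cod >> 8) & 0x1F, "Reserved"), "minor": (cod >> 2) & 0x3F,
            "service_classes": [n for b, n in COD_SERVICE_BITS.items() if cod >> b & 1],
            "icon_path": _cstr(v.get("IconPath", b""), "utf-16-le"),
            "services": [(_cstr(s.get("ServiceNameUTF8", b"")), s.get("UUID", 0),
                          SERVICE_UUIDS.get(s.get("UUID", 0), "unknown")) for s in node["services"]]}

def unprotected_services(apps: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Local service definitions that require neither authentication nor encryption."""
    return [(ident, n["values"].get("Name", "?")) for ident, n in sorted(apps.items())
            if n["values"].get("Authentication", 1) == 0 and n["values"].get("Encryption", 1) == 0]


# Constructed .reg export, trimmed to values quoted in the two Widcomm posts above.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0001]
"Name"="Bluetooth Serial Port"
"Authentication"=dword:00000001
"Encryption"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Applications\0011]
"Name"="Human Interface Device"
"Authentication"=dword:00000000
"Encryption"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\68:a8:6d:ab:29:38]
"Name"=hex:69,50,68,6f,6e,65,00
"DevClass"=hex:7a,02,0c
"IconPath"=hex:43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,\
  00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,44,00,4f,00,\
  52,00,65,00,73,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,32,00,30,00,33,00,35,\
  00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\68:a8:6d:ab:29:38\0]
"ServiceNameUTF8"=hex:41,56,52,43,50,20,44,65,76,69,63,65,00
"UUID"=dword:0000110c
'''

if __name__ == "__main__":
    t = parse_widcomm(SAMPLE_REG)
    print([device_summary(m, n) for m, n in t["Devices"].items()], unprotected_services(t["Applications"]))
```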

NTUSER Trust Records


Andrew Case

Office

The TrustRecords key under Office's settings in the NTUSER hive holds the full path of documents that were downloaded from untrusted places (e.g. a web browser download) and that the user had to explicitly tell Office to trust. This "trust" prompt is shown when the user wants to edit the document or run macros inside it.

The artifact is interesting because it holds not only the full path of each document, in an MRU-style listing, but also, as the data of each name/value pair, the time at which that document was trusted.

Software\Microsoft\Office\14.0\PowerPoint\Security\Trusted Documents\TrustRecords

The path part after “Office” will differ per-version of Office, but the rest of the path is the same.

NTUSER hive

RegExtract – http://www.woanware.co.uk/?page_id=209 – the "OfficeDocuments" plugin will extract this information.
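
To turn the raw TrustRecords data into a usable timestamp, here is an added Python example (not part of the original submission). It decodes one value as pulled from the hive (the value name is the document path, the data is the REG_BINARY content) and includes a winreg walker for a live system. The data layout it relies on is an assumption beyond what the post states: the leading 8 bytes are a Windows FILETIME of when the document was trusted, and the trailing dword is 0x7fffffff when the user clicked Enable Content rather than only enabling editing; the sample values are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Iterator, List, NamedTuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# ASSUMPTION beyond the post above: the value data starts with a Windows FILETIME (time the
# document was trusted) and ends with a dword that reads 0x7fffffff when the user clicked
# "Enable Content" (macros allowed) instead of only "Enable Editing".
ENABLE_CONTENT = 0x7FFFFFFF


class TrustRecord(NamedTuple):
    path: str
    trusted_at: datetime
    flag: int

    @property
    def macros_enabled(self) -> bool:
        return self.flag == ENABLE_CONTENT


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100-nanosecond intervals since 1601-01-01 00:00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_trust_record(value_name: str, data: bytes) -> TrustRecord:
    """value_name is the document path; data is the REG_BINARY content of that value."""
    if len(data) < 12:
        raise ValueError(f"TrustRecords data too short ({len(data)} bytes) for {value_name!r}")
    (ft,) = struct.unpack_from("<Q", data, 0)            # leading little-endian FILETIME
    (flag,) = struct.unpack_from("<I", data, len(data) - 4)  # trailing dword
    return TrustRecord(value_name, filetime_to_datetime(ft), flag)


def live_trust_records(office_version: str = "14.0", app: str = "PowerPoint") -> Iterator[TrustRecord]:
    """Walk the key on a live Windows box (winreg only exists there, hence the local import)."""
    import winreg
    path = rf"Software\Microsoft\Office\{office_version}\{app}\Security\Trusted Documents\TrustRecords"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:          # no more values
                return
            yield decode_trust_record(name, data)
            i += 1


# Constructed sample values (not from the original post): a macro-enabled document trusted on
# 2012-07-14 15:32:10 UTC with Enable Content clicked, and a plain document trusted for editing.
SAMPLE_VALUES = {
    r"C:\Users\alice\Downloads\invoice.docm":
        bytes.fromhex("007969d5d561cd01" "0000000000000000" "ffffff7f"),
    r"C:\Users\alice\Downloads\report.docx":
        bytes.fromhex("007969d5d561cd01" "0000000000000000" "01000000"),
}


def decode_all(values=SAMPLE_VALUES) -> List[TrustRecord]:
    return [decode_trust_record(name, data) for name, data in values.items()]


if __name__ == "__main__":
    for rec in decode_all():
        print(f"{rec.trusted_at:%Y-%m-%d %H:%M:%S} UTC  macros={rec.macros_enabled}  {rec.path}")
```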

PsTools Artifacts


John Lukach

PsTools Suite 2.44

PsTools are a common resource used to manage remote systems. During execution of PsExec, PsFile, PsGetSID, PsInfo, PsKill, PsList, PsLoggedOn, PsLogList, PsPasswd, PsService, PsShutDown, and PsSuspend the EULA software license agreement must be accepted. A registry entry is created allowing you to determine which tools have been used on a specific machine. I used the RegRipper framework by Harlan Carvey to create a new plugin that will be available at: http://regripper.wordpress.com to harvest these artifacts.

\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsExec\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsFile\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsGetSID\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsInfo\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsKill\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsList\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsLoggedOn\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsLogList\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsPasswd\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsService\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsShutDown\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsSuspend\EulaAccepted

http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx


Cloud-based Forensic Artifacts: Mozy Home and Mozy Stash


Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
Mozy Home 2.12, Mozy Stash 0.11

Description
Mozy is known for its online backup service. It’s recently added synchronization via Stash (still in beta). Runs on Windows, Mac, iOS, and Android.

A sample of artifacts from the installation and use of Mozy Home 2.12 and Mozy Stash 0.11 on a system. This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
\Software\Mozy Inc
\ControlSet001\Enum\Root\LEGACY_MOZYFILTER\0000

File Locations
Application Data Files: Program Files\MozyHome\Data
AppData\Local\Stash

Application Executable Files: Program Files\MozyHome – MozyBackup.exe, MozyStat.exe
Program Files (x86)\Mozy\Stash – Stash.exe

Sync/Backup Files: Any
%User%\Stash

Files of Interest

cache.dat, changes.dat, filter_raw.log.1, local_backup.dat, manifest.dat, mozy.log, resume.dat, scancache.dat, state.dat, metrics.dat, Stash.log, state.dat

Research Links

http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm


Cloud-based Forensic Artifacts: Carbonite


Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
Carbonite 5.2

Description
Online backup storage solution. Runs on Windows, Mac, iPhone, Android, and Blackberry. No synchronization, or collaboration, but you can share files via email (at least from mobile devices).

A sample of artifacts from the installation and use of Carbonite 5.2 on a system. This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
\Classes\Applications\CarboniteUI.exe
\ControlSet001\Services\EventLog\Application\CarboniteService

File Locations
Application Data Files: ProgramData\Carbonite

Application Executable Files: Program Files (x86)\Carbonite\Carbonite Backup\ – CarboniteUI.exe

Sync/Backup Files: Any, User-Defined, File Type

Files of Interest

Carbonite.log, CarboniteConfig.dat, CarboniteDelta.dat, CarboniteFiles.dat, CarboniteNSE.log, CarbonitePossibleUpgrade.exe, CarboniteRestores.dat, CarboniteUI.log, CarboniteVersions.dat

Research Links

http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm


Cloud-based Forensic Artifacts: ADrive


Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
ADrive 1.5

Description
Provides backup, synchronization, and sharing on Windows, Mac, Linux, and Android. Provides the ability to use FTP, remote file transfer (from other sites directly to your account), collaboration, concurrent logins, and online editing (via Zoho).

Paid versions offer SSL (not available with the free tier), FTP upload/download, file transfers up to 16GB, and remote transfer (internet to internet).
The free version can only be used through the browser (no local client), but comes with 50GB.
ADrive Desktop (the local client) is written in Adobe AIR.

A sample of artifacts from the installation and use of ADrive 1.5 on a system. This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
\Wow6432Node\Microsoft\Tracing\ADrive Desktop_RASAPI32
\Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\1

File Locations
Application Data Files: AppData\Roaming\com.adrive.ADriveDesktop.9E1195EE779B0F966F518632F3A0F64E53222DC6.1

Application Executable Files: Program Files (x86)\ADrive Desktop\ – ADrive Desktop.exe

Sync/Backup Files: Any, User-Defined, File Type

Files of Interest

Adrive.db, install.log (Adobe AIR)

Research Links

http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm


Cloud-based Forensic Artifacts: TeamDrive


Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
TeamDrive 2.4

Description
Synchronize files to the cloud and other designated computers. Backup functionality provided through automated synchronization to cloud. Rather than sharing, provides for collaboration on files. Runs on Windows, Mac, and Linux.

Can sync to their cloud, or your own server.

A sample of artifacts from the installation and use of TeamDrive 2.4 on a system. This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.7\com.trolltech.Qt.QTextCodecFactoryInterface:\C:\Program Files (x86)\TeamDrive2.0
\ControlSet001\Services\EventLog\Application\MySQL
\ControlSet002\Services\EventLog\Application\MySQL

File Locations
Application Data Files: AppData\Roaming\TeamDrive

Application Executable Files: Program Files (x86)\TeamDrive2.0\ – TeamDrive2.exe, TeamDrive2Database.exe

Sync/Backup Files: %User%\TeamDrive Spaces

Files of Interest

WebDAVSettings.xml, DirWatcher_log.log, FileWatcher_log.log, log.log, old_20120513_162655_logs.zip, general_log.CSV, slow_log.CSV, db.opt, username_TeamDrive_13.05.2012.pss, Default_username.sakh, desktop.ini, target.lnk

Research Links

http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm


Cloud-based Forensic Artifacts: SpiderOak


Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
SpiderOak 4.4

Description
Cloud-based backup, synchronization, and sharing platform. You can set up and schedule backups of different directories or file types, synchronize files to designated computers, and share with others. Runs on Windows, Mac, Linux, iOS, Android, and Maemo (N900).

A sample of artifacts from the installation and use of SpiderOak 4.4 on a system. This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
\Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\34

File Locations
Application Data Files: AppData\Roaming\SpiderOak

Application Executable Files: Program Files (x86)\SpiderOak\ – SpiderOak.exe, windows_dir_watcher.exe

Sync/Backup Files: Any, User-Defined, File Type

Files of Interest

1336254748.22.port, config.dat, config.txt, device_1a.dat, device_2a.dat, dirhash.db, downloads.db, exclude.txt, fs_queue.db, local.dat, oak_20120505145242.log, oak_20120505165227.log, prefs.dat, snapshot.db, Spider_20120505145242.log, Spider_20120505165227.log, Test-skipfilter.db, test.db, test.log, tss_external_orphans_fixed_pandora_sqliite_database, tss_external_orphans_fixed_snapshot.db

Research Links

http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm


Cloud-based Forensic Artifacts: Dropbox


Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
Dropbox 1.2

Description
Synchronizes designated directories to the cloud and other associated computers. Can be used for simple file sharing. Not specifically a backup service, but does maintain off-site copies of files, so it kind of qualifies. Runs on Windows, Mac, Linux, iPad, iPhone, Android, BlackBerry.

The current version of Dropbox uses encrypted SQLite DB files.

A sample of artifacts from the installation and use of Dropbox 1.2 on a system.  This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1

Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\21

File Locations
Application Data Files:  AppData\Roaming\Dropbox

Application Executable Files:  AppData\Roaming\Dropbox\Bin – Dropbox.exe

Sync/Backup Files:  %User%\Dropbox

Files of Interest

config.db, config.dbx, desktop.ini, filecache.dbx, host.db, sigstore.dbx, unlink.db, entries.log

Research Links

http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm