Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
Mozy Home 2.12, Mozy Stash 0.11

Description
Mozy is known for its online backup service. It’s recently added synchronization via Stash (still in beta). Runs on Windows, Mac, iOS, and Android.

A sample of artifacts from the installation and use of Mozy Home 2.12 and Mozy Stash 0.11 on a system. This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
\Software\Mozy Inc, \ControlSet001\Enum\Root\LEGACY_MOZYFILTER\0000

File Locations
Application Data Files: Program Files\MozyHome\Data
AppData\Local\Stash

Application Executable Files: Program Files\MozyHome – MozyBackup.exe, MozyStat.exe
Program Files (x86)\Mozy\Stash – Stash.exe

Sync/Backup Files: Any
%User%\Stash

Files of Interest

cache.dat, changes.dat, filter_raw.log.1, local_backup.dat, manifest.dat, mozy.log, resume.dat, scancache.dat, state.dat, metrics.dat, Stash.log, state.dat

Research Links

http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm

Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
Carbonite 5.2

Description
Online backup storage solution. Runs on Windows, Mac, iPhone, Android, and Blackberry. No synchronization, or collaboration, but you can share files via email (at least from mobile devices).

A sample of artifacts from the installation and use of Carbonite 5.2 on a system. This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
\Classes\Applications\CarboniteUI.exe
\ControlSet001\Services\EventLog\Application\CarboniteService

File Locations
Application Data Files: ProgramData\Carbonite

Application Executable Files: Program Files (x86)\Carbonite\Carbonite Backup\ – CarboniteUI.exe

Sync/Backup Files: Any, User-Defined, File Type

Files of Interest

Carbonite.log, CarboniteConfig.dat, CarboniteDelta.dat, CarboniteFiles.dat, CarboniteNSE.log, CarbonitePossibleUpgrade.exe, CarboniteRestores.dat, CarboniteUI.log, CarboniteVersions.dat

Research Links

http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm

Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
ADrive 1.5

Description
Provides backup, synchronization, and sharing on Windows, Mac, Linux, and Android. Provides the ability to use FTP, remote file transfer (from other sites directly to your account), collaboration, concurrent logins, and online editing (via Zoho).

Paid versions offer SSL (not available with free), FTP up/down, 16GB file transfers, remote transfer (internet to internet).
Free version can only be used through browser, no local client, w/50GB!
ADrive Desktop (local client) is written in AdobeAIR.

A sample of artifacts from the installation and use of ADrive 1.5 on a system. This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
\Wow6432Node\Microsoft\Tracing\ADrive Desktop_RASAPI32
\Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\1

File Locations
Application Data Files: AppData\Roaming\com.adrive.ADriveDesktop.9E1195EE779B0F966F518632F3A0F64E53222DC6.1

Application Executable Files: Program Files (x86)\ADrive Desktop\ – ADrive Desktop.exe

Sync/Backup Files: Any, User-Defined, File Type

Files of Interest

Adrive.db, install.log (Adobe AIR)

Research Links

http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm

Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
TeamDrive 2.4

Description
Synchronize files to the cloud and other designated computers. Backup functionality provided through automated synchronization to cloud. Rather than sharing, provides for collaboration on files. Runs on Windows, Mac, and Linux.

Can sync to their cloud, or your own server.

A sample of artifacts from the installation and use of TeamDrive 2.4 on a system. This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.7\com.trolltech.Qt.QTextCodecFactoryInterface:\C:\Program Files (x86)\TeamDrive2.0
\ControlSet001\Services\EventLog\Application\MySQL
\ControlSet002\Services\EventLog\Application\MySQL

File Locations
Application Data Files: AppData\Roaming\TeamDrive

Application Executable Files: Program Files (x86)\TeamDrive2.0\ – TeamDrive2.exe, TeamDrive2Database.exe

Sync/Backup Files: %User%\TeamDrive Spaces

Files of Interest

WebDAVSettings.xml, DirWatcher_log.log, FileWatcher_log.log, log.log, old_20120513_162655_logs.zip, general_log.CSV, slow_log.CSV, db.opt, username_TeamDrive_13.05.2012.pss, Default_username.sakh, desktop.ini, target.lnk

Research Links

http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm

Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
SpiderOak 4.4

Description
Cloud-based backup, synchronization, and sharing platform. You can set up and schedule backups of different directories or file types, synchronize files to designated computers, and share with others. Runs on Windows, Mac, Linux, iOS, Android, and Maemo (N900).

A sample of artifacts from the installation and use of SpiderOak 4.4 on a system. This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
\Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\34

File Locations
Application Data Files: AppData\Roaming\SpiderOak

Application Executable Files: Program Files (x86)\SpiderOak\ – SpiderOak.exe, windows_dir_watcher.exe

Sync/Backup Files: Any, User-Defined, File Type

Files of Interest

1336254748.22.port, config.dat, config.txt, device_1a.dat, device_2a.dat, dirhash.db, downloads.db, exclude.txt, fs_queue.db, local.dat, oak_20120505145242.log, oak_20120505165227.log, prefs.dat, snapshot.db, Spider_20120505145242.log, Spider_20120505165227.log, Test-skipfilter.db, test.db, test.log, tss_external_orphans_fixed_pandora_sqliite_database, tss_external_orphans_fixed_snapshot.db

Research Links

http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm

Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
Dropbox 1.2

Description
Synchronizes designated directories to the cloud and other associated computers. Can be used for simple file sharing. Not specifically a backup service, but does maintain off-site copies of files, so it kind of qualifies. Runs on Windows, Mac, Linux, iPad, iPhone, Android, BlackBerry.

Current version of Dropbox makes use of encrypted SQLite DB files.

A sample of artifacts from the installation and use of Dropbox 1.2 on a system.  This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1

Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\21

File Locations
Application Data Files:  AppData\Roaming\Dropbox

Application Executable Files:  AppData\Roaming\Dropbox\Bin – Dropbox.exe

Sync/Backup Files:  %User%\Dropbox

Files of Interest

config.db, config.dbx, desktop.ini, filecache.dbx, host.db, sigstore.dbx, unlink.db, entries.log

Research Links

http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm