Artifacts

Posts Tagged ‘Carbonite’


Cloud-based Forensic Artifacts: Carbonite

Posted by:  /  Tags: , ,

Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
Carbonite 5.2

Description
Online backup storage solution. Runs on Windows, Mac, iPhone, Android, and Blackberry. No synchronization, or collaboration, but you can share files via email (at least from mobile devices).

A sample of artifacts from the installation and use of Carbonite 5.2 on a system. This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
\Classes\Applications\CarboniteUI.exe
\ControlSet001\Services\EventLog\Application\CarboniteService

File Locations
Application Data Files: ProgramData\Carbonite

Application Executable Files: Program Files (x86)\Carbonite\Carbonite Backup\ – CarboniteUI.exe

Sync/Backup Files: Any, User-Defined, File Type

Files of Interest

Carbonite.log, CarboniteConfig.dat, CarboniteDelta.dat, CarboniteFiles.dat, CarboniteNSE.log, CarbonitePossibleUpgrade.exe, CarboniteRestores.dat, CarboniteUI.log, CarboniteVersions.dat

Research Links
http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm