Posts Tagged ‘Mozy Stash’

Cloud-based Forensic Artifacts: Mozy Home and Mozy Stash

Posted by:  /  Tags: , , ,

Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
Mozy Home 2.12, Mozy Stash 0.11

Mozy is known for its online backup service. It’s recently added synchronization via Stash (still in beta). Runs on Windows, Mac, iOS, and Android.

A sample of artifacts from the installation and use of Mozy Home 2.12 and Mozy Stash 0.11 on a system. This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
\Software\Mozy Inc, \ControlSet001\Enum\Root\LEGACY_MOZYFILTER\0000

File Locations
Application Data Files: Program Files\MozyHome\Data

Application Executable Files: Program Files\MozyHome – MozyBackup.exe, MozyStat.exe
Program Files (x86)\Mozy\Stash – Stash.exe

Sync/Backup Files: Any

Files of Interest

cache.dat, changes.dat, filter_raw.log.1, local_backup.dat, manifest.dat, mozy.log, resume.dat, scancache.dat, state.dat, metrics.dat, Stash.log, state.dat

Research Links

Forensic Programs of Use
ProcessHacker –
CurrPorts –
Wireshark –
FileInfo –
RegShot –
Registry Decoder –
NetWitness Investigator –
Notepad++ –
SQLiteDBBrowser –
HxD –
HEX Editor –
Encoder –
DCode –
DbVisualizer –
TrID –
File –