Forensic Blogs

An aggregator for digital forensics blogs

November 29, 2018 by LCDI

Application Forensics Update 2

Introduction

Over the past fifteen weeks, the App Forensics team investigated several pieces of mainstream monitoring software. We are now focusing on new software, getting it operational, and investigating its internal workings. Examining how the software interacts with the device is central to our larger goal of understanding the programs: for example, whether they are safe and what a company can access.

Progress

The App Forensics team is working hard on investigating the newest monitoring software, FlexiSpy. We are currently combing through data pulled from a tablet with the software installed and comparing it to data from a normal tablet without it. By doing this, we hope to find specific changes and additions made by the software that clue us in to the program's operations. In addition, our team has performed several network captures of data transferred to and from the tablets. These show us which servers the software is talking to and what it is sending and receiving.

Conclusion

Once we go through the data, we should be able to get a good handle on what the software is doing. We will continue to analyze the data collected from the tablets and look for changes and behaviors that help us better understand what the software is changing. Moving forward, we will compare the data we generate on this software to the others we analyzed and draw conclusions about what they have in common.

Stay tuned for more updates to come and follow us on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI.

The post Application Forensics Update 2 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation

Filed Under: Digital Forensics, Uncategorized

Tagged With: app forensics, Application Analysis, Blog Post, Champlain College, flexispy, Internship, LCDI, Projects, spyware, Student Work, Update

October 26, 2017 by LCDI

Application Analysis Update 1

Introduction

This project focuses on searching for artifacts left by common desktop applications. We will be analyzing each application within Windows 10, the second most popular version of Windows. We began by generating data on virtual machines with the chosen applications. The next step is to use various forensic tools to extract information that could be of forensic interest. This includes any artifacts that could be relevant either for security or for use in a forensic investigation.

Analysis: Web App Security

In this project, we will be analyzing artifacts left by three different apps: Steam, LastPass, and Fitbit. Based on LastPass's emphasis on security, we expect that it will yield the fewest artifacts. Likewise, Steam is notorious for not keeping chat logs on the user's side, whether on a PC or on a mobile device. As such, it would make sense to assume that the amount of information stored on the host is minimal. Fitbit, however, may save crucial information on the host for offline use of the app.

Choosing the Applications

In narrowing down the list of possible applications, we had several reasons for choosing each app. These include its large number of users, how important it is that the application is secure, and other traits based on the purpose of the app.

Steam

Application

The first app, Steam, is a gaming and social media platform common on PCs. It has a massive user base of over 125 million. Steam is well known for not retaining chat logs. Steam saves achievements on the servers rather than the host. Due to the large amount of information that the app could store on the host, our team chose it as a viable candidate. Our team is planning to look for artifacts related to in-game actions as well as any action done on Steam (wishlist, login info, screenshots, etc.). Our team will also be looking for any artifacts that contain personal information, as well as information about friends of that user.

LastPass

Application

LastPass is a password manager that is available as a desktop and mobile app, as well as an extension on many browsers. The application is popular for its security, as well as the simple design. It has a user base of over 7 million people. LastPass can contain passwords for many websites, making it a target for attacks. It is also available without purchasing the subscription, making it even more popular.

Fitbit

Fitbit is a brand of fitness tracker. The device syncs using Bluetooth to a personalized account through a PC or mobile device. Fitbit has a user base of over 10 million people, and is popular among a variety of ages. The information is viewable online, on a mobile device, or through the desktop application. Fitbit logs movement and allows users to log other health information in the app. Fitbit then uses this information to display progress over time.

Conclusion

As of now, all teams have made excellent progress on analyzing the artifacts generated by the applications. We hope that the artifacts we generate will help us determine potential threats and dangers to the apps we are using. The results from the information our team has gathered are not finalized yet. But we are eager to share our results with you when they are.   

Like all members of the LCDI, we welcome and encourage feedback. To give us any feedback you have, use the comment section below.

You can read our past research into other applications here.

Like the Leahy Center for Digital Investigation (LCDI) on Facebook and follow us on Twitter to get notified of more project updates.

The post Application Analysis Update 1 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation

Filed Under: Digital Forensics, Uncategorized

Tagged With: app, app forensics, Application Analysis, Application Data, Blog Post, Fitbit, Lastpass, Projects, Steam, Student Work, Update, windows, Windows 10

December 21, 2016 by LCDI

Mobile App Forensics: Final Blog Update

Introduction: The LCDI’s Mobile App Forensics team is wrapping up the academic semester, but that doesn’t mean we’ve run out of things to show you. Over the past fifteen weeks, we have analyzed five applications in the Android and iOS marketplaces. With both some major successes and disappointing failures, we as a team are confident […]

The post Mobile App Forensics: Final Blog Update appeared first on Computer & Digital Forensics Blog.

Read the original at: Computer & Digital Forensics Blog

Filed Under: Digital Forensics, Uncategorized

Tagged With: Android, app, app forensics, application, application forensics, Blog Post, Champlain College, computer forensics, Digital forensics, Digital Investigation, iOS, LCDI, Mobile, mobile app, Mobile App Forensics, mobile application, mobile application forensics, mobile applications, Projects, Update

About

This site aggregates posts from various digital forensics blogs. Feel free to take a look around, and make sure to visit the original sites.


All content is copyright the respective author(s)