Forensic Blogs

An aggregator for digital forensics blogs

by

Application Analysis Introduction

Introduction

This semester, the Application Analysis team chose four Windows applications to perform a forensic analysis on – Spotify, Bitcoin Miner, Speedtest, and Dashlane. In the coming weeks, we will examine the artifacts generated by these applications.

Analysis: Web App Security

We will inspect the applications’ security features. Without proper security features, hackers can access data stored by the application. Noting how the applications handle data will illuminate security features.

The Applications

Spotify is a web-based music streaming application. It has a user base of well over 140 million paid and unpaid users, making it the largest music service available. With a music library of over 30 million songs, it’s clear to see why users love it so much. Spotify features connectivity with friends and celebrities. The team wonders if this could lead to a privacy issue. We will analyze this by recording the data the application stores about music preferences and other personal information.

Bitcoin Miner is the most popular bitcoin mining application in the Microsoft Store. Cryptocurrency has recently emerged as a lucrative investment opportunity. Applications offering users a friendly interface for exchanging and mining cryptocurrencies have followed. We are inquiring about the artifacts left over by mining cryptocurrency.   

SpeedTest is an internet speed testing application that offers “easy, one-click connection testing in under 30 seconds.” It also claims to be “the most accurate and convenient way to test your speed.” Millions of users access this service. Analyzing an application such as this one should be simple. We will be looking into the data that the application stores about you and your device. This data includes age, gender, work experience, education, and browser history.

Dashlane acts as an online password bank. The application stores entered user and online account information. Never again do you need to remember all your passwords. You only need one master password to open Dashlane. The application will log-in to websites through its database and fill out forms with the information you provide. We will examine the artifacts generated by storing information, navigating to websites, and using the autofill feature. For this application, it will be important for us to be on the lookout for potential security risks.

Conclusion

Currently, we are generating and analyzing the artifacts as well as observing security features. We will report on our findings in the blog posts to come.

Post any feedback, questions, or general comments in the comment section below! Interested in our research? Follow the Leahy Center for Digital Investigation (LCDI) on Twitter @ChampForensics, Instagram @ChampForensics and Facebook @ChamplainLCDI.

The post Application Analysis Introduction appeared first on The Leahy Center for Digital Investigation.

by

Application Analysis Update 1

Introduction

This project focuses on searching for artifacts left by common desktop applications. We will be analyzing each application within Windows 10. It is the second most popular version of windows. We began by generating data on virtual machines with the chosen applications. The next step is to use various forensic tools to extract information that could be of forensic interest. This includes any artifacts that could be relevant either for security or for use in a forensic investigation.

Analysis: Web App Security

In this project, we will be analyzing artifacts left by three different apps: Steam, Lastpass, and Fitbit.  Based on LastPass’s emphasis on security, we expect that it will yield the least amount of artifacts. Likewise, Steam is notorious for not keeping chatlogs on the user’s side, whether PC or on a mobile device. As such, it would make sense to assume that the amount of information stored on the host is minimal. But, Fitbit may save crucial information on the host for offline use of the app.

Choosing the Applications

In narrowing the list of possible applications down, there were many reasons why we chose each app. This includes its large number of users, how important it was that the application is secure, as well as for other traits based on the purpose of the app.

Steam

Application

The first app, Steam, is a gaming and social media platform common on PCs. It has a massive user base of over 125 million. Steam is well known for not retaining chat logs. Steam saves achievements on the servers rather than the host. Due to the large amount of information that the app could store on the host, our team chose it as a viable candidate. Our team is planning to look for artifacts related to in game actions as well as any action done on Steam (Wishlist, login info, Screenshots, etc). Our team will also be looking for any artifacts that have any personal information as well as information about friends of that user.     

Last Pass

Application

LastPass is a password manager that is available as a desktop and mobile app, as well as an extension on many browsers. The application is popular for its security, as well as the simple design. It has a user base of over 7 million people. LastPass can contain passwords for many websites, making it a target for attacks. It is also available without purchasing the subscription, making it even more popular.

Fitbit

Fitbit is a brand of fitness tracker. The device syncs using Bluetooth to a personalized account through a PC or mobile device. Fitbit has a user base of over 10 million people, and is popular among a variety of ages. The information is viewable online, on a mobile device, or through the desktop application. Fitbit logs movement and allows users to log other health information in the app. Fitbit then uses this information to display progress over time.

Conclusion

As of now, all teams have made excellent progress on analyzing the artifacts generated by the applications. We hope that the artifacts we generate will help us determine potential threats and dangers to the apps we are using. The results from the information our team has gathered are not finalized yet. But we are eager to share our results with you when they are.   

Like all members of the LCDI, we welcome and encourage feedback. To give us any feedback you have, use the comment section below.

You can read our past research into other applications here.

Like the Leahy Center for Digital Investigation (LCDI) on Facebook and follow us on Twitter to get notified of more project updates.

The post Application Analysis Update 1 appeared first on The Leahy Center for Digital Investigation.

by

Application Analysis: Conclusion

Introduction:

To close out our list of Web Apps, we finished up on Discord. It has been an interesting experience for us to work with the three diverse apps over the last semester. Our analysis on Discord brought our research to a close. Seeing several key similarities with our first application Slack, it was an ideal application to close out our research for the side by side comparison.

Our Process:

With our final app, we utilized similar testing methods to Slack; we created a set of Test Channels and generated user data. After that was done, our team made a clone of the Virtual Machine, then deleted Discord on the original and promptly analyzed the images. In our findings, we noticed very similar behavior in storage of cached images when compared with Slack, although the content they each stored varied greatly. To read more about this topic, check our report which will be published soon.

In comparison of these apps, Dropbox was the most straightforward. However, it lacked the robustness of the other Web Apps as it lacked the expansiveness of XML. The app did not change much from the front end in terms of design. For the User Data, Dropbox’s local sql database provided information of what files were found on the Machine, along with deleted files visible in the cache. In contrast, Slack and Discord were two sides of the same coin. They both featured a strong use of XML to manage their styles, and featured images of user profiles and stored the urls of certain cached images. Discord did end up having one major difference. We were able to find bits of the messages amongst Win7enterpriseTest1\C\Users\User\AppData\Roaming\discord\Cache in messages?limit=50. We’ll have a deeper indepth look at this in our final report.

Analysis: Discord Artifacts

Going into Discord, we expected to find close to nothing on the local files of the web application, but after getting a closer look, we found out we couldn’t be more wrong. Discord has a strong security statement stating that they take the reasonable steps to ensure a user’s information is protected.

Application

The uses of caching and SQLite formatting allowed us to recover artifacts such as the aforementioned chat logs to the images and files uploaded. Interestingly, one of Discords more interesting features is its database’s storage of frequently used Emojis. In comparison, the Business Web Applications tried to stick to the bare minimum and focus on the bare bones such as only having time stamps and ID values. Dropbox’s Local Database primarily focused on this with it having extensive storage on File information, though it was lacking in the niches of Discord, which, as mentioned before, even stored emoji usage. A more extensive comparison can be found in our Final Report.

Conclusion:

With increased integration of platforms such as Discord, Dropbox and Slack, there will be an increased need for privacy. Implementation without security will continue to allow various security flaws to exist. However, it must be remembered that with the need for Security comes the need of usability. To remain a strong web application with a following, an ease of use, and efficiency must be maintained.

Through the process, our group learned a lot and got deeper insights on Web App Forensics. We hope this Blog can hold you over before the final report drops. Stay tuned!

Questions or comments? Please share with us in the comment section below! You can also reach out to our Twitter and Facebook or email us at lcdi@champlain.edu.

The post Application Analysis: Conclusion appeared first on The Leahy Center for Digital Investigation.