Forensic Blogs

An aggregator for digital forensics blogs

by

Application Analysis Blog 1

What is Application Analysis?

Artifacts are a subject of fascination, full of information from their time and location.  An application leaves markers on systems that often go undetected by the user. These digital artifacts are small bits of information, ranging from profile icons to private messages. This information could be a threat, and it’s crucial that any consumer be aware of their app’s security. This means that if someone else gets into your system, they might be able to unearth info that could allow them to steal from or impersonate you.

The goal of this project is to find out what information remains after one removes an app from the system. Through this, we can learn what programs are secure and prevent any security risks.

Image stating

Browsers and User Privacy

In the first few weeks of the semester, we spent time examining the artifacts left by internet browsers. Through this, we uncovered a treasure trove of information in the “Appdata” folder. This folder is where every desktop application stores it’s information. Because it’s deemed unnecessary for user interaction, the Appdata folder is full of user input for most programs. If a normal consumer stumbled upon this, it wouldn’t mean much to them. However, this is all the juicy bits of data that were part of your account on a program. This could be very useful for someone trying to take control of your accounts.  For example, one of the files within this folder holds your Cookies, small temporary files that are responsible for holding small, session-long pieces of data.  

We took a look at the browser Firefox, made by the company Mozilla. There are three folders under Appdata: Local, LocalLow, and Roaming. The browser stores data that it accesses in a local server so that it can access it again, like your browser homepage.

Your credit card information that was put into Amazon is held in that file, as is your Facebook password. This is a risk for everyone and it needs to be addressed to make users more aware of their safety online and offline.

An image of the information under the Firefox tab in Roaming

An image of the information under the Firefox tab in Roaming

What types of applications will we be looking at? 

After working with browsers, we started researching other applications to investigate.  We decided to investigate Steam, Google Drive, Dropbox, Viber, and Twitter. Steam is a popular gaming PC gaming platform that, as of April 2019, has a billion accounts and 90 million users. It’s important that such a giant in the video game industry keeps its users’ information private. Google Drive is similar to Dropbox, but is better funded and more used. We are curious to see how much of a difference this makes security-wise for each user. Viber is a small Peer-to-Peer (P2P) application for smartphone and desktop use. P2P gives users equal permissions, allowing for fast data movement. Finally, Twitter is a large worldwide social media application that has had a history of insecurity in its system.

Conclusion

During the course of this semester, we will these desktop applications on our virtual machines. Doing this will generate data from the program into the Appdata folder. After this, we will completely uninstall the applications from the system, and investigate the data leftover, analyzing the trail of data to see if one could abuse it.

We will start next week with analyzing our first application, and we will be sure to let everyone know the verdict on our next blog!

 

Stay up to date with Twitter, Instagram, and Facebook by following @ChampForensics so you always know what we’re up to!

 

The post Application Analysis Blog 1 appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

by

Mobile Forensics Update 2

Introduction

If you read our last blog post, you know that the Mobile Forensic team ran into some issues early on. We are happy to share that we have since overcome those issues, and we’ve hit the ground running with our project. We are no longer using the LG G6 devices mentioned last month due to issues rooting these devices. Instead we are using Nexus 7 tablets running Android 6 and 7.

Two apps we pulled and analyzed data from are Snapchat and Telegram. Before we set up accounts, we had to create different personas for each team member. The personas we came up with were Johan Smith, Tony Pepperoni, and Mallow Operator.

Snapchat

Before we started collecting our data, we had to figure out what actions we would go through so we all had data we could compare. Some of the actions to generate data for Snapchat included adding each other as friends, creating a group chat, and posing to a story. When generating data for analysis, we kept track of who sent chats to whom, what time we did each action, and if anything went wrong. After pulling the data with adb, we compared the timestamps and actions from the pull with our datagen log. We were successfully able to see what Snapchat saves and what we can find on the phone.

Telegram

When we were setting up Telegram, we had to setup Google Voice numbers in order to create our profiles. With Telegram we also had to figure out what actions we wanted to take so that each person could get similar pull results—hence the creation of another datagen. With Telegram our actions included adding contacts, joining different groups, and sending videos and stickers. We kept track of timestamps again and then compared the data and the pull. We decided to use both Cellebrite and adb to see if there was any benefit of one tool over the other. At the moment, we’re still analyzing Telegram to see if there is anything noteworthy so stay tuned!

Conclusion

With these pulls we were able to see what data Snapchat and Telegram save on your phone. We were looking to see if any unusual data was saved by the applications. So far nothing has stood out with either Snapchat or Telegram. The next app we will be doing a datagen and pulling is LinkedIn.

Stay tuned for more updates to come and follow us on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI.

The post Mobile Forensics Update 2 appeared first on The Leahy Center for Digital Investigation.

by

Application Analysis Introduction

Introduction

This semester, the Application Analysis team chose four Windows applications to perform a forensic analysis on – Spotify, Bitcoin Miner, Speedtest, and Dashlane. In the coming weeks, we will examine the artifacts generated by these applications.

Analysis: Web App Security

We will inspect the applications’ security features. Without proper security features, hackers can access data stored by the application. Noting how the applications handle data will illuminate security features.

The Applications

Spotify is a web-based music streaming application. It has a user base of well over 140 million paid and unpaid users, making it the largest music service available. With a music library of over 30 million songs, it’s clear to see why users love it so much. Spotify features connectivity with friends and celebrities. The team wonders if this could lead to a privacy issue. We will analyze this by recording the data the application stores about music preferences and other personal information.

Bitcoin Miner is the most popular bitcoin mining application in the Microsoft Store. Cryptocurrency has recently emerged as a lucrative investment opportunity. Applications offering users a friendly interface for exchanging and mining cryptocurrencies have followed. We are inquiring about the artifacts left over by mining cryptocurrency.   

SpeedTest is an internet speed testing application that offers “easy, one-click connection testing in under 30 seconds.” It also claims to be “the most accurate and convenient way to test your speed.” Millions of users access this service. Analyzing an application such as this one should be simple. We will be looking into the data that the application stores about you and your device. This data includes age, gender, work experience, education, and browser history.

Dashlane acts as an online password bank. The application stores entered user and online account information. Never again do you need to remember all your passwords. You only need one master password to open Dashlane. The application will log-in to websites through its database and fill out forms with the information you provide. We will examine the artifacts generated by storing information, navigating to websites, and using the autofill feature. For this application, it will be important for us to be on the lookout for potential security risks.

Conclusion

Currently, we are generating and analyzing the artifacts as well as observing security features. We will report on our findings in the blog posts to come.

Post any feedback, questions, or general comments in the comment section below! Interested in our research? Follow the Leahy Center for Digital Investigation (LCDI) on Twitter @ChampForensics, Instagram @ChampForensics and Facebook @ChamplainLCDI.

The post Application Analysis Introduction appeared first on The Leahy Center for Digital Investigation.