Forensic Blogs

An aggregator for digital forensics blogs

by

Mobile App Forensics Intern Blog 2

Introduction

Over the past month, our team has analyzed the applications Expedia and Google Trips. These apps help users plan trips to locations abroad with features to order reservations and plan day trips. Our goal for analyzing these applications was to find out how much information they hold for forensic investigators. This will in turn give investigators an easier time catching suspects.

Findings

The application Expedia has very little, if any, information on the system itself. It appears to only store information if the user purchases a ticket. The only other thing we found was sometimes there may be a flight plan stored on the system, but that’s it.

Google Trips, on the other hand, stores most if not all of the information on the system itself. Specifically, it contains all reservations, day trips, and other user input on the system. The application also stores all locations and events of the city that the user is visiting. If a person uses this application rigorously it would provide investigators with a lot of information. The application relies on MIDs, or a set of identifiers provided by Google. When correlated with the locations using certain items in the database, one can easily find the location of the corresponding MID.

Conclusion

The team’s next project will involve game app forensics. What information do apps downloaded from the playstore keep? What is stored internally? The team’s goal is to find as much information as we can about internally stored device data from two game apps. The apps are unknown as of now. Stay tuned for updates by checking out @champforensicslcdi on Instagram and @ChampForensics on Twitter!

The post Mobile App Forensics Intern Blog 2 appeared first on The Leahy Center for Digital Investigation.

by

Application Analysis: Conclusion

Introduction:

To close out our list of Web Apps, we finished up on Discord. It has been an interesting experience for us to work with the three diverse apps over the last semester. Our analysis on Discord brought our research to a close. Seeing several key similarities with our first application Slack, it was an ideal application to close out our research for the side by side comparison.

Our Process:

With our final app, we utilized similar testing methods to Slack; we created a set of Test Channels and generated user data. After that was done, our team made a clone of the Virtual Machine, then deleted Discord on the original and promptly analyzed the images. In our findings, we noticed very similar behavior in storage of cached images when compared with Slack, although the content they each stored varied greatly. To read more about this topic, check our report which will be published soon.

In comparison of these apps, Dropbox was the most straightforward. However, it lacked the robustness of the other Web Apps as it lacked the expansiveness of XML. The app did not change much from the front end in terms of design. For the User Data, Dropbox’s local sql database provided information of what files were found on the Machine, along with deleted files visible in the cache. In contrast, Slack and Discord were two sides of the same coin. They both featured a strong use of XML to manage their styles, and featured images of user profiles and stored the urls of certain cached images. Discord did end up having one major difference. We were able to find bits of the messages amongst Win7enterpriseTest1\C\Users\User\AppData\Roaming\discord\Cache in messages?limit=50. We’ll have a deeper indepth look at this in our final report.

Analysis: Discord Artifacts

Going into Discord, we expected to find close to nothing on the local files of the web application, but after getting a closer look, we found out we couldn’t be more wrong. Discord has a strong security statement stating that they take the reasonable steps to ensure a user’s information is protected.

Application

The uses of caching and SQLite formatting allowed us to recover artifacts such as the aforementioned chat logs to the images and files uploaded. Interestingly, one of Discords more interesting features is its database’s storage of frequently used Emojis. In comparison, the Business Web Applications tried to stick to the bare minimum and focus on the bare bones such as only having time stamps and ID values. Dropbox’s Local Database primarily focused on this with it having extensive storage on File information, though it was lacking in the niches of Discord, which, as mentioned before, even stored emoji usage. A more extensive comparison can be found in our Final Report.

Conclusion:

With increased integration of platforms such as Discord, Dropbox and Slack, there will be an increased need for privacy. Implementation without security will continue to allow various security flaws to exist. However, it must be remembered that with the need for Security comes the need of usability. To remain a strong web application with a following, an ease of use, and efficiency must be maintained.

Through the process, our group learned a lot and got deeper insights on Web App Forensics. We hope this Blog can hold you over before the final report drops. Stay tuned!

Questions or comments? Please share with us in the comment section below! You can also reach out to our Twitter and Facebook or email us at lcdi@champlain.edu.

The post Application Analysis: Conclusion appeared first on The Leahy Center for Digital Investigation.

by

Application Analysis: A Closer Look At Business Apps

Application Analysis Introduction 

The Application Analysis team has continued examining the desktop-based web applications for both Mac and PC. We are currently finalizing our tests with Slack and DropBox. They were searching for files that could hold company, user, and file information. While these are only tests in the context of a real world scenario, this info represents important organization information from things like employee info to upcoming projects and intellectual property.

Application Analysis: Slack Artifacts

Prior to starting our tests on Slack, our goals were to recover user data and messages. Using Guidance Software’s EnCase 8, we were able to meet our goals and research our findings.
We found several useful artifacts from our macOS Sierra data generation with Encase.  The relevant data we found was located at:\Users\test\Library\Application Support\Slack\Cache. In the file slack-teams, we managed to find the username the person logged in used, their userID, and the ID of the team they were a part of. There are also urls to different sizes of the team’s logo on slack. The urls (example: https://s3-us-west-2.amazonaws.com/slack-files2/avatars/2016-08-23/72112878551_1f33a19b4d74ef683b3e_original.png) contain the date of when the avatar was uploaded.

application analysis

In the file slack-settings we found data about the client itself such as the version number, version name, and platform. This entry also has a field for isWin10 and isBeforeWin10, which raises questions about the differences between the Windows 10 version of Slack and other versions.

application analysis

Application Analysis: Dropbox Artifacts

In our investigation of Dropbox we focused on what document data Dropbox stores and what it leaves on a client computer through its Web App. One of the most lofty statements made by Dropbox is it encrypts data at rest with AES 256-bit encryption, but what we found was a little bit more interesting. To investigate the team used the default Dropbox settings, and to our surprise the desktop folder for Dropbox is not encrypted.

application analysis

The issue here is that the AES 256-bit encryption applies to the data on their servers at rest; while leaving the user’s folder unencrypted. Another interesting bit of data was .drop.cache containing a deleted file that was not on the user machine before deletion, but still showed up even though it was deleted on the web browser the file in question is: Get Started with Dropbox (deleted 44ddbfbbf1afaa31a4c4909fe4a9690b).pdf

While it is a simple Dropbox default file if important documents are deleted and still accessible that would pose a security issue, as it could providing people attempting to steal information with the info they need. The usage of SQL databases was found in Dropbox’s app data with the file C\Users\User\AppData\Local\Dropbox\instance1\aggregation.dbx being a example of this.

application analysis

It stored info of all files currently on Dropbox with timestamp server paths and even had a spot for editor names. As this information was easily accessible it would leak what documents the organization stores, the timestamps could help build a timeline and editor name reveal who is working on what document. In the real world, an organization’s information could be leaked and intellectual property could be copied, tracked, and pinpointed to who works on what.  
After deletion the program data (86x), program data, along with the User’s app data was deleted. However the C:\Users\User\Dropbox folder stayed along with the shared folder allowing the user keep all the Dropbox files. If a company tries to issue a deletion of Dropbox from a user’s computer, they would need to take extra precautions, as a terminated employee could still have the files stored on their computer even through the app itself was deleted.

application analysis

Process: Through Windows and Mac

The artifacts we were able to acquire in Windows 7 and Windows 10 on Slack and Dropbox were almost all but the same. Slack on Windows 10 had all the data we found on Windows 7 but because of reasons unknown, we could not view image files pulled from Windows 10. Windows 10 and 7 yielded the same artifact results for Dropbox. We were able to find different cache files and images. However, similar to Slack, while some files could be viewed in Windows 7, larger files could not be viewed in Windows 10.

Windows 7 was interesting as Encase identified the Data_2 and Data_3, which consisted of images, after it was parsed as information from Google Chrome Browsers. The same case occurred on Mac with the Windows 10, which did not have the Data_2 and Data_3 images. The usage of SQL Databases was, in the same way, was present for both Mac and Windows for both Dropbox and Slack. The parsing of these Databases was able to provide info on what apps it is ready to use and what files were stored by the App as in Dropbox’s case.

Conclusion

The usage of SQLite databases by Web Apps is interesting as it ended up being one of the primary sources of evidence of file activity as well as storage information. The caches were unsurprisingly vital to the investigation as cached files gave up a lot of data such as Slack revealing user portraits and Dropbox showing deleted files. Despite the OS differences, the Web Applications all followed the similar file layout across all three OS systems; however, differences were still present. Windows 10s differed in its method of storing cache causing Encase not to parse the data. Oddly enough, all three systems featured the Web Apps using SQLite databases for parts of local storage. Overall, while they did reveal user information, the data could only be used primarily for phishing attacks and Intellectual Property theft. Stay tuned for our final results.

Questions or comments? Please share with us in the comment section below! You can also reach out to our Twitter and Facebook or email us at lcdi@champlain.edu.

The post Application Analysis: A Closer Look At Business Apps appeared first on The Leahy Center for Digital Investigation.