Forensic Blogs

An aggregator for digital forensics blogs

March 11, 2016 by LCDI

Cloud Forensics Update 1

Introduction to cloud Forensics Update Following initial research into the various cloud storage services involved in this project, the Cloud Forensics team has been assessing all possible avenues it can take to analyze as many artifacts as possible. We have appropriated an external hard drive to store images related to the project so that we […]

The post Cloud Forensics Update 1 appeared first on Computer & Digital Forensics Blog.

Read the original at: Computer & Digital Forensics Blog
Filed Under: Digital Forensics, Uncategorized. Tagged With: Blog Post, Champlain College, Cloud, Cloud Forensics, computer forensics, Digital forensics, Dropbox, Google Drive, icloud, LCDI, onedrive, Projects, Update

February 12, 2016 by LCDI

Cloud Forensics

INTRODUCTION to Cloud Forensics Storing data “on the cloud” is one of the tech industry’s newest buzzwords. Cloud storage is the process of preserving digital information through large networks of virtualized servers owned by a host company. You, the client, send data through the Internet to one of these services, which distributes it among their storage […]

The post Cloud Forensics appeared first on Computer & Digital Forensics Blog.

Read the original at: Computer & Digital Forensics Blog
Filed Under: Digital Forensics, Uncategorized. Tagged With: Amazon Echo, Champlain College, Cloud, Cloud Forensics, computer forensics, Digital forensics, Dropbox, Google Drive, icloud, LCDI, One Drive, onedrive, Projects

July 6, 2011 by Little Mac

Dropbox Forensics Follow-Up

Several months ago I started on a quest to research locally-created artifacts related to the use of Dropbox on Windows systems. This took several months of work as time allowed, in order to complete the outline I was following. This culminated in a blog post on SANS, a more complete article hosted on Forensic Focus, and a summary of artifacts on Forensic Artifacts. However, that's not all I have to offer on the subject. Yes, folks, for a limited time only, when you buy all three you get a fourth for free! That's a $19.95 value, included at no extra cost! (shipping & handling not included; residents of the UK must pay VAT - I know, it sucks)

At the end of the article (hosted on Forensic Focus), I wrapped up with some outstanding items, or possible other things to research. I have spent some more time going over some (only some, not all) of those; this follow-up post will cover my additional research:
1. Does unlinking (local or web) change the registry?
2. What impact does uninstallation have on the registry?
3. What are the various “hash” values; what do they signify?
4. Do the IP addresses vary with geographic area?
5. What data is transferred across the unencrypted connection?
6. Do the SQLite databases contain deleted entries, and how can those be parsed?
7. Are file/system IDs or encoded info stored in the databases, 'entries.log' or elsewhere?

1. Instead of using ProcMon or RegMon from Sysinternals, I ran Regshot 1.8.2 to take snapshots before and after each unlinking. Initially I kept getting a BSOD every time it scanned the registry, but switching systems eliminated that issue. Ultimately there were no obvious registry changes related to unlinking (local or web).

2. I used regshot before & after the uninstallation as well, and quickly identified 49 deleted entries (truncated here; complete on Forensic Artifacts):

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1: "{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2: "{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Dropbox\InstallPath: "C:\Documents and Settings\username\Application Data\Dropbox\bin"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}: "DropboxExt"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}: "DropboxExt"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\UninstallString: ""C:\Documents and Settings\username\Application Data\Dropbox\bin\Uninstall.exe""
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}: "DropboxExt"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}: "DropboxExt"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}: "DropboxExt"
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}: "DropboxExt"

I've x'd out some of the SIDs to (hopefully) make it easier to focus, and because I didn't want to post the full SIDs on the internet. I left the first segment for some of the SIDs since that part makes a noticeable, incremental change.
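As an added example that is not part of the original post, here is the same before/after comparison Regshot performs, done in Python over two `reg export` snapshots. Everything below is constructed for this illustration: the two exports are not real Regshot output (their paths and x'd-out GUIDs mirror the deleted entries listed above, and HKEY_CURRENT_USER is the live alias of the HKU\<SID> hive), and a real `reg export` file is UTF-16LE with a BOM, so decode it with `utf-16` before passing it in.

```python
import re

# Constructed sample exports in Registry Editor 5.00 format (regedit / reg export).
# They are NOT real regshot output; the Dropbox paths mirror the entries above.
BEFORE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Dropbox]
"InstallPath"="C:\\Documents and Settings\\username\\Application Data\\Dropbox\\bin"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox]
"UninstallString"="\"C:\\Documents and Settings\\username\\Application Data\\Dropbox\\bin\\Uninstall.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}"="DropboxExt"
"{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}"="DropboxExt"
"{00000000-0000-0000-0000-000000000001}"="UnrelatedExt"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
'''

AFTER_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00000000-0000-0000-0000-000000000001}"="UnrelatedExt"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
'''

# A value line is either  @=...  (the key's default value) or  "name"=...
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _logical_lines(text):
    """Join hex values that .reg files wrap across lines with a trailing backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def _decode_value(raw: str):
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])               # REG_SZ
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)                   # REG_DWORD
    if raw.lower().startswith("hex"):             # hex:, hex(2):, hex(7): ...
        return bytes.fromhex(raw.split(":", 1)[1].replace(",", ""))
    return raw                                    # anything else: keep the raw text


def parse_reg_export(text: str) -> dict[str, dict[str, object]]:
    """Parse an export into {key path: {value name: decoded value}}.
    A key with no values still appears, with an empty dict, so its deletion is visible."""
    snapshot: dict[str, dict[str, object]] = {}
    key = None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            snapshot.setdefault(key, {})
            continue
        m = VALUE_LINE.match(line)
        if key is None or not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        snapshot[key][name] = _decode_value(m.group(2))
    return snapshot


def diff_snapshots(before, after) -> dict[str, list]:
    """What Regshot reports: keys and values deleted, added, or changed between snapshots."""
    report = {"deleted_keys": [], "deleted_values": [], "added_values": [], "changed_values": []}
    for key, values in before.items():
        if key not in after:
            report["deleted_keys"].append(key)
            report["deleted_values"].extend((key, name) for name in values)
            continue
        for name, value in values.items():
            if name not in after[key]:
                report["deleted_values"].append((key, name))
            elif after[key][name] != value:
                report["changed_values"].append((key, name, value, after[key][name]))
    for key, values in after.items():
        for name in values:
            if key not in before or name not in before[key]:
                report["added_values"].append((key, name))
    return report


if __name__ == "__main__":
    result = diff_snapshots(parse_reg_export(BEFORE_EXPORT), parse_reg_export(AFTER_EXPORT))
    for key, name in result["deleted_values"]:
        print(f"deleted: {key}\\{name}")
```

Keys that vanish outright (here `Software\Dropbox` and the `Uninstall\Dropbox` entry) are listed both as deleted keys and as deleted values, so the value count lines up with what Regshot shows; a value that survives but changes is reported separately with both old and new contents.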

3. There is a correlation between the "hash" values in the various config files. Note that Dropbox hashes files in 4MB chunks and stores the resulting hashes the same way (base64 encoded), so a single file can have multiple hash values (but only when it is larger than 4MB). Here is where I followed the trail of hashes:
filecache.db: block hash field
entries.log: 5th section is the hash
sigstore.db: stores the hash (and the size in bytes)

4. I know that some application updates will reach out to different servers based on geographic location, and I wondered if this was the same for Dropbox. Using NirSoft CurrPorts, it was easy to gather the active connections here in Texas. I had reason to take a trip to California, so I did the same thing there. Finally, I established a VPN connection to another country and checked the connections that way as well.

There were some minor variations in IP addresses between the locations, although host names remained largely the same. The one thing that did not change in any of them was the IP address and host name of the sole HTTP (unencrypted, port 80) connection.

5. So then there's the question of this single unencrypted connection. I had not previously examined the content of this traffic, but I have now, using NetWitness Investigator to isolate the connection stream of interest and export it for posterity and further review.

It's basically a "Hello, here I am" and "Let's keep the connection going" type of conversation. Of course, it's in clear text. My only concern is that it transmits the namespace ID (from config.db, root_ns) and possibly that of shared directories as well (there is a second entry that follows the namespace format, but I haven't been able to confirm that yet). With some of the Dropbox-related security issues that have recently come to the surface, I'm a little concerned about this data being transmitted in the clear, especially when I don't know for sure whether it can be exploited (and since the IP address and host name are always the same).

6. Deleted entries within the SQLite database files can indeed be recovered. I suspected as much, but I'm not a DB (or SQLite) guru. Historically I've relied on others to develop a tool I can use for this purpose, and I've stuck to my guns in this instance. CCL-Forensics has a product designed for this purpose, called epilog; while it's a commercial product, there is a 7-day trial available.

I must say, it works quite nicely. I removed some files from my Dropbox folder just for this test (relocated to another directory), then downloaded (you have to register, but no sales personnel have contacted me yet), installed, and ran epilog. They have some videos on YouTube, but I found the info I needed in their Help file. There are several methods for recovering deleted entries, but I simply focused on "Free Page Analysis", which parses the linked list of free pages (the freelist) within the database. It very definitely did what I needed it to do.

Edit: I meant to note that when exporting report-type information from epilog, your option is basically an XML file, which may not be directly what you need. For me, I wanted to look at the data in a spreadsheet. Most methods for converting XML to CSV involve a couple of steps (i.e., XSLT); I found XSlicer to be very helpful.
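As an added illustration of the freelist-based recovery that epilog's Free Page Analysis performs (this is my example, not epilog's code or the post author's), the following Python walks a SQLite file's freelist by hand and carves printable runs out of the free pages. It builds and deletes from its own throwaway database rather than touching a real Dropbox file; the `secure_delete` caveat in the code is the one that decides whether anything is recoverable at all.

```python
import os
import re
import sqlite3
import tempfile

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")


def sqlite_page_size(db: bytes) -> int:
    """Page size lives at header offset 16 (big-endian); the value 1 means 65536."""
    size = int.from_bytes(db[16:18], "big")
    return 65536 if size == 1 else size


def freelist_page_numbers(db: bytes) -> list[int]:
    """Walk the freelist. Header offset 32 holds the first trunk page number; each
    trunk page starts with the next trunk page number, a leaf count, and then the
    leaf page numbers. Page numbers are 1-based."""
    page_size = sqlite_page_size(db)
    pages, seen = [], set()
    trunk = int.from_bytes(db[32:36], "big")
    while trunk and trunk not in seen:          # 'seen' guards against a corrupted loop
        seen.add(trunk)
        pages.append(trunk)
        page = db[(trunk - 1) * page_size:trunk * page_size]
        next_trunk = int.from_bytes(page[0:4], "big")
        leaf_count = int.from_bytes(page[4:8], "big")
        for i in range(leaf_count):
            pages.append(int.from_bytes(page[8 + 4 * i:12 + 4 * i], "big"))
        trunk = next_trunk
    return pages


def carve_freelist_strings(db: bytes) -> list[str]:
    """Pull printable ASCII runs out of every free page. Record payloads sit at the
    end of a leaf page, so a page reused as a trunk (which overwrites only its first
    few bytes) still keeps its old cells. Expect a stray leading character: the record
    header's serial-type byte is often printable, so match on substrings."""
    page_size = sqlite_page_size(db)
    found = []
    for n in freelist_page_numbers(db):
        page = db[(n - 1) * page_size:n * page_size]
        found.extend(m.decode("ascii") for m in PRINTABLE_RUN.findall(page))
    return found


def demo() -> dict:
    """Constructed demo: build a multi-page table, delete every row, then carve.
    secure_delete is forced OFF so freed pages keep their content; many distribution
    builds of SQLite default it ON, which zeroes freed pages and defeats this recovery."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        con = sqlite3.connect(path)
        con.execute("PRAGMA secure_delete = OFF")
        con.execute("CREATE TABLE file_journal (id INTEGER PRIMARY KEY, server_path TEXT)")
        con.executemany("INSERT INTO file_journal (server_path) VALUES (?)",
                        [(f"/Dropbox/secret-record-{i:04d}.txt",) for i in range(1000)])
        con.commit()
        con.execute("DELETE FROM file_journal")  # whole leaf pages move to the freelist
        con.commit()
        con.close()
        with open(path, "rb") as f:
            db = f.read()
    finally:
        os.unlink(path)
    return {
        "freelist_pages": int.from_bytes(db[36:40], "big"),   # header's own count
        "walked_pages": len(freelist_page_numbers(db)),
        "strings": carve_freelist_strings(db),
    }


if __name__ == "__main__":
    r = demo()
    print(f"{r['freelist_pages']} free pages, {len(r['strings'])} strings carved")
    print(r["strings"][:3])
```

Run it once with the `PRAGMA secure_delete = OFF` line removed on a build that defaults secure_delete on and the freelist is still there but carves nothing; that is the same distinction that decides whether a suspect's database yields deleted rows.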

7. And yes, other encoded data does exist within the different config files. Dropbox makes use of base64 encoding, and one of the key places is the "entries.log" file located within the ".dropbox.cache" directory inside the user's Dropbox folder. (This set of artifacts is discussed in more detail in the Forensic Focus article.) By cross-referencing with the various parsed database files, I was able to decipher the entries.log (pipe-delimited) file:
1st section is the filename (as it exists in the .dropbox.cache directory)
2nd section is root_ns/path
3rd section is a Unix epoch timestamp
4th section is the size (bytes)
In addition, in the host.db file the 2nd row is the user's Dropbox path.
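An added example (mine, not the original author's) that ties items 3 and 7 together: it computes per-4MB block hashes for the bytes of a cached file, parses entries.log in the five-field layout described above (filename, root_ns/path, epoch, size, hash), and checks each row against what is still sitting in .dropbox.cache. Two things here are assumptions rather than facts from the post: that the digest is SHA-256, and that several block hashes for one file are comma-separated in the hash field. The log lines and file contents are constructed for the example.

```python
import base64
import hashlib
from datetime import datetime, timezone

BLOCK_SIZE = 4 * 1024 * 1024   # the post: Dropbox hashes files in 4MB chunks


def block_hashes(data: bytes) -> list[str]:
    """One base64 hash per 4MB block, as the post describes.
    ASSUMPTION: SHA-256 is the digest; the post does not name it."""
    return [
        base64.b64encode(hashlib.sha256(data[i:i + BLOCK_SIZE]).digest()).decode("ascii")
        for i in range(0, max(len(data), 1), BLOCK_SIZE)
    ]


def parse_entries_log(text: str) -> list[dict]:
    """Parse the pipe-delimited entries.log layout from the post:
    cache filename | root_ns/path | unix epoch | size in bytes | hash.
    ASSUMPTION: multiple block hashes for one file are comma-separated."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 5:
            raise ValueError(f"entries.log line {lineno}: expected 5 fields, got {len(parts)}")
        cache_name, ns_path, epoch, size, hashes = parts
        root_ns, _, path = ns_path.partition("/")
        rows.append({
            "cache_name": cache_name,
            "root_ns": root_ns,
            "path": path,
            "timestamp": datetime.fromtimestamp(int(epoch), tz=timezone.utc),
            "size": int(size),
            "hashes": hashes.split(","),
        })
    return rows


def correlate(entries: list[dict], cache_files: dict[str, bytes]) -> dict[str, str]:
    """Check each entries.log row against the cached bytes: a size or hash mismatch
    means the cached copy is not the version the log row describes."""
    verdicts = {}
    for e in entries:
        data = cache_files.get(e["cache_name"])
        if data is None:
            verdicts[e["cache_name"]] = "cache file missing"
        elif len(data) != e["size"]:
            verdicts[e["cache_name"]] = "size mismatch"
        elif block_hashes(data) != e["hashes"]:
            verdicts[e["cache_name"]] = "hash mismatch"
        else:
            verdicts[e["cache_name"]] = "match"
    return verdicts


def build_sample() -> tuple[str, dict[str, bytes]]:
    """Constructed sample (not a real entries.log): two consistent cached files, one of
    them spanning two 4MB blocks, and one row whose cached bytes no longer fit the row."""
    files = {
        "c0ffee01.dat": b"quarterly-report-draft\n" * 200,
        "c0ffee02.dat": b"\x00" * (BLOCK_SIZE + 16),
        "c0ffee03.dat": b"edited after caching",
    }
    ts = 1309910400   # 2011-07-06 00:00:00 UTC
    lines = [
        f"c0ffee01.dat|123456/Documents/report.txt|{ts}|{len(files['c0ffee01.dat'])}|"
        f"{','.join(block_hashes(files['c0ffee01.dat']))}",
        f"c0ffee02.dat|123456/Photos/big.bin|{ts}|{len(files['c0ffee02.dat'])}|"
        f"{','.join(block_hashes(files['c0ffee02.dat']))}",
        f"c0ffee03.dat|123456/notes.txt|{ts}|5|{block_hashes(b'hello')[0]}",
    ]
    return "\n".join(lines) + "\n", files


if __name__ == "__main__":
    log_text, cache = build_sample()
    for row in parse_entries_log(log_text):
        print(row["timestamp"].isoformat(), row["root_ns"], row["path"], len(row["hashes"]), "block(s)")
    print(correlate(parse_entries_log(log_text), cache))
```

The same `block_hashes` output is what you would compare against the block hash field in filecache.db and the hash stored in sigstore.db; if a real client's values do not line up with SHA-256, the digest assumption above is the first thing to revisit.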

So that pretty much wraps things up. I did not do any research into alternate file transfer methods (I think Dropship has addressed that rather well), but I did note that if you share a file (Public folder) you can get the link to that file; that link can be transferred via email, IM, etc, and the file downloaded by whomever has the link.

Some other resources:
I've already mentioned epilog, which I think has great potential.

There's also Dropbox Reader by ATC-NY; it's a set of Python scripts to parse the SQLite files (they pull from the Dropship project). Alongside something like a SQLite browser, this can be very helpful for gathering and cross-referencing information.

Derek Newton has done some good research, hosted on his blog:
Forensic Artifacts
Security Issues

Great paper on cloud security (with focus on Dropbox) by SBA-Research; the actual download is here

I've mentioned the Dropship project a couple times, but it has been "officially" shut down. Research determined that it was possible to "share" files without using the Public folder, thus potentially facilitating illegal file-sharing. Although Dropship is no longer developed (by the originator) other forks can be found.

I think that's about it, folks. Unless something else comes up to pique my interest (I'm open to suggestions), I think I'm about done with Dropbox research for now. It's been a lot of fun going through this process, and I've learned a lot, which is also good. Hopefully this will all prove useful - to myself and others - in our forensicating efforts.

Read the original at: Forensicaliente - because digital forensics is 'hot'
Filed Under: Uncategorized. Tagged With: ATC-NY, CCL-Forensics, Derek Newton, Dropbox, Dropbox Forensics, Dropbox Reader, Dropship, Epilog, Forensic Focus, SANS, XSlicer


About

This site aggregates posts from various digital forensics blogs. Feel free to take a look around, and make sure to visit the original sites.


All content is copyright the respective author(s)