Forensic Blogs

An aggregator for digital forensics blogs

October 26, 2017 by LCDI

Application Analysis Update 1

Introduction

This project searches for artifacts left on the host by common desktop applications. We are analyzing each application on Windows 10, currently the second most widely used version of Windows. We began by generating data on virtual machines with the chosen applications installed. The next step is to use various forensic tools to extract information of forensic interest: any artifacts relevant either to the security of the application or to an investigation of its user.

Analysis: Web App Security

In this project, we will be analyzing artifacts left by three different apps: Steam, LastPass, and Fitbit. Given LastPass’s emphasis on security, we expect it to yield the fewest artifacts. Likewise, Steam is known for not keeping chat logs on the user’s side, whether on a PC or on a mobile device, so it is reasonable to assume that the amount of information it stores on the host is minimal. Fitbit, by contrast, may save substantial information on the host so that the app can be used offline.

Choosing the Applications

In narrowing down the list of candidate applications, we weighed several criteria for each app: the size of its user base, how much its users depend on the application being secure, and other traits specific to the purpose of the app.

Steam

Application

The first app, Steam, is a gaming and social media platform common on PCs, with a user base of over 125 million. Steam is well known for not retaining chat logs, and it saves achievements on its servers rather than on the host. Even so, the client could store a large amount of other information on the host, which made it a viable candidate. Our team plans to look for artifacts related to in-game actions as well as any action taken within Steam (wishlist, login information, screenshots, etc.). We will also be looking for any artifacts that contain personal information about the user or about the user’s friends.

LastPass

Application

LastPass is a password manager that is available as a desktop and mobile app, as well as an extension for many browsers. The application is popular for its security and its simple design, and has a user base of over 7 million people. Because a LastPass vault can hold a user’s passwords for many websites, it is an attractive target for attackers. A free tier is available without a paid subscription, which broadens its user base further.

Fitbit

Fitbit is a brand of fitness tracker. The device syncs over Bluetooth, through a PC or mobile device, to the user’s personal account. Fitbit has a user base of over 10 million people and is popular across a range of ages. The collected information is viewable online, on a mobile device, or through the desktop application. Fitbit logs movement and allows users to log other health information in the app, then uses this information to display progress over time.

Conclusion

So far, all teams have made good progress analyzing the artifacts the applications generate. We hope these artifacts will help us identify potential threats to the users of these apps. Our results are not yet final, but we are eager to share them when they are.

Like all members of the LCDI, we welcome and encourage feedback. To give us any feedback you have, use the comment section below.

You can read our past research into other applications here.

Like the Leahy Center for Digital Investigation (LCDI) on Facebook and follow us on Twitter to get notified of more project updates.

The post Application Analysis Update 1 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation

Filed Under: Digital Forensics, Uncategorized Tagged With: app, app forensics, Application Analysis, Application Data, Blog Post, Fitbit, Lastpass, Projects, Steam, Student Work, Update, windows, Windows 10

November 7, 2011 by Little Mac

BSidesDFW Follow-up

BSidesDFW_2011 - My Thoughts
Saturday, November 5th.
Check out the website - speakers, planners, sponsoring vendors, etc.

I arrived late to the fun as my daughter had a soccer game early in the morning; I deemed it a good idea to go to that first, so that delayed my start. Then poor choice of routes, road construction (thus the reference to route choice) and heavy traffic on side roads (see road construction), further delayed me, and I pulled up to the Microsoft Technology Center in the wonderful mood that traffic/road issues help me to find when I'm trying to get somewhere. Yes, folks, that's sarcasm. Drives me nuts, truth be told.

Anyway, I'm an adult, and it's not anyone's fault, so I pulled myself together and went in. I was greeted warmly at the front desk, and situated with my raffle ticket, drink tickets for the after party, and given my APT (Advanced Persistent Texans) t-shirt. Shortly thereafter I had the opportunity to meet Michelle Klinger, the main organizer, and everyone else involved in putting the event together. Great bunch of folks.

Since I was running late, I missed Lodovico Marziale's talk on Registry Decoder. That was a major bummer. I really wanted to learn more about it, and ways to use it, straight from the folks that made it. But I wiped away my tears, and headed upstairs to Michael Gough's talk on "The BIG ONE!!!"

This was an interesting talk, to put it simply. Michael made some very salient points about needing a PLAN, needing to educate top-level management on their role, and train them on what happens in a breach (both good and bad). A big emphasis should be placed on not pointing the finger or - even worse - getting rid of InfoSec personnel when a breach occurs. It's typically seen that InfoSec is to blame for the breach, where in reality it truly is a shared responsibility by different parts of the business. It's important - for a number of reasons - to give the InfoSec team the time and resources to address and remediate the issue. Far too often, we're blamed, and key personnel are removed (aka, fired/terminated/expunged/beheaded - ok, maybe not that last one); this really doesn't help and in fact causes more problems (such as voluntary departures by additional people, public sabotage, and other ongoing problems not directly related).

Another key takeaway was the need for a PLAN (I'm thinking flow charts and everything, maybe even swimlanes! ;)) As Michael described it, if X happens, we will do Y; he related this to plans at a former employer, back when Slammer hit. They actually shut down their internet connection on a Thursday, and didn't enable it again until Monday. That was the plan, and they did it. It cost them a ton of money, but saved the company 3 tons of money (interpretive paraphrase, but you get the point); some people didn't believe they would do it, and gave flak when they did, but in the long run it was worth it.

That was right before lunch, so once I made it through the food line (mmm, BBQ OR mmm, pizza) - hey, as a side note, the fine folks running the event had gotten hooked up with some local beer from McKinney, so anyone interested was able to have a tasty brew as well - I went looking for faces I might know. Sure enough, I saw Kyle Maxwell. He introduced me to a friend of his, Chris Gathright. After a good lunch, there was a raffle drawing, and prizes were given (just not to me).

Kyle and I hung out and talked until Andrew Case's talk on Data Exfiltration. I had to decide between Andrew's talk and Branden Williams' talk on the Anatomy of an Advanced Attack; Andrew's won out. Kyle and I were the only DFIR types in there, and Kyle had been the only one in Lodovico's presentation, but we expected that. For me, most of what Andrew brought up was just a review of information, as it was on host-based forensics (I was hoping for some network exfiltration after a breach, but it wasn't based on that).

However, he did some very cool stuff that I've not done before. He used scalpel to index the image looking for a "header" of a website URL and identify disk offsets. He then used Sleuthkit tools to map between the disk offset and file system, to find which files those offsets fell in; turns out, pagefile had numerous hits on gmail indices. So, he DD'd out sections of the pagefile, and ran scalpel against those with a custom file signature; this allowed him to successfully carve out multiple emails that were of interest and relevance. He also used Restore Points to help map out USB history; since he had RPs containing setupapi.log and registry files, he was able to pull usage history on almost a per-use basis, to show how many times several devices were used, and when. Now that's cool! Plus he mentioned a "setupapi extractor tool" that I need to find; I've always gone through setupapi.log with Notepad++ which worked quite well, but I'm always up for some new tool to make my job easier.
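The offset-to-file mapping in the walk-through above, as an added example that is not part of the original post or of the talk it describes: scalpel reports absolute byte offsets into the image, while Sleuthkit's `ifind -d` wants a data-unit (cluster) address relative to the partition, so each hit has to be rebased to the partition start (from `mmls`) and divided by the cluster size (from `fsstat`) before `ifind` can name the owning inode and `ffind` the file. The script below does that arithmetic and a scalpel-style custom-signature carve at each hit; it does not shell out to scalpel or Sleuthkit, it only emits the command lines to run. The image, partition layout (start at sector 63, 4096-byte clusters) and Gmail URL fragments standing in for pagefile contents are all constructed for the demonstration.

```python
"""Map signature hits in a raw disk image back to the file-system data units
that own them, and carve the fragment at each hit.

Added example, not code from the original post or from the talk it describes.
Image contents, partition geometry and URL fragments below are constructed.
"""
import re

SECTOR = 512  # bytes; mmls reports partition starts in sectors of this size


def index_signature(image: bytes, header: bytes) -> list:
    """Every absolute byte offset at which `header` occurs in the image
    (what a header-only scalpel rule reports in preview/index mode)."""
    hits, start = [], 0
    while True:
        pos = image.find(header, start)
        if pos == -1:
            return hits
        hits.append(pos)
        start = pos + 1


def offset_to_data_unit(abs_offset: int, part_start_sector: int,
                        block_size: int) -> int:
    """Convert an absolute image offset into the data-unit address `ifind -d`
    expects: rebase onto the partition (start sector from mmls), then divide
    by the cluster/block size (from fsstat)."""
    rel = abs_offset - part_start_sector * SECTOR
    if rel < 0:
        raise ValueError("offset lies before the partition start")
    return rel // block_size


def sleuthkit_commands(image_path: str, part_start_sector: int,
                       data_unit: int) -> list:
    """Command lines that finish the mapping: ifind turns the data unit into
    an inode (MFT entry on NTFS), ffind turns the inode into a path. `-o`
    rebases both tools onto the partition, in sectors."""
    return [
        f"ifind -o {part_start_sector} -d {data_unit} {image_path}",
        f"ffind -o {part_start_sector} {image_path} <inode printed by ifind>",
    ]


URL_RUN = re.compile(rb"[A-Za-z0-9:/._?&=%#+-]+")


def carve_url(image: bytes, offset: int, max_len: int = 256) -> bytes:
    """Custom-signature carve at a hit: the run of URL characters starting at
    the header, capped at max_len like the size field of a scalpel rule."""
    m = URL_RUN.match(image, offset, offset + max_len)
    return m.group(0) if m else b""


def analyze(image: bytes, part_start_sector: int, block_size: int,
            header: bytes, image_path: str = "disk.dd") -> list:
    """Index the image for `header`; for each hit record the absolute offset,
    the data unit to feed ifind, the carved fragment and the Sleuthkit
    commands that complete the mapping to a file name."""
    out = []
    for off in index_signature(image, header):
        unit = offset_to_data_unit(off, part_start_sector, block_size)
        out.append({
            "offset": off,
            "data_unit": unit,
            "carved": carve_url(image, off),
            "commands": sleuthkit_commands(image_path, part_start_sector, unit),
        })
    return out


def build_sample_image():
    """Constructed image: 63 empty sectors, then a partition whose file
    system uses 4096-byte clusters, with two Gmail URL fragments planted in
    clusters 5 and 9 (where a real pagefile.sys might sit)."""
    part_start_sector, block = 63, 4096
    fs = bytearray(12 * block)
    frag1 = b"GET https://mail.google.com/mail/u/0/#inbox/16ab HTTP/1.1\r\n"
    frag2 = b"https://mail.google.com/mail/?ui=2&view=att&th=15fe\x00\x00"
    fs[5 * block + 100:5 * block + 100 + len(frag1)] = frag1
    fs[9 * block + 10:9 * block + 10 + len(frag2)] = frag2
    return bytes(part_start_sector * SECTOR) + bytes(fs), part_start_sector, block


if __name__ == "__main__":
    img, start, blk = build_sample_image()
    for hit in analyze(img, start, blk, b"https://mail.google.com/mail/"):
        print(f"offset {hit['offset']} -> data unit {hit['data_unit']}: "
              f"{hit['carved'].decode()}")
        for cmd in hit["commands"]:
            print("   ", cmd)
```

On a real image the partition start and cluster size come from `mmls` and `fsstat` rather than from the constructed values here; the division is the same, and getting the rebase wrong (forgetting `-o`, or mixing sector and byte units) is the usual reason `ifind` reports a data unit as unallocated when scalpel plainly found live data in it.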

I wasn't sure which talk to attend next, but I was in the Track 1 room, and Michael Gough had another talk scheduled there, about Hacking a CardKey system; Ian Robertson was part of this as well. Sounded interesting, so I stuck around (Kyle went to sit in on the lightning talks); I'm glad I did, as it was interesting, scary, and informative. So as the story goes, "Peggy" (you know, from the commercials) was poking around on the internet and found some open ports (that didn't seem like they should be open), and was able to connect to them using some protocols that didn't seem like they should be allowed. Hmmm. "Peggy" was interested, and so set about finding out what was going on. Turns out, these were on cardkey systems, and they were infinitely pwnable. In the course of the research, "Peggy" and friends were able to build a mobile app that would unlock these systems (or the doors/gates they secured) at will. Ouch. "Peggy" reported the findings to the appropriate parties, and fortunately did not end up in jail. Whew!

By working with vendors, "Peggy" and friends have been able to help get some changes made that will at least provide the option of AES encryption. Just a side note, never assume you know who's at these things, or that they're one type of people/experience - I was surprised when someone asked what AES was, and why they didn't just use an encrypted password that couldn't be broken; the questioner seemed to have some other very technical knowledge, but it was apparently in a different area than I expected. Anyway, the crux of the biscuit is that these systems are STILL very vulnerable, and if you have any, make darn sure they're not on the internet, or upgrade the ethernet module so that AES is an option (then make sure to enable and configure it). There are still concerns, but at least that's a big help. By the way, I wasn't in on it, but Michael gave a lightning talk about Yubikey usage, and was giving away some free upgrades to LastPass Premium in the cardkey talk. A lot of folks also received Yubikeys, as Yubico was a sponsor. LastPass and Yubikey is a good combo.

The keynote was by Martin McKeay, giving a thought-provoking talk on fundamental flaws in Information Security. This wasn't a technical talk, which he stated up front. It was still very good, though. Don't want that to sound wrong, with the "though" in there. I think folks kind of expect to get down into the nitty gritty at these conferences, and Martin acknowledged that. So I'll put it this way - technical or not, it was a good talk.

My key takeaway was that, as an industry (with a career path) we're very young; only 23 years old. Firefighters, which we're often compared to (and Martin did as well), have centuries of experience, science, and testing behind them. Granted, their knowledge is changing, but they have a strong foundation and a long history. By and large, they KNOW what a fire will do. However, our landscape is changing on an almost-daily basis, our forefathers/frontrunners discovered and made stuff up on the fly, and we're largely continuing in that vein. We need to KNOW infosec, and if what we're doing works. We lack solid metrics, statistics, and facts. Martin pointed to the Verizon Data Breach reports as the best we, as an industry, have, but they really present a small cross-section of what's happened. Same for the Verizon PCI report. I feel kind of like Number 5, saying, "Need more input."

There was an after-party, but I did not stay for that. For whatever reason, I was really feeling tired (maybe being in a Microsoft building all day...), and it being a weekend, spending time with my family is important to me, so I headed on to the house. I enjoyed the event, I think it was well-done, fun, great speakers, good swag, and best of all - free. I'm definitely looking forward to next year's.

Read the original at: Forensicaliente - because digital forensics is 'hot'

Filed Under: Uncategorized Tagged With: Andrew Case, BSides, BSidesDFW, InfoSec, Kyle Maxwell, Lastpass, Martin McKeay, Michael Gough, Michelle Klinger, Yubikey

About

This site aggregates posts from various digital forensics blogs. Feel free to take a look around, and make sure to visit the original sites.

  • Contact
  • Aggregated Sites


All content is copyright the respective author(s)