Forensic Blogs

An aggregator for digital forensics blogs

April 30, 2020 by LCDI

Application Analysis Blog 2

Application Analysis Continued

On the Application Analysis team, we have been busy recovering data from deleted programs. Please refer to this link for our previous blog post and more information about what we do!

Google Drive

Since our last update, the team has been busy digging through Google Drive. While we found a lot of information, we also learned about some features of the application that were previously unknown to us. When a user starts the installation for Google Drive, the application creates a new folder and adds a syncing program that downloads and uploads files between that folder and the cloud. This is important to be aware of because once the program is deleted, this local folder and all the files within it are still available. This is a good feature from a user-interface standpoint, even if it comes at the cost of security: if the user has files on their drive and still needs them offline, it provides easy access. The problem arises if the user wanted all traces of their Google Drive gone from their computer in a single deletion.

In our experiment, we created test profiles and tested all of the capabilities of the application. Then, we investigated what information we could access after deleting the application from the computer. The separate folder still held all of the information that had been linked to Google Drive and downloaded to its local folder. The difference between local drive storage and cloud storage is that anything already downloaded can be read without the user's login and password. In addition, the folder created during installation is shown under “Quick Access” even after deletion, making it easily visible to unwanted users.

Introducing Axiom

When the team started investigating the evidence in Magnet Axiom (a commercial digital forensics investigation tool), the benefits of this method became apparent. Deleting the application does not leave behind the Google user's information (password, email, name, etc.), but the URL to each Google document is retained.

Picture of analysis tool results for Google Drive

The link to the Google Drive is to the right under Evidence Information

All of the files that were stored locally under the “Google Drive” folder were accessible from Axiom. In addition, every file carried a link back to its copy in the Drive that can be opened in a browser. Following that link from Axiom to Google Drive still requires the account login, so the information held only in the cloud remains protected. In a way this preserves future data security: later versions of the files are not accessible after the app is deleted unless the account owner is the one accessing them. It is a bit of both worlds for accessibility and security, as expected from such a large and well-developed company.

Dropbox

The team has also spent time sifting through Dropbox data from a similarly structured experiment. After we loaded the virtual machine file into Axiom, we saw that the system stores all Dropbox-based files, even after deleting the program from the computer. 

Screenshot showing the dropbox files visible in Axiom

Axiom processes a variety of information: when the user logged into the program, when they downloaded the default Dropbox files, the files/folders Dropbox stores and creates, when they were created, and the direct file paths of the files. 

Screenshot showing specific information about one of the Dropbox files

The approach Google took is very much present in Dropbox as well. The program created a folder in the local file system that remained after the application was deleted. However, the information in the image above does not include a link back to Dropbox. Without that folder there would be very little in the files themselves to show that Dropbox downloaded them. Unlike Google, however, Dropbox does not have its own formats (Google Documents, Google Presentation, etc.) or an online application for documents and files, a factor which likely influenced this approach.

Conclusion

Considering the type of user interaction these services provide, this outcome is surprising but not entirely difficult to understand. It is also worth knowing, since anyone with access to the machine could take advantage of the leftover data. To rid a system of all the information described above, the user has to remove it manually; uninstalling the desktop version of the program clearly does not delete it all.
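As an added example (not part of the LCDI post), the following PowerShell triage script checks a Windows profile for the residue the post describes: sync folders that survive an uninstall, whether the client is still registered in Add/Remove Programs, and whether the folder is still listed in Explorer's Quick Access. The folder locations are assumed client defaults, not values from the post; a custom sync root needs to be added to the list.

```powershell
# Added example, not from the LCDI post. Paths are assumed defaults for the Windows
# desktop clients; adjust $Clients if the sync root was moved during setup.
$Clients = @(
    @{ App = 'Google Drive'; NameMatch = 'Google Drive|Backup and Sync'
       Paths = "$env:USERPROFILE\Google Drive", "$env:LOCALAPPDATA\Google\DriveFS", "$env:LOCALAPPDATA\Google\Drive" },
    @{ App = 'Dropbox'; NameMatch = '^Dropbox'
       Paths = "$env:USERPROFILE\Dropbox", "$env:LOCALAPPDATA\Dropbox", "$env:APPDATA\Dropbox" }
)

# Programs Add/Remove Programs still knows about (64/32-bit machine hives plus per-user installs).
$Installed = Get-ItemProperty -ErrorAction SilentlyContinue -Path @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
) | ForEach-Object DisplayName | Where-Object { $_ }

# Folders Explorer currently shows under Quick Access (the Quick Access shell namespace).
$shell = New-Object -ComObject Shell.Application
$QuickAccess = $shell.Namespace('shell:::{679f85cb-0220-4080-b29b-5540cc05aab6}').Items() |
    ForEach-Object Path

foreach ($c in $Clients) {
    $stillInstalled = [bool]($Installed | Where-Object { $_ -match $c.NameMatch })
    foreach ($p in $c.Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        # Hidden/system files included: client metadata lives there too.
        $files = @(Get-ChildItem -LiteralPath $p -Recurse -File -Force -ErrorAction SilentlyContinue)
        $bytes = 0; foreach ($f in $files) { $bytes += $f.Length }
        [pscustomobject]@{
            App           = $c.App
            ClientPresent = $stillInstalled
            Path          = $p
            Files         = $files.Count
            MiB           = [math]::Round($bytes / 1MB, 1)
            InQuickAccess = $QuickAccess -contains $p
            Verdict       = if ($stillInstalled) { 'client in use' } else { 'ORPHANED: data outlived uninstall' }
        }
    }
}
```

Run it in the affected user's session; a row marked ORPHANED with a non-zero file count is exactly the leftover data that has to be removed by hand.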

In the coming weeks we will be investigating Steam. As the largest video game platform worldwide, it would need to keep its users’ data safe.  

We will be sure to let everyone know the verdict on our next Application Analysis blog!

Stay up to date with Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI so you always know what we’re up to!


The post Application Analysis Blog 2 appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

Read the original at: The Leahy Center for Digital Forensics & Cybersecurity

Filed Under: Digital Forensics, Uncategorized. Tagged With: application, Application Analysis, Data Recovery, Exploration Forensics, Internship, Magnet, Magnet Forensics, Projects, Senator Leahy Center for Digital Investigation, Student Work, Students, Update

September 20, 2019 by LCDI

Windows Store and Apps Analysis – MUS2019

Windows Store and Apps (APPX) Analysis

While attending the Magnet User Summit in Nashville, I had the opportunity to sit in on fascinating talks and labs. One of my favorites was the talk about Universal Windows Apps given by our very own Professor Yogesh Khatri and Jack Farley. As somebody who knew next to nothing about UWP apps, I was both impressed and surprised by Microsoft. Let’s talk about some of the highlights!

UWP Apps Pros and Cons

Firstly, what is a UWP app? The Universal Windows Platform is Microsoft’s vision for the future of Windows apps. This vision evolved to include the HoloLens and IoT devices in the equation for one SDK and one user experience. You may not think you use these, but the Windows 10 photo viewer, calculator, and settings menu are UWP apps.

The Microsoft Store securely delivers apps, which helps to ensure the integrity and authenticity of Windows apps. The app packages are also sandboxed, have very limited access to the Win32 API, and have no access to the registry or the computer's filesystem outside of their own container folder. That’s where Microsoft surprised me—sandboxing has been a hallmark of Mac App Store apps for years, and it’s great to see this essential security feature come to Windows.

You can manage permissions for these apps, and these permissions are called “capabilities”. The apps are also all neatly organized into their own folders, each with a unique directory name. And this is where I am not at all surprised by Microsoft: there are FOUR different naming schemes for these apps, and each scheme is used in a different place. This is the sort of confusing and complicated design choice that I would expect of the people who brought us… well, Windows. Further, to interact outside of their folder, they need to link to another process on the system called RuntimeBroker. This seems like a sloppy implementation since there will probably be numerous different RuntimeBrokers running at any given time.

App Use and Functionality 

As for what sorts of artifacts you can find in these container folders, if there is any internet functionality in the app, there will be cookies, history, and so on. There are also folders for files that are synced across Microsoft accounts and a cache for large files that the app can recreate but would rather not.

These apps function like mobile apps in that when they are inactive, they are suspended to conserve resources. The threads are stopped but the app stays in memory (unless Windows needs the memory for something else). Memory pages are stored in C:\swapfile.sys if they need to be set aside for a while. It’s possible that these pages will be compressed.

There was a lot more to talk about, too: what’s left over after an app is uninstalled (lots of registry stuff!), how you can get lists of installed apps, and so on. The slides and tools from the presentation can be found at https://github.com/ydkhatri/Appx-Analysis if you want to learn more.
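As an added example (not from the talk or the Appx-Analysis repository), this PowerShell script reconciles the per-user UWP container folders under %LOCALAPPDATA%\Packages with the packages Windows still reports as installed, lists the different identifiers one package goes by (Name, PackageFullName, PackageFamilyName, install folder), and flags containers whose app has been removed but whose data is still on disk. It assumes the standard container layout (LocalState, RoamingState, LocalCache, AC\INet*) and runs as the user whose profile is being examined.

```powershell
# Added example, not from the talk or the Appx-Analysis repo. Container folders under
# %LOCALAPPDATA%\Packages are named by PackageFamilyName; subfolders follow the standard layout.
$PackagesRoot = Join-Path $env:LOCALAPPDATA 'Packages'

# Index what is still installed by the identifier that names its container folder.
$KnownFamilies = @{}
foreach ($pkg in Get-AppxPackage) { $KnownFamilies[$pkg.PackageFamilyName] = $pkg }

# Artifact-bearing subfolders a reviewer looks at first (roaming = synced across accounts,
# LocalCache = recreatable large files, AC\INet* = cookies, history and web cache).
$Interesting = 'LocalState', 'RoamingState', 'LocalCache', 'TempState', 'Settings',
               'AC\INetCookies', 'AC\INetHistory', 'AC\INetCache'

Get-ChildItem -LiteralPath $PackagesRoot -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $family = $_.Name
    $pkg = $KnownFamilies[$family]
    # Which artifact folders exist and hold files, as "folder(count)" tokens.
    $present = foreach ($sub in $Interesting) {
        $dir = Join-Path $_.FullName $sub
        if (Test-Path -LiteralPath $dir) {
            $n = @(Get-ChildItem -LiteralPath $dir -Recurse -File -Force -ErrorAction SilentlyContinue).Count
            if ($n -gt 0) { "$sub($n)" }
        }
    }
    [pscustomobject]@{
        PackageFamilyName = $family
        Name              = if ($pkg) { $pkg.Name } else { '(uninstalled)' }
        PackageFullName   = if ($pkg) { $pkg.PackageFullName } else { '' }
        InstallLocation   = if ($pkg) { $pkg.InstallLocation } else { '' }
        ContainerWritten  = $_.LastWriteTime
        Artifacts         = $present -join ', '
        Verdict           = if ($pkg) { 'installed' } else { 'ORPHANED container: app removed, data kept' }
    }
} | Sort-Object Verdict, PackageFamilyName | Format-Table -AutoSize
```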

I am grateful to have had the opportunity to attend this talk and many others at the conference. Thank you to the LCDI and Magnet Forensics for making this possible!


Blog written by Champlain College first-year Jessica Hunsberger

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @Champlainforensics to see other important information pertaining to our project!

The post Windows Store and Apps Analysis – MUS2019 appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

Read the original at: The Leahy Center for Digital Forensics & Cybersecurity

Filed Under: Digital Forensics, Uncategorized. Tagged With: Apps, Blog Post, Champlain College, Events, LCDI, Magnet, Magnet Forensics, MUS2019, Nashville, windows

September 20, 2019 by LCDI

Internet of Things at Magnet User Summit 2019

INTRODUCTION

During the first week of April, I had the privilege of attending the Magnet User Summit in Nashville, Tennessee. Previously held as a separate training right before or after EnFuse in Las Vegas, the Magnet User Summit is a two-day conference put on by Magnet Forensics. It features talks and hands-on labs covering a wide gamut of topics within the field of digital forensics. I’m grateful for the chance to attend, as the keynotes and lecture sessions were all enjoyable. I learned so much about the field of digital forensics directly from industry professionals.

INTERNET OF THINGS FORENSICS

One of my favorite sessions was actually my first session, “Internet of Things Forensics”, presented by Jon Rajewski, the director of the LCDI. During the roughly hour-long talk, Jon talked about a number of popular Internet of Things (IoT) devices, including the Amazon Echo, Facebook Portal, and the Nest suite of smart home devices. Jon went into detail about each of the devices and his findings about them as a forensic investigator.

One of the more intriguing products Jon discussed was the Facebook Portal. Jon found that the Facebook Portal ran Android and accessed Facebook via a web portal rather than an application like the one on our phones. He went into detail about several IoT devices and showed the findings from the LCDI. The culmination of this work is an IoT artifact reference which they’ll release for open use. Through attending Jon’s talk, I learned a lot about the inner workings of IoT devices and their true security.

CONCLUSION

As the Magnet User Summit drew to a close, it was a bit bittersweet to leave. Besides the fact that Nashville was nearing 75 degrees, unlike Burlington, I had an incredible opportunity to learn. I gained more knowledge about digital forensics and networked with industry professionals! I am incredibly thankful to Champlain College, the LCDI, and Magnet Forensics for the opportunity to attend this year’s summit. Hopefully I’m able to attend another conference next year!


Blog written by Champlain College’s Jackson Wajer.

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @Champlainforensics to see other important information pertaining to our project!

The post Internet of Things at Magnet User Summit 2019 appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

Read the original at: The Leahy Center for Digital Forensics & Cybersecurity

Filed Under: Digital Forensics, Uncategorized. Tagged With: Amazon Echo, Champlain College, conference, Events, Facebook Portal, Internet of Things, LCDI, Magnet, Magnet Forensics, Projects, Student


About

This site aggregates posts from various digital forensics blogs. Feel free to take a look around, and make sure to visit the original sites.


All content is copyright the respective author(s)