windows Archives | Forensic Blogs

April 30, 2020 by LCDI

Free Password Managers – Live Testing

One of the most useful tools a person can use in their online life is a password manager. A password manager is a tool used to store records of a person’s usernames and passwords for their accounts. This can be used for any account, from email to social media. Luckily, there are many free password managers available to use. Our project at the Leahy Center is to investigate free password managers. We are ranking five password managers on their security, user-friendliness, and customizability. However, because of the time it takes to complete live testing, so far we have only tested two password managers: KeePass and RoboForm.

Current Tests KeePass Step 1: Examine the layout

At first glance, KeePass seems outdated. The interface isn’t as simple as other password managers, and there are an abundance of tabs. The options under each tab seem to go on forever. That doesn’t even include the options under the application settings! But KeePass has a secret: customization. There are dozens of plugins available for download. Plugins are downloadable software add-ons that provide extra settings for base application. All in all, KeePass is one of the best password managers for layout, but if you are not very tech minded, our team would advise you to steer clear.

Step 2: Test the creation of accounts

Creating a password can seem intimidating, but is actually a simple process. The key is to let KeePass do most of the work. To start, right click on the open window and select “Add Entry” from the menu. This takes you to a window that allows you to add a title for the entry, a username, a URL and finally your password. Conveniently, KeePass will generate a password for you. This means you never have to worry about sufficient complexity or remembering an impossibly long password.

Once you have created the password it will appear on a table in the main KeePass window. You can also categorize your passwords through tags. On top of being able to create a password, you can also configure KeePass to automatically type in your passwords. This feature, unfortunately, requires a bit of fiddling to get working. If you are not a very techy person it will not be as easy to use.

Step 3: Use within browsers

Using KeePass in a browser can be inconvenient at times , but it is one of the most universal password managers. This is because it employs simulated key presses; you need to activate the auto type from within KeePass, but because of this it works in any browser as long as there is a text field. If you cannot get the auto type to work you can simply copy and paste the password from KeePass. However, like auto type, this requires you to keep switching between KeePass and your browser. There is a keyboard shortcut that can be applied (Ctrl-V), yet still it can be an inconvenience to keep switching. Overall, using KeePass can get tedious but its universality is unparalleled.

Preliminary Conclusion

In conclusion, KeePass is an excellent free password manager. It is open source and more secure than other free password managers. It takes advantage of simulated keypresses instead of cloud storage. There are some downsides to it though. You can’t sync your password vault across devices and it does take a bit of work to learn how to use KeePass to its full potential. While we would not recommend KeePass for widespread commercial use, if you are computer savvy and you don’t want to put your trust in cloud storage, then this would be the perfect manager for your personal use.

Verdict: Alan Turing Approves!

RoboForm Step 1: Examine the layout

RoboForm is similar to their predecessors in the organization style. Tabs along the left side display the account types and important settings, with the more advanced options in a drop-down bar at the top. This makes it easy for quick access, as more of the advanced options are underneath the drop-down bar.

However, that doesn’t make RoboForm a perfect fit; the only way to create accounts is from the browser extensions themselves. Even then, the records are only created after you sign into the account, which then RoboForm will prompt for you to save the account. The only ways to reach the Help section are available through the desktop application and by searching RoboForm’s website. There isn’t a Help section within the browser extension. This doesn’t mean that RoboForm is a bad password manager. All it means is that it is probably better to install both the browser extension and the desktop application for you to get the full experience.

Step 2: Test the creation of accounts

As mentioned previously, RoboForm will only allow you to create a record through the browser extension after you sign into an account. This can be a bit of a pain, as that means you can only create records this way. However, you can import records through the desktop application straight from a browser or other password manager, or even a CSV file. There isn’t the full range of import options available in other password managers, but it is a fair amount.

You can also launch the website from the manager, where it will autofill your data and log you in. It isn’t a revolutionary idea, but it does work. There’s also a variety of records that can be created. One special feature is that RoboForm can save records for other desktop applications. This isn’t seen as much for free password managers. The Security Center is also quite useful, telling you your password’s strength, age, and if it has been reused or is a duplicate. The feature is usually only available in paid password managers, so this is a great incentive for RoboForm!

Step 3: Use within browsers

RoboForm provides extensions for the four core web browsers: Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera. There are also extensions for Internet Explorer and Safari. As for the actual use of the extension, everything works. Auto-fill works, updating passwords after a change is automatic, and there is syncing across browsers, with a customizable password generator available when you create an account. Of course, you can only create records after signing in, but you can edit your records from the extension as well as print the list of records. You can even access the Security Center from the extension! All in all, the browser extension seems more developed than the desktop application. So, if you have to pick between the desktop application and the browser extension, I recommend the extension.

Preliminary Conclusion

RoboForm is a comprehensive password manager with both free and paid versions available. However, after examining the free version, I see no need currently to upgrade from the free, as there are a great many deal of features available already. The only benefits I can see to upgrading would be cloud storage and for syncing across devices. In conclusion, RoboForm is great for people who need a simplistic password manager that aren’t worried as much about customizing their record-keeping and manager.

Verdict: Get it for Mom!

The post Free Password Managers – Live Testing appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

November 15, 2019 by LCDI

Application Analysis Blog 1

What is Application Analysis?

Artifacts are a subject of fascination, full of information from their time and location. An application leaves markers on systems that often go undetected by the user. These digital artifacts are small bits of information, ranging from profile icons to private messages. This information could be a threat, and it’s crucial that any consumer be aware of their app’s security. This means that if someone else gets into your system, they might be able to unearth info that could allow them to steal from or impersonate you.

The goal of this project is to find out what information remains after one removes an app from the system. Through this, we can learn what programs are secure and prevent any security risks.

Image stating

Browsers and User Privacy

In the first few weeks of the semester, we spent time examining the artifacts left by internet browsers. Through this, we uncovered a treasure trove of information in the “Appdata” folder. This folder is where every desktop application stores it’s information. Because it’s deemed unnecessary for user interaction, the Appdata folder is full of user input for most programs. If a normal consumer stumbled upon this, it wouldn’t mean much to them. However, this is all the juicy bits of data that were part of your account on a program. This could be very useful for someone trying to take control of your accounts. For example, one of the files within this folder holds your Cookies, small temporary files that are responsible for holding small, session-long pieces of data.

We took a look at the browser Firefox, made by the company Mozilla. There are three folders under Appdata: Local, LocalLow, and Roaming. The browser stores data that it accesses in a local server so that it can access it again, like your browser homepage.

Your credit card information that was put into Amazon is held in that file, as is your Facebook password. This is a risk for everyone and it needs to be addressed to make users more aware of their safety online and offline.

An image of the information under the Firefox tab in Roaming

What types of applications will we be looking at?

After working with browsers, we started researching other applications to investigate. We decided to investigate Steam, Google Drive, Dropbox, Viber, and Twitter. Steam is a popular gaming PC gaming platform that, as of April 2019, has a billion accounts and 90 million users. It’s important that such a giant in the video game industry keeps its users’ information private. Google Drive is similar to Dropbox, but is better funded and more used. We are curious to see how much of a difference this makes security-wise for each user. Viber is a small Peer-to-Peer (P2P) application for smartphone and desktop use. P2P gives users equal permissions, allowing for fast data movement. Finally, Twitter is a large worldwide social media application that has had a history of insecurity in its system.

Conclusion

During the course of this semester, we will these desktop applications on our virtual machines. Doing this will generate data from the program into the Appdata folder. After this, we will completely uninstall the applications from the system, and investigate the data leftover, analyzing the trail of data to see if one could abuse it.

We will start next week with analyzing our first application, and we will be sure to let everyone know the verdict on our next blog!

Stay up to date with Twitter, Instagram, and Facebook by following @ChampForensics so you always know what we’re up to!

The post Application Analysis Blog 1 appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

October 6, 2019 by Mila

Masad Clipper and Stealer – Windows spyware exfiltrating data via Telegram (samples)

2019-09-25 Juniper. Masad Stealer: Exfiltrating using Telegram
“Masad Clipper and Stealer” steals browser information, computer files, and automatically replaces cryptocurrency wallets from the clipboard with its own.It is written using Autoit scripts and then compiled into a Windows executable.
It uses Telegram to exfiltrate stolen information.

Download. Email me if you need the password (see in my profile)

Download 2

Malware Inventory (work in progress)

Links updated: Jan 19, 2023

Masad Stealer: Exfiltrating using Telegram - Juniper Blogs
KPOT Analysis: Obtaining the Decrypted KPOT EXE

Hashes
SHA256SHA1MD51acf5a461ee16336eb8bbf8d29982c7e26d5e11827c58ca01adac671a28b52ad6001b34c17c122d201613fffd846b056614b66dae03234c2259c474aeb69500423ddeed7290a1b89517dec10bfd9938a0e86ae8c53b0c78ed7c60dc99e4f8e5837f4f24a32800c10588053813f55bf8c87771311c5f7f38e2df4c1cf093c8373a8f2f194e77b69a27937a1068f130a90b44781eea3351ba8a2776d0fede9699ba8b32f3198de045ba2a67b06344e4f1cf85086f6b584316ec53d5e548368f1c4d8f0d908f5f4ff671df5f1da87e44bca3cc360c64cc7449ec1dc26b7d1708441d471bf3d36cd330db35762942fe5483e6b82220eeeef12e531eb3347fea16ac11082ce517dd23eee335bedfc6bcd8205cf97d52551a96dacb089ac41463d21cab2b004ba8c38ffc6cb5fb0958ddd34db5b79a15cb61f5260f0b9d807faa160e6d49590e4b5fdf9653eb1ffbdae8cb4f1f2d7174779aa23c5a25c7cdbaba9c6c655c918dac3d9823ac62ebed9d7d3e94e1eaafc074a279a6b82fe801d3c8be9d16df2ef5623b177040029ab0fd56cd7e493b46a331ef18bd303d703f6d341be258ac3d95961ff0a67d4bf792f9e896530e193b091dca29c2ea9740352af2c9cc926deba7dffc452f213f7f05fa462aac76def5b53351b3b1ddb41124ca368b6755e62e5c0ff79ea1e3bd146ee8a349af309b4acf0558a9c667e78293ae16167ab646381c277c2ca84319ceb57bacb2c92c4cdc7665adb1cda5897d4df4a560f88ba933cefbe9a8034f0ba34e7d18481a7db7451c8ef4b6172fb0cad6db0513a5100749407e97085af470c75ef004f2235d30af44fc26a3f2317507a09d91014469b0453843ba3c528d11d1df62a969a282e9e54534fb3845962672ad6d8bbc29cb6d062f5b8100890c0f1894544b3f99168377ec46c38e9114a0607b4488cd539b8b0b443abd121e3b763054180cd4e24c0a78b49055ad36dbc849f1a096cddf2db8cee0b9338c21d7bec99308ce4bf409417b642cd9432000a5c19d22dfb1d606e5539399aa1a536baafd2f8d5ce4b04b7eec6530a4a9d40510177468fadc235253e5a74530a8c9d990f3c5027fc204ffa42262b7570b6fccb435d4d38a3610fc5d8b73da810646407c333fe52186281965a5949d8f94e17ebcd4cb6d0a7c19f49facbfc1b1c74111e5ceb83550d6c8f7698584b2e7c62061447a6a2583ed6957180c205e7ebe4411664672359b393f530fc2fc144134b9d4b10d94f6381b446a1728b116d62e65c1a52db45235af12caf7e38c0fd114077927d501606575ba9ab38ecfb3407d432a4388980d7e3539d74a950dab23d00ac848d76a227f4fe282b7ddfd82a6dfc4c25da2735a684462b42fe4e1c413d8e34135cee7610890497183eb6251efef307ea013fe17bb23077b4f80df48b91b425eda058285ca0a957fe6c253827f344da4ba8692d77a4e21a1df4251594be2d27d87dd8aed231874332ca462fb462e4f68450d2c2c22d4bcddda77b3f3f74a2bdffd167917686e139016fa511f6546ed439d2606c6db8821685a99f5a14ef3f710668b58dc89c69265c83749c62ee0131710bf26931cb1e463a8fbda3b0c34df85677d8f752dc1e1a5eeba0c922be594fbfa878f631c0632f6c4d260b00918817ff66a1f9f15efe44c1a58460856d635fca52631305f1fefc58eafa74496524b660ebf41953d5c6e212fc306cdb0c6519f3571ec66288405dab43332ca03812617f85fb08832fbbe1f1d89901fe034b8a819485e20d841195e2e8a7ae5b41ff709887bb216984d37863c08b9fdd969297d35d353804c949eca23103b1de05278b49f42c3ab6b06f4bf20aafa5f2faefaa84c16ecd0487db2df1802dd4ee4ae3b62b5f08937dd5c77c4366ee61cbd7e636aea8540836a60036d6fc04acda8f33a6d35eb577c27754c2f2b4d6f4869576c7c4e11b2c5e9b017683ae89826114662dad8553d5eeed5217b57047f22bc964e294d7ab314c34e5934d91a5a918c0bd4dd98008383fc52045ad896449fa7f0037593bb730ed1ef88aa547006dbcaa05b60a9d625852ac4f2d0d805ab16498815535d9f08c39c4cf396427f3a345e5c09a4c9d5469e9095813418260045c2b11e499e4eaa0ffb25293f90f580c464157df4c6aacc0b893ed366f9f307326e59efa61e5153450dddaf7e5bb24aabf66eecd0c8b79cf0b5f1fbc05dc8baca492b748adeb01fb4904e02723b59211ecde222f7b12d91e87f898e0d41c0f2c22d4e9278a942326877fc368da780b72140535d4c2d391e76dc8181d31ad5c4547ceae4d0550c8460524c16a6105afc056760e872c4966656256c9dc37f485d3fa8f6cf13061cb1ea38ae0d5d2edfd95134aefcf640c24a1ab5344a96150fb05edb00a0e5ff70e899857549e3263c887a799416c8bbab43ab130ca1be9bbd78c42c30dc551a3cb3bc935c0eae79b79f17942e439c2722241f765d2ad4fb58edd76a4adea96f852b81760a425befaa11ea37c0cdea2622630bf2a0c94bb95042211ab614d5d9782064bc38d40c88f32c0410479cbd61caa40f332cfcda8c0ef579ede59eff23caa1e57fd171a5b1a88e9583b42439851a91a940eb31105ab29cb314846da2ed43b820bfec2059823b936d782bea7bc16abd9923dddb56fff82df7a565b4570d299486697310f277018b2cc6226dca6c7678cac6718c8584f7231340ad8cd7c03477559fdf48b261f916ce97ffc6817a4772705df68e6ccca8181009dc7d8766a85d85bb6a26ee69b66fee968affb1fc7756deb0e29807a06681d09a0425990be76b31816795875469e3dcf78484a999183324da9affdf2aaeff508d1dc473e1b8f6313447b8a4b49671ddeb8a4ee4b1ccf6b823ee82e400ba25b1f532cd369d7e536475a470e2011b77ffeaf7bb3bc988f7cd32d411f2a9888afc72c7a892e2a1def55128a3da6f70129acdbf9dbe955cfe7fc84d6636a34ad1a11dbaa1daec179e426bdcd9887b3d26dc06b202417c08f951df31bec02e35c9a4656bb3a3bdf631bb37605a855d77ab16377a8a314982f723fcc6fae9ca15f15fbae58cb97b0d48a0248461e78e34e6d530338e3e5b91f209a1662678505dfaad6d10b84c73544eb748d547cb5bad9bdebc12c530dab0a65c37ffd72612fa70531f3a402c1662ed6adffbf2b1b65cf902d1df763698eb76d21e4e94b4c62971418c972722d984ff6da2bc26a0aca4c7f209cc39c05bbf6e72b5b24c0c81e0671bf17b1e78d9f124ddd69c257189f1e814bb9e3731c00926fc2371e6ebe2654f3950ca02e553cd98c83e945ee3013aa40897baec0305b34a2b4030025e039c54c2d3923057447494ca0923d7645604faaa864a079adeb741a5d6e65507a2819b2fee4835d396077d9f8e6995e28c789d8b24e982ac53d5d6ba453de73b796f85c8a7de71407d6e3c4206edda3a19b790ea12f785256510dde367d3313b5267536a58ca0c27dbdac7c693f57e1a92f7393daf7ead9a44b12e35f850705798fc879a6defec886d31f6375712466dd794a96f030fb4e859ee6a97c50c973a73dced3640befe37f579cfd15367ce6a9bbede2ad3a1e779f02539ccd07bff735e0823add9730b2c259564a8fe72333604a5686e30f6242f01db6d77ac21211992ceae4e66e1e03c1cb39d61e03645b9369f28252ca769314c6bf63ff4d32d8a0a42e81ea39304fb7ab13c880fe593ef5538fbf66b3b3e1cb7b9b8bdfe3d0e95feaed685a784aed14d087b019ba2eb0274947a840d2bdbae4ae36742107d057478328df8f538102508de00b0c4b37c7b5a85a0e7a2c4197c3794c8bb2eb5763bf6083040ca51e83415f27c9412d9e3d700bd0841493b207bc96abf944ab0ca709a695ce6c35c029dd7577e29f403d7144698b417a2edceb31a9c0d05e5f13c6caee0576b154151dc8ace5c57f109e6bb211a019db20c4f0127c4d13c7703f730bf492768c0cda049c85493df4e97db3db4ddc94075ba62cb6a895ac5ba5b6472680d47410a238a56bf6b1bde63cee9b81902efd187fdd56ecee5853754ce0a19d5ab5c3b02429886e2d4f0bcc97ce130ae89647f648d3e96548a391a29f9d176b913e7f693355700aaadbb90dcf547bd8f4074af97416d8b84ea64b2f3319064aa4bce64ad0c2e2d3957175a996b925e9391a69140caf6e4adba928694ffe66dd575413a40839f2807593aa21c711526cff1249cc45b61ce8d28d87f8edc6616447e38168e610bed142f0b9c46ea6849baa823deb9075e8df77b891115c019244de09de488bb5c0739485721182c01a82b01d145b5ebe019806885bbaafe37bc10ca09549e41c240b793fd29a70690a5d80b4963d46711f9064b96ff2d0affdef1ecd82d120659db95e2d8a8509ac05f5445d18d32cc7cb103d87098c9702cab7454b52869aeeb6a22919f29a7f19be7509255ce2d8c83ee29a163488438c9ea9014ddf1a9b2d382cc5d7e6baf2587fafaedbab4a78b9b7fd8b55f8c73675005a09008bc91d6bc3b5ad59a630ab4670dca6ac0d926165a3ecfd8d92d8ea2280cd06a5cc32b7d668e2b4b2e68f3a7e2a98ecc6fbb2cb5649daf751fcbfb81bcbef623aadd50330342dc464a31b843b3d8b5767d62a62f5e515ac2b380b208fbe620ff5a7aaf7f3fcf4abc9365e0e77b3ec4b434db14535c5835c9dfb3cbbc7f6fef6034c