Cloud Hosted Data in Digital Forensics
Session overview
- What is cloud storage?
- Do we need to worry about it?
- Collection considerations
- Forensic artefacts from:
  - Google Drive
  - Office 365/OneDrive
- Forensic analysis techniques
- What the future holds
- Q&A
COPYRIGHT NUIX 2014 2
Some background
- Appears in most 2014 cyber security predictions/warnings
- TechTarget report: 53% global adoption
- Seadrill completed a $4bn project
- Cloud market worth $140bn - $160bn; SaaS worth $14bn
- Over 50% have security concerns
- Google, Amazon & Microsoft experiencing high growth; Office 365: 20% of business
- Huge budgets
- Over 67 million iPhones' worth of data (2012): 1 exabyte (10^18 bytes or 1 billion GB)
- Files are small
- The key enabler of the post-PC era
Online file storage - SaaS
- Software as a Service: on-demand software in the cloud
- Accessed by browser or thin client
The good:
- No patching or compatibility issues
- Accessible & collaboration easy
- Reduced cost in software/hardware
The bad:
- Security/privacy concerns
- Compliance issues
- Functionality limited by connectivity
- Can be abused
Cloud is not collection friendly
- Less data committed to disk (look to RAM/pagefile/hiberfil/unallocated)
- SSDs present further issues
- Generates more structured data
- Use of local apps is encouraged
- Browsers are the gateway
- Compliance helps... a bit (technical and legal)
How do we get cloud data?
- Public vs private
- Access generally via a browser or API
- Where is it?
- No access to log files
- Legal considerations & SLAs
- How can you verify, when you cannot see what you are looking at?
Introducing Google Drive
- 15 GB free storage
- Wide support: 30+ file types
- Cross platform & wide integration
- Own bespoke file types & apps*: gdoc, gslide, gsheet
- Built-in time machine
- Share & collaborate
Google Drive quick reference
- \Users\<USERNAME>\Google Drive: default data store
- \Users\<USERNAME>\AppData\Local\Google\Drive: local DBs, logs etc.
- HKEY_CURRENT_USER\Software\Google\Drive: some settings
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: specifies if Google Drive is set to auto sync on startup
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\<INSTALLATIONID>\InstallProperties: installation of Google Drive (YYYYMMDD)
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GoogleUpdate: usage information including when sync last completed
Exercise 1: Review registry settings for Google Drive
Digging deeper: \Users\<USERNAME>\AppData\Local\Google\Drive\snapshot.db
- cloud_entry: holds details of files in the cloud
- cloud_relations: holds cloud ID of file & parent folder if present
- local_entry: holds details of files stored locally
- local_relations: holds local ID of file & parent folder if present
- mapping: maps local ID to cloud ID
Interpreting artifacts: cloud_entry
- MD5
- Epoch: be careful!
- Unique ID
- Note: a G File (gdoc) is not a file, it's a document; the entry takes you to the file in Google Drive
The other tables
- local_entry (note: Google Drive store)
- mapping
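The following is an added example, not Nuix's code or a published Google schema, showing how the five snapshot.db tables named on the slides fit together: walking cloud_relations to rebuild a cloud path, using mapping to join a local inode to its cloud_entry row, and converting the epoch values with an explicit UTC zone (the "be careful" point). The table names are the slide's; the column names (doc_id, filename, modified, checksum, removed, inode_number, child_doc_id, parent_doc_id and so on) and every row are assumptions constructed for the example, so confirm them with `.schema` against a real snapshot.db before relying on the queries.

```python
# Added example (not Nuix's code): query an in-memory copy of the
# Google Drive snapshot.db layout. Table names come from the slides;
# column names and all rows are constructed assumptions.
import sqlite3
from datetime import datetime, timezone

# Assumed schema: table names as on the slide, columns assumed.
SCHEMA = """
CREATE TABLE cloud_entry     (doc_id TEXT PRIMARY KEY, filename TEXT, modified INTEGER,
                              created INTEGER, checksum TEXT, size INTEGER, removed INTEGER);
CREATE TABLE cloud_relations (child_doc_id TEXT, parent_doc_id TEXT);
CREATE TABLE local_entry     (inode_number INTEGER PRIMARY KEY, filename TEXT,
                              modified INTEGER, checksum TEXT, size INTEGER);
CREATE TABLE local_relations (child_inode_number INTEGER, parent_inode_number INTEGER);
CREATE TABLE mapping         (inode_number INTEGER, doc_id TEXT);
"""

# Constructed sample rows (IDs and hashes are made up for this example).
SAMPLE = [
    ("INSERT INTO cloud_entry VALUES (?,?,?,?,?,?,?)",
     [("folder:root0001", "My Drive", 1396973000, 1380000000, None, 0, 0),
      ("folder:fin00001", "Finance", 1396973100, 1390000000, None, 0, 0),
      ("file:0b_example1", "current Pricing.xlsx", 1396974349, 1396900000,
       "d41d8cd98f00b204e9800998ecf8427e", 20480, 1)]),
    ("INSERT INTO cloud_relations VALUES (?,?)",
     [("folder:fin00001", "folder:root0001"), ("file:0b_example1", "folder:fin00001")]),
    ("INSERT INTO local_entry VALUES (?,?,?,?,?)",
     [(281474976745383, "Finance", 1396973100, None, 0),
      (281474976745389, "current Pricing.xlsx", 1396974349,
       "d41d8cd98f00b204e9800998ecf8427e", 20480)]),
    ("INSERT INTO local_relations VALUES (?,?)", [(281474976745389, 281474976745383)]),
    ("INSERT INTO mapping VALUES (?,?)",
     [(281474976745383, "folder:fin00001"), (281474976745389, "file:0b_example1")]),
]


def open_sample_db():
    """Build the constructed database in memory; on a case, connect to snapshot.db instead."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE:
        conn.executemany(sql, rows)
    return conn


def epoch_to_utc(ts):
    """Epoch seconds -> string. Convert as UTC explicitly: a naive
    fromtimestamp() would silently apply the examiner's workstation zone."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def cloud_path(conn, doc_id):
    """Walk cloud_relations child -> parent until no parent remains."""
    parts, cur, seen = [], doc_id, set()
    while cur and cur not in seen:          # seen-set guards against a cyclic relation
        seen.add(cur)
        row = conn.execute("SELECT filename FROM cloud_entry WHERE doc_id=?", (cur,)).fetchone()
        if row is None:
            break
        parts.append(row[0])
        parent = conn.execute("SELECT parent_doc_id FROM cloud_relations WHERE child_doc_id=?",
                              (cur,)).fetchone()
        cur = parent[0] if parent else None
    return "/".join(reversed(parts))


def local_to_cloud(conn, inode):
    """Join a local inode to its cloud entry via mapping; None if never synced."""
    row = conn.execute("""
        SELECT c.doc_id, c.checksum, c.modified, c.removed
        FROM mapping m JOIN cloud_entry c ON c.doc_id = m.doc_id
        WHERE m.inode_number = ?""", (inode,)).fetchone()
    if row is None:
        return None
    doc_id, md5, modified, removed = row
    return {"doc_id": doc_id, "path": cloud_path(conn, doc_id), "md5": md5,
            "modified_utc": epoch_to_utc(modified), "removed": bool(removed)}


def deleted_cloud_files(conn):
    """Entries flagged removed (an assumed column) with their reconstructed paths."""
    return [(r[0], cloud_path(conn, r[0]))
            for r in conn.execute("SELECT doc_id FROM cloud_entry WHERE removed=1")]


if __name__ == "__main__":
    db = open_sample_db()
    print(local_to_cloud(db, 281474976745389))
    print(deleted_cloud_files(db))
```

The local inode numbers in the sample match the ino values quoted in the sync log on a later slide, which is the join an examiner wants: log event, local_entry row, mapping row, cloud_entry row, and from there the MD5 and cloud path.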
Exercise 2: Inspect snapshot.db in Nuix
Digging deeper: sync_log.log, the verbose history of Google Drive
- Lists every creation, modification & DELETION!
Digging deeper: sync_log.log entries (annotated "Create" and "Delete" on the slide). Example delete entry:
  2014-04-08 17:25:49,467 +0100 INFO pid=1732 1728:CloudWatcher common.cloud.cloud_watcher:701 CloudWatcher generated FSChange(Direction.DOWNLOAD, Action.DELETE, ino=281474976745389, name=current Pricing.xlsx, rid=file:0b_v6jxysvpoevl2z25jtjvpngm, parent_ino=281474976745383, is_cancelled=false, cid=2)
Exercise 3: Investigate sync_log.log for deleted data
Traditional artifacts
Link files:
- Generated if you use local applications
- Cloud-based applications also generate a link file
Prefetch:
- GOOGLEDRIVESYNC.EXE-841A0D94.pf
- FIREFOX.EXE-18ACFCFF.pf
Internet history:
- Interacting with cloud-based applications generates data: URL of document opened in history & cache, also the local path
- Look at sessionstore.js (Firefox): only holds the last entry, but unallocated can be searched for {"windows":[
- Firefox places.sqlite, moz_places table
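As an added example (not part of the deck, and not Nuix's code), the query below pulls cloud-related history out of a Firefox moz_places table: Google Docs/Drive URLs with the document ID taken from the URL, and file:// URLs that give the local path, with Firefox's microsecond visit timestamps converted to UTC. The url, title and last_visit_date columns follow Firefox's own schema; the rows are constructed, and the document and folder IDs in them are made up.

```python
# Added example (not Nuix's code): extract cloud document history from a
# Firefox places.sqlite moz_places table. Sample rows are constructed.
import re
import sqlite3
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed moz_places rows: url, title, last_visit_date (microseconds since epoch, as Firefox stores it).
SAMPLE_ROWS = [
    ("https://docs.google.com/document/d/1AbCdEfGhIjK_constructed/edit",
     "simpleprecisenuixanalysis - Google Docs", 1389175000000000),
    ("https://drive.google.com/#folders/0B_constructedFolderId",
     "My Drive - Google Drive", 1396974000000000),
    ("file:///C:/Users/stuart/Google%20Drive/simpleprecisenuixanalysis.docx",
     "simpleprecisenuixanalysis.docx", 1389175100000000),
    ("https://www.bbc.co.uk/news", "BBC News", 1389170000000000),   # noise, should be ignored
]

DOC_ID_RE = re.compile(r"https://docs\.google\.com/(?:document|spreadsheets|presentation)/d/([^/?#]+)")
CLOUD_HOSTS = ("docs.google.com", "drive.google.com")


def open_sample_history():
    """In memory for the example; on a case, connect to a copy of places.sqlite."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, last_visit_date INTEGER)")
    conn.executemany("INSERT INTO moz_places (url, title, last_visit_date) VALUES (?,?,?)", SAMPLE_ROWS)
    return conn


def prtime_to_utc(us):
    """moz_places.last_visit_date is microseconds since the Unix epoch."""
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def file_url_to_windows_path(url):
    """file:///C:/Users/... -> C:\\Users\\... (percent-decoded)."""
    path = unquote(url[len("file:///"):])
    return path.replace("/", "\\")


def cloud_history(conn):
    """Rows that reference a Google Docs/Drive URL or a local file:// path."""
    out = []
    for url, title, visited in conn.execute(
            "SELECT url, title, last_visit_date FROM moz_places ORDER BY last_visit_date"):
        host_hit = any(h in url for h in CLOUD_HOSTS)
        is_file = url.startswith("file:///")
        if not (host_hit or is_file):
            continue
        m = DOC_ID_RE.match(url)
        out.append({
            "url": url,
            "title": title,
            "visited_utc": prtime_to_utc(visited) if visited else None,
            "doc_id": m.group(1) if m else None,
            "local_path": file_url_to_windows_path(url) if is_file else None,
        })
    return out


if __name__ == "__main__":
    for row in cloud_history(open_sample_history()):
        print(row["visited_utc"], row["doc_id"] or row["local_path"] or row["url"])
```

The doc_id is the value to pivot on: the same ID appears in the sync log's rid field and in snapshot.db, so one browser visit can be tied to the sync events and the cached file.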
Traditional artifacts: unallocated space
- From the logs we know what was created, modified & deleted, including file names, dates and file paths
- Search the logs for deleted files or write a script, e.g.:
  Received event RawEvent(DELETE, path=u'\\\\?\\c:\\users\\stuart\\google Drive\\simpleprecisenuixanalysis.docx', time=1389175221.425, ino=16607023626076261l)
- Post-deletion data can be carved; may often find 2 copies (temp & original?)
- Filenames also help with searches
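The "write a script" suggestion, as an added example that is not Nuix's script: a parser for the two sync_log.log shapes quoted on the slides (CloudWatcher FSChange(...) lines with a local-time prefix and RawEvent(...) lines carrying an epoch time=), normalising every timestamp to UTC and producing the list of deleted filenames to search for in unallocated space. The two DELETE lines in the sample are the ones on the slides; the CREATE line is constructed in the same shape.

```python
# Added example (not Nuix's script): parse Google Drive sync_log.log events.
import re
from datetime import datetime, timezone

# Constructed sample excerpt: the DELETE lines are quoted from the slides,
# the CREATE line is made up to match their format.
SAMPLE_LOG = r"""
2014-04-08 17:20:11,003 +0100 INFO pid=1732 1728:CloudWatcher common.cloud.cloud_watcher:701 CloudWatcher generated FSChange(Direction.DOWNLOAD, Action.CREATE, ino=281474976745389, name=current Pricing.xlsx, rid=file:0b_v6jxysvpoevl2z25jtjvpngm, parent_ino=281474976745383, is_cancelled=false, cid=1)
2014-04-08 17:25:49,467 +0100 INFO pid=1732 1728:CloudWatcher common.cloud.cloud_watcher:701 CloudWatcher generated FSChange(Direction.DOWNLOAD, Action.DELETE, ino=281474976745389, name=current Pricing.xlsx, rid=file:0b_v6jxysvpoevl2z25jtjvpngm, parent_ino=281474976745383, is_cancelled=false, cid=2)
Received event RawEvent(DELETE, path=u'\\\\?\\c:\\users\\stuart\\google Drive\\simpleprecisenuixanalysis.docx', time=1389175221.425, ino=16607023626076261l)
"""

# Log prefix: local date/time, milliseconds, then the UTC offset (+0100 on the slide).
PREFIX_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} (?P<tz>[+-]\d{4}) ")
FSCHANGE_RE = re.compile(
    r"FSChange\(Direction\.(?P<direction>\w+), Action\.(?P<action>\w+), ino=(?P<ino>\d+), "
    r"name=(?P<name>.*?), rid=(?P<rid>[^,]+), parent_ino=(?P<parent>\d+)")
# RawEvent: path is a Python repr (doubled backslashes), time is epoch seconds,
# ino may carry a trailing 'l' (Python 2 long).
RAWEVENT_RE = re.compile(
    r"RawEvent\((?P<action>\w+), path=u'(?P<path>.*?)', time=(?P<time>\d+(?:\.\d+)?), ino=(?P<ino>\d+)l?\)")


def _prefix_time_utc(line):
    m = PREFIX_RE.match(line)
    if not m:
        return None
    local = datetime.strptime(f"{m['ts']} {m['tz']}", "%Y-%m-%d %H:%M:%S %z")
    return local.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def _epoch_utc(value):
    return datetime.fromtimestamp(float(value), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def _unescape_path(p):
    """Undo the repr() doubling and drop the Win32 extended-length prefix \\\\?\\ ."""
    p = p.replace("\\\\", "\\")
    if p.startswith("\\\\?\\"):
        p = p[4:]
    return p


def parse_sync_log(text):
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = FSCHANGE_RE.search(line)
        if m:
            events.append({"action": m["action"], "name": m["name"], "path": None,
                           "ino": int(m["ino"]), "rid": m["rid"],
                           "time_utc": _prefix_time_utc(line), "source": "FSChange"})
            continue
        m = RAWEVENT_RE.search(line)
        if m:
            path = _unescape_path(m["path"])
            events.append({"action": m["action"], "name": path.rsplit("\\", 1)[-1], "path": path,
                           "ino": int(m["ino"]), "rid": None,
                           "time_utc": _epoch_utc(m["time"]), "source": "RawEvent"})
    return events


def deleted_filenames(text):
    """Distinct names of deleted files: the keyword list for carving/searching unallocated."""
    return sorted({e["name"] for e in parse_sync_log(text) if e["action"] == "DELETE"})


if __name__ == "__main__":
    for e in parse_sync_log(SAMPLE_LOG):
        print(e["time_utc"], e["action"], e["name"], e["ino"])
    print("carve for:", deleted_filenames(SAMPLE_LOG))
```

Note the two time bases: the FSChange prefix is local time with an offset, while RawEvent's time= is an epoch float; both end up as UTC so they can be lined up with snapshot.db and the browser history.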
Introducing Office 365 & OneDrive
- Lots of pricing models, none are free
- Limited to MS file types/apps
- Real-time collaboration & management
- Cross platform
- Not too dissimilar to standard Office, with some quirks
- Built on OneDrive (formerly SkyDrive)
- Still get: link files, files on disk, Office applications
- But: extra stuff in databases; dates & times are tricky
Office 365/OneDrive quick reference
- \Users\<USERNAME>\OneDrive: default data store
- \Users\<USERNAME>\AppData\Local\Microsoft\OneDrive\: logs & settings including details of files transferred (several folders)
- \Users\<USERNAME>\AppData\Local\Microsoft\Office\15.0\OfficeFileCache: SkyDrive MS Access DB (CentralTable.accdb)
- HKCU\Software\Microsoft\SkyDrive: Windows 64-bit hex (little endian) FILETIME of last refresh
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run: specifies if SkyDrive is set to auto sync on startup
- HKCU\Software\Microsoft\Office\15.0\Common\Identity\Identities\<GUID>: holds details of registered account including email
- HKCU\Software\Microsoft\Office\15.0\Common\Roaming: holds last sync details (128 hex date value)
- HKCU\Software\Microsoft\Office\15.0\Word\Reading Locations: list of opened MS Word files, key named Document X
- HKCU\Software\Microsoft\Office\15.0\Word\User MRU\LiveId_<GUID>\File MRU: most recently used files
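Decoding the "64-bit hex (little endian) file time" mentioned for the SkyDrive key, as an added example that is not Nuix's or Microsoft's code: a Windows FILETIME is a count of 100-nanosecond ticks since 1601-01-01 UTC, and the registry stores it with the least significant byte first, so the bytes must be read little-endian before the arithmetic. The sample value (hex:80,a4,91,33,47,53,cf,01) is constructed for this example and corresponds to 2014-04-08 16:25:49 UTC; the registry key name is the slide's.

```python
# Added example (not Nuix's or Microsoft's code): decode a little-endian
# 64-bit FILETIME as stored in registry values such as the "last refresh"
# time under HKCU\Software\Microsoft\SkyDrive. Sample value is constructed.
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # ticks of 100 ns count from here

# Constructed sample, in the form a .reg export shows for a REG_BINARY value.
SAMPLE_REG_VALUE = "hex:80,a4,91,33,47,53,cf,01"


def filetime_to_utc(raw):
    """raw: exactly 8 bytes read from the registry value, little-endian."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    ticks, = struct.unpack("<Q", raw)              # '<' = little-endian, 'Q' = unsigned 64-bit
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def reg_hex_to_utc(reg_hex):
    """Accept the 'hex:80,a4,...' text from a .reg export (or the bare byte list)."""
    body = reg_hex.split(":", 1)[1] if ":" in reg_hex else reg_hex
    raw = bytes(int(b, 16) for b in body.replace(" ", "").split(","))
    return filetime_to_utc(raw)


def utc_to_filetime(dt):
    """Inverse: build the 8 little-endian bytes for a timezone-aware datetime.
    Integer arithmetic avoids the float rounding of total_seconds()."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def is_plausible(dt, earliest=datetime(1995, 1, 1, tzinfo=timezone.utc)):
    """Quick sanity check: a byte-order mistake usually lands far outside any sensible range."""
    return earliest <= dt <= datetime.now(timezone.utc) + timedelta(days=1)


if __name__ == "__main__":
    when = reg_hex_to_utc(SAMPLE_REG_VALUE)
    print(when.isoformat(), "plausible:", is_plausible(when))
    print(utc_to_filetime(when).hex())
```

If the value is a REG_QWORD rather than REG_BINARY, the registry API hands back an integer already; pass struct.pack("<Q", value) to filetime_to_utc to use the same path. A date in the far past or future is the usual sign that the bytes were read in the wrong order.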
Digging deeper: \Users\<USERNAME>\AppData\Local\Microsoft\Office\15.0\OfficeFileCache\CentralTable.accdb
- MasterFile: holds details of files in SkyDrive (cloud) & contains a huge amount of metadata
- CacheProperties: details the number of files still to upload & supported file types
- IncomingEvents: holds details of files stored locally
- OutgoingEvents: details ID & paths of files being uploaded to SkyDrive
- ServerTarget: holds URL of SkyDrive
\Users\<USERNAME>\AppData\Local\Microsoft\OneDrive\Setup\Logs\<PCNAME><INSTALLDATE-YYYY-MM-DD>.log: the verbose history of OneDrive; lists every creation, modification & DELETION!
Interpreting artifacts: CentralTable & MasterFile
- Cloud metadata: 64-bit unicode date
- Local metadata
Summary & conclusions
- We cannot ignore this: the investment is huge!
- Corroborate artefacts: databases, logs, temp data, deleted data, file system, system files
- Consider capturing RAM
- Consider 3rd-party devices
- Huge opportunity for R&D!
Thank you
FIND OUT MORE:
- twitter.com/nuix
- facebook.com/nuixsoftware
- linkedin.com/company/nuix
- youtube.com/nuixsoftware
- blog.nuix.com