Exfiltration Forensics in the Age of the Cloud
Frank McClain, GCFA, GCIH, CHFI
InfoSec Analyst, CSIRT Lead, PrimeLending, A PlainsCapital Company
2012-06-29
Who is this guy?
Grew up in Ham radio, won a computer at age 11
Specialized electronics repair in the military
Working in technology since 2003, mostly small business
Little bit of IA, IS, IR, with mostly IT (which I don't find interesting)
Found and got into DF in 2007, with small consulting firm
Entered corporate in 2011 at PrimeLending, A PlainsCapital Company
How might you know me?
Blog – Forensicaliente.blogspot.com
Twitter – @littlemac042
ForensicArtifacts.com (team member, contributor)
Forensic email lists – SANS DFIR, Win4n6
Forensic Focus article on Dropbox Forensics
Other than that, just another drop of rain in a cloudy sky
What's this all about?
The use of cloud-based backup/synchronization services
Host-based identification and artifacts
Expanding the scope of research
What's the big deal?
“Host-based forensics is dead”
Availability of easy-to-use cloud services
Small business issues
What's the point?
Be aware of the potential as exfiltration channel
Possible exploitation by external attacker
Extremely easy for internal threat
Understand the types of artifacts/footprints on the host
Is it really happening?
Sharon Nelson – RideTheLightning.SenseiEnt.com (Dropbox)
At least two people I know have active IP theft cases (Dropbox)
I worked a breach of contract/IP theft case (Carbonite)
What services are covered here?
Dropbox 1.2, SpiderOak v4.4, TeamDrive v2.4, ADrive v1.5, Carbonite v5.2, Mozy Home v2.12, Mozy Stash v0.11
What kinds of artifacts are we looking at?
Install location
Executable name(s)
Application data directory
Backup/Sync directory
Application data files
Network connections
Connections signature
Remnants after uninstall: Registry, Application, Data
Methodology
Registry snapshots before and after install (RegShot)
Default installation
Network connections at rest and during operations (ProcessHacker, CurrPorts)
Full network capture (Wireshark)
Sync/backup of a test file directory (named "Test_Files")
Sync/backup on a 2nd system for cross-system access
Application/executable general info, file and registry handles (ProcessHacker)
List application (executables), application data (data files), and sync/backup directories (FileInfo)
Copy data files for post-uninstall analysis
Registry snapshots before and after uninstall (RegShot)
Uninstall via Windows applet
List executables, data files, and sync/backup directories post-uninstall (FileInfo)
Parse registry hives for remnants and references post-uninstall (RegDecoder)
Review PCAP files, isolate and identify clear-text and encrypted traffic (NetWitness)
Analyze contents of files of interest (Notepad++, Calc, Excel, SQLiteDBBrowser, HxD, HEX Editor, Encoder, Decode, DbVisualizer, TrID, File)
Primary system running Win7 Pro, 64-bit. Secondary system running XP Pro, 32-bit.
* Important Note *
You will see references in screenshots and file paths to “servicename\files_of_interest\...”, where “servicename” is Dropbox, Adrive, etc. This is the location where I stored a copy of various application-related files, whether from Program Files, Application Data, or the Sync/Backup directory. Immediately following “files_of_interest” is where the rest of the path begins; it's relative up to that point. I mention this to minimize confusion for offline readers...
Dropbox
Dropbox – artifact summary
Installation Location: AppData\Roaming\Dropbox\bin\
Executable: Dropbox.exe
Application Data Location: AppData\Roaming\Dropbox
Backup/Sync Location (default): %User%\Dropbox
Files of Interest: config.db, config.dbx, desktop.ini, filecache.dbx, host.db, sigstore.dbx, unlink.db, entries.log
Network Connection(s): 199.47.217.173:443, 199.47.216.178:443, 199.47.216.146:80, 50.16.217.157:443, 75.126.110.108:443, dropbox.com, notify3.dropbox.com
Network Signature: GET /subscribe?host_int=169449187&ns_map=5932257_73227506984566&ts=1139002454 HTTP/1.1 (the one clear-text request, on port 80; everything else observed was on 443)
Uninstall Remnants – Files: host.dbx, entries.log
Uninstall Remnants – Registry: Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1, Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\21 (the COMODO key is the test system's host-firewall policy for Dropbox and will only exist where Comodo Firewall is installed)
Uninstall Remnants – Program: Dropbox.exe, DropboxExt.14.dll, DropboxExt64.14.dll, msvcp71.dll, msvcr71.dll
Dropbox – file types (as reported by the file utility)
\Dropbox\files_of_interest\Dropbox\host.db: ASCII text
\Dropbox\files_of_interest\Dropbox\host.dbx: ASCII text
\Dropbox\files_of_interest\Dropbox\config.dbx: data
\Dropbox\files_of_interest\Dropbox\filecache.dbx: data
\Dropbox\files_of_interest\Dropbox\l\4f9c5ac9: data
\Dropbox\files_of_interest\Dropbox\l\4f9c5b1b: data
\Dropbox\files_of_interest\Dropbox\l\4f9c5b1d: data
\Dropbox\files_of_interest\Dropbox\l\4f9c5b1e: data
\Dropbox\files_of_interest\Dropbox\l\4f9c5b5d: data
\Dropbox\files_of_interest\Dropbox\l\4f9c5b5e: data
\Dropbox\files_of_interest\Dropbox\l\4f9c5b60: data
\Dropbox\files_of_interest\Dropbox\l\4fcc352e: data
\Dropbox\files_of_interest\Dropbox\l\4fcc357c: data
\Dropbox\files_of_interest\Dropbox\l\4fcc357d: data
\Dropbox\files_of_interest\Dropbox\l\4fcc357e: data
\Dropbox\files_of_interest\Dropbox\l\4fcc358d: data
\Dropbox\files_of_interest\Dropbox\l\4fcc358e: data
\Dropbox\files_of_interest\Dropbox\sigstore.dbx: data
\Dropbox\files_of_interest\Dropbox\unlink.db: data
\Dropbox\files_of_interest\Dropbox\bin\itag: empty
\Dropbox\files_of_interest\Dropbox\config.db: SQLite 3.x database
Dropbox – host.db, decoded:
Dropbox – host.dbx, decoded:
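The decoded host.db is only visible in the slide screenshot. As an added example (mine, not code from the deck or from Dropbox), here is a parser for the two-line host.db layout that public Dropbox 1.x forensics write-ups describe: a hex host_id, then the base64-encoded path of the local Dropbox root. The sample file contents, including the host_id value, are constructed. The second function tries a hypothesis the deck does not state: that the 8-hex-digit file names under Dropbox\l\ (4f9c5ac9 ... 4fcc352e) are Unix timestamps. Treat that reading as mine and check it against the files' file-system timestamps before relying on it.

```python
import base64
import binascii
from datetime import datetime, timezone

# Constructed sample, NOT the contents of the deck's screenshot. Layout per
# public Dropbox 1.x forensics write-ups (assumption): line 1 is a hex host_id
# (value below is made up), line 2 is base64 of the local Dropbox root path.
SAMPLE_HOST_DB = (
    "0123456789abcdef0123456789abcdef01234567\n"
    "QzpcVXNlcnNcRnJhbmtcRHJvcGJveA==\n"
)


def parse_host_db(text):
    """Return (host_id, dropbox_root) from host.db text.

    Raises ValueError when the file does not look like a 1.x host.db; the
    host.dbx left behind after uninstall may differ, so callers should not
    assume the parse succeeds.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2:
        raise ValueError("expected at least two non-empty lines")
    host_id, encoded = lines[0], lines[1]
    try:
        int(host_id, 16)
    except ValueError:
        raise ValueError("first line is not a hex host_id: %r" % host_id)
    try:
        root = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("second line is not base64-encoded text: %s" % exc)
    return host_id, root


def hex_name_to_utc(name):
    """Interpret an 8-hex-digit name such as those under Dropbox\\l\\ as a
    Unix epoch and render it in UTC. Hypothesis only (mine, not the deck's)."""
    if len(name) != 8:
        raise ValueError("expected 8 hex digits: %r" % name)
    epoch = int(name, 16)
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    print(parse_host_db(SAMPLE_HOST_DB))
    for n in ("4f9c5ac9", "4fcc352e"):
        print(n, hex_name_to_utc(n))
```

Under that hypothesis 4fcc352e decodes to 2012-06-04 04:10:22 UTC, two days before the date-named cache directory shown on the next slide, which is at least consistent with the names being timestamps; the MFT timestamps of those files are the check.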
Dropbox – date-named directory (“2012-06-06”):
entries.log, decoded:
Note: This is inside the .dropbox.cache directory
Dropbox – Network Connections:
Dropbox – Network Signature:
Dropbox – SSL Connections:
SpiderOak
SpiderOak – artifact summary
Installation Location: Program Files (x86)\SpiderOak\
Executable: SpiderOak.exe, windows_dir_watcher.exe
Application Data Location: AppData\Roaming\SpiderOak
Backup/Sync Location (default): Any, User-Defined, File Type
Files of Interest: 1336254748.22.port, config.dat, config.txt, device_1a.dat, device_2a.dat, dirhash.db, downloads.db, exclude.txt, fs_queue.db, local.dat, oak_20120505145242.log, oak_20120505165227.log, prefs.dat, snapshot.db, Spider_20120505145242.log, Spider_20120505165227.log, Test-skipfilter.db, test.db, test.log, tss_external_orphans_fixed_pandora_sqliite_database, tss_external_orphans_fixed_snapshot.db
Network Connection(s): 38.121.104.67:443, 38.121.104.68:44 (Performance Systems International, aka Cogent Communications or PSINet, Inc)
Network Signature: uses TLSv1, no unencrypted traffic observed
Uninstall Remnants – Files: same as files of interest – nothing removed
Uninstall Remnants – Registry: \Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\34
Uninstall Remnants – Program: API-MS-Win-Core-LocalRegistry-L1-1-0.dll, API-MS-Win-Core-ProcessThreads-L1-1-0.dll, API-MS-Win-Security-Base-L1-1-0.dll, bz2.pyd, POWRPROF.dll, pythoncom27.dll, pywintypes27.dll, select.pyd, shared.zip, unicodedata.pyd, win32api.pyd, win32com.shell.shell.pyd, win32event.pyd, win32evtlog.pyd, win32gui.pyd, win32pdh.pyd, win32process.pyd, win32trace.pyd, win32ui.pyd, winxpgui.pyd, _ctypes.pyd, _hashlib.pyd, _socket.pyd, _ssl.pyd, _win32sysloader.pyd (the .pyd and pythoncom/pywintypes files are the bundled Python 2.7 runtime the client is built on)
SpiderOak – file types (as reported by the file utility)
\SpiderOak\files_of_interest\oak_20120505145242.log: ASCII C++ program text, with very long lines, with CRLF line terminators
\SpiderOak\files_of_interest\oak_20120505165227.log: ASCII C++ program text, with very long lines, with CRLF line terminators
\SpiderOak\files_of_interest\spider_20120505145242.log: ASCII English text, with very long lines, with CRLF line terminators
\SpiderOak\files_of_interest\spider_20120505165227.log: ASCII English text, with very long lines, with CRLF line terminators
\SpiderOak\files_of_interest\config.txt: ASCII text
\SpiderOak\files_of_interest\exclude.txt: ASCII text
\SpiderOak\files_of_interest\prefs.dat: ASCII text
\SpiderOak\files_of_interest\tss_external_blocks_pandora_sqliite_database\00000014: ASCII text
\SpiderOak\files_of_interest\test.log: ASCII text, with CRLF line terminators
\SpiderOak\files_of_interest\tss_external_orphans_fixed_pandora_sqliite_database: ASCII text, with no line terminators
\SpiderOak\files_of_interest\tss_external_orphans_fixed_snapshot.db: ASCII text, with no line terminators
\SpiderOak\files_of_interest\backup_system_ignore_this_folder.lock: empty
\SpiderOak\files_of_interest\dirhash.db: SQLite 3.x database
\SpiderOak\files_of_interest\download_cache\downloads.db: SQLite 3.x database
\SpiderOak\files_of_interest\fs_queue.db: SQLite 3.x database
\SpiderOak\files_of_interest\object_cache\device_1a.dat: SQLite 3.x database
\SpiderOak\files_of_interest\object_cache\device_2a.dat: SQLite 3.x database
\SpiderOak\files_of_interest\pandora_sqliite_database: SQLite 3.x database
\SpiderOak\files_of_interest\snapshot.db: SQLite 3.x database
\SpiderOak\files_of_interest\sync\test-skipfilter.db: SQLite 3.x database
\SpiderOak\files_of_interest\sync\test.db: SQLite 3.x database
SpiderOak – oak_20120505145242.log:
SpiderOak – spider_20120505145242.log:
SpiderOak – device_1a.dat (SQLite 3 database):
entry_time   path                                           journal_num   last_session_start   last_session_recno   last_session_size
1336248614   c:\Users\Frank\Documents\SpiderOak             1001
1336248614   c:\Users\Frank\Documents\SpiderOak\TEST_FILES  1002          0                    6                    103
entry_time 1336248614 decoded (Unix epoch, shown in local time): Sat, 05 May 2012 15:10:14 -0500
SpiderOak – test.db (SQLite 3 database):
sync_id   sync_name   time_added
1         test        2012-05-05 21:52:59
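The slide shows the rows and the decoded epoch but not how to get from one to the other. As an added example (mine, not the deck's or SpiderOak's), here is a schema-agnostic timeline extractor that finds any table carrying the entry_time/path/journal_num columns shown above and renders entry_time the way the slide does. The in-memory database is constructed from the slide's two rows; the table name "journal" is an assumption, since the slide does not show it, which is exactly why the code discovers tables by column rather than by name. Note that time_added in test.db is stored as text and the deck does not establish its time zone, so do not line it up with the -0500 entry_time without checking.

```python
import sqlite3
from datetime import datetime, timezone, timedelta

# Constructed in-memory stand-in for SpiderOak's device_1a.dat, populated with
# the two rows from the slide. Column names are the slide's; the table name
# "journal" is an assumption.
SAMPLE_ROWS = [
    (1336248614, r"c:\Users\Frank\Documents\SpiderOak", 1001, None, None, None),
    (1336248614, r"c:\Users\Frank\Documents\SpiderOak\TEST_FILES", 1002, 0, 6, 103),
]


def build_sample_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE journal ("
        "entry_time INTEGER, path TEXT, journal_num INTEGER, "
        "last_session_start INTEGER, last_session_recno INTEGER, "
        "last_session_size INTEGER)"
    )
    con.executemany("INSERT INTO journal VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def epoch_to_rfc2822(epoch, utc_offset_hours):
    """Render a Unix epoch as on the slide, e.g. 'Sat, 05 May 2012 15:10:14 -0500'."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(int(epoch), tz).strftime("%a, %d %b %Y %H:%M:%S %z")


def _quote(identifier):
    return '"%s"' % identifier.replace('"', '""')


def tables_with_columns(con, *needed):
    """Names of tables that carry all of the given columns, whatever they are called."""
    found = []
    for (name,) in con.execute("SELECT name FROM sqlite_master WHERE type = 'table'"):
        cols = {row[1] for row in con.execute("PRAGMA table_info(%s)" % _quote(name))}
        if set(needed) <= cols:
            found.append(name)
    return found


def timeline(con, utc_offset_hours=-5):
    """(decoded_time, path, table, journal_num) for every row with an entry_time, oldest first."""
    rows = []
    for table in tables_with_columns(con, "entry_time", "path", "journal_num"):
        query = "SELECT entry_time, path, journal_num FROM %s" % _quote(table)
        for entry_time, path, journal_num in con.execute(query):
            rows.append((entry_time, path, table, journal_num))
    rows.sort()
    return [(epoch_to_rfc2822(t, utc_offset_hours), p, tb, j) for t, p, tb, j in rows]


if __name__ == "__main__":
    for row in timeline(build_sample_db()):
        print(row)
```

Run it against the real device_1a.dat by replacing build_sample_db() with sqlite3.connect(path_to_copy); work on a copy, since opening a live SQLite file can create journal files next to it. Pass utc_offset_hours=0 to get UTC rather than the analyst's local offset.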
SpiderOak – Network Connections:
SpiderOak – Network Signature:
SpiderOak – SSL Connections:
TeamDrive
TeamDrive – artifact summary
Installation Location: Program Files (x86)\TeamDrive2.0\
Executable: TeamDrive2.exe, TeamDrive2Database.exe
Application Data Location: AppData\Roaming\TeamDrive
Backup/Sync Location (default): %User%\TeamDrive Spaces
Files of Interest (a few examples): WebDAVSettings.xml, DirWatcher_log.log, FileWatcher_log.log, log.log, old_20120513_162655_logs.zip, general_log.CSV, slow_log.CSV, db.opt, littlemac042_TeamDrive_13.05.2012.pss, Default_littlemac042.sakh, desktop.ini, target.lnk
Network Connection(s): 46.137.108.17:80, 79.125.8.233:80, td2ec2in4mv1euwest.teamdrive.net, reg.teamdrive.net (connections go to Amazon AWS in Dublin)
Network Signature: PUT /primespace/vol05/29720/protolog/last.log?P1RID=1&pb-id=tt31385962996753839188459838 HTTP/1.1 (application/octet-stream), i.e. uploads over clear-text HTTP on port 80 with an opaque body
Uninstall Remnants – Files: desktop.ini, target.lnk
Uninstall Remnants – Registry: \Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.7\com.trolltech.Qt.QTextCodecFactoryInterface:\C:\Program Files (x86)\TeamDrive2.0, \ControlSet001\Services\EventLog\Application\MySQL, \ControlSet002\Services\EventLog\Application\MySQL
Uninstall Remnants – Program: none
TeamDrive – file types (as reported by the file utility)
\TeamDrive\files_of_interest\TeamDrive\logs\CTransferListThread_log.log: ASCII English text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\log.log: ASCII English text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CLogPollerThread_log.log: ASCII English text, with very long lines, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CFSSynchronizerThread_log.log: ASCII news text, with very long lines, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\mysql\data\pbxt\location: ASCII text
\TeamDrive\files_of_interest\TeamDrive\mysql\data\td2\db.opt: ASCII text
\TeamDrive\files_of_interest\TeamDrive\mysql\data\TeamDrive2Database.pid: ASCII text
\TeamDrive\files_of_interest\TeamDrive\logs\CApiModuleThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CArchiveCacheWorkerThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CArchiverDeamonThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CDelayedArchiverThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CDownLoadMessageThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CEventListenerThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CFSJobArchiverThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CFSRuleEngineDeamonThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CGUIFileEventBufferThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CJobManagerThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CLogBackupThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CMessageBuilderThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CReaderWriterThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CScanJobWorkerThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CScannerDeamonThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CSynchronizerDeamonThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CThreadedReceiverThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CWatcherDeamonThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\DirWatcher_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\FileWatcher_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\mysql\data\TeamDrive2Database.err: ASCII text, with CRLF line terminators
TeamDrive – TeamDrive.ini:
TeamDrive – TDStart.ini:
TeamDrive – TeamDrive2Database.err:
A few other files to look at:
CFSRuleEngineDeamonThread_log.log
CFSSynchronizerThread_log.log
CScanJobWorkerThread_log.log
Xlog-1.xt
TeamDrive – DNS Connections:
TeamDrive – Network Connections:
TeamDrive – Network Signature:
ADrive
ADrive – artifact summary
Installation Location: Program Files (x86)\ADrive Desktop\
Executable: ADrive Desktop.exe
Application Data Location: AppData\Roaming\com.adrive.ADriveDesktop.9E1195EE779B0F966F518632F3A0F64E53222DC6.1
Backup/Sync Location (default): Any, User-Defined, File Type
Files of Interest: Adrive.db, index.dat (History.IE5, Content.IE5, Cookies – the IE/WinINet history, cache and cookie stores), install.log (Adobe AIR)
Network Connection(s): 65.49.56.133:443, 65.49.56.133:80, adrive.com, www31.adrive.com
Network Signature: TCP handshake followed directly by a TLS Client Hello, nothing in clear text: 34947 > https [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1, https > 34947 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1 WS=128, 34947 > https [ACK] Seq=1 Ack=1 Win=65700 Len=0, Client Hello
Uninstall Remnants – Files: same as files of interest
Uninstall Remnants – Registry: \Wow6432Node\Microsoft\Tracing\ADrive Desktop_RASAPI32, \Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\1
Uninstall Remnants – Program: none
ADrive – file types (as reported by the file utility)
\ADrive\files_of_interest\Install.log: UTF-8 Unicode (with BOM) English text, with very long lines, with CRLF, LF line terminators
\Adrive\files_of_interest\com.adrive.ADriveDesktop.9E1195EE779B0F966F518632F3A0F64E53222DC6.1\Local Store\ADrive.db: SQLite 3.x database, user version 300200
ADrive – LogEntries table:
ADrive – Adobe AIR install log:
ADrive – Network Connections:
ADrive – Network Signature:
ADrive – SSL Connections:
Carbonite
Carbonite – artifact summary
Installation Location: Program Files (x86)\Carbonite\Carbonite Backup\
Executable: CarboniteUI.exe
Application Data Location: ProgramData\Carbonite
Backup/Sync Location (default): Any, User-Defined, File Type
Files of Interest: Carbonite.log, CarboniteConfig.dat, CarboniteDelta.dat, CarboniteFiles.dat, CarboniteNSE.log, CarbonitePossibleUpgrade.exe, CarboniteRestores.dat, CarboniteUI.log, CarboniteVersions.dat
Network Connection(s): 4.53.54.244:443, 8.26.56.26:53 (DNS), 38.97.103.136:80, web6.site11.carbonite.com, carbonite.com
Network Signature: GET /Download/v5.2.1181/CarboniteUpgrade-en.exe HTTP/1.1, User-Agent: CarboniteUI, Host: www.carbonite.com, Cache-Control: no-cache (the clear-text request is the upgrade download; the only other TCP connection observed is to 4.53.54.244:443)
Uninstall Remnants – Files: none
Uninstall Remnants – Registry: \Classes\Applications\CarboniteUI.exe, \ControlSet001\Services\EventLog\Application\CarboniteService
Uninstall Remnants – Program: none
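The deck gives one network signature per service but never pulls them together. As an added example (mine, not the deck's or any vendor's), here is a small signature matcher over HTTP and flow records that uses only the hostnames, request lines, User-Agent string and destination IPs from the Dropbox, SpiderOak, TeamDrive, ADrive and Carbonite tables above. The pipe-separated record format and the log lines are constructed. Two caveats a detection engineer would want: a host-suffix match has to respect label boundaries, and the 2012 destination IPs are useful only for attributing TLS-only flows such as SpiderOak's and will have changed since, so they are flagged as weak, dated indicators to be re-verified before anyone alerts on them.

```python
import re

# Indicators copied from the deck's "Network Connection(s)" / "Network
# Signature" rows. Hostnames and HTTP strings are the durable part; the 2012
# IP addresses are kept only so a TLS-only flow can still be attributed, and
# every IP hit is labelled weak.
RULES = {
    "Dropbox": {
        "hosts": ["dropbox.com"],
        "requests": [r"^GET /subscribe\?host_int=\d+&ns_map="],
        "agents": [],
        "ips": {"199.47.217.173", "199.47.216.178", "199.47.216.146",
                "50.16.217.157", "75.126.110.108"},
    },
    "SpiderOak": {"hosts": [], "requests": [], "agents": [],
                  "ips": {"38.121.104.67", "38.121.104.68"}},
    "TeamDrive": {
        "hosts": ["teamdrive.net"],
        "requests": [r"^PUT /primespace/"],
        "agents": [],
        "ips": {"46.137.108.17", "79.125.8.233"},
    },
    "ADrive": {"hosts": ["adrive.com"], "requests": [], "agents": [],
               "ips": {"65.49.56.133"}},
    "Carbonite": {
        "hosts": ["carbonite.com"],
        "requests": [r"^GET /Download/v[\d.]+/CarboniteUpgrade"],
        "agents": [r"^CarboniteUI$"],
        "ips": {"4.53.54.244", "38.97.103.136"},
    },
}

# Constructed sample records (not a capture from the deck), one per line:
# ts|src_ip|dst_ip|dst_port|host|method|path|user_agent. Empty host/method/
# path/user_agent fields mean the sensor saw only a TLS flow.
SAMPLE_LOG = """\
1338998400|10.0.0.5|199.47.216.146|80|notify3.dropbox.com|GET|/subscribe?host_int=169449187&ns_map=5932257_73227506984566&ts=1139002454|
1338998401|10.0.0.5|38.97.103.136|80|www.carbonite.com|GET|/Download/v5.2.1181/CarboniteUpgrade-en.exe|CarboniteUI
1338998402|10.0.0.5|46.137.108.17|80|td2ec2in4mv1euwest.teamdrive.net|PUT|/primespace/vol05/29720/protolog/last.log?P1RID=1|
1338998403|10.0.0.5|38.121.104.67|443||||
1338998404|10.0.0.5|65.49.56.133|443|www31.adrive.com|||
1338998405|10.0.0.5|203.0.113.10|443|www.example.com|GET|/|Mozilla/5.0
"""

FIELDS = ("ts", "src_ip", "dst_ip", "dst_port", "host", "method", "path", "user_agent")


def parse_line(line):
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d: %r" % (len(FIELDS), len(parts), line))
    return dict(zip(FIELDS, parts))


def host_matches(host, suffix):
    """Exact or sub-domain match on a label boundary, so 'notdropbox.com' does not match."""
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def classify(rec):
    """List of (service, evidence) pairs; a TLS-only record can only match on dst_ip."""
    hits = []
    request = "%s %s" % (rec["method"], rec["path"])
    for service, rule in RULES.items():
        for suffix in rule["hosts"]:
            if rec["host"] and host_matches(rec["host"], suffix):
                hits.append((service, "host=" + rec["host"]))
        for pat in rule["requests"]:
            if rec["path"] and re.search(pat, request):
                hits.append((service, "request=" + request[:60]))
        for pat in rule["agents"]:
            if rec["user_agent"] and re.search(pat, rec["user_agent"]):
                hits.append((service, "user_agent=" + rec["user_agent"]))
        if rec["dst_ip"] in rule["ips"] and rec["dst_port"] in ("80", "443"):
            hits.append((service, "dst=%s:%s (2012 IP, weak)" % (rec["dst_ip"], rec["dst_port"])))
    return hits


def services_for(line):
    return sorted({service for service, _ in classify(parse_line(line))})


def scan(log_text):
    """[(ts, [services], [evidence, ...])] for every record that matched something."""
    out = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            hits = classify(rec)
            if hits:
                out.append((rec["ts"], sorted({s for s, _ in hits}), [e for _, e in hits]))
    return out


if __name__ == "__main__":
    for ts, services, evidence in scan(SAMPLE_LOG):
        print(ts, ",".join(services), "|", "; ".join(evidence))
```

The record layout maps onto what a proxy log or a Zeek http/conn pair already gives you; the point of keeping the evidence strings is that an IP-only hit (the SpiderOak line) should be reviewed, while a host plus request-line hit (Dropbox, TeamDrive) can be acted on.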
Carbonite – file types (as reported by the file utility)
\Carbonite\files_of_interest\Carbonite\Carbonite Backup\CarboniteNSE.log: ASCII text, with CRLF line terminators
\Carbonite\files_of_interest\Carbonite\Carbonite Backup\CarboniteUI.log: ASCII text, with CRLF line terminators
\Carbonite\files_of_interest\Carbonite\Carbonite Backup\skin\ScriptTests.txt: ASCII text, with CRLF line terminators
\Carbonite\files_of_interest\Carbonite\Carbonite Backup\skin\ShowAll.txt: ASCII text, with CRLF line terminators
\Carbonite\files_of_interest\Carbonite\Carbonite Backup\Carbonite.log: ASCII text, with very long lines, with CRLF, LF line terminators
\Carbonite\files_of_interest\Carbonite\Carbonite Backup\skin\CarboniteNSE.strings: UTF-8 Unicode (with BOM) English text, with very long lines, with CRLF line terminators
\Carbonite\files_of_interest\Carbonite\Carbonite Backup\skin\CarboniteService.strings: UTF-8 Unicode (with BOM) English text, with very long lines, with CRLF line terminators
\Carbonite\files_of_interest\Carbonite\Carbonite Backup\skin\CarboniteUI.strings: UTF-8 Unicode (with BOM) English text, with very long lines, with CRLF line terminators
![Page 49: Exfiltration Forensics in the Age of the Cloud · · 2012-06-29Exfiltration Forensics in the Age of the Cloud Frank McClain, GCFA ... HEX Editor, Encoder, Decode, DbVisualizer](https://reader034.vdocuments.net/reader034/viewer/2022051800/5acdac707f8b9a73128e48da/html5/thumbnails/49.jpg)
Carbonite File Handles
![Page 50: Exfiltration Forensics in the Age of the Cloud · · 2012-06-29Exfiltration Forensics in the Age of the Cloud Frank McClain, GCFA ... HEX Editor, Encoder, Decode, DbVisualizer](https://reader034.vdocuments.net/reader034/viewer/2022051800/5acdac707f8b9a73128e48da/html5/thumbnails/50.jpg)
Carbonite Carbonite.log
Carbonite CarboniteFiles.dat
Carbonite Network Connections
Carbonite Network Signature:
Carbonite SSL Connections
Mozy Home/Stash
| Artifact Type | Mozy (Home & Stash) |
|---|---|
| Installation Location | Program Files\MozyHome, Program Files (x86)\Mozy\Stash |
| Executable | MozyBackup.exe, MozyStat.exe, Stash.exe |
| Application Data Location | Program Files\MozyHome\Data, AppData\Local\Stash |
| Backup/Sync Location (default) | Any, %User%\Stash |
| Files of Interest | cache.dat, changes.dat, filter_raw.log.1, local_backup.dat, manifest.dat, mozy.log, resume.dat, scancache.dat, state.dat, metrics.dat, Stash.log, state.dat, banner.1332213388.json |
| Network Connection(s) | 173.243.50.163:443, 173.243.50.190:443, 173.243.50.240:443, 74.112.148.76, 8.26.56.26, 156.154.70.22, 173.243.52.180, 173.243.52.200, 74.112.148.220, 74.112.148.85, 173.243.52.210, 173.243.51.62, 173.243.50.145, 216.54.220.68, 173.243.51.98, 173.243.51.80, 173.243.51.30, 173.243.50.245, 173.243.50.211, 173.243.50.184, 173.243.50.181, 173.243.50.173, 173.243.50.162, 173.243.50.157, 173.243.50.154, 173.243.50.135, 74.112.149.3, mozyops.com, *.mozy.com |
| Network Signature | GET /dev/null HTTP/1.1, Host: client.mozy.com, User-Agent: kalypso/2.12.1.160, Content-Length: 1048576; HEAD /dev/null HTTP/1.1, Host: client.mozy.com, User-Agent: kalypso/2.12.1.160; HTTP/1.1 200 OK, Date: Sun, 27 May 2012 20:58:11 GMT, Server: Apache, Last-Modified: Wed, 25 May 2011 15:45:49 GMT, ETag: "5923aa-23-4a41b993fa540", Accept-Ranges: bytes, Content-Length: 35, Content-Type: text/html |
| Uninstall Remnants – Files | metrics.dat, Stash.log, state.dat, .accountinfo.ini, desktop.ini |
| Uninstall Remnants – Registry | \Software\Mozy, Inc; \ControlSet001\Enum\Root\LEGACY_MOZYFILTER\0000 |
| Uninstall Remnants – Program | |
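The network signature in the table above can be turned into a simple host-based or proxy-log check. The following is an added example, not code from the presentation: it parses raw HTTP request text and reports which Mozy indicators from the table (the client.mozy.com / *.mozy.com / mozyops.com hosts, the kalypso/<version> User-Agent, and the GET/HEAD /dev/null probe) each request matches. The sample requests are constructed.

```python
"""Flag Mozy client traffic in raw HTTP requests using the signature above.
Added example, not from the presentation. Indicators are the ones the table
lists: Host client.mozy.com (and *.mozy.com / mozyops.com), User-Agent
kalypso/<version>, and the GET/HEAD /dev/null probe. Requests are constructed."""
import re
from typing import Dict, List

MOZY_DOMAINS = ("mozy.com", "mozyops.com")            # *.mozy.com, mozyops.com
KALYPSO_UA = re.compile(r"^kalypso/\d+(?:\.\d+)*$")  # e.g. kalypso/2.12.1.160

def parse_request(raw: str) -> Dict[str, str]:
    """Split a request into method, path and lower-cased header fields."""
    lines = raw.strip().splitlines()
    method, path = lines[0].split()[:2]
    fields = {"method": method, "path": path}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            fields[name.strip().lower()] = value.strip()
    return fields

def host_in_domains(host: str, domains=MOZY_DOMAINS) -> bool:
    """True if host (port stripped) equals or is a subdomain of a listed domain."""
    h = host.split(":")[0].lower()
    return any(h == d or h.endswith("." + d) for d in domains)

def mozy_indicators(raw: str) -> List[str]:
    """Return the Mozy indicators matched by one request (empty list if none)."""
    f = parse_request(raw)
    hits = []
    if host_in_domains(f.get("host", "")):
        hits.append("host " + f["host"])
    if KALYPSO_UA.match(f.get("user-agent", "")):
        hits.append("user-agent " + f["user-agent"])
    if f["method"] in ("GET", "HEAD") and f["path"] == "/dev/null":
        hits.append(f["method"] + " /dev/null probe")
    return hits

def scan(requests: List[str]) -> Dict[int, List[str]]:
    """Index of every request that matched at least one indicator."""
    found = {}
    for i, raw in enumerate(requests):
        hits = mozy_indicators(raw)
        if hits:
            found[i] = hits
    return found

# Constructed requests: two modelled on the table's signature, one unrelated.
MOZY_GET = ("GET /dev/null HTTP/1.1\r\nHost: client.mozy.com\r\n"
            "User-Agent: kalypso/2.12.1.160\r\nContent-Length: 1048576\r\n\r\n")
MOZY_HEAD = ("HEAD /dev/null HTTP/1.1\r\nHost: client.mozy.com\r\n"
             "User-Agent: kalypso/2.12.1.160\r\n\r\n")
OTHER = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.0\r\n\r\n"
```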
Mozy Home/Stash File Type

| File | Type |
|---|---|
| \Mozy\files_of_interest\Data\mozy.log | ASCII English text, with CRLF line terminators |
| \Mozy\files_of_interest\desktop.ini | ASCII text, with CRLF line terminators |
| \Mozy\files_of_interest\Stash\Stash.log | ASCII text, with very long lines, with CRLF line terminators |
| \Mozy\files_of_interest\Data\filter_raw.log | empty |
| \Mozy\files_of_interest\.accountinfo.ini | Little-endian UTF-16 Unicode text, with CRLF, CR line terminators |
| \Mozy\files_of_interest\Data\cache.dat | SQLite 3.x database |
| \Mozy\files_of_interest\Data\changes.dat | SQLite 3.x database |
| \Mozy\files_of_interest\Data\local_backup.dat | SQLite 3.x database |
| \Mozy\files_of_interest\Data\manifest.dat | SQLite 3.x database |
| \Mozy\files_of_interest\Data\resume.dat | SQLite 3.x database |
| \Mozy\files_of_interest\Data\scancache.dat | SQLite 3.x database |
| \Mozy\files_of_interest\Data\state.dat | SQLite 3.x database |
| \Mozy\files_of_interest\Stash\metrics.dat | SQLite 3.x database |
| \Mozy\files_of_interest\Stash\state.dat | SQLite 3.x database |
Mozy Home/Stash: Scancache.dat (Home)
Mozy Home/Stash: Metrics.dat (Stash)
Mozy Home/Stash: State.dat (Stash)
Mozy Home/Stash: A few other files of note:
Manifest.dat (Home), “user” table
Mozy.log (Home)
Stash.log (Stash)
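Because most of the Mozy files of interest are SQLite 3.x databases (see the file type table and the "user" table in Manifest.dat noted above), a first triage pass is to confirm each file's type from its leading bytes and enumerate the tables in every SQLite file. The script below is an added example, not the presenter's tooling; it builds a constructed stand-in for the MozyHome Data directory (the "user" table schema is hypothetical) and opens each database read-only so the evidence copy is not modified.

```python
"""Triage a Mozy Home data directory: file type by magic, then SQLite tables.
Added example, not from the presentation; sample files are constructed and the
"user" table schema is hypothetical. Evidence copies are opened read-only."""
import sqlite3
import tempfile
from pathlib import Path
from typing import Dict, Tuple

def identify(path: Path) -> str:
    """Classify a file from its leading bytes, using file(1)-style labels."""
    with path.open("rb") as fh: head = fh.read(16)
    if not head:
        return "empty"
    if head.startswith(b"SQLite format 3\x00"):
        return "SQLite 3.x database"
    if head.startswith(b"\xff\xfe"):
        return "Little-endian UTF-16 Unicode text"
    if all(b in b"\t\r\n" or 0x20 <= b < 0x7F for b in head):
        return "ASCII text"
    return "data"

def sqlite_tables(path: Path) -> Dict[str, int]:
    """Table names with row counts, via a read-only URI connection."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        return {n: con.execute('SELECT COUNT(*) FROM "%s"' % n.replace('"', '""'))
                .fetchone()[0] for n in names}
    finally:
        con.close()

def triage(data_dir) -> Dict[str, Tuple[str, Dict[str, int]]]:
    """Map each file name to (type label, tables if SQLite, else {})."""
    out = {}
    for p in sorted(Path(data_dir).iterdir()):
        kind = identify(p)
        out[p.name] = (kind, sqlite_tables(p) if kind.startswith("SQLite") else {})
    return out

def triage_sample() -> Dict[str, Tuple[str, Dict[str, int]]]:
    """Build a constructed stand-in for Program Files\\MozyHome\\Data and triage it."""
    d = Path(tempfile.mkdtemp(prefix="mozy_data_"))
    con = sqlite3.connect(d / "manifest.dat")
    con.executescript("CREATE TABLE user (id INTEGER, name TEXT);"
                      "INSERT INTO user VALUES (1, 'example');")  # hypothetical schema
    con.close()
    (d / "filter_raw.log").write_bytes(b"")  # empty, as in the file type table
    (d / "mozy.log").write_bytes(b"2012-05-27 20:58:11 scan started\r\n")  # constructed
    (d / ".accountinfo.ini").write_bytes(b"\xff\xfe" + "[account]\r\n".encode("utf-16-le"))
    return triage(d)
```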
Mozy Home/Stash Network Connections
Mozy Home/Stash Network Signature:
Mozy Home/Stash SSL Connections
Very important to remember – while applications were uninstalled and some files were deleted ... No files or tools were injured in the making of this presentation. And NO dongles were used. Ever.
Thank you very much for your time. I'm open to questions, now or later: http://twitter.com/littlemac042 http://www.linkedin.com/in/frankmcclain