Page 1: Exfiltration Forensics in the Age of the Cloud

Frank McClain, GCFA, GCIH, CHFI

InfoSec Analyst, CSIRT Lead, PrimeLending, A PlainsCapital Company

Page 2

Who is this guy?

Grew up in Ham radio, won a computer at age 11
Specialized electronics repair in the military
Working in technology since 2003, mostly small business
Little bit of IA, IS, IR, with mostly IT (which I don't find interesting)
Found and got into DF in 2007, with small consulting firm
Entered corporate in 2011 at PrimeLending, A PlainsCapital Company

How might you know me?

Blog: Forensicaliente.blogspot.com
Twitter: @littlemac042
ForensicArtifacts.com (team member, contributor)
Forensic email lists: SANS DFIR, Win4n6
Forensic Focus article on Dropbox Forensics
Other than that, just another drop of rain in a cloudy sky

Page 3

What's this all about?

The use of cloud-based backup/synchronization services

Host-based identification and artifacts

Expanding the scope of research

What's the big deal?

“Host-based forensics is dead”

Availability of easy-to-use cloud services

Small business issues

Page 4

What's the point?

Be aware of the potential as exfiltration channel

Possible exploitation by external attacker

Extremely easy for internal threat

Understand the types of artifacts/footprints on the host

Is it really happening?

Sharon Nelson – RideTheLightning.SenseiEnt.com (Dropbox)

At least two people I know have active IP theft cases (Dropbox)

I worked a breach of contract/IP theft case (Carbonite)

Page 5

Page 6

What services are covered here?

Dropbox 1.2
SpiderOak v4.4
TeamDrive v2.4
ADrive v1.5
Carbonite v5.2
Mozy Home v2.12
Mozy Stash v0.11

What kinds of artifacts are we looking at?

Install location
Executable name(s)
Application data directory
Backup/Sync directory
Application data files
Network connections
Connections signature
Remnants after uninstall:
  Registry
  Application
  Data

Page 7

Methodology

Registry snapshots before and after install (RegShot)
Default installation
Network connections at rest & during operations (ProcessHacker, CurrPorts)
Full network capture (Wireshark)
Sync/backup for test file directory (named "Test_Files")
Sync/backup on 2nd system for cross-system access
Application/Executable general info, file and registry handles (ProcessHacker)
List application (executables), application data (data files), & Sync/backup directories (FileInfo)
Copy data files for post-uninstall analysis
Registry snapshots before and after uninstall (RegShot)
Uninstall via Windows applet
List executables, data files, and sync/backup directories, post-uninstall (FileInfo)
Parse registry hives for remnants and references, post-uninstall (RegDecoder)
Review PCAP files, isolate & identify clear-text & encrypted traffic (NetWitness)
Analyze contents for files of interest (Notepad++, Calc, Excel, SQLiteDBBrowser, HxD, HEX Editor, Encoder, Decode, DbVisualizer, TrID, File)

Primary system running Win7Pro, 64-bit. Secondary system running XP Pro, 32-bit.
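The "snapshot before install, after install, after uninstall" steps above are what produce the "Uninstall Remnants" rows in the per-service tables. The following is an added example (not the deck's own tooling, which was RegShot) of the comparison those steps rely on: it parses two text snapshots, diffs them, and reports what an uninstall left behind. The line format (HIVE\key\path\valuename=data) and every entry in the three snapshots are constructed for illustration; the key names echo the Dropbox registry remnants the deck lists, while the data values are placeholders.

```python
r"""Diff registry snapshots taken before/after install and before/after uninstall.

Added example, not the deck's tooling. Snapshot format and contents are constructed:
one 'HIVE\key\path\valuename=data' entry per line, '#' for comments.
"""
from typing import Dict, Iterable, Set, Tuple

Snapshot = Dict[str, str]  # full value path -> data

BEFORE_INSTALL = r"""
HKLM\Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\20\Name=explorer.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sidebar=C:\Program Files\Windows Sidebar\sidebar.exe
"""

# Constructed post-install state: an autorun entry, a shell icon-overlay handler
# and a personal-firewall policy entry appear (data values are placeholders).
AFTER_INSTALL = BEFORE_INSTALL + r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Dropbox=<path-to-Dropbox.exe placeholder>
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1\(Default)=<CLSID placeholder>
HKLM\Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\21\Name=Dropbox.exe
"""

# Constructed post-uninstall state: the autorun entry is removed, the other two remain.
AFTER_UNINSTALL = BEFORE_INSTALL + r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1\(Default)=<CLSID placeholder>
HKLM\Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\21\Name=Dropbox.exe
"""


def parse_snapshot(text: str) -> Snapshot:
    """Parse snapshot lines into {path: data}; a line with no '=' is a bare key."""
    snap: Snapshot = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, data = line.partition("=")
        snap[key] = data if sep else ""
    return snap


def diff_snapshots(before: Snapshot, after: Snapshot) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (added, removed, changed) value paths between two snapshots."""
    added = set(after) - set(before)
    removed = set(before) - set(after)
    changed = {k for k in set(before) & set(after) if before[k] != after[k]}
    return added, removed, changed


def uninstall_remnants(pre_install: Snapshot, post_uninstall: Snapshot) -> Set[str]:
    """Entries present after uninstall that did not exist (or differ) before install."""
    added, _, changed = diff_snapshots(pre_install, post_uninstall)
    return added | changed


def filter_by_marker(snap: Snapshot, keys: Iterable[str], markers: Iterable[str]) -> Set[str]:
    """Keep entries whose path or data mentions any marker (case-insensitive), e.g. the product name."""
    low = [m.lower() for m in markers]
    return {k for k in keys if any(m in (k + "=" + snap[k]).lower() for m in low)}


if __name__ == "__main__":
    pre = parse_snapshot(BEFORE_INSTALL)
    post = parse_snapshot(AFTER_UNINSTALL)
    for key in sorted(uninstall_remnants(pre, post)):
        print("remnant:", key, "=", post[key])
```

The third step (filtering on a product marker) matters on a real host, where the install/uninstall window also picks up unrelated churn such as MRU lists and update timestamps; checking the data as well as the path is what catches the firewall policy entry, whose key name says nothing about the product.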

Page 8

* Important Note *

You will see references in screenshots and filepaths to: “servicename\files_of_interest\...” where “servicename” is Dropbox, Adrive, etc. This is the location where I stored a copy of various application-related files, whether from Program Files, Application Data, or the Sync/Backup directory. Immediately following “files_of_interest” is where the rest of the path begins; it's relative up to that point. I mention this to minimize confusion for offline readers...

Page 9

Dropbox

Page 10

Dropbox

Artifact Type: Dropbox
Installation Location: AppData\Roaming\Dropbox\bin\
Executable: Dropbox.exe
Application Data Location: AppData\Roaming\Dropbox
Backup/Sync Location (default): %User%\Dropbox
Files of Interest: config.db, config.dbx, desktop.ini, filecache.dbx, host.db, sigstore.dbx, unlink.db, entries.log
Network Connection(s): 199.47.217.173:443, 199.47.216.178:443, 199.47.216.146:80, 50.16.217.157:443, 75.126.110.108:443, dropbox.com, notify3.dropbox.com
Network Signature: GET /subscribe?host_int=169449187&ns_map=5932257_73227506984566&ts=1139002454 HTTP/1.1
Uninstall Remnants – Files: host.dbx, entries.log
Uninstall Remnants – Registry: Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1, Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\21
Uninstall Remnants – Program: Dropbox.exe, DropboxExt.14.dll, DropboxExt64.14.dll, msvcp71.dll, msvcr71.dll

Page 11

Dropbox File Type

\Dropbox\files_of_interest\Dropbox\host.db: ASCII text
\Dropbox\files_of_interest\Dropbox\host.dbx: ASCII text
\Dropbox\files_of_interest\Dropbox\config.dbx: data
\Dropbox\files_of_interest\Dropbox\filecache.dbx: data
\Dropbox\files_of_interest\Dropbox\l\4f9c5ac9: data
\Dropbox\files_of_interest\Dropbox\l\4f9c5b1b: data
\Dropbox\files_of_interest\Dropbox\l\4f9c5b1d: data
\Dropbox\files_of_interest\Dropbox\l\4f9c5b1e: data
\Dropbox\files_of_interest\Dropbox\l\4f9c5b5d: data
\Dropbox\files_of_interest\Dropbox\l\4f9c5b5e: data
\Dropbox\files_of_interest\Dropbox\l\4f9c5b60: data
\Dropbox\files_of_interest\Dropbox\l\4fcc352e: data
\Dropbox\files_of_interest\Dropbox\l\4fcc357c: data
\Dropbox\files_of_interest\Dropbox\l\4fcc357d: data
\Dropbox\files_of_interest\Dropbox\l\4fcc357e: data
\Dropbox\files_of_interest\Dropbox\l\4fcc358d: data
\Dropbox\files_of_interest\Dropbox\l\4fcc358e: data
\Dropbox\files_of_interest\Dropbox\sigstore.dbx: data
\Dropbox\files_of_interest\Dropbox\unlink.db: data
\Dropbox\files_of_interest\Dropbox\bin\itag: empty
\Dropbox\files_of_interest\Dropbox\config.db: SQLite 3.x database

Page 12

Dropbox

Host.db – Decoded:

Host.dbx – Decoded:
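The slide shows the decoded host.db and host.dbx in screenshots that did not survive extraction. What follows is an added example of the decoding step, not the deck's own code. It rests on one assumption about the Dropbox 1.x client that the slide itself does not spell out: host.db holds two lines, a hex host identifier and the base64-encoded path of the local Dropbox folder (host.dbx, which the deck lists as an uninstall remnant, has the same shape). The sample file content is constructed; the folder path in it is a made-up value.

```python
"""Decode the sync-folder record from a Dropbox 1.x host.db / host.dbx file.

Added example, not from the deck. Assumed file layout: line 1 = hex host id,
line 2 = base64 of the local Dropbox folder path. SAMPLE_HOST_DB is constructed.
"""
import base64
import binascii
import re
from typing import Dict, Optional

# Constructed host.db: a dummy 64-hex-digit id, then base64("C:\Users\Frank\Dropbox").
SAMPLE_HOST_DB = (
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff\n"
    "QzpcVXNlcnNcRnJhbmtcRHJvcGJveA==\n"
)

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_b64_line(line: str) -> Optional[str]:
    """Return the decoded text if `line` is well-formed base64 that decodes to UTF-8, else None.

    The length and alphabet checks avoid the false positives you get when feeding
    arbitrary lines (hex ids, log text) through a lenient base64 decoder."""
    line = line.strip()
    if not line or len(line) % 4 or not _B64_RE.match(line):
        return None
    try:
        return base64.b64decode(line, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def parse_host_db(text: str) -> Dict[str, Optional[str]]:
    """Split host.db into its host id and decoded folder path (None where absent/undecodable)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    host_id = lines[0] if lines else None
    folder = decode_b64_line(lines[1]) if len(lines) > 1 else None
    return {"host_id": host_id, "dropbox_folder": folder}


def find_b64_paths(text: str) -> Dict[int, str]:
    """Scan any small text file for base64 lines that decode to a Windows-style path.

    Useful when a remnant (host.dbx after uninstall) has more lines than expected."""
    hits = {}
    for n, ln in enumerate(text.splitlines(), 1):
        decoded = decode_b64_line(ln)
        if decoded and re.match(r"^[A-Za-z]:\\", decoded):
            hits[n] = decoded
    return hits


if __name__ == "__main__":
    rec = parse_host_db(SAMPLE_HOST_DB)
    print("host id      :", rec["host_id"])
    print("sync folder  :", rec["dropbox_folder"])
    print("path lines   :", find_b64_paths(SAMPLE_HOST_DB))
```

The decoded folder path is the evidentiary point: it tells you which directory on the host was being synchronized, which you then compare against the file listing of that directory and the date-named cache directories on the next slide.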

Page 13

Dropbox

Date-Named Directory (“2012-06-06”):

Entries.log – Decoded:

Note: This is inside the .dropbox.cache directory

Page 14

Dropbox

Page 15

Dropbox

Network Connections:

Page 16

Dropbox

Network Signature:

Page 17

Dropbox SSL Connections:
Page 18

SpiderOak

Page 19

SpiderOak

Artifact Type: SpiderOak
Installation Location: Program Files (x86)\SpiderOak\
Executable: SpiderOak.exe, windows_dir_watcher.exe
Application Data Location: AppData\Roaming\SpiderOak
Backup/Sync Location (default): Any, User-Defined, File Type
Files of Interest: 1336254748.22.port, config.dat, config.txt, device_1a.dat, device_2a.dat, dirhash.db, downloads.db, exclude.txt, fs_queue.db, local.dat, oak_20120505145242.log, oak_20120505165227.log, prefs.dat, snapshot.db, Spider_20120505145242.log, Spider_20120505165227.log, Test-skipfilter.db, test.db, test.log, tss_external_orphans_fixed_pandora_sqliite_database, tss_external_orphans_fixed_snapshot.db
Network Connection(s): 38.121.104.67:443, 38.121.104.68:44 (Performance Systems International, aka Cogent Communications or PSINet, Inc)
Network Signature: uses TLSv1, no unencrypted traffic observed
Uninstall Remnants – Files: same as files of interest – nothing removed
Uninstall Remnants – Registry: \Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\34
Uninstall Remnants – Program: API-MS-Win-Core-LocalRegistry-L1-1-0.dll, API-MS-Win-Core-ProcessThreads-L1-1-0.dll, API-MS-Win-Security-Base-L1-1-0.dll, bz2.pyd, POWRPROF.dll, pythoncom27.dll, pywintypes27.dll, select.pyd, shared.zip, unicodedata.pyd, win32api.pyd, win32com.shell.shell.pyd, win32event.pyd, win32evtlog.pyd, win32gui.pyd, win32pdh.pyd, win32process.pyd, win32trace.pyd, win32ui.pyd, winxpgui.pyd, _ctypes.pyd, _hashlib.pyd, _socket.pyd, _ssl.pyd, _win32sysloader.pyd

Page 20

SpiderOak File Type

\SpiderOak\files_of_interest\oak_20120505145242.log: ASCII C++ program text, with very long lines, with CRLF line terminators
\SpiderOak\files_of_interest\oak_20120505165227.log: ASCII C++ program text, with very long lines, with CRLF line terminators
\SpiderOak\files_of_interest\spider_20120505145242.log: ASCII English text, with very long lines, with CRLF line terminators
\SpiderOak\files_of_interest\spider_20120505165227.log: ASCII English text, with very long lines, with CRLF line terminators
\SpiderOak\files_of_interest\config.txt: ASCII text
\SpiderOak\files_of_interest\exclude.txt: ASCII text
\SpiderOak\files_of_interest\prefs.dat: ASCII text
\SpiderOak\files_of_interest\tss_external_blocks_pandora_sqliite_database\00000014: ASCII text
\SpiderOak\files_of_interest\test.log: ASCII text, with CRLF line terminators
\SpiderOak\files_of_interest\tss_external_orphans_fixed_pandora_sqliite_database: ASCII text, with no line terminators
\SpiderOak\files_of_interest\tss_external_orphans_fixed_snapshot.db: ASCII text, with no line terminators
\SpiderOak\files_of_interest\backup_system_ignore_this_folder.lock: empty
\SpiderOak\files_of_interest\dirhash.db: SQLite 3.x database
\SpiderOak\files_of_interest\download_cache\downloads.db: SQLite 3.x database
\SpiderOak\files_of_interest\fs_queue.db: SQLite 3.x database
\SpiderOak\files_of_interest\object_cache\device_1a.dat: SQLite 3.x database
\SpiderOak\files_of_interest\object_cache\device_2a.dat: SQLite 3.x database
\SpiderOak\files_of_interest\pandora_sqliite_database: SQLite 3.x database
\SpiderOak\files_of_interest\snapshot.db: SQLite 3.x database
\SpiderOak\files_of_interest\sync\test-skipfilter.db: SQLite 3.x database
\SpiderOak\files_of_interest\sync\test.db: SQLite 3.x database

Page 21

SpiderOak

oak_20120505145242.log

Page 22

SpiderOak

spider_20120505145242.log

Page 23

SpiderOak

device_1a.dat (SQLite3 db):

entry_time | path | journal_num | last_session_start | last_session_recno | last_session_size
1336248614 | c:\Users\Frank\Documents\SpiderOak | 1001 | | |
1336248614 | c:\Users\Frank\Documents\SpiderOak\TEST_FILES | 1002 | 0 | 6 | 103

entry_time 1336248614 decoded: Sat, 05 May 2012 15:10:14 -0500

Test.db – SQLite3 db:

sync_id | sync_name | time_added
1 | test | 2012-05-05 21:52:59
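The entry_time column above is a Unix epoch that the slide decodes to local time (UTC-5). The following is an added example, not the deck's tooling, of pulling such rows out of one of these SQLite files and decoding the timestamp the same way. The column names and the two rows are the ones on the slide; the table name (dir_entries) and column types are assumptions, and the database is built in memory here rather than read from a real device_1a.dat.

```python
"""Query a SpiderOak-style SQLite table and decode its epoch timestamps.

Added example, not from the deck. Table name `dir_entries` and column types are
assumed; the rows are the ones shown on the slide, loaded into an in-memory db.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Dict, List


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for device_1a.dat with the slide's two rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE dir_entries (entry_time INTEGER, path TEXT, journal_num INTEGER, "
        "last_session_start INTEGER, last_session_recno INTEGER, last_session_size INTEGER)"
    )
    con.executemany(
        "INSERT INTO dir_entries VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1336248614, r"c:\Users\Frank\Documents\SpiderOak", 1001, None, None, None),
            (1336248614, r"c:\Users\Frank\Documents\SpiderOak\TEST_FILES", 1002, 0, 6, 103),
        ],
    )
    con.commit()
    return con


def epoch_to_text(ts: int, utc_offset_hours: int = 0) -> str:
    """Render a Unix epoch in the slide's format, e.g. 'Sat, 05 May 2012 15:10:14 -0500'."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(ts, tz).strftime("%a, %d %b %Y %H:%M:%S %z")


def plausible_epoch(ts: object) -> bool:
    """Sanity check before decoding: seconds (not ms) in a believable window, 2000..2040."""
    return isinstance(ts, int) and 946684800 <= ts <= 2208988800


def list_entries(con: sqlite3.Connection, utc_offset_hours: int = 0) -> List[Dict[str, object]]:
    """Return every row as a dict with an added, human-readable entry_time_decoded field."""
    con.row_factory = sqlite3.Row
    rows = con.execute("SELECT * FROM dir_entries ORDER BY journal_num").fetchall()
    out = []
    for r in rows:
        d = dict(r)
        ts = r["entry_time"]
        d["entry_time_decoded"] = epoch_to_text(ts, utc_offset_hours) if plausible_epoch(ts) else None
        out.append(d)
    return out


if __name__ == "__main__":
    for e in list_entries(build_sample_db(), utc_offset_hours=-5):
        print(e["entry_time_decoded"], e["journal_num"], e["path"])
```

Decode to UTC first and apply the host's offset as a separate, documented step; the time_added value in test.db on the same slide is stored as text rather than an epoch, so the two columns cannot be compared until both are expressed in one zone.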

Page 24

SpiderOak

Network Connections:

Page 25

SpiderOak

Network Signature:

Page 26

SpiderOak

SSL Connections:

Page 27

TeamDrive

Page 28

TeamDrive

Artifact Type: TeamDrive
Installation Location: Program Files (x86)\TeamDrive2.0\
Executable: TeamDrive2.exe, TeamDrive2Database.exe
Application Data Location: AppData\Roaming\TeamDrive
Backup/Sync Location (default): %User%\TeamDrive Spaces
Files of Interest (a few examples): WebDAVSettings.xml, DirWatcher_log.log, FileWatcher_log.log, log.log, old_20120513_162655_logs.zip, general_log.CSV, slow_log.CSV, db.opt, littlemac042_TeamDrive_13.05.2012.pss, Default_littlemac042.sakh, desktop.ini, target.lnk
Network Connection(s): 46.137.108.17:80, 79.125.8.233:80, td2ec2in4mv1euwest.teamdrive.net, reg.teamdrive.net. Connections going to Amazon AWS in Dublin.
Network Signature: PUT /primespace/vol05/29720/protolog/last.log?P1RID=1&pb-id=tt31385962996753839188459838 HTTP/1.1 (application/octet-stream)
Uninstall Remnants – Files: desktop.ini, target.lnk
Uninstall Remnants – Registry: \Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.7\com.trolltech.Qt.QTextCodecFactoryInterface:\C:\Program Files (x86)\TeamDrive2.0, \ControlSet001\Services\EventLog\Application\MySQL, \ControlSet002\Services\EventLog\Application\MySQL
Uninstall Remnants – Program: none

Page 29

TeamDrive File Type

\TeamDrive\files_of_interest\TeamDrive\logs\CTransferListThread_log.log: ASCII English text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\log.log: ASCII English text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CLogPollerThread_log.log: ASCII English text, with very long lines, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CFSSynchronizerThread_log.log: ASCII news text, with very long lines, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\mysql\data\pbxt\location: ASCII text
\TeamDrive\files_of_interest\TeamDrive\mysql\data\td2\db.opt: ASCII text
\TeamDrive\files_of_interest\TeamDrive\mysql\data\TeamDrive2Database.pid: ASCII text
\TeamDrive\files_of_interest\TeamDrive\logs\CApiModuleThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CArchiveCacheWorkerThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CArchiverDeamonThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CDelayedArchiverThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CDownLoadMessageThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CEventListenerThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CFSJobArchiverThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CFSRuleEngineDeamonThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CGUIFileEventBufferThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CJobManagerThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CLogBackupThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CMessageBuilderThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CReaderWriterThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CScanJobWorkerThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CScannerDeamonThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CSynchronizerDeamonThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CThreadedReceiverThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CWatcherDeamonThread_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\DirWatcher_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\FileWatcher_log.log: ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\mysql\data\TeamDrive2Database.err: ASCII text, with CRLF line terminators

Page 30

TeamDrive

TeamDrive.ini:

Page 31

TeamDrive

TDStart.ini:

Page 32

TeamDrive

TeamDrive2Database.err:

A few other files to look at:

CFSRuleEngineDeamonThread_log.log
CFSSynchronizerThread_log.log
CScanJobWorkerThread_log.log
Xlog-1.xt

Page 33

TeamDrive DNS Connections:

Page 34

TeamDrive Network Connections:

Page 35

TeamDrive Network Signature:

Page 36

ADrive

Page 37

ADrive

Artifact Type: Adrive
Installation Location: Program Files (x86)\ADrive Desktop\
Executable: ADrive Desktop.exe
Application Data Location: AppData\Roaming\com.adrive.ADriveDesktop.9E1195EE779B0F966F518632F3A0F64E53222DC6.1
Backup/Sync Location (default): Any, User-Defined, File Type
Files of Interest: Adrive.db, index.dat (History.IE5, Content.IE5, Cookies), install.log (Adobe AIR)
Network Connection(s): 65.49.56.133:443, 65.49.56.133:80, adrive.com, www31.adrive.com
Network Signature: 34947 > https [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1, https > 34947 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1 WS=128, 34947 > https [ACK] Seq=1 Ack=1 Win=65700 Len=0, Client Hello
Uninstall Remnants – Files: same as files of interest
Uninstall Remnants – Registry: \Wow6432Node\Microsoft\Tracing\ADrive Desktop_RASAPI32, \Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\1
Uninstall Remnants – Program: none

Page 38

ADrive File Type

\ADrive\files_of_interest\Install.log: UTF-8 Unicode (with BOM) English text, with very long lines, with CRLF, LF line terminators
\Adrive\files_of_interest\com.adrive.ADriveDesktop.9E1195EE779B0F966F518632F3A0F64E53222DC6.1\Local Store\ADrive.db: SQLite 3.x database, user version 300200
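The "File Type" tables for each service (this one and the ones for Dropbox, SpiderOak, TeamDrive, Carbonite and Mozy) are file(1)-style descriptions: SQLite header, byte-order marks, line terminators, and here a SQLite user version. As an added example (not the deck's tooling, which used FileInfo, TrID and File), the identifier below reproduces just those checks so that a .dat or .dbx with an uninformative extension can be triaged from its first bytes. Every sample input is constructed. The 300-character threshold for "very long lines" is an assumption that mirrors file(1)'s default; the user version is the big-endian 32-bit field at offset 60 of the SQLite header.

```python
"""Minimal file(1)-style identifier for the artifact classes in this deck.

Added example, not from the deck. Samples in SAMPLES are constructed.
"""
import struct
from typing import Dict

SQLITE_MAGIC = b"SQLite format 3\x00"
LONG_LINE = 300  # assumed to mirror file(1)'s default threshold


def _line_flags(text: str) -> str:
    """Build the trailing qualifiers: very long lines, and which terminators are present."""
    flags = []
    if any(len(line.rstrip("\r")) > LONG_LINE for line in text.split("\n")):
        flags.append("with very long lines")
    crlf = "\r\n" in text
    rest = text.replace("\r\n", "")
    kinds = [k for k, present in (("CRLF", crlf), ("CR", "\r" in rest), ("LF", "\n" in rest)) if present]
    if not kinds:
        flags.append("with no line terminators")
    elif kinds != ["LF"]:  # plain LF is the default and goes unreported, as in file(1)
        flags.append("with " + ", ".join(kinds) + " line terminators")
    return "".join(", " + f for f in flags)


def identify(data: bytes) -> str:
    """Classify a file's bytes the way the deck's File Type tables do."""
    if not data:
        return "empty"
    if data.startswith(SQLITE_MAGIC):
        if len(data) >= 64:
            user_version = struct.unpack(">I", data[60:64])[0]  # header offset 60
            if user_version:
                return f"SQLite 3.x database, user version {user_version}"
        return "SQLite 3.x database"
    if data.startswith(b"\xef\xbb\xbf"):
        try:
            return "UTF-8 Unicode (with BOM) text" + _line_flags(data[3:].decode("utf-8"))
        except UnicodeDecodeError:
            return "data"
    if data.startswith(b"\xff\xfe"):
        try:
            return "Little-endian UTF-16 Unicode text" + _line_flags(data[2:].decode("utf-16-le"))
        except UnicodeDecodeError:
            return "data"
    try:
        body = data.decode("utf-8")
    except UnicodeDecodeError:
        return "data"
    if any(ord(c) < 32 and c not in "\t\n\r\f\x1b" for c in body):
        return "data"  # control bytes other than whitespace: treat as binary
    if body.isascii():
        return "ASCII text" + _line_flags(body)
    return "UTF-8 Unicode text" + _line_flags(body)


def sqlite_header(user_version: int) -> bytes:
    """Constructed 100-byte SQLite header carrying only the magic and a user version."""
    return SQLITE_MAGIC + b"\x00" * 44 + struct.pack(">I", user_version) + b"\x00" * 36


# Constructed samples covering each class that appears in the deck's tables.
SAMPLES: Dict[str, bytes] = {
    "empty.lock": b"",
    "adrive.db": sqlite_header(300200),
    "plain.db": sqlite_header(0),
    "install.log": b"\xef\xbb\xbfstep one\r\nstep two\n",
    "accountinfo.ini": b"\xff\xfe" + "a=1\r\nb=2\r".encode("utf-16-le"),
    "config.txt": b"key=value\r\n",
    "orphans": b"abc",
    "biglines.log": b"x" * 400 + b"\n",
    "filecache.dbx": b"\x00\x01\x02\xff",
}


def identify_all(samples: Dict[str, bytes]) -> Dict[str, str]:
    return {name: identify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, kind in identify_all(SAMPLES).items():
        print(f"{name:18} {kind}")
```

Two of the deck's rows are worth a second look with this in hand: a SQLite file with a non-zero user version (the ADrive database) is a hint that the application, not SQLite, set it, and the "data" rows for Dropbox's .dbx files are exactly the ones this identifier cannot name, which is where a hex editor and the application's own logs take over.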

Page 39

ADrive

Page 40

ADrive

LogEntries Table

Page 41

ADrive

Adobe AIR Install Log

Page 42

ADrive

Network Connections

Page 43

ADrive

Network Signature:

Page 44

ADrive SSL Connections

Page 45

Carbonite

Page 46

Carbonite

Page 47

Carbonite

Artifact Type: Carbonite
Installation Location: Program Files (x86)\Carbonite\Carbonite Backup\
Executable: CarboniteUI.exe
Application Data Location: ProgramData\Carbonite
Backup/Sync Location (default): Any, User-Defined, File Type
Files of Interest: Carbonite.log, CarboniteConfig.dat, CarboniteDelta.dat, CarboniteFiles.dat, CarboniteNSE.log, CarbonitePossibleUpgrade.exe, CarboniteRestores.dat, CarboniteUI.log, CarboniteVersions.dat
Network Connection(s): 4.53.54.244:443, 8.26.56.26:53, 38.97.103.136:80, web6.site11.carbonite.com, carbonite.com
Network Signature: GET /Download/v5.2.1181/CarboniteUpgrade-en.exe HTTP/1.1, User-Agent: CarboniteUI, Host: www.carbonite.com, Cache-Control: no-cache
Uninstall Remnants – Files: none
Uninstall Remnants – Registry: \Classes\Applications\CarboniteUI.exe, \ControlSet001\Services\EventLog\Application\CarboniteService
Uninstall Remnants – Program: none

Page 48

Carbonite File Type

\Carbonite\files_of_interest\Carbonite\Carbonite Backup\CarboniteNSE.log: ASCII text, with CRLF line terminators
\Carbonite\files_of_interest\Carbonite\Carbonite Backup\CarboniteUI.log: ASCII text, with CRLF line terminators
\Carbonite\files_of_interest\Carbonite\Carbonite Backup\skin\ScriptTests.txt: ASCII text, with CRLF line terminators
\Carbonite\files_of_interest\Carbonite\Carbonite Backup\skin\ShowAll.txt: ASCII text, with CRLF line terminators
\Carbonite\files_of_interest\Carbonite\Carbonite Backup\Carbonite.log: ASCII text, with very long lines, with CRLF, LF line terminators
\Carbonite\files_of_interest\Carbonite\Carbonite Backup\skin\CarboniteNSE.strings: UTF-8 Unicode (with BOM) English text, with very long lines, with CRLF line terminators
\Carbonite\files_of_interest\Carbonite\Carbonite Backup\skin\CarboniteService.strings: UTF-8 Unicode (with BOM) English text, with very long lines, with CRLF line terminators
\Carbonite\files_of_interest\Carbonite\Carbonite Backup\skin\CarboniteUI.strings: UTF-8 Unicode (with BOM) English text, with very long lines, with CRLF line terminators

Page 49

Carbonite File Handles

Page 50

Carbonite Carbonite.log

Page 51

Carbonite CarboniteFiles.dat

Page 52

Carbonite

Network Connections

Page 53

Carbonite

Network Signature:

Page 54

Carbonite SSL Connections

Page 55

Mozy Home/Stash

Page 56

Artifact Type: Mozy (Home & Stash)
Installation Location: Program Files\MozyHome, Program Files (x86)\Mozy\Stash
Executable: MozyBackup.exe, MozyStat.exe, Stash.exe
Application Data Location: Program Files\MozyHome\Data, AppData\Local\Stash
Backup/Sync Location (default): Any, %User%\Stash
Files of Interest: cache.dat, changes.dat, filter_raw.log.1, local_backup.dat, manifest.dat, mozy.log, resume.dat, scancache.dat, state.dat, metrics.dat, Stash.log, state.dat
Network Connection(s): 173.243.50.163:443, 173.243.50.190:443, 173.243.50.240:443, 74.112.148.76, 8.26.56.26, 156.154.70.22, 173.243.52.180, 173.243.52.200, 74.112.148.220, 74.112.148.85, 173.243.52.210, 173.243.51.62, 173.243.50.145, 216.54.220.68, 173.243.51.98, 173.243.51.80, 173.243.51.30, 173.243.50.245, 173.243.50.211, 173.243.50.184, 173.243.50.181, 173.243.50.173, 173.243.50.162, 173.243.50.157, 173.243.50.154, 173.243.50.135, 74.112.149.3, mozyops.com, *.mozy.com
Network Signature: GET /dev/null HTTP/1.1, Host: client.mozy.com, User-Agent: kalypso/2.12.1.160, Content-Length: 1048576; HEAD /dev/null HTTP/1.1, Host: client.mozy.com, User-Agent: kalypso/2.12.1.160, HTTP/1.1 200 OK, Date: Sun, 27 May 2012 20:58:11 GMT, Server: Apache, Last-Modified: Wed, 25 May 2011 15:45:49 GMT, ETag: "5923aa-23-4a41b993fa540", Accept-Ranges: bytes, Content-Length: 35, Content-Type: text/html
Uninstall Remnants – Files: metrics.dat, Stash.log, state.dat, .accountinfo.ini, desktop.ini
Uninstall Remnants – Registry: \Software\Mozy, Inc, \ControlSet001\Enum\Root\LEGACY_MOZYFILTER\0000
Uninstall Remnants – Program: banner.1332213388.json
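The "Network Signature" rows for Dropbox, TeamDrive, Carbonite and Mozy are all clear-text HTTP, which means a proxy log or a PCAP can be searched for them without decrypting anything. The following is an added example, not the deck's tooling (the deck used Wireshark and NetWitness), that turns those four rows into matching rules and runs them over a handful of raw requests. The requests are constructed from the signature rows above; where the slide did not show a Host header (Dropbox, TeamDrive) the host is assumed from the connection list of the same table.

```python
"""Flag clear-text HTTP requests matching the client signatures in this deck.

Added example, not from the deck. Signatures come from the Network Signature
rows; SAMPLE_REQUESTS are constructed, with Host headers assumed where the
slide showed none.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str]  # header names lower-cased


def parse_request(raw: str) -> Optional[HttpRequest]:
    """Parse the request line and headers of one HTTP/1.x request; None if malformed."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(parts[0], parts[1], headers)


# (service, host regex, path regex or None, user-agent regex or None), from the deck's rows
SIGNATURES: List[Tuple[str, str, Optional[str], Optional[str]]] = [
    ("Dropbox", r"(^|\.)dropbox\.com$", r"^/subscribe\?host_int=", None),
    ("TeamDrive", r"(^|\.)teamdrive\.net$", r"^/primespace/.*/protolog/last\.log", None),
    ("Carbonite", r"(^|\.)carbonite\.com$", None, r"^CarboniteUI"),
    ("Mozy", r"(^|\.)mozy\.com$", r"^/dev/null$", r"^kalypso/"),
]


def classify(req: HttpRequest) -> Optional[str]:
    """Return the service whose signature the request matches, else None."""
    host = req.headers.get("host", "").split(":")[0].lower()
    agent = req.headers.get("user-agent", "")
    for service, host_re, path_re, ua_re in SIGNATURES:
        if not re.search(host_re, host):
            continue
        if path_re and not re.search(path_re, req.path):
            continue
        if ua_re and not re.search(ua_re, agent):
            continue
        return service
    return None


def scan(raw_requests: List[str]) -> List[Tuple[str, str, str]]:
    """Run every request through the signatures; return (service, host, 'METHOD path') hits."""
    hits = []
    for raw in raw_requests:
        req = parse_request(raw)
        if req is None:
            continue
        service = classify(req)
        if service:
            hits.append((service, req.headers.get("host", ""), f"{req.method} {req.path}"))
    return hits


# Constructed sample traffic: four requests built from the deck's rows, one ordinary
# browser request, and one line that is not HTTP at all.
SAMPLE_REQUESTS = [
    "GET /subscribe?host_int=169449187&ns_map=5932257_73227506984566&ts=1139002454 HTTP/1.1\r\n"
    "Host: notify3.dropbox.com\r\n\r\n",
    "PUT /primespace/vol05/29720/protolog/last.log?P1RID=1&pb-id=tt31385962996753839188459838 HTTP/1.1\r\n"
    "Host: td2ec2in4mv1euwest.teamdrive.net\r\nContent-Type: application/octet-stream\r\n\r\n",
    "GET /Download/v5.2.1181/CarboniteUpgrade-en.exe HTTP/1.1\r\nUser-Agent: CarboniteUI\r\n"
    "Host: www.carbonite.com\r\nCache-Control: no-cache\r\n\r\n",
    "HEAD /dev/null HTTP/1.1\r\nHost: client.mozy.com\r\nUser-Agent: kalypso/2.12.1.160\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "not an http request",
]

if __name__ == "__main__":
    for service, host, request in scan(SAMPLE_REQUESTS):
        print(f"{service:10} {host:35} {request}")
```

These rules only see clear-text sessions. For the clients that speak nothing but TLS (SpiderOak, and the 443 sessions of the others) the capture yields just the destination endpoints, which is why each table lists the connection IPs and hostnames alongside the signature: on a corporate egress point those endpoints, or the DNS lookups for them, are the detection.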

Page 57

Mozy Home/Stash File Type

\Mozy\files_of_interest\Data\mozy.log: ASCII English text, with CRLF line terminators
\Mozy\files_of_interest\desktop.ini: ASCII text, with CRLF line terminators
\Mozy\files_of_interest\Stash\Stash.log: ASCII text, with very long lines, with CRLF line terminators
\Mozy\files_of_interest\Data\filter_raw.log: empty
\Mozy\files_of_interest\.accountinfo.ini: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
\Mozy\files_of_interest\Data\cache.dat: SQLite 3.x database
\Mozy\files_of_interest\Data\changes.dat: SQLite 3.x database
\Mozy\files_of_interest\Data\local_backup.dat: SQLite 3.x database
\Mozy\files_of_interest\Data\manifest.dat: SQLite 3.x database
\Mozy\files_of_interest\Data\resume.dat: SQLite 3.x database
\Mozy\files_of_interest\Data\scancache.dat: SQLite 3.x database
\Mozy\files_of_interest\Data\state.dat: SQLite 3.x database
\Mozy\files_of_interest\Stash\metrics.dat: SQLite 3.x database
\Mozy\files_of_interest\Stash\state.dat: SQLite 3.x database

Page 58

Mozy Home/Stash

Scancache.dat (Home)

Page 59

Mozy Home/Stash

Metrics.dat (Stash)

Page 60

Mozy Home/Stash

State.dat (Stash)

Page 61

Mozy Home/Stash

A few other files of note:

Manifest.dat (Home), “user” table
Mozy.log (Home)
Stash.log (Stash)

Page 62

Mozy Home/Stash

Network Connections

Page 63

Mozy Home/Stash Network Signature:

Page 64

Mozy Home/Stash

SSL Connections

Very important to remember – while applications were uninstalled and some files were deleted ... No files or tools were injured in the making of this presentation. And NO dongles were used. Ever.

Page 66: Exfiltration Forensics in the Age of the Cloud

Thank you very much for your time. I'm open to questions, now or later: http://twitter.com/littlemac042 http://www.linkedin.com/in/frankmcclain