
Cloud Forensics: Analyzing MEGASync


Nowadays almost everybody has an account with one cloud service or another. Dropbox, OneDrive and Google Drive are some of the most popular. There are also services that focus on the security of their users' data; one of them is MEGA. According to the developers, “MEGA is fully accessible without prior software installs and remains the only cloud storage provider with browser-based high-performance end-to-end encryption”. But just like other cloud storage services, it has its own app for syncing, MEGASync, and today we are going to look at its Windows version.

One of the main goals is to find the MEGA synchronization folder: files within this folder are synchronized with the user’s MEGA account automatically. Registry forensics will do the job; look at the following key:

HKU\S-1-5-21-4263662546-2795938078-1341706656-1001\Software\Classes\CLSID\{F673ED46-CA8A-4FB4-9BA7-6907033851E2}\Instance\InitPropertyBag

The TargetFolderPath value shows the MEGA folder; in our case it is “C:\Users\0136\Documents\MEGA”. Note that in your case the user’s SID and the CLSID will be different, so search for any InitPropertyBag subkey under Software\Classes\CLSID that carries a TargetFolderPath value rather than for this exact GUID. Note also that HKU\<SID>\Software\Classes is backed by the user’s UsrClass.dat hive (%LocalAppData%\Microsoft\Windows\UsrClass.dat), not by NTUSER.DAT, so that is the hive to load when working offline.
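The following PowerShell function is an added example and not code from the article or from MEGA: it walks every loaded user hive for an InitPropertyBag\TargetFolderPath value instead of relying on a fixed SID or CLSID, so it also surfaces sync roots of other clients that register the same way. It assumes a live system, or an evidence UsrClass.dat loaded with `reg load` under a name of your choice (the `HKU\Evidence` name below is only an illustration).

```powershell
function Get-SyncRootFromRegistry {
    [CmdletBinding()]
    param(
        # Hive root to scan. HKEY_USERS covers every loaded user hive, including an
        # evidence hive mounted with:  reg load HKU\Evidence C:\case\UsrClass.dat
        [string]$Root = 'Registry::HKEY_USERS'
    )

    # HKU\<SID>\Software\Classes is a link into that user's UsrClass.dat, which the
    # kernel also exposes as HKU\<SID>_Classes. The second pattern covers that alias
    # and a UsrClass.dat loaded directly under its own name; results are deduplicated.
    $patterns = @(
        "$Root\*\Software\Classes\CLSID\*\Instance\InitPropertyBag",
        "$Root\*\CLSID\*\Instance\InitPropertyBag"
    )

    $patterns |
        ForEach-Object { Get-ItemProperty -Path $_ -Name TargetFolderPath -ErrorAction SilentlyContinue } |
        ForEach-Object {
            # PSPath: Microsoft.PowerShell.Core\Registry::HKEY_USERS\<hive>\...\CLSID\{GUID}\Instance\InitPropertyBag
            $m = [regex]::Match($_.PSPath, 'HKEY_USERS\\(?<hive>[^\\]+)\\.*\\CLSID\\(?<clsid>\{[^}]+\})\\')
            [pscustomobject]@{
                Hive             = $m.Groups['hive'].Value -replace '_Classes$', ''
                CLSID            = $m.Groups['clsid'].Value
                TargetFolderPath = $_.TargetFolderPath
            }
        } |
        Sort-Object Hive, CLSID, TargetFolderPath -Unique
}

# Every sync root registered for any loaded user, then only the ones that look like MEGA.
Get-SyncRootFromRegistry | Format-Table -AutoSize
Get-SyncRootFromRegistry | Where-Object TargetFolderPath -like '*\MEGA*'
```

The Hive column is the SID (with the `_Classes` suffix stripped), which is the same SID you will need later to pick the right user out of per-user artifacts such as BAM.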

Of course, the user can delete files from this folder, but if you are provided with the account credentials you can restore deleted files from the Rubbish Bin. By default deleted files are kept in the Rubbish Bin for 30 days, but users can reduce the number of days or even have files deleted immediately.

But how do you determine whether files were deleted from the MEGA folder? Of course, you can start with data recovery, but as far as we understood it is not that easy with MEGA, as even straight after file deletion there were no traces of the deleted files.

So what else can be done? Let’s go back to registry forensics and check the MRU lists! The RecentApps key keeps, per application, the paths of recently opened files together with last-access timestamps. For example, here is one of the recent files opened by notepad.exe:

Figure 1. The values of “Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\{DF383F0B-4306-4AD2-B51D-903BBE501392}\RecentItems\{64BF2F8B-1018-482E-8AC0-C45186A42429}”

If it’s not enough, here is another example:

Figure 2. The values of “Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\{DF383F0B-4306-4AD2-B51D-903BBE501392}\RecentItems\{A188F1C0-8F25-4E15-8B18-EC035765B8D5}”

What else can be helpful? LNK files!

Figure 3. A LNK file parsed with Eric Zimmerman’s LECmd
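As an added example that is not part of the article, the function below pulls both kinds of evidence shown above, RecentApps MRU entries and Recent-folder LNK files, and keeps only the ones whose target lies under a given sync folder. It assumes a live system (or a user hive loaded with `reg load` and passed as `-UserHive`), the RecentItems value names `Path` and `LastAccessedTime` (a FILETIME), and reads LNK targets through the WScript.Shell COM object rather than LECmd, which is what you would use for the full set of LNK timestamps and volume details.

```powershell
function Find-SyncFolderReferences {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$SyncFolder,                       # e.g. C:\Users\0136\Documents\MEGA
        [string]$UserHive  = 'Registry::HKEY_CURRENT_USER',               # or Registry::HKEY_USERS\Evidence
        [string]$RecentDir = (Join-Path $env:APPDATA 'Microsoft\Windows\Recent')
    )
    $prefix = $SyncFolder.TrimEnd('\') + '\'

    # 1. RecentApps: each app key carries an AppId, each RecentItems subkey the opened Path
    #    and a LastAccessedTime FILETIME (value names assumed from the Windows 10 layout).
    $apps = "$UserHive\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps"
    Get-ChildItem -Path $apps -ErrorAction SilentlyContinue | ForEach-Object {
        $appId = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).AppId
        Get-ChildItem -Path "$($_.PSPath)\RecentItems" -ErrorAction SilentlyContinue | ForEach-Object {
            $item = Get-ItemProperty -Path $_.PSPath
            if ($item.Path -and $item.Path.StartsWith($prefix, 'OrdinalIgnoreCase')) {
                [pscustomobject]@{
                    Source       = 'RecentApps'
                    Application  = $appId
                    Path         = $item.Path
                    LastAccessed = if ($item.LastAccessedTime) { [datetime]::FromFileTimeUtc([int64]$item.LastAccessedTime) }
                }
            }
        }
    }

    # 2. LNK files: the shortcut stores the target path; the LNK's own modification
    #    time is updated each time the target is opened through the shell.
    $wsh = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $RecentDir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $wsh.CreateShortcut($_.FullName).TargetPath
        if ($target -and $target.StartsWith($prefix, 'OrdinalIgnoreCase')) {
            [pscustomobject]@{
                Source       = 'LNK'
                Application  = $_.Name
                Path         = $target
                LastAccessed = $_.LastWriteTimeUtc
            }
        }
    }
}

# Files that were opened from the MEGA folder, whether or not they still exist on disk.
Find-SyncFolderReferences -SyncFolder 'C:\Users\0136\Documents\MEGA' |
    Sort-Object LastAccessed | Format-Table -AutoSize
```

Cross-check each hit against the folder on disk: a path that appears in RecentApps or a LNK but no longer exists in the sync folder is exactly the kind of file to look for in the Rubbish Bin.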

OK, we have evidence of files that previously existed in the MEGASync folder. What should be done next? As already said, data recovery didn’t solve our problem, so the only remaining way is to check MEGA’s Rubbish Bin. To do that, we must have valid account credentials. Of course, that is not always possible, but it seems to be the only way.

If you log in to the cloud account and go to the Rubbish Bin, you’ll see folders named with timestamps. These timestamps are the dates on which the files inside them were deleted:

Figure 4. MEGA’s Rubbish Bin

As you can see, users can interact with the service via a web browser, so browsing history is another source of evidence of MEGA usage.

Finally, like any other app, MEGASync leaves lots of execution artifacts, for example in the Windows registry. The Background Activity Moderator (BAM) key records, under each user’s SID, the full path of every executed program together with the time it was last run:

Figure 5. The values of “ControlSet001\Services\bam\UserSettings\S-1-5-21-4263662546-2795938078-1341706656-1001”
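To read the BAM key shown in Figure 5 without guessing at the binary values, here is an added example (not the article’s code): each value is named after the executable (in \Device\HarddiskVolumeN\... form) and its data starts with an 8-byte FILETIME giving the last execution time. On the builds the article examined the key is ...\bam\UserSettings\<SID>; from Windows 10 1809 on it moved to ...\bam\State\UserSettings\<SID>, so both locations are checked. It assumes a live system, or an offline SYSTEM hive loaded with `reg load` and passed as `-SystemHive` with `-ControlSet ControlSet001`.

```powershell
function Get-BamEntries {
    [CmdletBinding()]
    param(
        [string]$SystemHive = 'Registry::HKEY_LOCAL_MACHINE\SYSTEM',   # or Registry::HKEY_LOCAL_MACHINE\EvidenceSYSTEM
        [string]$ControlSet = 'CurrentControlSet',                    # a loaded hive has no CurrentControlSet link
        [string]$Filter     = '*'                                     # e.g. '*MEGAsync*'
    )
    $roots = @(
        "$SystemHive\$ControlSet\Services\bam\UserSettings",
        "$SystemHive\$ControlSet\Services\bam\State\UserSettings"
    )
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                # SequenceNumber and Version are REG_DWORD bookkeeping; program entries are REG_BINARY.
                if ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::Binary) { continue }
                if ($name -notlike $Filter) { continue }
                $data = $key.GetValue($name)
                if ($data.Length -lt 8) { continue }
                # First 8 bytes: little-endian FILETIME (100 ns intervals since 1601-01-01 UTC).
                $fileTime = [BitConverter]::ToInt64($data, 0)
                [pscustomobject]@{
                    SID           = $key.PSChildName
                    Executable    = $name
                    LastExecution = [datetime]::FromFileTimeUtc($fileTime)
                    KeyPath       = $root
                }
            }
        }
    }
}

# Last execution of MEGAsync.exe per user, then the full BAM timeline for the user of interest.
Get-BamEntries -Filter '*MEGAsync*' | Format-Table -AutoSize
Get-BamEntries | Where-Object SID -eq 'S-1-5-21-4263662546-2795938078-1341706656-1001' |
    Sort-Object LastExecution | Format-Table -AutoSize
```

Match the SID against the one found under the sync-folder CLSID key so you are reading the same user’s activity, and remember that BAM keeps only the most recent execution time per executable, not a history.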

Happy forensicating!

About the authors

Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.

Igor Mikhaylov, MCFE, EnCE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and Mobile Forensics Cookbook author.
