We decided to continue our cloud forensics series, but focus on more popular desktop applications, this time it’s going to be Google Drive for Windows. We will divide the post into a few parts, focusing on different sources of potential digital evidence: file system, registry, SQLite databases and web-browsing history. File system The most trivial part – the goal is …
So, we decided to finish our write-up today. The forth part – the most interesting part. Intrusion! Again, no more AXIOM, only free and open source tools! Method of Attack What was the method of attack the threat actor used? So, we started from Windows Event Logs analysis, and very soon found our favorite base64-encoded string in Windows PowerShell.evtx: The …
Hope you are having a great Sunday, and we are continuing our write-up. No more AXIOM, by the way! You wanted open source tools for CTF solution, we did it đ Application for Exfil Which application was used to exfiltrate data on the compromised system? Let’s look into itsupport user profile folder: Dropbox and OneDrive both look very suspicious, let’s …
We are continuing our write-up. The second part will walk you through the solution of the second set of CTF problems – Misc. Timezone Again, very easy task, but it’s only the beginning. You can find the flag in Timezone Information section of AXIOM, or via manual analysis of TimeZoneInformation key: As you can see, the flag is Mountain. VSN …
Yesterday Troy Schnack and Kevin Pagano suggested on Twitter that it would be good to write how I solved Magnet User Summit CTF. I thought it was a good idea, and decided to do it with my friend Igor Mikhaylov. This will be a series of posts, and the first part is dedicated to anti-forensics. Wiping App This is really easy …
As you may know, David Cowen runs Sunday Funday Challenges, and one of the most recent was Zone.Identifier challenge. I haven’t won, but I decided to post my submission as it contains some additional info. So, here we go: Windows XP SP2 introduced Zone.Identifier Alternative Data Stream, that is created alongside with the file downloaded from the Internet or intranet. …
Everything started from an encrypted container on a flash drive, which couldn’t be opened for some reason. The examination confirmed, that the container didnât accept the password provided. The first thought was the customer forgot the right one. But we decided to try to find a solution to open it. We started from checking NTFS file system. Analysis revealed the …
Windows Phones are not frequent guests of our digital forensic lab, especially now, as Microsoft stopped developing the platform. Nevertheless, sometimes we have to forensicate such devices, so it’s very important to have methods of fast and simple data extraction. For quite a long time the only option of physical extraction has been JTAG or Chip-off techniques, but thanks to …
We continue our unforgetable journey to the world of cloud forensics. This time we are going to forensicate pCloud desktop application – pCloud Drive. pCloud is a file storage and synchronization service, emerged on September 13, 2013. The service supports cloud storage, file sharing, data backup and user collaboration. As of May 2018, pCloud has over 8 000 000 registered users all over the world, …
It seems we really enjoy forensicating desktop apps for cloud services. Last week we started from really secure cloud service app – Mega. This time we are going to continue with another, much more forensically friendly app, – Box. So Box is a popular enterprise content management platform, but, of course, can be used by regular users for managing content in the …
Login
