Friday, March 21, 2014

Hidden Behind the Cumulonimbus

After conducting some additional analysis, I found a very important folder.  This folder is called IDTEMP, and it is located at C:\Users\Capstone_PC\AppData\Local\IDrive\.


IDTEMP Folder


When first conducting my analysis on my first few acquisition images, I found this folder in only a few of the images.  At first, I did not know why this folder showed up in some images but not others.  After conducting some more tests with IDrive, I was able to find out what this folder is and why it only shows up at certain times.

When I first took my snapshot of my VM, after installing IDrive, I closed IDrive before creating the snapshot.  When I acquired the snapshot and opened it in FTK Imager for an initial analysis, I did not see this IDTEMP folder.

However, when I searched through the RAM image (which I had captured with DumpIt) in WinHex, I found an entry pointing to this folder.

Why did the IDTEMP folder disappear?  It wasn't until after I finished conducting all of my tests with IDrive that I was able to figure out why this folder disappeared and what data it contains.  After analyzing the data, I found that this folder disappears when IDrive is exited by the user.  Once the user logs back in to his or her account in the IDrive application, this folder reappears.
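The point above is the classic volatile-artifact situation: the folder is gone from the disk image, but references to it survive in RAM.  The script below is an added example (not part of the original post) that does in code what the post describes doing by hand in WinHex: it scans a raw DumpIt-style memory capture for the IDTEMP path in both its 8-bit and its UTF-16LE form (Windows stores most paths as UTF-16LE in memory) and widens each hit to the full path string it sits in.  The sample dump it builds is constructed for the example; `find_path_references`, `Hit` and `build_sample_dump` are names chosen here, not anything from IDrive or WinHex.

```python
"""Find references to a volatile folder in a raw memory capture.

Added example, not part of the original post.  Searches a raw RAM image for a
path fragment (the IDTEMP folder named in the post) in both the 8-bit and the
UTF-16LE encoding, and reports the whole path string around every hit.
"""
import re
import sys
from dataclasses import dataclass
from typing import List

IDTEMP_PATH = r"\IDrive\IDTEMP"  # path fragment taken from the post

# bytes treated as part of a printable string run (space through tilde)
PRINTABLE = frozenset(range(0x20, 0x7F))


@dataclass
class Hit:
    offset: int    # offset in the dump where the surrounding string run begins
    encoding: str  # "ascii" or "utf-16le"
    text: str      # the whole printable run that contains the needle


def _ascii_run(data: bytes, start: int, end: int):
    """Widen [start, end) to the surrounding run of printable 8-bit bytes."""
    while start > 0 and data[start - 1] in PRINTABLE:
        start -= 1
    while end < len(data) and data[end] in PRINTABLE:
        end += 1
    return start, data[start:end].decode("ascii")


def _utf16_run(data: bytes, start: int, end: int):
    """Widen [start, end) to the surrounding run of printable UTF-16LE code units."""
    while start >= 2 and data[start - 2] in PRINTABLE and data[start - 1] == 0:
        start -= 2
    while end + 1 < len(data) and data[end] in PRINTABLE and data[end + 1] == 0:
        end += 2
    return start, data[start:end].decode("utf-16-le")


def find_path_references(data: bytes, needle: str = IDTEMP_PATH) -> List[Hit]:
    """Return every ASCII and UTF-16LE occurrence of `needle`, each widened to
    the full path string it is embedded in, sorted by offset."""
    hits: List[Hit] = []
    for encoding, widen, codec in (("ascii", _ascii_run, "ascii"),
                                   ("utf-16le", _utf16_run, "utf-16-le")):
        # IGNORECASE on a bytes pattern folds ASCII letters only, which is
        # exactly what a case-insensitive Windows path search needs
        pattern = re.compile(re.escape(needle.encode(codec)), re.IGNORECASE)
        for m in pattern.finditer(data):
            offset, text = widen(data, m.start(), m.end())
            hits.append(Hit(offset, encoding, text))
    hits.sort(key=lambda h: h.offset)
    return hits


def build_sample_dump() -> bytes:
    """Constructed stand-in for a RAM capture: non-text filler with one 8-bit
    and one UTF-16LE reference to the IDTEMP folder embedded in it."""
    filler = bytes(range(256)) * 8
    narrow = b"C:\\Users\\Capstone_PC\\AppData\\Local\\IDrive\\IDTEMP\\Quota_Args.txt"
    wide = "C:\\Users\\Capstone_PC\\AppData\\Local\\IDrive\\IDTEMP".encode("utf-16-le")
    return filler + narrow + b"\x00" * 4 + filler + wide + b"\x00\x00" + filler


def scan_file(path: str, needle: str = IDTEMP_PATH) -> List[Hit]:
    """Scan a raw dump on disk (read whole; use mmap for multi-GB captures)."""
    with open(path, "rb") as f:
        return find_path_references(f.read(), needle)


if __name__ == "__main__":
    found = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_path_references(build_sample_dump())
    for h in found:
        print(f"0x{h.offset:08x}  {h.encoding:8s}  {h.text}")
```

Run it with a dump path as the first argument to scan a real capture; with no argument it scans the constructed sample and prints two hits, the narrow one naming Quota_Args.txt and the wide one naming the folder itself.  Strings broken across page boundaries or stored compressed will not be found this way, so an absent hit is not proof that the folder never existed.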

Within this folder are some very key files.

One of these files is a text file, "Outputfile_stringencode_stringencodepswd.txt", containing an encrypted string of the password.

Outputfile_stringencode_stringencodepswd.txt


There is another file called "OutputFile_GetQuota.txt", which contains the total quota in the user's IDrive account (stored in bytes), the used quota (stored in bytes), which is the size of the data that is currently backed up to IDrive, the file count, and whether or not the backup was a success.

OutputFile_GetQuota.txt


There are also two files called "Authlist_Args.txt" and "Quota_Args.txt".  These two files contain very similar data.  They contain the port number used (443), the temp folder, the locations of the output files and error files, the username of the IDrive account, and the IP address used to reach out to the Pro Softnet servers.

Authlist_Args.txt

Quota_Args.txt

Another important file is "Outfile_Authlist.txt".  This file contains the folder names of the computers that were connected to IDrive and used to back up data, the modified time of these folders, and the amount of data sent and received.

Outfile_Authlist.txt


I also found that there was one file, missing from the above screenshots, which ONLY appears after the very first login to the IDrive Windows application.  This file is called "Outfile_stringencode_stringencodekey.txt".  It appears to be an encoded string of the private or public encryption key.  I cannot say for certain which key this is, as I have tried to use it to decrypt the encoded password, and I do not know the specific type of 256-bit AES encryption method that IDrive uses.

Outfile_stringencode_stringencodekey.txt

Wednesday, March 12, 2014

What's Life Like in the Clouds?

It has been a long couple of months and I have been busy working on my capstone, among other classwork. I have made substantial progress on my project.  This post will outline my methods and initial findings up until this point.

Methods:
In order to conduct my research, I had to start with a clean Windows system that had no prior data generated on it.  To do this, I created a Virtual Machine (VM) with a fresh copy of Windows 7 Professional Edition (x64).  When setting up the VM, I created a user called "Capstone_PC".  See the table below for more specs on my VM:

Once I set up my VM and installed all of the Windows updates, I copied DumpIt, Process Monitor, and RegShot to my VM desktop from my host machine.  I then created a snapshot of the VM, to have a clean image before conducting my research, in case I needed to start over again.  Once I did this, I went to www.idrive.com and created an account using the name "Capp Stone" with my college email address.

I then downloaded the IDrive Windows Executable to my VM's desktop.

Before conducting any of my research with IDrive, I took a snapshot of the registry using RegShot and I ran Process Monitor to monitor any of the running processes generated by IDrive.  After finishing each of my steps, I took a second snapshot of the registry with RegShot, to compare any registry changes, and I captured the VM's RAM using DumpIt.

Then, I took a snapshot of the VM after each step, and I imaged each snapshot, which is stored as a .vmdk (Virtual Machine Disk) file, with FTK Imager.  These images were used to conduct most of my analysis.  In total, I have 12 acquisition images to sift through.

Initial Analysis:
After briefly analyzing my first few images with FTK Imager, I found that IDrive stores its data in two locations.  These locations are C:\Program Files (x86)\IDriveWindows

and C:\Users\Capstone_PC\AppData\Local\IDrive.  The most important data, from a forensics standpoint, is located in this second location.


In the colby.lahaie@mymail.champlain.edu subdirectory, located at C:\Users\Capstone_PC\AppData\Local\IDrive\IBCOMMON\, I found a file called "20140125222358363.txt".  This file contains the directories that were automatically synced to IDrive after install.  This file is also contained within the AutoSync subdirectory located within the colby.lahaie@mymail.champlain.edu subdirectory.

Also found within this subdirectory is a .ini file labeled "idriveserver.ini".  .ini files are text files containing configuration information.  This file shows the IP address for Pro Softnet, which is the company that makes IDrive, the total quota given to me in IDrive, the type of account I have, and the size of the data currently backed up to IDrive.

In the WIN-UTORKF6HPTE subdirectory, located at C:\Users\Capstone_PC\AppData\Local\IDrive\IBCOMMON\logs\colby.lahaie@mymail.champlain.edu\, I found a file called "01-25-2014_01252014222407.xml".  This file contains data showing the date and time that a backup to IDrive was started, how many files were added to the backup set, the IDrive username, the computer name, and what type of backup it was.

There is also another file located in the same directory called "WIN-UTORKF6HPTE.xml".  This file contains the current size of the data in the current backup, the file count of files in the backup, and the last backup time.

After analyzing the logfile.pml generated by Process Monitor, I found 4 services/executables that were added to the VM after installing IDrive.  These services/executables were reaching out to idrive.com, 1uweb.com, and deploy.static.akamaitechnologies.com when IDrive was running.  These four files were:

idwutil_600.exe, id_win.exe, id_service.exe, and id_bglaunch.exe.
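Reading a .pml capture in the Process Monitor GUI is the usual way to do the triage above; once the capture is saved as CSV it can also be scripted.  The script below is an added example (not part of the original post) that groups the network operations in a Process Monitor CSV export by process and remote host, restricted to the four executables the post names, and then flags any host that is not on an expected list.  The column names are those of Process Monitor's CSV export; the "src:port -> dst:port" form of the Path column for network operations is an assumption about that export, and every row in the sample is constructed for the example rather than taken from the author's capture.

```python
"""Summarise per-process network activity from a Process Monitor CSV export.

Added example, not part of the original post.  Groups network-class events
(TCP/UDP operations) by process and remote host, optionally limited to the
IDrive executables the post names, and reports hosts outside an allowlist.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# executables the post identifies as added by the IDrive install
IDRIVE_PROCESSES = {"idwutil_600.exe", "id_win.exe", "id_service.exe", "id_bglaunch.exe"}

# Process Monitor network operations; their Path column reads "src:port -> dst:port"
NET_OPS = {"TCP Connect", "TCP Send", "TCP Receive", "TCP Disconnect",
           "TCP Reconnect", "UDP Send", "UDP Receive"}

# Constructed sample rows in the column layout of a Process Monitor CSV export.
# Hosts are the ones the post names; times, PIDs and ports are made up.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.0000000","id_win.exe","1234","TCP Connect","WIN-UTORKF6HPTE:49201 -> idrive.com:https","SUCCESS","Length: 0"
"10:15:01.0100000","id_win.exe","1234","TCP Send","WIN-UTORKF6HPTE:49201 -> idrive.com:https","SUCCESS","Length: 517"
"10:15:02.0000000","id_service.exe","1300","TCP Connect","WIN-UTORKF6HPTE:49202 -> 1uweb.com:https","SUCCESS","Length: 0"
"10:15:03.0000000","idwutil_600.exe","1400","TCP Connect","WIN-UTORKF6HPTE:49203 -> deploy.static.akamaitechnologies.com:http","SUCCESS","Length: 0"
"10:15:04.0000000","id_bglaunch.exe","1500","CreateFile","C:\\Users\\Capstone_PC\\AppData\\Local\\IDrive\\IDTEMP\\Quota_Args.txt","SUCCESS","Desired Access: Generic Read"
"10:15:05.0000000","explorer.exe","900","TCP Connect","WIN-UTORKF6HPTE:49204 -> example.org:https","SUCCESS","Length: 0"
'''


def _split_endpoint(endpoint: str):
    """'host:port' -> (host, port); rpartition keeps IPv6 literals intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def network_summary(csv_text: str,
                    processes: Optional[Iterable[str]] = None) -> Dict[str, Dict[str, List[str]]]:
    """Map process name -> remote host -> sorted list of remote ports seen.

    Non-network operations are skipped; if `processes` is given, only those
    process names (case-insensitive) are included."""
    wanted = {p.lower() for p in processes} if processes else None
    summary = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] not in NET_OPS:
            continue
        name = row["Process Name"]
        if wanted is not None and name.lower() not in wanted:
            continue
        if " -> " not in row["Path"]:
            continue  # defensive: a network op without the expected Path shape
        _src, dst = row["Path"].split(" -> ", 1)
        host, port = _split_endpoint(dst)
        summary[name][host].add(port)
    return {proc: {host: sorted(ports) for host, ports in hosts.items()}
            for proc, hosts in summary.items()}


def unexpected_hosts(summary: Dict[str, Dict[str, List[str]]],
                     allowlist: Iterable[str]) -> Dict[str, List[str]]:
    """Hosts each process contacted that are neither on the allowlist nor a
    subdomain of an allowlisted domain."""
    allowed = tuple(a.lower() for a in allowlist)
    flagged = {}
    for proc, hosts in summary.items():
        bad = sorted(h for h in hosts
                     if not any(h.lower() == a or h.lower().endswith("." + a) for a in allowed))
        if bad:
            flagged[proc] = bad
    return flagged


if __name__ == "__main__":
    per_process = network_summary(SAMPLE_CSV, IDRIVE_PROCESSES)
    for proc, hosts in per_process.items():
        for host, ports in hosts.items():
            print(f"{proc:18s} -> {host}:{','.join(ports)}")
    print("outside allowlist:", unexpected_hosts(per_process, ["idrive.com", "akamaitechnologies.com"]))
```

Against the constructed rows this lists idrive.com for id_win.exe, 1uweb.com for id_service.exe and the Akamai host for idwutil_600.exe; id_bglaunch.exe produced no network rows and explorer.exe is filtered out, and 1uweb.com is the one host reported outside the allowlist.  The same two functions work on a real export by reading the CSV file into `csv_text`.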
Stay tuned for my next blog.