Friday, March 21, 2014

Hidden Behind the Cumulonimbus

After conducting some additional analysis, I have found a very important folder, called IDTEMP, located at C:\Users\Capstone_PC\AppData\Local\IDrive\.


IDTEMP Folder


When first conducting my analysis on my first few acquisition images, I found this folder in only a few of the images.  At first, I did not know why this folder showed up in some images but not others.  But after conducting some more tests with IDrive, I was able to find out what this folder is and why it only shows up at certain times.

When I took my first snapshot of my VM after installing IDrive, I closed IDrive before creating the snapshot.  When I acquired the snapshot and opened it in FTK Imager for an initial analysis, I did not see this IDTEMP folder.



However, after searching through the RAM image (which I dumped with DumpIt) in WinHex, I found an entry pointing to this folder.
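The RAM-image search described above, as an added example rather than the author's own tooling: it looks for the IDTEMP path in a memory image in both ASCII and UTF-16LE, because Windows holds most path strings in memory as UTF-16LE and an ASCII-only string search misses those copies. The path fragment used as the needle and the sample image bytes are constructed for the example.

```python
import mmap
import re
from dataclasses import dataclass

# Path fragment to look for: the IDTEMP folder under the IDrive profile folder.
NEEDLE = r"\IDrive\IDTEMP"


@dataclass
class Hit:
    offset: int      # byte offset of the match in the image
    encoding: str    # "ascii" or "utf-16le"
    context: str     # printable text surrounding the match


def _printable(text: str) -> str:
    return "".join(ch if 32 <= ord(ch) < 127 else "." for ch in text)


def scan_buffer(data, needle: str = NEEDLE, window: int = 48) -> list[Hit]:
    """Find every occurrence of `needle` in a bytes-like buffer, whether it is
    stored as ASCII or as UTF-16LE; the UTF-16LE pass catches the copies an
    ASCII-only search would miss."""
    hits = []
    for enc in ("ascii", "utf-16le"):
        for m in re.finditer(re.escape(needle.encode(enc)), data):
            # keep the context slice 2-byte aligned with the match (matters for UTF-16LE)
            start = max(m.start() % 2, m.start() - window)
            end = min(len(data), m.end() + window)
            text = bytes(data[start:end]).decode(enc, errors="replace")
            hits.append(Hit(m.start(), enc, _printable(text)))
    return sorted(hits, key=lambda h: h.offset)


def scan_file(path: str) -> list[Hit]:
    """Scan a memory image on disk via mmap, without reading it all into RAM."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return scan_buffer(mm)


# Constructed sample image: filler bytes with the path embedded once per encoding.
FULL_PATH = r"C:\Users\Capstone_PC\AppData\Local\IDrive\IDTEMP\Authlist_Args.txt"
SAMPLE_IMAGE = (
    b"\x00" * 64 + FULL_PATH.encode("ascii") + b"\x00" * 32
    + FULL_PATH.encode("utf-16le") + b"\xff" * 16
)

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_IMAGE):
        print(f"0x{hit.offset:08x} {hit.encoding:9} {hit.context}")
```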



Why did the IDTEMP folder disappear?  It wasn't until after I finished conducting all of my tests with IDrive that I was able to figure out why this folder disappeared and what data it contains.  After analyzing the data, I found that this folder disappears when IDrive is exited by the user.  Once the user logs back in to his or her account in the IDrive application, this folder reappears.

Within this folder are some very key files.



One of these files is a text file, "Outputfile_stringencode_stringencodepswd.txt", containing an encrypted string of the password.

Outputfile_stringencode_stringencodepswd.txt


There is another file called "OutputFile_GetQuota.txt", which contains the total quota of the user's IDrive account (stored in bytes), the used quota (stored in bytes), which is the size of the data currently backed up to IDrive, the file count, and whether or not the backup was a success.

OutputFile_GetQuota.txt


There are also two files called "Authlist_Args.txt" and "Quota_Args.txt".  These two files contain very similar data.  They contain the port number used (443), the temp folder, the locations of the output files and error files, the username of the IDrive account, and the IP address used to reach out to the Pro Softnet servers.

Authlist_Args.txt




Quota_Args.txt



Another important file is "Outfile_Authlist.txt".  This file contains the folder names of the computers that were connected to IDrive and used to back up data, the modified time of these folders, and the amount of data sent and received.

Outfile_Authlist.txt


I also found that there was one file, missing from the above screenshots, which ONLY appears after the very first log in to the IDrive Windows application.  This file is called "Outfile_stringencode_stringencodekey.txt".  This file appears to be an encoded string of the private or public encryption key.  I cannot say for certain which key this is, as I have tried to use it to decrypt the encoded password, and I do not know the specific type of 256-bit AES encryption method that IDrive uses.

Outfile_stringencode_stringencodekey.txt


