Wednesday, March 12, 2014

What's Life Like in the Clouds?

It has been a long couple of months and I have been busy working on my capstone, among other classwork. I have made substantial progress on my project. This post outlines my methods and initial findings up to this point.

Methods:
In order to conduct my research, I had to start with a clean Windows system that had no prior data generated on it. To do this, I created a Virtual Machine (VM) with a fresh copy of Windows 7 Professional Edition (x64). When setting up the VM, I created a user called "Capstone_PC". See the table below for more specs on my VM:

Once I had set up my VM and installed all of the Windows updates, I copied DumpIt, Process Monitor, and RegShot to the VM desktop from my host machine. I then created a snapshot of the VM so I would have a clean image before conducting my research, in case I needed to start over. Once I had done this, I went to www.idrive.com and created an account under the name "Capp Stone" with my college email address.

I then downloaded the IDrive Windows executable to my VM's desktop.

Before conducting any of my research with IDrive, I took a snapshot of the registry using RegShot and ran Process Monitor to record the processes generated by IDrive. After finishing each of my steps, I took a second registry snapshot with RegShot, so I could compare the two and see what had changed, and I captured the VM's RAM using DumpIt.

I also took a snapshot of the VM after each step and imaged each snapshot's .vmdk (Virtual Machine Disk) file with FTK Imager. These images were used to conduct most of my analysis. In total, I have 12 acquisition images to sift through.

Initial Analysis:
After briefly analyzing my first few images with FTK Imager, I found that IDrive stores its data in two locations: C:\Program Files (x86)\IDriveWindows and C:\Users\Capstone_PC\AppData\Local\IDrive. The most important data, from a forensics standpoint, is in the second location.

In the colby.lahaie@mymail.champlain.edu subdirectory under C:\Users\Capstone_PC\AppData\Local\IDrive\IBCOMMON\, I found a file called "20140125222358363.txt". This file lists the directories that were automatically synced to IDrive after install. A copy of this file is also contained within the AutoSync subdirectory located inside the same colby.lahaie@mymail.champlain.edu subdirectory.

Also found within this subdirectory is a .ini file named "idriveserver.ini". .ini files are plain-text files containing configuration information. This file shows the IP address for Pro Softnet, the company that makes IDrive, the total quota given to me in IDrive, the type of account I have, and the size of the data currently backed up to IDrive.

In the WIN-UTORKF6HPTE subdirectory under C:\Users\Capstone_PC\AppData\Local\IDrive\IBCOMMON\logs\colby.lahaie@mymail.champlain.edu\, I found a file called "01-25-2014_01252014222407.xml". This file records the date and time a backup to IDrive was started, how many files were added to the backup set, the IDrive username, the computer name, and what type of backup it was.

There is also another file in the same directory called "WIN-UTORKF6HPTE.xml". This file contains the current size of the data in the current backup, the number of files in the backup, and the last backup time.

After analyzing the logfile.pml generated by Process Monitor, I found four services/executables that were added to the VM after installing IDrive. While IDrive was running, these were reaching out to idrive.com, 1uweb.com, and deploy.static.akamaitechnologies.com. The four files were idwutil_600.exe, id_win.exe, id_service.exe, and id_bglaunch.exe.
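
As an added example (my own script, not from the post or from IDrive), here is a small Python triage script that runs over a Process Monitor CSV export and lists, for each of the four IDrive executables, the remote hosts it contacted, flagging any host outside the domains named above. The ProcMon column names are the default export columns; the sample rows, the port numbers and the hostnames under those domains are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Process Monitor CSV export (File > Save, CSV format)
# with "Resolve network addresses" enabled. The rows are made up for this example;
# only the process names and the idrive.com / 1uweb.com / Akamai domains come from the post.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:22:01.0000000","id_service.exe","1832","TCP Connect","WIN-UTORKF6HPTE:49201 -> www.idrive.com:https","SUCCESS","Length: 0"
"10:22:01.0100000","id_win.exe","2044","RegSetValue","HKCU\\Software\\IDrive\\Test","SUCCESS","Type: REG_SZ"
"10:22:02.0000000","idwutil_600.exe","2560","TCP Connect","WIN-UTORKF6HPTE:49202 -> www.1uweb.com:http","SUCCESS","Length: 0"
"10:22:03.0000000","id_bglaunch.exe","2712","TCP Send","WIN-UTORKF6HPTE:49203 -> deploy.static.akamaitechnologies.com:http","SUCCESS","Length: 512"
"10:22:04.0000000","explorer.exe","1204","TCP Connect","WIN-UTORKF6HPTE:49204 -> update.microsoft.com:https","SUCCESS","Length: 0"
"10:22:05.0000000","id_win.exe","2044","TCP Connect","WIN-UTORKF6HPTE:49205 -> updates.example.net:https","SUCCESS","Length: 0"
"""

# The four IDrive binaries the post identified in logfile.pml.
IDRIVE_PROCESSES = {"idwutil_600.exe", "id_win.exe", "id_service.exe", "id_bglaunch.exe"}
# Domains the post observed those binaries reaching; anything else deserves a closer look.
EXPECTED_SUFFIXES = ("idrive.com", "1uweb.com", "akamaitechnologies.com")


def remote_host(path):
    """Pull the remote host out of a ProcMon network Path ('local:port -> host:port')."""
    if "->" not in path:
        return None                      # registry/file paths carry no remote endpoint
    remote = path.split("->", 1)[1].strip()
    host, _, _port = remote.rpartition(":")  # fine for names and IPv4, not bracketed IPv6
    return host or None


def idrive_network_activity(csv_text):
    """Map each IDrive process name to the set of remote hosts it talked to."""
    contacts = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() not in IDRIVE_PROCESSES:
            continue                     # other processes are out of scope here
        if not row["Operation"].startswith(("TCP", "UDP")):
            continue                     # registry/file events are covered by RegShot and FTK
        host = remote_host(row["Path"])
        if host:
            contacts[row["Process Name"]].add(host)
    return dict(contacts)


def unexpected_hosts(contacts):
    """Hosts an IDrive process reached that fall outside the domains seen in the post."""
    return {h for hosts in contacts.values() for h in hosts if not h.endswith(EXPECTED_SUFFIXES)}
```

Point it at a real export by reading the CSV file into `idrive_network_activity` and printing `unexpected_hosts` of the result.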


Stay tuned for my next blog.


