Wednesday, April 16, 2014

The Cloud Continues to Dissipate

This will be my second to last blog post for my Capstone and will cover Internet activity after sharing files from IDrive via Twitter and Facebook.  After sharing files within IDrive, I analyzed the acquisition image of the VM with Internet Evidence Finder v6 to collect Internet activity.  I found that IEF was able to capture Internet activity for both Facebook and Twitter.

Facebook Artifacts
During analysis of the Internet activity, the investigator was able to find evidence that Facebook had been linked to IDrive.  One URL entry shows a signed request from IDrive to connect to Facebook.  When an investigator enters this URL into a web browser, a Facebook login page is displayed that says, “Login to use your Facebook Account with IDrive”.

IDrive Facebook Request

Facebook IDrive Login Request

Also found within the IEF results is another URL string containing the URL of the files that were shared to Facebook.  When this URL is entered into a web browser, a Facebook login page is shown that asks the user to log in first in order to view the files.  Once logged into Facebook, a page is shown that allows the user to re-share the files to their Facebook timeline.

Facebook IDrive Shared Files URL

Shared Files to Facebook Timeline

If an investigator copies the shared URL found in the link shown above (https://www.idrive.com/idrive/sh/sh?k=g2j8k7b3s7) into a web browser, he/she will be brought to the IDrive home page, where the shared files can be downloaded directly from the IDrive website.  On this page, an investigator can also see the first name of the Facebook user who shared the files.

Shared Files on IDrive Home

IEF was also able to pull the user’s Facebook profile picture after the IDrive files were shared.  This could help an investigator identify the person who shared the files and decide where to start looking when investigating a suspect.

Facebook User Profile Picture

IEF also produces similar results for Twitter.  Within the “Social Media URLs” results, an investigator can find a URL entry containing the message that was Tweeted.  This URL contained the actual tweet that was sent, “check this out”, followed by the URL for the shared files from IDrive.  When the full URL is opened in a web browser, the investigator is brought to the Twitter website with a Tweet box containing the message text and the URL for the shared files from IDrive.

Twitter IDrive URL

Twitter IDrive Retweet

Again, the results from IEF do not provide the username of the account that shared the files from IDrive via Twitter; however, when an investigator retrieves the shared IDrive URL, he or she will be brought to the IDrive homepage and can view the first name of the user/account that shared the files, as seen above.

Also, when analyzing the Internet activity with IEF v6, an investigator can additionally find the user ID and password for IDrive, in plaintext, within the “Cloud Service URLs” results.  It appears that when a person shares files from IDrive, the IDrive website receives a token from the IDrive desktop application that contains this data.  Since this token is recorded as an ordinary URL artifact, the credentials remain recoverable from the image alongside the rest of the browsing history.

IDrive User ID and Password Token
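As an added example (my own code, not IEF's or IDrive's), the following Python script triages a list of URL artifacts of the kind IEF reports under “Social Media URLs” and “Cloud Service URLs”: it pulls the share key out of links in the IDrive share format seen above, including a share link embedded inside a tweet URL, and flags any URL whose query string carries credential-looking parameter names.  The parameter names and all sample URLs except the share key are assumptions, since the post does not show the token's actual format.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Share-link format observed in the post: https://www.idrive.com/idrive/sh/sh?k=<key>
SHARE_RE = re.compile(r"https?://www\.idrive\.com/idrive/sh/sh\?k=([A-Za-z0-9]+)")

# Assumed credential-like parameter names; the post does not show the
# actual field names inside the IDrive token, so treat these as a heuristic.
CRED_KEYS = {"uid", "userid", "username", "user", "pwd", "password", "pass"}


def extract_share_keys(urls):
    """Return (share_key, source_url) for every IDrive share link, including
    links embedded URL-encoded inside other URLs (e.g. a tweet-intent URL)."""
    found = []
    for url in urls:
        match = SHARE_RE.search(unquote(url))
        if match:
            found.append((match.group(1), url))
    return found


def flag_credential_urls(urls):
    """Return (url, {param: value}) for every URL whose query string carries
    a credential-looking parameter name; values are decoded for the report."""
    hits = []
    for url in urls:
        params = parse_qs(urlparse(url).query, keep_blank_values=True)
        creds = {k: v[0] for k, v in params.items() if k.lower() in CRED_KEYS}
        if creds:
            hits.append((url, creds))
    return hits


# Constructed sample artifacts modelled on the post's findings; the share key
# is the one quoted in the post, everything else is made up.
SAMPLE_URLS = [
    "https://www.idrive.com/idrive/sh/sh?k=g2j8k7b3s7",
    "https://twitter.com/intent/tweet?text=check+this+out+"
    "https%3A%2F%2Fwww.idrive.com%2Fidrive%2Fsh%2Fsh%3Fk%3Dg2j8k7b3s7",
    "https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.idrive.com",
    # Placeholder path: the real token URL from the post is not reproduced here.
    "https://www.idrive.com/idrive/PLACEHOLDER?uid=alice%40example.com&pwd=Secret123",
]

if __name__ == "__main__":
    for key, src in extract_share_keys(SAMPLE_URLS):
        print(f"share key {key} <- {src}")
    for url, creds in flag_credential_urls(SAMPLE_URLS):
        # Report which fields leaked, not their values, so the report itself holds no secrets.
        print(f"credential-bearing URL: {url.split('?')[0]} fields={sorted(creds)}")
```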
