Channel: Magnet Forensics

Software from Waterloo Region used around the world

As police forces use increasingly high tech tools to find evidence, their computer forensic teams are getting the latest software from Waterloo Region’s Magnet Forensics.

The company now has a huge global presence, so why have the company’s leaders chosen to stay in Waterloo Region?

Guelph Police Const. Bruce Hunter uses Magnet Forensics software to trace a suspect’s online history.

Read more: http://kitchener.ctvnews.ca/software-from-waterloo-region-used-around-the-world-1.982307#ixzz2CrryJA4V


IEF v5.7 – What’s New?

It’s been a little over a week now since we released IEF v5.7 and the response has been great. We are truly fortunate to have great customers and people who support us and the work we do. Nothing makes us happier than the success stories we get back from our customers; you are the reason we work hard to improve the software, so that it works hard for you.

I thought it would be helpful to go into more detail on a few key features in v5.7. I hope you find this useful and feel free to contact us for more info. In no particular order:

 

Browser Activity (including Chrome Incognito/Firefox Private Browsing)
This is an exciting new artifact that requires a bit of background info. The Browser Activity artifact recovers browser-related URLs, including Chrome Incognito and Firefox Private Browsing URLs, HTTP request artifacts from multiple browsers, and regular web browsing. Yes, even though Chrome and Firefox do a much better job in their “private browsing” modes than IE, the URLs can still be found in live RAM, the pagefile.sys/hiberfil.sys files, and possibly unallocated space. (On an unrelated note, I love how all the browsers advertise their private browsing modes as being good for “shopping for a birthday present”…I don’t think there are many people out there who saw private browsing as a great way to hide their gift shopping, but maybe I’m just jaded.) :)

But I digress… These artifacts do not include the usual data we hope and expect to see with browser history: there is no metadata such as the Windows username or dates/times. And while the intended use for this artifact is to recover private/incognito browsing, other types of browsing activity will be recovered too, due to the nature of the carving. Please note when viewing results that some recovered URLs can come from background browser processes related to certificate authorities, etc. Those will be fairly obvious, and you won’t be seeing searches for “clown porn” or other obvious user activity being launched by the browser on its own, of course… That being said, this artifact is meant to assist with intelligence gathering and to recover browsing history in extreme cases where only private browsing was used or other forms of anti-forensics were employed. I wouldn’t hang my hat on web history from this artifact alone, but it’s a great resource when dealing with a savvy suspect.

Google Maps
We also think this will be a very interesting new addition for many people. It’s a bit of a two-fold feature. We first filter all recovered web history for Google Maps URLs, and then parse out any interesting data that is present, such as the location/address the user entered, the starting point/destination of a route, latitude and longitude coordinates, the route type of the search, any additional addresses in the route, the date/time the search was performed, and more. Sometimes more or fewer fields are present, depending on how and where Google Maps was accessed.

The second thing we do is carve through all data (pagefile.sys/hiberfil.sys file, unallocated clusters, etc) for Google Maps URLs and parse the data out of the URL much like how we do it in the above scenario. The nice thing about this part of the search is that even if a URL is not identifiable as belonging to a specific browser’s web history (fragmented, missing data, etc), we can still find it and parse out the relevant map usage details. 

These artifacts could be very useful in missing children and luring cases where a child may have obtained Google Map directions to a suspect’s location or meeting point. In these cases, data indicating if some kind of public transit route (bus, train, etc.) was queried could be very valuable in quickly tracking down the whereabouts of the child.

Web History Categorization
Finally, I’ll talk a bit about the new web categorization we’ve added in IEF v5.7. Essentially what we are doing here is filtering all the recovered web history records for dating sites (Match.com, Plenty Of Fish, eHarmony, etc), classifieds sites (Craigslist, Backpage, etc), cloud services (Dropbox, Skydrive, Google Drive, etc), social media sites (Facebook, Twitter, LinkedIn, etc), and Web Chat sites (Chatroulette, Omegle, Tinychat) and placing those URLs in quick-reference categories for you to view. Our intention is to help you get to the important, relevant records faster and easier.

 

That’s all for now; there are many more new artifacts/features in v5.7 which I may cover in a later blog post. In the meantime, please upgrade to v5.7 if you are a current user of IEF to take advantage of these new additions, or if you are on an older version of IEF (or have never used IEF), please download a trial now!

As always, please feel free to let us know what you think or share with us your ideas for continuing to improve IEF.

Thanks and have a great end-of-the-week! (and to our US customers, Happy Thanksgiving!)
Jad

 

Internet Evidence Finder Webinar Training Powered by PATCtech Digital Forensics

A pre-recorded 1 hour webinar training session by Glenn Bard, CTO, PATCtech is now available to view online.

Topics in the webinar include:

  • Demonstrate the basic interface and function of Internet Evidence Finder
  • Identify the types of data that can be recovered with Internet Evidence Finder
  • Internet Evidence Finder Standard vs. Triage Version

View Webinar

INTERNET EVIDENCE FINDER Recommended in NIJ Electronic Crime Technology Center of Excellence Report

INTERNET EVIDENCE FINDER (IEF) has been recommended in a report published by the NIJ Electronic Crime Technology Center of Excellence. The report provides a review of the software, walking through IEF’s special features, and includes detailed results of product testing that was conducted as a part of the evaluation.

Report Findings

The report finds that IEF is not only able to discover Internet artifacts every time it is run, but also consistently recovers data that was not expected to be found – that an investigator may not have thought to look for. It states that IEF is a tool that would “enhance the efficiency of justice,” and concludes that, “There is no doubt IEF is a superior tool and should be a part of every investigator’s toolbox,” providing a large return on investment to groups investigating digital evidence.

DOWNLOAD FULL REPORT HERE

Evaluation Process Criteria

The National Institute of Justice (NIJ) Electronic Crime Technology Center of Excellence (ECTCoE) conducts electronic crime and digital evidence tool, technology and training testing and evaluations in support of the NIJ Research, Development, Testing and Evaluation (RDT&E) process. This process includes five phases:

  • Phase I: Determine technology needs principally in partnership with the Law Enforcement and Corrections Technology Advisory Council (LECTAC) and the appropriate Technology Working Group (TWG).
  • Phase II: Develop technology program plans to address those needs.
  • Phase III: Develop solutions.
  • Phase IV: Demonstrate, test, evaluate and adopt potential solutions into practice.
  • Phase V: Build capacity and conduct outreach to ensure that the new tool or technology benefits practitioners.

Partners4employment

RIM Park, 2001 University Ave East, Waterloo, ON N2K 4K4
February 6th 2013 from 10:00 am – 3:30 pm

IEF v5.7.1 released

INTERNET EVIDENCE FINDER (IEF) v5.7.1 is now available for download.

Features in this release include:

IEF Standard and Triage

  • Improved unpartitioned space search for mounted images
  • Enhanced support for eMule, Skype, Chatsync, Safari history, & JPG picture files
  • Improved support for certain images that have issues being mounted read-only

Report Viewer

  • Fixed IE 5-9 / IE10 Web Page Rebuilding bug
  • Resolved memory leak related to photo viewing
  • Fixed an issue with creating a portable case while a search has not yet completed
  • Improved skin tone slider performance 
  • Resolved an issue that can occur when multiple filters are used
  • Exported photos are now larger
  • Sorting issues with dates/times fixed

To download this latest release, please use the download links on the sidebar on the right.

What’s New – Part 2: Analyzing pictures/video, and thawing out some Carbonite

In my last blog post, I delved into some of the new features/artifacts included in v5.7 of IEF (released last month). This time, I’d like to tell you about what we’re doing with pictures and videos and a backup service called Carbonite.

Pictures & Video
In IEF v5.7 we now search for and carve picture files (.jpg, .jpeg, .jpe, .png, .bmp, .gif, .ico, .tif, .tiff). We’ll also carve pictures out of thumbs.db and thumbcache_*.db files. Beyond just recovering the pictures, we’ve also added some features to help you filter results and zero in on the relevant items. You can filter based on the amount of skin tone detected, and on whether a face and/or breasts were detected in the picture.

With videos, we currently look for files with the extensions .wmv, .mp4, .mov, .avi, .mkv, .divx, .3gp, .mpg, .mpeg, and then pull key frames out of the video and allow you to use the same filtering tools we provide for pictures. In the future, we’ll be adding the option to carve videos as well.


Carbonite

On to online backup, an addition to our cloud artifact support. Carbonite is a cloud-based backup service that runs in the background and automatically updates/uploads files as they are modified or created. (It’s also a metal alloy that was made from carbon, mixed with tibanna gas, compressed, and flash-frozen into blocks for transport and used to freeze the body of Han Solo in Star Wars: The Empire Strikes Back…that’s not the Carbonite we’re talking about today though.) :-)

An interesting feature of Carbonite is that all data is encrypted with 128-bit Blowfish on the local machine before being sent to Carbonite’s servers over an SSL connection. Because of this additional protection, it’s possible some people will feel comfortable using Carbonite to back up files of a not-so-legal nature. That protection covers the data in transit and on Carbonite’s servers; it does nothing to hide what the client records on the local machine.

Another nice feature of Carbonite, this time for forensic examiners, is a log file that lists (amongst a lot of other diagnostic info) files that have been uploaded or updated. This log file is stored in the [root]\ProgramData\Carbonite\Carbonite Backup folder (on Windows 7/Vista) in a file named, you guessed it, Carbonite.log.

IEF v5.7 will carve these file sync records from this log file and from unallocated clusters, the pagefile/hiberfil.sys files, live RAM captures, and other areas. These artifacts can give you some insight into which files were backed up, which is especially important if the files have since been deleted.

 

That’s all for this post…hope you found it useful! And if you got here via a Google search for something Star Wars related, sorry about that. :-)

Stay tuned for next week’s post when we unveil a really cool new (and free!) tool.

Have a great week!
Jad

Investigating Google Maps – How The Tiles Tell All

This week I’d like to share some interesting information about Google Maps and unveil a new free tool.

Google Maps needs no introduction, I’m sure everyone reading this blog is very familiar with it and has used this service from Google many times. Google Maps can play a big part in an investigation, whether it’s a runaway youth, a kidnapping, luring, or a homicide. If a child has looked up directions to meet up with someone they met on the Internet, this can provide some great leads for an investigator. Similarly, a killer who is looking for a place to dump a body could use Google Maps to find a “good” location and will leave tracks behind on their computer.

Google Maps uses a tile system to display maps. Each tile is downloaded and pieced together to display the complete map, and has an “x,y” coordinate as well as a zoom level. When using Internet Explorer, these tile files will be saved in the Temporary Internet Files folder(s) in a couple of filename formats:

lyrs=m@196000000&hl=en&src=app&x=5&y=8&z=4&s=Galileo[1].png

&x=5&y=8&z=4.png

Both formats include the x,y,z (zoom) coordinates. Each tile file is 256×256 pixels and as you can imagine (depending on the zoom level) it’s hard to get a good idea of where on the map the user was looking, based on that one tile. Some investigators have had to go through the tedious process of manually piecing tiles back together or trying to locate a tile file on Google Maps.

Today we’re releasing a new (free!) tool called Google Maps Tile Investigator (GMTI). What this tool will do for you is take a tile’s x,y,z coordinates and download the surrounding tiles for you, displaying them in a similar fashion that Google Maps would. It can also convert that x,y,z data to the latitude, longitude coordinates and then open Google Maps in your default browser with those coordinates.

The other helpful feature is the ability to search through a folder/subfolders for filenames that match the Google Maps filename format and pull out the x,y,z coordinates for you, again with the option of converting them to their latitude, longitude coordinates.
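The tile arithmetic GMTI performs, as an added example (my code, not GMTI’s or Magnet’s): it pulls x,y,z out of the two cached-filename formats shown above, rejects coordinates that cannot exist at that zoom level, converts a tile to its north-west corner, centre and bounding box with the standard Web Mercator formulas, and lists the neighbouring tiles a viewer would fetch to show the tile in context. The folder walk, the zoom cut-off for the plotter output and the helper names are assumptions of the example, not features of the tool.

```python
import math
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# The x/y/z triple survives in both cached-filename formats, e.g.
# 'lyrs=m@196000000&hl=en&src=app&x=5&y=8&z=4&s=Galileo[1].png' and '&x=5&y=8&z=4.png'.
TILE_RE = re.compile(r"x=(\d+)&y=(\d+)&z=(\d+)")


def parse_tile_name(name: str) -> Optional[Tuple[int, int, int]]:
    """Extract (x, y, z) from a cached tile filename, or None if it is not a valid tile."""
    m = TILE_RE.search(name)
    if not m:
        return None
    x, y, z = (int(g) for g in m.groups())
    if z > 30:                      # assumption: no real map tile is this deep
        return None
    n = 1 << z                      # tiles per axis at this zoom level
    if not (0 <= x < n and 0 <= y < n):
        return None                 # outside the grid: a false positive, not a tile
    return x, y, z


def tile_to_latlon(x: float, y: float, z: int) -> Tuple[float, float]:
    """Web Mercator tile coordinates -> (lat, lon) in degrees.

    Integer x, y give the tile's north-west corner; x + 0.5, y + 0.5 give its centre.
    """
    n = 2 ** z
    lon = x / n * 360.0 - 180.0
    lat = math.degrees(math.atan(math.sinh(math.pi * (1 - 2 * y / n))))
    return lat, lon


def tile_bounds(x: int, y: int, z: int) -> Dict[str, float]:
    """Bounding box of one 256x256 tile: the ground area a single cached file covers."""
    north, west = tile_to_latlon(x, y, z)
    south, east = tile_to_latlon(x + 1, y + 1, z)
    return {"north": north, "south": south, "west": west, "east": east}


def neighbours(x: int, y: int, z: int, radius: int = 1) -> List[Tuple[int, int, int]]:
    """Tiles around (x, y, z): the set a viewer fetches to show the tile in context.

    x wraps around the antimeridian; rows beyond the poles are dropped.
    """
    n = 1 << z
    out = set()
    for dy in range(-radius, radius + 1):
        ny = y + dy
        if not 0 <= ny < n:
            continue
        for dx in range(-radius, radius + 1):
            out.add(((x + dx) % n, ny, z))
    return sorted(out)


def tiles_from_names(names: Iterable[str]) -> List[Tuple[str, int, int, int, float, float]]:
    """(name, x, y, z, centre_lat, centre_lon) for every name that parses as a tile."""
    rows = []
    for name in names:
        xyz = parse_tile_name(name)
        if xyz is None:
            continue
        x, y, z = xyz
        lat, lon = tile_to_latlon(x + 0.5, y + 0.5, z)
        rows.append((name, x, y, z, lat, lon))
    return rows


def scan_folder(root: Path) -> List[Tuple[str, int, int, int, float, float]]:
    """Walk a profile export (e.g. a Temporary Internet Files tree) for tile files."""
    return tiles_from_names(p.name for p in root.rglob("*") if p.is_file())


def latlon_lines(rows, min_zoom: int = 8) -> List[str]:
    """'lat,lon' lines to paste into a bulk plotter. Low zoom levels are dropped
    because a fully zoomed-out view downloads tiles in the ocean that say nothing
    about where the user was actually looking (assumed cut-off: zoom 8)."""
    return [f"{lat:.5f},{lon:.5f}" for _, _, _, z, lat, lon in rows if z >= min_zoom]


if __name__ == "__main__":
    import sys
    for row in scan_folder(Path(sys.argv[1])):
        print(*row)
```

Run it against an exported profile folder and the output is the same list GMTI builds with “Convert all tiles to lat, long”; feed `latlon_lines` to whichever plotter you use. The coordinates are tile centres, so a point is only as precise as the tile is wide at that zoom level.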

Here are some screenshots with descriptions:

GMTI main screen

This is the main screen of GMTI. Here you can either manually enter x,y,z coordinates (an example is provided) and view the tile within GMTI with its surrounding tiles, or launch your default browser and view the latitude, longitude for those x,y,z coordinates. If you choose to view the tile with surrounding tiles you’ll get a view similar to this:

GMTI map view

This is a condensed view, but you’ll see that the selected/source tile is highlighted and the surrounding tiles have been downloaded from Google. You are able to move left, right, up, down, and zoom in and out using controls at the top right, and take a screenshot using the “Save” button (not visible in this screenshot).

The other option is to have GMTI search a folder/subfolders for file names that match the format Google Maps uses for its tile files. Below is a screenshot of what you could find using that option and searching a user’s profile folder:

GMTI located tile files

As you can see, a number of files were found in IE’s temporary internet files folders. From here you can highlight a file and view it internally along with surrounding tiles, or (again) view the location of the corresponding latitude/longitude in your default browser via Google Maps. If you choose the latter option, you’ll get a view similar to this:

Google Maps longitude, latitude view

Finally, if you’d like to get an overview of what someone was searching for or mapping out, the “Convert all tiles to lat, long” button on the previous GMTI screenshot provides a cool ability. In our example, you’ll get a screen like this:

Converted tiles to lat, long

Now that we have this data, we can copy it all and paste it into a website that will plot all these points onto a Google Map view. This is a site I’ve used that “just works”, but I’m sure there are others you can try: http://www.darrinward.com/lat-long/

Here’s the view you get and if you try this out yourself, you’ll see that as you zoom in you start to see clusters of points which quickly indicate to you where someone has been searching or exploring on Google Maps:

Plotted lat, long points

In the zoomed-out view, you’ll likely see points in the ocean and other locations that don’t make sense. These are just tiles that were downloaded when someone was in the fully zoomed-out view.

Hopefully that gives you a good idea of how to use our Google Maps Tile Investigator and how it can provide some valuable information in various investigations.

In IEF v5.8 we’ll be incorporating these features and taking it a level further, providing you with as much data regarding Google Maps usage as possible, and making it easy for you to get to this data. Be on the look out for v5.8 in January 2013.

Download

Now to the important part. :) To download GMTI, please go to the Google Maps Tile Investigator v1 page.

Thanks for tuning in this week and I hope you found this post useful and that GMTI will come in handy for you in your investigations.

Have a great week and happy holidays to everyone!
Jad


Examining Facebook URLs – Who’s Logged In? Also: a Sneak Peek into 2013

Welcome to our last blog post of the year! Today I’m going to provide information about Facebook URLs that will hopefully help you out when examining web history and trying to determine which user was logged in to Facebook vs URLs that just indicate a profile was viewed. This can be important when trying to tie Facebook activity to a specific account/person from a computer that had multiple users or guest access.

Facebook URLs – Who’s Logged In?

First off, here are a couple examples indicating a profile was viewed:

http://www.facebook.com/cool.facebook.username

Or an older version: http://www.facebook.com/profile.php?id=1000003483744733

As you can see, especially in the first example, there’s not much to go on. These URLs could indicate a user viewed someone else’s profile, or viewed their own. (Just to clarify, when I refer to URLs as being “older versions” in this context, I mean that Facebook has changed how they form their URLs and these are older formats that were used.) 

However, the following URLs, if found in web history records, can provide some clues as to who was actually logged-in:

http://www.facebook.com/inbox/?ref=mb#/muffins?v=feed&story_fbid=179234345383515
http://www.facebook.com/pound.cake?ref=profile#/pound.cake?v=info&edit_info=all

These two are older versions of Facebook URLs, the first indicating that “muffins” was viewing a message in their Facebook inbox. The second indicates that “pound.cake” was editing their profile. As I’m sure you’ll agree, these are actions that apply only to a logged-in user (i.e. you can’t view a friend’s inbox or edit their profile) and are good indicators of who was logged in at the time of the history record containing this URL.   

The following two URLs are newer examples that can also indicate who was logged-in:

http://www.facebook.com/old.chris?viewas=100000686899395&returnto=profile&privacy_source=privacy_lite
http://www.facebook.com/old.chris?ref=tn_tnmn

The first example is the URL found when a user (“old.chris” in this example) uses the new feature in Facebook where you can see what your profile looks like to the public. You can also use this URL to see what specific users see on your profile by replacing “100000686899395” (which appears to be a static Facebook ID representing “the public”) with a friend’s username or user ID. 

The second URL is a little more vague; I haven’t been able to determine what the referrer “tn_tnmn” represents. It appears to have been “tn_tinyman” at one time and is something Facebook could be using for tracking its site usage or how people get around on Facebook. The key thing here is that in the testing I’ve done, you’ll only see this referrer attached to the logged-in username. I was able to consistently get it to show up by going to my Account Settings and then clicking the link containing my name at the top right of the page, to the left of the “Find Friends” link.

There seems to be a fair bit of concern over this referrer out on the web, poor Billy thinks it’s the government clamping down on the “anti-establishment” people on Facebook: (parts of the below screenshot have been redacted to protect the “innocent”, but you can see this bizarre thread in its entirety here: Why is this my url?)

'Do the math'
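The patterns above turned into a triage function, as an added example that is not part of the original post or of IEF: it splits a history URL into path, query and the second path-and-query that older Facebook URLs carried after “#”, extracts the account name, and flags only the owner-only actions the post lists (inbox view, edit_info, viewas, ref=tn_tnmn) as evidence of who was logged in. The rules encode exactly the post’s observations, including the tn_tnmn one, which rests on the author’s own testing rather than any documentation; the host check and the helper names are my assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class FacebookHit:
    url: str
    user: Optional[str]          # username or numeric profile id the URL is about
    logged_in: bool              # True only for actions the account owner alone can perform
    evidence: List[str] = field(default_factory=list)


def _first_segment(path: str) -> Optional[str]:
    parts = [p for p in path.split("/") if p]
    return parts[0] if parts else None


def classify_facebook_url(url: str) -> Optional[FacebookHit]:
    """Apply the URL patterns from the post to one history record; None for other hosts."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host != "facebook.com" and not host.endswith(".facebook.com"):
        return None
    query = parse_qs(parts.query)
    # Older Facebook URLs carry a second path and query after '#', e.g.
    # '#/pound.cake?v=info&edit_info=all'; split it so it is examined like the main path.
    frag_path, _, frag_query_str = parts.fragment.partition("?")
    frag_query = parse_qs(frag_query_str)
    frag_user = _first_segment(frag_path)
    path_user = _first_segment(parts.path)

    hit = FacebookHit(url=url, user=path_user, logged_in=False)
    if path_user == "profile.php":
        # profile.php?id=N names a profile but says nothing about who looked at it
        hit.user = query.get("id", [None])[0]
        hit.evidence.append("profile.php?id= (profile viewed, viewer unknown)")

    if path_user == "inbox":
        # only the account owner can read their own inbox; the fragment names the account
        hit.user = frag_user
        hit.logged_in = True
        hit.evidence.append("/inbox/ with account in fragment")
    if "edit_info" in frag_query:
        # editing profile details is owner-only
        hit.user = frag_user or hit.user
        hit.logged_in = True
        hit.evidence.append("edit_info in fragment")
    if "viewas" in query:
        # 'view as' shows the owner how their own profile appears to others
        hit.logged_in = True
        hit.evidence.append("viewas=" + query["viewas"][0])
    if query.get("ref", [None])[0] == "tn_tnmn":
        # per the post's testing, seen only on the logged-in user's own name link
        hit.logged_in = True
        hit.evidence.append("ref=tn_tnmn")
    return hit


def logged_in_accounts(urls: Iterable[str]) -> Dict[str, List[str]]:
    """Map each account with owner-only activity to the URLs that show it, for a history dump."""
    found: Dict[str, List[str]] = {}
    for url in urls:
        hit = classify_facebook_url(url)
        if hit and hit.logged_in and hit.user:
            found.setdefault(hit.user, []).append(url)
    return found
```

Feed `logged_in_accounts` the URL column of a history export and it returns only the accounts with owner-only actions, each with the records to cite; plain profile URLs never make the list. Pair each hit with the record’s timestamp and the Windows user that owned the history file before tying it to a person.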

That’s all for now! Hope you find the above helpful when looking at Facebook URLs in web history.


IEF Frontline

The second part of this blog post is about an exciting new product we’ll be releasing very soon.

Please click on this survey link to get a sneak peek and provide your opinion on a new product called IEF Frontline launching in January 2013.

It’s a drastically scaled-down version of IEF targeted at non-technical (or less technical) users, including law enforcement investigators (e.g. child exploitation), parole/probation officers, border security/customs agents, and frontline patrol officers who have no formal forensic or computer training. The product comes on a USB stick and can do a quick scan (5-15 min) of common areas/locations for Internet history, IM chat messages, and pictures & videos.


Happy New Year and Thank You!

Finally, we’d like to wish everyone a happy and prosperous New Year in 2013, especially our customers and our employees. 2012 was an exciting and busy year for us as we took our flagship product, Internet Evidence Finder (IEF), to the next level and started developing new products to be released in early 2013. It was great to meet many of you at tradeshows and conferences and we hope to see you again this year.

Please stay safe as this holiday season wraps up, especially those who have to work through it. As always, we’re here to help in any way we can. Thanks again to everyone for all your support and for making us a part of your digital forensics life!

Best regards,
Jad and the Magnet Forensics Team  

 

Information session for University of Waterloo students

University of Waterloo, DC 1301 Fishbowl
Friday January 25th from 11:30- 1:30 (lunch will be provided)

Register Here 

Forensics Firsts: Dropbox Decryption & Web Video Recovery In Latest Upgrade of INTERNET EVIDENCE FINDER (IEF)

With a strong commitment to helping thousands of its customers in the world’s top law enforcement, military, government and corporate organizations recover data from a broad range of Internet-related communications, Magnet Forensics (formerly JADsoftware) has unveiled v5.8 of its industry-leading forensic software, INTERNET EVIDENCE FINDER™ (IEF) – including several forensic firsts!

New features in this release include:

1. Dropbox decryption – a forensics first!*

  • Decrypt the Dropbox database to view a full list of details including file names, dates/times, file sizes, and more.

2. Web Video Recovery – another forensics first!

  • Recover fragments and frames from web video chats that occurred on sites like Chatroulette, Camstumble, ChatForFree, iCU2, YapChat, Shockrooms, and more.

3. Google Maps Tiles & Geo-Location Visualization

  • View recovered tiles and carved tile coordinates, along with surrounding tiles that are downloaded to provide the bigger picture.

4. Support for NewsGroup Messages (yEncoded File Support)

  • Decode and rebuild yEncoded files exchanged in newsgroups (USENET) like Xnews, NewzToolz-EZ, Binreader, GrabIt, Newsbin, Forte Agent, and more.

5. New Artifact Support Added

  • IEF is now able to recover Pidgin, Paltalk, Chatroulette, and Omegle chat; Facebook photos; and text translated by Google Translate.

*Dropbox decryption is currently available with IEF TRIAGE only.

IEF software mainstays include:

  • Single Search for 160+ Internet Artifacts
  • Search in 3 Easy Steps for Fast Results
  • Web Page Rebuilding
  • Mobile Backup Support
  • Rich & Comprehensive Reporting

Pricing/Availability

IEF v5.8 is available today starting at $999 USD.

Existing customers with a Software Maintenance & Support (SMS) subscription can upgrade to IEF v5.8 for free by visiting our customer portal: www.magnetforensics.com/support/login/.

Customers without an SMS subscription can email sales@magnetforensics.com or call 519-342-0195 for pricing.

To download a FREE 14-day free trial, please visit: www.magnetforensics.com/trial

About Magnet Forensics

Magnet Forensics (formerly JADsoftware) is a global leader in the development of forensic software that recovers data from a broad range of Internet-related communications.  Our flagship product, INTERNET EVIDENCE FINDER™ (IEF) was created by a former police officer and forensic examiner who recognized the need for an easy to use, comprehensive tool to help perform digital investigations.  Since its creation, IEF has quickly become a trusted solution for thousands of the world’s top law enforcement, government, military and corporate organizations – used to recover Internet evidence like social media communications, webmail, browser activity (and more) to support their most important investigations. www.magnetforensics.com.

IEF Makes Easy Work Out Of Detecting Stealthy Tamper Proof Spy Software

Guest Blog Post by: Paul Henry, vNet Security

The case (sanitized) was rather straightforward:

In a recent divorce case a client was concerned that a great deal of information had been presented by opposing counsel regarding his/her web surfing habits, chat conversations and information contained only within personal emails that were not sent to opposing counsel’s client. The client was convinced that the only way the information could have been obtained was if spy software had been installed on his/her laptop by their spouse – the spouse had easy, unobstructed access to the laptop.

The client’s attorney provided the laptop in question and requested it be analyzed in as cost-effective a manner as possible to determine if any spyware had been installed on the laptop. A forensic image of the laptop was created and it was brought back to the lab for processing.

Having worked with spy software detection in the past on both PCs and cell phones, I have a collection of strings and registry locations/keys I search for that allows me to make a reasonable determination of whether (or not) spy software is installed. In some cases URLs associated with the spy software vendor can be found embedded within .exe and .dll files as well as in unallocated space, shadow volumes, hiberfiles, etc. Hence a comprehensive search for URLs/Internet activity with IEF would be the most cost-effective approach.

Now that was fast!

The first hit was found less than 10 minutes into the search (Figure 1).
The hit was a URL embedded within an executable file “artugdx.exe”. While the search continued I started FTK Imager to examine the image to validate the hit (Figure 2).

The examination with FTK Imager validated the finding within IEF. I then exported the file “artugdx.exe” from FTK Imager and submitted the file to www.virustotal.com for analysis. The VirusTotal analysis showed that 8 out of 46 AV products detected the file as Spectorsoft eBlaster spy software (Figure 3). It is important to note that Spectorsoft typically names the files randomly, hence simply searching for a file name would be a bad approach – searching for embedded strings is much more effective.

A few details about Spectorsoft eBlaster

The software once installed can be configured to record literally all user behavior on the device it is installed on. It can send scheduled reports or alert immediately on given activity. It records: email sent & received, website visits, chat conversations, online searches, keystrokes, Facebook and other social media interactions, files uploaded and downloaded, program activity, user activity and much more – see (Figure 4)

The software is advertised as being stealthy and does not show up in the system tray, task list or under the Windows Programs folder (Figure 5) and (Figure 6). However, as demonstrated by IEF, its use of un-obfuscated strings within its executable files renders it easily and quickly detectable when using the right tool – IEF.

It should be noted that in some states the installation of spy software such as Spectorsoft eBlaster without notification of all parties that might use the device that the software is installed upon is a wiretap violation and felony. As an example in Florida there have been civil cases where it was concluded that “because the spyware installed by the wife intercepted the electronic communication contemporaneously with transmission, copied it and routed the copy to a file in the computer’s hard drive, the electronic communications were intercepted in violation of the Florida Act.” (http://news.cnet.com/2100-1030_3-5577979.html)

The details provided by IEF even before the scan was fully completed, along with the verification of the finding by FTK Imager and subsequent analysis of the file “artugdx.exe” by VirusTotal, allowed me to quickly determine with a reasonable level of certainty that Spectorsoft eBlaster spy software had in fact been installed on the laptop. The client and counsel were notified of the finding and were given the option to have additional analysis performed to determine specifically “who” was receiving the reports from the spy software. They decided that, as they would not be pursuing civil litigation regarding the installation of the spyware, simply having proof that it was in fact installed on the laptop met their needs (motion to suppress illegally obtained evidence) and further analysis would not be necessary.
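The step this case and the Browser Activity artifact in the v5.7 post both rest on is carving URL-shaped strings out of arbitrary bytes, whether a pagefile, a RAM capture or an executable. As an added example (not IEF’s code, and using constructed sample bytes and example.com-style hosts rather than any real vendor’s strings), the Python below finds ASCII and UTF-16LE URLs with their byte offsets, filters them against a host watch-list such as a list of spyware vendor domains, and runs over a whole file through mmap without loading it into memory.

```python
import mmap
import os
import re
from typing import Iterable, List, Tuple

# RFC 3986 characters that may follow the scheme; '%' covers percent-encoding.
_URL_BODY = rb"A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-"

# Plain ASCII/UTF-8 URLs: page files, RAM captures, most embedded strings.
ASCII_URL = re.compile(rb"https?://[" + _URL_BODY + rb"]{4,}")
# The same shape in UTF-16LE (each code unit followed by a NUL), the way Windows
# binaries and registry values store strings.
UTF16_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[" + _URL_BODY + rb"]\x00){4,}"
)
_TRAILING = ".,;:)'"   # punctuation that belongs to surrounding text, not to the URL


def carve_urls(blob) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, url) for every URL-shaped string in blob, in file order."""
    hits = []
    for m in ASCII_URL.finditer(blob):
        hits.append((m.start(), "ascii", bytes(m.group()).decode("ascii").rstrip(_TRAILING)))
    for m in UTF16_URL.finditer(blob):
        hits.append((m.start(), "utf-16-le", bytes(m.group()).decode("utf-16-le").rstrip(_TRAILING)))
    hits.sort()
    return hits


def host_of(url: str) -> str:
    """Hostname of a carved URL, lower-cased, without credentials or port."""
    rest = url.split("://", 1)[1]
    authority = rest.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    authority = authority.rsplit("@", 1)[-1]
    return authority.split(":", 1)[0].lower()


def match_watchlist(hits, suffixes: Iterable[str]):
    """Keep hits whose host is, or is a subdomain of, a watch-listed domain
    (an examiner's own list of vendor domains goes here; none are hard-coded)."""
    sufs = [s.lower().lstrip(".") for s in suffixes]
    return [h for h in hits
            if any(host_of(h[2]) == s or host_of(h[2]).endswith("." + s) for s in sufs)]


def carve_file(path: str) -> List[Tuple[int, str, str]]:
    """Carve a whole pagefile, hiberfil or image through mmap; offsets are file offsets."""
    if os.path.getsize(path) == 0:
        return []
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return carve_urls(mm)


# Constructed sample (not real data): a few bytes of junk, an ASCII URL, a UTF-16LE URL
# and a URL followed by a closing parenthesis, as might sit in a pagefile or a PE resource.
SAMPLE = (
    b"\x00\x10MZ\x90junk"
    + b"http://www.example.com/update?v=2\x00\x00garbage"
    + "https://report.example.net/upload".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfehttps://tiles.example.org/x=5&y=8&z=4.png)\x00"
)

if __name__ == "__main__":
    for off, enc, url in carve_urls(SAMPLE):
        print(f"{off:#010x} {enc:10} {url}")
    for off, enc, url in match_watchlist(carve_urls(SAMPLE), ["example.net"]):
        print("watchlist hit:", off, url)
```

A hit from this carver is a lead, not a conclusion: as in the case above, validate the offset in a second tool, export the containing file and check it against a malware database before reporting what it is.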
Review By BitHead: IEF Deserves a Place in Your Digital Forensics Toolbox

When this review started at the beginning of August 2012, Internet Evidence Finder (IEF) was a project of Jad Saliba of JADSoftware. At that time the version was 5.41.

The interface was simple, and IEF was an easy to use tool that found a lot of artifacts and displayed them in an easy to follow report.

Read the full comprehensive review by BitHead here.

VeloCity Startup Recruiting Event

University of Waterloo, Mike and Ophelia Lazaridis Quantum Nano Centre,
200 University Avenue West
Waterloo, Ontario N2L 3G1,
Canada,
519-404-7465

Tuesday, February 26, 2013, 6:00 PM – 9:00 PM (EST)

Crime Pays

Jad Saliba created the Internet Evidence Finder program while he was a cop with the Waterloo Regional Police. Before long, the software was helping law enforcement agencies around the world — including the FBI, the CIA and Homeland Security — catch bad guys, and Saliba had turned in his badge to run Magnet Forensics full-time.

Read More


Empower Frontline Personnel & Combat Computer Forensic Backlogs with IEF FRONTLINE From Magnet Forensics

The industry’s simplest tool for conducting a fast, on-scene preview of a computer

With a strong commitment to helping thousands of customers in the world’s top law enforcement, military, government and corporate organizations recover data from a broad range of Internet-related communications, Magnet Forensics (formerly JADsoftware) has launched a new forensic software, IEF FRONTLINE; the industry’s simplest preview tool designed for non-technical personnel looking to conduct a ‘first look’ of a suspect’s computer.

IEF FRONTLINE Features:

  • Runs from a USB dongle on a live computer
  • No need to remove hard drive or use a write blocker
  • Maintains forensic integrity—no metadata is altered
  • One-step scan for pictures, videos, browser history & IM chat messages
  • Find data in 5-15 minutes

EMPOWER FRONTLINE PERSONNEL TO CONDUCT A FAST & EFFECTIVE PREVIEW TO QUALIFY A COMPUTER FOR SEIZURE:

Find Evidence Quickly

  • Perform a quick scan in common areas and live files for instant messenger chats, browser history and pictures and videos in approximately 5-15 minutes.

Easy to Use; Requires Minimal Training

  • Designed for users with little to no computer experience or forensics training. You can scan a suspect’s computer for incriminating Internet-related data in 1 easy step. Minimal training required.

Comprehensive Reporting

  • Create understandable reports conveniently categorized by evidence type, then export to HTML, Excel or PDF
  • Refine search results by skin tone for pornography related cases

Forensically Sound

  • Integrity of metadata maintained (no data is altered)
  • No need to remove the hard drive or use a write blocker

IEF FRONTLINE IS USED BY:

First-responders & frontline personnel, including:

  • Border Security/Customs Agents
  • Police Investigators
  • Parole/Probation Officers
  • Corporate Security

MAJOR BENEFIT:

Increased investigative efficiencies and an enhanced digital forensics process

  • Improved case turn-around times and reduced digital forensics backlogs when frontline personnel are able to qualify (or disqualify) a computer for seizure – lessening the load on digital forensics units

To learn more about IEF Frontline, and how your organization can benefit: Download a FREE whitepaper or watch a quick video.

PRICING/AVAILABILITY:

IEF FRONTLINE is available today at $199/yr. USD. To purchase, please visit us online at: http://store.magnetforensics.com, email sales@magnetforensics.com, or call 519-342-0195 for more information.

About Magnet Forensics

Magnet Forensics (formerly JADsoftware) is a global leader in the development of forensic software that recovers data from a broad range of Internet-related communications.  Our flagship product, INTERNET EVIDENCE FINDER™ (IEF) was created by a former police officer and forensic examiner who recognized the need for an easy to use, comprehensive tool to help perform digital investigations. Since its creation, IEF has quickly become a trusted solution for thousands of the world’s top law enforcement, government, military and corporate organizations – used to recover Internet evidence like social media communications, webmail, browser activity and more to support their most important investigations. www.magnetforensics.com

IEF Frontline: A Paradigm Shift


Hello everyone,

Hopefully 2013 has been good to you so far! It’s been a while since my last blog post; 2013 has been a busy year for us right from the get-go. We hope you enjoyed Paul Henry’s post a couple of weeks ago. I always like seeing how someone might use IEF or other forensic tools in ways the authors never intended.

Today the big announcement is IEF Frontline. Just released yesterday, Frontline is a scaled-down, simplified, and fast (a search takes 5-15 minutes) edition of IEF. Focusing on the essentials (pictures/videos, Internet history, and chat), IEF Frontline is targeted at first responders and less-technical personnel (i.e. not trained in digital forensics). It’s not a triage tool; we prefer to call it a “preview” or “first look” tool. There are lots of great triage tools out there (including IEF Triage which will continue to grow in features and functionality), Frontline is not one of them.

Triage tools certainly have their place in the investigative process but require a technical background or digital forensics training. What we’re trying to do (and I think we’ve succeeded) is to provide a low-cost tool that child exploitation investigators, parole and probation officers, border security agents, and patrol officers can use to get a quick look at what’s on a computer and to qualify it for seizure.

IEF Frontline - Main Screen

Here’s the problem (and this isn’t news to any of you): the number of devices per investigation is increasing, and so is the amount of data on those devices. Budgets, for the most part, are not. And even if they were, there’s just no way to keep up with the barrage of data by simply adding more forensic examiners. The time has come for us to empower the frontline and other non-forensically trained personnel to assist in digital investigations. Download our free white paper to read more about why we believe this is so important to the forensics process.

Can they do a full examination without any training? Of course not. But can they plug a thumb drive into a computer and run a program to get a quick look at what’s on that computer to determine if it needs to be seized or not? We think so, if that program is extremely simple to use and forensically “safe”. Frontline is not bootable. Why? The folks we are catering this tool to don’t know the forensic considerations around booting a suspect’s computer with a thumb drive or CD, nor do they want to know, and we shouldn’t be wasting their time teaching them these risky procedures when they won’t have the frequency of usage to stay sharp. It’s like any other training: you use it or lose it. They are experts and have skills and talents in other areas; we want to give them a tool that allows them to continue to focus on those areas and have a safe and easy way to quickly preview a computer.

The first concerns about Frontline are usually around whether it is forensically sound. Frontline runs from a thumb drive, does not install anything on the target computer, does not modify any last-accessed dates/times, and saves all the recovered data back to the thumb drive in date/time-stamped folders. The only two things added to the target computer are a registry entry for the USB drive and a prefetch file for the Frontline executable, both of which are unavoidable (and explainable) and make up a tiny footprint. To learn more about how Frontline is forensically sound, click here.

Ease of use? Frontline has one screen where you select what you want to search (Internet, Chat, Pictures/Video), enter a case number/name, and click Scan Computer. That’s it. The search starts and a simplified report viewer pops up where items can be reviewed and bookmarked. Frontline ships in a ruggedized Pelican case and with a Quick Start Guide to ensure the USB thumb drive is always protected and step-by-step instructions are always right there.

IEF Frontline Pelican Case

In the end, you have to try it to see for yourself what Frontline can do. Please visit our IEF Frontline webpage to learn more and you can request a free trial here.

Sorry for the long post! As always, we look forward to your feedback.

Stay safe out there,
Jad

Decrypting the Dropbox filecache.dbx file – new free tool!


Happy Friday, everyone! Today I would like to introduce a new free tool we’ve just released, called Dropbox® Decryptor. But first, some background.

Dropbox uses a file named filecache.dbx to store details about files that have been or will be synced to the Dropbox cloud. This file used to be a SQLite database (named filecache.db) and was easily viewed in a SQLite browser. In early 2012 Dropbox released an update that encrypted this file, and hence the new filename “filecache.dbx”.

In mid-January of this year we released IEF Triage v5.8, which added support for decrypting this file on a live system. Support for decrypting it from a dead box (or forensic image) will be added to IEF Standard in the near future, but for now we wanted to release this free tool so you can decrypt these files yourself. The main limitation right now is that the free tool only works on files obtained from a Windows XP or Vista system, due to how Dropbox does the encryption. We hope to add Windows 7 support when this capability is put into IEF.

So, on to the tool and how to use it! You’ll need to collect the following items first:

-          The filecache.dbx file (located in [root]\Documents and Settings\username\Application Data\Dropbox on XP, or [root]\Users\username\AppData\Roaming\Dropbox on Vista)

-          The entire Protect folder for that user (located in [root]\Documents and Settings\username\Application Data\Microsoft on XP, or [root]\Users\username\AppData\Roaming\Microsoft on Vista)

-          A file containing the raw bytes from the Dropbox “Client” value under the “ks” key in the registry/NTUSER.dat file (full path is HKEY_CURRENT_USER\Software\Dropbox\ks; when working from an offline NTUSER.dat hive, that is Software\Dropbox\ks relative to the hive root)

-          And finally, the user’s Windows login password

The dbx file and Protect folder are easy to grab, and you can use various registry viewers to pull out the Client value data. The file containing that data should look something like this:
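As an added example (not part of the original post, and not code from the Dropbox Decryptor tool itself), the following Python script pulls the raw bytes of that Client value out of a Regedit .reg export, so the input file can be produced without a hex editor. It assumes the value was exported as REG_BINARY (a hex: line) and uses a constructed sample export with filler bytes rather than data from a real system; the key path and the output filename are illustrative only.

```python
"""Extract the raw bytes of a REG_BINARY value from a Regedit .reg export."""
import re

# Constructed sample export (not from a real machine). The hex payload is
# filler; a real "Client" value is considerably longer.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Dropbox\\ks]
"Client"=hex:de,ad,be,ef,00,11,22,33,44,55,66,77,88,99,aa,bb,cc,dd,ee,ff,\\
  01,02,03,04,05,06,07,08
"Other"=dword:00000001
"""


def read_reg_file(path):
    """Regedit writes .reg files as UTF-16LE with a BOM; some tools write
    ANSI. Decode accordingly and return the text."""
    with open(path, "rb") as f:
        data = f.read()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("latin-1")


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: (kind, data)}}.

    hex:/hex(N): values become bytes, dword: becomes int, quoted strings are
    unescaped. A trailing backslash continues a hex list on the next line,
    which is how Regedit wraps long binary values.
    """
    joined = re.sub(r",\\\r?\n[ \t]*", ",", text)
    keys = {}
    current = None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if raw.startswith("hex"):
            kind, _, hexlist = raw.partition(":")
            data = bytes(int(h, 16) for h in hexlist.split(",") if h.strip())
            keys[current][name] = (kind, data)
        elif raw.startswith("dword:"):
            keys[current][name] = ("dword", int(raw[len("dword:"):], 16))
        else:
            unescaped = raw.strip('"').replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = ("string", unescaped)
    return keys


def extract_binary_value(text, key_path, value_name):
    """Return the raw bytes of a REG_BINARY (hex:) value, or None if absent
    or of another type."""
    entry = parse_reg_export(text).get(key_path, {}).get(value_name)
    if entry is None or entry[0] != "hex":
        return None
    return entry[1]


if __name__ == "__main__":
    # Real use: text = read_reg_file("ks_export.reg") instead of SAMPLE_REG
    blob = extract_binary_value(SAMPLE_REG, r"HKEY_CURRENT_USER\Software\Dropbox\ks", "Client")
    with open("dropbox_ks_client.bin", "wb") as out:  # hand this file to the decryptor
        out.write(blob)
    print(f"wrote {len(blob)} bytes")
```

Export the ks key with Regedit (or `reg export`), run the script against the export, and point the decryptor at the resulting .bin file. Because the parser only understands hex:, dword: and string values, anything more exotic in the export is stored as-is and ignored by extract_binary_value.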

Dropbox filecache.dbx registry data

Once you have those items, install and run the Dropbox Decryptor tool and point it at all the respective files or folders:

Dropbox filecache.dbx Decryptor

Click Decrypt and you’ll get a filecache.db file saved in the output folder you specified which can then be opened by any SQLite browser. The ‘file_journal’ table is the one you’ll be most interested in:

filecache.dbx SQLite view

Download

Click the link below to download Dropbox Decryptor v1:



We hope you find this tool to be useful, please let us know what you think and if you run into any issues (via the Contact Us button below).



As always, thanks for stopping by and have a great weekend!
Jad 

Dropbox filecache.dbx file decrypted – now what?


Welcome to a “Part 2” of my last blog post where I announced our new free tool for decrypting the Dropbox filecache.dbx file. The response has been overwhelming and we appreciate all the comments and feedback. We really do have a great digital forensics community.

Please note that IEF Triage has supported decrypting and parsing the filecache.dbx file on a live system since v5.8 which was released in January of this year. No password, Protect folders, or registry information is required, and it works on Windows XP, Vista, as well as Windows 7 and Windows 8. We’ll be incorporating the features from our free tool into IEF Standard in the near future and hopefully with Windows 7/8 support.

Today I wanted to explain some of the fields/data within the decrypted filecache.dbx file. Once decrypted, you’ll have a plaintext SQLite database. There are a few tables but we’ll focus on the most interesting one today, the file_journal table.

Dropbox filecache.dbx file

Below is a view of the file_journal table, the first items are all default files that everyone gets when they start a Dropbox account. The last record which is highlighted is a file I added named “secrets.txt”:

Dropbox filecache.dbx file

There are a few useful fields here: server_path (the full path to the file in the cloud, with the user ID prepended), parent_path (the containing folder), local_sjid (the file version number – Dropbox will store older versions of files as previous versions, accessible via the web interface or by right-clicking the file in Windows Explorer and selecting Dropbox -> View Previous Versions), and local_filename (the filename). The following screenshot shows the rest of the fields:

Dropbox filecache.dbx file

More useful fields here: local_size (the file size), local_mtime (the modified time of the file, in Unix/epoch time, UTC), local_ctime (the created time of the file, in Unix/epoch time, UTC), and some updated_xxxx fields which I have not been able to populate with data. They could hold similar information to the previous fields if the files/records have been updated on the Dropbox account.

Interesting note: When I created a new file named “secrets.txt” with new data and overwrote the old secrets.txt file in my Dropbox folder, the database maintained the original created time and updated the modified time (i.e. it did not use the created time of the new file but maintained the original created time).
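As an added example that is not part of the original post, here is how I would query a decrypted filecache.db with Python’s sqlite3 module: converting the epoch timestamps described above to readable UTC, splitting the user ID off server_path, and flagging files whose modified time has moved past their created time, which is exactly the overwrite case noted above. The table here is a constructed stand-in containing only the columns discussed (the real file_journal has more, and the exact parent_path format is an assumption); the user ID, file names and times are made up.

```python
"""Query a decrypted Dropbox filecache.db (file_journal table) with sqlite3."""
import sqlite3
from datetime import datetime, timezone

# Constructed rows using only the columns discussed in the post. The real
# file_journal has more columns; user ID, paths, sizes and times are made up.
# (server_path, parent_path, local_sjid, local_filename, local_size, local_mtime, local_ctime)
SAMPLE_ROWS = [
    ("1234567:/readme.txt", "1234567:/", 1, "readme.txt", 1215, 1357000000, 1357000000),
    ("1234567:/Photos/holiday.jpg", "1234567:/Photos", 2, "holiday.jpg", 204800, 1357000100, 1357000100),
    # Overwritten file: mtime moved forward while the original ctime was kept
    ("1234567:/secrets.txt", "1234567:/", 3, "secrets.txt", 20, 1360000000, 1359000000),
]


def load_sample_db():
    """In-memory stand-in for a decrypted filecache.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE file_journal (
                        server_path TEXT, parent_path TEXT, local_sjid INTEGER,
                        local_filename TEXT, local_size INTEGER,
                        local_mtime INTEGER, local_ctime INTEGER)""")
    conn.executemany("INSERT INTO file_journal VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def open_decrypted_db(path):
    """Open a real decrypted filecache.db read-only so the evidence copy is never
    written to (sqlite3 will otherwise happily create journal files beside it)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def epoch_to_utc(ts):
    """Unix epoch seconds -> 'YYYY-MM-DD HH:MM:SS UTC' (the post states these are UTC)."""
    if ts is None:
        return None
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def split_server_path(server_path):
    """'userid:/path' -> (userid, '/path'); the Dropbox user ID is prepended to server_path."""
    user_id, sep, path = server_path.partition(":")
    return (user_id, path) if sep else (None, server_path)


def file_timeline(conn):
    """All journal entries ordered by modification time, with decoded fields."""
    sql = """SELECT server_path, parent_path, local_sjid, local_filename,
                    local_size, local_mtime, local_ctime
             FROM file_journal ORDER BY local_mtime, local_sjid"""
    rows = []
    for server_path, parent, sjid, name, size, mtime, ctime in conn.execute(sql):
        user_id, path = split_server_path(server_path)
        rows.append({
            "user_id": user_id, "path": path, "parent_path": parent,
            "local_sjid": sjid, "local_filename": name, "local_size": size,
            "modified": epoch_to_utc(mtime), "created": epoch_to_utc(ctime),
        })
    return rows


def modified_after_creation(conn):
    """Files whose content changed after first sync (local_mtime > local_ctime)."""
    sql = """SELECT local_filename FROM file_journal
             WHERE local_mtime > local_ctime ORDER BY local_sjid"""
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = load_sample_db()  # real use: db = open_decrypted_db("filecache.db")
    for entry in file_timeline(db):
        print(f"{entry['modified']}  sjid={entry['local_sjid']:<4} {entry['local_size']:>8}  {entry['path']}")
    print("overwritten since first sync:", modified_after_creation(db))
```

Swap load_sample_db() for open_decrypted_db() pointed at the output of the decryptor to run this against a real case file; the read-only URI is the one habit worth keeping whenever an evidence database is opened with a general-purpose library.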

And that is a quick overview of the data found within the Dropbox filecache.dbx file. Some of the other tables hold host ID and configuration information, including a “last_reindex” time (the last sync time) stored under the reindex_info key in the config table.

We’ve made a couple of changes to the free Dropbox Decryptor tool since it first launched last week: it now accepts direct Regedit exports (.reg file format) for the registry data, works with accounts that have no password, and handles Protect folders with multiple SIDs.

To download the latest version (v1.1), please click the button below.



And as always, please feel free to let us know what you think and how we can continue to improve IEF and our other products.


Have a great weekend,
Jad and the Magnet Team

CEIC – Orlando


May 19-22, 2013
Orlando, FL

Guidance Software, Inc. is proud to host CEIC 2013, one of the largest international gatherings of legal, corporate, law enforcement and government attendees in the world, with a focus on the latest developments in digital investigations. A high percentage of our CEIC attendees return year after year for a high-quality educational program and valuable networking opportunities that aren’t available anywhere else.

