1. Beyond files forensic
OWADE cloud based forensic
Elie Bursztein Stanford University
Ivan Fontarensky Cassidian
Matthieu Martin Stanford University
Jean Michel Picod Cassidian
Wednesday, August 3, 2011
2. The world is moving to the cloud
E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin Beyond files recovery: OWADE cloud based forensic http://owade.org
3. 2.7 million photos are uploaded to Facebook every 20 minutes
4. 100 million new files are saved on Dropbox every day
13. Data are moving to multiple services
emails, contacts, photos
Hard drive → Cloud (Webmail, Social sites, Photo sites)
14. Impact on the forensic field
• There is more data, and it is harder to reach
• Dealing with cloud data forces us to reinvent forensics
15. Let’s do cloud forensics
16. What is cloud forensics?
22. Facebook credentials as a use case
Registry → Syskey → SAM (hash) → Windows user password → DPAPI master-key → DPAPI blob-key → DPAPI blob (IE) → Facebook credentials
Getting Facebook credentials requires bypassing 4 layers of encryption.
23. Focus of this talk
• Show you how to bypass the encryption layers and get the data you want
24. Introducing OWADE
• Dedicated to cloud forensics
• Decrypts / recovers
  • DPAPI secrets
  • Browser history and website credentials
  • Instant messaging credentials
  • Wifi data
• Free and open-source
http://owade.org
25. OWADE in action
35. OWADE overview
disk → disk image → Registry, Files → Windows credentials, WiFi info, Hardware info → Credentials and data → Cloud data
43. Outline
• File based forensics refresher
• The Windows crypto eco-system
• Wifi data and Geo-location
• Recovering browser data
• Recovering instant messaging data
• Acquiring cloud data
• Demo
44. File based forensic refresher
45. Not all files are born equal
Type of file   How to recover it
Standard       copy
In the trash   undelete utility
Deleted        file carving
Wiped          call the NSA :)
46. Windows registry
• .dat files
• Hardware information
• Installed software, with versions and serials
• Windows credentials (encrypted)
47. Some Registry Information Extracted
48. Windows crypto
49. Why do we care about Windows crypto?
53. The Windows crypto eco-system
Crypto API
SAM
DPAPI
Credential Manager
54. Windows Crypto API
• Basic cryptographic blocks
  • Ciphers: 3DES, AES
  • Hash functions: SHA-1, SHA256, HMAC
  • PKI: public keys and certificates (X.509)
55. The Security Account Manager (SAM)
• Stores Windows user credentials
• Located in the registry
• Encrypted with the SYSKEY
• Passwords are hashed
56. Windows Password Hashing functions
• Two hash functions are used
  • LM hash function (NT, 2K, XP, VISTA): weak
  • NTLM (XP, Vista, 7)
• Passwords are not salted
57. LM hash weakness
• Uses only upper-case
• Hashes the password in chunks of 7 characters
mypassword → LMHash(MYPASSW) + LMHash(ORD)
Password key-space: 69^7 (at most)
58. Rainbow Tables
• Pre-compute all the possible passwords
• Time-memory trade-off
• Rainbow tables of all the LM hashes are available
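The time-memory trade-off of the Rainbow Tables slide, and why the unsalted hashes noted on slide 56 are what makes it work, as an added example that is not part of the original deck or of OWADE: a toy rainbow table over a constructed key space of 4-digit PINs hashed with SHA-1 (standing in for LM/NTLM), with a lookup that recovers a PIN from its unsalted hash and fails against a salted one. H, R, SPACE, CHAIN_LEN and NUM_CHAINS are names chosen here.

```python
import hashlib

SPACE = 10_000      # constructed toy key space: 4-digit PINs
CHAIN_LEN = 20      # t: hash evaluations per chain
NUM_CHAINS = 2_000  # m: chains stored; m*t is ~4x the key space, giving high coverage


def H(pin: str) -> str:
    """The unsalted hash being inverted; stands in for LM/NTLM from the slides."""
    return hashlib.sha1(pin.encode()).hexdigest()


def R(h: str, i: int) -> str:
    """Reduction function for chain position i: maps a digest back into the key space.
    A different reduction per position is what distinguishes a rainbow table from
    plain Hellman chains (it limits chain merges)."""
    return f"{(int(h[:8], 16) + i) % SPACE:04d}"


def build_table():
    """Precompute chains; store only endpoint -> [start points] plus a coverage count.
    Memory is m entries instead of the full key space: that is the trade-off."""
    table, covered = {}, set()
    for n in range(NUM_CHAINS):
        p = start = f"{n:04d}"
        for i in range(CHAIN_LEN):
            covered.add(p)
            p = R(H(p), i)
        table.setdefault(p, []).append(start)  # keep every start so merged chains stay searchable
    return table, len(covered)


def lookup(table, target: str):
    """Return the preimage of `target` if any stored chain passes through it, else None."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        p = R(target, i)                  # assume target is the i-th hash of some chain
        for j in range(i + 1, CHAIN_LEN):
            p = R(H(p), j)                # walk to where that chain would end
        for start in table.get(p, ()):
            q = start
            for j in range(i):
                q = R(H(q), j)            # rebuild the chain up to position i
            if H(q) == target:            # rejects false alarms caused by chain merges
                return q
    return None


def salted_hash(salt: str, pin: str) -> str:
    """What the slides note Windows does not do: a per-user salt changes the function
    being inverted, so a table built for H() is useless against it."""
    return hashlib.sha1((salt + pin).encode()).hexdigest()


if __name__ == "__main__":
    table, covered = build_table()
    print(f"{len(table)} endpoints stored, {covered}/{SPACE} PINs recoverable")
    print("unsalted:", lookup(table, H("0042")))
    print("salted:  ", lookup(table, salted_hash("s4lt", "0042")))
```

Building the table costs m·t hash evaluations once; each lookup costs about t²/2. Both numbers stay the same whatever the table is used against, which is why a salt, not a longer password alone, is what defeats precomputation.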
59. How OWADE Works
• Extract usernames and password hashes
• LM hashes available?
  • Use John/Rainbow tables to get the password in uppercase
  • Use the NTLM hashes to find the password case
• Try to crack the NTLM using John/Rainbow tables
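The LM pre-processing from slide 57 and the LM-then-NTLM case-recovery step from slide 59, as an added example that is not OWADE's code: it reproduces the upper-casing and 7-character split, gives the brute-force upper bounds that the slide's 69^7 figure implies, and counts the case candidates left once the upper-cased password is known. The alphabet sizes 69 (the slide's figure) and 95 (printable ASCII) are assumptions; no hash is computed.

```python
LM_ALPHABET = 69       # per-half key space from the slide: 69^7
PRINTABLE_ASCII = 95   # characters available to a case-sensitive NTLM password
LM_HALF = 7


def lm_halves(password: str):
    """LM's pre-processing: upper-case, pad/truncate to 14 bytes, split into two 7-byte halves.
    Each half is hashed independently, so 'mypassword' becomes ('MYPASSW', 'ORD')."""
    padded = password.upper()[:14].ljust(14, "\0")
    return padded[:LM_HALF].rstrip("\0"), padded[LM_HALF:].rstrip("\0")


def lm_second_half_empty(password: str) -> bool:
    """A password of 7 characters or fewer leaves the second half empty; its hash is then a
    fixed value, which tells an attacker the length class before any cracking."""
    return lm_halves(password)[1] == ""


def brute_force_work(password: str):
    """Upper bound on hash evaluations needed to exhaust the key space.
    LM: at most two independent 69^7 searches. NTLM: 95^len for the full case-sensitive string."""
    _, second = lm_halves(password)
    lm = LM_ALPHABET ** LM_HALF * (1 if second == "" else 2)
    ntlm = PRINTABLE_ASCII ** len(password)
    return lm, ntlm


def case_candidates(upper_password: str) -> int:
    """Once LM yields the upper-cased password, restoring case against the NTLM hash needs at
    most 2^(number of letters) candidates, which is why slide 59 treats that step as cheap."""
    return 2 ** sum(c.isalpha() for c in upper_password)


if __name__ == "__main__":
    for pw in ("mypassword", "secret"):
        lm, ntlm = brute_force_work(pw)
        print(pw, lm_halves(pw), f"LM work {lm:.2e} vs NTLM work {ntlm:.2e}")
    print("case candidates for MYPASSW0RD:", case_candidates("MYPASSW0RD"))
```

The comparison is the defensive takeaway of the slide: for a 10-character password the LM search space is two 69^7 halves, about 1.5·10^13 hashes in total, against 95^10 for NTLM; storing LM hashes at all collapses the benefit of a long password.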
60. Windows Password recovered
61. What if we can't crack the NTLM hash :(
(need a sad baby face here)
If the password is too strong we can't recover it
62. Everything is not lost because of how DPAPI works
(smiling baby face)
but we can still decrypt DPAPI secrets (sometimes)
63. The Data Protection API
• Ensures that encrypted data can't be decrypted without knowing the user's Windows password
• Blackbox crypto API for developers:
  • Encrypt: data → DPAPI blob
  • Decrypt: DPAPI blob → data
• Main point: tie the encryption to the user password
68. DPAPI derivation scheme
User → SHA1(password) → pre-key → master-key → blob key → DPAPI blob
(one blob key and one DPAPI blob per encrypted item, all derived from the same master-key)
70. DPAPI master-key structure
Header Structure
struct wincrypt_masterkey_masterkeybloc
{
    DWORD  dwRevision;
    BYTE   pbSalt[16];
    DWORD  dwRounds;
    ALG_ID algMAC;
    ALG_ID algCipher;
    BYTE   pbEncrypted[];
};
Footer Structure
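A parser for the header structure on this slide, as an added example that is not OWADE's code: it decodes the fixed-size fields with struct, names the ALG_ID values using the CALG_* constants from wincrypt.h, and runs the sanity checks you would want before handing the block to any key-derivation step. The sample bytes are constructed, and the parser assumes the block is passed in isolation (the on-disk master-key file wraps it in a file header the slide does not show).

```python
import struct
from dataclasses import dataclass

# Selected ALG_ID values from wincrypt.h (real Windows constants, not from the slides).
ALG_NAMES = {
    0x8004: "CALG_SHA1",
    0x8009: "CALG_HMAC",
    0x800E: "CALG_SHA_512",
    0x6603: "CALG_3DES",
    0x6610: "CALG_AES_256",
}

# Fixed-size prefix of the slide's struct, little-endian:
# dwRevision, pbSalt[16], dwRounds, algMAC, algCipher (ALG_ID is a 32-bit unsigned int).
HEADER = struct.Struct("<I16sIII")


@dataclass
class MasterKeyBlock:
    revision: int
    salt: bytes
    rounds: int
    alg_mac: int
    alg_cipher: int
    encrypted: bytes   # pbEncrypted[]: the variable-length tail, still encrypted

    def alg_mac_name(self) -> str:
        return ALG_NAMES.get(self.alg_mac, f"unknown(0x{self.alg_mac:04x})")

    def alg_cipher_name(self) -> str:
        return ALG_NAMES.get(self.alg_cipher, f"unknown(0x{self.alg_cipher:04x})")


def parse_masterkey_block(buf: bytes) -> MasterKeyBlock:
    """Decode one master-key block. Raises on input too short to hold the header."""
    if len(buf) < HEADER.size:
        raise ValueError(f"need at least {HEADER.size} bytes, got {len(buf)}")
    revision, salt, rounds, alg_mac, alg_cipher = HEADER.unpack_from(buf, 0)
    return MasterKeyBlock(revision, salt, rounds, alg_mac, alg_cipher, buf[HEADER.size:])


def issues(block: MasterKeyBlock) -> list:
    """Consistency checks a forensic tool should run before deriving keys from the block."""
    out = []
    if block.alg_mac not in ALG_NAMES:
        out.append(f"unrecognised MAC ALG_ID 0x{block.alg_mac:04x}")
    if block.alg_cipher not in ALG_NAMES:
        out.append(f"unrecognised cipher ALG_ID 0x{block.alg_cipher:04x}")
    if block.rounds == 0:
        out.append("dwRounds is 0: no key stretching")
    if not block.encrypted:
        out.append("pbEncrypted is empty")
    return out


def build_sample_block() -> bytes:
    """Constructed sample (not data from a real system): revision 2, a 16-byte salt,
    8000 rounds, HMAC as MAC, 3DES as cipher, 64 bytes of placeholder ciphertext."""
    return HEADER.pack(2, bytes(range(16)), 8000, 0x8009, 0x6603) + b"\xAA" * 64


if __name__ == "__main__":
    blk = parse_masterkey_block(build_sample_block())
    print(f"rev={blk.revision} rounds={blk.rounds} mac={blk.alg_mac_name()} "
          f"cipher={blk.alg_cipher_name()} salt={blk.salt.hex()} ct={len(blk.encrypted)} bytes")
    print("issues:", issues(blk) or "none")
```

The struct's trailing pbEncrypted[] has no length field of its own, so its size must come from whatever wraps the block; the parser therefore treats everything after the 32-byte header as ciphertext and leaves length validation to the caller.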
71. DPAPI blob
79. Master-key GUID
DPAPI blob → Master-key GUID → Master key (encrypted)
User → SHA1(password) → pre-key → Cipher + key → Master key
Master key + Salt (IV) + Additional entropy (from the Software) → blob key
80. Bypassing the user password cracking
• If we can't crack the password we need its SHA1
• This SHA1 is stored in the hibernate file
• OWADE uses Moonsols to recover it
81. DPAPI additional entropy
• Software can supply additional entropy
• Acts as a "key" (needed for decryption)
• Forces us to understand how it is generated for each software
• Can be used to tie data to a specific machine (e.g. the NetBIOS name)
82. Credential Manager
• Built on top of DPAPI
• Handles the encryption and storage of sensitive data transparently
• Used by Windows, Live Messenger, Remote desktop...
83. Credstore type of credentials
Type of credential        Encryption             Example of application
Generic password          DPAPI + fixed string   Live messenger, HTTP auth (IE)
Domain password           In clear               Netbios
Domain certificate        Hash of certificate    Certificate
Domain visible password   DPAPI + fixed string   Remote access, .NET passport
84. WiFi data
85. Wifi data
• Info stored for each access point
  • Mac address (BSSID)
  • Key (encrypted)
  • Last time of access
• Wifi data are stored in
  • Registry (XP)
  • XML file and Registry (Vista/7)
86. Decrypting WiFi password
• Encrypted with DPAPI
• Access point shared among users
• Encrypted with the System account
• But the system account has no password...
What is my DPAPI key???
87. Decrypting WiFi password
• Use an LSASecret as the DPAPI key
• Array of credentials
• HelpAssistant password in clear
• DPAPI_SYSTEM "Encrypted"
89. Where are you?
• We've recovered access point keys but where are they?
(stamp: "There is an app for that!")
90. HTML5 Geo-location protocol
93. Behind the curtain
94. Nothing is ever easy
• Google started to restrict queries in June
• So we started to look for other APIs
95. Entering Microsoft
• Live service
• "Documented" in the Windows Mobile MSDN
• After sniffing the traffic:
• Uses a big SOAP request
• Does not check any ID fields
• Allows supplying a single MAC
Captured request:
<GetLocationUsingFingerprint xmlns="http://inference.location.live.com">
  <RequestHeader>
    <Timestamp>2011-02-15T16:22:47.0000968-05:00</Timestamp>
    <ApplicationId>e1e71f6b-2149-45f3-b298-a20XXXXX5017</ApplicationId>
    <TrackingId>21BF9AD6-CFD3-46B2-B042-EE90XXXXXX</TrackingId>
    <DeviceProfile ClientGuid="0fc571be-4622-4ce0-b04e-XXXXXXeb1a222" Platform="Windows7" DeviceType="PC" OSVersion="7600.16695.amd64fre.win7_gdr.101026-1503" LFVersion="9.0.8080.16413" ExtendedDeviceInfo="" />
    <Authorization />
  </RequestHeader>
  <BeaconFingerprint>
    <Detections>
      <Wifi7 BssId="00:BA:DC:0F:FE:00" rssi="-25" />
    </Detections>
  </BeaconFingerprint>
</GetLocationUsingFingerprint>
96. Blog post and demo released !
98. Just fixed
• Fixed last weekend
• No longer returns a location for a single address
(stamp: "There is a patch for that!")
99. Geo-location API restrictions
Requires 2 MACs close to each other
The MAC and IP location need to be "close"
Requires multiple MAC addresses
see http://elie.im/blog/ for more information
100. WiFi Information Extracted By OWADE
101. Browsers
102. Firefox > 3.4
• Passwords
  • Location: signons.sqlite
  • Encryption: 3DES + Master password
• History
  • URLs: places.sqlite
  • Forms fields: formhistory.sqlite
110. Decrypting Firefox password
User pass + Global salt (key3.db) → user key: HMAC-SHA1(salt, pass)
user key + encrypted key and key salt (key3.db) → master key: 3DES(userkey, enckey)
master key + encrypted pass (signons.sqlite) → Site password: 3DES(master key, enc pass)
111. Shopping at Amazon?
112. How about a nice Kindle?
114. Every form field is recorded
115. Configuring a Linksys?
116. Again the key is recorded
117. Form history leaks a lot of information
• Shipping address
• Wifi key
• Credit card information
• Email
• Search history
118. Preventing field recording
To tell the browser not to record a field, use the attribute autocomplete="off"
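A check for the mitigation on this slide, as an added example that is not from the deck: it parses an HTML form (a constructed sample) and reports the sensitive fields listed on slide 117 (address, card data, wifi key, email) that are not marked autocomplete="off", honouring a form-level autocomplete="off" as the default for its inputs. The SENSITIVE name pattern and the list of skipped input types are choices made here.

```python
import re
from html.parser import HTMLParser

# Field names that, per slide 117, end up in form history if not excluded.
SENSITIVE = re.compile(r"(card|cc|cvv|cvc|expir|wifi|wpa|psk|passphrase|ssn|iban|address|email)", re.I)

# Controls that carry no typed value, plus password fields: per slide 129 logins go to the
# password store (signons.sqlite), not to formhistory.sqlite, so they are out of scope here.
SKIP_TYPES = {"hidden", "submit", "button", "checkbox", "radio", "password"}


class FormAudit(HTMLParser):
    """Collect every <input> inside a <form> and flag sensitive ones that will be recorded."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.form_autocomplete = ""
        self.findings = []  # field names that will be recorded in form history

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
            self.form_autocomplete = (a.get("autocomplete") or "").lower()
        elif tag == "input" and self.in_form:
            name = a.get("name") or a.get("id") or "<unnamed>"
            if (a.get("type") or "text").lower() in SKIP_TYPES:
                return
            if not SENSITIVE.search(name):
                return
            field_ac = (a.get("autocomplete") or "").lower()
            # An explicit field value wins; an absent one inherits the form's setting.
            effective = field_ac if field_ac else self.form_autocomplete
            if effective != "off":
                self.findings.append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False
            self.form_autocomplete = ""


def audit_form(html: str) -> list:
    """Return the names of sensitive fields the browser is free to record."""
    p = FormAudit()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: a checkout form with mixed coverage and a router form fixed at form level.
SAMPLE_FORM = """
<form action="/checkout" method="post">
  <input type="text" name="email">
  <input type="text" name="ship_address" autocomplete="off">
  <input type="text" name="card_number">
  <input type="text" name="cvv" autocomplete="off">
  <input type="password" name="password">
  <input type="hidden" name="csrf" value="x">
  <input type="submit" value="Buy">
</form>
<form action="/router" method="post" autocomplete="off">
  <input type="text" name="wifi_key">
</form>
"""

if __name__ == "__main__":
    for field in audit_form(SAMPLE_FORM):
        print(f"{field}: will be recorded in form history; add autocomplete=\"off\"")
```

Putting autocomplete="off" on the form element, as the router form does, covers every field in it and is harder to forget than per-input attributes. Note that current browsers' password managers disregard autocomplete="off" on login fields, so the attribute addresses form-history recording, not saved logins.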
119. Internet Explorer
• Passwords
  • Location: registry
  • Encryption: DPAPI + URL as salt
• History
  • URLs: Index.dat
125. Decrypting Internet Explorer passwords
URL List → URL → SHA1(URL) → matched against the Registry entry
Registry → DPAPI Blob, decrypted with the URL as DPAPI entropy → Site password
126. Maximizing our recovery
• Build a list of URLs from other browsers and files
• Use a list of known login URLs
127. Chrome
• Passwords
  • Location: Login Data (sqlite)
  • Encryption: DPAPI
• History
  • URLs: History (sqlite)
  • Forms fields: Web Data (sqlite)
128. Safari
• Passwords
  • Location: keychain.plist (Property list format)
  • Encryption: DPAPI + fixed string as entropy
• History
  • URLs: History.plist
  • Forms fields: Form Value.plist
129. Browsers takeaway
• Internet Explorer is the most secure
  • If you don't know the URL you can't recover the credentials
• Firefox is the worst
  • Password encryption is not tied to the Windows user password (bug open for a while)
  • Logins are encrypted in signons.sqlite, not in formhistory.sqlite
130. Private mode
• Most bugs are fixed
• Requires being creative
• Potential techniques
  • SSL OCSP requests
  • File carving
  • Analyze the hibernation file
See: http://ly.tl/p16 for more information on private mode
131. The browsers histories aggregated
132. Instant messaging
133. Skype
• Encryption: custom
• Difficulty: extreme
• Location: registry + config.xml
134. Decrypting Skype passwords
DPAPI blob (Registry) -> pre-key
AES key: SHA1(pre-key)
Encrypted credential (config.xml) -> AES decrypt -> login + MD5(login\nskype\r\npassword)
MD5 hash -> password cracking
[Rotated overlay on the final build of this slide, only partly legible: "The patch for John the Ripper is ..."]
140. Google Talk
• Encryption: DPAPI + custom (salt)
• Difficulty: hard
• Location: registry
141. Salt derivation algorithm overview
Inputs to the salt:
• String: 0xBA0DA71D
• Windows account name (Registry)
• Computer NetBIOS name (Registry)
• DPAPI blob (Registry)
149. Microsoft Messenger
• Encryption: DPAPI or Credstore
• Difficulty: medium
• Location: version dependent
150. Windows Messenger by version
Version | Storage     | Encryption
5       | Registry    | Base64 encoded
6       | Credstore   | Credstore
7       | Registry x2 | DPAPI x2
Live    | Credstore   | Credstore
151. aMSN
• Encryption: DES
  key: substr(login . "dummykey", 8)
• Difficulty: easy
• Location: config.xml
152. 9talk
• Encryption: XOR
  key: 9
• Difficulty: trivial
• Location: user.config
153. Trillian
• Encryption: Base64 + XOR
  key: fixed string
• Difficulty: trivial
• Location: user.config
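The two "trivial" schemes above (9talk and Trillian), as an added example that is not OWADE's code nor either client's, showing why a key that is a constant baked into the program is no secret: anyone holding the config file undoes the transform, and a single known password reveals the key outright. Assumptions: 9talk XORs each byte with the value 9; Trillian XORs with a fixed string and Base64-encodes the result (the real constant is not on the slides, so a placeholder is used); all passwords are constructed.

```python
"""Obfuscation, not encryption: the 9talk and Trillian schemes from the slides.

Added example, not code from OWADE or from either client. Assumptions:
9talk XORs every byte with 9; Trillian XORs with a fixed string, then
Base64-encodes (real constant not on the slides, placeholder used).
"""
import base64


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


NINETALK_KEY = bytes([9])                   # assumption: the byte value 9
TRILLIAN_KEY = b"PLACEHOLDER_FIXED_STRING"  # real constant is not on the slides


def ninetalk_store(password: str) -> bytes:
    """What 9talk writes to user.config for a password (modelled)."""
    return xor_with_key(password.encode("utf-8"), NINETALK_KEY)


def ninetalk_recover(blob: bytes) -> str:
    """Anyone with the file can invert it: no user secret is involved."""
    return xor_with_key(blob, NINETALK_KEY).decode("utf-8")


def trillian_store(password: str) -> str:
    """Base64(XOR(password, fixed string)), as on the slide (modelled)."""
    raw = xor_with_key(password.encode("utf-8"), TRILLIAN_KEY)
    return base64.b64encode(raw).decode("ascii")


def trillian_decode_layer(value: str) -> bytes:
    """Strip the Base64 layer; the result is still XOR-masked."""
    return base64.b64decode(value)


def trillian_recover(value: str) -> str:
    return xor_with_key(trillian_decode_layer(value), TRILLIAN_KEY).decode("utf-8")


def key_from_known_pair(stored: bytes, plaintext: bytes) -> bytes:
    """Known-plaintext attack on fixed-key XOR: key = stored XOR plaintext.

    One credential whose value is known (e.g. a test account) reveals as
    many key bytes as the plaintext is long, after which every other
    credential masked with the same constant falls.
    """
    return bytes(s ^ p for s, p in zip(stored, plaintext))


def same_password_same_blob(p1: str, p2: str) -> bool:
    """Storage is deterministic and unsalted: equal passwords give equal
    stored values, so reuse across accounts is visible without decoding."""
    return trillian_store(p1) == trillian_store(p2)


if __name__ == "__main__":
    blob = ninetalk_store("hunter2")          # constructed password
    print("9talk blob:", blob, "->", ninetalk_recover(blob))
    print("key bytes recovered:", key_from_known_pair(blob, b"hunter2"))
```

Contrast this with the DPAPI-based stores earlier in the deck: there the key material is derived from the Windows logon secret, which is not in the profile directory, so possession of the files alone is not enough.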
154. Pidgin
• Encryption: cleartext (aka "encrypt what?")
• Difficulty: none
• Location: account.xml
156. Paltalk
• Encryption: custom
• Difficulty: difficult (offline)
• Location: registry
157. Paltalk encryption algorithm
VolumeSerialNumber (Registry): 01234567
Paltalk account name (Registry): myusername
Key material: interleave -> m0y1u2s3e4r5n6a7me, x 3
Encrypted password (Registry): yyyz yyyz yyyz yyyz
c_i = yyyz_i - asciiCode(S-BOX_{n-i})
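The key-material step of the diagram above carried through in code, as an added example (not OWADE's or Paltalk's code): the account name and the volume serial number are interleaved and the result repeated, which is what ties the stored credential to the machine it was written on. Assumptions: characters of the two inputs alternate and the longer input's tail is appended unchanged; "x 3" means three concatenated copies. The S-box subtraction that yields the password is not specified on the slides and is not implemented.

```python
"""Machine-bound key material in the Paltalk scheme shown on the slides.

Added example, not OWADE or Paltalk code. Reproduces the diagram's
interleaving step: "myusername" + 01234567 -> m0y1u2s3e4r5n6a7me, x 3.
Assumptions: characters alternate, the longer input's tail is appended;
"x 3" means three concatenated copies. The S-box step is not on the
slides and is left out.
"""
from itertools import zip_longest
from typing import Union


def interleave(a: str, b: str) -> str:
    """Alternate characters of a and b; the longer one's tail is appended (assumption)."""
    out = []
    for x, y in zip_longest(a, b, fillvalue=""):
        out.append(x)
        out.append(y)
    return "".join(out)


def paltalk_key_material(account: str, volume_serial: Union[str, int], copies: int = 3) -> str:
    """interleave(account, serial) repeated `copies` times (assumption)."""
    # Volume serials are 32-bit values; accept an int and print it as 8 hex digits.
    serial = volume_serial if isinstance(volume_serial, str) else f"{volume_serial:08X}"
    return interleave(account, serial) * copies


def machine_bound(account: str, serial_a: str, serial_b: str) -> bool:
    """True when a different volume serial changes the key material, i.e. an
    image examined offline must also carry the original volume's serial."""
    return paltalk_key_material(account, serial_a) != paltalk_key_material(account, serial_b)


if __name__ == "__main__":
    print(paltalk_key_material("myusername", "01234567"))
    print("bound to volume serial:", machine_bound("myusername", "01234567", "89ABCDEF"))
```

For an analyst this is the practical consequence of "difficult (offline)": the profile files alone are not enough, the volume serial of the original installation must be recorded alongside them.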
164. Messenger takeaway
• If your Skype password is strong we can't recover it
• Gtalk and Paltalk are the only ones to use computer information
• Third-party software is the least secure
165. All the credentials recovered by OWADE
166. Cloud based forensic
167. Cloud modules
• Leverage the credentials and history extracted to get cloud data
• Might be legal (or not)
• Only LinkedIn currently (more modules almost ready)
168. OWADE status
• Alpha stage
• Tested on Ubuntu against Windows XP
• Roadmap
  • Stabilizing the code
  • Modularize the code so you can write your own modules
  • More cloud probes: Facebook, Flickr, emails...
  • Windows Vista and 7 integration
169. Conclusion
• People moving to the cloud means more data that is harder to get
• Forensics needs to evolve to cope with this
• OWADE is the first tool dedicated to cloud forensics
  • Decrypts the data of the 4 major browsers
  • Decrypts instant messaging credentials
  • Open-source
170. Thank you!
Please remember to complete your feedback form :)
171. Download OWADE: http://owade.org
Follow us on Twitter: @elie, @projectowade
Donate to OWADE to support it!