SlideShare ist ein Scribd-Unternehmen logo

Life on Clouds: a forensics overview

Reality Net System Solutions
Reality Net System Solutions

DFRWS 2016 EU (Lausanne) Presentation by Marco Scarito

Technologie
1 von 31
Downloaden Sie, um offline zu lesen
LIFE ON CLOUDS, A FORENSICS OVERVIEW MARCO SCARITO – MATTIA EPIFANI – FRANCESCO PICASSO DFRWS 2016 EU – LAUSANNE 31/03/2016
OUR DIGITAL LIFE IS ON THE CLOUD  Nowadays each digital device is, somehow, connected to the Internet  Most of them store (meta)data on a cloud service  We don’t know exactly where and how our data is stored
CLOUD SERVICES  Cloud services include:  Storage  Documents  Email  Calendar  Applications  Virtual machines  Other services
HOW CAN WE ACCESS CLOUD STORAGE DATA? Each vendor provides a specific client to access data other than a web browser access. During a forensic analysis, when we know the user credentials or we have a valid token, the usage of standard clients is absolutely unsuitable and web access is often uncomfortable
API ACCESS  Fortunately, all vendors provide API (Application Program Interface) to access data on cloud services  Some forensics software for cloud acquisition rely on the APIs, some others emulate a browser and parse information, but most of them are focused on retrieving files (eventually deleted or previous versions) ignoring almost completely all available metadata  During our research, we developed some pieces of software (Python scripts) that implement the vendor’s API, focusing more on metadata than on files
CLOUD DATA STORAGE PLAYERS  We have developed acquisition scripts for DropBox and Google (Drive and other services) and we called them «CLOUDIAN»
CLOUDIAN – API INSTALLATION  Both DropBox and Google provide an API interface and a dedicated Python SDK  After installing Python you need to install the proper SDKs $ pip install dropbox $ pip install --upgrade google-api-python-client
CLOUDIAN – REGISTERYOUR APPLICATION ON DROPBOX  In order to register a new application you need a DropBox® account  Go to https://www.dropbox.com/developers  The app must have full write access  Choose an app name  Obtain  App key  App secret
CLOUDIAN-DBOX flow = dropbox.client.DropboxOAuth2FlowNoRedirect(app_key, app_secret) authorize_url = flow.start() webbrowser.open_new(authorize_url) print ('1. Click "Allow" (you might have to log in first)') print ("2. Copy the authorization code.") code = raw_input("Enter the authorization code here: ").strip() access_token, user_id = flow.finish(code) client = dropbox.client.DropboxClient(access_token) Now that you have a proprer App key and App secret, you can use Python APIs to connect to a Dropbox account with proper username and password (or valid token)
CLOUDIAN-DBOX  Once your own App is authorized, you can easily access data and/or metadata of all files stored in the account using APIs  First of all you can retrieve Account Information using the command: account = client.account_info()
CLOUDIAN-DBOX  Then you can retrieve the content of a particular path, for example, starting from the root and recursively browsing the complete tree: metadata = client.metadata(path, list = True, include_deleted = True)  This command retrieves all metadata available for the specified «path» and, if it is a directory, it retrieves also metadata of contained files and subdirectories (including deleted ones)
CLOUDIAN-DBOX  If a file has previous versions, you can retrieve a list of all revisions using the command: revisions = client.revisions(path, rev_limit=1000)  Then you can retrieve metadata of each revision stored on Dropbox account: for revision in revisions: metatada = client.metadata(path, rev=revision, include_media_info=True)  The include_media_info paramenter permits to collect Exif information stored in metadata
CLOUDIAN-DBOX  Once you have downloaded all metadata information you can start analyzing them  They are downloaded in JSON format, so it is quite easy to manage information  Here is JSON sample returned by the client.account_info()call "account information": { "referral_link": "https://db.tt/UE4wbELS", "display_name": "REALITY NET System Solutions", "uid": 466040986, "locale": "it", "email_verified": true, "email": "info@realitynet.it", "is_paired": false, "team": null, "name_details": { "familiar_name": "REALITY NET", "surname": "System Solutions", "given_name": "REALITY NET" }, "country": "IT", "quota_info": { "datastores": 0, "shared": 0, "quota": 1101659111424, "normal": 7661774 } },
CLOUDIAN-DBOX  Here is the JSON describing a Folder  As you can see there are some useful info:  The «last modified date»  The folder is shared with someone "/RW_shared": { "meta": { "read_only": false, "modifier": null, "icon": "folder_user", "bytes": 0, "thumb_exists": false, "rev": "4e3c55f906", "modified": "Fri, 25 Mar 2016 09:40:23 +0000", "shared_folder": { "shared_folder_id": "1180320204", "is_team_only_shared_folder": false }, "path": "/RW_shared", "is_dir": true, "size": "0 bytes", "root": "dropbox", "revision": 78 },
CLOUDIAN-DBOX  Here is the JSON describing a File  As you can see there are some useful info  The «modified» date on Dropbox server  The «client_mtime» is the last modified date on the local client  The file was last modified by «REALITY NET» with uid «466040986» and email «info@realitynet.it»  Mimetype says it is a text file but this info is not reliable because is based only on file extension  Notice «revision»: 5 "/RW_shared/sample2.txt": { "meta": { "read_only": false, "parent_shared_folder_id": "1180320204", "revision": 5, "bytes": 139, "thumb_exists": false, "rev": "5465a41cc", "modified": "Fri, 25 Mar 2016 10:32:58 +0000", "mime_type": "text/plain", "size": "139 bytes", "path": "/RW_shared/sample2.txt", "is_dir": false, "modifier": { "email_verified": true, "display_name": "REALITY NET System Solutions", "uid": 466040986, "email": "info@realitynet.it" }, "root": "dropbox", "client_mtime": "Fri, 25 Mar 2016 10:32:16 +0000", "icon": "page_white_text" },
CLOUDIAN-DBOX  Let’s analyze another file  As you can see there are some useful info  The file was «deleted»  The «modified» date says when the file was deleted  The last modifier does not coincide with the user who deleted the file (i know that i used another one )  The «client_mtime» has no sense  It is not possible to download a deleted file: you have to find the most recent «previous version» of the deleted file  Notice «revision»: 6 "/RW_shared/sample2.txt": { "meta": { "read_only": false, "parent_shared_folder_id": "1180320204", "is_deleted": true, "revision": 6, "bytes": 0, "thumb_exists": false, "rev": "6465a41cc", "modified": "Fri, 25 Mar 2016 10:33:16 +0000", "mime_type": "text/plain", "size": "0 bytes", "path": "/RW_shared/sample2.txt", "is_dir": false, "modifier": { "email_verified": true, "display_name": "REALITY NET System Solutions", "uid": 466040986, "email": "info@realitynet.it" }, "root": "dropbox", "client_mtime": "Wed, 31 Dec 1969 23:59:59 +0000", "icon": "page_white_text"
CLOUDIAN-DBOX  Let’s analyze a third file:  This one was modified by another user   Notice that «client_mdate» and «modified» are perfectly the same, this could indicate that the file was uploaded with the web interface  Notice «revision»: 1 "/RW_shared/sample1.txt": { "meta": { "read_only": false, "parent_shared_folder_id": "1180320204", "revision": 1, "bytes": 30, "thumb_exists": false, "rev": "1465a41cc", "modified": "Fri, 25 Mar 2016 09:57:32 +0000", "mime_type": "text/plain", "size": "30 bytes", "path": "/RW_shared/sample1.txt", "is_dir": false, "modifier": { "email_verified": true, "display_name": "Marco Scarito", "uid": 24169827, "email": "marcoscarito@outlook.com" }, "root": "dropbox", "client_mtime": "Fri, 25 Mar 2016 09:57:32 +0000", "icon": "page_white_text" },
CLOUDIAN-DBOX Name Revision Modified Modifier Client-mdate Deleted sample1.txt 1 Fri, 25 Mar 2016 09:57:32 Marco Scarito Fri, 25 Mar 2016 09:57:32 No sample1.txt 2 Fri, 25 Mar 2016 10:20:39 REALITY NET System Solutions Fri, 25 Mar 2016 10:20:34 No sample1.txt 3 Fri, 25 Mar 2016 10:31:12 REALITY NET System Solutions Wed, 31 Dec 1969 23:59:59 Yes sample2.txt 4 Fri, 25 Mar 2016 10:31:12 REALITY NET System Solutions Fri, 25 Mar 2016 10:20:34 No sample2.txt 5 Fri, 25 Mar 2016 10:32:58 REALITY NET System Solutions Fri, 25 Mar 2016 10:32:16 No sample2.txt 6 Fri, 25 Mar 2016 10:33:16 REALITY NET System Solutions Wed, 31 Dec 1969 23:59:59 Yes Let’s now have a look to all files and try to make some «intelligence»
CLOUDIAN-DBOX What did we add to ensure a «forensically sound» environment?  You can include in your «project» info about:  Examiner name  Examiner Company  Other info are generated automatically:  Start date and time  MD5 and SHA-256 hashes based on metadata retrieved during acquisition If you are able to «freeze» the hashes (for example you could send them immediately to your «customer» using a secure channel), you can ensure that retrieved data will not be «tampered» by anyone
CLOUDIAN-DBOX What can we do to ensure a more «forensically sound» environment?  We can improve the script on some fields:  We can retrieve «timing information» from a secure source (public NTP)  We can «sniff» network traffic generated by the script  We can improve the output data type (for example we could generate a time line)
CLOUDIAN – REGISTERYOUR APPLICATION ON GOOGLE DEVS  In order to register a new application you need a Google account  Go to https://console.developers.google.com  Create a new project  Activate API for desired service (Drive, Gmail, Calendar, …)  Click on “Create Credential”  Download the json file containing  Client ID  Client Secret  Other information
CLOUDIAN – GOOGLE  Google Cloud Services are more complex than Dropbox  There is a huge amount of different services on Google Cloud  Gmail  Drive  Calendar  Contacts  And other free services  Moreover, there are a lot of professional services (like Cloud Computing, Cloud SQL, CloudVirtual Networks, …)  Each service has its own set of API constantly improved
CLOUDIAN – GOOGLE  In our research we decided to focus only on free services:  Google Calendar  Google Drive  The API approach is similar to the Dropbox one: you need to connect to a known account with your application in order to retrieve data from Google data centers  All metadata are exposed as JSON objects  In most cases you can retrieve metadata without downloading the data  Google APIs are «forensics friendly» as you can set read only access
CLOUDIAN-GCAL  When you access Google Calendar using APIs, you can retrieve all information about the user’s calendar and all other calendars that are shared with the user while True: calendar_list = service.calendarList().list(pageToken=page_token).execute() for item in calendar_list['items']: calendars.append(item) page_token = calendar_list.get('nextPageToken') if not page_token: break
CLOUDIAN-GCAL USER MAIN CALENDAR "kind": "calendar#calendarListEntry", "foregroundColor": "#000000", "defaultReminders": [ … ], "primary": true, "colorId": "3", "selected": true, "summary":"marco.scarito@realitynet.it", "etag": ""1435832228655000"", "backgroundColor": "#f83a22", "timeZone": "Europe/Rome", "accessRole": "owner", "id": "marco.scarito@realitynet.it" SHARED CALENDARWITH FULL RIGHT "kind": "calendar#calendarListEntry", "foregroundColor": "#000000", "defaultReminders": [], "colorId": "15", "selected": true, "summary": "mattia.epifani@realitynet.it", "etag": ""1458923654259000"", "backgroundColor": "#9fc6e7", "timeZone": "Europe/Rome", "accessRole": "owner", "id": mattia.epifani@realitynet.it SHARED CALENDAR FREE/BUSY "kind": "calendar#calendarListEntry", "foregroundColor": "#000000", "defaultReminders": [], "colorId": "22", "selected": true, "summary": "Marco Scarito", "etag": ""1459329937764000"", "backgroundColor": "#f691b2", "timeZone": "Europe/Rome", "accessRole": "freeBusyReader", "id": "marcoscarito@gmail.com"
CLOUDIAN-GCAL  Analizing each single event in the JSON structure you can retrieve a lot of useful information  How organize the event (it should be another user)  Start and End date and time  Attendees  Creation date and time  Visibility  Summary  Recurrence  And much more
CLOUDIAN-GDRIVE  When you access Google Drive using APIs, you can retrieve all information about the user activities  User files with previous versions  Deleted file  Google photo files  All files accessed by the user within the google docs platform  Shared files  And much more
CLOUDIAN-GDRIVE  Focusing on metadata  For each file you have directly the MD5 hash on metadata (without downloading the file)  For each shared document you can access the full list of users with specific permissions  For multimedia files you can access specific metadata (like video length in seconds, image dimension in pixel, EXIF metadata)
CLOUDIAN-GDRIVE  The most interesting aspect in our research (not yet implemented) is that, using APIs, you can search for files using metadata parameters like:  modification date range (if you are looking for an event in a specific time period)  Hash value (if you are looking if a user has a specific file)  Camera Model (if you are looking for photos shot with a specific camera)  And so on…
CLOUDIAN-GDRIVE Latest discovery:  Analyzing my own Google Drive account I discovered that some years ago I opened a document named “plaso reinventing the super timeline - 2013 DFIR Summit.pdf” that was published as a public Google docs document
Q&A Marco Scarito Digital Forensics Analyst and Mobile Device Security Analyst CTO @ REALITY NET –System Solutions Member of CLUSIT, DFA, IISFA, ONIF marco.scarito@realitynet.it @marcoscarito http://www.linkedin.com/in/marcoscarito http://blog.digital-forensics.it http://www.realitynet.it

Empfohlen

Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets Reality Net System Solutions
 
Krzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesKrzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesYury Chemerkin
 
Information Gathering With Google
Information Gathering With GoogleInformation Gathering With Google
Information Gathering With GoogleZero Science Lab
 
News bytes Oct-2011
News bytes Oct-2011News bytes Oct-2011
News bytes Oct-2011Ashwin Patil, GCIH, GCIA, GCFE
 
iPhone forensics, without the iPhone
iPhone forensics, without the iPhoneiPhone forensics, without the iPhone
iPhone forensics, without the iPhonehrgeeks
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Cenzic
 
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet FarmerCloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet FarmerRob Ragan
 
Advanced Information Gathering AKA Google Hacking
Advanced Information Gathering AKA Google HackingAdvanced Information Gathering AKA Google Hacking
Advanced Information Gathering AKA Google HackingGareth Davies
 

Empfohlen

Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets Reality Net System Solutions
 
Krzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesKrzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesYury Chemerkin
 
Information Gathering With Google
Information Gathering With GoogleInformation Gathering With Google
Information Gathering With GoogleZero Science Lab
 
News bytes Oct-2011
News bytes Oct-2011News bytes Oct-2011
News bytes Oct-2011Ashwin Patil, GCIH, GCIA, GCFE
 
iPhone forensics, without the iPhone
iPhone forensics, without the iPhoneiPhone forensics, without the iPhone
iPhone forensics, without the iPhonehrgeeks
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Cenzic
 
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet FarmerCloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet FarmerRob Ragan
 
Advanced Information Gathering AKA Google Hacking
Advanced Information Gathering AKA Google HackingAdvanced Information Gathering AKA Google Hacking
Advanced Information Gathering AKA Google HackingGareth Davies
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
 
sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector Rishi Bhargava
 
Google Dorks: Analysis, Creation, and new Defenses
Google Dorks: Analysis, Creation, and new DefensesGoogle Dorks: Analysis, Creation, and new Defenses
Google Dorks: Analysis, Creation, and new DefensesFlavio Toffalini
 
Windows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsWindows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsMike Spaulding
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security ClassRich Helton
 
2013 lecture-01-introduction
2013 lecture-01-introduction2013 lecture-01-introduction
2013 lecture-01-introductionPharo
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASPGrupo Gesfor I+D+i
 
Malware analysis
Malware analysisMalware analysis
Malware analysisDen Iir
 
14(1) 005
14(1) 00514(1) 005
14(1) 005phanleson
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifactsn|u - The Open Security Community
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur lsINSIGHT FORENSIC
 
OSINT tools for security auditing with python
OSINT tools for security auditing with pythonOSINT tools for security auditing with python
OSINT tools for security auditing with pythonJose Manuel Ortega Candel
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationFernando Lopez Aguilar
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
Open Source Forensics
Open Source ForensicsOpen Source Forensics
Open Source ForensicsCTIN
 
Hijack This
Hijack ThisHijack This
Hijack ThisKitty
 
How to use shodan more powerful
How to use shodan more powerful How to use shodan more powerful
How to use shodan more powerful National Cheng Kung University
 
Google Dorks and SQL Injection
Google Dorks and SQL InjectionGoogle Dorks and SQL Injection
Google Dorks and SQL InjectionMudassir Hassan Khan
 
Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)
Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)
Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)msz
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...CODE BLUE
 
Insight User Conference Bootcamp - Use the Engagement Tracking and Metrics A...
Insight User Conference Bootcamp - Use the Engagement Tracking and Metrics A...Insight User Conference Bootcamp - Use the Engagement Tracking and Metrics A...
Insight User Conference Bootcamp - Use the Engagement Tracking and Metrics A...SparkPost
 
Apache Spark Streaming -Real time web server log analytics
Apache Spark Streaming -Real time web server log analyticsApache Spark Streaming -Real time web server log analytics
Apache Spark Streaming -Real time web server log analyticsANKIT GUPTA
 

Weitere ähnliche Inhalte

Was ist angesagt?

Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
 
sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector Rishi Bhargava
 
Google Dorks: Analysis, Creation, and new Defenses
Google Dorks: Analysis, Creation, and new DefensesGoogle Dorks: Analysis, Creation, and new Defenses
Google Dorks: Analysis, Creation, and new DefensesFlavio Toffalini
 
Windows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsWindows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsMike Spaulding
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security ClassRich Helton
 
2013 lecture-01-introduction
2013 lecture-01-introduction2013 lecture-01-introduction
2013 lecture-01-introductionPharo
 
Malware analysis
Malware analysisMalware analysis
Malware analysisDen Iir
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur lsINSIGHT FORENSIC
 
OSINT tools for security auditing with python
OSINT tools for security auditing with pythonOSINT tools for security auditing with python
OSINT tools for security auditing with pythonJose Manuel Ortega Candel
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationFernando Lopez Aguilar
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
Open Source Forensics
Open Source ForensicsOpen Source Forensics
Open Source ForensicsCTIN
 
Hijack This
Hijack ThisHijack This
Hijack ThisKitty
 
Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)
Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)
Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)msz
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...CODE BLUE
 

Was ist angesagt? (20)

Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
 
sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector
 
Google Dorks: Analysis, Creation, and new Defenses
Google Dorks: Analysis, Creation, and new DefensesGoogle Dorks: Analysis, Creation, and new Defenses
Google Dorks: Analysis, Creation, and new Defenses
 
Windows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsWindows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti Forensics
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security Class
 
2013 lecture-01-introduction
2013 lecture-01-introduction2013 lecture-01-introduction
2013 lecture-01-introduction
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
14(1) 005
14(1) 00514(1) 005
14(1) 005
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls
 
OSINT tools for security auditing with python
OSINT tools for security auditing with pythonOSINT tools for security auditing with python
OSINT tools for security auditing with python
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, Authorization
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack Vectors
 
Open Source Forensics
Open Source ForensicsOpen Source Forensics
Open Source Forensics
 
Hijack This
Hijack ThisHijack This
Hijack This
 
How to use shodan more powerful
How to use shodan more powerful How to use shodan more powerful
How to use shodan more powerful
 
Google Dorks and SQL Injection
Google Dorks and SQL InjectionGoogle Dorks and SQL Injection
Google Dorks and SQL Injection
 
Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)
Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)
Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
 

Ähnlich wie Life on Clouds: a forensics overview

Insight User Conference Bootcamp - Use the Engagement Tracking and Metrics A...
Insight User Conference Bootcamp - Use the Engagement Tracking and Metrics A...Insight User Conference Bootcamp - Use the Engagement Tracking and Metrics A...
Insight User Conference Bootcamp - Use the Engagement Tracking and Metrics A...SparkPost
 
Apache Spark Streaming -Real time web server log analytics
Apache Spark Streaming -Real time web server log analyticsApache Spark Streaming -Real time web server log analytics
Apache Spark Streaming -Real time web server log analyticsANKIT GUPTA
 
Microsoft Graph: Connect to essential data every app needs
Microsoft Graph: Connect to essential data every app needsMicrosoft Graph: Connect to essential data every app needs
Microsoft Graph: Connect to essential data every app needsMicrosoft Tech Community
 
Microsoft Graph: Connect to essential data every app needs
Microsoft Graph: Connect to essential data every app needsMicrosoft Graph: Connect to essential data every app needs
Microsoft Graph: Connect to essential data every app needsMicrosoft Tech Community
 
Real-time big data analytics based on product recommendations case study
Real-time big data analytics based on product recommendations case studyReal-time big data analytics based on product recommendations case study
Real-time big data analytics based on product recommendations case studydeep.bi
 
Training thethings.iO
Training thethings.iOTraining thethings.iO
Training thethings.iOMarc Pous
 
Evolving your Data Access with MongoDB Stitch - Drew Di Palma
Evolving your Data Access with MongoDB Stitch - Drew Di PalmaEvolving your Data Access with MongoDB Stitch - Drew Di Palma
Evolving your Data Access with MongoDB Stitch - Drew Di PalmaMongoDB
 
Evolving your Data Access with MongoDB Stitch
Evolving your Data Access with MongoDB StitchEvolving your Data Access with MongoDB Stitch
Evolving your Data Access with MongoDB StitchMongoDB
 
Cloudbase.io MoSync Reload Course
Cloudbase.io MoSync Reload CourseCloudbase.io MoSync Reload Course
Cloudbase.io MoSync Reload Coursecloudbase.io
 
Web 20 Security - Vordel
Web 20 Security - VordelWeb 20 Security - Vordel
Web 20 Security - Vordelguest2a1135
 
Scalable, Automated Anomaly Detection with GuardDuty, CloudTrail, & Amazon Sa...
Scalable, Automated Anomaly Detection with GuardDuty, CloudTrail, & Amazon Sa...Scalable, Automated Anomaly Detection with GuardDuty, CloudTrail, & Amazon Sa...
Scalable, Automated Anomaly Detection with GuardDuty, CloudTrail, & Amazon Sa...Amazon Web Services
 
Do you know what your drupal is doing? Observe it!
Do you know what your drupal is doing? Observe it!Do you know what your drupal is doing? Observe it!
Do you know what your drupal is doing? Observe it!Luca Lusso
 
JavaScript & Cloud: the AWS JS SDK and how to work with cloud resources
JavaScript & Cloud: the AWS JS SDK and how to work with cloud resourcesJavaScript & Cloud: the AWS JS SDK and how to work with cloud resources
JavaScript & Cloud: the AWS JS SDK and how to work with cloud resourcesCorley S.r.l.
 
MongoDB World 2019: Securing Application Data from Day One
MongoDB World 2019: Securing Application Data from Day OneMongoDB World 2019: Securing Application Data from Day One
MongoDB World 2019: Securing Application Data from Day OneMongoDB
 
Adobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES SecurityAdobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES Securityguest2a5a03
 
Introduction to Google Cloud platform technologies
Introduction to Google Cloud platform technologiesIntroduction to Google Cloud platform technologies
Introduction to Google Cloud platform technologiesChris Schalk
 
Building applications with Serverless Framework and AWS Lambda
Building applications with Serverless Framework and AWS LambdaBuilding applications with Serverless Framework and AWS Lambda
Building applications with Serverless Framework and AWS LambdaFredrik Vraalsen
 
Webinar: Architecting Secure and Compliant Applications with MongoDB
Webinar: Architecting Secure and Compliant Applications with MongoDBWebinar: Architecting Secure and Compliant Applications with MongoDB
Webinar: Architecting Secure and Compliant Applications with MongoDBMongoDB
 
Using Data Science & Serverless Python to find apartment in Toronto
Using Data Science & Serverless Python to find apartment in TorontoUsing Data Science & Serverless Python to find apartment in Toronto
Using Data Science & Serverless Python to find apartment in TorontoDaniel Zivkovic
 

Ähnlich wie Life on Clouds: a forensics overview (20)

Insight User Conference Bootcamp - Use the Engagement Tracking and Metrics A...
Insight User Conference Bootcamp - Use the Engagement Tracking and Metrics A...Insight User Conference Bootcamp - Use the Engagement Tracking and Metrics A...
Insight User Conference Bootcamp - Use the Engagement Tracking and Metrics A...
 
Apache Spark Streaming -Real time web server log analytics
Apache Spark Streaming -Real time web server log analyticsApache Spark Streaming -Real time web server log analytics
Apache Spark Streaming -Real time web server log analytics
 
Microsoft Graph: Connect to essential data every app needs
Microsoft Graph: Connect to essential data every app needsMicrosoft Graph: Connect to essential data every app needs
Microsoft Graph: Connect to essential data every app needs
 
Microsoft Graph: Connect to essential data every app needs
Microsoft Graph: Connect to essential data every app needsMicrosoft Graph: Connect to essential data every app needs
Microsoft Graph: Connect to essential data every app needs
 
Real-time big data analytics based on product recommendations case study
Real-time big data analytics based on product recommendations case studyReal-time big data analytics based on product recommendations case study
Real-time big data analytics based on product recommendations case study
 
Training thethings.iO
Training thethings.iOTraining thethings.iO
Training thethings.iO
 
Evolving your Data Access with MongoDB Stitch - Drew Di Palma
Evolving your Data Access with MongoDB Stitch - Drew Di PalmaEvolving your Data Access with MongoDB Stitch - Drew Di Palma
Evolving your Data Access with MongoDB Stitch - Drew Di Palma
 
Evolving your Data Access with MongoDB Stitch
Evolving your Data Access with MongoDB StitchEvolving your Data Access with MongoDB Stitch
Evolving your Data Access with MongoDB Stitch
 
Cloudbase.io MoSync Reload Course
Cloudbase.io MoSync Reload CourseCloudbase.io MoSync Reload Course
Cloudbase.io MoSync Reload Course
 
Web 20 Security - Vordel
Web 20 Security - VordelWeb 20 Security - Vordel
Web 20 Security - Vordel
 
Scalable, Automated Anomaly Detection with GuardDuty, CloudTrail, & Amazon Sa...
Scalable, Automated Anomaly Detection with GuardDuty, CloudTrail, & Amazon Sa...Scalable, Automated Anomaly Detection with GuardDuty, CloudTrail, & Amazon Sa...
Scalable, Automated Anomaly Detection with GuardDuty, CloudTrail, & Amazon Sa...
 
Do you know what your drupal is doing? Observe it!
Do you know what your drupal is doing? Observe it!Do you know what your drupal is doing? Observe it!
Do you know what your drupal is doing? Observe it!
 
JavaScript & Cloud: the AWS JS SDK and how to work with cloud resources
JavaScript & Cloud: the AWS JS SDK and how to work with cloud resourcesJavaScript & Cloud: the AWS JS SDK and how to work with cloud resources
JavaScript & Cloud: the AWS JS SDK and how to work with cloud resources
 
Mobile on AWS
Mobile on AWSMobile on AWS
Mobile on AWS
 
MongoDB World 2019: Securing Application Data from Day One
MongoDB World 2019: Securing Application Data from Day OneMongoDB World 2019: Securing Application Data from Day One
MongoDB World 2019: Securing Application Data from Day One
 
Adobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES SecurityAdobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES Security
 
Introduction to Google Cloud platform technologies
Introduction to Google Cloud platform technologiesIntroduction to Google Cloud platform technologies
Introduction to Google Cloud platform technologies
 
Building applications with Serverless Framework and AWS Lambda
Building applications with Serverless Framework and AWS LambdaBuilding applications with Serverless Framework and AWS Lambda
Building applications with Serverless Framework and AWS Lambda
 
Webinar: Architecting Secure and Compliant Applications with MongoDB
Webinar: Architecting Secure and Compliant Applications with MongoDBWebinar: Architecting Secure and Compliant Applications with MongoDB
Webinar: Architecting Secure and Compliant Applications with MongoDB
 
Using Data Science & Serverless Python to find apartment in Toronto
Using Data Science & Serverless Python to find apartment in TorontoUsing Data Science & Serverless Python to find apartment in Toronto
Using Data Science & Serverless Python to find apartment in Toronto
 

Mehr von Reality Net System Solutions

BYOM Build Your Own Methodology (in Mobile Forensics)
BYOM Build Your Own Methodology (in Mobile Forensics)BYOM Build Your Own Methodology (in Mobile Forensics)
BYOM Build Your Own Methodology (in Mobile Forensics)Reality Net System Solutions
 
iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?Reality Net System Solutions
 
Study and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android DevicesStudy and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android DevicesReality Net System Solutions
 

Mehr von Reality Net System Solutions (12)

BYOM Build Your Own Methodology (in Mobile Forensics)
BYOM Build Your Own Methodology (in Mobile Forensics)BYOM Build Your Own Methodology (in Mobile Forensics)
BYOM Build Your Own Methodology (in Mobile Forensics)
 
Forensic Analysis of the Raspberry PI 400
Forensic Analysis of the Raspberry PI 400Forensic Analysis of the Raspberry PI 400
Forensic Analysis of the Raspberry PI 400
 
iOS Forensics a costo zero
iOS Forensics a costo zeroiOS Forensics a costo zero
iOS Forensics a costo zero
 
The state of the art in iOS Forensics
The state of the art in iOS ForensicsThe state of the art in iOS Forensics
The state of the art in iOS Forensics
 
(in)Secure Secret Zone
(in)Secure Secret Zone(in)Secure Secret Zone
(in)Secure Secret Zone
 
Forensicating the Apple TV
Forensicating the Apple TVForensicating the Apple TV
Forensicating the Apple TV
 
iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?
 
Acquisizione forense di dispositivi iOS
Acquisizione forense di dispositivi iOSAcquisizione forense di dispositivi iOS
Acquisizione forense di dispositivi iOS
 
Study and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android DevicesStudy and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android Devices
 
ReVaulting! Decryption and opportunities
ReVaulting! Decryption and opportunitiesReVaulting! Decryption and opportunities
ReVaulting! Decryption and opportunities
 
Dammi il tuo iPhone e ti dirò chi sei (Forse)
Dammi il tuo iPhone e ti dirò chi sei (Forse)Dammi il tuo iPhone e ti dirò chi sei (Forse)
Dammi il tuo iPhone e ti dirò chi sei (Forse)
 
Tor Browser Forensics on Windows OS
Tor Browser Forensics on Windows OSTor Browser Forensics on Windows OS
Tor Browser Forensics on Windows OS
 

Kürzlich hochgeladen

Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 

Kürzlich hochgeladen (20)

Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 

Life on Clouds: a forensics overview

  • 1. LIFE ON CLOUDS, A FORENSICS OVERVIEW MARCO SCARITO – MATTIA EPIFANI – FRANCESCO PICASSO DFRWS 2016 EU – LAUSANNE 31/03/2016
  • 2. OUR DIGITAL LIFE IS ON THE CLOUD  Nowadays each digital device is, somehow, connected to the Internet  Most of them store (meta)data on a cloud service  We don’t know exactly where and how our data is stored
  • 3. CLOUD SERVICES  Cloud services include:  Storage  Documents  Email  Calendar  Applications  Virtual machines  Other services
  • 4. HOW CAN WE ACCESS CLOUD STORAGE DATA? Each vendor provides a specific client to access data other than a web browser access. During a forensic analysis, when we know the user credentials or we have a valid token, the usage of standard clients is absolutely unsuitable and web access is often uncomfortable
  • 5. API ACCESS  Fortunately, all vendors provide API (Application Program Interface) to access data on cloud services  Some forensics software for cloud acquisition rely on the APIs, some others emulate a browser and parse information, but most of them are focused on retrieving files (eventually deleted or previous versions) ignoring almost completely all available metadata  During our research, we developed some pieces of software (Python scripts) that implement the vendor’s API, focusing more on metadata than on files
  • 6. CLOUD DATA STORAGE PLAYERS  We have developed acquisition scripts for DropBox and Google (Drive and other services) and we called them «CLOUDIAN»
  • 7. CLOUDIAN – API INSTALLATION  Both DropBox and Google provide an API interface and a dedicated Python SDK  After installing Python you need to install the proper SDKs $ pip install dropbox $ pip install --upgrade google-api-python-client
  • 8. CLOUDIAN – REGISTERYOUR APPLICATION ON DROPBOX  In order to register a new application you need a DropBox® account  Go to https://www.dropbox.com/developers  The app must have full write access  Choose an app name  Obtain  App key  App secret
  • 9. CLOUDIAN-DBOX flow = dropbox.client.DropboxOAuth2FlowNoRedirect(app_key, app_secret) authorize_url = flow.start() webbrowser.open_new(authorize_url) print ('1. Click "Allow" (you might have to log in first)') print ("2. Copy the authorization code.") code = raw_input("Enter the authorization code here: ").strip() access_token, user_id = flow.finish(code) client = dropbox.client.DropboxClient(access_token) Now that you have a proprer App key and App secret, you can use Python APIs to connect to a Dropbox account with proper username and password (or valid token)
  • 10. CLOUDIAN-DBOX  Once your own App is authorized, you can easily access data and/or metadata of all files stored in the account using APIs  First of all you can retrieve Account Information using the command: account = client.account_info()
  • 11. CLOUDIAN-DBOX  Then you can retrieve the content of a particular path, for example, starting from the root and recursively browsing the complete tree: metadata = client.metadata(path, list = True, include_deleted = True)  This command retrieves all metadata available for the specified «path» and, if it is a directory, it retrieves also metadata of contained files and subdirectories (including deleted ones)
  • 12. CLOUDIAN-DBOX  If a file has previous versions, you can retrieve a list of all revisions using the command: revisions = client.revisions(path, rev_limit=1000)  Then you can retrieve metadata of each revision stored on Dropbox account: for revision in revisions: metatada = client.metadata(path, rev=revision, include_media_info=True)  The include_media_info paramenter permits to collect Exif information stored in metadata
  • 13. CLOUDIAN-DBOX  Once you have downloaded all metadata information you can start analyzing them  They are downloaded in JSON format, so it is quite easy to manage information  Here is JSON sample returned by the client.account_info()call "account information": { "referral_link": "https://db.tt/UE4wbELS", "display_name": "REALITY NET System Solutions", "uid": 466040986, "locale": "it", "email_verified": true, "email": "info@realitynet.it", "is_paired": false, "team": null, "name_details": { "familiar_name": "REALITY NET", "surname": "System Solutions", "given_name": "REALITY NET" }, "country": "IT", "quota_info": { "datastores": 0, "shared": 0, "quota": 1101659111424, "normal": 7661774 } },
  • 14. CLOUDIAN-DBOX  Here is the JSON describing a Folder  As you can see there are some useful info:  The «last modified date»  The folder is shared with someone "/RW_shared": { "meta": { "read_only": false, "modifier": null, "icon": "folder_user", "bytes": 0, "thumb_exists": false, "rev": "4e3c55f906", "modified": "Fri, 25 Mar 2016 09:40:23 +0000", "shared_folder": { "shared_folder_id": "1180320204", "is_team_only_shared_folder": false }, "path": "/RW_shared", "is_dir": true, "size": "0 bytes", "root": "dropbox", "revision": 78 },
  • 15. CLOUDIAN-DBOX  Here is the JSON describing a File  As you can see there are some useful info  The «modified» date on Dropbox server  The «client_mtime» is the last modified date on the local client  The file was last modified by «REALITY NET» with uid «466040986» and email «info@realitynet.it»  Mimetype says it is a text file but this info is not reliable because is based only on file extension  Notice «revision»: 5 "/RW_shared/sample2.txt": { "meta": { "read_only": false, "parent_shared_folder_id": "1180320204", "revision": 5, "bytes": 139, "thumb_exists": false, "rev": "5465a41cc", "modified": "Fri, 25 Mar 2016 10:32:58 +0000", "mime_type": "text/plain", "size": "139 bytes", "path": "/RW_shared/sample2.txt", "is_dir": false, "modifier": { "email_verified": true, "display_name": "REALITY NET System Solutions", "uid": 466040986, "email": "info@realitynet.it" }, "root": "dropbox", "client_mtime": "Fri, 25 Mar 2016 10:32:16 +0000", "icon": "page_white_text" },
  • 16. CLOUDIAN-DBOX  Let’s analyze another file  As you can see there are some useful info  The file was «deleted»  The «modified» date says when the file was deleted  The last modifier does not coincide with the user who deleted the file (i know that i used another one )  The «client_mtime» has no sense  It is not possible to download a deleted file: you have to find the most recent «previous version» of the deleted file  Notice «revision»: 6 "/RW_shared/sample2.txt": { "meta": { "read_only": false, "parent_shared_folder_id": "1180320204", "is_deleted": true, "revision": 6, "bytes": 0, "thumb_exists": false, "rev": "6465a41cc", "modified": "Fri, 25 Mar 2016 10:33:16 +0000", "mime_type": "text/plain", "size": "0 bytes", "path": "/RW_shared/sample2.txt", "is_dir": false, "modifier": { "email_verified": true, "display_name": "REALITY NET System Solutions", "uid": 466040986, "email": "info@realitynet.it" }, "root": "dropbox", "client_mtime": "Wed, 31 Dec 1969 23:59:59 +0000", "icon": "page_white_text"
  • 17. CLOUDIAN-DBOX  Let’s analyze a third file:  This one was modified by another user   Notice that «client_mdate» and «modified» are perfectly the same, this could indicate that the file was uploaded with the web interface  Notice «revision»: 1 "/RW_shared/sample1.txt": { "meta": { "read_only": false, "parent_shared_folder_id": "1180320204", "revision": 1, "bytes": 30, "thumb_exists": false, "rev": "1465a41cc", "modified": "Fri, 25 Mar 2016 09:57:32 +0000", "mime_type": "text/plain", "size": "30 bytes", "path": "/RW_shared/sample1.txt", "is_dir": false, "modifier": { "email_verified": true, "display_name": "Marco Scarito", "uid": 24169827, "email": "marcoscarito@outlook.com" }, "root": "dropbox", "client_mtime": "Fri, 25 Mar 2016 09:57:32 +0000", "icon": "page_white_text" },
  • 18. CLOUDIAN-DBOX Name Revision Modified Modifier Client-mdate Deleted sample1.txt 1 Fri, 25 Mar 2016 09:57:32 Marco Scarito Fri, 25 Mar 2016 09:57:32 No sample1.txt 2 Fri, 25 Mar 2016 10:20:39 REALITY NET System Solutions Fri, 25 Mar 2016 10:20:34 No sample1.txt 3 Fri, 25 Mar 2016 10:31:12 REALITY NET System Solutions Wed, 31 Dec 1969 23:59:59 Yes sample2.txt 4 Fri, 25 Mar 2016 10:31:12 REALITY NET System Solutions Fri, 25 Mar 2016 10:20:34 No sample2.txt 5 Fri, 25 Mar 2016 10:32:58 REALITY NET System Solutions Fri, 25 Mar 2016 10:32:16 No sample2.txt 6 Fri, 25 Mar 2016 10:33:16 REALITY NET System Solutions Wed, 31 Dec 1969 23:59:59 Yes Let’s now have a look to all files and try to make some «intelligence»
  • 19. CLOUDIAN-DBOX What did we add to ensure a «forensically sound» environment?  You can include in your «project» info about:  Examiner name  Examiner Company  Other info are generated automatically:  Start date and time  MD5 and SHA-256 hashes based on metadata retrieved during acquisition If you are able to «freeze» the hashes (for example you could send them immediately to your «customer» using a secure channel), you can ensure that retrieved data will not be «tampered» by anyone
  • 20. CLOUDIAN-DBOX What can we do to ensure a more «forensically sound» environment?  We can improve the script on some fields:  We can retrieve «timing information» from a secure source (public NTP)  We can «sniff» network traffic generated by the script  We can improve the output data type (for example we could generate a time line)
  • 21. CLOUDIAN – REGISTERYOUR APPLICATION ON GOOGLE DEVS  In order to register a new application you need a Google account  Go to https://console.developers.google.com  Create a new project  Activate API for desired service (Drive, Gmail, Calendar, …)  Click on “Create Credential”  Download the json file containing  Client ID  Client Secret  Other information
  • 22. CLOUDIAN – GOOGLE  Google Cloud Services are more complex than Dropbox  There is a huge amount of different services on Google Cloud  Gmail  Drive  Calendar  Contacts  And other free services  Moreover, there are a lot of professional services (like Cloud Computing, Cloud SQL, CloudVirtual Networks, …)  Each service has its own set of API constantly improved
  • 23. CLOUDIAN – GOOGLE  In our research we decided to focus only on free services:  Google Calendar  Google Drive  The API approach is similar to the Dropbox one: you need to connect to a known account with your application in order to retrieve data from Google data centers  All metadata are exposed as JSON objects  In most cases you can retrieve metadata without downloading the data  Google APIs are «forensics friendly» as you can set read only access
  • 24. CLOUDIAN-GCAL  When you access Google Calendar using APIs, you can retrieve all information about the user’s calendar and all other calendars that are shared with the user while True: calendar_list = service.calendarList().list(pageToken=page_token).execute() for item in calendar_list['items']: calendars.append(item) page_token = calendar_list.get('nextPageToken') if not page_token: break
  • 25. CLOUDIAN-GCAL USER MAIN CALENDAR "kind": "calendar#calendarListEntry", "foregroundColor": "#000000", "defaultReminders": [ … ], "primary": true, "colorId": "3", "selected": true, "summary":"marco.scarito@realitynet.it", "etag": ""1435832228655000"", "backgroundColor": "#f83a22", "timeZone": "Europe/Rome", "accessRole": "owner", "id": "marco.scarito@realitynet.it" SHARED CALENDARWITH FULL RIGHT "kind": "calendar#calendarListEntry", "foregroundColor": "#000000", "defaultReminders": [], "colorId": "15", "selected": true, "summary": "mattia.epifani@realitynet.it", "etag": ""1458923654259000"", "backgroundColor": "#9fc6e7", "timeZone": "Europe/Rome", "accessRole": "owner", "id": mattia.epifani@realitynet.it SHARED CALENDAR FREE/BUSY "kind": "calendar#calendarListEntry", "foregroundColor": "#000000", "defaultReminders": [], "colorId": "22", "selected": true, "summary": "Marco Scarito", "etag": ""1459329937764000"", "backgroundColor": "#f691b2", "timeZone": "Europe/Rome", "accessRole": "freeBusyReader", "id": "marcoscarito@gmail.com"
  • 26. CLOUDIAN-GCAL  Analizing each single event in the JSON structure you can retrieve a lot of useful information  How organize the event (it should be another user)  Start and End date and time  Attendees  Creation date and time  Visibility  Summary  Recurrence  And much more
  • 27. CLOUDIAN-GDRIVE  When you access Google Drive using APIs, you can retrieve all information about the user activities  User files with previous versions  Deleted file  Google photo files  All files accessed by the user within the google docs platform  Shared files  And much more
  • 28. CLOUDIAN-GDRIVE  Focusing on metadata  For each file you have directly the MD5 hash on metadata (without downloading the file)  For each shared document you can access the full list of users with specific permissions  For multimedia files you can access specific metadata (like video length in seconds, image dimension in pixel, EXIF metadata)
  • 29. CLOUDIAN-GDRIVE  The most interesting aspect in our research (not yet implemented) is that, using APIs, you can search for files using metadata parameters like:  modification date range (if you are looking for an event in a specific time period)  Hash value (if you are looking if a user has a specific file)  Camera Model (if you are looking for photos shot with a specific camera)  And so on…
  • 30. CLOUDIAN-GDRIVE Latest discovery:  Analyzing my own Google Drive account I discovered that some years ago I opened a document named “plaso reinventing the super timeline - 2013 DFIR Summit.pdf” that was published as a public Google docs document
  • 31. Q&A Marco Scarito Digital Forensics Analyst and Mobile Device Security Analyst CTO @ REALITY NET –System Solutions Member of CLUSIT, DFA, IISFA, ONIF marco.scarito@realitynet.it @marcoscarito http://www.linkedin.com/in/marcoscarito http://blog.digital-forensics.it http://www.realitynet.it