All right, so hello Blue Team Village and welcome to my talk. I'll be discussing today a talk titled Forensicating Endpoint Artifacts in the World of Cloud Storage Services. My name is Renzon Cruz, and I'll be starting by sharing my screen. I hope you can see my screen. There you go. Okay, let's start.

So again, my name is Renzon Cruz. I'm a DFIR guy. I do digital forensics and incident response in my work at one of the companies in the UK, but I'm based here in Dubai. I'm also an ex-security consultant slash IR; I was part of the NCSA, or what they call the National Cybersecurity Agency, in one of the countries in the Middle East. I'm also a co-founder of GuideM. We specialize in training programs for aspiring cybersecurity professionals, and we offer cyber defense, threat hunting, VAPT, that kind of thing. I've also been accepted by various conferences such as BSides London, Vancouver, Doha, ROOTCON in the Philippines; recently we had NorthSec a couple of months ago in Montreal, and now here at Blue Team Village, DEF CON. So thank you so much to the BTV folks and to the council who accepted my talk.

And just a caveat there: this is not a talk primarily related to the big three cloud service providers, such as AWS from Amazon, GCP or Google Cloud Platform, and also Microsoft Azure. So if you're here just to learn more about that stuff, this is not the talk for you. I'm particularly discussing cloud storage services. Maybe in the near future I'll be discussing that, and we'll talk about cloud forensics and IR and the things that you have to do when there's an incident. But for now we're just going to discuss cloud storage and the footprints left behind on the endpoints. So what I'm saying is we'll be analyzing the footprints related to Box, Dropbox, Google Drive, Mega and also OneDrive. These are the primary cloud storage apps that we have today.
There are a couple of versions, or two versions, that we have for this. Number one is the personal version, which is typically used by consumers, and there's also a second one, which is the business version. On the business versions the main difference is the added features such as Files On-Demand; there's also a different retention policy that you can extend from 90 days up to whatever you want, depending on the storage that you have, and also more robust logging. But in this talk we're just going to focus on and showcase more of the personal version itself.

Now the question is: in a world where the most important data is only present on, probably, third-party systems, how do we effectively accomplish our analysis and investigations? Is there anything left on the endpoint that can be used for forensics? That is the topic that I'm going to discuss, mainly to showcase the forensic goodness of these five predominant cloud storage apps that we have. I also have a logo here for iCloud; basically it's quite popular, especially for those Apple fanboys out there, but it tends to be used by smaller organizations.

And here's the agenda for today. Why do we care? Okay, some use cases, some incidents that we've had in the past. What is the forensic value, and the metadata, the information that we can get by analyzing the metadata or the evidence? And also I'll be showing you a quick rundown of how we can perform evidence acquisition using a couple of tools.

All right, so now this. We have a problem: these cloud storage services are being used by most adversaries nowadays. You may be familiar with MITRE, so you may see on the right of my screen that there is a screenshot related to MITRE techniques that talks about Exfiltration Over Web Service: Exfiltration to Cloud Storage. That is exactly technique ID T1567.002, which is the sub-technique.
So adversaries keep on using these to exfiltrate data and also to store the data stolen from their victims. And we have here a couple of adversaries that keep on using it. Number one here is Chimera. Chimera abuses cloud services to exfiltrate data; they are actually using OneDrive accounts to exfiltrate that stolen data. Turla, which has been here for a couple of years already. It's not new, but they also use OneDrive and 4shared. The latest one, which we had a couple of months ago from Microsoft, is HAFNIUM. HAFNIUM, as per the reports based on the threat intelligence, also exfiltrates data to file sharing sites like MEGA or MEGAsync. And the last one is Empire. There is a kind of module, particularly for C2, that leverages Dropbox to perform data exfiltration.

So now the question is, why do we care? Of course we care. Cloud storage can be used to perform data exfil, so we need to look for those remnants and artifacts that can lead us to more granular information and more data. It can also be used, or heavily used, by insider threats, especially if your company doesn't have a proper policy or even data loss prevention tools to detect those internal documents being shared, uploaded or downloaded by someone, by your employees; then you will be in a mess. Extremely useful, of course, especially when we are doing some analysis, as it leaves tons of trails and artifacts that can be used to track down the activities, what tasks are being done by your employees or by the adversary, just by looking into these footprints.

So these are the things that we can collect from the evidence standpoint. We can collect local files or even the cloud files: the synced files on the local drive, or even on the cloud itself. We have here something like databases and logs.
Databases and logs can be beneficial to get most of the metadata that we need, especially the modified time, the timestamps, the different hashes. You will be surprised that there are a couple of hashes available depending on the cloud storage that we are using: there is storage that uses SHA-1, there is storage that uses MD5 hashes, and also the file names of the files themselves. Another thing that is also useful for us is the deleted items. Of course, every forensic examiner loves to examine deleted items, especially in IR; we would like to know which files they're trying to hide from us. And the last thing is the operating system artifacts. This could be a bunch of Windows artifacts such as LNK files, prefetch files, registry entries and even event logs, jump lists and also memory dumps. So if ever you guys are using these kinds of cloud storage apps, then once you execute this, once you use this, it will exist almost everywhere, almost everywhere in the OS artifacts that we know.

Next is the endpoint footprints. Technically, cloud storage applications leave large footprints on the endpoint. By checking the local systems, you can see a lot of artifacts that can be useful for our analysis. One thing is account details: what files are currently being shared with the user, what files may be available not on the system but potentially in the cloud storage, what files are being downloaded or transferred, and what accounts they've used to share these files. In addition to that, we also have a bunch of timestamps that we can correlate with the user's activities. Another thing is the hashes, as I've mentioned; depending on the cloud storage, it gives us the hash that we can use to perform some comparison of what is being stored or transferred to different recipients.

Now let's start. So welcome to Dropbox.
This is one of my favorites, and not favorites, when it comes to investigations, but one of the first storage services that I used, a couple of years ago. This is also the worst cloud storage, not in terms of the features, scalability and UI; those are actually awesome, actually good. It's just that it's hard when it comes to analysis and investigations, because it is a difficult cloud storage: the primary databases are encrypted using Windows DPAPI, so you have to decrypt them. You have to use some tools, you have to get the keys, for you to decrypt it, but once you've decrypted it, it will be easy to navigate because it is also using a normal type of database, which is SQLite. So if you have an SQLite viewer, then you can easily see this kind of format. They used to be pretty straightforward a couple of years ago, but they changed how they did things.

So there is one metadata file here, which is what we call filecache.dbx. This is the most important artifact that you can have in Dropbox, as it contains most of the metadata of the locally synchronized files. Again, the filecache and the config are actually encrypted, but there is an open source tool that we can use to decrypt them: the DPAPI toolkit made by Francesco Picasso. He's a researcher, and he created this toolkit to decrypt this kind of stuff. I have also mentioned here one good talk from a couple of years ago, from the year 2012. During 2012 there was a talk at Hack.lu, which is a conference in Luxembourg, by two great gents on the topic of a critical analysis of Dropbox software security. They discovered that the encryption key used for the encrypted DBX files is kept in the registry and protected by, again, DPAPI. So I just mentioned here the link. You can just visit this and look at the paper. It's kind of interesting.
Next is OneDrive, which is the most popular because Windows has it installed by default starting with Windows 8 and later. In most cases, you may see this in the default folder OneDrive, but sometimes it can also be SkyDrive. So if you're examining, let's say, a case, and you can see that there's a SkyDrive, that is actually OneDrive. SkyDrive was the old name of OneDrive, which Microsoft changed years ago. And as I've mentioned, there are two variants of this. One is the personal, and the second is the business variant of OneDrive. The good thing about the business one is that it gives you a log called the Unified Audit Log, or UAL. UAL is enabled by default now for every user in the corporate tenant, which gives you 90 days retention by default. Once you extract certain logs from the UAL, for example if you are investigating a user in your company and you extract the report via CSV or via the web UI that they have there, then you can get the audit logs: the user's IP address, the account itself, and the file status, whether the user modified an account or modified a certain file on SharePoint, if he deleted something, if he accessed something, or even copied it. So that exists in the UAL or Unified Audit Log. But for this talk, I'll just be focusing on the personal variant of OneDrive.

We also have here a metadata file called the .dat file, or UserCid.dat, which basically gives us the list of local and cloud file names. Here are the three types of states when OneDrive does Files On-Demand. One of the cool things about OneDrive is the concept of Files On-Demand: only a subset of the available files are likely resident in the local file system. As you may see here in my screenshot, there are three types. Number one, the cloud icon, states that the file or folder exists only in the cloud itself, okay?
So it's not on your local drive. The second thing, the green check mark, states that it is temporarily cached. If a user goes to this directory and then opens it, that actually gives them a temporary cache of the file itself. And the last thing, which has the white check icon inside the green circle, states that the file is always kept on this device, or it is stored locally. If you right-click a certain file, it gives you the option "Always keep on this device". That means this will be available in the local files as well as in the cloud. But most of the time, when you see this cloud icon, the first one, this is called a reparse point. These are actually just placeholders: the file does not exist on the hard disk, but you can get the metadata, and it will be the reference to the existing file in the cloud. So sometimes, once you image a certain hard disk, the user will be surprised that the file does not exist, but it exists in the cloud, because this is just a reparse point; unless the user clicks "Always keep on this device", only then, once you image the machine, will you get the exact file and not just the metadata.

Other metadata or artifacts that we can use for our investigations here are the .ini files, because they give us the OneDrive location information. There is also a timestamp, like the last time that OneDrive was synchronized with the cloud, and also the bytes transferred and the requests sent, which is the amount of activity during the sync. There's also a text file here, as you can see on my screen, the ProfileServiceResponse text file. This is actually in JSON format, and it gives us the first and last name of the user plus their Microsoft account and email address.
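The three Files On-Demand states described above are recorded on disk as NTFS file-attribute bits, so an examiner working from an image (or an MFT parse) can tell placeholders from hydrated files without trusting the icons. The following is an added example, not part of the talk: it classifies a file's attribute value into the cloud-only / locally-available / always-local states. The REPARSE_POINT bit comes from Python's stat module; the RECALL_ON_DATA_ACCESS, RECALL_ON_OPEN and PINNED values are the winnt.h FILE_ATTRIBUTE_* constants as I read them from Microsoft's Cloud Files documentation, and the mapping to the OneDrive icons is my own assumption, so verify it on a test machine before relying on it. The sample attribute values are constructed.

```python
import os
import stat
from typing import Dict, List, Tuple

# Windows file-attribute bits used by the Cloud Files (cfapi) placeholder mechanism.
# REPARSE_POINT comes from Python's stat module; the others are the winnt.h
# FILE_ATTRIBUTE_* values (assumed correct; check them against your SDK headers).
FILE_ATTRIBUTE_REPARSE_POINT = stat.FILE_ATTRIBUTE_REPARSE_POINT  # 0x00000400
FILE_ATTRIBUTE_RECALL_ON_OPEN = 0x00040000
FILE_ATTRIBUTE_PINNED = 0x00080000                 # "Always keep on this device"
FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS = 0x00400000  # data must be fetched from the cloud


def classify_placeholder(attrs: int) -> str:
    """Map attribute bits to the sync states shown in the OneDrive UI.

    Returns 'cloud-only', 'always-local', 'locally-available' or 'not-a-placeholder'.
    The mapping is an assumption drawn from the Cloud Files API docs.
    """
    if attrs & (FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS | FILE_ATTRIBUTE_RECALL_ON_OPEN):
        return "cloud-only"          # metadata is on disk, file content is not
    if attrs & FILE_ATTRIBUTE_PINNED:
        return "always-local"        # full content present and pinned by the user
    if attrs & FILE_ATTRIBUTE_REPARSE_POINT:
        return "locally-available"   # hydrated placeholder; may be dehydrated later
    return "not-a-placeholder"


def placeholder_summary(entries: List[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Bucket (path, attributes) pairs, e.g. values pulled from an MFT parser."""
    buckets: Dict[str, List[str]] = {}
    for name, attrs in entries:
        buckets.setdefault(classify_placeholder(attrs), []).append(name)
    return buckets


def scan_sync_folder(root: str) -> Dict[str, List[str]]:
    """Walk a live OneDrive folder on Windows and bucket files by placeholder state.

    st_file_attributes only exists on Windows; elsewhere every file is reported as
    'not-a-placeholder'. lstat is used so the walk itself does not hydrate anything.
    """
    entries: List[Tuple[str, int]] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            attrs = getattr(os.lstat(full), "st_file_attributes", 0)
            entries.append((full, attrs))
    return placeholder_summary(entries)


ARCHIVE = 0x00000020  # FILE_ATTRIBUTE_ARCHIVE, set on ordinary files

# Constructed sample attribute values, as a $STANDARD_INFORMATION parser might report them.
SAMPLE_ENTRIES = [
    ("Documents\\budget.xlsx", ARCHIVE | FILE_ATTRIBUTE_REPARSE_POINT
                                | FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS),  # cloud icon
    ("Documents\\notes.txt", ARCHIVE | FILE_ATTRIBUTE_REPARSE_POINT),     # green check
    ("Documents\\passport.pdf", ARCHIVE | FILE_ATTRIBUTE_REPARSE_POINT
                                 | FILE_ATTRIBUTE_PINNED),                 # filled green circle
    ("Documents\\local.txt", ARCHIVE),                                     # never synced
]

if __name__ == "__main__":
    for state, names in placeholder_summary(SAMPLE_ENTRIES).items():
        print(f"{state:20s} {names}")
```

In practice the value for the 'cloud-only' bucket is the list of files whose names and sizes will be in the image but whose content will not be; those are the ones to pull from the cloud side (or from the account via the provider's API) rather than from the disk.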
And the last thing here, which doesn't have the red box, is the .dat file. It shows the active files in the sync folders, including the local files and the files available in the cloud. What I did here is to run bstrings, a tool from Eric Zimmerman. Once you run bstrings on that .dat file, it gives us a result of all the files that exist on our local drive, okay? That also identifies whoever the user is and the file names themselves. And on the right side of my screenshot, you can see the Notepad that I've just opened, which basically gives you the first name and the last name of the user as well as his Microsoft account. You may see there that the user email that I've used is truzrenzon.jml.com. This is based on the JSON format.

Next is Box, which is the most forensically friendly app that we can deal with, okay? This is one of my favorites when it comes to performing an analysis, because it's easy to navigate and easy to investigate. They're also using SQLite databases that provide metadata like timestamps and the SHA-1, for online and offline files. The directory where you can find the local files is in the user profile, and then Box. This is by default, but this can be changed by the adversary too. In the Box folder, you can see here that there's a database called sync.db. This contains more of the identification of the items currently tracked by the Box Drive application. You can see here that there is a ton of useful information when you go to the Box item table in the sync.db database. You can see there that there is a parent item column. There's also a file name. There's also the checksum; you can see that this is SHA-1. There are also some timestamps which you need to convert from epoch time.

Next is Google Drive.
There are two types of Google Drive that we need to consider here. There is Google Drive, or Google Backup and Sync. That is the new term now; they replaced the original Google Drive application in the year 2018. This is the default desktop application for consumers that use Google Drive. The other one is when, let's say, your company is using the enterprise version of it; they call it Google Workspace, or Google G Suite, or G Suite File Stream. It is available to G Suite customers, with almost the same features as Backup and Sync with the addition of Files On-Demand, like Box and OneDrive, okay? The databases of Google Drive, or Google Backup and Sync, still use the SQLite form of database. And we have here some metadata, some useful databases. It's not encrypted. You can see here cloud_graph.db. You will get tons of information such as the modified time, which is again in Unix epoch time. We can also get the MD5 hashes of the files, so we can run some comparison of the existing files, whether there is a file that has been changed or modified by the adversary, or maybe deleted by someone, okay?

There is also a shared column here, which is kind of interesting. The shared column, if it's one, means it is being shared; but if it's zero, if the data has a zero value, then it means this is not shared. Another column here that is kind of interesting to me is doc_type, okay? You can see there that doc_type consists of two values in my screenshot: there is zero and one. If doc_type has a value of zero, it means that it is a folder. But if doc_type has a value of one, that means these are real files, like a PDF, a text file, a document, PowerPoint, Excel, et cetera, okay?

Next, or the last thing that we will be discussing right now, is MEGAsync, okay?
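The Box sync.db and Google Drive cloud_graph.db passages above both come down to the same triage: read the SQLite rows, turn the epoch timestamps into something readable, interpret the flag columns, and compare the stored hash against what is actually on disk. The following is an added example that is not part of the talk. It builds an in-memory stand-in for cloud_graph.db; the table name cloud_graph_entry and the exact column layout are assumptions (only the modified, checksum, shared and doc_type columns and their meanings come from the talk), and the rows and "local" file contents are constructed. The same code works for Box's sync.db by pointing it at that table and passing "sha1" as the hash algorithm.

```python
import hashlib
import sqlite3
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample: what the synced files look like on the endpoint right now.
# report.docx was edited after the last sync; exfil.zip exists only in the cloud.
LOCAL_FILES: Dict[str, bytes] = {
    "report.docx": b"quarterly numbers v2",
    "notes.txt": b"meeting notes",
}


def file_hash(data: bytes, algo: str = "md5") -> str:
    """Hash file content with the algorithm the provider uses (md5 for Drive, sha1 for Box)."""
    return hashlib.new(algo, data).hexdigest()


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for cloud_graph.db. Table and column names are assumed, not Google's."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE cloud_graph_entry (
               doc_id TEXT PRIMARY KEY, filename TEXT, modified INTEGER,
               doc_type INTEGER, shared INTEGER, checksum TEXT, size INTEGER)"""
    )
    rows = [  # constructed rows; modified is Unix epoch seconds
        ("d1", "Projects", 1620000000, 0, 0, None, 0),
        ("d2", "report.docx", 1620003600, 1, 1, file_hash(b"quarterly numbers v1"), 20),
        ("d3", "notes.txt", 1620007200, 1, 0, file_hash(b"meeting notes"), 13),
        ("d4", "exfil.zip", 1620010800, 1, 1, file_hash(b"zip bytes"), 9),
    ]
    conn.executemany("INSERT INTO cloud_graph_entry VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def epoch_to_utc(ts: int) -> str:
    """Render an epoch-seconds timestamp as UTC; never use local time in a report."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def list_entries(conn: sqlite3.Connection, table: str = "cloud_graph_entry") -> List[Dict]:
    """Rows in sync order with the flag columns decoded: doc_type 0 = folder, 1 = file; shared 1 = shared."""
    query = (f"SELECT doc_id, filename, modified, doc_type, shared, checksum, size "
             f"FROM {table} ORDER BY modified")
    out = []
    for doc_id, name, modified, doc_type, shared, checksum, size in conn.execute(query):
        out.append({
            "doc_id": doc_id,
            "filename": name,
            "modified_utc": epoch_to_utc(modified),
            "kind": "folder" if doc_type == 0 else "file",
            "shared": bool(shared),
            "hash": checksum,
            "size": size,
        })
    return out


def compare_with_local(conn: sqlite3.Connection, local_files: Dict[str, bytes],
                       algo: str = "md5", table: str = "cloud_graph_entry") -> Dict[str, List[str]]:
    """Triage tracked files: changed on disk since the last sync, or absent from disk altogether."""
    modified, missing = [], []
    for name, checksum in conn.execute(
            f"SELECT filename, checksum FROM {table} WHERE doc_type = 1"):
        if name not in local_files:
            missing.append(name)           # cloud-only or deleted locally: fetch from the account
        elif file_hash(local_files[name], algo) != checksum:
            modified.append(name)          # edited after the database last saw it
    return {"modified_locally": sorted(modified), "missing_locally": sorted(missing)}


if __name__ == "__main__":
    db = build_sample_db()
    for entry in list_entries(db):
        print(entry)
    print(compare_with_local(db, LOCAL_FILES))
```

Against a real database you would open the copied cloud_graph.db (or sync.db) read-only and feed compare_with_local the hashes of the files in the synced folder of the image; the "missing_locally" list is exactly the set of names the examiner cannot recover from the disk and must ask the provider for.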
MEGA is heavily used by adversaries because they say that MEGA is one of the most secure applications or cloud storage services being used by people, okay? MEGA actually stands for Mega Encrypted Global Access. They claim that their service is focused heavily on security; they are using end-to-end encryption, and they are also claiming that they're using zero-knowledge encryption, okay? Zero-knowledge encryption means that, in this case, no one besides you has the keys to your data, not even the service you're storing your files with. They are claiming that they don't have any access to the keys that you have there. You are the only one who has access to your files. So if you lose the keys, or the passphrase that they gave you once you registered your account, then they don't have any way to recover it, okay? That's why attackers love using MEGA, because of this claim.

Some of the local files that you can see on the Windows side exist under the user profile, AppData, Mega Limited\MEGAsync\logs. As you can see in my screenshot, you can see there the log files. If you open them, you can see what file has been recently downloaded from my MEGA account. Also in MEGA, in the web UI, you can see that they also store deleted files in the rubbish bin. I'm not sure how long they store it; I think for 30 or 90 days as well, like the other cloud storage apps. But once you delete a file, it will be stored in the rubbish bin. It acts like the Recycle Bin in Windows. There's also a local folder and a cloud folder where you can just drop anything. I have here a test folder on my local drive. If ever I drop anything there, it will automatically upload to my MEGA account as long as I have my internet.
And like what we have in other cloud storage apps, you can also see most of this, once you execute it, in most of the OS artifacts such as LNK files and even in event logs, as you can see in my screenshots, and prefetch files. That will automatically exist, of course, because that's an artifact of execution. And also in the Master File Table, you can see that there are a lot of MEGA applications or traces showing that I, or the user, am using the MEGAsync cloud storage app. So that would be the last one.

Now let's have a discussion on how we can perform an acquisition, okay? For cloud storage collections, most of these leverage API functions, so you need to give them the credentials so that they can perform activities such as evidence acquisition. There are a couple of things here. I have here another GitHub repo that could be good to perform evidence acquisition on the G Suite platform. It's free. There's also the default Takeout from Google, where you can dump most of the logs that you need for your investigation. And the predominant enterprise applications that you can find for collection are F-Response, Cellebrite; Cellebrite has a cloud forensics analysis module too. And of course Magnet Forensics. Magnet AXIOM is so useful; I've used it before. They are very good when it comes to providing and parsing a lot of fields and artifacts that you can find in any cloud storage that you are using. So these are the things that are commonly seen being used by investigators. Just check them out.

And this is the summary of the cloud storage files that we can get for each application. It would be better to have this as a reference guide. And right now, what if we need to get this from the endpoint? Let's say we need to get the artifacts, the footprints that we can get at the host level. What could be the tool that we can use?
If you're not familiar with KAPE, this is an absolutely amazing tool made and written by Eric Zimmerman. There are two components in KAPE. There are targets, and then there are also modules, which parse all of the files and give you a result in Excel or CSV format, which I will be performing in a demo. Again, this is free. You just have to subscribe at Kroll; go to the Kroll website and supply your email, and they will give the link to you. There are a couple of modules here which are entirely for cloud storage contents and metadata. That is an absolutely amazing tool. All you have to do is just a few clicks, and then you have to wait for it to finish.

Now it's demo time; I will just be presenting it to you. Let me just share my screen again. Okay. Now this is the video that I'll be showing you. Here, this is my computer, this is my desktop. What we'll be doing is to perform an evidence acquisition based on the footprints, the artifacts, those locations and directories that we have just discussed, by using a tool called KAPE by Eric Zimmerman. I will be launching KAPE here on my desktop, and after a few seconds it will appear here. I'll be using a target here, which is basically: where should I get those evidences? I just have to put my C drive here. The next thing is where should I put the output, where it will dump most of those artifacts that it will be collecting. And next is choosing the targets, putting the cloud storage there. As you can see, if I click that option, it gives me the artifacts from Dropbox, from OneDrive, from Google Drive, and also SugarSync is there. Okay, so after confirming that these will be the options that I need, I just have to also put it in a VHDX container so that I can easily open it on whatever computer I have.
And then I'll be putting a base name, which is cloud_storage_artifacts. Okay, so once I'm done, that's it. You just have to click Execute and then let's wait for this to finish. This would take me less than a minute, I think. And after that, it will be dropped in the folder that we just specified as the target destination, and then we can start our investigation. This will make it easier for us, because sometimes we tend to forget where the artifacts are located, what the default paths are, where the databases are located; this could solve our problems. And it's very easy and very fast as well. As you can see here, it's already done, and it took us only 40 seconds to finish.

Now let's extract the files that we just got using KAPE. Okay, so I just dumped everything into the KAPE output target. As you can see here, those files are already copied into my directory. You can see here the AppData. If you go into that, you can see Box, Dropbox, Google Drive, and also Microsoft, or OneDrive. If you go to Box, you can see most of the logs that we just discussed, the .dat, the databases where we can extract a couple of pieces of evidence and information. And Dropbox, you can see here the sync history, the config, the DBX files, and things like that. Okay, so that's how you perform evidence acquisition using KAPE as a tool, which is a free tool. And it took us only a minute to get those artifacts that we need based on the cloud storage apps that we are using.

And that's it for me, that's my demo. Let's go back to my slides. And actually, that's it, any questions, right? That's it for me, that is my talk. If ever you have questions related to the topic, please do let me know. These are a couple of references related to this talk. And yeah, these are the links that we have here.
Yeah, these are my handles: my Twitter handle, Ranzek, and my LinkedIn, and also my email. If you have any questions, please do let me know. Please reach out. And that's it. Thank you so much, Blue Team Village, for having me here, of course. And I'll be opening the floor for any questions that we have from the audience.