is all about forensicating endpoint artifacts in the world of cloud storage services. So this is going to be my whoami page. Again, my name is Renzon Cruz. I'm working as a DFIR, or digital forensics and incident response, practitioner, currently here in Dubai. I was a former member of NCSA, or what we call the National Cybersecurity Agency, based in one of the countries in the Middle East. I'm also a co-founder of GuideM. GuideM is one of the leading training providers based in the Philippines. We specialize in cybersecurity courses such as VAPT, cyber defense and threat hunting. I've also been accepted to various conferences before. I like to send a lot of CFP submissions to the various BSides conferences all over the world, so I got accepted at BSides London and also at BSides Vancouver in 2019. I presented last year at BSides Doha as well as at ROOTCON in the Philippines. And now I'm very, very grateful and also very honored to be part of NorthSec 2021. So shout out to all the NorthSec staff out there.

So, just to clear up some confusion, because when people saw my title, cloud storage services, they might think of the big three in the business. This talk is not primarily related to the big three cloud service providers such as Amazon, or AWS, Google Cloud Platform or Microsoft Azure. That is something I'll probably do in the near future, most commonly an IR or forensics approach to AWS, or how you can do incident response on Microsoft Azure, that kind of thing, but not for now. My talk is all about the common footprints or artifacts that are left behind on the endpoints once you install the following cloud storage applications. These are the primary cloud storage apps that you can see enterprises using. Normally there are two versions of these: one for personal use and the second for business.
The personal version is typically controlled by consumers like me, the normal users, and the business version is more at the enterprise level. The business version is actually interesting because it includes a lot of added features like Files On-Demand, different retention times or dates for deleted items, of course, and a more robust logging capability. But in this talk, we're going to showcase more of the personal version. So think of a world where the most important files probably reside in third-party systems. How can we effectively accomplish these kinds of investigations? Is there anything left on the endpoint that can be used for forensic analysis? That is the main topic for today. That is what I'm going to discuss, to promote or just showcase the forensic goodness for the predominant cloud storage apps, which are Dropbox, OneDrive, Box and lastly Google Drive.

And this is my agenda. Why do we care? Why do we need to talk about this as an IR or digital forensics practitioner or forensic examiner? What are those cloud storage services? What are the footprints, the artifacts, that they leave behind, and the metadata or information that we can use as part of our evidence? And of course, how can we acquire these things? Where can we acquire them? What are the default locations, the directories? And lastly, my demo for today is all about KAPE usage: how can we leverage KAPE to acquire or perform cloud storage artifact acquisition in less than a minute? I've recorded a video, which I'll play later on.

Now the main question is this: why do we care? A lot of adversaries nowadays are using it. Adversaries may perform data exfiltration using the cloud storage providers or the apps that I've just discussed, rather than over their primary command and control channels.
Cloud storage services allow for the storage, editing and retrieval of data from a remote cloud server over the internet. A couple of adversaries that are using cloud storage apps for data exfiltration purposes are listed on MITRE when you visit it; the sub-technique ID for that is T1567.002. You can see that on the right side of my slides. This is a sub-technique of Exfiltration Over Web Service. When you go there, you can see most of the adversaries that are using it. As you may know, just last week I think there was some news related to DarkSide ransomware; they've been using MEGA as part of their data exfiltration. They just dump most of the confidential files that they got into this cloud platform. Chimera, another APT or adversary, exfiltrated the stolen data over OneDrive using multiple accounts. Even Turla; Turla is not new, we've been hearing about these even a couple of years ago. They've used OneDrive and 4shared for their exfiltration purposes. HAFNIUM, just a couple of months ago: every security professional was so busy patching their Microsoft Exchange servers, the on-premise ones, because of HAFNIUM. And for most of the customers that were infected by HAFNIUM, we've seen that the HAFNIUM attackers are using MEGA to dump all those files, all of the confidential data that they got from their victims. And lastly, Empire. Empire can use Dropbox for data exfiltration purposes as well.

And why do we care? Of course, just like what I've mentioned, these can be heavily used as part of data exfiltration and sometimes as command and control. It might have been trivial before, of course, but nowadays this can be one of the favorite exfiltration methods of adversaries. Not just adversaries, but also insider threats.
If you want to upload something or download something from your enterprise, from your company's laptop, just use cloud storage applications. Easy as that. And also, blue teamers, and especially the DFIR folks, can leverage these kinds of footprints, these artifacts that are left behind, because we can get a lot of information by extracting and parsing them, if we know where to find them. This will be a very good part of our forensics report in every case that we have.

And what is the evidence that we need to collect? We can collect local and even cloud files. These are the same files on the local drive or even the cloud files. Of course, databases and logs, because there is a lot of value in them when it comes to getting most of the metadata that we need, including the modified timestamp, the file hashes, the file size, the file name, et cetera. Deleted items: of course, every forensic examiner loves to examine deleted items, as we'd like to know what they're trying to hide for some reason. OS artifacts, or operating system artifacts: this could be a bunch of, I would say, Windows artifacts, like LNK files, jump lists, registry entries, the MFT or master file table, and even a memory dump; we can see a lot of value over there.

Endpoint footprints: these are some of the categories that we can get from these cloud storage applications. Unsurprisingly, cloud storage applications leave very large footprints like this. I'm not going to mention everything here, but by checking the local systems, you can see a lot of artifacts that can be very, very useful when you're trying to investigate cases, such as the username, the uploads, the downloads.
If ever a user shared something with another user or with multiple users, the username, the email address that they used to authenticate to the cloud storage service, you can see those things on the endpoint.

Okay, let's start with our first cloud storage app. Welcome to Dropbox. One of my first ever cloud storage services, but also the worst. The worst not in terms of features, usability or user experience, but the worst cloud storage solution for a forensic examiner. Why? It is difficult. It's a difficult cloud storage to investigate, as the primary databases of Dropbox are encrypted using the Windows Data Protection API, or DPAPI, which we will discuss in a bit. So of course, it has been encrypted, so you need a decryption tool or decryption keys for this. Once you've decrypted it, it will be easy to navigate, as it employs a decrypted form of SQLite database. Most of these cloud storage applications are using SQLite databases, which are easy to understand, easy to parse and easy to navigate. So it used to be pretty straightforward, this Dropbox thing, because they used SQLite as their database before, but they've changed how they do things.

As you can see here, some of the local files reside in the Dropbox default folder. This is the default folder or directory. Let's say you're trying to sync five gigs of movies or files to the cloud from your local files; then those files can be cached. There will be cache files or a temporary file container, which will be in a .dropbox.cache folder. And this is the metadata: filecache.dbx is the most important thing that you can get from the Dropbox application. There was a talk way back in 2012 at hack.lu, which is a conference in Luxembourg, by two great gentlemen on the topic of a critical analysis of Dropbox software security.
They discovered that the encryption keys used for these DBX files are kept in the registry and protected using DPAPI keys. That's why we use a toolkit made by Francesco Picasso; he's a very good security researcher and also a former SANS instructor. Using his DPAPI toolkit, we need to supply the user's password, and then we can decrypt the encrypted databases, the DBX files such as filecache.dbx and config.dbx from Dropbox. After we decrypt them, it's easy for us to get things like the metadata of the different files residing in Dropbox.

Let's welcome another one, which is OneDrive. This is noted as the most popular cloud storage. Let me think for a second why this is the most popular cloud storage. Because it is owned by Microsoft. That's why it's very popular, due to the fact that it has been installed by default since Windows 8+. In most cases, you will see the default folder of OneDrive, but sometimes you can also see SkyDrive. SkyDrive is the old name of OneDrive from when Microsoft acquired it. In OneDrive, there are two versions, just like what I mentioned before: there will be a personal and there will be a business version. We're just going to talk about the personal version, but to talk a bit about the business version of OneDrive, the good thing about it is that it contains the unified audit logs, or what they call UAL, where you can extract a report using the OneDrive web application and get the audit logs that contain a lot of very rich information that you can find in OneDrive, such as IP addresses, account names, file tasks: did the user modify the files or were they deleted? Were they accessed by the user, or whichever user it may be?
Were they copied by a user or shared with everybody? And so forth. But for this talk, we're just going to use OneDrive personal only. These are the local files as well. You can see that this will be installed under the user profile and then OneDrive. There will also be registry keys that you can see depending on the version of OneDrive. As you can see here, an example is that this would be under NTUSER\Software\Microsoft\OneDrive\Accounts\Personal, but if you're using a business account, then you just have to change Personal into Business. Most of the metadata that you can see here is also useful when performing investigations, such as SyncDiagnostics.log. It gives us the metadata not just for the local files, but also for the cloud files. The user's CID: this CID is not the SID of Microsoft or of Windows that we probably know about. This is not the security identifier, but the user identifier that OneDrive provides, because you can have multiple accounts, so that gives you a unique identifier per user. If you try to parse this UserCid.dat, it contains a list of cloud and some local file names.

This is just an example of the OneDrive that I have on my local laptop. You can see that there are a couple of different status icons. There's a cloud icon, there is a green check mark and then there's a white check mark down there. For the cloud icon, these are the files or folders that are only in the cloud, so they don't exist on the hard disk itself. But since there is this feature called Files On-Demand, you can probably see them on your local drive, but technically they're not there. So once you image a certain hard drive and it has an icon like this, just a cloud, then it's not going to exist there. There is also a green check mark, which is just a temporary cache.
Let's say I open a certain file that has a cloud icon; then that would probably change to a green check mark when we open it. It means that it's just temporarily stored there, not permanently. So sometimes, let's say for some reason your hard disk is full, this could be the first thing that gets deleted. With the white check mark, this is the file that has always been kept on this device. If you right click on each of these files, there will be an option to always keep the file locally. Once you click that, it means the file exists on the local disk as well as on the cloud instance. So just don't be confused by the different icons in OneDrive.

An example of that again, another piece of metadata that we can leverage: as you can see at the arrow down here, this is the file with the DAT extension, and that file is the user CID. This is how Microsoft identifies whoever the user is. This is not in a text file format, so what do we need to do? We need to parse it. The good thing is we have bstrings. bstrings is one of the EZ Tools from Eric Zimmerman that we can use to get a bunch of text strings, to get more insights related to the file in OneDrive, which I will present on the next slide. Then the other one is the INI file. The INI file contains a lot of good information related to the last sync time, usage stats, etc. And then the response text, which is just a text file; this gives us the full name of the user who authenticated, and of course the Microsoft account email that was logged in.

On the next slide, as you can see here, when I go to the directory of the OneDrive personal account, I can see that there is this .dat file. When I run this with -f, I can see the files that exist on the cloud instance.
We can easily see that even if you delete the file, it will still be there. So you can see the metadata of files that have been deleted, which is very, very useful from an incident response and digital forensics perspective. When I open the profile service response text file, it gives me the name of the user and of course the Microsoft account that was used to authenticate to OneDrive. So again, another useful artifact or piece of information, especially when you're dealing with, or in the middle of, an IR engagement.

Now let's move on to Box. Box is the most forensics-friendly application that you can deal with, because they're using SQLite databases that provide all the metadata, like timestamps, like SHA1 hashes for online and offline files. Again, the local files will be stored under the user profile\Box by default. It also uses a reparse point, which I'll talk about later on. And there is a couple of metadata that you can see in the AppData folder, under Local\Box\Box: there's a logs folder, and also there is a data folder, which contains the databases from Box itself. So sync.db here, as you can see, is another piece of metadata that we can open via the SQLite database browser. It contains a lot of information, such as box items. If you open sync.db, there will be different tables, multiple tables, but box_item is the most common one that you can use for investigations or analysis. As you can see here, you can see the file names, the modified time, the hash value, the created and last modified time. As I said, these are all epoch times, so you just have to convert them into a human-readable format as you prefer. Having a checksum is very useful, especially if you're trying to compare one file to another. So that's a good thing, and that's Box. And we also have Google Drive.
I think most Gmail users are pretty much aware of Google Drive, because once you have a Gmail account you'll probably have at least, or a minimum or maximum of, 15 GB of free cloud storage. I think that's a default feature, or I would say advantage, of having a Gmail account. Google Drive also has these two versions: there is Google Drive for consumers and of course for business. Google Backup and Sync: this is now the new name of Google Drive that gets installed at the endpoint. It replaced the original Google Drive application in 2018, so it is now the default desktop application for consumers of Google Drive. If you want to install Google Drive as a desktop application, the name has been changed to Backup and Sync. Then the other one is Google Workspace, or they call it G Suite FS, the File Sync, or G Suite File Sync. It is available for G Suite customers, with almost the same features as Backup and Sync, with of course a minimum of additional features like Files On-Demand. But still, the databases of Google Drive are in SQLite form, so that's why it's also not that hard to parse and not that hard to examine. Most of the metadata that we need from a forensic standpoint is in sync_config.db and cloud_graph.db. This is the most important one in Google Drive, because it contains the complete listing of the metadata that we need for our investigations.

As you can see here, I've opened my own cloud_graph.db. It's almost the same as on the Box side when I opened the database there. It also contains the file name, it contains the modified time, and the modified time is again in Unix epoch time format. We also have the MD5 hash of the file here, so we can again run some comparisons of files. We also have a shared column here, which means if it's one, then it is being shared; if the value is zero, it means not shared. So very, very common, a no-brainer.
The doc_type column here is kind of interesting. If we have a value of one in doc_type, it means that we have a real file; a real file in Google Drive terminology means a PDF, a text file, common files like .doc, .ppt, .xls or .csv. But if doc_type contains a zero value, that means that we are looking at a folder. Other than that, doc_type values of two, three, four, five, up to 13 plus mean that these are the different types of Google files or objects. As you may see here, I think I do have, yeah: if you look at the doc_type for the GuideM images entry, you can see that I have a folder named GuideM images, so that has a value of zero instead of one.

So those are pretty much the common cloud storage applications. Now let's talk about how we can perform acquisitions of these artifacts, because we're just humans; sometimes we tend to forget things, and we might forget where these artifacts or files are located on the endpoint. So we probably need some automation or kind of tool that does the work. We have some cloud storage API collectors that we can leverage, where we need to supply the username and password, or the credentials, for them to connect to the API of these services. We have F-Response, which is very common; this is also used by law enforcement. F-Response has the capability to collect such things. Cellebrite is also an amazing platform that we can use, because they have their Cloud Analyzer to get these kinds of artifacts that we can use for the DFIR thing. Magnet Forensics, the AXIOM one, keep having various updates now and then, so they're pretty amazing. Speaking of Magnet Forensics, they have their own event, I think, this week as well, and they're running their own conference. So shout out to the Magnet Forensics folks out there.
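The Box sync.db box_item table and the Google Drive cloud_graph.db walk-through above are SQLite metadata that an examiner reads by hand; the following is an added example, not from the talk or from any vendor, that does the same in Python against constructed stand-ins for both databases: it converts the epoch timestamps, maps doc_type and shared as described, and matches checksums against a set of hashes the examiner already has. The table and column names (cloud_graph_entry, box_item, modified, checksum, shared, doc_type, modified_at, created_at) are assumptions modelled on the talk's description, not verified schemas, and every sample row is constructed.

```python
"""Read Google Drive cloud_graph.db and Box sync.db style metadata.

Added example. Table and column names are ASSUMPTIONS modelled on the talk;
check them against a real database before relying on them. Sample rows are
constructed and do not come from any real system.
"""
import sqlite3
from datetime import datetime, timezone


def doc_type_label(doc_type: int) -> str:
    """doc_type as described in the talk: 1 = real file, 0 = folder,
    any other value = a Google-native object (Docs, Sheets, ...)."""
    if doc_type == 1:
        return "file"
    if doc_type == 0:
        return "folder"
    return f"google-object({doc_type})"


def epoch_to_iso(ts) -> str:
    """Unix epoch -> ISO-8601 UTC. Tolerates NULL and millisecond values."""
    if ts is None:
        return ""
    ts = int(ts)
    if ts > 10**11:          # millisecond precision, scale to seconds
        ts //= 1000
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def build_sample_cloud_graph() -> sqlite3.Connection:
    """Constructed stand-in for cloud_graph.db (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cloud_graph_entry (filename TEXT, modified INTEGER,"
                 " checksum TEXT, shared INTEGER, doc_type INTEGER)")
    conn.executemany("INSERT INTO cloud_graph_entry VALUES (?,?,?,?,?)", [
        ("payroll.xlsx", 1620000000, "9e107d9d372bb6826bd81d3542a419d6", 1, 1),
        ("Project images", 1619990000, None, 0, 0),   # folder
        ("Q2 plan", 1619980000, None, 1, 6),          # Google-native object
    ])
    return conn


def build_sample_box_sync() -> sqlite3.Connection:
    """Constructed stand-in for the box_item table in Box sync.db (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE box_item (name TEXT, modified_at INTEGER,"
                 " created_at INTEGER, checksum TEXT)")
    conn.executemany("INSERT INTO box_item VALUES (?,?,?,?)", [
        ("payroll.xlsx", 1620003600, 1619900000,
         "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"),
        ("readme.txt", 1619950000, 1619940000,
         "da39a3ee5e6b4b0d3255bfef95601890afd80709"),
    ])
    return conn


def parse_cloud_graph(conn):
    """Newest first, with timestamps, sharing flag and object kind decoded."""
    rows = conn.execute("SELECT filename, modified, checksum, shared, doc_type"
                        " FROM cloud_graph_entry ORDER BY modified DESC")
    return [{"source": "gdrive", "name": n, "modified": epoch_to_iso(m),
             "hash": c, "shared": bool(s), "kind": doc_type_label(d)}
            for n, m, c, s, d in rows]


def parse_box_items(conn):
    rows = conn.execute("SELECT name, modified_at, created_at, checksum FROM box_item")
    return [{"source": "box", "name": n, "modified": epoch_to_iso(m),
             "created": epoch_to_iso(cr), "hash": c, "kind": "file"}
            for n, m, cr, c in rows]


def match_hashes(entries, known_hashes):
    """Entries whose checksum is in the examiner's set (case-insensitive),
    e.g. hashes of files known to have left the enterprise."""
    wanted = {h.lower() for h in known_hashes}
    return [e for e in entries if e["hash"] and e["hash"].lower() in wanted]


if __name__ == "__main__":
    entries = parse_cloud_graph(build_sample_cloud_graph()) + \
        parse_box_items(build_sample_box_sync())
    for e in entries:
        print(e)
```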
Again, their Magnet AXIOM is very useful in terms of almost everything. It collects a lot of stuff, but of course, for cloud storage, they have their own set of features down there. And for Google, when getting logs or artifacts from Google Drive or any G Suite application, there is takeout.google.com, or Google Takeout. This is a common collector of the logs that you need from any of your G Suite applications or even your Google Drive. I've put a GitHub repo of a G Suite collector here because I think this is amazing. I haven't tried it, but I've seen that it has been used by most of the people around me; they've been using this to perform collection of artifacts on G Suite as well. So you know, it won't hurt to try it.

This is just pretty much the summarized version of what artifacts we can get depending on the cloud storage app. So yeah, it's pretty amazing that we can get most out of it if we know what to look for in terms of our investigations, or whenever we have an engagement, or when the user that was infected, or the images that we're receiving from the IR side or from the DF side, has been using cloud storage apps. At least we know what we can extract depending on the application they're using.

Now the question is, how can we acquire these artifacts in a very fast manner? KAPE to the rescue. If you haven't heard about KAPE, KAPE is one of the best collectors out there, or one of the best tools of the decade, I would say. It was written by Eric Zimmerman, an ex-FBI agent now working at Kroll and also working as a SANS instructor. Eric Zimmerman created, he wrote, a lot of tools. He calls them EZ Tools, and they're used in so many aspects of incident response and digital forensics. So I have a demo here which I will be playing right now.
Let me just share my screen. I hope you can see it. One second. Not this one. Okay, this one. So here's my local host. This is just a demo of how I can acquire cloud storage artifacts. As you can see, I have Google Drive, Box and Dropbox installed on my local host. How can I get those artifacts? Let's say I've been infected by something or I've been dealing with insider threats. This is how I use KAPE. In KAPE there are targets and modules. Targets are the things that we need to get, or are trying to acquire, depending on the types of evidence. Right now I'm trying to search for cloud storage. There is a section here called Cloud Storage, where it will acquire all of the artifacts if the user is using Box, Dropbox, Google Drive, OneDrive or SugarSync. Okay. So shout out to Chad Tilbury and Andrew Rathbun for having this cloud storage section here. So yeah, I've tried to highlight most of these cloud storage apps and then I can execute in a bit. Once I check that one, that means that I want to get those artifacts. I want to put that in a VHDX format, and then I just have to put the base name, the file name itself. Once I'm done, once I know the target source, once I've got the target KapeFiles, then it's time to execute. It might take a couple of seconds. Normally it depends on how large the files that you're trying to acquire are, but in my case right now, it might take less than a minute. So I just have to wait a bit. It runs in the background, and as you can see from the percentage here, this is the progress status. As you can see, it's almost done. So in less than a minute, I was able to acquire most of the artifacts I need for my investigation purposes in terms of cloud storage applications.
As you can see, the total execution time here is 40.3756 seconds. Very, very easy, especially if you don't know where those directories are that you need, those directories or metadata that I've just discussed. Once you open the VHDX file, you can see that I have acquired the artifacts from Box, from Dropbox, Google Drive, and Microsoft, which means that I'm acquiring OneDrive artifacts. I'm checking each of the folders here to see if I was able to get the things that I need to get. Now I'm opening Dropbox, and yeah, this is how easy it is by using KAPE, created by Eric Zimmerman. I really recommend, highly recommend, this tool when you're working on DFIR cases or IR cases. So that's it. That's my demo. Let's just go back to my presentation.

Okay, so this actually ends my talk. Do you have any questions? Do you have things on your mind? Again, thank you so much, NorthSec, for having me here. I'm just very, very grateful and honored to be part of the speakers at NorthSec 2021. Watch out for our panel discussion later related to cloud security; I'll be waiting for your questions there. And again, thank you so much. If ever you have questions, just let them know.