about_customblogblog_customclosedocumenteliemenuphotos_custompublications_customsearch_newsmiletoolsvideos_custom
close-normalfacebookgoogleinstagramlinkedinlocationmailredditrsstagtwitteryoutube

Beyond files recovery OWADE cloud-based forensic

The field of forensics is currently undergoing drastic changes due to the fact that most user activity is moving to the cloud. It used to be the case that analyzing a user's computer was sufficient to reconstruct his activity, but now a large of user data is stored remotely. In the cloud and wireless age, reconstructing a user's activity requires knowing where the computer was connected, which online services were accessed, and which online identities were used by the user. Traditional forensic file based techniques are insufficient to extract the information needed to reconstruct the user's online activity because such information is encrypted, obfuscated and scattered across multiples files and registry keys. Add to this the fact that the encryption obfuscation schemes used by various pieces of software tend to be different and it becomes clear that this type of advanced analysis is very challenging. For example, in order to extract the logins and passwords stored by Internet Explorer, one needs to crack the Windows user password, acquire the DPAPI (Data Protection API) master key, reconstruct the browsing history, and decrypt the Internet Explorer vault--and these steps describe the "simple case", in which the user did not use Internet Explorer's private browsing mode. To reconstruct the user's online activity from his hard-drive, we have developed OWADE (Offline Windows Analysis and Data Extraction http://www.owade.org), an open-source tool that is able to perform the advanced analysis required to extract the sensitive data stored by Windows, the browsers, and the instant messaging software. OWADE decrypts and geolocates the historical WiFi data stored by Windows, providing a list of wifi points the computer has accessed (including the locations of the access points to within 500 feet) and when each point was last accessed. It can also recover all the logins and passwords stored in popular browsers (Internet Explorer, Firefox, Safari, and Chrome) and instant messaging software (Skype, MSN live, Gtalk, etc.). Finally, it can reconstruct the user's online activity by reconstructing their browsing history from various sources: browsers, the Windows registry, and the Windows certificate store.

BlackHaT USA 2011 2011

Downloads

Share this paper on your favorite social network.

Stay in touch

Join the 35K awesome readers community!

or

Recent

Be in the Know

Join thousands of readers who receive my latest blog posts in their inbox.
 
No spam I promise and you can unsubscribe anytime.
Elie Bursztein © 2017
Papers
Blog
Tools
Photos
About Me

Recent entries