The field of forensics is currently undergoing drastic changes due to the fact that most user activity is moving to the cloud. It used to be the case that analyzing a user's computer was sufficient to reconstruct his activity, but now a large of user data is stored remotely. In the cloud and wireless age, reconstructing a user's activity requires knowing where the computer was connected, which online services were accessed, and which online identities were used by the user. Traditional forensic file based techniques are insufficient to extract the information needed to reconstruct the user's online activity because such information is encrypted, obfuscated and scattered across multiples files and registry keys. Add to this the fact that the encryption obfuscation schemes used by various pieces of software tend to be different and it becomes clear that this type of advanced analysis is very challenging. For example, in order to extract the logins and passwords stored by Internet Explorer, one needs to crack the Windows user password, acquire the DPAPI (Data Protection API) master key, reconstruct the browsing history, and decrypt the Internet Explorer vault--and these steps describe the "simple case", in which the user did not use Internet Explorer's private browsing mode. To reconstruct the user's online activity from his hard-drive, we have developed OWADE (Offline Windows Analysis and Data Extraction http://www.owade.org), an open-source tool that is able to perform the advanced analysis required to extract the sensitive data stored by Windows, the browsers, and the instant messaging software. OWADE decrypts and geolocates the historical WiFi data stored by Windows, providing a list of wifi points the computer has accessed (including the locations of the access points to within 500 feet) and when each point was last accessed. It can also recover all the logins and passwords stored in popular browsers (Internet Explorer, Firefox, Safari, and Chrome) and instant messaging software (Skype, MSN live, Gtalk, etc.). Finally, it can reconstruct the user's online activity by reconstructing their browsing history from various sources: browsers, the Windows registry, and the Windows certificate store.
Blog posts, Talks and Publications