jmichelp
Owade
• 1. Beyond files forensic: OWADE cloud based forensic. Elie Bursztein (Stanford University), Ivan Fontarensky (Cassidian), Matthieu Martin (Stanford University), Jean Michel Picod (Cassidian). Wednesday, August 3, 2011
• 2. The world is moving to the cloud. E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin, Beyond files recovery: OWADE cloud based forensic, http://owade.org, Wednesday, August 3, 2011
• 3. 2.7 million photos are uploaded to Facebook every 20 minutes
• 4. 100 million new files are saved on Dropbox every day
• 5-13. Data are moving to multiple services (diagram built up over slides 5-13): emails, contacts and photos no longer sit only on the hard drive but are spread across the cloud, webmail, social sites and photo sites
• 14. Impact on the forensic field • There are more data, and they are harder to reach • Dealing with cloud data forces us to reinvent forensics
• 15. Let's do cloud forensics
• 16. What is cloud forensics?
• 17-22. Facebook credentials as a use case (diagram built up over slides 17-22): the Facebook credentials saved by IE are stored as a DPAPI blob; the blob is decrypted with a DPAPI blob-key derived from the DPAPI master-key; the master-key is protected by the Windows user password, whose hash is stored in the SAM; the SAM is encrypted with the Syskey kept in the registry. Getting Facebook credentials requires bypassing 4 layers of encryption
• 23. Focus of this talk • Show you how to bypass the encryption layers and get the data you want
• 24. Introducing OWADE • Dedicated to cloud forensics • Decrypts / recovers: • DPAPI secrets • Browser history and website credentials • Instant messaging credentials • WiFi data • Free and open-source: http://owade.org
• 25. OWADE in action
• 26. OWADE overview
• 27-35. OWADE overview (pipeline built up over slides 27-35): disk -> disk image -> Registry and Files -> Windows credentials, WiFi info and Hardware info -> Credentials and data -> Cloud data
• 36-43. Outline (built up over slides 36-43) • File based forensics refresher • The Windows crypto eco-system • WiFi data and geo-location • Recovering browser data • Recovering instant messaging data • Acquiring cloud data • Demo
• 44. File based forensics refresher
• 45. Not all files are born equal
    Type of file      How to recover it
    Standard          copy
    In the trash      undelete utility
    Deleted file      carving
    Wiped             call the NSA :)
• 46. Windows registry • .dat files • Hardware information • Software installed, with versions and serials • Windows credentials (encrypted)
• 47. Some registry information extracted
• 48. Windows crypto
• 49. Why do we care about Windows crypto?
• 50-53. The Windows crypto eco-system (built up over slides 50-53): Crypto API, SAM, DPAPI, Credential Manager
• 54. Windows Crypto API • Basic cryptographic blocks • Ciphers: 3DES, AES • Hash functions: SHA-1, SHA-256, HMAC • PKI: public keys and certificates (X.509)
• 55. The Security Account Manager (SAM) • Stores Windows user credentials • Located in the registry • Encrypted with the SYSKEY • Passwords are hashed
• 56. Windows password hashing functions • Two hash functions are used • LM hash function (NT, 2K, XP, Vista): weak • NTLM (XP, Vista, 7) • Passwords are not salted
• 57. LM hash weakness • Uses only upper-case • Hashes the password in chunks of 7 characters: mypassword -> LMHash(MYPASSW) + LMHash(ORD) • Password key-space: 69^7 (at most)
• 58. Rainbow tables • Pre-compute all the possible passwords • Time-memory trade-off • Rainbow tables of all the LM hashes are available
• 59. How OWADE works • Extract usernames and password hashes • LM hashes available? • use John/rainbow tables to get the password in upper-case • use the NTLM hash to find the password's case • Try to crack the NTLM hash using John/rainbow tables
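The LM weakness of slide 57 and the two-step recovery of slide 59 can be seen in a few lines. This is an added example, not OWADE code: `md4` is a pure-Python MD4 (hashlib's md4 is often disabled in OpenSSL 3 builds), `ntlm_hash` applies the public NTLM definition (MD4 over the UTF-16LE password with no salt, as slide 56 states), `lm_chunks` shows the upper-casing and 7-character split, and `recover_case` enumerates the casings of an upper-case LM result and checks each one against the NTLM hash. The function names and the sample password are the example's own.

```python
"""LM/NTLM relationship from slides 56-59, as an added example (not OWADE code)."""
import itertools
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def _f(x, y, z):
    return (x & y) | (~x & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib's md4 is often disabled in OpenSSL 3 builds."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b'\x80'
    msg += b'\x00' * ((56 - len(msg)) % 64)   # pad to 56 bytes mod 64
    msg += struct.pack('<Q', 8 * len(data))    # message length in bits, little-endian
    rounds = (
        (_f, tuple(range(16)), (3, 7, 11, 19), 0),
        (_g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (_h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack('<16I', msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                # One step updates one register; rotating the tuple walks the
                # a, d, c, b schedule of RFC 1320 without four separate code paths.
                aa, bb, cc, dd = dd, _rotl((aa + fn(bb, cc, dd) + x[j] + k) & _MASK, shifts[i % 4]), bb, cc
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack('<4I', a, b, c, d)


def ntlm_hash(password: str) -> str:
    """NTLM hash: MD4 over the UTF-16LE password, no salt (slide 56)."""
    return md4(password.encode('utf-16-le')).hex()


def lm_chunks(password: str) -> list:
    """LM hashing sees the password upper-cased and split into 7-character chunks (slide 57).
    Only passwords of up to 14 characters have an LM hash at all."""
    upper = password.upper()
    return [upper[i:i + 7] for i in range(0, len(upper), 7)]


def recover_case(upper_password: str, ntlm_hex: str):
    """Given the upper-case password from an LM crack, find the casing whose NTLM hash
    matches (slide 59). At most 2**letters candidates, far fewer than cracking NTLM."""
    target = ntlm_hex.lower()
    letter_pos = [i for i, ch in enumerate(upper_password) if ch.isalpha()]
    chars = list(upper_password)
    for bits in itertools.product((0, 1), repeat=len(letter_pos)):
        for pos, bit in zip(letter_pos, bits):
            chars[pos] = upper_password[pos].lower() if bit else upper_password[pos]
        candidate = ''.join(chars)
        if ntlm_hash(candidate) == target:
            return candidate
    return None


if __name__ == '__main__':
    # Sample password constructed for the example.
    print(lm_chunks('mypassword'))
    print(recover_case('PASSWORD', ntlm_hash('password')))
```

Because neither hash is salted and the LM half collapses the case, an LM hash on disk turns the NTLM hash into a search over casings only; that is why the talk treats an available LM hash as the easy path and the NTLM-only case as the one that may be uncrackable.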
• 60. Windows password recovered
• 61. What if we can't crack the NTLM hash :( (need a sad baby face here) • If the password is too strong we can't recover it
• 62. Everything is not lost, because of how DPAPI works (smiling baby face) • We can still decrypt DPAPI secrets (sometimes)
• 63. The Data Protection API • Ensures that encrypted data can't be decrypted without knowing the user's Windows password • Blackbox crypto API for developers: • Encrypt: data -> DPAPI blob • Decrypt: DPAPI blob -> data • Main point: tie the encryption to the user password
• 64-68. DPAPI derivation scheme (built up over slides 64-68): User password -> pre-key = SHA1(password) -> master-key -> blob key -> DPAPI blob; one master-key protects many blob keys, and each blob key protects one DPAPI blob
• 69. DPAPI blob structure
    struct wincrypt_datablob {
        DWORD   cbProviders;
        GUID    pbProviders[cbProviders];
        DWORD   cbMasterkeys;
        GUID    pbMasterkeys[cbMasterkeys];
        DWORD   dwFlags;
        DWORD   cbDescription;
        BYTE    pbDescription[cbDescription];
        ALG_ID  algCipher;
        DWORD   cbKey;
        DWORD   cbData;
        BYTE    pbData[cbData];
        DWORD   dwUnknown;
        ALG_ID  algHash;
        DWORD   dwHashSize;
        DWORD   cbSalt;
        BYTE    pbSalt[cbSalt];
        DWORD   cbCipher;
        BYTE    pbCipher[cbCipher];
        DWORD   cbCrc;
        BYTE    pbCrc[cbCrc];
    };
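A parser over this layout, as an added example (not part of OWADE or of the slides): it walks the fields in the order the slide lists them, treating every cbX/pbX pair as a count-prefixed array and a GUID as 16 bytes in Windows' mixed-endian order, and it rejects truncated or over-long input instead of reading past the end. The sample blob, the two GUIDs and the contents are constructed for the example (CALG_3DES and CALG_SHA1 are the wincrypt.h constants); `build_blob` exists only to produce that test input. The slide gives type names but not byte encodings, so little-endian DWORDs and the GUID byte order are assumptions.

```python
"""Parser for the DPAPI blob layout shown on slide 69 (added example, not OWADE code)."""
import struct
import uuid

# ALG_ID values from wincrypt.h, used only to fill the constructed sample.
CALG_3DES = 0x6603
CALG_SHA1 = 0x8004


class _Reader:
    """Bounds-checked cursor over the blob bytes."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError(f"truncated blob: need {n} bytes at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def dword(self) -> int:
        # Assumption: DWORDs are little-endian, as elsewhere on Windows.
        return struct.unpack('<I', self.take(4))[0]

    def counted_bytes(self) -> bytes:
        """DWORD cbX followed by BYTE pbX[cbX]."""
        return self.take(self.dword())

    def counted_guids(self) -> list:
        """DWORD cbX followed by GUID pbX[cbX]; each GUID is 16 bytes in mixed-endian order (assumption)."""
        return [str(uuid.UUID(bytes_le=self.take(16))) for _ in range(self.dword())]


def parse_blob(blob: bytes) -> dict:
    """Walk the fields in the order the slide lists them."""
    r = _Reader(blob)
    fields = {
        'providers': r.counted_guids(),     # cbProviders, pbProviders[]
        'masterkeys': r.counted_guids(),    # cbMasterkeys, pbMasterkeys[]
        'dwFlags': r.dword(),
        'description': r.counted_bytes(),  # cbDescription, pbDescription[]
        'algCipher': r.dword(),
        'cbKey': r.dword(),
        'data': r.counted_bytes(),         # cbData, pbData[]
        'dwUnknown': r.dword(),
        'algHash': r.dword(),
        'dwHashSize': r.dword(),
        'salt': r.counted_bytes(),         # cbSalt, pbSalt[]
        'cipher': r.counted_bytes(),       # cbCipher, pbCipher[]
        'crc': r.counted_bytes(),          # cbCrc, pbCrc[]
    }
    if r.pos != len(blob):
        raise ValueError(f"{len(blob) - r.pos} trailing bytes after the blob")
    return fields


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_blob(blob)
        return True
    except ValueError:
        return False


def master_key_guid(blob: bytes) -> str:
    """The master-key GUID names the master-key that slide 72 onwards decrypts with the pre-key."""
    return parse_blob(blob)['masterkeys'][0]


def build_blob(provider: str, masterkey: str, description: bytes, salt: bytes,
               cipher: bytes, crc: bytes, data: bytes = b'', flags: int = 0,
               alg_cipher: int = CALG_3DES, cb_key: int = 192,
               alg_hash: int = CALG_SHA1, hash_size: int = 160) -> bytes:
    """Serialize the same layout; used here only to construct sample input."""
    def counted(b: bytes) -> bytes:
        return struct.pack('<I', len(b)) + b

    def guids(gs) -> bytes:
        return struct.pack('<I', len(gs)) + b''.join(uuid.UUID(g).bytes_le for g in gs)

    return (guids([provider]) + guids([masterkey]) + struct.pack('<I', flags)
            + counted(description)
            + struct.pack('<III', alg_cipher, cb_key, len(data)) + data
            + struct.pack('<III', 0, alg_hash, hash_size)
            + counted(salt) + counted(cipher) + counted(crc))


# Constructed sample: GUIDs and contents are made up for this example.
SAMPLE_PROVIDER = '11111111-2222-3333-4444-555555555555'
SAMPLE_MASTERKEY = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'
SAMPLE_BLOB = build_blob(SAMPLE_PROVIDER, SAMPLE_MASTERKEY,
                         'Facebook login'.encode('utf-16-le'),
                         salt=bytes(range(16)), cipher=b'\x00' * 24, crc=b'\xff' * 20)

if __name__ == '__main__':
    for name, value in parse_blob(SAMPLE_BLOB).items():
        print(f'{name:12} {value!r}')
```

The master-key GUID is the field a forensic tool reads first: without it there is no way to tell which master-key the pre-key has to unlock before the blob key can be derived.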
• 70. DPAPI master-key structure: header structure, then
    struct wincrypt_masterkey_masterkeybloc {
        DWORD   dwRevision;
        BYTE    pbSalt[16];
        DWORD   dwRounds;
        ALG_ID  algMAC;
        ALG_ID  algCipher;
        BYTE    pbEncrypted[];
    };
    then footer structure
• 71-79. Decrypting a DPAPI blob (diagram built up over slides 71-79): the DPAPI blob carries the master-key GUID, which identifies the master key to use; the user's pre-key SHA1(password), together with the IV and salt, is fed to the cipher to recover the master key; the master key and any additional entropy supplied by the software then yield the blob key
• 80. Bypassing the user password cracking • If we can't crack the password, we need its SHA1 • This SHA1 is stored in the hibernate file • OWADE uses Moonsols to recover it
• 81. DPAPI additional entropy • Software can supply additional entropy • Acts as a "key" (needed for decryption) • Forces us to understand how it is generated for each piece of software • Can be used to tie data to a specific machine (e.g. NetBIOS name)
• 82. Credential Manager • Built on top of DPAPI • Handles the encryption and storage of sensitive data transparently • Used by Windows, Live Messenger, Remote Desktop...
• 83. Credstore types of credentials
    Type of credential        Example of application           Encryption
    Generic                   Live Messenger, HTTP auth (IE)   DPAPI + fixed string
    Domain password           NetBIOS                          In clear
    Domain certificate        Certificate                      Hash of certificate
    Domain visible password   Remote access, .NET Passport     DPAPI + fixed string
• 84. WiFi data
• 85. WiFi data • Info stored for each access point: • MAC address (BSSID) • Key (encrypted) • Last time of access • WiFi data are stored in: • Registry (XP) • XML file and Registry (Vista/7)
• 86. Decrypting WiFi passwords • Encrypted with DPAPI • Access points are shared among users • Encrypted with the System account • But the System account has no password... What is my DPAPI key???
• 87. Decrypting WiFi passwords • Use an LSA secret as the DPAPI key • Array of credentials • HelpAssistant password in clear • DPAPI_SYSTEM • "Encrypted"
• 88-89. Where are you? • We've recovered access point keys, but where are they? (There is an app for that!)
• 90-92. HTML5 Geo-location protocol (diagram built up over slides 90-92)
• 93. Behind the curtain
• 94. Nothing is ever easy • Google started to restrict queries in June • So we started to look for other APIs
• 95. Entering Microsoft • Live service • "Documented" in the Windows Mobile MSDN (values shown: 2011-02-15T16:22:47.0000968-05:00, e1e71f6b-2149-45f3-b298-a20XXXXX5017) • After sniffing the traffic: 21BF9AD6-CFD3-46B2-B042-EE90XXXXXX • Uses a big SOAP request • Does not check any ID fields • Allows supplying one MAC
• 96. Blog post and demo released!
• 97-98. Just fixed • Fixed last weekend • No longer returns a location for a single address (There is a patch for that!)
• 99. Geo-location API restrictions • Requires 2 MACs close to each other • The MAC and IP locations need to be "close" • Requires multiple MAC addresses • See http://elie.im/blog/ for more information
• 100. WiFi information extracted by OWADE
• 101. Browsers
• 102. Firefox > 3.4 • Passwords • Location: signons.sqlite • Encryption: 3DES + master password • History • URLs: places.sqlite • Form fields: formhistory.sqlite
• 103-110. Decrypting Firefox passwords (diagram built up over slides 103-110): user password + global salt (key3.db) -> user key = HMAC-SHA1(salt, pass); encrypted key + key salt (key3.db) -> master key = 3DES(userkey, enckey); encrypted pass (signons.sqlite) -> site password = 3DES(master key, enc pass)
• 111. Shopping at Amazon?
• 112-113. How about a nice Kindle?
• 114. Every form field is recorded
• 115. Configuring a Linksys?
• 116. Again, the key is recorded
• 117. Form history leaks a lot of information • Shipping address • WiFi key • Credit card information • Email • Search history
• 118. Preventing field recording • To tell the browser not to record a field, use the attribute autocomplete="off"
• 119. Internet Explorer • Passwords • Location: registry • Encryption: DPAPI + URL as salt • History • URLs: Index.dat
• 120-125. Decrypting Internet Explorer passwords (diagram built up over slides 120-125): the registry stores each entry under SHA1(URL); candidate URLs from a URL list are hashed and matched against those entries; the matching URL is then used as DPAPI entropy to decrypt the registry's DPAPI blob into the site password
• 126. Maximizing our recovery • Build a list of URLs from other browsers and files • Use a list of known login URLs
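Slides 120-126 turn IE password recovery into a dictionary problem: each registry entry is named by a hash of the URL, so the only way to find the URL (and hence the DPAPI entropy) is to hash candidates and compare. The block below is an added example of that matching step, not OWADE code: `ie_url_key` follows the slide's SHA1(URL), and the exact input encoding it uses (UTF-16LE with a terminating NUL, upper-case hex) is an assumption stated in the code; a real tool has to hash exactly what IE hashes. `expand_candidates` adds the spelling variants (trailing slash, http/https) that otherwise make a history URL miss the stored one, and `unexplained_entries` reports which saved entries the URL lists could not account for. All URLs and the sample registry names are constructed.

```python
"""URL-candidate matching for IE's SHA1(URL)-keyed password store (added example, not OWADE code)."""
import hashlib


def ie_url_key(url: str) -> str:
    """Registry entry name for a URL, following the slide's SHA1(URL).

    Assumption (not on the slide): the URL is hashed as UTF-16LE including the
    terminating NUL and written as upper-case hex. A real tool must hash exactly
    the bytes IE hashes, or nothing will ever match."""
    return hashlib.sha1(url.encode('utf-16-le') + b'\x00\x00').hexdigest().upper()


def expand_candidates(urls) -> list:
    """Add spelling variants IE may have stored: trailing slash and http/https."""
    out = set()
    for url in urls:
        variants = {url, url.rstrip('/'), url.rstrip('/') + '/'}
        for v in list(variants):
            if v.startswith('http://'):
                variants.add('https://' + v[len('http://'):])
            elif v.startswith('https://'):
                variants.add('http://' + v[len('https://'):])
        out |= variants
    return sorted(out)


def match_registry_entries(registry_names, candidate_urls) -> dict:
    """Return {registry_name: url} for every entry that some candidate URL explains."""
    by_hash = {ie_url_key(u): u for u in candidate_urls}
    return {name: by_hash[name] for name in registry_names if name in by_hash}


def unexplained_entries(registry_names, candidate_urls) -> list:
    """Entries whose URL is in none of our lists; slide 129: without the URL they stay encrypted."""
    matched = match_registry_entries(registry_names, candidate_urls)
    return sorted(set(registry_names) - set(matched))


def recover_urls(registry_names, history_urls, known_login_urls) -> dict:
    """Slide 126: combine URLs from other browsers and files with known login URLs."""
    candidates = expand_candidates(list(history_urls) + list(known_login_urls))
    return match_registry_entries(registry_names, candidates)


# Constructed sample data for the example.
HISTORY_URLS = ['http://www.example.com/mail/login', 'https://shop.example.net/account']
KNOWN_LOGIN_URLS = ['https://www.facebook.com/', 'https://login.live.com/']
# Constructed "registry": two entries our lists can explain (one only through the
# trailing-slash variant) and one for a URL that appears in neither list.
SAMPLE_REGISTRY = [
    ie_url_key('https://www.facebook.com/'),
    ie_url_key('https://shop.example.net/account/'),
    ie_url_key('https://unknown.example.org/login'),
]

if __name__ == '__main__':
    found = recover_urls(SAMPLE_REGISTRY, HISTORY_URLS, KNOWN_LOGIN_URLS)
    for name, url in found.items():
        print(f'{name} <- {url}')
    all_candidates = expand_candidates(HISTORY_URLS + KNOWN_LOGIN_URLS)
    for name in unexplained_entries(SAMPLE_REGISTRY, all_candidates):
        print(f'{name} <- no candidate URL')
```

The unexplained set is the honest output of this step: it is the measure of how much the "Internet Explorer is the most secure" remark on slide 129 actually protects, since every entry left in it is one the analyst cannot decrypt.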
    • 127. Chrome • Passwords • Location: Login Data (sqlite) • Encryption: DPAPI • History • URLs: History (sqlite) • Form fields: Web Data (sqlite)
    • 128. Safari • Passwords • Location: keychain.plist (Property list format) • Encryption: DPAPI + fixed string as entropy • History • URLs: History.plist • Form fields: Form Values.plist
    • 129. Browsers takeaway • Internet Explorer is the most secure: if you don't know the URL you can't recover the credentials • Firefox is the worst: password encryption is not tied to the Windows user password (bug open for a while) • Logins are encrypted in signons.sqlite, not in formhistory.sqlite
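To make the ranking on the takeaway slide concrete, here is a constructed toy model (not OWADE code and not real DPAPI) of what each design ties the decryption key to: a key that lives in the profile (the Firefox case), a key derived from the user's logon secret (Chrome), and the same plus the URL as entropy with SHA1(URL) as the entry name (IE, slides 120-126). `toy_protect` is an HMAC-SHA256 XOR stream standing in for CryptProtectData; all secrets and URLs are made up.

```python
"""Constructed toy model of three browser credential-store designs.
Not OWADE code and not real DPAPI: toy_protect() stands in for
CryptProtectData and is keyed by whatever each design ties the key to."""
import hashlib
import hmac

def toy_protect(secret: bytes, entropy: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream derived from (secret, entropy).
    Symmetric: the same call decrypts. Stand-in only, not DPAPI."""
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(secret, entropy + bytes([ctr]), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

# Firefox model: the key sits in the profile, not tied to the Windows password.
PROFILE_KEY = b"constructed-key-stored-in-profile"

def firefox_store(url: str, password: str) -> dict:
    return {url: toy_protect(PROFILE_KEY, b"", password.encode())}

def firefox_recover(store: dict, url: str) -> str:
    # Needs only the profile files: no user secret, no URL knowledge.
    return toy_protect(PROFILE_KEY, b"", store[url]).decode(errors="replace")

# Chrome model: DPAPI keyed by the user's logon secret, URL stored in clear.
def chrome_store(user_secret: bytes, url: str, password: str) -> dict:
    return {url: toy_protect(user_secret, b"", password.encode())}

def chrome_recover(store: dict, user_secret: bytes, url: str) -> str:
    return toy_protect(user_secret, b"", store[url]).decode(errors="replace")

# IE model (slides 120-125): entry name is SHA1(URL); the URL is the entropy.
def ie_store(user_secret: bytes, url: str, password: str) -> dict:
    idx = hashlib.sha1(url.encode()).hexdigest()
    return {idx: toy_protect(user_secret, url.encode(), password.encode())}

def ie_recover(store: dict, user_secret: bytes, candidates: list) -> dict:
    """Slide 126's approach: only URLs on the candidate list can be found
    and decrypted; an entry whose URL is unknown stays unrecoverable."""
    found = {}
    for url in candidates:
        idx = hashlib.sha1(url.encode()).hexdigest()
        if idx in store:
            blob = store[idx]
            found[url] = toy_protect(user_secret, url.encode(), blob).decode(errors="replace")
    return found
```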
    • 130. Private mode • Most bugs are fixed • Requires you to be creative • Potential techniques: • SSL OCSP requests • File carving • Analyze the hibernation file • See http://ly.tl/p16 for more information on private mode
    • 131. The browser histories aggregated
    • 132. Instant messaging
    • 133. Skype • Encryption: custom • Difficulty: extreme • Location: registry + config.xml
    • 134-139. Decrypting Skype passwords (incremental build, final state): DPAPI Blob (Registry) → pre-key → AES key: SHA1(pre-key) → encrypted credential (config.xml) → Login + MD5(login\nskyper\npassword) → password cracking (the patch is for John the Ripper)
    • 140. Google Talk • Encryption: DPAPI + custom (salt) • Difficulty: hard • Location: registry
    • 141-148. Salt derivation algorithm overview (incremental build, final state): String: 0xBA0DA71D + Windows account name (Registry) + computer NetBIOS name (Registry) → DPAPI Blob (Registry)
    • 149. Microsoft Messenger • Encryption: DPAPI or Credstore • Difficulty: medium • Location: version dependent
    • 150. Windows Messenger by version
      Version | Storage      | Encryption
      5       | Registry     | Base64 encoded
      6       | Credstore    | Credstore
      7       | Registry x2  | DPAPI x2
      Live    | Credstore    | Credstore
    • 151. aMSN • Encryption: DES, key: substr(login . "dummykey", 8) • Difficulty: easy • Location: config.xml
    • 152. 9talk • Encryption: XOR, key: 9 • Difficulty: trivial • Location: user.config
    • 153. Trillian • Encryption: Base64 + XOR, key: fixed string • Difficulty: trivial • Location: user.config
    • 154. Pidgin • Encryption: clear, aka encrypt-what? • Difficulty: none • Location: account.xml
    • 156. Paltalk • Encryption: custom • Difficulty: difficult (offline) • Location: registry
    • 157. Paltalk encryption algorithm
    • 158-162. Paltalk encryption algorithm (incremental build, final state): Volume Serial Number 01234567 + Paltalk account name (Registry) myusername → interleaved m0y1u2s3e4r5n6a7me x 3; encrypted password (Registry) yyyz yyyz yyyz yyyz; c_i = yyyz_i - asciiCode(S-BOX[n-i])
    • 164. Messenger takeaway • If your Skype password is strong we can't recover it • Gtalk and Paltalk are the only ones to use computer information • Third-party software is the least secure
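The key-material step drawn on the Paltalk slides (159-160) and the takeaway that Gtalk and Paltalk bind credentials to computer information, as a constructed example that is not Paltalk's or OWADE's code: the volume serial number is interleaved with the account name and the result repeated three times, so the same account on a disk with a different serial yields different key material. The S-BOX step that follows on slide 162 is not on the page in enough detail and is not reproduced.

```python
"""Constructed illustration of the Paltalk key-material step shown on
slides 159-160. Not Paltalk's or OWADE's code; the S-BOX step is omitted."""

def interleave(name: str, serial: str) -> str:
    """'myusername' + '01234567' -> 'm0y1u2s3e4r5n6a7me': one character of
    the account name, then one of the volume serial, then the leftover tail."""
    out = []
    for i in range(max(len(name), len(serial))):
        if i < len(name):
            out.append(name[i])
        if i < len(serial):
            out.append(serial[i])
    return "".join(out)

def paltalk_key_material(name: str, serial: str) -> str:
    """The interleaved string repeated three times, as drawn on slide 160."""
    return interleave(name, serial) * 3

def machine_bound(name: str, serial_a: str, serial_b: str) -> bool:
    """Why the slide rates this 'difficult (offline)': without the original
    volume serial the key material differs, even for the same account."""
    return paltalk_key_material(name, serial_a) != paltalk_key_material(name, serial_b)
```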
    • 165. All the credentials recovered by OWADE
    • 166. Cloud based forensic
    • 167. Cloud modules • Leverage the credentials and history extracted to get cloud data • Might be legal (or not) • Only LinkedIn currently (more modules almost ready)
    • 168. OWADE status • Alpha stage • Tested on Ubuntu against Windows XP • Roadmap • Stabilizing the code • Modularize the code so you can write your own modules • More cloud probes: Facebook, Flickr, emails... • Windows Vista and 7 integration
    • 169. Conclusion • People moving to the cloud means more data that is harder to get • Forensics needs to evolve to cope with this • OWADE is the first tool dedicated to cloud forensics • Decrypts the 4 major browsers' data • Decrypts instant messaging credentials • Open source
    • 170. Thank you! Please remember to complete your feedback form :)
    • 171. Download OWADE: http://owade.org • Follow us on Twitter: @elie, @projectowade • Donate to OWADE to support it!