Saturday, May 8, 2021

Cloud Forensics: Google Drive

Today we test how traces of Google Drive can be identified on a computer, and which artifacts to consider.

First, use FTK Imager to acquire the evidence from the target computer; the result is a forensic image file named CF009.E01.

Acquiring Disk Image with FTK Imager


Run Autopsy 4.15 and select New Case.
  • Provide the Case Name and the directory to store the case file. Click on Next.
  • Choose the required data source type, in this case Disk Image, and click on Next.
  • Give the path of the data source and click on Next.
  • You reach here once all the modules have been ingested. You can begin investigating, but I recommend waiting until the analysis and integrity check are complete.

Google Drive Forensic Artifacts

Directories created when Google Drive is installed

<SYSTEMROOT>\Program Files\Google\Drive

In this folder you will find the executable file of the application

<SYSTEMROOT>\Program Files (x86)\Google\Drive

Here you will find information about the updates of the application

<SYSTEMROOT>\Users\<username>\GoogleDrive

This is the default folder used for synchronizing the user’s files with Google Drive cloud service

<SYSTEMROOT>\Users\<username>\AppData\Local\Google\Drive

Here you will find all the native app’s files that store information about the app and the user’s data


Registry 

The installation of Google Drive creates various keys and values inside the Registry. Examine the keys listed below in the SOFTWARE and NTUSER.DAT hives recovered from the forensic image of the suspect's hard disk.


    SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

    SOFTWARE\Google\Drive

    NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run\GoogleDriveSync




From the Registry we can obtain the installed version and the user folder.

Let’s check the Registry to see if the sync process starts automatically with the user’s login. The right key to view here is NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
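To make the Run-key check repeatable across many images, the following added example (not part of the original post, and not a Google tool) parses the text produced when a mounted hive's Run key is exported in `.reg` format and reports any autostart entry whose command line points at the Google Drive sync client. The exported key text, the user name alice and the exact command line are constructed sample data; only the value name GoogleDriveSync and the key path come from the post.

```python
import re

# Constructed sample: the shape of a `reg export` of the user's Run key
# (NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run mounted as HKCU).
# The OneDrive entry and the exact Google command line are illustrative.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"GoogleDriveSync"="\"C:\\Program Files\\Google\\Drive\\googledrivesync.exe\" /autostart"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; REG_SZ values are unescaped,
    other types (dword:, hex:) are kept as the raw text after '='."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor') or line.startswith(';'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1))
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])   # REG_SZ string value
            result[current][name] = data
    return result


def autostart_entries(parsed, needle='googledrivesync'):
    """Return (value_name, command) pairs from any ...\\CurrentVersion\\Run key
    whose command line mentions `needle` (case-insensitive)."""
    hits = []
    for key, values in parsed.items():
        if not key.lower().endswith(r'\currentversion\run'):
            continue
        for name, data in values.items():
            if needle in data.lower():
                hits.append((name, data))
    return hits


if __name__ == '__main__':
    parsed = parse_reg_export(SAMPLE_REG)
    for name, cmd in autostart_entries(parsed):
        print(f'{name}: {cmd}')
```

Matching on the command line rather than only on the value name matters: the value name is chosen by the installer and can be renamed, while the executable path is what actually runs at logon.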

 

Event Log

Path: <SYSTEMROOT>\Windows\System32\winevt\Logs\Application.evtx
Event ID: 1033
Event Description Summary: Windows Installer installed the product
Provider Name: MsiInstaller
Event Data: among others, “<EventData> <Data> Backup and Sync From Google3.43.2448.907110330Google,Inc.(NULL)</Data>”
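As an added example (not from the original post), the following script filters Application log records that have been exported to XML (the layout produced by `wevtutil qe Application /f:xml`) for MsiInstaller Event ID 1033 whose product name mentions Google. The three sample records are constructed: the product name, version and manufacturer are modelled on the event quoted above, with the concatenated value split into product, version, language, status and manufacturer fields; the timestamps, record for Event ID 1034 (product removal, shown as a contrast) and the "Example Viewer" product are made up.

```python
import xml.etree.ElementTree as ET

NS = {'e': 'http://schemas.microsoft.com/win/2004/08/events/event'}

# Constructed sample in the shape of `wevtutil qe Application /f:xml` output.
SAMPLE_EVENTS = '''<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="MsiInstaller"/><EventID>1033</EventID>
    <TimeCreated SystemTime="2021-05-01T09:12:44Z"/><Computer>CF009</Computer></System>
  <EventData><Data>Backup and Sync From Google</Data><Data>3.43.2448.9071</Data>
    <Data>1033</Data><Data>0</Data><Data>Google,Inc.</Data><Data>(NULL)</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="MsiInstaller"/><EventID>1034</EventID>
    <TimeCreated SystemTime="2021-05-03T17:02:10Z"/><Computer>CF009</Computer></System>
  <EventData><Data>Backup and Sync From Google</Data><Data>3.43.2448.9071</Data>
    <Data>1033</Data><Data>0</Data><Data>Google,Inc.</Data><Data>(NULL)</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="MsiInstaller"/><EventID>1033</EventID>
    <TimeCreated SystemTime="2021-05-02T11:30:00Z"/><Computer>CF009</Computer></System>
  <EventData><Data>Example Viewer</Data><Data>1.0.0</Data><Data>1033</Data>
    <Data>0</Data><Data>Example Corp</Data><Data>(NULL)</Data></EventData>
</Event>
</Events>'''


def msi_installs(xml_text, product_substring='google'):
    """Return MsiInstaller 1033 (product installed) records whose product name
    contains product_substring, as dicts with time/product/version/manufacturer."""
    root = ET.fromstring(xml_text)
    hits = []
    for ev in root.findall('e:Event', NS):
        system = ev.find('e:System', NS)
        provider = system.find('e:Provider', NS).get('Name')
        event_id = int(system.find('e:EventID', NS).text)
        if provider != 'MsiInstaller' or event_id != 1033:
            continue
        data = [d.text or '' for d in ev.find('e:EventData', NS).findall('e:Data', NS)]
        # Field order as read off the quoted event: product, version, language,
        # status, manufacturer. Skip malformed records rather than crash.
        if len(data) < 5 or product_substring not in data[0].lower():
            continue
        hits.append({
            'time': system.find('e:TimeCreated', NS).get('SystemTime'),
            'product': data[0],
            'version': data[1],
            'language': data[2],
            'manufacturer': data[4],
        })
    return hits


if __name__ == '__main__':
    for hit in msi_installs(SAMPLE_EVENTS):
        print(hit)
```

The install timestamp recovered this way gives a fixed point for the timeline; it can then be cross-checked against the Prefetch and LNK artifacts described in the following sections.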



Prefetch

Windows stores Prefetch files at <SYSTEMROOT>\Windows\Prefetch. They can be parsed with WinPrefetchView.



LNK (Shortcut) Files

  • <SYSTEMROOT>\Users\<username>\Desktop\Google Drive.lnk
  • <SYSTEMROOT>\Users\<username>\Links\Google Drive.lnk
  • <SYSTEMROOT>\ProgramData\Microsoft\Windows\Start Menu\Programs\Google\Drive\Google Drive.lnk
You can parse each of these lnk files with Eric Zimmerman's LECmd for detailed information. A truncated output is shown below.

Web-browsing history
You can find an SQLite database with browsing history under C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default.

The Log File

You can obtain information about the client sync session from the sync_log.log file located at <SYSTEMROOT>\Users\<username>\AppData\Local\Google\Drive\user_default. 
Database Artifacts

  • <SYSTEMROOT>\Users\<username>\AppData\Local\Google\Drive\user_default\snapshot.db
  • <SYSTEMROOT>\Users\<username>\AppData\Local\Google\Drive\user_default\sync_config.db
  • <SYSTEMROOT>\Users\<username>\AppData\Local\Google\Drive\cloud_graph\cloud_graph.db
  • <SYSTEMROOT>\Users\<username>\AppData\Local\Google\Drive\global.db

sync_config.db

    • Client version installed
    • Local sync root path
    • User email
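The following added example (written for this page, not part of the post or of Google's software) shows a safe way to triage one of these SQLite files: open a copy of the evidence database read-only so SQLite never creates a journal next to it, enumerate its tables, dump any table for review, and pull out the three items listed for sync_config.db. The table layout used here (a key/value table named `data` with columns `entry_key` and `data_value`) and the key names `client_version`, `local_sync_root_path` and `user_email` are assumptions for the sake of the example; the version string is the one from the event log entry above, and the user name and e-mail are constructed. Check the real schema with `list_tables` and `dump_table` before relying on any key name.

```python
import pathlib
import sqlite3

# Constructed rows in the assumed key/value layout of sync_config.db.
SAMPLE_ROWS = [
    ('client_version', '3.43.2448.9071'),
    ('local_sync_root_path', r'\\?\C:\Users\alice\Google Drive'),
    ('user_email', 'alice@example.com'),
]


def open_readonly(path):
    """Open a copied evidence database read-only; immutable=1 also stops SQLite
    from looking for or creating -journal/-wal files beside it."""
    uri = pathlib.Path(path).resolve().as_uri() + '?mode=ro&immutable=1'
    return sqlite3.connect(uri, uri=True)


def build_sample_db():
    """In-memory stand-in for sync_config.db built from the constructed rows."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE data (entry_key TEXT PRIMARY KEY, data_value TEXT)')
    conn.executemany('INSERT INTO data VALUES (?, ?)', SAMPLE_ROWS)
    conn.commit()
    return conn


def list_tables(conn):
    """Enumerate user tables: the first step with any unfamiliar artifact database."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name").fetchall()
    return [r[0] for r in rows]


def dump_table(conn, table):
    """Return (column_names, rows) so every value can be reviewed, not only known keys."""
    cur = conn.execute(f'SELECT * FROM "{table}"')
    return [d[0] for d in cur.description], cur.fetchall()


def extract_sync_config(conn):
    """Pull the client version, sync root and user e-mail from the key/value table
    (assumed key names); missing keys are simply absent from the result."""
    wanted = {
        'client_version': 'client_version',
        'local_sync_root_path': 'sync_root',
        'user_email': 'user_email',
    }
    found = {}
    for key, value in conn.execute('SELECT entry_key, data_value FROM data'):
        if key in wanted:
            found[wanted[key]] = value
    return found


if __name__ == '__main__':
    conn = build_sample_db()          # replace with open_readonly('sync_config.db') on a copy
    print(list_tables(conn))
    print(dump_table(conn, 'data'))
    print(extract_sync_config(conn))
```

The sync root path recovered here should agree with the user folder obtained from the Registry; a mismatch usually means the user moved the sync folder after installation, which is itself worth noting in the timeline.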


    #WINDOWSFORENSIC #COMPUTERFORENSICS #DFIR #FORENSICS #DIGITALFORENSICS #COMPUTERFORENSIC #INVESTIGATION #CYBERCRIME #FRAUD 


    Note: the content on this website is provided for informational and educational purposes only.

    * If there are any errors in the information, we apologize; please notify the ADMIN so they can be corrected.
    Thank you.
