Exfiltration Forensics in the Age of the Cloud - SANS Computer ...

computer.forensics.sans.org

Exfiltration Forensics in the

Age of the Cloud

Frank McClain, GCFA, GCIH, CHFI

InfoSec Analyst, CSIRT Lead

PrimeLending, A PlainsCapital Company


Who is this guy?

Grew up in Ham radio, won a computer at age 11

Specialized electronics repair in the military

Working in technology since 2003, mostly small business

Little bit of IA, IS, IR, with mostly IT (which I don't find interesting)

Found and got into DF in 2007, with small consulting firm

Entered corporate in 2011 at PrimeLending, A PlainsCapital Company

How might you know me?

Blog – Forensicaliente.blogspot.com

Twitter - @littlemac042

ForensicArtifacts.com (team member, contributor)

Forensic email lists – SANS DFIR, Win4n6

Forensic Focus article on Dropbox Forensics

Other than that, just another drop of rain in a cloudy sky


What's this all about?

The use of cloud-based backup/synchronization services

Host-based identification and artifacts

Expanding the scope of research

What's the big deal?

“Host-based forensics is dead”

Availability of easy-to-use cloud services

Small business issues


What's the point?

Understand the types of artifacts/footprints on the host

Be aware of the potential as exfiltration channel

Possible exploitation by external attacker

Extremely easy for internal threat

Is it really happening?

Sharon Nelson – RideTheLightning.SenseiEnt.com (Dropbox)

At least two people I know have active IP theft cases (Dropbox)

I worked a breach of contract/IP theft case (Carbonite)


What services are covered here?

Dropbox 1.2

SpiderOak v4.4

TeamDrive v2.4

ADrive v1.5

Carbonite v5.2

Mozy Home v2.12

Mozy Stash v0.11

What kinds of artifacts are we looking at?

Install location

Executable name(s)

Application data directory

Backup/Sync directory

Application data files

Network connections

Connections signature

Remnants after uninstall: Registry, Application, Data


Methodology

Registry snapshots before and after install (RegShot)

Default installation

Network connections at rest & during operations (ProcessHacker, CurrPorts)

Full network capture (Wireshark)

Sync/backup for test file directory (named "Test_Files")

Sync/backup on 2nd system for cross-system access

Application/Executable general info, file and registry handles (ProcessHacker)

List application (executables), application data (data files), & sync/backup directories (FileInfo)

Copy data files for post-uninstall analysis

Registry snapshots before and after uninstall (RegShot)

Uninstall via Windows applet

List executables, data files, and sync/backup directories - post-uninstall (FileInfo)

Parse registry hives for remnants and references - post-uninstall (RegDecoder)

Review PCAP files, isolate & identify clear-text & encrypted traffic (NetWitness)

Analyze contents for files of interest (Notepad++, Calc, Excel, SQLiteDBBrowser, HxD, HEX Editor, Encoder, Decode, DbVisualizer, TrID, File)

Primary system running Win7Pro, 64-bit.

Secondary system running XP Pro, 32-bit.
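The before/after snapshot steps above (RegShot around install and uninstall, FileInfo listings, then a remnant search) can be reduced to one mechanical diff. The following is an added example, not the presenter's tooling: it snapshots an in-memory file tree and a registry-style key map, diffs them at each stage, and reports what the installer created that the uninstaller left behind. All trees and hives are constructed for illustration; the paths echo the Dropbox slide, and the Run key is hypothetical.

```python
"""Before/after snapshot diffing for the install and uninstall steps of the
methodology: the RegShot and FileInfo passes done in code so the remnant list
falls out mechanically. Added example, not the presenter's tooling. Every tree
and hive below is constructed (paths echo the Dropbox slide; the Run key is
hypothetical)."""
import hashlib
from typing import Dict, List

Snapshot = Dict[str, str]  # file path -> sha256 hex, or registry key -> data


def snapshot_files(tree: Dict[str, bytes]) -> Snapshot:
    """Hash every file of an in-memory tree {path: bytes}. On a live host you
    would walk the profile and Program Files roots with os.walk instead."""
    return {path: hashlib.sha256(blob).hexdigest() for path, blob in tree.items()}


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Added / removed / changed entries between two snapshots (RegShot-style)."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "changed": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def remnants(install_added: List[str], post_uninstall: Snapshot) -> List[str]:
    """Entries the installer created that the uninstaller left behind."""
    return sorted(k for k in install_added if k in post_uninstall)


# --- constructed sample data -------------------------------------------------
PROFILE = r"C:\Users\Frank"
DBX = PROFILE + r"\AppData\Roaming\Dropbox"

BASELINE_FS = {PROFILE + r"\Documents\notes.txt": b"meeting notes"}
POST_INSTALL_FS = {
    **BASELINE_FS,
    DBX + r"\bin\Dropbox.exe": b"MZ\x90\x00",
    DBX + r"\config.db": b"SQLite format 3\x00",
    DBX + r"\host.db": b"host record",
    DBX + r"\host.dbx": b"host record",
    DBX + r"\entries.log": b"2012-05-05 sync ok\r\n",
}
# After "uninstall via Windows applet": host.dbx and entries.log survive, as on
# the Dropbox slide; everything else the installer dropped is gone.
POST_UNINSTALL_FS = {
    **BASELINE_FS,
    DBX + r"\host.dbx": POST_INSTALL_FS[DBX + r"\host.dbx"],
    DBX + r"\entries.log": POST_INSTALL_FS[DBX + r"\entries.log"],
}

HKLM_OVERLAY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1"
HKCU_FW = r"HKCU\Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\21"
HKCU_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Dropbox"  # hypothetical key

BASELINE_REG = {r"HKCU\Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\20": "allow"}
POST_INSTALL_REG = {
    **BASELINE_REG,
    HKLM_OVERLAY: "{clsid}",
    HKCU_FW: "allow Dropbox.exe",
    HKCU_RUN: DBX + r"\bin\Dropbox.exe",
}
# The slide lists the overlay identifier and the firewall policy as remnants.
POST_UNINSTALL_REG = {
    **BASELINE_REG,
    HKLM_OVERLAY: POST_INSTALL_REG[HKLM_OVERLAY],
    HKCU_FW: POST_INSTALL_REG[HKCU_FW],
}


def run_demo() -> Dict[str, List[str]]:
    fs_before, fs_installed = snapshot_files(BASELINE_FS), snapshot_files(POST_INSTALL_FS)
    fs_after = snapshot_files(POST_UNINSTALL_FS)
    fs_install = diff_snapshots(fs_before, fs_installed)
    reg_install = diff_snapshots(BASELINE_REG, POST_INSTALL_REG)
    return {
        "files_added_by_install": fs_install["added"],
        "keys_added_by_install": reg_install["added"],
        "files_removed_by_uninstall": diff_snapshots(fs_installed, fs_after)["removed"],
        "keys_removed_by_uninstall": diff_snapshots(POST_INSTALL_REG, POST_UNINSTALL_REG)["removed"],
        "file_remnants": remnants(fs_install["added"], fs_after),
        "registry_remnants": remnants(reg_install["added"], POST_UNINSTALL_REG),
    }


if __name__ == "__main__":
    for section, entries in run_demo().items():
        print(section)
        for entry in entries:
            print("   ", entry)
```

The "changed" bucket matters as much as "added" on a real host: an installer that rewrites an existing firewall policy or shell extension list leaves a changed value, not a new key, and a remnant hunt keyed only on additions will miss it.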


* Important Note *

You will see references, in screenshots and file paths, to:

“servicename\files_of_interest\...”

where “servicename” is Dropbox, ADrive, etc.

This is the location where I stored a copy of the various application-related files, whether they came from Program Files, Application Data, or the Sync/Backup directory.

The rest of the path begins immediately after “files_of_interest”; everything up to that point is relative to that copy location.

I mention this to minimize confusion for offline readers...


Dropbox


Dropbox

Artifact Type: Dropbox
Installation Location: AppData\Roaming\Dropbox\bin\
Executable: Dropbox.exe
Application Data Location: AppData\Roaming\Dropbox
Backup/Sync Location (default): %User%\Dropbox
Files of Interest: config.db, config.dbx, desktop.ini, filecache.dbx, host.db, sigstore.dbx, unlink.db, entries.log
Network Connection(s): 199.47.217.173:443, 199.47.216.178:443, 199.47.216.146:80, 50.16.217.157:443, 75.126.110.108:443, dropbox.com, notify3.dropbox.com
Network Signature: GET /subscribe?host_int=169449187&ns_map=5932257_73227506984566&ts=1139002454 HTTP/1.1
Uninstall Remnants – Registry: Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1, Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\21
Uninstall Remnants – Program: Dropbox.exe, DropboxExt.14.dll, DropboxExt64.14.dll, msvcp71.dll, msvcr71.dll
Uninstall Remnants – Files: host.dbx, entries.log


Dropbox

File – Type

\Dropbox\files_of_interest\Dropbox\host.db – ASCII text
\Dropbox\files_of_interest\Dropbox\host.dbx – ASCII text
\Dropbox\files_of_interest\Dropbox\config.dbx – data
\Dropbox\files_of_interest\Dropbox\filecache.dbx – data
\Dropbox\files_of_interest\Dropbox\l\4f9c5ac9 – data
\Dropbox\files_of_interest\Dropbox\l\4f9c5b1b – data
\Dropbox\files_of_interest\Dropbox\l\4f9c5b1d – data
\Dropbox\files_of_interest\Dropbox\l\4f9c5b1e – data
\Dropbox\files_of_interest\Dropbox\l\4f9c5b5d – data
\Dropbox\files_of_interest\Dropbox\l\4f9c5b5e – data
\Dropbox\files_of_interest\Dropbox\l\4f9c5b60 – data
\Dropbox\files_of_interest\Dropbox\l\4fcc352e – data
\Dropbox\files_of_interest\Dropbox\l\4fcc357c – data
\Dropbox\files_of_interest\Dropbox\l\4fcc357d – data
\Dropbox\files_of_interest\Dropbox\l\4fcc357e – data
\Dropbox\files_of_interest\Dropbox\l\4fcc358d – data
\Dropbox\files_of_interest\Dropbox\l\4fcc358e – data
\Dropbox\files_of_interest\Dropbox\sigstore.dbx – data
\Dropbox\files_of_interest\Dropbox\unlink.db – data
\Dropbox\files_of_interest\Dropbox\bin\itag – empty
\Dropbox\files_of_interest\Dropbox\config.db – SQLite 3.x database
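The file-type columns on these slides come from file(1)/TrID, and the same first-pass triage can be scripted from magic bytes alone. The following is an added example, not code from the deck: it reproduces the labels the slides use (SQLite 3.x database with its user_version, UTF-8 and UTF-16 BOM text, ASCII text with CRLF/LF/CR terminator notes and the "very long lines" flag, empty, data). The "English", "news" and "C++ program" qualifiers are file(1) content heuristics that are not reproduced here, and every sample blob is constructed.

```python
"""Magic-byte triage of application data files, reproducing the file(1)-style
labels used on these slides. Added example, not the presenter's tooling; the
SAMPLES blobs are constructed stand-ins for the artifact files."""
import struct
from typing import Dict

SQLITE_MAGIC = b"SQLite format 3\x00"      # 16-byte header string of every SQLite 3 file
UTF8_BOM = b"\xef\xbb\xbf"
UTF16LE_BOM = b"\xff\xfe"
# file(1)'s notion of ASCII text: printable characters plus the usual control whitespace.
ASCII_TEXT_BYTES = set(range(0x20, 0x7F)) | {0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x1B}
VERY_LONG_LINE = 300                       # file(1) threshold for "with very long lines"


def _line_notes(text: str) -> str:
    """Reproduce the 'with very long lines' / line-terminator qualifiers."""
    notes = []
    if any(len(line) > VERY_LONG_LINE for line in text.split("\n")):
        notes.append("with very long lines")
    crlf = text.count("\r\n")
    bare_lf = text.count("\n") - crlf
    bare_cr = text.count("\r") - crlf
    kinds = [name for name, n in (("CRLF", crlf), ("CR", bare_cr), ("LF", bare_lf)) if n]
    if not kinds:
        notes.append("with no line terminators")
    elif kinds != ["LF"]:                  # bare LF is the default and goes unmentioned
        notes.append("with " + ", ".join(kinds) + " line terminators")
    return "".join(", " + n for n in notes)


def identify(data: bytes) -> str:
    """Classify a blob the way the file-type column on these slides does."""
    if not data:
        return "empty"
    if data.startswith(SQLITE_MAGIC):
        label = "SQLite 3.x database"
        if len(data) >= 64:
            # user_version sits at header offset 60, 4 bytes big-endian; file(1)
            # only prints it when non-zero (ADrive.db shows 300200 on the slide).
            user_version = struct.unpack(">I", data[60:64])[0]
            if user_version:
                label += f", user version {user_version}"
        return label
    if data.startswith(UTF8_BOM):
        return "UTF-8 Unicode (with BOM) text" + _line_notes(data[3:].decode("utf-8", "replace"))
    if data.startswith(UTF16LE_BOM):
        return "Little-endian UTF-16 Unicode text" + _line_notes(data[2:].decode("utf-16-le", "replace"))
    if all(b in ASCII_TEXT_BYTES for b in data):
        return "ASCII text" + _line_notes(data.decode("ascii"))
    return "data"


def classify_all(files: Dict[str, bytes]) -> Dict[str, str]:
    return {path: identify(blob) for path, blob in files.items()}


def _sqlite_header(user_version: int) -> bytes:
    """Constructed 100-byte SQLite header with the given user_version."""
    hdr = bytearray(100)
    hdr[:16] = SQLITE_MAGIC
    hdr[60:64] = struct.pack(">I", user_version)
    return bytes(hdr)


# Constructed sample blobs standing in for artifact files named on the slides.
SAMPLES = {
    "config.db": _sqlite_header(0),
    "Local Store\\ADrive.db": _sqlite_header(300200),
    "CarboniteUI.log": b"2012-05-05 scan started\r\n2012-05-05 scan done\r\n",
    "Install.log": UTF8_BOM + ("x" * 400 + "\r\ninstalling\n").encode(),
    ".accountinfo.ini": "\ufeffuser=frank\r\nkey\r".encode("utf-16-le"),
    "tss_external_orphans_fixed_snapshot.db": b"no newline here",
    "bin\\itag": b"",
    "filecache.dbx": b"\x00\x8b\x1f\x02binary",
}

if __name__ == "__main__":
    for path, label in classify_all(SAMPLES).items():
        print(f"{path:45} {label}")
```

A non-zero user_version is worth recording: application schemas bump it between releases, so it ties a recovered database to a client version even after the executable is gone.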


Dropbox

Host.db – Decoded:

Host.dbx – Decoded:


Dropbox

Date-named directory (“2012-06-06”):

Note: this is inside the .dropbox.cache directory

Entries.log – Decoded:



Dropbox

Network Connections:


Dropbox

Network Signature:


Dropbox

SSL Connections:


SpiderOak


SpiderOak

Artifact Type: SpiderOak
Installation Location: Program Files (x86)\SpiderOak\
Executable: SpiderOak.exe, windows_dir_watcher.exe
Application Data Location: AppData\Roaming\SpiderOak
Backup/Sync Location (default): Any, User-Defined, File Type
Files of Interest: 1336254748.22.port, config.dat, config.txt, device_1a.dat, device_2a.dat, dirhash.db, downloads.db, exclude.txt, fs_queue.db, local.dat, oak_20120505145242.log, oak_20120505165227.log, prefs.dat, snapshot.db, Spider_20120505145242.log, Spider_20120505165227.log, Test-skipfilter.db, test.db, test.log, tss_external_orphans_fixed_pandora_sqliite_database, tss_external_orphans_fixed_snapshot.db
Network Connection(s): 38.121.104.67:443, 38.121.104.68:44 (Performance Systems International, aka Cogent Communications or PSINet, Inc)
Network Signature: uses TLSv1, no unencrypted traffic observed
Uninstall Remnants – Registry: \Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\34
Uninstall Remnants – Program: API-MS-Win-Core-LocalRegistry-L1-1-0.dll, API-MS-Win-Core-ProcessThreads-L1-1-0.dll, API-MS-Win-Security-Base-L1-1-0.dll, bz2.pyd, POWRPROF.dll, pythoncom27.dll, pywintypes27.dll, select.pyd, shared.zip, unicodedata.pyd, win32api.pyd, win32com.shell.shell.pyd, win32event.pyd, win32evtlog.pyd, win32gui.pyd, win32pdh.pyd, win32process.pyd, win32trace.pyd, win32ui.pyd, winxpgui.pyd, _ctypes.pyd, _hashlib.pyd, _socket.pyd, _ssl.pyd, _win32sysloader.pyd
Uninstall Remnants – Files: same as files of interest – nothing removed


SpiderOak

File – Type

\SpiderOak\files_of_interest\oak_20120505145242.log – ASCII C++ program text, with very long lines, with CRLF line terminators
\SpiderOak\files_of_interest\oak_20120505165227.log – ASCII C++ program text, with very long lines, with CRLF line terminators
\SpiderOak\files_of_interest\spider_20120505145242.log – ASCII English text, with very long lines, with CRLF line terminators
\SpiderOak\files_of_interest\spider_20120505165227.log – ASCII English text, with very long lines, with CRLF line terminators
\SpiderOak\files_of_interest\config.txt – ASCII text
\SpiderOak\files_of_interest\exclude.txt – ASCII text
\SpiderOak\files_of_interest\prefs.dat – ASCII text
\SpiderOak\files_of_interest\tss_external_blocks_pandora_sqliite_database\00000014 – ASCII text
\SpiderOak\files_of_interest\test.log – ASCII text, with CRLF line terminators
\SpiderOak\files_of_interest\tss_external_orphans_fixed_pandora_sqliite_database – ASCII text, with no line terminators
\SpiderOak\files_of_interest\tss_external_orphans_fixed_snapshot.db – ASCII text, with no line terminators
\SpiderOak\files_of_interest\backup_system_ignore_this_folder.lock – empty
\SpiderOak\files_of_interest\dirhash.db – SQLite 3.x database
\SpiderOak\files_of_interest\download_cache\downloads.db – SQLite 3.x database
\SpiderOak\files_of_interest\fs_queue.db – SQLite 3.x database
\SpiderOak\files_of_interest\object_cache\device_1a.dat – SQLite 3.x database
\SpiderOak\files_of_interest\object_cache\device_2a.dat – SQLite 3.x database
\SpiderOak\files_of_interest\pandora_sqliite_database – SQLite 3.x database
\SpiderOak\files_of_interest\snapshot.db – SQLite 3.x database
\SpiderOak\files_of_interest\sync\test-skipfilter.db – SQLite 3.x database
\SpiderOak\files_of_interest\sync\test.db – SQLite 3.x database


SpiderOak

oak_20120505145242.log


SpiderOak

spider_20120505145242.log


SpiderOak

Test.db – SQLite3 db:

entry_time | path | journal_num | last_session_start | last_session_recno | last_session_size
1336248614 | c:\Users\Frank\Documents\SpiderOak | 1001 | | |
1336248614 | c:\Users\Frank\Documents\SpiderOak\TEST_FILES | 1002 | 0 | 6 | 103

entry_time 1336248614 decoded: Sat, 05 May 2012 15:10:14 -0500

device_1a.dat (SQLite3 db):

sync_id | sync_name | time_added
1 | test | 2012-05-05 21:52:59
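The SpiderOak slides carry the same moment in four encodings: a decimal epoch column (entry_time), an epoch prefix in a filename (1336254748.22.port), local wall-clock time baked into log names (oak_20120505165227.log) and a text datetime column (time_added). Lining them up on one clock is how the artifacts become a timeline. The following is an added example, not the presenter's tooling. It assumes the -0500 host offset shown in the slide's own decode, that the log names carry local time, that time_added is UTC (consistent with the port-file value 31 seconds earlier), and, going beyond this slide, that 8-hex-digit names of the Dropbox l\4f9c5ac9 kind are epoch seconds in hex; none of those assumptions is stated on the deck.

```python
"""Decode the epoch-style timestamps on the SpiderOak slides and line them up as
one timeline. Added example, not the presenter's tooling. Assumptions: host
offset -0500 (from the slide's decode of 1336248614); oak_/spider_ log names
carry local time; SQLite time_added text is UTC; 8-hex-digit names are epoch
seconds in hex."""
import re
from datetime import datetime, timedelta, timezone
from typing import List, Tuple, Union

HOST_TZ = timezone(timedelta(hours=-5))    # -0500, per the slide's decoded value
LOG_NAME = re.compile(r"^(?:oak|spider)_(\d{14})\.log$", re.IGNORECASE)
PORT_FILE = re.compile(r"^(\d{10})(?:\.\d+)?\.port$")
HEX_EPOCH = re.compile(r"^[0-9a-fA-F]{8}$")   # e.g. Dropbox cache names like 4f9c5ac9

Event = Tuple[str, datetime]


def decode_epoch(value: Union[int, float, str], tz: timezone = HOST_TZ) -> datetime:
    """Epoch seconds given as int/float, a decimal string, or an 8-digit hex string."""
    if isinstance(value, str):
        value = int(value, 16) if HEX_EPOCH.match(value) else float(value)
    return datetime.fromtimestamp(float(value), tz)


def fmt(dt: datetime) -> str:
    """Same layout the slide uses: Sat, 05 May 2012 15:10:14 -0500."""
    return dt.strftime("%a, %d %b %Y %H:%M:%S %z")


def parse_log_name(name: str, tz: timezone = HOST_TZ):
    """oak_YYYYMMDDhhmmss.log / spider_... -> aware datetime (assumed local time)."""
    m = LOG_NAME.match(name)
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=tz) if m else None


def parse_port_file(name: str, tz: timezone = HOST_TZ):
    """1336254748.22.port -> the epoch seconds in the filename prefix."""
    m = PORT_FILE.match(name)
    return decode_epoch(m.group(1), tz) if m else None


def parse_utc_column(text: str) -> datetime:
    """'YYYY-MM-DD hh:mm:ss' text column, assumed UTC."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def sessions(events: List[Event], gap: timedelta = timedelta(minutes=30)) -> List[List[Event]]:
    """Sort events and split them wherever consecutive ones are more than gap apart."""
    groups: List[List[Event]] = []
    for ev in sorted(events, key=lambda e: e[1]):
        if groups and ev[1] - groups[-1][-1][1] <= gap:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return groups


# Values taken from the SpiderOak slides, assembled here into one event list.
EVENTS: List[Event] = [
    ("test.db entry_time=1336248614", decode_epoch(1336248614)),
    ("oak_20120505145242.log", parse_log_name("oak_20120505145242.log")),
    ("1336254748.22.port", parse_port_file("1336254748.22.port")),
    ("oak_20120505165227.log", parse_log_name("oak_20120505165227.log")),
    ("device_1a.dat time_added=2012-05-05 21:52:59", parse_utc_column("2012-05-05 21:52:59")),
]

if __name__ == "__main__":
    for n, group in enumerate(sessions(EVENTS), 1):
        print(f"session {n}")
        for label, dt in group:
            print(f"  {fmt(dt.astimezone(HOST_TZ))}  {label}")
```

Run as-is it splits the slide's values into two client sessions: one opening at 14:52:42 local in which TEST_FILES is registered at 15:10:14, and one opening at 16:52:27 in which the .port file is written a second later and the "test" sync is created 31 seconds after that. Mixing a local-time log name with a UTC column without normalising first would have placed those last three events five hours apart.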


SpiderOak

Network Connections:


SpiderOak

Network Signature:


SpiderOak

SSL Connections:


TeamDrive


TeamDrive

Artifact Type: TeamDrive
Installation Location: Program Files (x86)\TeamDrive2.0\
Executable: TeamDrive2.exe, TeamDrive2Database.exe
Application Data Location: AppData\Roaming\TeamDrive
Backup/Sync Location (default): %User%\TeamDrive Spaces
Files of Interest (a few examples): WebDAVSettings.xml, DirWatcher_log.log, FileWatcher_log.log, log.log, old_20120513_162655_logs.zip, general_log.CSV, slow_log.CSV, db.opt, littlemac042_TeamDrive_13.05.2012.pss, Default_littlemac042.sakh, desktop.ini, target.lnk
Network Connection(s): 46.137.108.17:80, 79.125.8.233:80, td2ec2in4mv1euwest.teamdrive.net, reg.teamdrive.net. Connections going to Amazon AWS in Dublin.
Network Signature: PUT /primespace/vol05/29720/protolog/last.log?P1RID=1&pb-id=tt31385962996753839188459838 HTTP/1.1 (application/octet-stream)
Uninstall Remnants – Registry: \Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.7\com.trolltech.Qt.QTextCodecFactoryInterface:\C:\Program Files (x86)\TeamDrive2.0, \ControlSet001\Services\EventLog\Application\MySQL, \ControlSet002\Services\EventLog\Application\MySQL
Uninstall Remnants – Program: none
Uninstall Remnants – Files: desktop.ini, target.lnk


File – Type

\TeamDrive\files_of_interest\TeamDrive\logs\CTransferListThread_log.log – ASCII English text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\log.log – ASCII English text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CLogPollerThread_log.log – ASCII English text, with very long lines, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CFSSynchronizerThread_log.log – ASCII news text, with very long lines, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\mysql\data\pbxt\location – ASCII text
\TeamDrive\files_of_interest\TeamDrive\mysql\data\td2\db.opt – ASCII text
\TeamDrive\files_of_interest\TeamDrive\mysql\data\TeamDrive2Database.pid – ASCII text
\TeamDrive\files_of_interest\TeamDrive\logs\CApiModuleThread_log.log – ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CArchiveCacheWorkerThread_log.log – ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CArchiverDeamonThread_log.log – ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CDelayedArchiverThread_log.log – ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CDownLoadMessageThread_log.log – ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CEventListenerThread_log.log – ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CFSJobArchiverThread_log.log – ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CFSRuleEngineDeamonThread_log.log – ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CGUIFileEventBufferThread_log.log – ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CJobManagerThread_log.log – ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CLogBackupThread_log.log – ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CMessageBuilderThread_log.log – ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CReaderWriterThread_log.log – ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CScanJobWorkerThread_log.log – ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CScannerDeamonThread_log.log – ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CSynchronizerDeamonThread_log.log – ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CThreadedReceiverThread_log.log – ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\CWatcherDeamonThread_log.log – ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\DirWatcher_log.log – ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\logs\FileWatcher_log.log – ASCII text, with CRLF line terminators
\TeamDrive\files_of_interest\TeamDrive\mysql\data\TeamDrive2Database.err – ASCII text, with CRLF line terminators


TeamDrive

TeamDrive.ini:


TeamDrive

TDStart.ini:


TeamDrive

TeamDrive2Database.err:

A few other files to look at:

CFSRuleEngineDeamonThread_log.log

CFSSynchronizerThread_log.log

CScanJobWorkerThread_log.log

Xlog-1.xt


TeamDrive

DNS Connections:


TeamDrive

Network Connections:


TeamDrive

Network Signature:


ADrive


ADrive

Artifact Type: ADrive
Installation Location: Program Files (x86)\ADrive Desktop\
Executable: ADrive Desktop.exe
Application Data Location: AppData\Roaming\com.adrive.ADriveDesktop.9E1195EE779B0F966F518632F3A0F64E53222DC6.1
Backup/Sync Location (default): Any, User-Defined, File Type
Files of Interest: Adrive.db, index.dat (History.IE5, Content.IE5, Cookies), install.log (Adobe AIR)
Network Connection(s): 65.49.56.133:443, 65.49.56.133:80, adrive.com, www31.adrive.com
Network Signature: 34947 > https [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1; https > 34947 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1 WS=128; 34947 > https [ACK] Seq=1 Ack=1 Win=65700 Len=0; Client Hello
Uninstall Remnants – Registry: \Wow6432Node\Microsoft\Tracing\ADrive Desktop_RASAPI32, \Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\1
Uninstall Remnants – Program: none
Uninstall Remnants – Files: same as files of interest


ADrive

File – Type

Adrive\files_of_interest\com.adrive.ADriveDesktop.9E1195EE779B0F966F518632F3A0F64E53222DC6.1\Local Store\ADrive.db – SQLite 3.x database, user version 300200
\ADrive\files_of_interest\Install.log – UTF-8 Unicode (with BOM) English text, with very long lines, with CRLF, LF line terminators



ADrive

LogEntries Table


ADrive

Adobe AIR Install Log


ADrive

Network Connections


ADrive

Network Signature:


ADrive SSL Connections


Carbonite



Carbonite

Artifact Type: Carbonite
Installation Location: Program Files (x86)\Carbonite\Carbonite Backup\
Executable: CarboniteUI.exe
Application Data Location: ProgramData\Carbonite
Backup/Sync Location (default): Any, User-Defined, File Type
Files of Interest: Carbonite.log, CarboniteConfig.dat, CarboniteDelta.dat, CarboniteFiles.dat, CarboniteNSE.log, CarbonitePossibleUpgrade.exe, CarboniteRestores.dat, CarboniteUI.log, CarboniteVersions.dat
Network Connection(s): 4.53.54.244:443, 8.26.56.26:53, 38.97.103.136:80, web6.site11.carbonite.com, carbonite.com
Network Signature: GET /Download/v5.2.1181/CarboniteUpgradeen.exe HTTP/1.1, User-Agent: CarboniteUI, Host: www.carbonite.com, Cache-Control: no-cache
Uninstall Remnants – Registry: \Classes\Applications\CarboniteUI.exe, \ControlSet001\Services\EventLog\Application\CarboniteService
Uninstall Remnants – Program: none
Uninstall Remnants – Files: none


Carbonite

File – Type

\Carbonite\files_of_interest\Carbonite\Carbonite Backup\CarboniteNSE.log – ASCII text, with CRLF line terminators
\Carbonite\files_of_interest\Carbonite\Carbonite Backup\CarboniteUI.log – ASCII text, with CRLF line terminators
\Carbonite\files_of_interest\Carbonite\Carbonite Backup\skin\ScriptTests.txt – ASCII text, with CRLF line terminators
\Carbonite\files_of_interest\Carbonite\Carbonite Backup\skin\ShowAll.txt – ASCII text, with CRLF line terminators
\Carbonite\files_of_interest\Carbonite\Carbonite Backup\Carbonite.log – ASCII text, with very long lines, with CRLF, LF line terminators
\Carbonite\files_of_interest\Carbonite\Carbonite Backup\skin\CarboniteNSE.strings – UTF-8 Unicode (with BOM) English text, with very long lines, with CRLF line terminators
\Carbonite\files_of_interest\Carbonite\Carbonite Backup\skin\CarboniteService.strings – UTF-8 Unicode (with BOM) English text, with very long lines, with CRLF line terminators
\Carbonite\files_of_interest\Carbonite\Carbonite Backup\skin\CarboniteUI.strings – UTF-8 Unicode (with BOM) English text, with very long lines, with CRLF line terminators


Carbonite

File Handles


Carbonite

Carbonite.log


Carbonite

CarboniteFiles.dat


Carbonite

Network Connections


Carbonite

Network Signature:


Carbonite

SSL Connections


Mozy Home/Stash


Artifact Type: Mozy (Home & Stash)
Installation Location: Program Files\MozyHome, Program Files (x86)\Mozy\Stash
Executable: MozyBackup.exe, MozyStat.exe, Stash.exe
Application Data Location: Program Files\MozyHome\Data, AppData\Local\Stash
Backup/Sync Location (default): Any (Home), %User%\Stash (Stash)
Files of Interest: cache.dat, changes.dat, filter_raw.log.1, local_backup.dat, manifest.dat, mozy.log, resume.dat, scancache.dat, state.dat (Home); metrics.dat, Stash.log, state.dat (Stash)
Network Connection(s): 173.243.50.163:443, 173.243.50.190:443, 173.243.50.240:443, 74.112.148.76, 8.26.56.26, 156.154.70.22, 173.243.52.180, 173.243.52.200, 74.112.148.220, 74.112.148.85, 173.243.52.210, 173.243.51.62, 173.243.50.145, 216.54.220.68, 173.243.51.98, 173.243.51.80, 173.243.51.30, 173.243.50.245, 173.243.50.211, 173.243.50.184, 173.243.50.181, 173.243.50.173, 173.243.50.162, 173.243.50.157, 173.243.50.154, 173.243.50.135, 74.112.149.3, mozyops.com, *.mozy.com
Network Signature: GET /dev/null HTTP/1.1, Host: client.mozy.com, User-Agent: kalypso/2.12.1.160, Content-Length: 1048576; HEAD /dev/null HTTP/1.1, Host: client.mozy.com, User-Agent: kalypso/2.12.1.160; HTTP/1.1 200 OK, Date: Sun, 27 May 2012 20:58:11 GMT, Server: Apache, Last-Modified: Wed, 25 May 2011 15:45:49 GMT, ETag: "5923aa-23-4a41b993fa540", Accept-Ranges: bytes, Content-Length: 35, Content-Type: text/html
Uninstall Remnants – Registry: \Software\Mozy Inc, \ControlSet001\Enum\Root\LEGACY_MOZYFILTER\0000
Uninstall Remnants – Program: banner.1332213388.json
Uninstall Remnants – Files: metrics.dat, Stash.log, state.dat, .accountinfo.ini, desktop.ini


Mozy Home/Stash

File – Type

\Mozy\files_of_interest\Data\mozy.log – ASCII English text, with CRLF line terminators
\Mozy\files_of_interest\desktop.ini – ASCII text, with CRLF line terminators
\Mozy\files_of_interest\Stash\Stash.log – ASCII text, with very long lines, with CRLF line terminators
\Mozy\files_of_interest\Data\filter_raw.log – empty
\Mozy\files_of_interest\.accountinfo.ini – Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
\Mozy\files_of_interest\Data\cache.dat – SQLite 3.x database
\Mozy\files_of_interest\Data\changes.dat – SQLite 3.x database
\Mozy\files_of_interest\Data\local_backup.dat – SQLite 3.x database
\Mozy\files_of_interest\Data\manifest.dat – SQLite 3.x database
\Mozy\files_of_interest\Data\resume.dat – SQLite 3.x database
\Mozy\files_of_interest\Data\scancache.dat – SQLite 3.x database
\Mozy\files_of_interest\Data\state.dat – SQLite 3.x database
\Mozy\files_of_interest\Stash\metrics.dat – SQLite 3.x database
\Mozy\files_of_interest\Stash\state.dat – SQLite 3.x database


Mozy Home/Stash

Scancache.dat (Home)


Mozy Home/Stash

Metrics.dat (Stash)


Mozy Home/Stash

State.dat (Stash)


Mozy Home/Stash

A few other files of note:

Manifest.dat (Home), “user” table

Mozy.log (Home)

Stash.log (Stash)


Mozy Home/Stash

Network Connections


Mozy Home/Stash

Network Signature:


Mozy Home/Stash

SSL Connections
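Each service's "Network Connection(s)" and "Network Signature" rows across these slides amount to a detection rule: a host name (notify3.dropbox.com, *.teamdrive.net, client.mozy.com), a request shape (the Dropbox /subscribe long-poll, the TeamDrive PUT /primespace/... upload), a User-Agent (CarboniteUI, kalypso/...), or, for SpiderOak's TLS-only traffic, nothing but the destination address. The following is an added example, not the presenter's tooling: it tags proxy/flow records with the service they belong to using those observations, then totals the bytes each internal host pushed to each service, which is the number that turns "the client is installed" into "the client moved data". The key=value record format and every log line are constructed; the SpiderOak addresses are the 2012 values from the slide, which is exactly why host and User-Agent rules should carry the weight wherever the traffic is not TLS-only.

```python
"""Tag proxy/flow records with the cloud-sync client that produced them, using
the host names, request lines and User-Agents observed on these slides, then sum
bytes sent per (source host, service). Added example, not the presenter's
tooling; the record format and all SAMPLE_LOG lines are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# (service, {field: regex}); every field in a rule must match for the rule to fire.
SIGNATURES = [
    ("Dropbox",   {"host": r"(^|\.)dropbox\.com$"}),
    ("Dropbox",   {"uri": r"^/subscribe\?host_int=\d+&ns_map="}),          # notify3 long-poll
    ("SpiderOak", {"dst": r"^38\.121\.104\.(67|68)$", "dport": r"^443$"}),  # TLS only, no host seen
    ("TeamDrive", {"host": r"(^|\.)teamdrive\.net$"}),
    ("TeamDrive", {"method": r"^PUT$", "uri": r"^/primespace/"}),
    ("ADrive",    {"host": r"(^|\.)adrive\.com$"}),
    ("Carbonite", {"host": r"(^|\.)carbonite\.com$"}),
    ("Carbonite", {"ua": r"^CarboniteUI"}),
    ("Mozy",      {"host": r"(^|\.)(mozy|mozyops)\.com$"}),
    ("Mozy",      {"ua": r"^kalypso/"}),
]
COMPILED = [(svc, {f: re.compile(rx) for f, rx in rule.items()}) for svc, rule in SIGNATURES]


def parse_line(line: str) -> Dict[str, str]:
    """One key=value record per line; '-' marks a field that was not observed."""
    return dict(tok.split("=", 1) for tok in line.split())


def tag(record: Dict[str, str]) -> Set[str]:
    """Services whose signature matches this record (usually zero or one)."""
    return {svc for svc, rule in COMPILED
            if all(rx.search(record.get(field, "-")) for field, rx in rule.items())}


def upload_totals(records: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Bytes sent per (source host, service); untagged traffic is ignored."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for rec in records:
        for svc in tag(rec):
            totals[(rec["src"], svc)] += int(rec.get("bytes_out", "0"))
    return dict(totals)


def analyze(lines: List[str]):
    records = [parse_line(line) for line in lines]
    tagged = [(r["ts"], r["src"], sorted(tag(r))) for r in records]
    return tagged, upload_totals(records)


# Constructed records mirroring the signatures on the slides (IPs are the 2012 ones).
SAMPLE_LOG = [
    "ts=1336248700 src=10.0.0.5 dst=199.47.216.146 dport=80 method=GET host=notify3.dropbox.com uri=/subscribe?host_int=169449187&ns_map=5932257_73227506984566&ts=1139002454 ua=- bytes_out=0",
    "ts=1336248710 src=10.0.0.5 dst=38.121.104.67 dport=443 method=- host=- uri=- ua=- bytes_out=2400000",
    "ts=1336248720 src=10.0.0.5 dst=46.137.108.17 dport=80 method=PUT host=td2ec2in4mv1euwest.teamdrive.net uri=/primespace/vol05/29720/protolog/last.log?P1RID=1 ua=- bytes_out=51200",
    "ts=1336248730 src=10.0.0.5 dst=38.97.103.136 dport=80 method=GET host=www.carbonite.com uri=/Download/v5.2.1181/CarboniteUpgradeen.exe ua=CarboniteUI bytes_out=0",
    "ts=1336248740 src=10.0.0.5 dst=173.243.50.163 dport=443 method=GET host=client.mozy.com uri=/dev/null ua=kalypso/2.12.1.160 bytes_out=1048576",
    "ts=1336248750 src=10.0.0.7 dst=93.184.216.34 dport=443 method=GET host=example.com uri=/ ua=Mozilla/5.0 bytes_out=0",
]

if __name__ == "__main__":
    tagged, totals = analyze(SAMPLE_LOG)
    for row in tagged:
        print(row)
    for (src, svc), n in sorted(totals.items()):
        print(f"{src} -> {svc}: {n} bytes out")
```

The per-host byte totals are the part to keep an eye on: a long-poll to notify3.dropbox.com every few seconds is noise, but megabytes leaving toward a sync service from a host that is not supposed to have one installed is the signal this whole deck is about.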


Very important to remember – while applications were uninstalled and some files were deleted ... no files or tools were injured in the making of this presentation.

And NO dongles were used. Ever.


Thank you very much for your time.

I'm open to questions, now or later:

http://twitter.com/littlemac042

http://www.linkedin.com/in/frankmcclain
