SlideShare uma empresa Scribd logo

(130928) #fitalk cloud storage forensics - dropbox

INSIGHT FORENSIC
INSIGHT FORENSIC

2013 F-INSIGHT TALK

Tecnologia
1 de 23
Baixar para ler offline
Cloud  Storage  Forensics   Part  I  :  Dropbox   2013.  09.  28   forensic.n0fate.com  
forensicinsight.org   Dropbox  Forensics   h.p://forensic.n0fate.com  
forensicinsight.org   Dropbox  Forensics   •  Dropbox   – 웹 기반 파일 공유 서비스   – 총 12개의 클라이언트 지원   •  Desktop  :  Windows,  Mac  OS  X,  Linux   •  Mobile  :  iOS,  Android,  Symbian,  Win  Mobile,  Blackberry   – 한 계정 당 무료로 2GB까지 지원   •  자동 동기화 및 사용자 간 자료 공유   h.p://forensic.n0fate.com  
forensicinsight.org   Dropbox  Feature   •  Previous  Version   – 각 파일에 대한 버전 기록을 유지함   – 변경한 사용자, 호스트 명, 시간, 용량 정보   h.p://forensic.n0fate.com  
forensicinsight.org   Dropbox  Feature   •  Recovery  deleted  files   – 삭제된 데이터는 최대 30일(팩랫:무제한) 보관   h.p://forensic.n0fate.com  
forensicinsight.org   Dropbox  Forensics   •  Dropbox의 데이터는 디스크에 저장   – 디스크 이미지에서 각 파일을 접근할 수 있음   – 별다른 문제 없이 분석을 진행할 수 있음   •  삭제된 파일은?   – ‘.dropbox.cache’에 삭제한 파일을 기록   – Dropbox 페이지에 버전 정보 기록   h.p://forensic.n0fate.com  
forensicinsight.org   Show  deleted  files   •  삭제된 파일은 ‘.dropbox.cache’에 저장   – 동기화 후 이동/수정/삭제된 파일 저장   – 최대 3일간 데이터를 유지   n0fate-MacBook-Air:~ n0fate$ cd Dropbox/.dropbox.cache/ n0fate-MacBook-Air:.dropbox.cache n0fate$ ls 2013-08-16 2013-08-17 n0fate-MacBook-Air:.dropbox.cache n0fate$ cd 2013-08-16 n0fate-MacBook-Air:2013-08-16 n0fate$ ls 2013 디지털 포렌식 기술 동향 (deleted 60f35a91ffee07c883802a5920aa553f).pptx 2013 디지털 포렌식 기술 동향 (deleted eafa23ac8430ffa0cfb77d847926c0bf).pptx 3E4E51888FB14B239407637B07A3D035 (deleted 2bdac50f2409a961cbefaa83ada787c8).doentry 43B030297C994934B65199C78C8C8F75 (deleted b78f5a24a5cf8f2f18611a764f67b767).doentry n0fate-MacBook-Air:2013-08-16 n0fate$ file * 2013 디지털 포렌식 기술 동향 (deleted 60f35a91ffee07c883802a5920aa553f).pptx: Zip archive data, at least v2.0 to extract .....<snip>... 43B030297C994934B65199C78C8C8F75 (deleted b78f5a24a5cf8f2f18611a764f67b767).doentry: XML document text h.p://forensic.n0fate.com  
forensicinsight.org   Dropbox  Forensics   •  공격자가 해당 폴더 Wiping 수행한 경우?   – 해당 디렉터리의 정보가 zero-­‐out되기 때문에 분석할 수 없음   – 다른 요소를 이용하여 최대한 분석 필요   •  존재할 수 있는 요소   – 계정 정보   – 파일 목록(존재하는 / 삭제된 파일)   – 파일 동기화 여부   h.p://forensic.n0fate.com  
forensicinsight.org   filecache.dbx   •  SQLite3  Database  format   •  file_journal  table  (<2013)   – Containing  a  lis_ng  of  all  directories  and  files   – Synchroniza_on  informa_on   – Only  the  live  files,  not  deleted  ones   – Recovery  deleted  record  though  SQLite3  Carving   •  In  early  2013  Dropbox  released  an  update  that   encrypted  this  file   h.p://forensic.n0fate.com  
forensicinsight.org   filecache.dbx •  SQLite3  DB  Browser로 내용 확인 불가능   – Hex  Editor에서 정상적인 파일로 보이지 않음   •  데이터 암호화로 인해 올바른 해석 불가   – Sqlite3  Database  Encryp_on  기술을 이용   – User  Password  기반의 Database  Key를 생성하여 모든 데이터베이스 암호화   – 역으로 키를 생성하여 복호화를 수행해야 함.   h.p://forensic.n0fate.com  
forensicinsight.org   Client Database  Key  Genera_on   (Windows) •  User  key  genera_on h.p://forensic.n0fate.com    HMAC  Key   (고정 값) version Registry  Path   HKCUSOFTWAREDropboxks Payload   length payload HMAC 1.  HMAC 2.  CryptUnprotectData   API valida_on   User  Key
forensicinsight.org   hostkeys Database  Key  Genera_on   (Linux) •  User  key  genera_on h.p://forensic.n0fate.com    HMAC  Key   (고정 값) version File  Path   /home/<USER>/.dropbox/hostkeys payload HMAC 1.  HMAC 2.  AES-­‐128  with  CBC valida_on User  Key Ini_al  Vector   (고정 값) Unique  Key   md5(“ia9’<hostkeys   FILEPATH>Xa|ui20”)
forensicinsight.org   Database  Key  Genera_on   (Windows/Linux) •  Database  Key  genera_on h.p://forensic.n0fate.com    Salt   (고정 값) Itera_on  Count   (1066) PBKDF2 User  Key passphrasesalt Itera_on   Count DB  Key   (16bytes)
forensicinsight.org   Decryp_ng  SQLite  DBX •  SQLite  Encryp_on  Extension  (SEE)   – Read  and  write  encrypted  database  files   – All  data  and  the  metadata  is  encrypted   – So  outside  observer  the  database  appears  to   contain  white  noise   – Public  version  of  SQLite  will  not  be  able  to  read  or   write  an  encrypted  database  file h.p://forensic.n0fate.com   Link  :  hip://www.sqlite.org/see/doc/trunk/www/readme.wiki
forensicinsight.org   Decryp_ng  SQLite  DBX RC4 AES-­‐128-­‐OFB AES-­‐256-­‐OFB AES-­‐128-­‐CCM h.p://forensic.n0fate.com   DB  Key   (16bytes) Encryp_on  mode   (default  :  AES128OFB) Product  Ac_va_on  Key   (7bb07b8d471d642e)
forensicinsight.org   Tools  (Online)   •  A  Cri_cal  Analysis  of  Dropbox  Security를 발표 한 newsom 멤버가 개발   – hips://github.com/newsom   •  Tool   – Dropbox  DB  Key  Generator  :  dbx-­‐keygen-­‐ windows/linux  (Mac  OS  X는 없음)   – DBX  Decryptor  :  sqlite3-­‐dbx   h.p://forensic.n0fate.com  
forensicinsight.org   Tools  (Online)   •  시연   h.p://forensic.n0fate.com  
forensicinsight.org   Dropbox  Decryptor  (Offline)   h.p://forensic.n0fate.com  
forensicinsight.org   Dropbox  Decryptor   •  When/Who  :  March,  1,  2013,  Magnet  Forensics   •  Requirements   –  filecache.dbx  file   •  [root]Documents  and  SeqngsusernameApplica_on  DataDropbox   on  XP,  or  [root]UsersJadAppDataRoamingDropbox  on  Vista   –  The  en_re  protect  folder  for  that  user   •  [root]Documents  and  SeqngsusernameApplica_on  DataMicrosom   on  XP,  or  [root]UsersJadAppDataRoamingMicrosom  on  Vista/7   –  A  file  containing  the  raw  bytes  from  the  Dropbox  ‘client’  value   under  the  ‘ks’  key  in  registry   •  registry/NTUSER.dat  file  (full  path  is  HKEY_CURRENT_USERSomware Dropboxks   –  User’s  windows  login  password   h.p://forensic.n0fate.com  
forensicinsight.org   Dropbox  Decryptor   CryptProtectData   h.p://forensic.n0fate.com   Master  Key  Storage   Folder   (Protected  Folder) Encrypted   Master  Key salt login  creden_al   Algorithm  :  AES-­‐256   HMAC  :  SHA512   Itera_on  count  :  5600 Master  Key Password   SID   PBKDF2 salt   hCp://www.passcape.com/index.php?secMon=blog&cmd=details&id=20  
forensicinsight.org   Dropbox  Decryptor   h.p://forensic.n0fate.com  
Q  &  A Homepage  :  forensic.n0fate.com   E-­‐Mail  :  n0fate@n0fate.com
forensicinsight.org   Reference •  Florian  LEDOUX,Nicolas  RUFF.  Applica_on   Security  Forum  2012.  A  Cri_cal  Analysis   Dropbox  Security.  2012.   •  Dhiru  Kholia,  Przemyslaw  Wegrzyn.  Looking   inside  the  (Drop)  box.  2013.  

Recomendados

Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Frank Boldewin
 
INTRODUCTION TO CYBER FORENSICS
INTRODUCTION TO CYBER FORENSICSINTRODUCTION TO CYBER FORENSICS
INTRODUCTION TO CYBER FORENSICSSylvain Martinez
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital ForensicsOldsun
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx9905234521
 

Recomendados

Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Frank Boldewin
 
INTRODUCTION TO CYBER FORENSICS
INTRODUCTION TO CYBER FORENSICSINTRODUCTION TO CYBER FORENSICS
INTRODUCTION TO CYBER FORENSICSSylvain Martinez
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital ForensicsOldsun
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx9905234521
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting WorkshopSplunk
 
Thick client application security assessment
Thick client application security assessmentThick client application security assessment
Thick client application security assessmentSanjay Kumar (Seeking options outside India)
 
Beyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryBeyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryPriyanka Aash
 
Linux forensics
Linux forensicsLinux forensics
Linux forensicsSantosh Khadsare
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanningamiable_indian
 
Threat Hunting for Command and Control Activity
Threat Hunting for Command and Control ActivityThreat Hunting for Command and Control Activity
Threat Hunting for Command and Control ActivitySqrrl
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
 
Getting Started with Splunk Enterprise - Demo
Getting Started with Splunk Enterprise - DemoGetting Started with Splunk Enterprise - Demo
Getting Started with Splunk Enterprise - DemoSplunk
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensicsprimeteacher32
 
NMAP - The Network Scanner
NMAP - The Network ScannerNMAP - The Network Scanner
NMAP - The Network Scannern|u - The Open Security Community
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShellkieranjacobsen
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAPPhannarith Ou, G-CISO
 
Introduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsIntroduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsMayank Chaudhari
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
Ready player 2 Multiplayer Red Teaming Against macOS
Ready player 2 Multiplayer Red Teaming Against macOSReady player 2 Multiplayer Red Teaming Against macOS
Ready player 2 Multiplayer Red Teaming Against macOSCody Thomas
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Cloud Forensics
Cloud ForensicsCloud Forensics
Cloud Forensicssdavis532
 
IoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat LandscapeIoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat LandscapeAPNIC
 

Mais conteúdo relacionado

Mais procurados

Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting WorkshopSplunk
 
Beyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryBeyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryPriyanka Aash
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanningamiable_indian
 
Threat Hunting for Command and Control Activity
Threat Hunting for Command and Control ActivityThreat Hunting for Command and Control Activity
Threat Hunting for Command and Control ActivitySqrrl
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
 
Getting Started with Splunk Enterprise - Demo
Getting Started with Splunk Enterprise - DemoGetting Started with Splunk Enterprise - Demo
Getting Started with Splunk Enterprise - DemoSplunk
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShellkieranjacobsen
 
Introduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsIntroduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsMayank Chaudhari
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
Ready player 2 Multiplayer Red Teaming Against macOS
Ready player 2 Multiplayer Red Teaming Against macOSReady player 2 Multiplayer Red Teaming Against macOS
Ready player 2 Multiplayer Red Teaming Against macOSCody Thomas
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 

Mais procurados (20)

Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting Workshop
 
Thick client application security assessment
Thick client application security assessmentThick client application security assessment
Thick client application security assessment
 
Beyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryBeyond the mcse red teaming active directory
Beyond the mcse red teaming active directory
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanning
 
Threat Hunting for Command and Control Activity
Threat Hunting for Command and Control ActivityThreat Hunting for Command and Control Activity
Threat Hunting for Command and Control Activity
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CK
 
Getting Started with Splunk Enterprise - Demo
Getting Started with Splunk Enterprise - DemoGetting Started with Splunk Enterprise - Demo
Getting Started with Splunk Enterprise - Demo
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensics
 
NMAP - The Network Scanner
NMAP - The Network ScannerNMAP - The Network Scanner
NMAP - The Network Scanner
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
Memory forensics
Memory forensicsMemory forensics
Memory forensics
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShell
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAP
 
Introduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsIntroduction to filesystems and computer forensics
Introduction to filesystems and computer forensics
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
 
Ready player 2 Multiplayer Red Teaming Against macOS
Ready player 2 Multiplayer Red Teaming Against macOSReady player 2 Multiplayer Red Teaming Against macOS
Ready player 2 Multiplayer Red Teaming Against macOS
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 

Destaque

Cloud Forensics
Cloud ForensicsCloud Forensics
Cloud Forensicssdavis532
 
IoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat LandscapeIoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat LandscapeAPNIC
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challengesDheeraj Negi
 
11.cyber forensics in cloud computing
11.cyber forensics in cloud computing11.cyber forensics in cloud computing
11.cyber forensics in cloud computingAlexander Decker
 
Cloud Forensics- An IS Approach
Cloud Forensics- An IS ApproachCloud Forensics- An IS Approach
Cloud Forensics- An IS ApproachIOSR Journals
 
Cloud Application Logging for Forensics
Cloud Application Logging for ForensicsCloud Application Logging for Forensics
Cloud Application Logging for ForensicsRaffael Marty
 
Adding event reconstruction to a cloud forensic readiness
Adding event reconstruction to a cloud forensic readinessAdding event reconstruction to a cloud forensic readiness
Adding event reconstruction to a cloud forensic readinessVictor Kebande
 
Cloud Computing Forensic Science
Cloud Computing Forensic Science Cloud Computing Forensic Science
Cloud Computing Forensic Science David Sweigert
 
Providing Proofs of Past Data Possession in Cloud Forensics
Providing Proofs of Past Data Possession in Cloud Forensics Providing Proofs of Past Data Possession in Cloud Forensics
Providing Proofs of Past Data Possession in Cloud Forensics zawoad
 
Memory forensics using VMI for cloud computing
Memory forensics using VMI for cloud computingMemory forensics using VMI for cloud computing
Memory forensics using VMI for cloud computingPriyanka Aash
 
NGN Japan 2012-2017
NGN Japan 2012-2017NGN Japan 2012-2017
NGN Japan 2012-2017Kabir Ahmad
 
Delivering Secure OpenStack IaaS for SaaS Products
Delivering Secure OpenStack IaaS for SaaS ProductsDelivering Secure OpenStack IaaS for SaaS Products
Delivering Secure OpenStack IaaS for SaaS ProductsCloudPassage
 
Cloud Monitoring And Forensic Using Security Metrics
Cloud Monitoring And Forensic Using Security MetricsCloud Monitoring And Forensic Using Security Metrics
Cloud Monitoring And Forensic Using Security MetricsSandeep Saxena
 
Automatski - The Internet of Things - Privacy in IoT
Automatski - The Internet of Things - Privacy in IoTAutomatski - The Internet of Things - Privacy in IoT
Automatski - The Internet of Things - Privacy in IoTautomatskicorporation
 
Big data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security AllianceBig data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security AllianceInformation Security Awareness Group
 
Cloud Computing – Opportunities, Definitions, Options, and Risks (Part-1)
Cloud Computing – Opportunities, Definitions, Options, and Risks (Part-1)Cloud Computing – Opportunities, Definitions, Options, and Risks (Part-1)
Cloud Computing – Opportunities, Definitions, Options, and Risks (Part-1)Manoj Kumar
 
IoT: Security & Privacy at IGNITE 2015
IoT: Security & Privacy at IGNITE 2015IoT: Security & Privacy at IGNITE 2015
IoT: Security & Privacy at IGNITE 2015HildebrandTech
 

Destaque (20)

Cloud Forensics
Cloud ForensicsCloud Forensics
Cloud Forensics
 
IoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat LandscapeIoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat Landscape
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challenges
 
11.cyber forensics in cloud computing
11.cyber forensics in cloud computing11.cyber forensics in cloud computing
11.cyber forensics in cloud computing
 
Cloud Forensics- An IS Approach
Cloud Forensics- An IS ApproachCloud Forensics- An IS Approach
Cloud Forensics- An IS Approach
 
Cloud Application Logging for Forensics
Cloud Application Logging for ForensicsCloud Application Logging for Forensics
Cloud Application Logging for Forensics
 
Adding event reconstruction to a cloud forensic readiness
Adding event reconstruction to a cloud forensic readinessAdding event reconstruction to a cloud forensic readiness
Adding event reconstruction to a cloud forensic readiness
 
Cloud Computing Forensic Science
Cloud Computing Forensic Science Cloud Computing Forensic Science
Cloud Computing Forensic Science
 
Providing Proofs of Past Data Possession in Cloud Forensics
Providing Proofs of Past Data Possession in Cloud Forensics Providing Proofs of Past Data Possession in Cloud Forensics
Providing Proofs of Past Data Possession in Cloud Forensics
 
Memory forensics using VMI for cloud computing
Memory forensics using VMI for cloud computingMemory forensics using VMI for cloud computing
Memory forensics using VMI for cloud computing
 
NGN Japan 2012-2017
NGN Japan 2012-2017NGN Japan 2012-2017
NGN Japan 2012-2017
 
Delivering Secure OpenStack IaaS for SaaS Products
Delivering Secure OpenStack IaaS for SaaS ProductsDelivering Secure OpenStack IaaS for SaaS Products
Delivering Secure OpenStack IaaS for SaaS Products
 
Cloud Monitoring And Forensic Using Security Metrics
Cloud Monitoring And Forensic Using Security MetricsCloud Monitoring And Forensic Using Security Metrics
Cloud Monitoring And Forensic Using Security Metrics
 
IaaS Security - Back to the Drawing Board
IaaS Security - Back to the Drawing BoardIaaS Security - Back to the Drawing Board
IaaS Security - Back to the Drawing Board
 
Automatski - The Internet of Things - Privacy in IoT
Automatski - The Internet of Things - Privacy in IoTAutomatski - The Internet of Things - Privacy in IoT
Automatski - The Internet of Things - Privacy in IoT
 
Big data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security AllianceBig data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security Alliance
 
5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack
 
Cloud Computing – Opportunities, Definitions, Options, and Risks (Part-1)
Cloud Computing – Opportunities, Definitions, Options, and Risks (Part-1)Cloud Computing – Opportunities, Definitions, Options, and Risks (Part-1)
Cloud Computing – Opportunities, Definitions, Options, and Risks (Part-1)
 
IoT: Security & Privacy at IGNITE 2015
IoT: Security & Privacy at IGNITE 2015IoT: Security & Privacy at IGNITE 2015
IoT: Security & Privacy at IGNITE 2015
 
The Cloud: Privacy and Forensics
The Cloud: Privacy and ForensicsThe Cloud: Privacy and Forensics
The Cloud: Privacy and Forensics
 

Semelhante a (130928) #fitalk cloud storage forensics - dropbox

(130622) #fitalk the stealing windows password
(130622) #fitalk the stealing windows password(130622) #fitalk the stealing windows password
(130622) #fitalk the stealing windows passwordINSIGHT FORENSIC
 
Openstack Swift overview
Openstack Swift overviewOpenstack Swift overview
Openstack Swift overview어형 이
 
(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석INSIGHT FORENSIC
 
(130316) #fitalk trends in d forensics (feb, 2013)
(130316) #fitalk trends in d forensics (feb, 2013)(130316) #fitalk trends in d forensics (feb, 2013)
(130316) #fitalk trends in d forensics (feb, 2013)INSIGHT FORENSIC
 
(130727) #fitalk rp log tracker
(130727) #fitalk rp log tracker(130727) #fitalk rp log tracker
(130727) #fitalk rp log trackerINSIGHT FORENSIC
 
WzDat과 Pandas를 통한 로그 데이터 분석
WzDat과 Pandas를 통한 로그 데이터 분석WzDat과 Pandas를 통한 로그 데이터 분석
WzDat과 Pandas를 통한 로그 데이터 분석정주 김
 
Hadoop distributed file system rev3
Hadoop distributed file system rev3Hadoop distributed file system rev3
Hadoop distributed file system rev3Sung-jae Park
 
T11_1_한종원_20181126 AWS S3, SPA, 그리고 Vue.JS - HBSmith는 어떻게 Fron...
T11_1_한종원_20181126 AWS S3, SPA, 그리고 Vue.JS - HBSmith는 어떻게 Fron...T11_1_한종원_20181126 AWS S3, SPA, 그리고 Vue.JS - HBSmith는 어떻게 Fron...
T11_1_한종원_20181126 AWS S3, SPA, 그리고 Vue.JS - HBSmith는 어떻게 Fron...양재동 코드랩
 
20181126 AWS S3, SPA, 그리고 Vue.JS - HBSmith는 어떻게 Frontend를 Serverle...
20181126 AWS S3, SPA, 그리고 Vue.JS - HBSmith는 어떻게 Frontend를 Serverle...20181126 AWS S3, SPA, 그리고 Vue.JS - HBSmith는 어떻게 Frontend를 Serverle...
20181126 AWS S3, SPA, 그리고 Vue.JS - HBSmith는 어떻게 Frontend를 Serverle...Jongwon Han
 
XECon2015 :: [1-5] 김훈민 - 서버 운영자가 꼭 알아야 할 Docker
XECon2015 :: [1-5] 김훈민 - 서버 운영자가 꼭 알아야 할 DockerXECon2015 :: [1-5] 김훈민 - 서버 운영자가 꼭 알아야 할 Docker
XECon2015 :: [1-5] 김훈민 - 서버 운영자가 꼭 알아야 할 DockerXpressEngine
 
Spark + S3 + R3를 이용한 데이터 분석 시스템 만들기
Spark + S3 + R3를 이용한 데이터 분석 시스템 만들기Spark + S3 + R3를 이용한 데이터 분석 시스템 만들기
Spark + S3 + R3를 이용한 데이터 분석 시스템 만들기AWSKRUG - AWS한국사용자모임
 
Ipfs : InterPlanetary File System
Ipfs : InterPlanetary File SystemIpfs : InterPlanetary File System
Ipfs : InterPlanetary File System동현 강
 
(120318) #fitalk web browser forensics - part i
(120318) #fitalk web browser forensics - part i(120318) #fitalk web browser forensics - part i
(120318) #fitalk web browser forensics - part iINSIGHT FORENSIC
 
(120318) #fitalk web browser forensics - part i
(120318) #fitalk web browser forensics - part i(120318) #fitalk web browser forensics - part i
(120318) #fitalk web browser forensics - part iINSIGHT FORENSIC
 
Oracle linux8 solaris_new_features-suk kim
Oracle linux8 solaris_new_features-suk kimOracle linux8 solaris_new_features-suk kim
Oracle linux8 solaris_new_features-suk kimsuk kim
 
[211] HBase 기반 검색 데이터 저장소 (공개용)
[211] HBase 기반 검색 데이터 저장소 (공개용)[211] HBase 기반 검색 데이터 저장소 (공개용)
[211] HBase 기반 검색 데이터 저장소 (공개용)NAVER D2
 
(120128) #fitalk sql server anti-forensics
(120128) #fitalk sql server anti-forensics(120128) #fitalk sql server anti-forensics
(120128) #fitalk sql server anti-forensicsINSIGHT FORENSIC
 

Semelhante a (130928) #fitalk cloud storage forensics - dropbox (20)

(130622) #fitalk the stealing windows password
(130622) #fitalk the stealing windows password(130622) #fitalk the stealing windows password
(130622) #fitalk the stealing windows password
 
Openstack Swift overview
Openstack Swift overviewOpenstack Swift overview
Openstack Swift overview
 
(2010.12.23)iipc oasis
(2010.12.23)iipc oasis(2010.12.23)iipc oasis
(2010.12.23)iipc oasis
 
(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석
 
Hadoop overview
Hadoop overviewHadoop overview
Hadoop overview
 
(130316) #fitalk trends in d forensics (feb, 2013)
(130316) #fitalk trends in d forensics (feb, 2013)(130316) #fitalk trends in d forensics (feb, 2013)
(130316) #fitalk trends in d forensics (feb, 2013)
 
(130727) #fitalk rp log tracker
(130727) #fitalk rp log tracker(130727) #fitalk rp log tracker
(130727) #fitalk rp log tracker
 
WzDat과 Pandas를 통한 로그 데이터 분석
WzDat과 Pandas를 통한 로그 데이터 분석WzDat과 Pandas를 통한 로그 데이터 분석
WzDat과 Pandas를 통한 로그 데이터 분석
 
Hadoop distributed file system rev3
Hadoop distributed file system rev3Hadoop distributed file system rev3
Hadoop distributed file system rev3
 
T11_1_한종원_20181126 AWS S3, SPA, 그리고 Vue.JS - HBSmith는 어떻게 Fron...
T11_1_한종원_20181126 AWS S3, SPA, 그리고 Vue.JS - HBSmith는 어떻게 Fron...T11_1_한종원_20181126 AWS S3, SPA, 그리고 Vue.JS - HBSmith는 어떻게 Fron...
T11_1_한종원_20181126 AWS S3, SPA, 그리고 Vue.JS - HBSmith는 어떻게 Fron...
 
20181126 AWS S3, SPA, 그리고 Vue.JS - HBSmith는 어떻게 Frontend를 Serverle...
20181126 AWS S3, SPA, 그리고 Vue.JS - HBSmith는 어떻게 Frontend를 Serverle...20181126 AWS S3, SPA, 그리고 Vue.JS - HBSmith는 어떻게 Frontend를 Serverle...
20181126 AWS S3, SPA, 그리고 Vue.JS - HBSmith는 어떻게 Frontend를 Serverle...
 
XECon2015 :: [1-5] 김훈민 - 서버 운영자가 꼭 알아야 할 Docker
XECon2015 :: [1-5] 김훈민 - 서버 운영자가 꼭 알아야 할 DockerXECon2015 :: [1-5] 김훈민 - 서버 운영자가 꼭 알아야 할 Docker
XECon2015 :: [1-5] 김훈민 - 서버 운영자가 꼭 알아야 할 Docker
 
Spark + S3 + R3를 이용한 데이터 분석 시스템 만들기
Spark + S3 + R3를 이용한 데이터 분석 시스템 만들기Spark + S3 + R3를 이용한 데이터 분석 시스템 만들기
Spark + S3 + R3를 이용한 데이터 분석 시스템 만들기
 
Ipfs : InterPlanetary File System
Ipfs : InterPlanetary File SystemIpfs : InterPlanetary File System
Ipfs : InterPlanetary File System
 
(120318) #fitalk web browser forensics - part i
(120318) #fitalk web browser forensics - part i(120318) #fitalk web browser forensics - part i
(120318) #fitalk web browser forensics - part i
 
(120318) #fitalk web browser forensics - part i
(120318) #fitalk web browser forensics - part i(120318) #fitalk web browser forensics - part i
(120318) #fitalk web browser forensics - part i
 
Oracle linux8 solaris_new_features-suk kim
Oracle linux8 solaris_new_features-suk kimOracle linux8 solaris_new_features-suk kim
Oracle linux8 solaris_new_features-suk kim
 
[211] HBase 기반 검색 데이터 저장소 (공개용)
[211] HBase 기반 검색 데이터 저장소 (공개용)[211] HBase 기반 검색 데이터 저장소 (공개용)
[211] HBase 기반 검색 데이터 저장소 (공개용)
 
Git
Git Git
Git
 
(120128) #fitalk sql server anti-forensics
(120128) #fitalk sql server anti-forensics(120128) #fitalk sql server anti-forensics
(120128) #fitalk sql server anti-forensics
 

Mais de INSIGHT FORENSIC

(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensicsINSIGHT FORENSIC
 
(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)INSIGHT FORENSIC
 
(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)INSIGHT FORENSIC
 
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fsINSIGHT FORENSIC
 
(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trendINSIGHT FORENSIC
 
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안INSIGHT FORENSIC
 
(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifactsINSIGHT FORENSIC
 
(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식INSIGHT FORENSIC
 
(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatch(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatchINSIGHT FORENSIC
 
(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석INSIGHT FORENSIC
 
(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법INSIGHT FORENSIC
 
(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysis(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysisINSIGHT FORENSIC
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur lsINSIGHT FORENSIC
 
(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)INSIGHT FORENSIC
 
(130202) #fitalk china threat
(130202) #fitalk china threat(130202) #fitalk china threat
(130202) #fitalk china threatINSIGHT FORENSIC
 
(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensics(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensicsINSIGHT FORENSIC
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threatINSIGHT FORENSIC
 
(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recovery(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recoveryINSIGHT FORENSIC
 
(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)INSIGHT FORENSIC
 
(130105) #fitalk criminal civil judicial procedure in korea
(130105) #fitalk criminal civil judicial procedure in korea(130105) #fitalk criminal civil judicial procedure in korea
(130105) #fitalk criminal civil judicial procedure in koreaINSIGHT FORENSIC
 

Mais de INSIGHT FORENSIC (20)

(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics
 
(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)
 
(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)
 
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
 
(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend
 
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
 
(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts
 
(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식
 
(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatch(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatch
 
(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석
 
(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법
 
(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysis(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysis
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls
 
(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)
 
(130202) #fitalk china threat
(130202) #fitalk china threat(130202) #fitalk china threat
(130202) #fitalk china threat
 
(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensics(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensics
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat
 
(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recovery(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recovery
 
(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)
 
(130105) #fitalk criminal civil judicial procedure in korea
(130105) #fitalk criminal civil judicial procedure in korea(130105) #fitalk criminal civil judicial procedure in korea
(130105) #fitalk criminal civil judicial procedure in korea
 

(130928) #fitalk cloud storage forensics - dropbox

  • 1. Cloud  Storage  Forensics   Part  I  :  Dropbox   2013.  09.  28   forensic.n0fate.com  
  • 2. forensicinsight.org   Dropbox  Forensics   h.p://forensic.n0fate.com  
  • 3. forensicinsight.org   Dropbox  Forensics   •  Dropbox   – 웹 기반 파일 공유 서비스   – 총 12개의 클라이언트 지원   •  Desktop  :  Windows,  Mac  OS  X,  Linux   •  Mobile  :  iOS,  Android,  Symbian,  Win  Mobile,  Blackberry   – 한 계정 당 무료로 2GB까지 지원   •  자동 동기화 및 사용자 간 자료 공유   h.p://forensic.n0fate.com  
  • 4. forensicinsight.org   Dropbox  Feature   •  Previous  Version   – 각 파일에 대한 버전 기록을 유지함   – 변경한 사용자, 호스트 명, 시간, 용량 정보   h.p://forensic.n0fate.com  
  • 5. forensicinsight.org   Dropbox  Feature   •  Recovery  deleted  files   – 삭제된 데이터는 최대 30일(팩랫:무제한) 보관   h.p://forensic.n0fate.com  
  • 6. forensicinsight.org   Dropbox  Forensics   •  Dropbox의 데이터는 디스크에 저장   – 디스크 이미지에서 각 파일을 접근할 수 있음   – 별다른 문제 없이 분석을 진행할 수 있음   •  삭제된 파일은?   – ‘.dropbox.cache’에 삭제한 파일을 기록   – Dropbox 페이지에 버전 정보 기록   h.p://forensic.n0fate.com  
  • 7. forensicinsight.org   Show  deleted  files   •  삭제된 파일은 ‘.dropbox.cache’에 저장   – 동기화 후 이동/수정/삭제된 파일 저장   – 최대 3일간 데이터를 유지   n0fate-MacBook-Air:~ n0fate$ cd Dropbox/.dropbox.cache/ n0fate-MacBook-Air:.dropbox.cache n0fate$ ls 2013-08-16 2013-08-17 n0fate-MacBook-Air:.dropbox.cache n0fate$ cd 2013-08-16 n0fate-MacBook-Air:2013-08-16 n0fate$ ls 2013 디지털 포렌식 기술 동향 (deleted 60f35a91ffee07c883802a5920aa553f).pptx 2013 디지털 포렌식 기술 동향 (deleted eafa23ac8430ffa0cfb77d847926c0bf).pptx 3E4E51888FB14B239407637B07A3D035 (deleted 2bdac50f2409a961cbefaa83ada787c8).doentry 43B030297C994934B65199C78C8C8F75 (deleted b78f5a24a5cf8f2f18611a764f67b767).doentry n0fate-MacBook-Air:2013-08-16 n0fate$ file * 2013 디지털 포렌식 기술 동향 (deleted 60f35a91ffee07c883802a5920aa553f).pptx: Zip archive data, at least v2.0 to extract .....<snip>... 43B030297C994934B65199C78C8C8F75 (deleted b78f5a24a5cf8f2f18611a764f67b767).doentry: XML document text h.p://forensic.n0fate.com  
  • 8. forensicinsight.org   Dropbox  Forensics   •  공격자가 해당 폴더 Wiping 수행한 경우?   – 해당 디렉터리의 정보가 zero-­‐out되기 때문에 분석할 수 없음   – 다른 요소를 이용하여 최대한 분석 필요   •  존재할 수 있는 요소   – 계정 정보   – 파일 목록(존재하는 / 삭제된 파일)   – 파일 동기화 여부   h.p://forensic.n0fate.com  
  • 9. forensicinsight.org   filecache.dbx   •  SQLite3  Database  format   •  file_journal  table  (<2013)   – Containing  a  lis_ng  of  all  directories  and  files   – Synchroniza_on  informa_on   – Only  the  live  files,  not  deleted  ones   – Recovery  deleted  record  though  SQLite3  Carving   •  In  early  2013  Dropbox  released  an  update  that   encrypted  this  file   h.p://forensic.n0fate.com  
  • 10. forensicinsight.org   filecache.dbx •  SQLite3  DB  Browser로 내용 확인 불가능   – Hex  Editor에서 정상적인 파일로 보이지 않음   •  데이터 암호화로 인해 올바른 해석 불가   – Sqlite3  Database  Encryp_on  기술을 이용   – User  Password  기반의 Database  Key를 생성하여 모든 데이터베이스 암호화   – 역으로 키를 생성하여 복호화를 수행해야 함.   h.p://forensic.n0fate.com  
  • 11. forensicinsight.org   Client Database  Key  Genera_on   (Windows) •  User  key  genera_on h.p://forensic.n0fate.com    HMAC  Key   (고정 값) version Registry  Path   HKCUSOFTWAREDropboxks Payload   length payload HMAC 1.  HMAC 2.  CryptUnprotectData   API valida_on   User  Key
  • 12. forensicinsight.org   hostkeys Database  Key  Genera_on   (Linux) •  User  key  genera_on h.p://forensic.n0fate.com    HMAC  Key   (고정 값) version File  Path   /home/<USER>/.dropbox/hostkeys payload HMAC 1.  HMAC 2.  AES-­‐128  with  CBC valida_on User  Key Ini_al  Vector   (고정 값) Unique  Key   md5(“ia9’<hostkeys   FILEPATH>Xa|ui20”)
  • 13. forensicinsight.org   Database  Key  Genera_on   (Windows/Linux) •  Database  Key  genera_on h.p://forensic.n0fate.com    Salt   (고정 값) Itera_on  Count   (1066) PBKDF2 User  Key passphrasesalt Itera_on   Count DB  Key   (16bytes)
  • 14. forensicinsight.org   Decryp_ng  SQLite  DBX •  SQLite  Encryp_on  Extension  (SEE)   – Read  and  write  encrypted  database  files   – All  data  and  the  metadata  is  encrypted   – So  outside  observer  the  database  appears  to   contain  white  noise   – Public  version  of  SQLite  will  not  be  able  to  read  or   write  an  encrypted  database  file h.p://forensic.n0fate.com   Link  :  hip://www.sqlite.org/see/doc/trunk/www/readme.wiki
  • 15. forensicinsight.org   Decryp_ng  SQLite  DBX RC4 AES-­‐128-­‐OFB AES-­‐256-­‐OFB AES-­‐128-­‐CCM h.p://forensic.n0fate.com   DB  Key   (16bytes) Encryp_on  mode   (default  :  AES128OFB) Product  Ac_va_on  Key   (7bb07b8d471d642e)
  • 16. forensicinsight.org   Tools  (Online)   •  A  Cri_cal  Analysis  of  Dropbox  Security를 발표 한 newsom 멤버가 개발   – hips://github.com/newsom   •  Tool   – Dropbox  DB  Key  Generator  :  dbx-­‐keygen-­‐ windows/linux  (Mac  OS  X는 없음)   – DBX  Decryptor  :  sqlite3-­‐dbx   h.p://forensic.n0fate.com  
  • 17. forensicinsight.org   Tools  (Online)   •  시연   h.p://forensic.n0fate.com  
  • 18. forensicinsight.org   Dropbox  Decryptor  (Offline)   h.p://forensic.n0fate.com  
  • 19. forensicinsight.org   Dropbox  Decryptor   •  When/Who  :  March,  1,  2013,  Magnet  Forensics   •  Requirements   –  filecache.dbx  file   •  [root]Documents  and  SeqngsusernameApplica_on  DataDropbox   on  XP,  or  [root]UsersJadAppDataRoamingDropbox  on  Vista   –  The  en_re  protect  folder  for  that  user   •  [root]Documents  and  SeqngsusernameApplica_on  DataMicrosom   on  XP,  or  [root]UsersJadAppDataRoamingMicrosom  on  Vista/7   –  A  file  containing  the  raw  bytes  from  the  Dropbox  ‘client’  value   under  the  ‘ks’  key  in  registry   •  registry/NTUSER.dat  file  (full  path  is  HKEY_CURRENT_USERSomware Dropboxks   –  User’s  windows  login  password   h.p://forensic.n0fate.com  
  • 20. forensicinsight.org   Dropbox  Decryptor   CryptProtectData   h.p://forensic.n0fate.com   Master  Key  Storage   Folder   (Protected  Folder) Encrypted   Master  Key salt login  creden_al   Algorithm  :  AES-­‐256   HMAC  :  SHA512   Itera_on  count  :  5600 Master  Key Password   SID   PBKDF2 salt   hCp://www.passcape.com/index.php?secMon=blog&cmd=details&id=20  
  • 21. forensicinsight.org   Dropbox  Decryptor   h.p://forensic.n0fate.com  
  • 22. Q  &  A Homepage  :  forensic.n0fate.com   E-­‐Mail  :  n0fate@n0fate.com
  • 23. forensicinsight.org   Reference •  Florian  LEDOUX,Nicolas  RUFF.  Applica_on   Security  Forum  2012.  A  Cri_cal  Analysis   Dropbox  Security.  2012.   •  Dhiru  Kholia,  Przemyslaw  Wegrzyn.  Looking   inside  the  (Drop)  box.  2013.