Virtual machines are everywhere, no longer just confined to the corporate environment. It is not unheard of for consumers to use virtualization software on their personal devices these days. Examination of these VMs does not differ much from normal host investigations. Tools, like FTK Imager, support common virtualized HDDs and can be used to preserve and review them. But what happens when a VM is encrypted and password-protected? Compound the issue with an uncooperative custodian and it may be time for more creative solutions. Thankfully, VMware, a popular virtualization program, can create an artifact on the host operating system that gives us insight into what applications are installed on the VM.
Most web applications track account activity. These can alert the user to suspicious activity and provide the investigator a built-in audit log to review. This information is often volatile and may roll off after some time. Knowing where to find this information can prove vital as it may provide useful clues. This post describes where to find login activity details for popular websites. The table below provides a high-level summary of our findings.
How often are you tasked with reviewing large data sets in less than ideal (or even terrible) formats? Everyone has likely had to review logs containing many tens of thousands of lines at one point or another. We may not have time or budget (or patience) to review every line in a text editor. What do you do?
In the previous post (accessible here), we introduced Box, the various applications we can use with it, and browsing artifacts generated by it. In this post, we will introduce Box Edit and Box Sync which can be used to interact with Box locally on Windows. Let’s jump right in with Box Edit.
Cloud storage, like email before it, has gained wide acceptance and general adoption by consumers. Whether that is Google Drive, Amazon Drive, iCloud, Dropbox, or OneDrive, there are abundant options from which to choose from. One reason these services have become popular is the ease at which you can share and access important files on any device. That same benefit, however, can be used with malicious intent to extradite data from corporate or protected environments. In this post, we will explore the Box cloud service on Windows and discuss artifacts created as a by-product of its usage.
The Legal Review series answers questions often posed about evidence with high-level descriptions of forensic artifacts.
What programs were run on the machine? This is a common question that is relevant in most investigations. Application execution gives insight into the normal usage of a particular computer. Just as importantly, examining forensic artifacts associated with application usage can also reveal abnormal behavior. Knowing what a user did regularly or even immediately leading up to their departure from a company can be telling. Did they use a wiping utility to cover their tracks? Did they use cloud software to extract intellectual property? For our purposes, we will discuss this in the context of Windows operating systems and the prefetch and userassist artifacts.