Sunday, July 21, 2013

Daily Blog #28: Sunday Funday! 7/21/13

Hello Reader,
           It's that time again, Sunday Funday time! For those not familiar every Sunday I throw down the forensic gauntlet by asking a tough question. To the winner go the accolades of their peers and prizes hopefully worth the time they put into their answer. This week we have quite the prize from our friends at Magnet Forensics.

The Prize:
The Rules:
  1. You must post your answer before Midnight PST (GMT -7)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful 
The Challenge:
    Since Magnet is providing the prize I wanted to create a challenge that would help others understand the pain point their tools can solve.I originally bought IEF because of its ability to handle JSON artifacts into well parsed output, before that I had to carve them out myself and write code to make sense of it. IEF has made dealing with these things much easier for me and in most cases is the second thing I run after making the forensic image. With that said here is the challenge.

For a Windows 7 system:
1. Describe the Gmail JSON format and how you would recover it
2. Describe where in the disk you would expect to find Gmail JSON fragments
3. Which services popular in forensic investigations utilize JSON
4. Provide a carve signature for the header and footer of a Gmail JSON
5. Describe what Gmail's JSON would reveal to you

    'Web 2.0' as they call it has been both good and bad for us as forensic examiners, its time to see how much you know about it's artifacts! Good luck!