Thursday, August 1, 2013

Daily Blog #39: Web 2.0 Forensic Part 4

Hello Reader,
      I finally got fiddler installed, its windows only and available here http://fiddler2.com/get-fiddler, and it is much improved over the last time I used it! It even has a ajax and xml decoder built in now which is a pretty huge improvement. In this post we are going to focus on what network data is actually being transmitted between the web client and the web 2.0 web application so you can see the raw data that your browser will be parsing and storing in memory/pagefile/hiberfil. Note that if you want to do this time of testing at home you will need a SSL proxy like fiddler in order to capture the traffic, a network sniffer will just see encrypted traffic.

This is what the request for an inbox view looks like in gmail:
POST https://mail.google.com/mail/u/0/?ui=2&ik=21fc62e736&rid=mail%3Ai.7728.0.1&view=cv&th=1403b5ce42ebf543&th=140395ee6229f7d4&th=1403631f3703e936&th=140344ed98e4eaa3&th=140303866b4ce541&prf=1&_reqid=167197&nsc=1&mb=0&rt=j&search=inbox HTTP/1.1
Host: mail.google.com
Connection: keep-alive
Content-Length: 0
X-Same-Domain: 1
Origin: https://mail.google.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
X-Chrome-Variations: CM21yQEIhLbJAQiptskBCIaEygEIt4XKAQ==
Referer: https://mail.google.com/_/mail-static/_/js/main/m_i,t,it/rt=h/ver=zDJLUK9Vw_8.en./sv=1/am=!Lt4ru3nDBdL0RMHSG0tdRQM1xOP0KmwcZtPFWYZIAZLMmkQ7GBAA95rDr4ZmlpWnYLsjYcfQ/d=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
 Cookie Removed

This the header of the response:
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Set-Cookie: Cookie Removed 
Domain=mail.google.com; Expires=Thu, 15-Aug-2013 23:39:57 GMT; Path=/mail; Secure; HttpOnly
P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/bin/answer.py?answer=151657 for more info."
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Thu, 01 Aug 2013 23:39:57 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 46023
Server: GSE
This is the raw data that is transmitted containing the inbox mail data that you can recover and tools like IEF automatically recover for you:
)]}'
[[["v","zDJLUK9Vw_8.en.","8","dd1cc0830f5f7b2d"]
,["di",710,,,,,[]
,[]
,,,[]
,[]
,[]
]
,["cs","1403b5ce42ebf543","1403b5ce42ebf543",1,,,1375387947676000,"1403b5ce42ebf543",["1403b5ce42ebf543"]
,[]
,[]
,[["1403b5ce42ebf543",["^all","^i","^smartlabel_group","^unsub"]
]
]
,,,[]
,[["","examplegooglegroup@googlegroups.com"]
]
,,,[]
,[]
,,,"Abridged summary of examplegooglegroup@googlegroups.com - 1 Message in 1 Topic","[DFIR] Abridged summary of examplegooglegroup@googlegroups.com - 1 Message in 1 Topic"]
,["ms","1403b5ce42ebf543","",4,"examplegooglegroup@googlegroups.com","","examplegooglegroup@googlegroups.com",1375385478000,"Today's Topic Summary Group: http://groups.google.com/group/examplegooglegroup...",["^all","^i","^smartlabel_group","^unsub"]
,0,1,"[DFIR] Abridged summary of examplegooglegroup@googlegroups.com - 1 Message in 1 Topic",["1403b5ce42ebf543",["Abridged Recipients \u003cexamplegooglegroup@googlegroups.com\u003e"]
,[]
,[]
,["examplegooglegroup@googlegroups.com"]
,"The complete message was located here ",[[]
,[0]
,"",[]
]
,0,[[]
,[["Abridged","examplegooglegroup@googlegroups.com"]
]
After this each message inbox entry and message preview will be listed in sequence and the response ends with:
]
,-1,,,,"google.com",,[]
,[]
,0,""]
,["ce"]
,["e",18,,,45978]
],'fce167f9fb9f05f']

Tomorrow let's talk about whats contained in these fields and what a good regular expression to recover the data, heck maybe a foremost rule to automate the recovery for you. Or you can do what I do and get a copy of IEF rather than try to keep up with all the changes that are made to their data formats.