
Daily Blog #29: 7/21/13 Sunday Funday Winner!

Hello Reader,
I think I may have been a bit too harsh in the last contest, so I'll work to make these either doable in a couple of hours or spread out over more days in the future. For those who were hesitant to enter, you should know the winner was the only person who submitted an answer, and you might have been able to answer more completely! Also, this is the first time I've received a request from someone to submit an answer anonymously, a request I have accepted and will change the rules to allow going forward.

Why allow anonymous entries? Many of us are testifying experts, and we still want to participate in the community without providing fodder for cross examination. I'm largely past this point: with the amount of written material I've put out, it's just a fact of life that opposing counsel is going to quote something I've written in a book or blog to see if he can trick me. So for those of you worried about your contest entries being used against you, I will handle anonymous entries as follows:

1. You must email me your response before the deadline
2. If you want to be eligible to receive the prize I have to know where to send it
3. If you do win I need to know how you would like to be credited

Regardless of anonymous or not I will post the winning answer the following day.

So with that said, here was yesterday's challenge:
For a Windows 7 system:
1. Describe the Gmail JSON format and how you would recover it
2. Describe where in the disk you would expect to find Gmail JSON fragments
3. Which services popular in forensic investigations utilize JSON
4. Provide a carve signature for the header and footer of a Gmail JSON
5. Describe what Gmail's JSON would reveal to you

Here is the winning answer:
1. Describe the Gmail JSON format and how you would recover it

Gmail JSON (and JSON primer)
As I understand it, it changed as recently as this month. Gmail recently reconstructed their front end and I would expect it to result in new JSON.

As you know, JavaScript Object Notation works by pairing object names with their values. It can be thought of as tags and lists. Programmatic objects have names and content. The content can be values, lists or other objects. The object names are referenced by the calling function and the JSON file can be used to populate the value(s). All JSON files will be ASCII by default and as such have no defined "file signature", but that said they will all contain data structures defined by open and close square brackets and, in the event of scripting code, structs defined by open "{" and closing "}" squiggle brackets.

The opening is generally followed by a CRLF, thus we could grep for \x7b\x0d\x0a. The CRLF is optional.

Old Gmail JSON used many documented tags and included server, account name, attachments and message body (to name a few). Conveniently they all started with (no quotes) "while(1); ". The format for the value pairs was (and may still be…):
\["[a-z][a-z]?",
Of most interest is the ["mb", tag = message body
["gn" = account name

2. Describe where in the disk you would expect to find Gmail JSON fragments

Allegedly this information is not supposed to be cached to disk, but (version dependent) it can be found in temporary internet (or wherever your browser of study puts its temp files, e.g. Mozilla\profiles\\cache).
The actual mail will often be found as mail[x].htm.
Pagefile, unallocated and hiberfil are also good places to look for the fragments.
Still working on the footer question (and in fact the piece of research I need to do for my case).
In short, JSON may be used to render the entire email, so not only will you get email content but folders, quotas, version, display options and more…

5. Describe what Gmail's JSON would reveal to you

Balance of documented tags (from SANS John McCash):
["gn", = Account Name
["st", = Server name
["qu", = Account Quota
["ds", = Folders
["t", = Message List (Thread)
["cs", = Conversation Summary
["mi", = Message Information/Index
["mb", = Message Body (This is where the meat is)
["ma", = Message Attachments (Number & Filenames)
while(1); = GMail Data Packet header (beginning of file)
["i", = Invitation
["ft", = Fast Tip (no I don't know what that means)
["ct", = Categories/Labels/Contacts
["ts", = Thread Summary (Similar to Conversation Summary)
["te", = End of Thread List
["v", = GMail Version
Also not asked for but very interesting is the Apple WebKit path (?? away from forensic box and docs) but along the lines of users/library/application data. What's cool is that this is a mail (and includes Gmail) rendering engine that stores pieces of Gmail in a SQLite DB. The DB includes the first couple of lines (as presented on the iOS device) of an email as well as conversations, senders, recipients and dates. One caveat: the WebKit builds conversations based on subject line, thus if we have an email subject "Sunday funday" and I send one to you and another totally different email to John Smith, the WebKit SQLite DB will include both the names as part of the conversation when in fact no single email went to both parties. But of interest, this is the storage for the JavaScript and rendering of webmail. This becomes particularly valuable when dealing with iPad 2 and > or iPhone 4s and greater, as no tools I am aware of are getting email off those devices, but WebKit data can be found in all iOS devices (I will check my MacBook and get back to you on that… I think it's there as well).
Now this was not a complete answer, but it was a good answer! I plan to take the time to fully write out what I would consider a full answer this week, as it seems this very important set of artifacts isn't as well understood as I thought. While Magnet Forensics' IEF tool solves this pain point for getting reviewable webmail results for me, you still need to understand the JSON format to find partial fragments that a carver won't locate and to understand what else is possible or available to recover.
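As an added example (not code from the post or from the contest entry), here is a small Python carver that applies the signatures the answer gives: the while(1); packet header, the optional CRLF after it, and the ["xx", value-pair pattern, run over a constructed byte buffer standing in for a slice of pagefile or unallocated space. The 4096-byte window cap and the sample bytes are assumptions, since the post has no footer signature; values are cut at the first non-ASCII byte and at the next tag, so a fragment truncated mid-body is still recovered.

```python
import re

# Meanings of the tags listed in the winning answer above.
TAG_MEANINGS = {"gn": "account name", "st": "server name", "qu": "account quota",
                "ds": "folders", "t": "message list (thread)", "cs": "conversation summary",
                "mi": "message information/index", "mb": "message body", "ma": "attachments",
                "i": "invitation", "ft": "fast tip", "ct": "categories/labels/contacts",
                "ts": "thread summary", "te": "end of thread list", "v": "Gmail version"}
HEADER = re.compile(rb"while\(1\);(?:\r\n)?")   # packet header; CRLF after it is optional
TAG = re.compile(rb'\["([a-z]{1,2})"[,\]]')    # the answer's \["[a-z][a-z]?", plus bare ["te"]
MAX_FRAGMENT = 4096  # assumed cap, since there is no reliable footer to carve to

# Constructed sample imitating a slice of pagefile/unallocated space: two fragments
# surrounded by binary slack, the second one cut off in the middle of a message body.
SAMPLE = (b"\x00\x00\xff\xfeslack\x00"
          b'while(1);\r\n[["v","c0nstructed"]\r\n,["gn","examiner@example.com"]\r\n'
          b',["qu","25 GB"]\r\n,["mb","Hello, this is the message body"]\r\n'
          b',["ma",1,"report.pdf"]\r\n,["te"]]\r\n\xde\xad\xbe\xef unrelated'
          b'while(1);[["gn","bob@example.com"],["mb","partial mess')

def find_headers(buf):
    """Offsets of every Gmail data-packet header in the buffer."""
    return [m.start() for m in HEADER.finditer(buf)]

def ascii_run(raw):
    """Cut at the first non-printable byte: the JSON is ASCII, the slack around it is not."""
    for i, b in enumerate(raw):
        if not (0x20 <= b < 0x7F or b in b"\r\n\t"):
            return raw[:i]
    return raw

def carve_fragment(buf, offset):
    """Carve (tag, meaning, value) records from the header at `offset`.
    The window stops at the next header, MAX_FRAGMENT bytes or the ["te" tag; a value
    runs from its tag to the next tag, so a truncated message body is still recovered."""
    nxt = HEADER.search(buf, offset + 1)
    window = buf[offset:min(offset + MAX_FRAGMENT, nxt.start() if nxt else len(buf))]
    matches = list(TAG.finditer(window))
    records = []
    for i, m in enumerate(matches):
        stop = matches[i + 1].start() if i + 1 < len(matches) else len(window)
        value = ascii_run(window[m.end():stop]).rstrip(b",\r\n ]").decode("ascii")
        tag = m.group(1).decode("ascii")
        records.append((tag, TAG_MEANINGS.get(tag, "unknown tag"), value))
        if tag == "te":
            break
    return records

def carve_all(buf):
    """Every fragment in the buffer as (header offset, records)."""
    return [(off, carve_fragment(buf, off)) for off in find_headers(buf)]
```

Run carve_all over a raw pagefile or unallocated-space dump read as bytes to list each header offset with its recovered account name, quota and message body.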

Hope you enjoyed the contest and that you'll participate in this week's Forensic Lunch webcast on Friday and next week's Sunday Funday. I'm reaching out to other companies whose products I like and use in my own investigations to see if they want to step up as Magnet Forensics has and provide prizes to those of you willing to put in the time to share your knowledge through these Sunday Funday contests!
