Daily Blog #29: 7/21/13 Sunday Funday Winner!

Sunday Funday Winner! by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
         I think I may have been a bit to harsh in the last contest, I'll work to make these either more doable in a couple hours or span them out over more days in the future. For those who were hesitant to enter you should know the winner was the only person who submitted an answer and you might have been able to answer more completely! Also this is the first time I've received a request from someone to submit an answer anonymously, a request I have accepted and will change the rules to allow going forward.

Why allow anonymous entries? Many of us are testifying experts and we still want to participate in the community without providing fodder for cross examination. I'm largely past this point as with the amount of written material I've put out its just a fact of life that opposing counsel is going to quote something I've written in a book or blog to see if he can try to trick me. So for those of you worried about your contest entries being used against you I will handle anonymous entries as follows:

1. You must email me your response before the deadline.

2. If you want to be eligible to receive the prize I have to know where to send it to.

3. If you do win I need to know how you would like to be credited

Regardless of anonymous or not I will post the winning answer the following day.

So with that said, here was yesterday's challenge:

For a Windows 7 system:

1. Describe the Gmail JSON format and how you would recover it.

2. Describe where in the disk you would expect to find Gmail JSON fragments.

3. Which services popular in forensic investigations utilize JSON.

4. Provide a carve signature for the header and footer of a Gmail JSON.

5. Describe what Gmail's JSON would reveal to you

Here is the winning answer:
1. Describe the Gmail JSON format and how you would recover it
Gmail JSON (and json primer)
As I understand it, it changed as recently as this month. Gmail recently re-constructed their front end and I would expect it to result in new json.

As you know Java Script object notation works by pairing object names with their values. Can be thought of as tags and lists. Programmatic objects have names and content. The content can be values, lists or other objects. The object names are referenced by the calling function and JSON file can be used to populate the value(s). All Json files will be ascii by default and as such have no defined “file signature” but that said they will all contain Data Structures defined by open and close square brackets and in the event of scripting code, structs defined by open squiggle  “{“  and closing “}” squiggle brackets

Opening is generally followed by a crlf Thus we could grep for \x7b\x0d\x0a
The crlf is optional.

Old gmail json used many documented tags and included server, account name, attachments and message body (to name a few)
Conveniently they all started with (No Quotes) “while(1); “
The format for the value pairs was (and may still be… )
 Of most interest is the [“mb”, tag = message body
[“gn” = account name

2. Describe where in the disk you would expect to find Gmail JSON fragments 

Allegedly this information is not supposed to be cached to disk. But (version dependent) can be found in temporary internet (or wherever your browser of study puts its temp files… eg Mozilla\profiles\\cache.
The actual mail will often be found as mail[x].htm
Pagefile, unallocated and hiberfil are also good places to look for the fragments.
 Still working on the  footer question (and in fact the piece of research I need to do for my case)
 In short, json may be used to render the entire email so not only will you get email content but folders, quotas, version, display options and more….

5. Describe what Gmail's JSON would reveal to you

Balance of documented tags (from SANS John McCash)
Account Name
Server name
Account Quota
Message List (Thread)
Conversation Summary
Message Information/Index
Message Body (This is where the meat is)
Message Attachments (Number & Filenames)
GMail Data Packet header (beginning of file)
Fast Tip (no I don't know what that means)
Thread Summary (Similar to Conversation Summary)
End of Thread List
GMail Version
  Also not asked for but very interesting is the apple webkit.Path.. (?? Away from forensic box and docs) but along the lines of …… users/library/application dataWhats cool is that this is a mail (and includes gmail)  rendering engine that stores pieces of gmail in sql lite db.The DB includes the first couple lines (as presented on ios device) of an email as well as conversations, senders, recipients and dates.One caveat… the webkit builds conversations based on subject line thus if we have an email subject “Sunday funday”  and I send one to you and another totally different email to John smith, the webkit SQLLite DB will include both the names as part of the conversation when in fact no single email went to both parties.But of interest… this is the storage for the javascript and rendering of webmail.This becomes particularly valuable when dealing with ipad 2 and > or iphone 4s and greater as no tools I am aware of are getting email off those devices but webkit data can be found in all ios devices (I will check my mac book and get back to you on that … I think its there as well) 
Now this was not a complete answer but it was a good answer! I plan to take the time fully write out what I would consider to be a full answer this week as it seems this very important set of artifacts isn't as understood as I thought. While Magnet Forensics IEF tool solves this pain point for getting reviewable webmail results for me, you still need to understand the JSON format to find partial fragments that a carver won't locate and to understand what else is possible/available to recover.

Hope you enjoyed the contest and you'll participate in this weeks Forensic Lunch webcast on Friday and next weeks Sunday Funday. I'm reaching out to other companies whose products I like and use in my own investigations to see if they want to step up as Magnet Forensics has and provide prizes to those of you willing to put in the time to share your knowledge through these Sunday Funday contests!

Also Read: Daily Blog #28

Post a Comment