Red Team Village - Enumerating Cloud File Storage Gems
Formal Metadata
Number of Parts: 374
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/49168 (DOI)
Transcript: English (auto-generated)
00:00
Cloud File Storage Gems. I'm Michael Wiley, Director of Cybersecurity Services at Ritchie May Technology Solutions. Prior to joining the firm, I owned a boutique cybersecurity firm in Los Angeles, California, where I performed penetration tests, red team engagements, phishing campaigns, social engineering, and so on. These days, I do a bit more around compliance, digital forensics, incident response,
00:21
and security architecture. I've got plenty of certifications I've collected over the past few years, and I enjoy what I do tremendously. I encourage you to connect on LinkedIn and follow me on Twitter. Those are probably the best two ways to get ahold of me after this talk. About Ritchie May.
00:40
Well, the firm was founded 30, going on 35 years ago as a tax and audit firm. A while ago, it transitioned into business advisory, and during that process, the firm realized that they wanted to advise their clients on technology and cybersecurity. They brought in my boss, who's a former CISO. They acquired my firm and a couple of others
01:00
to build the team that I work with today. I focus on the media entertainment industry, while the firm's other niche is the financial sector. So I get to work with a lot of studios and vendors that make the movies you love happen. Some of the learning objectives we're gonna go over in this talk. We're gonna learn what file artifacts are available in cloud file storage applications.
01:21
We'll see what kind of cloud file storage user activities we can enumerate during a penetration test. We'll be introduced to application logs and what's available there, and examine the difference between cloud file storage providers. So first, I wanna give some credit where credit is due. Some of this I have come up with from my own testing,
01:42
from forensic cases that I've looked at, as well as a lot of reading from other people's work. So just to name a few of those who have created content and things that I have read, come across, looked at their research labs, et cetera. These people are due credit. So why are we talking about cloud file storage solutions?
02:01
Well, back in the day, obviously we had file servers on premise, and that's the, most of the time, the crown jewel is what we're looking at during a test. It could be obviously a database or something else, but a lot of times you're gonna find those juicy gems on a file server. These days, we seem to be doing at Ritchie May a lot of migrations helping customers move away
02:20
from the traditional model of an on-premise file server and trying to utilize some of these cloud file storage solutions like Box, Google Drive, OneDrive, Dropbox, ShareFile, et cetera. And so some of the perceived benefits that organizations get to this and why they're making that transition is that, one, there's protection against disasters for the most part, right?
02:40
So whether it's the pandemic, you can go home and obviously access Google Drive, whereas if you had a file server on premise, you'd have some VPN access or some other way to get to those files. There's a decrease in maintenance. So IT departments don't have to sit there and patch file servers. They don't have to work on ACLs. They don't have to troubleshoot DFS issues,
03:00
sync problems, all those kinds of things. There's also the perceived high availability aspect of it. Sure, cloud can go down from time to time, but for the most part, these cloud file storage solutions have an uptime higher than file servers that are sitting on premise. They're also scalable. So Google will happily sell you an extra terabyte or two terabytes of space with just an increase in your price
03:21
of your monthly subscription. Whereas if you have a traditional file server on premise and you're running out of space, you may have to add hard drives to a RAID cluster or add systems to a cluster or whatever mechanism you're using to get more space. There's also, there's some ease of management, right? You don't have to get into a Windows operating system and adjust file permissions or folder permissions
03:43
or share permissions. You can just basically make a couple of changes from a web interface. There are a couple of uses that we're going to take a look at. And so if you do end up compromising a system and you suspect or see that there was a cloud file storage solution there, you may run into one of two scenarios. One, it may be business authorized.
04:01
So there may be a cloud file storage solution that the business has paid for, implemented and deployed. And there may be some differences then if you find the application installed, but it's a personal account that they have logged in with. So in many cases, I've gone in from both perspectives, offensive or defensive, and we have seen applications installed that were not sanctioned by the organization,
04:21
but it was either an employee who thought they were doing good, or they wanted to just access their files and they downloaded Dropbox or Box or some application and started syncing files. So what are those different solutions out there? Well, we're going to talk about Microsoft OneDrive, Google Drive, Dropbox, Box, and Citrix ShareFile.
04:40
And this, the data here was pulled up from, I believe it was SolarWinds did a study on this, and they outlined small, midsize, or large businesses and which solution they're using. So you can obviously see Microsoft OneDrive, it's baked into Windows 8 and above, so a lot of people are using it. But when you start getting
05:00
to some of the other solutions like Box, you can obviously see they're focusing on larger businesses in that market share. So there's, as I mentioned, there's two different scenarios that we might run across. One is where the remote system that we've compromised, they're running a cloud file storage solution that is sanctioned by the corporate environment. And in that case, there may be CASB or off-site logs
05:23
or other security controls where they're monitoring or controlling what's going on. But we may run across the other scenario on the right-hand side there, where there's the sanctioned cloud applications that may have CASB that is not in line or other security controls, but they're also using a personal version of Google Drive or OneDrive or something like that.
05:43
And that may bypass some of those shadow IT or security controls that the defenders put in place. So what are some of these gems that we may uncover as we see that there is a cloud file storage application on a system we've compromised, and what can we get from that?
06:00
Well, if you think of cloud file storage solutions as replacements of file servers, we may see customer data, financials, employee data, HR. You wouldn't believe some of the things that I have seen people store in cloud file storage solutions and with lax security around them. Some of the things that these cloud file storage applications may leave behind that were of interest to us, cached files.
06:22
So whether those files are stored on the cloud or local, but then they were deleted, we may be able to recover these cached files and actually see or recreate some of those files. We may see the local files, we'll get a database with all the files that are stored locally, but more importantly in the cloud as well. So we can see what is out there
06:41
that maybe the user doesn't have stored locally. We'll see file usage and their behavior around those files, what files they're accessing most frequently. We'll be able to find traces of possibly deleted files as well. So as I mentioned, there is either a business or enterprise account, and that may be company issued. There may be additional logging and security controls
07:03
that the security team or IT team has, such as CASB. There's also more logging generally in the cloud if it is a business or enterprise account. Whereas if you stumble upon a free account that someone has on a system you've compromised, it may not be company issued, so there may be no knowledge of it.
07:21
There may be no access to the actual account itself. That may be not synced with Active Directory or LDAP or single sign-on, so we may not be able to gain access to that right away. There's no central visibility by the defenders, though, so they're not going to see the things we're poking around or accessing.
07:40
And then we're also going to be able to find some local logs there. And so the difference between those business enterprise accounts and the personal free accounts is that there's a lot more storage with the business accounts that are built in. Obviously, it depends on what you're paying for, but you might have G Suite. The equivalent to a personal account would be Google Drive. It's not exactly called that. We'll get into that in a second,
08:00
but 15 gigs of free space there. So even if it's not a sanctioned account and someone just installs the Google Drive app, you can have up to 15 gigs of gems you can find there. With Office 365, it comes with OneDrive subscription there. OneDrive Basics, the free alternative with only five gigs. Box, Business, or Enterprise,
08:20
you can have different levels of storage, but you can also get two gigs of free storage with a basic account. Dropbox Pro, the equivalent for a free account is Box Starter. This may have changed since I built this slide a while back. It used to be able to get about 100 gigs of space. I think they have limited that. So let's talk about Microsoft OneDrive first.
08:41
Let's get into it. That's the one that's baked into Windows 8 and above. It must be enabled. So it's installed, but you need to enable it via authentication. So once you sign in, it does a couple of things, adds some registry keys, as well as it creates the OneDrive directory sitting in AppData local Microsoft. So that folder will not be there,
09:01
that directory will not be there until you authenticate with the OneDrive application. Now, if you have a personal account, you're gonna see within AppData local Microsoft OneDrive logs, you're gonna see a personal folder directory. If they have a business version of OneDrive, you're gonna see business one. Now, I believe the reason they do business one
09:23
is because that you can install or sign into more than one account. And so you might see business one, business two, business three, but the primary account should be business one. With Office 365, the defenders do have a unified logging, and it is by default enabled
09:42
from my recollection up to 90 days. Now, from the instance I've been working more recently and what we see with some of like the Mandiant M-Trends and Verizon DBIR reports and whatnot, is that our dwell time is getting better, but it's still pretty long. And so that 90 days of retention may not be enough for defenders to see what's going on,
10:02
especially in the red team engagement. So, but even with a personal account though, there's no central logging from what I can see on the web interface of OneDrive. So all those logs are stored locally. And obviously maybe you can subpoena Microsoft or get whatever logs they have,
10:20
but at least from the availability for IT and security professionals who are trying to investigate what might've happened or who accessed this, it's a bit limited. Right, and so on the left-hand side there, we can see in AppData, local Microsoft OneDrive logs, we've got a couple of different logs that are stored locally on the endpoint. And on the right-hand side, we see the business unified logs.
10:41
So a couple of interesting directories and folders that I've outlined here for you is that some of the things we can see if we've gained access to a system that is syncing with OneDrive is that the user profile slash OneDrive is the default data store of where things are gonna go. If it is an Office 365 or business account, it'll be OneDrive dash and the company name.
11:02
So we'll be able to see what company they work for as well and make sure it's obviously in scope. We'll then see the root directory within the logs directory, which is kind of strange. We'll also be able to see some metadata for local and cloud files. So even if the file is not synced locally,
11:21
we may be able to see it in the sync diagnostics log. There is a big maybe there I'll talk about in a second. And then we're gonna have a DAT and INI file. And for those two files, the actual file name is gonna be the customer ID or the CID of the user. So you'll see with the CID dot DAT, you'll see a list of local and cloud file names.
11:42
So even things that are not synced locally, you'll be able to see those. And the CID dot INI file, we'll be able to see the file store locations and sync time, usage details, and some other metadata there. We're gonna see another file that starts with the CID of the user followed by dash and profile service response dot TXT. That will give us the name, email, CID, email, phone,
12:03
and title, et cetera of the user. That only is the case though for personal accounts. When I tried it with Office 365 or paid versions, I did not get this file. I find that interesting because most people aren't gonna sign in or add their title and phone number and address and stuff like that.
12:20
I'll show you a more detailed version in a second here. And most of the time you're gonna see that as null, but at least you could see the email address that they have associated with OneDrive. And then you're gonna also find an obfuscation string map dot TXT file. And that's gonna be important to map back to obfuscated file names. And I'll show you how that works in a second too.
12:40
So within the sync diagnostics dot log file, I have observed two different types of files, right? And so you may get one of two versions and I think I've narrowed it down, but I haven't had enough test cases to verify this. I'm gonna call one the summary sync diagnostics file and the other one I'm gonna call the details sync diagnostics file.
13:00
And now what I've noticed is that if I install Office 365 OneDrive and I look at the sync diagnostics file, I keep getting the summary version. But if I try a personal version and I've tried multiple labs and syncing it, what I've generally seen is that the first machine you activate OneDrive on
13:21
will have the detailed sync diagnostics log file. And then every subsequent system you sync with will have the summary version. So that's my theory to this point. Again, I need more testing for that. And I'll show you what those look like. So on the left-hand side here, we've got the detailed sync diagnostics log, and you could see that there's, in the bottom part of that,
13:41
there's files and folders that are presumably added or synced. And you could see some type of mount point with possibly a GUID, and then there is a backslash and then a three word string. So far, jump, sue, sue bat, egg, and so on. So those are obfuscated file names,
14:01
and I'll show you how to decode those in a second. On the right-hand side, you have the summary version of the sync diagnostics file. It's not as verbose. You have statistical data, sync progress. You've got last sync time, bytes downloaded, bytes uploaded, that kind of stuff. And so here's, again, a little bit more of the summary version
14:21
where you could see the number of changed folders, deleted folders. It's really high level information there. Now, if you happen to get that detailed version of the sync diagnostics log, what you can go ahead and do is, obviously we don't know what see bat egg is, but you can go ahead and open up that obfuscation string map. And again, all of these files that I'm talking about,
14:40
with the exception of Dropbox, they are all clear text. So these files, it's not something special I've had to open up. The obfuscation string map is just sitting in a directory that anyone can access. And when we look at the sync diagnostics, we're gonna have to take that three word string there, like see bat egg,
15:01
and we're gonna have to go map that to our obfuscation string map text file. And so there we can see that see bat egg essentially equals the desktop. So it looks like a folder was added to sync and that folder was desktop, right? So it's a little bit of work, but you can go ahead and map those back and forth there. Just a little bit more on that obfuscation string map text file.
15:22
I think that last slide showed it in great detail. Okay, and then the CID.dat file of the user, if we open that up, that's gonna show us the list of file names, both locally and in the cloud. So even if it's not synced to the local file system, we could see what that user has access to in the cloud. And it is a little bit challenging to read this .dat file.
15:41
It's not formatted in the greatest way. So you can open it up in a hex editor, and you can even see that searching for strings isn't the best. However, if you use something like strings or bstrings, that will let you go ahead and pull that out, and you can then obviously pipe that to findstr or grep and look for whatever you're interested in, or just manually parse through that.
16:02
Okay, and in the business version though, of the CID.dat file, it's a little bit different. So obviously this last one here is the personal version and we were able to easily see those directory names. With the business version though, it's a little less apparent. And so from what I've seen here, if you open up that CID.dat file,
16:20
the files, it either is a hash or some type of GWT there. And so when I thought maybe it was obfuscated and if I just open up that obfuscation string map text file and correlate that or cross reference it, I was able to find some hits, but it was more so on the deobfuscation side and I wasn't really able to go ahead and figure out what those file names were.
16:41
So it may also be an MD5 hash or some type of GWT. I haven't really been able to figure out how on the business version to see all the file names. Okay, so with Microsoft OneDrive, the CID.ini files I mentioned, it's gonna be a couple of different variables that you're gonna see in there
17:01
depending if it's personal or business, but essentially what you are gonna be able to see is the CID of the user and the location of the URL of OneDrive for that user. You'll be able to see the last time they synced in Unix epoch time. You'll be able to see the sync activity, bytes transferred so you can see how active they are using OneDrive.
17:24
The CID-ProfileServiceResponse file, that one gives us a plethora of information. However, I have not seen this file get created for business or Office 365 accounts. It only seems like it's for personal accounts. If you got the personal account, though, as I mentioned, you're gonna see the display name,
17:41
first name, last name, CID, email address, phone number, title, address, and so much more. However, a lot of those things like job title, when I created my sock puppet account here for OneDrive, it did not ask me for a title or address or phone number. So maybe a user would go into the profile and update that stuff. But by default, that's not a required field
18:02
to create a OneDrive account or a Live account. And so I did not need to do that. Therefore, I didn't fill it out. And that's why you're gonna see a lot of null fields there. So when I ran Regshot and took a look at, well, what registry keys are being created here by OneDrive? We can see that with the business version, we have quite a few registry keys.
18:21
With personal, it's less. And then I did a difference on those. And so the difference is that, or the common is all the way on the right-hand side. And then the registry keys that the personal account had that the business did not have is gonna be the is upgrade available and vault shortcut path. Otherwise, the keys of the personal account had
18:42
were similar to the business account. So the other cool thing you're gonna see if you look at the registry hive, and you can take a look within HKEY_CURRENT_USER\Software\SyncEngines\Providers\OneDrive. On a business account, if you look in there, you possibly are going to see some different random characters.
19:01
It may be a CID or a GUID, but essentially when you look at that, those are items that are shared with the user that you are enumerating. And so what that tells me is that they have received shared files from another user within OneDrive. If you actually do a reg query on any one of those, you're gonna go ahead
19:21
and then get more details about that, such as what the actual share name is. And so we can see there on the mount point where it's located, and it also tells us the name. So it was called something project documents. And then we actually get the URL namespace for that as well that we can go ahead and try. Now, one thing about this,
19:41
whether it's personal or business that I've noticed is that you will have to accept the share, right? So if someone just shares it for you, and you see it in OneDrive online, it doesn't mean that you're gonna see that registry key here created. What happens is you have to click the add share. So if someone shares it with you and you click it to add it to your OneDrive, that action of adding that folder
20:00
will go ahead and then create that registry key on all endpoints that are synced. So I created a second sock puppet account and created a file or a directory called test and added that to this user's OneDrive account. And once I click add, that's when that was created. And with a personal account, unlike the business account where you get more of that long string
20:21
of random characters, with the personal account, you don't even need to go any deeper. Just as soon as you go into the OneDrive key, you're gonna see there's the sub key called test and that was added there. So rather than creating that CID or some unique ID for the share, it's gonna have the actual name of the share in there.
20:40
And then if you actually go into that sub key of test, you're gonna go ahead and see the CID of the user that shared it. So you won't get their email address or username, but you will actually see the CID and maybe you've compromised that other user in the environment. And you can then go ahead and just cross reference that to see who the owner is.
21:01
So Microsoft also has this feature called Space Saver. Back in the early days of cloud file storage, whether it was Google Drive or Box or Dropbox, I'm getting them all mixed up here, you could selectively sync files and folders, but it was kind of a pain if you had nested folders
21:22
and you only wanted certain things synced. I remember I had terabytes of stuff up in Box or Dropbox, one of those solutions, and it was just challenging to figure out on all my computers which ones I wanted to sync or didn't sync. And so a lot of these cloud file storage solutions have adopted the philosophy of caching files.
21:40
And so Microsoft, they have this new solution that allows users to view files and their names, but they're not actually stored on the machine unless you open them; then they're gonna pull them down. So in Dropbox, for example, they have Smart Sync, it's a similar type of feature. If you've ever looked at OneDrive, you'll see those different icons on the status that tell you if it's cloud only,
22:02
always local or cached locally. So let's now talk about Google Drive. So in Google Drive, I keep calling Google Drive just because I'm old school, but really the personal account or personal version of Google Drive is gonna be called Backup and Sync. With business, they have migrated that over. So if you have G Suite, what they're gonna use
22:22
is a tool called Drive File Stream. I tested mostly the personal account just 'cause I didn't have a G Suite account, but they are using SQLite databases rather than text files and registry keys like OneDrive used. So within Google Drive,
22:41
if you are using the business version, the Drive File Stream, what happens is it creates a virtual volume in FAT32 and it mounts that. So it's almost like a mounted drive, as if it were a network share. Synced Google-formatted files, what's interesting about those is that if you actually open up these files like a Google Sheets document
23:01
that was created on the web version, it's going to download that, but you could see the size there of one kilobyte. It's super small in Windows Explorer. And what's happening is that any Google-native files, whether it's presentation, document, if that is a Google-native file type, what's downloaded is not the actual file. What it actually does is kind of like a shell item,
23:22
which has the URL, the doc ID, and the email address associated with that file. And so a couple of cool things is just looking at that, if you open it up in Notepad or a hex editor, you should be able to see the actual file path to get to that Google Drive link or that document. You'll see the ID, which isn't super relevant,
23:40
but you also could see the email address associated with that, which is kind of cool. Okay, some of the other files and folders and databases and stuff that we'll see: in the sync_config.db, we'll see the user info, their preferences, initial application install information, so when they installed Google Drive. In the cloud_graph.db database,
24:02
we'll see metadata for local, cloud and shared files and folders, which is cool. sync_log.log is files added, deleted, modified, renamed within Google Drive. The snapshot.db database has local file metadata within it. The content_cache directory
24:22
has local file caches for G Suite users only. So we can actually see content that possibly has been deleted. And then within the metadata_sqlite_db, we'll see offline files, cloud, and deleted file metadata. So if we look at that sync config database,
24:41
there's a couple of things just to look at to identify who the user is. We can see their user email address and some of the sync time, the application version, to see if there's any vulnerabilities with that. So it'll look something like this if you open it up with DB Browser for SQLite. And within the cloud graph database, we'll see things like the Google Drive document IDs,
25:02
which are unique file and folder object IDs. We'll see file names, the original or human-readable file names. We'll see the time when the file was added to Google Drive. Most of the stuff we're gonna take a look at with timestamps, time and date stamps are gonna be in Unix epoch times. Just keep that in mind. And the ACL role column,
25:22
we're gonna see whether or not the user you're looking at is the owner of the file or it's a different user. So whether someone else shared it with that user or not. And probably the most verbose piece and more so than any other solution will look at is the doc type column within this database. And so if you look at the cloud graph entry table
25:41
within this database, that's gonna go ahead and give you the doc type column. And there you're gonna see different numeric values. And those are gonna tell you whether the object you're looking at is a folder, a traditional file. So let's say PDF or Microsoft Word document. And then the numbers two through 13 are reserved for Google native files.
26:02
So it'll actually tell you whether or not it was a Google native presentation, which would be a number two. Four would be a Google native spreadsheet, so Google sheets. And then six would tell you if it's a Google Word document, essentially, a native Google Word document. And then the removed column, I could not get that to fire off.
26:22
So when I deleted things locally on the cloud, I wasn't getting any modification of that column. And then Google also gives you an MD5 hash. Most of the other solutions will give you a SHA-1 hash, but Google gives you the MD5 hash of that file that you're looking at, which could be useful in certain situations. Here's an image of what it would look like
26:40
if you open it up in DB browser for SQLite, all the columns I was talking about. And then our synclog.log file is insight into users' activity in their personal accounts. So whether they are creating files, deleting files, modifying files, renaming files, changing files, and so on, changing ownership, it is a bit messy and convoluted.
27:01
So I do recommend you either grep it out or you put it in some type of SIEM where you can manipulate the data and get what you're looking for. I do recommend grepping or parsing for keywords such as action.create, action.delete to try and find things for you. The sync_log.log also gives us other things about direction.
27:20
So it'll tell us whether the file was first added to Google Drive or if it was added locally by the user and then uploaded to Google Drive, whether or not it's shared with other users in the organization. And then the other thing you can grep for or parse for is name=u' and then single quotes around the file name you're looking for. So if there's a specific file name
27:41
or you wanted to do a wildcard like pass or password, you could obviously do that format as well and just parse out any words that have those keywords that you're looking for, which is definitely helpful when you're looking for sensitive data on a pen test. Okay, and here's just an example I wanted to show you. If you're taking a look at the synclog.log, I use Sumo Logic just to do a log reduce,
28:02
and so we could see some of those actions. In this case, we can see that there was 22 download actions that were taken. So something was pulled from Google Drive to the local system, and you could just kind of get like a count on the different activities there. But again, however you want to do this, trying to figure out what's going on
28:21
or every use case is going to be different for what you're looking for if you're using this on a penetration test or a red team engagement. The snapshot.db, we're going to get all kinds of stuff here. There's another database that we just looked at prior that was very similar. The thing that this database adds is that we're going to also be able to see whether or not the item is shared with other users.
28:41
So that's some additional functionality we get with the snapshot.db database. Here's a screenshot of what that would look like if you're looking at it with DB Browser for SQLite. Now, one thing you can do is you can recreate the folder structure that the user would be seeing within Google Drive here. And so looking at some of these,
29:01
you might see the doc IDs, but not really know if this document you found is within this folder or where it is sitting. And so looking at the cloud relations table within, I believe it's within snapshot.db and cloud_graph.db, you'll be able to then see the child and parent doc ID, and you can recreate some of these things
29:21
and figure out where these objects are stored. And so it's not super straightforward, and I don't have an expedited process for you here just with my testing, but this is what you would do: if you take the cloud entries, or whatever you're looking at there, you'd see that there's a document called finance or a document called the Mike Wiley something,
29:42
and you would then have to go over to the cloud relations table. And in there, we can then map those like I have on the screen, and we can see which files are in which folders or are they in the root or where are they sitting within Google Drive. Let's go ahead and take a look at Dropbox real quick. Now I did not do a lot of testing on Dropbox
30:03
because one, time constraint, two, I was having issues with how Dropbox is handling their databases. So kudos to Dropbox. Since 2011, they've been using encrypted SQLite databases. So they're using the SQLite Encryption Extension, SEE, since 2011.
30:22
So all these other solutions we have talked about and are going to talk about is that anyone who has access to the databases or log files can see all of these artifacts, activity and file names and whatnot. Whereas with Dropbox, that is protected. Now the key is stored in registry and it's encrypted using Windows Data Protection API, DPAPI.
30:44
And so there's a couple of options. You can either brute force the password, good luck. Some of you probably have rigs way better than mine that can go ahead and do that. But that didn't seem feasible to me in my time constraints. You could also then extract DPAPI from memory. There is another talk about that, where this worked.
31:03
I tried to follow some of the stuff from the DC WinDB toolkit to extract those keys, but I didn't have success with that in the limited time I had for testing. So what you can do is look at some of the Dropbox.cache files.
31:20
Those contain miscellaneous temporary cache files that possibly were deleted by the users. I was able to get to some of that stuff without obviously having to get through encryption or find the decryption keys. The logging, or sorry, the deletion on files that are local. So if you go ahead and delete something,
31:41
it's gonna send it to the local recycle bin on Windows machines, and that does not get purged. So unless obviously the user purged it, whereas on the cloud, if a user deletes something, it goes to the cloud recycle bin, a trash can, and it's gonna sit there for 30 to 120 days, depending on their subscription level and how much they're paying. But locally though,
32:01
it could still be sitting in the recycling bin. So if you are looking for something, I do encourage you to look in the recycling bin. And if they haven't cleared that, you may be able to see purged things there. And so those encryption keys, as we were talking about, I give the different locations on the screen here of where you can find that. Now, Nicholas and Florian did a talk
32:21
called A Critical Analysis of Dropbox Software Security at Hack.lu in 2012. I recommend taking a look at that if you are more interested in this. They were able to get into Dropbox databases. I did try some of the stuff that they had talked about
32:41
and some of the toolkits out there. There are PS1 files, so PowerShell scripts, as well as I believe they were Python scripts, and neither of them really worked for me. So I got different errors. I tried debugging for a while and eventually moved on to the next tool. So it has been done, can be done. If you are really interested,
33:00
I encourage you to go check that out. Again, A Critical Analysis of Dropbox Software Security at Hack.lu 2012. I believe there's a YouTube video out there on this. This is allegedly, you can go to the GitHub, play with it yourself, but you should be able to, if you tweak that a little bit. And if you do, please let me know on LinkedIn or Twitter. I'm curious what you had to do to get it to work.
33:21
Probably something simple. Some of the files and folders and databases that were created when I installed Dropbox, we can see that there are the Dropbox cache and the Dropbox files that have temporary files that are possibly opened or cached. So you can dig into that without decrypting the databases. Anything else though, like the filecache.dbx,
33:43
there are some duplicate directories as far as, not directories, but databases, host.db and host.dbx. They look similar, just slight difference in the extension type. I could not access either one of them. And so any one of those that you see, oh, look, it's actually .db and it's not .dbx.
34:01
I can get in there. From my testing, those were still unreadable. The other thing you can find is there's an info.json that's unencrypted and you can find the file store path, host ID, team settings, subscription level and type, how much they're paying. Not terribly useful, but you can get a tiny bit of information from that.
34:20
But Dropbox really, I liked that they did encrypt the databases and didn't give you a whole lot of information without decrypting those databases. So kudos to them again. Let's take a look at some of the box files. So obviously you'll find the default file store, but probably one of my favorites is the cache directory. And within the cache directory,
34:41
you're gonna find full copies of files that were previously opened by the user locally. So if they have box and they go ahead and open a file, whether or not that file still exists within the box file store, you still will be able to, in most cases, even if it's deleted, you'll be able to find a version of that file
35:02
in the cache directory. And so I have tried in lab environments, went ahead and deleted the files in box and the cache copy is still in the cache directory. Now the file name will not be the existing file name. So obviously you can go into some of the other databases and map that back, but you can easily open the file in the cache directory in a hex editor or text editor
35:21
and be able to see what type of file it is and open it in its respective application. Within the logs directory, we'll find a bunch of different log files, such as the box-version.log, which is a detailed activity log. We'll find the boxui underscore some random number underscore the date.log. And that is gonna be generally things associated
35:42
with the Box application. So when the user signs into the local application, they sign out, network activity, it's a very detailed user interface logging, I'll call it that. We also see the box_streams_<number>_<date>.log. And that's gonna have file activity
36:01
such as files, paths, level of logging, free space on the volume, et cetera. It's got a lot of detailed information about files in, out, and activity around them. The data directory is gonna have a path to our databases. We'll see databases such as sync.db, streamfs.db and metrics.db.
36:26
So if we take a look at the box_streams_<number>_<date> log, you'll find quite a few. In my test environment, I had just a handful of files and folders, maybe less than 30 files. And I was already seeing multiple versions of this log file
36:42
with different dates on them. So it does seem like it rolls over pretty quickly and there's a lot of activity in these files. We'll see things with key actions, kind of like we saw in prior applications. We'll see add file, add folder, on delete file, on delete folder, on open file, on close file, on read file, on create file,
37:01
on write file, and on get file info. These are some actions that I've identified just parsing through a couple of these logs that look interesting and things that may be relevant to you. If we take a look at the box_streams_<number>_<date>.log, as you can see there, we'll see things like the cache path.
37:21
So if that was modified or changed or anything like that, you could see the cache location, you'll see database paths, you'll see the mount path, et cetera. You'll see a lot of stuff in there. And my favorite is, as I mentioned, that Box cache directory. And so you can see there within the directory, we've got these, what looks like GUID,
37:41
possibly a hash, file names. It doesn't tell us what the originals were, but if you open them up, what you're gonna see there, and this one was easy, I opened it up in a text editor and we could see the magic byte there and we could tell what type of file it was, but it may be a file type that Notepad's not going to understand. And so if we do have a hex editor, opening that up and taking a look at the magic byte is gonna be the preferred option there.
38:02
And we can actually recreate or view those cached documents, which is great. The boxui log file, as I mentioned, there you can see things like driver install, driver events, sign-ins, cache events, all kinds of activities around the Box application itself.
38:20
The box-version.log, there we can see that there are some file names, the test.txt, when content was created, again, in Unix epoch time. And then we've got that database directory with a couple of those databases we've talked about. In the sync.db database, we're gonna have an ID of objects or files, folders within Box.
38:41
We're gonna have a type, whether it's a file or folder, we don't get that granular level of document type like we saw with Google Drive, but at least we can tell if it's a file or folder. We can then see the parent ID, so we can recreate the folder structure within box. The file name, we get the owner ID of whoever owns that file. So if someone else owns that file,
39:00
we should see the owner ID of that user. We will see a hash; in this case, unlike other applications where we saw an MD5 hash, we'll see a SHA-1 hash within Box. We see when the file was created, updated. I will mention with these, I have not tested the created date or updated time to verify when they're triggered,
39:22
when they're modified and that kind of stuff. So that's a little bit more research or something you may want to take a look at and not just trust those dates out of the box. No pun intended. Sync.db, within that database, as I mentioned in the last slide, we've got those different fields. Here's an example of what you might see if you open it up in DB browser for SQLite.
39:42
The streamfs.db, there we're gonna see a touch sequence. I could not find documentation or really reverse engineer what that was doing. We see a cache data ID, and that's the file name of the cached version that's sitting in that cache directory. So a few slides ago when we saw that cache directory
40:01
and it looked like a GUID or some hash of the file name, it wasn't the original file name. Here's where we can actually see and map that back to its original file name. So that's the cache data ID is the cached version file name. And then obviously the inode ID, we can look at that and then reverse engineer that, if you will,
40:22
looking at the prior databases and find that inode ID and be able to see the original file name. And then also we'll get an age column, which gives us the when a file was cached. Zero, you'll see in that column if it is not cached. If it is a one, it is cached. So we'll take a look at that, or I'm sorry, not a one,
40:42
but we'll see the epoch, Unix epoch time of when that file was cached locally. So in that far right column there, you'll see a few different date timestamps when those files were cached and then all the other ones there that were not cached locally on the system that we've compromised.
41:00
Okay, and so with the streamfs.db database, if we take a look at that, obviously there you can see in the names column of the sync.db, and that's where we can recreate the file name. So again, going back to the streamfs.db, we can see that there's a GUID or hash there
41:21
of A1, B4, five, et cetera. That's what we would have seen in the cache directory if we want to know the original file name. We go over to the inode ID column, we see that it's 13. We then open up the sync.db database and we can look at the inode ID for 13, which then go into the left-hand side there. We can see in the names column,
41:41
it was called business plan. So that's how we can recreate those file names if we do find interesting cached files sitting in that cache directory. And here's just another example of a cached item that we can open up in the cache directory, and we could see the magic byte of PK. And essentially we can see that that is a .docx document.
42:00
So we can open up that in Microsoft Word or change the file extension to .docx and open it that way. And here we can see, obviously I didn't have Microsoft Office installed, but I was able to open it up in WordPad and we can now see that that is in fact the business plan for startup business document that we saw.
42:20
Okay. And just a couple of things on those columns within the streamfs.db, we can obviously see whether it's a file or folder, the parent's inode ID, the name of the file, we'll see multiple timestamps, the created at timestamp, the modified timestamp, access timestamps. Again, you may want to do a little bit of testing on this if that's important to you. I don't know exactly what events will trigger that
42:43
and I just want to warn you of that. We'll also see the inode ID of the object we're taking a look at and we'll see whether or not the item or the object is marked for offline use, essentially kept offline or cached. And then we'll also see folder fetch timestamp.
43:00
So it's an, again, Unix epoch timestamp or the last folder sync for that object. Let's go ahead and talk about Citrix ShareFile for a second here. A little intro to it, the application to download, unlike all the other applications we've talked about, it's behind a signup wall. So you cannot just go download it like you would
43:20
for OneDrive or Dropbox or anything else like that. You actually need to register for a trial of it using what they say a business or enterprise account. However, I was able to use a Gmail account for a trial request, instantly got the download link for that and signed up. And then upon installing ShareFile,
43:42
what it looks like is it creates a virtual volume, FAT32, similar to what Google Drive is doing with File Stream. And it will automatically create a mounted S drive for you on that Windows system. From what I see, the databases are SQLite and they are unencrypted. So yet another unencrypted database.
44:00
The key things that I've noted here from testing is that obviously the S drive or volume is the default file store. We'll see within the user profile, there's AppData\Local\Citrix. And then within Citrix, you'll see a couple other directories and files of interest. Within Citrix Files\DB,
44:22
there's an ID and this ID seemed to change. It was probably based off of my trial. That seems to be where though most of the databases are stored. So possibly the ID directory is created so that if you have different ShareFile accounts, they're stored in different directories. The remote DB, it appeared to have a list
44:41
of all files that were remote and folders as well. And then we have a local item.db and that lists all the local files and folders. There's also a logs directory and that's where they store all the different log files. And then there's a CitrixFiles_<date>.log and that seemed to have detailed activity
45:01
about what's going on with ShareFile. And then I also identified that they had a PartCache directory and that seemed to have all of the cache files that I opened up locally on the Windows system. So if we see here the DB directory and then some ID or GUID number, that's where we've got all the different databases. You can see there's more than I mentioned on the prior slide.
45:22
And the reason for that is that there are certain databases that were near empty or didn't seem to be having unique information, so I kind of left those out. Within the remote DB, we'll have a couple of different columns if we open that up in a database viewer like DB Browser for SQLite. We've got folder IDs, parent folder IDs,
45:42
file names, and global ShareFile ID so it's assigned a unique ID. And we could see here the different files that I had within ShareFile. We can obviously see the name. There's a bunch of different file names that I had for testing and then the unique ID to the right of that. The remote DB database,
46:01
it's got an object ID in the database. It has a parent object ID. It has an identifier for the item, whether or not it was a file or folder, so you can see indications. Again, similar to the last example we looked at, not as detailed as Google Drive, but at least we can tell if it's a file or folder. We get a created date in Unix epoch time.
46:22
We have a file hash and quite a few other columns that didn't seem super relevant for this talk. So here's just a sample. You can see there are a lot of different columns here. Quite a few were nulled out, and other ones just didn't seem relevant for offensive security purposes. The local item database,
46:41
we can see things like the key. There are certain columns here I didn't have great explanations for, so I left those blank, but again, we've got the change date, last access date, last write date, and an ID number, which I'm not sure how that differs from the ShareFile unique ID we saw prior. There's the content ID.
47:01
Again, not sure how that differs from the key or the ID. And then the creation date, the time an object was created, in Unix epoch. We did get another interesting one: there's a URL column, and that gives us a cloud URL. So it's the instance ID. I don't know if this changes for paid accounts versus trials, but I had some kind of trial instance ID
47:21
.sf-api.com/sf/v3/items, and then the item ID, which matched up to the other ID column that we see here on the screen. And so I thought that was pretty interesting. When I went ahead and tried to access that with a browser, Firefox or Chrome,
47:41
it would not give me access to those files. Now, I would like to do some further testing on that and figure out if we can use other tools aside from a browser to go ahead and access those files without authentication. That seems like it may be a security issue for ShareFile, but I have not validated that yet. We also see a file hash
48:01
and there are quite a few other columns that we see. Within the directory entry.db database, we just get very limited information: a parent ID of an object, file name, ID of an object. If we go ahead and take a look at the Citrix files_<date>.log, which actually has the date of the file, we'll see other actions that we may wanna parse out
48:23
using strings or grep or something like that. Upload file, these are all in brackets; you wanna search for those. File system notifier, local, win, FSP, delete item, download, upload, read callback, those are all interesting things that I found within those log files.
48:42
And if we go ahead and take a look at that part cache file, it's exactly the same as we saw in the last example for Box, where in this case, though, it seemed to rename it rather than use some type of GUID. The parent directory would be some type of GUID or hash or something that identified that file.
49:01
But then within that, it was a single cached file, and it was generally called 0.part. However, if you open that up, again with a hex editor, you'd see the magic bytes. You'd see that it's a Word doc, and we could just change the file extension to .docx and go ahead and open up that file. Whether or not it was deleted within ShareFile, we now have a cached version of that.
49:23
So in closing, one other way that you may be able to take a look at things: if a user has not actually installed the application, but they are using cloud file storage solutions, you wanna enumerate a little bit about what they're doing. I identified some things within Google Drive where if they were using or viewing
49:41
or editing Google spreadsheets, you would see within their browser history docs.google.com/spreadsheets. If they were editing or viewing a presentation, you could see docs.google.com/presentation. Not a ton of great information from that other than that they are using Google Docs in the environment,
50:01
and you may have to then attempt to gather documents elsewhere or by a different method. But obviously, if they are using a browser and you have access to their browser, Google never signs you out. So you should be able to obviously just open a browser and access the documents there. But this is a telltale sign that they are using
50:21
probably G Suite or Google Docs for the workplace. We can also see other tools. For example, Box: if they were in the root directory, it's gonna have app.box.com/folder/0. And then we will see other indications of different folders, but at least you can see that they have signed in
50:42
and that they were looking at the root of box.com if you see that /folder/0. With OneDrive, you're gonna see onedrive.live.com/?id=root, and you'll see that they have a personal account there and they are looking in the root directory. You'll also see the CID of their personal OneDrive account.
51:01
For business, it's a little bit different. They're probably gonna be using SharePoint. If you're using Dropbox, we can see that it's just dropbox.com/home, which wasn't a great indication of what they were doing within Dropbox. With viewing an actual document, though, showing that they have signed in and they're actually viewing content,
51:21
you'll see dropbox.com/scl, and that will indicate that they have actually viewed documents within Dropbox. Also, if they are viewing the contents of a folder, you're gonna go ahead and actually see the folder name as well. So it's gonna be dropbox.com/home/<folder name>. You'll get some indication of the different folders,
51:41
whether it's accounting, HR, et cetera. Now, one thing I did create for you: if you wanna go ahead and shoot me a message on LinkedIn or Twitter, I'm happy to share this with you. Once I created my lab environment and I wanted to go ahead and collect the metadata and the artifacts that were left behind, what I did is I created a KAPE target.
52:01
And so I utilized KAPE, which generally I would use more in an incident response or digital forensics case to do a triage image of a system. The reason that I like using this tool is that you can see here, using this custom target that I created, it took just under 12 seconds to go ahead
52:21
and collect all that data. So if you wanna play around with this or try and test this out, see what kind of CAF files are left behind or that you can enumerate, it's very easy to do. You can obviously pull these yourself, but I found it useful to use a KAPE target so that I could just collect all of the different data from the different cloud providers very quickly. And so I've got a snippet there.
52:41
I can give you the GitHub link if you go ahead and send me a message on LinkedIn or Twitter, as I mentioned. And that wraps.