Wednesday, July 3, 2013

The Implications of Office 365 in Digital Forensics and eDiscovery – part 1

A couple of years ago Microsoft began to embrace cloud technology and launched Office 365 for Business, in direct competition with solutions being developed by Google and others. This was followed more recently with a home user edition: Office 365 Home Premium. The Office 365 suite is an evolution of the standard Office package and introduces, amongst other things, a cloud-based aspect called SkyDrive, which allows for greater online collaboration on documents. In the first of two posts, we will look at how Office 365 works, and provide an overview of the forensic artefacts that may be retrieved.
Users must have a registered Microsoft Account in order to download Office 365, which comes bundled with SkyDrive and the Office 2013 Upload Center. By default, all three applications are installed, and a SkyDrive folder is created for the user’s account at ~\Users\Username\SkyDrive.
When setting up SkyDrive on a new PC, the user has two main setup options. They can either use the default express settings, which will download any files currently associated with that account, or they can customise the setup and sync specific files and folders with the PC. They can also specify a different location for the SkyDrive folder.
The Windows Registry holds some useful Office 365 and SkyDrive configuration data. We can verify that Office 365 is installed, and determine the version in use, by examining the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.0\ClickToRun\propertyBag\productreleaseid. The value generated for this key in a typical Office 365 Home Premium setup is “O365HomePremRetail”, and it is expected that a similar naming convention will be used to represent other licensing models.
Each Microsoft account grants the user five Office 365 licences, which are managed online. Each licensed PC is given a unique identifier that is listed online and can be matched to a value in the registry, located at HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Registration. This ID is actually the name that the user has given the computer (for example, WIN-UJMBC6MS5HB).
The PC ID can also be retrieved from the SkyDrive system folder at C:\Users\Username\AppData\Local\Microsoft\SkyDrive\setup\logs. This folder contains one or more text files, which store the event logs for all synchronisation events and application updates; however, only the logs that reference when SkyDrive was installed or updated will contain the PC ID. The line in the log containing the ID can be found relatively easily by searching for “X-Computer”.
Further information can be gleaned from the SkyDrive settings folder located at C:\Users\Username\AppData\Local\Microsoft\SkyDrive\settings. First, there is a text file which is named using a GUID (e.g. 130cf147b5dzxd4c), which is assigned to the SkyDrive account, and also forms part of the URL when the user logs in through a web browser.
The aforementioned settings file contains significant data about the SkyDrive account, including what Microsoft call the last ‘refresh’ time (i.e. the last time the account synchronised with the cloud server), the number of sync requests sent to the online server since Office 365 was installed, and the total bytes transferred. The last refresh time is also found as a Windows 64-bit little-endian file time in the registry hive under HKEY_CURRENT_USER\Software\Microsoft\SkyDrive.
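As an added example (not part of the original post or any Microsoft tool), the following Python helper decodes a 64-bit little-endian FILETIME such as the last refresh time stored under HKEY_CURRENT_USER\Software\Microsoft\SkyDrive, both from raw bytes and from the "hex:aa,bb,..." form of a .reg export, and pulls the PC ID out of a setup-log line containing "X-Computer". The value name "LastRefresh" and the exact "X-Computer: <name>" layout of the log line are assumptions; the sample data is constructed.

```python
import re
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME (REG_BINARY / REG_QWORD) to a UTC datetime."""
    if len(raw) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes, got %d" % len(raw))
    (ticks,) = struct.unpack("<Q", raw)  # '<Q' = little-endian unsigned 64-bit
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_from_reg_export(field: str) -> datetime:
    """Decode the 'hex:aa,bb,...' form that reg.exe / .reg exports use for binary values.
    Continuation backslashes, whitespace and commas between octets are all tolerated."""
    body = field.split(":", 1)[1] if ":" in field else field
    octets = [o for o in re.split(r"[^0-9A-Fa-f]+", body) if o]
    return filetime_to_datetime(bytes(int(o, 16) for o in octets))


def find_pc_id(log_text: str) -> Optional[str]:
    """Return the token following 'X-Computer' in setup-log text, or None if absent.
    The 'X-Computer: <name>' layout is an assumption; the post only says the line
    can be located by searching for that string."""
    match = re.search(r"X-Computer\s*[:=]\s*(\S+)", log_text)
    return match.group(1) if match else None


# Constructed sample data (not captured from a real system). The FILETIME below is
# the well-known Unix epoch offset, so the decoded time should be 1970-01-01 00:00 UTC.
SAMPLE_REG_LINE = '"LastRefresh"=hex:00,80,3e,d5,de,b1,9d,01'  # hypothetical value name
SAMPLE_LOG = (
    "2013-07-03 10:15:02 Setup started\n"
    "2013-07-03 10:15:03 X-Computer: WIN-UJMBC6MS5HB\n"
    "2013-07-03 10:15:09 Setup finished\n"
)


def analyse_sample():
    """Run both decoders over the constructed samples; returns (iso_time, pc_id)."""
    hex_field = SAMPLE_REG_LINE.split("=", 1)[1]
    return filetime_from_reg_export(hex_field).isoformat(), find_pc_id(SAMPLE_LOG)


if __name__ == "__main__":
    print(analyse_sample())
```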
Uploads and downloads of Office 365 files to and from the SkyDrive account are managed by the Office 2013 Upload Center. When a new file is created using an Office 365 application, the user can either save only locally, or to their SkyDrive folder, which creates a local copy and a cloud copy. The latter creates a local version in the user’s SkyDrive folder, but also allows the Upload Center to sync the file with the cloud server. Providing the PC is online and uploads have not been paused, this sync happens almost instantaneously. Otherwise, the file is queued for upload to the cloud at the next opportunity.
While the file is only being accessed from one PC, the created, modified and accessed times behave like a normal Office file. However, if the file is accessed from another PC linked to the SkyDrive account, then there are slight differences. Firstly, the created date on the second PC is that of when the file was first uploaded to the cloud server. This is not necessarily the same as when it first came into existence on the original PC, or when it was downloaded to the additional PC. This is demonstrated in figure 1 below, which shows the created time differences for the same file on two PCs. Although in this example the difference is relatively small, if SkyDrive wasn’t synced as regularly the difference could be much bigger.
With respect to the modified date stamps, a direct comparison between the first and second PC after synchronisation shows that this information stays the same during the sync, rather than reflecting the fact that the file has been downloaded to another PC. However, the last accessed time is updated as a result of this event and, in the example below, the accessed date on PC 2 actually reflects the time the file was downloaded from SkyDrive (although this may not always be the case).
Figure 1: A file created on PC 1 (left) and the same file on PC 2 with new created and accessed times (right).
Once synchronised, the file times then behave much as they would on an offline system. When a change is made and the file is saved, the modified and accessed times update on the local PC and, as long as synching takes place regularly, are also updated with the cloud account, so that this metadata is the same for all versions of the file on PCs associated with the account.
It is clear that Office 365 adds an extra dimension to the collection of Microsoft Office documents. While imaging a PC will capture any documents synced with SkyDrive, there may be further files sitting in the cloud that have never touched that particular device. Furthermore, the time and date information is not as reliable, and behaves differently to a standard Office document. As a result, considerable discrepancies could arise if they are not synced regularly.
Keep an eye out for part 2 of this Office 365 series, which will look at the back end that powers Office 365, and the extra information that can be uncovered from it.
Source: http://www.millnet-consulting.com/2013/05/27/office365-in-forensics-ed-1/#more-1047

Intercepting Blackberry Application Traffic

Intercepting mobile traffic is one of the key areas of mobile application penetration testing, and Blackberry mobile applications are no different. In this post, we will look at methods of intercepting Blackberry application traffic.

It is important to note that the standalone Blackberry simulator does not offer any mechanism to route HTTP traffic over a web proxy. To use a web proxy for traffic interception, one has to use the Blackberry device simulator together with the MDS and email simulator. Assuming you have both installed, the following steps will allow you to intercept Blackberry web traffic.

Case 1: Routing HTTP traffic via web proxy:

  1. Browse to "\Program Files\Research In Motion\BlackBerry Email and MDS Services Simulators #.#.#\MDS\config"
  2. Open the rimpublic.property file
  3. Under the HTTP HANDLER section, add your web proxy configuration information:
application.handler.http.proxyEnabled=true
application.handler.http.proxyHost=<your proxy address>
application.handler.http.proxyPort=<your proxy port>

The following image shows the rimpublic.property file HTTP HANDLER section for Fiddler running on port 8888 on localhost.

Web Proxy Configuration
More details on proxy configuration can be seen here. Once you save these settings and launch MDS simulator, you will be able to monitor, intercept and modify all HTTP traffic. However, we still need to put in some extra work for SSL traffic.


Image shows HTTP traffic captured for google.com


Case 2: Routing HTTPS traffic via web proxy:
The above-mentioned configuration was not successful when attempted on SSL traffic. It was time for some workaround and I thought of using a reverse proxy. The idea of using a reverse proxy had some limitations, but it worked seamlessly and allowed me to intercept SSL traffic for a particular domain. To demonstrate this concept, I will be using Charles Proxy's Reverse Proxy. You can use any reverse proxy of your own choice. Let's configure the Charles proxy now.
  1. Obtain the IP address to which the application/browser talks
  2. Obtain the IP for the target domain. nslookup for mail.google.com revealed four DNS entries (74.125.226.184, 74.125.226.182, 74.125.226.181, 74.125.226.183) and one of them was chosen to be the destination for the reverse proxy settings. See the screenshots below for the Charles Reverse Proxy settings.
  3. In the hosts file, make an entry that maps the target domain to the IP at which the reverse proxy is hosted. In our case, I entered the following for mail.google.com:
    127.0.0.1 mail.google.com
  4. Now launch your browser and access https://mail.google.com
  5. The Blackberry simulator will issue a certificate error. Choose the "Trust Certificate" option, provide the certificate store password and then save your settings.
  6. All the traffic will be routed via Charles now. Enjoy!

To summarize reverse proxy settings (Two sets of entries):
Entry 1: To ensure that all SSL traffic is forwarded to mail.google.com:443
Listening on : 127.0.0.1:443
Forwarding to: 74.125.226.181:443 #one

Entry 2: To ensure that all plain HTTP is forwarded too
Listening on : 127.0.0.1:80
Forwarding to: 74.125.226.181:80
Image shows reverse proxy settings in Charles

Image shows the certificate error issued when https://mail.google.com is accessed via the reverse proxy. Choosing the "Trust Certificate" option allows SSL traffic to be intercepted.


Source: http://gursevkalra.blogspot.in/2011/06/intercepting-blackberry-application.html

Thursday, May 16, 2013

Internship for 2 months

Internship for 2 months (VAPT Tester, Cyber Security Professional) Freelance

at Valency Networks in Pune (Published at 07-05-2013)
We have 2 vacancies for an internship for college students who want to eventually pursue a career in the cyber security domain. Candidates will get hands-on experience and knowledge. No salary will be offered.
Internship period of 2-3 months depending on your college schedule. Female candidates will be given preference to promote their presence in this field.

BIOS LOG

Accessing BIOS for Windows

  • Turn on the computer. As the computer is booting up, look toward the bottom of the screen. You will notice directions that read "BIOS = F2, Boot System = F12" or something similar to those commands. Again, this will vary according to the manufacturer. Press the button indicated for BIOS.
  • Press the button for "System Log" or "Event Log" on the menu that appears. The menu will offer you a variety of options that are accessed by pressing the indicated buttons.
  • View the system log. If you do not see any of the prompts instructed in the previous steps, you may have to contact the BIOS manufacturer. To find the BIOS manufacturer for your system, go to the Search area on the desktop and type in "System Information." Click "System Information" in the result, then view "System summary." The BIOS manufacturer will be listed.

Accessing BIOS for Mac

  • Turn on the computer and wait for the desktop screen to load.
  • Go to "Applications," "Utilities," then "Console" or type "Console" in the Spotlight area.
  • Go to "system.log" to view the BIOS system log.

Sunday, September 23, 2012

Babylon remove...

Mozilla Firefox

  • Type "about:config" into the address bar, then press Enter.
  • Accept the Warning
  • In the Search bar on this page, search for "browser.newtab.url" (without quotes).
  • Right click it, and click "reset"
  • Restart Firefox. 
Source: http://www.o2tricks.in

Wednesday, July 4, 2012

Hide Folder Without any Software...

Folder Hide : No more software need...

Step 1 : Rename any folder with the extension {645FF040-5081-101B-9F08-00AA002F954E}
For example,
if you have a folder with the name “Anything”,
press F2,
then type “Anything.{645FF040-5081-101B-9F08-00AA002F954E}”
and press Enter.
Step 2 : To get it back to its original form,
make a new batch file with any name and type
“ren Anything.{645FF040-5081-101B-9F08-00AA002F954E} Anything”.
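From the defender's side, the same rename is a simple way to hide a folder from anyone browsing with Explorer, so it is worth being able to find such folders. The Python script below is an added example (not from the original post): it walks a directory tree, reports every directory whose name ends in a .{CLSID} suffix, and reproduces the name the "ren" step above would restore. The CLSID from the post, {645FF040-5081-101B-9F08-00AA002F954E}, identifies the Recycle Bin. The sample tree it builds is constructed in a temporary directory.

```python
import os
import re
import shutil
import tempfile

# Explorer shows a folder named "Name.{CLSID}" as the shell object that CLSID identifies,
# so the folder's real contents are hidden from casual browsing. The CLSID used in the
# post, {645FF040-5081-101B-9F08-00AA002F954E}, is the Recycle Bin.
CLSID_SUFFIX = re.compile(
    r"^(?P<shown>.+)\.\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}$"
)


def find_clsid_disguised(root):
    """Walk root; return sorted (path, original_name, CLSID) for each '.{CLSID}' directory."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            m = CLSID_SUFFIX.match(name)
            if m:
                hits.append((os.path.join(dirpath, name), m.group("shown"), m.group("clsid").upper()))
    return sorted(hits)


def restore_name(disguised: str) -> str:
    """Name the folder gets back after the post's 'ren' step; unchanged if not disguised."""
    m = CLSID_SUFFIX.match(disguised)
    return m.group("shown") if m else disguised


def demo():
    """Build a constructed sample tree (not real data) with one disguised folder and
    two ordinary ones, scan it, and return the (original_name, CLSID) pairs found."""
    root = tempfile.mkdtemp(prefix="clsid_demo_")
    try:
        os.makedirs(os.path.join(root, "Anything.{645FF040-5081-101B-9F08-00AA002F954E}"))
        os.makedirs(os.path.join(root, "Reports", "Old.{not-a-clsid}"))  # must not match
        return [(shown, clsid) for _path, shown, clsid in find_clsid_disguised(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for shown, clsid in demo():
        print("disguised folder %r -> CLSID %s" % (shown, clsid))
```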

Nokia Tricks

Do you know your Nokia can do this also....

1.  Imagine your cell battery is very low, you are expecting an important call and you don’t have a charger.
     Nokia instrument comes with a reserve battery. To activate, the key is “*3370#”.
     Your cell will restart with this reserve and your instrument will show a 50% increase in battery.
     This reserve will get charged when you charge your cell next time.
     *3370# Activate Enhanced Full Rate Codec (EFR) – Your phone uses the best sound quality but talk time is reduced by approx 5%
     #3370# Deactivate Enhanced Full Rate Codec (EFR)
     *#4720# Activate Half Rate Codec – Your phone uses a lower quality sound but you should gain approx 30% more Talk Time
     *#4720# Deactivate Half Rate Codec
2.  *#0000# Displays your phone’s software version,
      1st Line :  Software Version,
      2nd Line : Software Release Date,
      3rd Line : Compression Type
3.  *#9999# Phone’s software version if *#0000# does not work.
4.  *#06# For checking the International Mobile Equipment Identity (IMEI Number).
5.  #pw+1234567890+1# Provider Lock Status. (use the “*” button to obtain the “p,w” and “+” symbols).
6.  #pw+1234567890+2# Network Lock Status. (use the “*” button to obtain the “p,w” and “+” symbols).
7.  #pw+1234567890+3# Country Lock Status. (use the “*” button to obtain the “p,w” and “+” symbols).
8.  #pw+1234567890+4# SIM Card Lock Status.(use the “*” button to obtain the “p,w” and “+” symbols).
9.  *#147# (Vodafone) This lets you know who called you last. *#1471# Last call (only Vodafone).
10.  *#21# Allows you to check the number that “All Calls” are diverted to.
11.  *#2640# Displays security code in use.
12.  *#30# Lets you see the private number.
13.  *#43# Allows you to check the “Call Waiting” status of your phone.
14.  *#61# Allows you to check the number that “On No Reply” calls are diverted to.
15.  *#62# Allows you to check the number that “Divert If Unreachable(no service)” calls are diverted to.
16.  *#67# Allows you to check the number that “On Busy Calls” are diverted to.
17.  *#67705646# removes operator logo on 3310 & 3330
18.  *#73# Reset phone timers and game scores
19.  *#746025625# Displays the SIM Clock status, if your phone supports this power saving feature “SIM Clock Stop Allowed”, it means you will get the best standby time possible
20.  *#7760# Manufacturer’s code
21.  *#7780# Restore factory settings
22.  *#8110# Software version for the nokia 8110
23.  *#92702689# (to remember *#WARRANTY#)
      Displays:
      1. Serial Number,
      2. Date Made,
      3. Purchase Date,
      4. Date of last repair (0000 for no repairs),
      5. Transfer User Data.
      To exit this mode -you need to switch your phone off then on again
24.  *#94870345123456789# Deactivate the PWM-Mem
25.  **21*number# Turn on “All Calls” diverting to the phone number entered
26.  **61*number# Turn on “No Reply” diverting to the phone number entered
27.  **67*number# Turn on “On Busy” diverting to the phone number entered
  Each command is prefixed with either one or two * or # characters as follows:
    ** Register and Activate
    *  Activate
    ## De-Register (and Deactivate)
    #  Deactivate
    *# Check Status
    ©  Call button
Once each command has been entered, if it is a network command (as opposed to a local handset command) it must be transmitted to the network by pressing the YES (receiver) key which acts as an enter key – this is represented here with the © character. Always enter numbers in full international format +CountryAreaNumber ( e.g. +447712345678).
Security
Change call barring code **03*OldCode*NewCode*NewCode#©
Change call barring code **03*330*OldCode*NewCode*NewCode#©
Change PIN code **04*OldPIN*NewPIN*NewPIN#©
Change PIN2 code **042*OldPIN2*NewPIN2*NewPIN2#©
Unlock PIN code (when PIN is entered wrong 3 times) **05*PUK*NewPIN*NewPIN#©
Unlock PIN2 code (when PIN2 is entered wrong 3 times) **052*PUK2*NewPIN2*NewPIN2#©
Display IMEI *#06#
Call Forwarding (Diversions)
De-register all call diversions ##002#©
Set all configured call diversions to number and activate **004*number#©
De-register all configured call diversions (no answer, not reachable, busy) ##004#©
Unconditionally divert all calls to number and activate **21*number#©
Activate unconditionally divert all calls *21#©
De-register unconditionally divert all calls ##21#©
Deactivate unconditionally divert all calls #21#©
Check status of unconditionally divert all calls *#21#©
Divert on no answer to number and activate **61*number#©
Activate divert on no answer *61#©
De-register divert on no answer ##61#©
Deactivate divert on no answer #61#©
Check status of divert on no answer *#61#©
Divert on not reachable to number and activate **62*number#©
Activate divert on not reachable *62#©
De-register divert on not reachable ##62#©
Deactivate divert on not reachable #62#©
Check status of divert on not reachable *#62#©
Divert on busy to number and activate  **67*number#©
Activate divert on busy *67#©
De-register divert on busy ##67#©
Deactivate divert on busy #67#©
Check status of divert on busy *#67#©
Change number of seconds of ringing for the given service before diverting a call (such as on no answer). Seconds must be a value from 5 to 30. De-registering the same divert will also delete this change! **service*number**seconds#© (Service numbers, see below)
Call barring
Activate barring all outgoing calls (see Security to set code) **33*code#©
Deactivate barring all outgoing calls #33*code#©
Check status of barring all outgoing calls *#33#©
Activate barring all calls **330*code#©
Deactivate barring all calls #330*code#©
Check status of barring all calls *#330*code#©
Activate barring all outgoing international calls **331*code#©
Deactivate barring all outgoing international calls #331*code#©
Check status of barring all outgoing international calls *#331#©
Activate barring all outgoing international calls except to home country **332*code#©
Deactivate barring all outgoing international calls except to home country #332*code#©
Check status of barring all outgoing international calls except to home country *#332#©
Activate barring all outgoing calls **333*code#©
Deactivate barring all outgoing calls #333*code#©
Check status of barring all outgoing calls *#333#©
Activate barring all incoming calls **35*code#©
Deactivate barring all incoming calls #35*code#©
Check status of barring all incoming calls *#35#©
Activate barring all incoming calls when roaming **351*code#©
Deactivate barring all incoming calls when roaming #351*code#©
Check status of barring all incoming calls when roaming *#351#©
Activate barring all incoming calls **353*code#©
Deactivate barring all incoming calls #353*code#©
Check status of barring all incoming calls *#353#©
Call waiting
Activate call waiting *43*#©
Deactivate call waiting #43##©
Check status of call waiting *#43#©
Calling Line Identification
The following only works if CLIP and CLIR are enabled (ask your service provider)
CLIP: Presentation of the number of the incoming call
Activate CLIP **30#©
Deactivate CLIP ##30#©
Check status of CLIP *#30#©
CLIR: Presentation of one’s own number to the called party
Activate CLIR **31#©
Activate CLIR for the actual call *31#number©
Deactivate CLIR ##31#©
Deactivate CLIR for the actual call #31#number©
Check status of CLIR *#31#©
COLP: Presentation of the actual number reached (if the number called was diverted to another number)
Activate COLP *76#©
Deactivate COLP #76#©
Check status of COLP *#76#©
COLR: Presentation of the original number called by the calling party (if the call was diverted to this cellphone)
Activate COLR *77#©
Deactivate COLR #77#©
Check status of COLR *#77#©

Source: http://kyrionhackingtutorials.com