Monday, April 21, 2014

Project Completion

Well, here we are, nearing the end of the semester. I am proud to say that I have accomplished all of my goals! My forensic analysis of Ubuntu One is complete! In my findings I was able to find user credentials, file names, URLs, and a bunch more information regarding my test Ubuntu One account. This information could prove to be very useful in a forensic investigation that involves Ubuntu One.

Here is a poster that I created with an overview of how the project went!


This was a very exciting project, and the results are even more exciting!



The above screenshot, from EnCase, shows the password of the user account that logged in on Google Chrome. This was found in the memory.





This screenshot shows that the file names of downloaded files are logged on the system.

There are many logs kept by the popular browsers, and the client itself.

Thursday, March 13, 2014

Ubuntu One Forensic Analysis Update


We are passing the halfway point in the semester, and I am happy to report that my analysis of Ubuntu One is going well!
My process has been pretty straightforward thus far.

It is very important that this project is done in a forensically legitimate manner to ensure any information I get from my analysis is untainted and useful to the forensic community.

My first goal = Prove that Ubuntu One was installed on a Windows system.

I started off on this project by creating a fresh Windows 7 Professional 64-bit virtual machine using VMware Workstation.




The first thing I did upon completion of the Windows 7 installation was take a system snapshot, first on VMware Workstation, and then a snapshot with System Explorer.

The project begins!





Above are a few screenshots of me working on the first goal I set for myself: Prove that Ubuntu One had been installed on the system. The bottom image is a screenshot of a log file. This log file shows all the file, directory, and registry changes from the user-designated point A to point B.

Point A, for me, was a clean Windows 7 system without Ubuntu One installed.
Point B, for me, was the same Windows 7 system after Ubuntu One was installed.

By looking at this log I can see what parts of my system were changed by installing Ubuntu One.
My next step was to delete Ubuntu One, and see which Ubuntu One entities remained after uninstall.

I have done analysis of memory and hard disk on all of my VMs. So far I have found some user credentials, some URLs leading back to the cloud, and names of files associated with a logged on account (even if the files were never downloaded).

Some really awesome stuff!


This is one of many areas of progress I have made in my analysis. Keep checking back!
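
The point A / point B comparison described in this post, extended with a third snapshot taken after uninstall, can be sketched as follows. This is an added example, not the author's tooling or System Explorer output; the `ExampleSync` paths and all snapshot contents are constructed placeholders, not real Ubuntu One artifacts.

```python
import hashlib

def h(data: bytes) -> str:
    """Content hash recorded for each artifact in a snapshot."""
    return hashlib.sha256(data).hexdigest()

# Constructed snapshots (artifact -> hash). "ExampleSync" paths are placeholders,
# not real Ubuntu One locations.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
BASELINE = {  # point A: clean Windows 7
    r"C:\Windows\System32\drivers\etc\hosts": h(b"hosts"),
    RUN_KEY: h(b""),
}
INSTALLED = {  # point B: after installing the client
    **BASELINE,
    RUN_KEY: h(b"ExampleSync autostart"),
    r"C:\Program Files\ExampleSync\client.exe": h(b"binary"),
    r"C:\Users\test\AppData\Local\ExampleSync\sync.log": h(b"log"),
    r"HKCU\Software\ExampleSync\Account": h(b"user@example.com"),
}
UNINSTALLED = {  # after uninstalling: binary removed, the rest left behind
    k: v for k, v in INSTALLED.items() if not k.endswith("client.exe")
}

def diff(before: dict, after: dict) -> dict:
    """Classify every artifact that differs between two snapshots."""
    return {
        "added": {k for k in after if k not in before},
        "removed": {k for k in before if k not in after},
        "modified": {k for k in after if k in before and after[k] != before[k]},
    }

def uninstall_residue(a: dict, b: dict, c: dict) -> tuple[set, set]:
    """Return (artifacts the install added that survive in c,
    pre-existing artifacts the install changed that c did not restore)."""
    install = diff(a, b)
    remnants = {k for k in install["added"] if k in c}
    unreverted = {k for k in install["modified"] if c.get(k) != a[k]}
    return remnants, unreverted

if __name__ == "__main__":
    changes = diff(BASELINE, INSTALLED)
    remnants, unreverted = uninstall_residue(BASELINE, INSTALLED, UNINSTALLED)
    for label, items in [("added by install", changes["added"]),
                         ("left after uninstall", remnants),
                         ("changed and not restored", unreverted)]:
        print(label)
        for item in sorted(items):
            print("   ", item)
```
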










Monday, January 20, 2014

Ubuntu One: A Forensic Breakdown

Andrew Clifford

Open source giant Canonical Ltd. is a software company based out of a London headquarters in the United Kingdom. Most widely known for their Linux distribution product entitled 'Ubuntu', Canonical Ltd. has become a successful and thriving company that is well known in the computer industry. In order to stay on the leading edge, Canonical Ltd. offers a cloud storage service called "Ubuntu One", similar to the well-known "Google Drive."

Ubuntu One is free (upgrades are available for purchase) and available for use on Linux, Windows, Mac, Android, and iOS.

I will be putting the Linux and Windows versions of this service through an examination that will show how its use may help or hinder a forensic investigation.

Please check back for frequent updates, and as always, feel free to contact me about this project.
Champlain College
Champlain College Forensics

Thank you!