We are passing the halfway point in the semester, and I am happy to report that my analysis of Ubuntu One is going well!
My process has been pretty straightforward thus far.
It is very important that this project is done in a forensically legitimate manner to ensure any information I get from my analysis is untainted and useful to the forensic community.
My first goal: prove that Ubuntu One was installed on a Windows system.
I started off on this project by creating a fresh Windows 7 Professional 64-bit virtual machine using VMware Workstation.
The first thing I did upon completion of the Windows 7 installation was take a system snapshot, first in VMware Workstation, and then a snapshot with System Explorer.
The project begins!
Above are a few screenshots of me working on the first goal I set for myself: prove that Ubuntu One had been installed on the system. The bottom image is a screenshot of a log file. This log file shows all the file, directory, and registry changes between the user-designated point A and point B.
Point A, for me, was a clean Windows 7 system without Ubuntu One installed.
Point B, for me, was the same Windows 7 system after Ubuntu One was installed.
By looking at this log I can see what parts of my system were changed by installing Ubuntu One.
My next step was to delete Ubuntu One and see which Ubuntu One entities remained after the uninstall.
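The point A / point B comparison and the post-uninstall check described above can be sketched as a three-way snapshot diff. This is an added example, not the author's tooling or System Explorer's log format: the `TYPE|path|digest` snapshot layout, the `EXAMPLE_APP` paths and the digests are constructed placeholders, not real Ubuntu One artifacts.

```python
# Added example: compare clean -> installed -> uninstalled snapshots.
# Snapshot layout and every path/digest below are constructed placeholders.

def load_snapshot(text):
    """Parse 'TYPE|path|digest' lines into {(type, normalized_path): digest}."""
    snap = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, path, digest = line.split("|", 2)
        # Windows file paths and registry keys compare case-insensitively.
        snap[(kind.upper(), path.strip().lower())] = digest.strip()
    return snap

def diff(before, after):
    """Entries added, removed, or changed in content between two snapshots."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in after
                           if k in before and before[k] != after[k]),
    }

def uninstall_residue(clean, installed, uninstalled):
    """Entries the install created that still exist after the uninstall."""
    created = diff(clean, installed)["added"]
    return [k for k in created if k in uninstalled]

CLEAN = load_snapshot(r"""
FILE|C:\Windows\System32\drivers\etc\hosts|aa11
REG|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|bb22
""")
INSTALLED = load_snapshot(r"""
FILE|C:\Windows\System32\drivers\etc\hosts|aa11
REG|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|cc33
FILE|C:\Program Files\EXAMPLE_APP\client.exe|dd44
FILE|C:\Users\analyst\AppData\Local\EXAMPLE_APP\sync.db|ee55
REG|HKCU\Software\EXAMPLE_APP|ff66
""")
UNINSTALLED = load_snapshot(r"""
FILE|C:\Windows\System32\drivers\etc\hosts|aa11
REG|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|bb22
FILE|C:\users\analyst\appdata\local\EXAMPLE_APP\sync.db|ee55
REG|HKCU\Software\EXAMPLE_APP|ff66
""")

if __name__ == "__main__":
    print("install changes:", diff(CLEAN, INSTALLED))
    print("residue:", uninstall_residue(CLEAN, INSTALLED, UNINSTALLED))
```

Hashing each entry, rather than recording only its existence, is what lets the diff report an existing registry value or file that the installer modified in place.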
I have done analysis of memory and hard disk on all of my VMs. So far I have found some user credentials, some URLs leading back to the cloud, and names of files associated with a logged on account (even if the files were never downloaded).
Some really awesome stuff!
This is one of many areas of progress I have made in my analysis. Keep checking back!