A group of researchers from Stanford University in California and EADS Defence & Security has recently presented a new, open source tool for the forensic analysis of Windows machines.
This tool is able to extract a many types of information from used discs – including information on where the computer was connected, which online services were accessed and which online identities were used by the user.
The advent of the cloud and the fact that many users nowadays store their data in it have made the criminal forensic specialists’ job more difficult. They can discover what’s on the disk, but what if critical information was stored in the cloud or happens to be on social networks or other online services? How can they they mach suspects to online identities or see what they were up to online?
“Traditional forensic file based techniques are insufficient to extract the information needed to reconstruct the user’s online activity because such information is encrypted, obfuscated and scattered across multiples files and registry keys,” explains Elie Bursztein, one of the researchers. “Add to this the fact that the encryption obfuscation schemes used by various pieces of software tend to be different and it becomes clear that this type of advanced analysis is very challenging.”
So, they developed OWADE – Offline Windows Analysis and Data Extraction.
OWADE is a tool that allows forensic specialists to extract data stored by the OS, the browser and various programs; to pinpoint the location of the computer in any given (past) moment by analyzing the stored WiFi data; to recover login credentials for online services from a variety of browsers and IM software; and, in general, to piece together the user’s online activity by taking advantage of browsing histories, information stored in the Windows registry and the Windows certificate store.
All this data, when located on a hard drive, is usually encrypted by the Windows’ Data Protection API (DPAPI), which is used by a variety of popular applications and by Windows itself to store passwords. But, the team finally managed to find a way to decrypt it, and to implement that knowledge in the OWADE tool.
The researchers are set to present their tool later this month, and will demonstrate the recovery process. The tool will be also be made available for download.