The App Analysis team has continued to analyze the artifacts left behind on the machines. We have completed our review of Steam and, in addition to the original three apps, analyzed Trello. We are almost done with the other apps as well. While we haven’t found any major data breaches, some of the apps leave information unencrypted on disk. That information could be relevant in a forensic investigation, and some of it could also be useful to malicious entities.
Analysis: Fitbit Artifacts
In our investigation of Fitbit, we found a lot more artifacts than anticipated. We managed to recover a lot of information that could be relevant in a forensic analysis. It could also be useful in phishing attacks.
During data generation, the user account joined two Fitbit community groups. We searched the Lost Files folder within the VMDK. There we found many artifacts of both profile images and images posted to both of those groups. The Lost Files folder also contained the user’s cover photo and current and previous profile pictures.
The AppData folder of the VMDK contains a friends.json file. It is stored in plain text and contains information about the user’s friends, including age, location, date of birth, name, gender, height, locale, timezone, badges, and more. Some of these fields are optional for users to fill in, so they may not all be present. This information could be used in phishing attacks to convince a target that a fake user is trustworthy.
To motivate users, the challenge feature allows users the option to challenge friends in one of four different friendly competitions. We managed to find artifacts relating to these challenges. This included invitations to join challenges, as well as the results of challenges.
Users earn badges when they meet certain milestones for the number of steps taken and the number of floors climbed. Users can also earn badges for meeting their weight goal. Besides the friends’ badges we found earlier, there is also evidence of the user’s own badges: we found a database file containing the text of each achieved badge and the image associated with it.
Another artifact with user information was a file titled profile.json. This file contained the user’s profile information, even if set to private.
We also found evidence of the user’s weight goals, including the goal type and start date. But the start weight and current weight are not stored in lbs, even when that is set as the default. Rather, they are stored as integers in kilograms with three decimal places. In the artifact we recovered, the user’s start weight is 106549, which translates to 106.549 kg.
Users have the option to track the foods they eat. Fitbit breaks this down into calories. We managed to find a file containing information about these logged foods.
Fitbit also tracks exercise data taken either from the device itself or through user reported data. These exercise logs are in a .json file with the name formatted as a numeric year-month-day. They contained information that transfers to the app when the device syncs. The duration of activity is in milliseconds.
Analysis: LastPass Artifacts
For our investigation we used EnCase 8 and Autopsy. It was challenging to recover everything, but we were able to see some of the user’s activities.
LastPass is a browser extension and not an installed application. That means very little data exists on a user’s computer. The location LastPass stores data is dependent on the web browser used. Our team used Mozilla Firefox, in which case LastPass stores data at root\Users\<username>\AppData\LocalLow\LastPass. Most files here are either irrelevant or encrypted.
As a result, we had to turn to artifacts from the web browsers themselves to find any relevant data. Most of the data we found was stored in the browser history as URLs.
The email address used with LastPass is also stored in history when users verify their email addresses.
LastPass gives users the option to share passwords, files, and personal information. We shared information between our main account and a secondary account. We did not find any sign of the data we shared with the secondary account. However, we did find evidence that the secondary account shared data with us, along with the email address associated with it.
Initiating the password reset process and finalizing it creates two separate artifacts.
Password Reset Initiation:
Password Reset Complete:
Some artifacts appeared in Google Chrome’s directory. We have no documentation of any of our team using Chrome for this project, so we are unsure whether LastPass itself used Chrome to store information or whether someone used Chrome without documenting it. We will not be presenting any artifacts from Chrome’s directories. This could be the focus of further research, as it appears that Chrome stores more information, and possibly stores it differently than Firefox.
Analysis: Steam Artifacts
After completing the data generation phase, we started our analysis. We found two main paths where Steam stores user information, located at: root\Users\<username>\Steam and root\Users\<username>\AppData\Local\Steam. The latter path is not forensically relevant. It only contained promotional images and the HTML cache. We also noted that the games can be stored in other paths besides the default, and that this is easily changed by users.
Before our analysis of Steam, we set out to find screenshots, gaming apps, user info, friend data, and chat information. Using EnCase and FTK Imager, we were able to find quite a few artifacts, though no major data breaches. We found a list of users that had logged into the machine as well as information about those users, including the games they downloaded, their friends, the games they followed, and the screenshots they took in game.
Though we did not find any chat logs, we did find a configuration file that is edited each time there is a chat window with a new user. For each iteration, the file’s format is the same as the example shown below, with the nine digit number representing the Steam32 ID of the friend.
This could prove that a chat window existed between two users. This could be useful in a forensic investigation to oppose a claim that two parties did not have contact with one another. But, it is possible that the users exchanged no messages and that the only action was opening the chat window. Also, we did not find out whether a chat opened on one end without messages sent would create the same change in the config file.
We also found information relating to the accounts used, found in the loginusers.vdf file.
Within the path root\Users\<username>\AppData\Local\Steam\logs was a list of logs of many different actions within Steam.
One of these logs is the content_log, which documents each session from login to logoff. This log includes information on game updates, when an application starts, update information, game states, and more. This is useful for building a timeline, since every action is recorded with a timestamp.
The remote_connections file is a log for remote connections which always seemed to listen on port 27036. Since we did not use this feature of Steam, it is possible there is other information recorded when remote access is used.
The next folder of interest was the steamapp folder.
The file appmanifest_<App ID>.acf contained data about the games downloaded to Steam. This included the name of a game, what language it is in, its App ID, when it was last updated, and its last owner if it had one. There is one of these for every downloaded game.
The localconfig.vdf file in the config directory of the userdata folder contains the names of friends, their name history, their avatar hex number, the games they follow, and the groups they are in. We hypothesize that this file is used to generate the account’s activity feed, based on the variety of information it holds and the actual content of the feed within the app.
That file also contained a list of “apptickets” which is a list of the App IDs for all the games installed. This can be used as a master list of games when the user downloaded the games into folders besides the default folder. Some games have more than one App ID, usually sequential. For example, Fallout Shelter seems to use 588430 – 588432. From this information, investigators can search databases that link App IDs to the game’s common name. Investigators can then perform a search of those names to find the folder where the game resides. But, note that the sequential App IDs may not have any results attached to them. They are packages for games rather than the main App ID.
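The appmanifest files, localconfig.vdf and loginusers.vdf all use Valve’s KeyValues (VDF) text format, so one small parser covers all of them. The following is an added example, not code from the original post or from Valve: a minimal VDF parser plus a function that pulls the name, App ID, language, last-update time and last owner out of a constructed appmanifest sample (every value in the sample is made up; LastUpdated is read as a Unix timestamp).

```python
import re
from datetime import datetime, timezone
# Constructed appmanifest_<App ID>.acf in Valve's KeyValues (VDF) format; every value is made up.
SAMPLE_ACF = '''
"AppState"
{
    "appid"        "588430"
    "name"         "Example Game (constructed)"
    "LastUpdated"  "1509494400"
    "LastOwner"    "76561197960265729"
    "UserConfig"
    {
        "language" "english"
    }
}
'''
# A token is either a quoted string (group 1) or a brace (group 2).
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|([{}])')
def parse_vdf(text):
    """Parse KeyValues text into nested dicts (quoted keys and values only)."""
    tokens = [(m.group(1), m.group(2)) for m in _TOKEN.finditer(text)]
    pos = 0

    def parse_block():
        nonlocal pos
        block = {}
        while pos < len(tokens):
            key, brace = tokens[pos]
            pos += 1
            if brace == "}":  # end of the current block
                return block
            value, open_brace = tokens[pos]
            pos += 1
            block[key] = parse_block() if open_brace == "{" else value
        return block

    return parse_block()

def summarize_manifest(text):
    """Pull the forensically useful fields out of one manifest, with the update time in UTC."""
    state = parse_vdf(text)["AppState"]
    updated = datetime.fromtimestamp(int(state["LastUpdated"]), tz=timezone.utc)
    return {
        "appid": int(state["appid"]),
        "name": state["name"],
        "language": state.get("UserConfig", {}).get("language"),
        "last_updated_utc": updated.isoformat(),
        "last_owner": state.get("LastOwner"),
    }
```

Point summarize_manifest at each appmanifest_<App ID>.acf in a steamapps folder to build the list of installed games with their last update times; parse_vdf on its own handles the nested blocks of localconfig.vdf.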
We also managed to find screenshots, as well as information about the “apptickets”. This includes what game they are from, the timestamp, caption, and more. The screenshot.vdft file in the path …/<Steam32 ID>/760 from the userdata folder contains this information.
During datagen, we hid games, and put some under different labels, which were also logged in a configuration file, as seen below.
Analysis: Trello Artifacts
For our Trello analysis, we used EnCase and FTK Imager. We found artifacts relating to the boards, usernames, images displayed on the boards, and a few pieces of data about the cards and team.
Upon completing the data generation phase, we began our analysis of the app. But it yielded much less data than expected. There are three main areas where Trello stores user information, located at these paths: /root/ProgramFiles/WindowsApps/45237LiamForsyth.PawsforTrello_126.96.36.199_x64__7pb5ddty8z1pa/
The first gave us the least amount of information, only providing Trello’s version number.
That said, the two other paths did not provide as much information as planned, but an explanation presented itself: Trello has no offline mode, which means most of the data generated by user actions is stored on the Trello server rather than locally.
The second path contained the most artifacts. Within that folder, the folder Cache contained a lot of artifacts. This includes PNG images of all the backgrounds and the profile picture of one of the users, as well as data files.
Most of the relevant information was found in the file data_1. The first thing we noticed about the file was that it contained many percent-encoded URLs for different boards.
We also found links to the team that the user was a member of. These URLs include the team ID, which consists of the original team name followed by a number that differentiates between teams of the same name.
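As an added example (not code from the original post or from Trello), the following carves Trello URLs out of a cache blob like data_1, percent-decodes them and labels each as a board, card or team link. The data_1 slice and the board, card and team identifiers in it are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed stand-in for a slice of the Chromium cache file data_1: the real
# file is binary, with URLs scattered between cache block headers and payloads.
SAMPLE_DATA_1 = (
    b"\x00\x10\x00\x00\x07junk\x00"
    b"https://trello.com/b/aB12cD34/case%20notes%20board\x00\xff\xfe"
    b"\x01\x02https://trello.com/exampleteam12/home\x00"
    b"garbage\x00https://trello.com/c/Zz98Yy76/interview%20schedule\x00"
    b"https://trello.com/b/aB12cD34/case%20notes%20board\x00"  # duplicate
)

# Unreserved URL characters plus '/' and '%'; the match stops at the first NUL or other binary byte.
_URL = re.compile(rb"https://trello\.com/[A-Za-z0-9%._~/\-]+")

def carve_trello_urls(blob):
    """Return distinct Trello URLs in first-seen order, percent-decoded."""
    found = []
    for match in _URL.finditer(blob):
        url = unquote(match.group().decode("ascii"))  # regex only matches ASCII
        if url not in found:
            found.append(url)
    return found

def classify(url):
    """Map a Trello URL to (kind, identifier): board/card short ID or team ID."""
    parts = url[len("https://trello.com/"):].split("/")
    if parts[0] == "b" and len(parts) > 1:
        return ("board", parts[1])
    if parts[0] == "c" and len(parts) > 1:
        return ("card", parts[1])
    return ("team", parts[0])

def inventory(blob):
    """Carve and classify every Trello link in a cache blob."""
    return [classify(u) + (u,) for u in carve_trello_urls(blob)]
```

Run inventory over the raw bytes of data_1 to get a de-duplicated list of boards, cards and teams referenced by the cached account, which is a quick way to cross-check what the starredboards file reports.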
The names of some cards were also present. It is important to note that we could not find all the cards that we created. These would not be useful for investigators unless the titles could be used as possible evidence of intent.
Besides the normal boards and cards, the names of deleted boards and cards were also present.
While we only managed to find one of the users within the data_1 file, it’s worth noting that this was the user that was last logged in (and was not logged out at the end of the data generation).
It is important to note that despite the amount of data this one file provided, there were still a lot of items that we generated that were missing from this file.
The third path contained logs and a file named starredboards. The starredboards file had information about every board. This includes the name, if it’s closed, the team associated with it, if it’s pinned, its ID, the URL of board, and the background image as a URL.
Despite the small amount of data we managed to pull, we could determine who was using this app, what team(s) they are a member of, their boards, some cards, and unsaved comments. This information could prove useful in a forensic investigation, though it would be far less useful to malicious entities. As such, we would describe Trello as a secure application.
Of the information we collected about these four apps, none of it poses a serious threat to privacy. LastPass and Trello seemed to be the most secure apps, while Fitbit and Steam revealed more information than expected. While none of them have major information leaks, Fitbit, Steam, and Trello artifacts could be useful in forensic investigations, with Trello again being the least useful. The only area of concern is information that could be used in phishing attacks; the most relevant information would come from the loginusers.vdf file in Steam and the data_1 file in Trello.
The odds of a hacker researching those apps in particular are low. These apps are for game purchasing and team organization. Usually, attacks target information on social media sites. While we were able to extract a lot of relevant data from these apps, the worst someone with malicious intent could do with the data gathered is launch a phishing attack.