Owade


  1. Beyond files forensic: OWADE cloud based forensic. Elie Bursztein (Stanford University), Ivan Fontarensky (Cassidian), Matthieu Martin (Stanford University), Jean Michel Picod (Cassidian). Wednesday, August 3, 2011
  2. The world is moving to the cloud (E. Bursztein, I. Fontarensky, J.M. Picod, M. Martin, Beyond files recovery: OWADE cloud based forensic, http://owade.org, Wednesday, August 3, 2011)
  3. 2.7 million photos are uploaded to Facebook every 20 minutes
  4. 100 million new files are saved on Dropbox every day
  5. Data are moving to multiple services (diagram: Hard drive)
  6. Data are moving to multiple services (diagram: emails, Hard drive)
  7. Data are moving to multiple services (diagram: emails, Hard drive, Cloud)
  8. Data are moving to multiple services (diagram: emails, Hard drive, Webmail, Cloud)
  9. Data are moving to multiple services (diagram: emails, contacts, Hard drive, Webmail, Cloud)
  10. Data are moving to multiple services (diagram: emails, contacts, Hard drive, Webmail, Social sites, Cloud)
  11. Data are moving to multiple services (diagram: emails, contacts, photos, Hard drive, Webmail, Social sites, Cloud)
  12. Data are moving to multiple services (diagram: emails, contacts, photos, Hard drive, Photo sites, Webmail, Social sites, Cloud)
  13. Data are moving to multiple services (diagram: emails, contacts, photos, Hard drive, Webmail, Social sites, Photo sites, Cloud)
  14. Impact on the forensic field • There are more data which are harder to reach • Dealing with cloud data forces us to reinvent forensics
  15. Let’s do cloud forensics
  16. What is cloud forensics?
  17. Facebook credentials as a use case (diagram: Facebook)
  18. Facebook credentials as a use case (diagram: credentials, IE, Facebook, DPAPI Blob)
  19. Facebook credentials as a use case (diagram: DPAPI blob-key, credentials, DPAPI master-key, IE, Facebook, DPAPI Blob)
  20. Facebook credentials as a use case (diagram: Windows User Password, DPAPI blob-key, credentials, DPAPI master-key, IE, Facebook, SAM (hash), DPAPI Blob)
  21. Facebook credentials as a use case (diagram: Windows User Password, Syskey, DPAPI blob-key, credentials, DPAPI master-key, IE, Facebook, Registry, SAM (hash), DPAPI Blob)
  22. Facebook credentials as a use case (diagram: Windows User Password, Syskey, DPAPI blob-key, credentials, DPAPI master-key, IE, Facebook, Registry, SAM (hash), DPAPI Blob) • Getting Facebook credentials requires bypassing 4 layers of encryption
  23. Focus of this talk • Show you how to bypass the encryption layers and get the data you want
  24. Introducing OWADE • Dedicated to cloud forensics • Decrypts / recovers • DPAPI secrets • Browsers history and websites credentials • Instant messaging creds • Wifi data • Free and open-source • http://owade.org
  25. OWADE in action
  26. OWADE overview
  27. OWADE overview (diagram: disk)
  28. OWADE overview (diagram: disk, disk image)
  29. OWADE overview (diagram: Registry, disk, disk image)
  30. OWADE overview (diagram: Registry, disk, disk image, Files)
  31. OWADE overview (diagram: Windows credentials, Registry, disk, disk image, Files)
  32. OWADE overview (diagram: Windows credentials, Registry, disk, disk image, WiFi info, Files)
  33. OWADE overview (diagram: Windows credentials, Registry, disk, disk image, WiFi info, Files, Hardware info)
  34. OWADE overview (diagram: Windows credentials, Registry, disk, disk image, WiFi info, Files, Hardware info, Credentials and data)
  35. OWADE overview (diagram: Windows credentials, Registry, disk, disk image, WiFi info, Files, Hardware info, Credentials and data, Cloud data)
  36. Outline
  37. Outline • File based forensics refresher
  38. Outline • File based forensics refresher • The Windows crypto eco-system
  39. Outline • File based forensics refresher • The Windows crypto eco-system • Wifi data and Geo-location
  40. Outline • File based forensics refresher • The Windows crypto eco-system • Wifi data and Geo-location • Recovering browser data
  41. Outline • File based forensics refresher • The Windows crypto eco-system • Wifi data and Geo-location • Recovering browser data • Recovering instant messaging data
  42. Outline • File based forensics refresher • The Windows crypto eco-system • Wifi data and Geo-location • Recovering browser data • Recovering instant messaging data • Acquiring cloud data
  43. Outline • File based forensics refresher • The Windows crypto eco-system • Wifi data and Geo-location • Recovering browser data • Recovering instant messaging data • Acquiring cloud data • Demo
  44. File based forensic refresher
  45. Not all files are born equal (type of file: how to recover it) • Standard: copy • In the trash: undelete utility • Deleted: file carving • Wiped: call the NSA :)
  46. Windows registry • .dat files • Hardware information • Installed software with versions and serials • Windows credentials (encrypted)
  47. Some Registry Information Extracted
  48. Windows crypto
  49. Why do we care about Windows crypto?
  50. The Windows crypto eco-system (diagram: Crypto API)
  51. The Windows crypto eco-system (diagram: Crypto API, SAM)
  52. The Windows crypto eco-system (diagram: Crypto API, DPAPI, SAM)
  53. The Windows crypto eco-system (diagram: Crypto API, DPAPI, Credential Manager, SAM)
  54. Windows Crypto API • Basic cryptographic blocks • Cipher: 3DES, AES • Hash functions: SHA-1, SHA256, HMAC • PKI: public keys and certificates (X.509)
  55. The Security Account Manager (SAM) • Stores Windows user credentials • Located in the registry • Encrypted with the SYSKEY • Passwords are hashed
  56. Windows Password Hashing functions • Two hash functions used • LM hash function (NT, 2K, XP, Vista): weak • NTLM (XP, Vista, 7) • Passwords are not salted
  57. LM hash weakness • Uses only upper-case • Hashes the password in chunks of 7 characters • mypassword → LMHash(MYPASSW) + LMHash(ORD) • Password key-space: 69^7 (at most)
  58. Rainbow Tables • Pre-compute all the possible passwords • Time-Memory trade-off • Rainbow tables of all the LM hashes are available
  59. How OWADE Works • Extract usernames and password hashes • LM hashes available? • Use John/Rainbow tables to get the password in uppercase • Use NTLM hashes to find the password cases • Try to crack the NTLM using John/Rainbow table
  60. Windows Password recovered
  61. • What if we can’t crack the NTLM hash :( • (need a sad baby face here) If the password is too strong we can’t recover it
  62. • Everything is not lost because of how DPAPI works • (smiling baby face) but we can still decrypt DPAPI secrets (sometimes)
  63. The Data Protection API • Ensures that encrypted data can’t be decrypted without knowing the user's Windows password • Blackbox crypto API for developers: • Encrypt data → DPAPI blob • Decrypt DPAPI blob → data • Main point: tie the encryption to the user password
  64. DPAPI derivation scheme (diagram: SHA1(password), pre-key, User)
  65. DPAPI derivation scheme (diagram: SHA1(password), pre-key, User, master-key)
  66. DPAPI derivation scheme (diagram: SHA1(password), pre-key, User, master-key, blob key)
  67. DPAPI derivation scheme (diagram: SHA1(password), pre-key, User, master-key, blob key, DPAPI blob)
  68. DPAPI derivation scheme (diagram: SHA1(password), pre-key, User, master-key, three blob keys, three DPAPI blobs)
  69. DPAPI Blob structure

      ```c
      struct wincrypt_datablob {
          DWORD   cbProviders,
          GUID    pbProviders[cbProviders],
          DWORD   cbMasterkeys,
          GUID    pbMasterkeys[cbMasterkeys],
          DWORD   dwFlags,
          DWORD   cbDescription,
          BYTE    pbDescription[cbDescription],
          ALG_ID  algCipher,
          DWORD   cbKey,
          DWORD   cbData,
          BYTE    pbData[cbData],
          DWORD   dwUnknown,
          ALG_ID  algHash,
          DWORD   dwHashSize,
          DWORD   cbSalt,
          BYTE    pbSalt[cbSalt],
          DWORD   cbCipher,
          BYTE    pbCipher[cbCipher],
          DWORD   cbCrc,
          BYTE    pbCrc[cbCrc]
      };
      ```
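The blob layout on slide 69 can be walked with a bounds-checked parser, for instance to read out which master-key GUID a blob refers to before any decryption is attempted. This is an added example, not code from the slides or from OWADE: field names follow the slide, while the 4-byte little-endian DWORD/ALG_ID widths, the UTF-16LE description, the helper names and the sample blob are assumptions of this example.

```python
import struct
import uuid

# ALG_ID constants from wincrypt.h, used only to label parsed values.
ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
             0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}


class Reader:
    """Bounds-checked little-endian cursor, so a truncated blob fails loudly."""

    def __init__(self, data):
        self.data = data
        self.pos = 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated blob: need %d bytes at offset %d"
                             % (n, self.pos))
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def dword(self):
        return struct.unpack("<I", self.take(4))[0]

    def sized(self):
        """A DWORD byte count followed by that many bytes (cbX / pbX)."""
        return self.take(self.dword())

    def guids(self):
        """A DWORD count followed by that many 16-byte GUIDs."""
        return [str(uuid.UUID(bytes_le=self.take(16)))
                for _ in range(self.dword())]


def parse_blob(data):
    """Parse bytes laid out as the slide's wincrypt_datablob structure."""
    r = Reader(data)
    blob = {}
    blob["pbProviders"] = r.guids()
    blob["pbMasterkeys"] = r.guids()
    blob["dwFlags"] = r.dword()
    # Assumption: the description is a NUL-terminated UTF-16LE string.
    blob["pbDescription"] = r.sized().decode("utf-16-le").rstrip("\x00")
    blob["algCipher"] = r.dword()
    blob["cbKey"] = r.dword()
    blob["pbData"] = r.sized()
    blob["dwUnknown"] = r.dword()
    blob["algHash"] = r.dword()
    blob["dwHashSize"] = r.dword()
    blob["pbSalt"] = r.sized()
    blob["pbCipher"] = r.sized()
    blob["pbCrc"] = r.sized()
    if r.pos != len(data):
        raise ValueError("%d trailing bytes after blob" % (len(data) - r.pos))
    return blob


def alg_name(alg_id):
    return ALG_NAMES.get(alg_id, hex(alg_id))


def build_sample_blob():
    """Constructed sample: filler bytes and made-up GUIDs, not real ciphertext."""
    def sized(b):
        return struct.pack("<I", len(b)) + b
    provider = uuid.UUID("11111111-2222-3333-4444-555555555555")
    masterkey = uuid.UUID("0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9")
    return (struct.pack("<I", 1) + provider.bytes_le
            + struct.pack("<I", 1) + masterkey.bytes_le
            + struct.pack("<I", 0)
            + sized("Sample secret\x00".encode("utf-16-le"))
            + struct.pack("<II", 0x6603, 192)
            + sized(b"\x11" * 16)
            + struct.pack("<I", 0)
            + struct.pack("<II", 0x8004, 160)
            + sized(b"\x22" * 16)
            + sized(b"\x33" * 24)
            + sized(b"\x44" * 20))


if __name__ == "__main__":
    parsed = parse_blob(build_sample_blob())
    print("master key(s):", parsed["pbMasterkeys"])
    print("description  :", parsed["pbDescription"])
    print("cipher / hash:", alg_name(parsed["algCipher"]),
          "/", alg_name(parsed["algHash"]))
    print("ciphertext   :", len(parsed["pbCipher"]), "bytes")
```
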
  70. DPAPI master-key structure (diagram: Header Structure, Footer Structure)

      ```c
      struct wincrypt_masterkey_masterkeybloc {
          DWORD   dwRevision,
          BYTE    pbSalt[16],
          DWORD   dwRounds,
          ALG_ID  algMAC,
          ALG_ID  algCipher,
          BYTE    pbEncrypted[]
      };
      ```
  71. (diagram: DPAPI blob)
  72. (diagram: Master-key GUID, DPAPI blob)
  73. (diagram: Master-key GUID, DPAPI blob, Master key, pre-key)
  74. (diagram: Master-key GUID, DPAPI blob, Master key, SHA1(password), pre-key, User)
  75. (diagram: Master-key GUID, DPAPI blob, Master key, SHA1(password), pre-key, User, Master key)
  76. (diagram: Master-key GUID, DPAPI blob, Master key, Cipher + key, SHA1(password), pre-key, User, Master key)
  77. (diagram: Master-key GUID, DPAPI blob, Master key, Cipher + key, SHA1(password), pre-key, User, Master key, blob key)
  78. (diagram: Master-key GUID, DPAPI blob, Master key, Cipher + key, SHA1(password), pre-key, User, IV + Salt, Master key, blob key)
  79. (diagram: Master-key GUID, DPAPI blob, Master key, Cipher + key, SHA1(password), pre-key, User, IV + Salt, Master key, Additional entropy, blob key, Software)
  80. Bypassing the user password cracking • If we can’t crack the password we need its SHA1 • This SHA1 is stored in the hibernate file • OWADE uses Moonsols to recover it
  81. DPAPI additional entropy • Software can supply an additional entropy • Acts as a “key” (needed for decryption) • Forces us to understand how it is generated for each software • Can be used to tie data to a specific machine (e.g. Netbios name)
  82. Credential Manager • Built on top of DPAPI • Transparently handles the encryption and storage of sensitive data • Used by Windows, Live Messenger, Remote desktop...
  83. Credstore type of credentials (type of credential | encryption | example of application) • Generic password | DPAPI + fixed string | Live messenger, HTTP auth (IE) • Domain password | In clear | Netbios • Domain certificate | Hash of certificate | Certificate • Domain visible password | DPAPI + fixed string | Remote access, .NET passport
  84. WiFi data
  85. Wifi data • Info stored for each access point • Mac address (BSSID) • Key (encrypted) • Last time of access • Wifi data are stored in • Registry (XP) • XML file and Registry (Vista/7)
  86. Decrypting WiFi password • Encrypted with DPAPI • Access point shared among users • Encrypted with the System account • But the system account has no password... What is my DPAPI key ???
  87. Decrypting WiFi password • Use an LSASecret as DPAPI key • Array of credentials • HelpAssistant password in clear • DPAPI_SYSTEM • “Encrypted”
  88. Where are you? • We’ve recovered access point keys but where are they?
  89. Where are you? • We’ve recovered access point keys but where are they? (overlay: There is an app for that!)
  90. HTML5 Geo-location protocol
  91. HTML5 Geo-location protocol
  92. HTML5 Geo-location protocol
  93. Behind the curtain
  94. Nothing is ever easy • Google started to restrict queries in June • So we started to look for other APIs
  95. Entering Microsoft • Live service • “Documented” in the Windows mobile MSDN • After sniffing the traffic: • Use a big SOAP request • Does not check any ID fields • Allows to supply one MAC

      ```xml
      <GetLocationUsingFingerprint xmlns="http://inference.location.live.com">
        <RequestHeader>
          <Timestamp>2011-02-15T16:22:47.0000968-05:00</Timestamp>
          <ApplicationId>e1e71f6b-2149-45f3-b298-a20XXXXX5017</ApplicationId>
          <TrackingId>21BF9AD6-CFD3-46B2-B042-EE90XXXXXX</TrackingId>
          <DeviceProfile ClientGuid="0fc571be-4622-4ce0-b04e-XXXXXXeb1a222"
                         Platform="Windows7" DeviceType="PC"
                         OSVersion="7600.16695.amd64fre.win7_gdr.101026-1503"
                         LFVersion="9.0.8080.16413" ExtendedDeviceInfo="" />
          <Authorization />
        </RequestHeader>
        <BeaconFingerprint>
          <Detections>
            <Wifi7 BssId="00:BA:DC:0F:FE:00" rssi="-25" />
          </Detections>
        </BeaconFingerprint>
      </GetLocationUsingFingerprint>
      ```
  96. Blog post and demo released!
  97. Just fixed • Fixed last weekend • No longer returns a location for a single address
  98. Just fixed • Fixed last weekend • No longer returns a location for a single address (overlay: There is a patch for that!)
  99. Geo-location API restrictions • Requires 2 MAC close to each other • The MAC and IP location need to be “close” • Requires multiple MAC addresses • See http://elie.im/blog/ for more information
  100. WiFi Information Extracted By OWADE
  101. Browsers
  102. Firefox > 3.4 • Passwords • Location: signons.sqlite • Encryption: 3DES + Master password • History • URLs: places.sqlite • Forms fields: formhistory.sqlite
  103. Decrypting Firefox password
  104. Decrypting Firefox password (diagram: pass; User)
  105. Decrypting Firefox password (diagram: pass; Global salt; User; key3.db)
  106. Decrypting Firefox password (diagram: pass; Global salt; User; user key: HMAC-SHA1(salt, pass); key3.db)
  107. Decrypting Firefox password (diagram: pass; Global salt; User; user key: HMAC-SHA1(salt, pass); key3.db; encrypted key + key salt; key3.db)
  108. Decrypting Firefox password (diagram: pass; Global salt; User; user key: HMAC-SHA1(salt, pass); key3.db; encrypted key + key salt; key3.db; master key: 3DES(userkey, enckey))
  109. Decrypting Firefox password (diagram: pass; Global salt; User; user key: HMAC-SHA1(salt, pass); key3.db; encrypted key + key salt; key3.db; master key: 3DES(userkey, enckey); encrypted pass; signons.sqlite)
  110. Decrypting Firefox password (diagram: pass; Global salt; User; user key: HMAC-SHA1(salt, pass); key3.db; encrypted key + key salt; key3.db; master key: 3DES(userkey, enckey); encrypted pass; Site password: 3DES(master key, enc pass); signons.sqlite)
  111. Shopping at Amazon?
  112. How about a nice kindle?
  113. How about a nice kindle?
  114. Every form field is recorded
  115. Configuring a Linksys?
  116. Again the key is recorded
  117. Form history leaks a lot of information • Shipping address • Wifi key • Credit card information • Email • Search history
  118. Preventing field recording • To tell the browser not to record a field, use the attribute autocomplete="off"
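A site owner can check pages for the leak described on slides 117 and 118 by listing text inputs that look sensitive but are not covered by autocomplete="off", either on the field or on its enclosing form. This is an added example, not code from the slides or from OWADE: the name heuristics, the set of input types checked and the sample HTML are assumptions of this example.

```python
import re
from html.parser import HTMLParser

# Input types treated as free-text fields a browser may keep in form history
# (assumption of this example).
TEXT_TYPES = {"text", "search", "email", "tel", "url", "number"}

# Heuristic name fragments for the data kinds listed on slide 117
# (shipping address, wifi key, credit card, email, search).
SENSITIVE = re.compile(
    r"card|cc-?num|cvv|cvc|passphrase|wpa|wep|psk|address|email|search", re.I)


class AutocompleteAudit(HTMLParser):
    """Collects sensitive-looking inputs that browsers are allowed to record."""

    def __init__(self):
        super().__init__()
        self.form_off = False  # inside a <form autocomplete="off">?
        self.findings = []     # (line number, field name)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_off = a.get("autocomplete", "").strip().lower() == "off"
        elif tag == "input":
            self.check_input(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

    def check_input(self, a):
        if (a.get("type") or "text").strip().lower() not in TEXT_TYPES:
            return  # hidden fields, buttons, checkboxes and so on
        name = a.get("name") or a.get("id") or ""
        if not SENSITIVE.search(name):
            return
        # A field-level attribute overrides the value set on the form.
        if "autocomplete" in a:
            off = a["autocomplete"].strip().lower() == "off"
        else:
            off = self.form_off
        if not off:
            self.findings.append((self.getpos()[0], name))


def audit(html):
    """Return [(line, field name)] for sensitive fields left recordable."""
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a router page, a checkout form and a form that sets
# autocomplete="off" globally but re-enables it on one field.
SAMPLE_HTML = """
<form action="/wireless" method="post">
  <input type="text" name="ssid">
  <input type="text" name="wpa_passphrase">
</form>
<form action="/checkout" method="post">
  <input type="text" name="shipping_address">
  <input type="text" name="card_number" autocomplete="off">
  <input type="hidden" name="csrf_token" value="x">
</form>
<form action="/subscribe" autocomplete="off">
  <input type="email" name="email">
  <input type="text" name="search_query" autocomplete="on">
</form>
"""

if __name__ == "__main__":
    for line, name in audit(SAMPLE_HTML):
        print("line %d: field %r may be stored in form history" % (line, name))
```
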
  119. Internet Explorer • Passwords (Location: registry; Encryption: DPAPI + URL as salt) • History (URLs: Index.dat)
  120. Decrypting Internet Explorer passwords
  121. Decrypting Internet Explorer passwords: SHA1(URL) (registry)
  122. Decrypting Internet Explorer passwords: SHA1(URL) (registry); URL (URL list)
  123. Decrypting Internet Explorer passwords: SHA1(URL) (registry); URL (URL list); SHA1(URL) and URL (DPAPI entropy)
  124. Decrypting Internet Explorer passwords: SHA1(URL) (registry); URL (URL list); SHA1(URL) and URL (DPAPI entropy); DPAPI blob (registry)
  125. Decrypting Internet Explorer passwords: SHA1(URL) (registry); URL (URL list); SHA1(URL) and URL (DPAPI entropy); DPAPI blob (registry); site password
  126. Maximizing our recovery • Build a list of URLs from other browsers and files • Use a list of known login URLs
  127. Chrome • Passwords (Location: Login Data (sqlite); Encryption: DPAPI) • History (URLs: History (sqlite); Form fields: Web Data (sqlite))
  128. Safari • Passwords (Location: keychain.plist (Property list format); Encryption: DPAPI + fixed string as entropy) • History (URLs: History.plist; Form fields: Form Value.plist)
  129. Browsers takeaway • Internet Explorer is the most secure: if you don't know the URL you can't recover the credentials • Firefox is the worst: password encryption is not tied to the Windows user password (bug open for a while); logins are encrypted in signons.sqlite, not in formhistory.sqlite
  130. Private mode • Most bugs are fixed • Requires being creative • SSL OCSP requests • File carving • Potential techniques • Analyze the hibernate file • See http://ly.tl/p16 for more information on private mode
  131. The browsers' histories aggregated
  132. Instant messaging
  133. Skype • Encryption: custom • Difficulty: extreme • Location: registry + config.xml
  134. Decrypting Skype passwords
  135. Decrypting Skype passwords: DPAPI blob (registry); pre-key
  136. Decrypting Skype passwords: DPAPI blob (registry); pre-key; AES key: SHA1(pre-key)
  137. Decrypting Skype passwords: DPAPI blob (registry); pre-key; AES key: SHA1(pre-key); encrypted credential (config.xml)
  138. Decrypting Skype passwords: DPAPI blob (registry); pre-key; AES key: SHA1(pre-key); encrypted credential (config.xml); pass cracking; login; MD5(login\nskyper\npassword)
  139. Decrypting Skype passwords: DPAPI blob (registry); pre-key; AES key: SHA1(pre-key); encrypted credential (config.xml); pass cracking; login; MD5(login\nskyper\npassword) [overlay text garbled in extraction; it mentions a patch for John the Ripper]
  140. Google Talk • Encryption: DPAPI + custom (salt) • Difficulty: hard • Location: registry
  141. Salt derivation algorithm overview
  142. Salt derivation algorithm overview: String: 0xBA0DA71D
  143. Salt derivation algorithm overview: String: 0xBA0DA71D; Windows account name (registry)
  145. Salt derivation algorithm overview: String: 0xBA0DA71D; Windows account name (registry); computer NetBIOS name (registry)
  147. Salt derivation algorithm overview: String: 0xBA0DA71D; Windows account name (registry); computer NetBIOS name (registry); DPAPI blob (registry)
  149. Microsoft Messenger • Encryption: DPAPI or Credstore • Difficulty: medium • Location: version dependent
  150. Windows Messenger by version • Version 5: storage registry, encryption Base64 encoded • Version 6: storage Credstore, encryption Credstore • Version 7: storage registry x2, encryption DPAPI x2 • Live: storage Credstore, encryption Credstore
  151. aMSN • Encryption: DES, key: substr(login . "dummykey", 8) • Difficulty: easy • Location: config.xml
  152. 9talk • Encryption: XOR, key: 9 • Difficulty: trivial • Location: user.config
  153. Trillian • Encryption: Base64 + XOR, key: fixed string • Difficulty: trivial • Location: user.config
  154. Pidgin • Encryption: clear, aka encrypt-what? • Difficulty: none • Location: account.xml
  156. Paltalk • Encryption: custom • Difficulty: difficult (offline) • Location: registry
  157. Paltalk encryption algorithm
  158. Paltalk encryption algorithm: volume serial number: 01234567
  159. Paltalk encryption algorithm: volume serial number: 01234567; Paltalk account name: myusername (registry)
  160. Paltalk encryption algorithm: volume serial number: 01234567; Paltalk account name: myusername (registry); m0y1u2s3e4r5n6a7me x 3
  161. Paltalk encryption algorithm: volume serial number: 01234567; Paltalk account name: myusername (registry); m0y1u2s3e4r5n6a7me x 3; encrypted password: yyyz yyyz yyyz yyyz (registry)
  162. Paltalk encryption algorithm: volume serial number: 01234567; Paltalk account name: myusername (registry); m0y1u2s3e4r5n6a7me x 3; encrypted password: yyyz yyyz yyyz yyyz (registry); c_i: yyyz_i - asciiCode(S-BOX_{n-i})
  164. Messenger takeaway • If your Skype password is strong we can't recover it • Gtalk and Paltalk are the only ones to use computer information • Third-party software is the least secure
  165. All the credentials recovered by OWADE
  166. Cloud based forensic
  167. Cloud modules • Leverage the credentials and history extracted to get cloud data • Might be legal (or not) • Only LinkedIn currently (more modules almost ready)
  168. OWADE status • Alpha stage • Tested on Ubuntu against Windows XP • Roadmap: stabilizing the code; modularizing the code so you can write your own modules; more cloud probes: Facebook, Flickr, Emails...; Windows Vista and 7 integration
  169. Conclusion • People moving to the cloud means more data that is harder to get • Forensics needs to evolve to cope with this • OWADE is the first tool dedicated to cloud forensics: decrypts the 4 major browsers' data; decrypts instant messaging credentials; open-source
  170. Thank you! Please remember to complete your feedback form :)
  171. Download OWADE: http://owade.org • Follow us on Twitter: @elie, @projectowade • Donate to OWADE to support it!
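
Slides 117 and 118 show form history leaking sensitive values and name autocomplete="off" as the mitigation. The following added example (not part of the OWADE slides or code base) audits an HTML page for sensitive-looking fields that the browser is still allowed to record; the field-name patterns and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
# Heuristic field-name patterns for the data classes on slide 117 (assumed).
SENSITIVE = re.compile(r"card|cvv|cvc|wifi|wpa|ssid|address|ship|email|search", re.I)
SKIPPED_TYPES = {"hidden", "submit", "button", "checkbox", "radio", "file", "reset"}

def is_off(attrs):
    return (attrs.get("autocomplete") or "").strip().lower() == "off"

class AutocompleteAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.form_off = False  # inside <form autocomplete="off">?
        self.findings = []     # (line number, field name)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_off = is_off(attrs)
        elif tag in ("input", "textarea"):
            if (attrs.get("type") or "text").lower() in SKIPPED_TYPES:
                return
            name = attrs.get("name") or attrs.get("id") or ""
            # A field inherits the form's setting unless it sets its own.
            off = is_off(attrs) if "autocomplete" in attrs else self.form_off
            if SENSITIVE.search(name) and not off:
                self.findings.append((self.getpos()[0], name))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

def audit(html):
    """Return (line, field name) for sensitive fields that can be recorded."""
    parser = AutocompleteAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample page (not from the slides).
SAMPLE = """<form action="/checkout">
<input type="text" name="shipping_address">
<input type="text" name="card_number" AUTOCOMPLETE="Off">
</form>
<form action="/pay" autocomplete="off">
<input name="wifi_key">
<input name="email" autocomplete="on">
</form>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Browsers' password managers may ignore autocomplete="off" on login fields, so this check covers form history rather than saved passwords.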