Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud Service (Part 2 ? Log Files artefacts)

Published: 2017-07-05. Last Updated: 2017-07-06 07:44:15 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

[This is a second guest diary by Dr. Ali Dehghantanha. You can find his first diary here. If you would like to propose a guest diary, please let us know]

Continuing the earlier post on the investigation of BitTorrent Sync version 2.0; this post discusses evidence that can be extracted from related log files of BitTorrent Sync version 2.0 on Windows 8.1, Mac OS X Mavericks 10.9.5, and Ubuntu 14.04.1 LTS.

BitTorrent Sync stores logs in the application folder and the filename of which is displayed as ‘sync.log’. The default log size is 100MB and can be modified by the user. When the maximum size is reached, the log file is renamed to sync.log.old, and a new sync.log file will be created. As BitTorrent Sync does not implement an encryption algorithm to secure its logs, the logs could be easily accessible using a text editor. The log file is important as it would aid in identifying BitTorrent Sync events around a specific time of the incident. Table 1 and Table 2 below summarize a list of notable log entries forensic interest from sync.log.

Table 1: Log entries of forensic interest from sync.log.

Relevance

Examples of log entries obtained in our research

Enables a practitioner to identify the BitTorrent Sync version installed on the device under investigation.

  • platform: Windows workstation 6.3.0 x86

version: 2.0.93

Assist the practitioner in determining the non-encoded peer ID of the device under investigation.

  • [2015-04-03 16:18:32] My PeerID: 103B760A3674FE44C4A512B4EF802D452F633F99

A master folder will only be created during identity creation. This potentially allows the practitioner to determine when BitTorrent Sync was first used on a device.

  • [2015-04-03 16:19:50] MD[init]: Master Folder: create

May assist the practitioner in determining the IP addresses used by the device under investigation.

  • [2015-04-03 16:18:30] Using IP address 192.168.220.176
  • [2015-04-03 16:31:03] Changing IP address from 192.168.220.176 to 192.168.220.143

Informs the practitioner the IP addresses used by the peer devices.

  • [2015-04-04 09:05:32] Incoming connection from 192.168.220.176:49734
  • [2015-04-03 16:51:58] SD[BBAD]: Peer 1: local IP 192.168.220.176:20566
  • [2015-04-03 16:51:47] SD[BBAD]: Got ping (broadcast: 1) from peer 192.168.220.176:20566 (10DEC8109E524439D9454ABE2BB1475BF7D5A2B5)
  • Peer 1: 60.50.83.170:49449 10DEC8109E524439D9454ABE2BB1475BF7D5A2B5
  • [2015-04-05 08:23:56] SF[1F7E] [A2B5]: Found peer 10DEC8109E524439D9454ABE2BB1475BF7D5A2B5 192.168.220.176:49759 direct:1 transport:1 version: 2.0.93

Allows a practitioner to identify the device names of the peer devices.

  • [2015-04-05 09:05:32] SF[B5E2] [A2B5]: Got id message from peer WIN-KMM6MUN4701 (10DEC8109E524439D9454ABE2BB1475BF7D5A2B5) 2.0.93
  • [2015-04-17 12:51:19] MD[A965]: new device found WIN-KMM6MUN4701 (CDPMQEE6KJCDTWKFJK7CXMKHLP35LIVV)

Since most peer IDs are stored in base32 format in the metadata and configuration files, these log entries would provide a potential method for identification of the actual (non-encoded) peer IDs from the device names.

  • [2015-04-05 09:05:32] SF[B5E2] [A2B5]: Got id message from peer WIN-KMM6MUN4701 (10DEC8109E524439D9454ABE2BB1475BF7D5A2B5) 2.0.93
  • [2015-04-15 12:30:31] SD[4F11]: Got ping (broadcast: 1) from peer 192.168.220.146:50523 (107C1CFB546B565559FE2929E7B7C8804E7302F0)
  • [2015-04-17 12:51:19] MD[A965]: new device found WIN-KMM6MUN4701 (CDPMQEE6KJCDTWKFJK7CXMKHLP35LIVV)
  • [2015-04-17 12:51:19] API: callback id=19, value="{ "value": {"peerid":"CDPMQEE6KJCDTWKFJK7CXMKHLP35LIVV"}}", can_deferred=0, _delegate=0x1c57d48…

May assist the practitioner in determining the share IDs for the shared folders added.

  • [2015-04-05 11:37:54] SSLEH[0x15fa28b0]: hello packet { share:6C25389E651AC160F91ECAF3D9A249C58F6BED15 } has been sent
  • [2015-04-05 11:37:54] SSLEH[0x08e849e8]: received hello packet, { share:6C25389E651AC160F91ECAF3D9A249C58F6BED15 }
  • [2015-04-05 11:47:58] Requesting peers from tracker 52.1.1.135:3000 for share 6C25389E651AC160F91ECAF3D9A249C58F6BED15

Enables identification of the shared folder names/IDs created on the device under investigation.

  • [2015-04-04 20:36:45] FC[B5E2]: started periodic scan for "\\?\C:\Sync"
  • [2015-04-05 11:37:57] MD[A965]: [apply] Processing folder "Sync" (-2775350472753142605)

Assists the practitioner in determining the synced filenames or folder names as well as the addition/creation times.

  • [2015-04-05 08:24:17] JOURNAL[22F5]: new torrent created for file Enron3111.txt mt:1418488391 9603FC44BB0F59A822FA3331A1802F880ABA583B

[2015-04-05 08:24:17] JOURNAL[22F5]: setting time for file "\\?\C:\Sync\Enron3111.txt" to 1428193457

[2015-04-05 08:24:17] JOURNAL[22F5]: insert file "\\?\C:\Sync\Enron3111.txt" = 131072:22982

Informs the practitioner folder names for the deleted folders as well as the deletion times.

  • [2015-06-28 23:41:17] Folder being removed from this device and the files at '\\?\C:\Sync' are being removed.

Allows the practitioner to determine the local identity’s disconnection time.

  • [2015-04-05 09:12:01] Master Folder Controller: disconnect master folder

Table 2: Records of BitTorrent Sync’s Application Programming Interface (API) response bodies (in JSON format) of forensic interest from sync.log.

Relevance

Examples of log entries obtained in our research

Provides the practitioner details about the device under investigation such as the peer ID, device name, last online time, last sync completed time, and folder IDs for the shared folders created/added.

  • [2015-04-05 09:11:53] API: <-- getmfdevices({ "status": 200, "value": [{ "aod": false, "devicename": "WIN-KMM6MUN4701", "folders": [ { "added": true, "id": -7338009380596345790, "mode": 1 }, { "added": true, "id": 3964779361527927184, "mode": 1 }, { "added": true, "id": 4780923171276619705, "mode": 1 }, { "added": true, "id": 5471258729987051831, "mode": 1 } ], "id": "CDPMQEE6KJCDTWKFJK7CXMKHLP35LIVV", "lastseen": 1428196287, "lastsynccompleted": 1428196287, "name": "WIN-KMM6MUN4701", "online": true, "self": false, "syncerr": 0, "syncerrmsg": "", "userid": "" } ] })…

Assists the practitioner in determining the pending user requests sent to the device under investigation including the folder IDs (if any), the times when the requests were sent, access permissions, as well as the requester’s IP addresses and certificate fingerprints.

  • [2015-04-03 16:51:48] API: <-- getpendingrequests({ "status": 200, "value": [ { "access_level": 3, "id": "5471258729987051831", "ip": "192.168.220.176", "license": false, "readwrite": true, "time": 1428051108, "user_identity": { "devicename": "device", "fingerprint": "2UMI566O3XAE7BB2V3N3YWWECJ3TCGJHMRGZTVLN2SZY276QI4AQ", "username": "Guest" } } ] })…

May assist a practitioner in determining the folder names, folder IDs, storage paths, folder sizes, timestamp information, as well as peer device names, peer IDs, and fingerprints associated with the shared folders added by or downloaded to the device under investigation.

  • [2015-04-05 09:05:37] API: <-- getsyncfolders({ "folders": [ { "access": 4, "archive": "C:\\Sync\\.sync\\Archive", "archive_files": 3, "archive_size": 153187, "date_added": 1428049323, "down_eta": 0, "down_speed": 0, "down_status": 100, "error": 0, "files": 3, "folderid": "5471258729987051831", "has_key": true, "indexing": false, "ismanaged": true, "iswritable": true, "last_modified": 1428053450, "name": "Sync", "path": "C:\\Sync", "paused": false, "peers": [ { "direct": true, "downdiff": 0, "id": "10DEC8109E524439D9454ABE2BB1475BF7D5A2B5", "isonline": true, "lastreceivedtime": 0, "lastsenttime": 1428051120, "lastsynctime": 1428051129, "name": "WIN-KMM6MUN4701", "updiff": 0, "userid": "UQO52P4G5O2QU6OOGX3AS7R6RUAU22JBBWJ4H2CYNXHRO3KIRVBQ" }], "size": 321638, "status": "314.0 kB in 3 files", "stopped": false, "synclevel": 2, "up_eta": 0, "up_speed": 0, "up_status": 100, "users": [{ "access": 3, "id": "2UMI566O3XAE7BB2V3N3YWWECJ3TCGJHMRGZTVLN2SZY276QI4AQ", "name": "Guest" } ] },

Informs the practitioner the storage path for the device under investigation.

  • [2015-04-03 16:43:13] API: <-- getfoldersstoragepath({ "status": 200, "value": "C:\\Users\\anonymous\\BitTorrent Sync" })
  • [2015-04-05 09:05:33] API: <-- setfoldersstoragepath({ "path": "C:\\Users\\anonymous\\BitTorrent Sync", "status": 200 })

Allows the practitioner to identify the folder name, path, and timestamp references for the shared folders added by the device under investigation.

  • [2015-04-04 20:27:22] API: --> addsyncfolder(path=C%3A%5CSync&selectivesync=false&t=1428150442927)

Contains copy of history.dat file (see section 4.1) at the time of request.

  • [2015-04-05 08:33:06] API: <-- history({ "status": 200, "value": [{ "id": 39, "msg": "WIN-KMM6MUN4701 updated file Enron3111.zip", "time": 1428193777 }, { "id": 38, "msg": "WIN-KMM6MUN4701 updated file Enron3111.txt", "time": 1428193777 }, { "id": 37, "msg": "Remote peer removed file Enron3111.rtf", "time": 1428193777 }, { "id": 13, "msg": "Added file Enron3111.docx", "time": 1428153859 }…

 

The next post discuss about BitTorrentSync v.2 evidence retrievable from physical memory.

 

Keywords:
0 comment(s)
ISC Stormcast For Thursday, July 6th 2017 https://isc.sans.edu/podcastdetail.html?id=5570

Selecting domains with random names

Published: 2017-07-05. Last Updated: 2017-07-05 18:30:23 UTC
by Didier Stevens (Version: 1)
5 comment(s)

I often have to go through lists of domains or URLs, and filter out domains that look like random strings of characters (and could thus have been generated by malware using an algorithm).

That's one of the reasons I developed my re-search.py tool. re-search is a tool to search through (text) files with regular expressions. Regular expressions can not be used to identify strings that look random, that's why re-search has methods to enhance regular expressions with this capability.

We will use this list of URLs in our example:
http://didierstevens.com
http://zcczjhbczhbzhj.com
http://www.google.com
http://ryzaocnsyvozkd.com
http://www.microsoft.com
http://ahsnvyetdhfkg.com

Here is an example to extract alphabetical .com domains from file list.txt with a regular expression:
re-search.py [a-z]+\.com list.txt

Output:
didierstevens.com
zcczjhbczhbzhj.com
google.com
ryzaocnsyvozkd.com
microsoft.com
ahsnvyetdhfkg.com

Detecting random looking domains is done with a method I call "gibberish detection", and it is implemented by prefixing the regular expression with a comment. Regular expressions can contain comments, like programming languages. This is a comment for regular expressions: (?#comment).

If you use re-search with regular expression comments, nothing special happens:
re-search.py "(?#comment)[a-z]+\.com" list.txt

However, if your regular expression comment prefixes the regular expression, and the comment starts with keyword extra=, then you can use gibberish detection (and other methods, use re-search.py -m for a complete manual).
To use gibberisch detection, you use directive S (S stands for sensical). If you want to filter all strings that match the regular expression and are gibberish, you use the following regular expression comment: (?#extra=S:g). :g means that you want to filter for gibberish.

Here is an example to extract alphabetical .com domains from file list.txt with a regular expression that are gibberish:
re-search.py "(?#extra=S:g)[a-z]+\.com" list.txt

Output:
zcczjhbczhbzhj.com
ryzaocnsyvozkd.com
ahsnvyetdhfkg.com

If you want to filter all strings that match the regular expression and are not gibberish, you use the following regular expression comment: (?#extra=S:s). :s means that you want to filter for sensical strings.

Classifying a string as gibberish or not, is done with a set of classes that I developed based on work done by rrenaud at https://github.com/rrenaud/Gibberish-Detector. The training text is a public domain book in the Sherlock Holmes series. This means that English text is used for gibberish classification. You can provide your own trained pickle file with option -s.

 

 

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: DGA domain malware
5 comment(s)

Comments


Diary Archives