I didn’t intend on dissecting files when I started looking at IDrive. My intent was to look at its operation and determine a method of file acquisition as a “Cloud” service. That is still an ongoing project. What I found though is a little disturbing from a user point of view, and fantastic from a forensic point of view. I originally wrote this last year and never got it posted. When I originally looked at IDrive I found some interesting information. I thought after a year they would have changed their methods of obscuring their client information on the local machine. Alas, no….Here is what I found.
From their corporate information page IDrive identifies them as a “service” of Pro Softnet Corporation based in Calabasas, California. Pro Softnet has been around since 1995 providing Internet-based solutions. They have several other products including IBackup and RemotePC.
Disturbing Findings or not so disturbing for the Forensic examiner
I downloaded the “Free” version of IDrive’s software. I wanted to test it and potentially include it in our training as a discussion item on cloud investigation issues. IDrive is unique among the “Online Backup” providers in that they offer “Free” storage of up to 5 GB of data. The other companies in this space seem to only offer a free trial period of their product. IDrive was unique enough that I thought I needed to try it.
This short blog entry is not a review of the entire installation of the software. I did not look in to the registry or examine ever file. I did however find a few things that are worth mentioning for the forensic examiner. I quickly and easily installed their software and easily uploaded some test data into their storage. I then started to poke around on my machine to identify where IDrive put files. I did not have to go far. IDrive’s files are found on the local system hard drive under the IDrive folder in the “Program Files” folder.
In the main IDrive folder is the 128 bit “rc4.key” encrypted key file I am sure that is used by the system to communicate with the IDrive server. RC4 is almost 25 years old as an encryption scheme. It however is still in common use today. I did not examine further its implementation in the communication scheme of the product or try to crack it..
IDrive Temp Folder
In the IDrive “Temp” folder there were two folders with files similarly named. The file “DLLOutput1.txt” contained only an IP address of 18.104.22.168 (and what appears to be a port number of 11663) which belongs to IDrives parent company Pro-Softnet.
The file DLLIntput1.txt similarly contained a small amount of important information. The format was:
We will discuss the username and password translation below.
In the LDB folder is a file titled “IDriveLDB.IDr”. The file is an SQlite database containing file paths of the data to be backed up.
Under the “Log” folder is another file containing a file named “Realtime Trace.txt”. This file is a log file with connection dates and times. This file contained the backup up operation to IDrive, which included the IDrive User name, data files names and paths, the start and end time of the backup, the number of files backed up and any excluded files from the backup.
Folder with local computer name
In the folder with the local computers name was found a file titled “Backupfile.txt”. This file contained a list of the files backed up to the IDrive server. In this same folder was another file “BackupSet.txt” that appeared to contain the dates and times of the backups.
In the IDrive user folder there is a file called “IDriveE.ini”. The contents are a little lengthier but it is revealing. At first glance there is the same IP address identified above, the port and much more information. I looked at the lines in the file and realized that some encryption scheme was used. The question is what was it? Thinking I would not easily find out what the scheme was that was implemented, I used a program to simply try various cyphers common in obfuscation. Without much effort I revealed my passwords and my user name from the text. The obfuscation used by IDrive was a simple 2 position Cesar Cypher.
|Text in File||Translation|
|user||2 position Cesar Cypher and is my login user name|
|User Password=xxxxxxx||2 position Cesar Cypher and is my login password|
|gpercuuyqtf=xxxxxxxx||2 position Cesar Cypher and is “encpassword=mypassword”|
|Enc password=xxxxxx||2 position Cesar Cypher and is my encrypted Idrive password but only the first 6 characters of my password|
(Real password has been removed for my security….)
These were not the only lines that used the 2 position Cesar Cypher. In going through the entire file, the lines not in plaintext all used this same cypher to encode their data.
In reviewing a file named “SerTraceFile.txt” I found a log file with more interesting information about the service and what it collects about my system. The file contained many pieces of information about the IDrive service and the local machine including the local PC name and the NIC card’s MAC address.
WOW….So in looking at IDrive, the “Encrypted” backup service, I found from a forensic point of view, some substantially important failings on the local machine. Well not failings from an investigative point of view, this is actually some great information. I made no attempt at the writing of this blog entry to use the file information to login from a separate machine. Until Prosoft changes the IDrive local machine files Digital Forensic examiners will have access to some useful information from the IDrive files.
I am sure this will be changed in a follow-on version by Pro-Soft (at least I hope so), but for the record what I found is limited to my examination of these specific versions on a Windows 7 machine. The IDrive versions I used in this testing were 3.3.4 and3.4.1.