OneDrive Microsoft.FileUsageSync.db

I recently started to look into the Microsoft.FileUsageSync.db. The database can be found in %localappdata%\Microsoft\OneDrive\ListSync\Business<1-9>\settings. It is not documented in OneDrive Evolution because it only appears in OneDrive for Business. OneDrive Evolution's data is collected from personal only. It's not known what version this database first appeared in. Just like Microsoft.ListSync.db, this database is used by Microsoft.SharePoint.exe but is not related to the Offline Mode for web feature that I am aware of. There is some interesting data in the recent_files_formatted_spo table. The FormattedValue column holds JSON data that isn't the prettiest to look at.

To make the data easier to read, I wrote the following script to convert the JSON data into CSV format.

import sqlite3
import pandas as pd
import json

db_path = "Microsoft.FileUsageSync.db"

conn = sqlite3.connect(db_path)

query = "SELECT FormattedValue FROM recent_files_formatted_spo"

df = pd.read_sql_query(query, conn)

conn.close()


def parse_json(value):
    try:
        value = value.encode().decode('unicode_escape')

        return json.loads(value)
    except Exception as e:
        print("JSON Parse Error:", e)
        return None


df_parsed = df["FormattedValue"].apply(parse_json)

df_expanded = pd.json_normalize(df_parsed.dropna())

df_expanded.to_csv('output.csv', index=False, encoding='utf-8')

So what type of data does this table hold? Unfortunately, I cannot show you the data because I don't have a development environment so I'll do my best to explain what I found.

To give you an idea, when the data is parsed out, we have the following headers:
file.Id, file.@odata.id, file.FileModifiedTime, file.LastModifiedDateTime, file.FileCreatedTime, file.FileExtension, file.FileSize, file.StorageProviderContext, file.IsEmptyCopy, file.SharePointItem.SiteId, file.SharePointItem.WebId, file.SharePointItem.ListId, file.SharePointItem.UniqueId, file.ItemProperties.Shared.LastSharedWithMailboxOwnerByDisplayName, file.ItemProperties.Shared.LastSharedWithMailboxOwnerBySmtp, file.ItemProperties.Shared.LastSharedWithMailboxOwnerDateTime, file.ItemProperties.Shared.SubjectProperty, file.ItemProperties.Shared.AttachmentItemReferenceId, file.ItemProperties.Shared.AttachmentReferenceId, file.ItemProperties.Shared.ImmutableFileItemReferenceId, file.ItemProperties.AggregatedActivities.LastUserActivityDateTime, file.ItemProperties.AggregatedActivities.LastModifiedDateTime, file.ItemProperties.AggregatedActivities.MailboxOwnerTopInsights, file.ItemProperties.AggregatedActivities.IsHidden, file.ItemProperties.SemanticProperties.Title, file.UserRelationship.LastSharedDateTime, file.Visualization.Title, file.Visualization.AccessUrl, file.Visualization.Type, file.AllExtensions.SharingHistory.Instances, file.FileName, file.SharePointOnlineFacetStatus, file.Document.Title, file.WorkingSetId, activity.message_format, activity.type, activity.users, activity.timestamp, activity.extended_info.subject, file.UserRelationship.LastSharedById, file.Document.Author, file.SharePointItem.ModifiedBy, file.PrimaryItemLocation, file.SharePointItem.ContentClass, file.SharePointItem.SitePath, file.ItemProperties.Default.SiteTemplateId, activity.extended_info.sharing_medium, file.Visualization.ContainerTitle, file.Visualization.ContainerUrl, file.Visualization.PreviewImageUrl, file.FileOwner, file.SharePointItem.ContentTypeId, file.SharePointItem.ListItemId, file.SharePointItem.DocId, file.SharePointItem.ModifiedByDisplayName, file.SharePointItem.FileUrl, file.SharePointItem.ParentId, file.ItemProperties.Default.AuthorOWSUSER, file.ItemProperties.Default.EditorOWSUSER, file.ItemProperties.Default.DocumentLink, file.ItemProperties.AggregatedActivities.MailboxOwnerHistograms, file.ItemProperties.ClientAccessByMailboxOwner.LastAccessDateTime, file.ItemProperties.SemanticProperties.Url, file.ItemProperties.SemanticProperties.ContainerName, file.ItemProperties.SemanticProperties.ContainerUrl, file.UserRelationship.FrequentlyUsedSiteWeight, file.UserRelationship.LastAccessDateTime, file.ItemProperties.Default.ProgID, file.ItemProperties.Shared.TeamsMessageThreadId, file.ItemProperties.Direct.ColorHex, file.UserRelationship.LastModifiedDateTime, file.ItemProperties.Default.RecordingStartDateTime, file.ItemProperties.Default.RecordingEndDateTime, file.ItemProperties.Default.MeetingOrganizerId, file.ItemProperties.Default.MeetingICalUid, file.ItemProperties.Default.BaseType, file.ItemProperties.Default.ListTemplateTypeId, file.ItemProperties.Default.ListIcon, file.ItemProperties.Default.ListColor, activity.extended_info.navigation_id

It appears to hold information on files that are not necessarily in your OneDrive, but files that are shared from OneDrive. This can include files that were shared to you via email, Teams, and whiteboards to name a few.

Another interesting table is recommended_files. This table appears to hold a max of 20 files. One of the things that stood out to me was a description in the JSON data. The description is the first couple lines of the file so it could give us a good indication of what the file contains.

The last table I want to talk about is top_collaborators. This one holds information on people the user interacts with the most. We could potentially glean work relationships from this data.

The plan is to add this data into OneDriveExplorer once I can get it sorted out. Until then, use the script to explore this sure to be valuable forensic resource.

OneDriveExplorer Offline Mode Edition

Changes to OneDriveExplorer (ODE)

With this release, there are a few things to be aware of that have changed with the GUI and command line version.

GUI

The ODE GUI now has a profile selection. This is to make things easier so we don't have to point to certain files/folders for parsing settings data and logs. The options are still there but this is meant more for if you have a loose collection of files.

With the profile option, all we need to do is select the profile folder %LOCALAPPDATA%\Microsoft\OneDrive and ODE will do the rest. Logs will only be parsed if the Enable ODL log parsing option is enabled in the preferences.
The GUI can now indicate if the account is Personal or Business.

Command Line

With the command line, there is a new argument (--output-dir) to designate the save folder location. There is no longer a need to add a directory to --csv, --html, or --json. These arguments are now used to indicate what type of output you want the data stored in. Also, --csvf has been dropped.

New Additions

OneDrive Offline Mode

OneDrive for Business has a feature called Offline Mode that allows you to continue to use the web version of OneDrive without an internet connection. If you want to learn more, I had written about it in another article. In order for the database (Microsoft.ListSync.db) to populate, Offline Mode needs to be set up. First off, the feature needs to be pushed to your tenant by Microsoft (I believe Microsoft has finished rolling this out). Offline Mode is enabled by default but can be disabled via group policy. When you navigate to OneDrive for web, if you see a computer icon in the upper right of the page, Offline Mode is enabled and ready.

Once this is done, the Offline Mode database will be populated. There are also some limitations that might not allow Offline Mode to be enabled. See the Current limitations of offline mode section for more information.

What does this bring to OneDriveExplorer

With new features bring new data. So what kind of data does OneDriveExplorer get from Offline Mode? In addition to knowing a file/folder is shared, we can now see who it is shared with.

Another interesting artifact of this is seeing what other people have shared and to whom. If we look at a folder that was linked to OneDrive, the shared data is present, even though we did not do the sharing.

Another data point Offline Mode brings to ODE is OCR (Optical Character Recognition). Here is an example of the data in ODE verses the actual image.

More to come

There is still a lot of data to go through with Offline Mode that can be added to ODE. Additional work will be done to have a dedicated parser for Microsoft.ListSync.db for instances where that is the only file you have available. The latest version of OneDriveExplorer can be found here.

OneDrive Offline Mode (Recallish vibes)

Back in April 2024, Microsoft announced a new feature coming to OneDrive for Business called Offline Mode. The feature allows you to continue to use the web version of OneDrive without an internet connection. It works by downloading your file metadata and running a web server (Microsoft.SharePoint.exe) located in Program Files\Microsoft Onedrive\<OneDrive_Version>\. Now, as many of you may already know, I dabble in OneDrive forensic artifacts so when I finally got the feature in December I started to poke around. I found some pretty interesting things in the database that drives Offline Mode.

The database in question is called Microsoft.LinkSync.db. It is located in %LOCALAPPDATA%\Microsoft\OneDrive\ListSync\Business1\settings. This database contains the file metadata to help run Offline Mode. According to Microsofts own documentation,

"To accomplish this, a copy of your file metadata that powers OneDrive web app is securely stored locally on your device. These data on your device are only available to you. If someone else were to sign in on your device, these local data on the device wouldn't be available to them. We adhere to privacy guidelines outlined in the Microsoft Privacy Statement.

A secure local web server on your device handles the operations that you perform on your files, such as viewing, sorting, renaming, moving, and copying where traditionally these operations would need to be handled by the OneDrive cloud service. This results in fast and smooth interactions with your files like loading your files and folders, sorting, renaming, moving, renaming, and more. And all of these operations will continue to work even when you are offline, lose your internet connection, or run into a service disruption in the app."

I find this statement to not be true. How can this data be "securely stored" when there are no protections on the database? Microsoft.LinkSync.db is sitting there in an unecrypted state. I can grab this database and copy it to where ever I want, open it and view it. Even to another device. "these local data on the device wouldn't be available to them", I was able to access the database with an account with admin privileges and the data was available to me. Now I know you're saying but you had admin rights. True but according to Microsoft, it should not be available to me. Also, I'm not a hacker but I'm sure there are other ways to get to it. Lets take a peak at the data in this "securely stored" database that can be exfiled and read by anyone.

OCR data

In my quick look over of Microsoft.LinkSync.db, I came across a couple tables named list_<listID>_<siteID>_rows. One of them had a column named MediaServiceOCR. The data appears to be related to this feature. Nice feature, until recently, when the data is being stored locally, unsecured. Here is a small sample of the data:

But why should I be concerned. Not all of these images are stored locally, some can be online only. If someone were to start downloading images from the cloud, there would be traces in the Unified Audit Log (UAL). And if it were a lot of files, it would make some noise. So why not grab the database and not even touch OneDrive. Sound familiar (Recall)? The other issue with this is the user might not even realize that when they take a screenshot with something like Snipping tool, the default in Windows 11 is to save it to OneDrive whether they decided to save it or not. And there could be concerns about HIPAA and other regulations that need to be followed.

What other fun things can we find?

There is another table called site_<siteID>_users that, you guessed it, contains user information for your organization.

Along with all the usual things like file/folder names, paths, etc. I'm probably missing some things but again, this was a quick look.

What lead me to write this?

A couple days ago, SwiftOnSecurity posted a Tweet (yes I still call them that) that I had responded to.

This caught the attention of vx-underground. Even though they are more malware related, they like me for some reason.

It's just one poll but it looks like people don't want this data laying around unsecured. The collaboration with xv-underground lead to Smelly releasing a tool to "Tool designed to exfiltrate OneDrive Business OCR Data". In turn, I decided to release the python version of this I had been working on.

vx-underground OCRMe
Beercow OCRMe

I've done all I can to raise my concerns so I'll leave it up to the community to decide if this is truly a concern or not.

Running Autopsy Auto Ingest in Headless Mode

In this post we are going to look at running auto ingest in a headless state. This will allow the auto ingest server to be rebooted without the need for human interaction to start the auto ingest node.

Auto Ingest

Auto Ingest is a experimental feature in Autopsy. It's best used in a multi-user cluster to help automate case workloads. One thing in the documentation that didn't make sense to me was the following: "Note that if the computer running Autopsy in auto ingest mode is restarted, someone must log into it to restart Autopsy. It does not start by itself." This is not entirely true as we will see in a minute.

Turns out, there is an undocumented feature to run auto ingest as a service. I started my journey into headless mode by looking for any clues in the documentation. I was unsuccessful at this so I turned to GitHub to see if there was anything in the various commits over the years. I was able to find a commit that was briefly added and then [removed[(https://github.com/sleuthkit/autopsy/commit/a02f02b700748c0dfd72cabdcdbedeaab43a6d78) from the documentation. It stated "Note that if the computer running Autopsy in auto ingest mode is restarted and the auto ingest node is not running as a service, someone must log into it to restart Autopsy." Interesting! It seems like, at some point, auto ingest was able to run as a service. The next step was to look at the source code.

Back to GitHub to look at the auto ingest code. After searching through various files, I came across the piece I was looking for in AutoIngestControlPanel.java. There is a definition called ‎RUNNING_AS_SERVICE_PROPERTY that looks like the key to this mystery.

Putting it Together (Headless Mode)

Autopsy can be ran as a service so a user does not need to log into the auto ingest node to start it.

1. -J-Dautoingest.runningasservice=true needs to be added the the default_options in the autopsy.conf file.

   
   # options used by the launcher by default, can be overridden by explicit
   
   # command line switches
   
   default_options="--branding autopsy -J-Xms24m -J-Xmx4G -J-XX:MaxPermSize=128M -J-Xverify:none,
   -J-XX:+UseG1GC -J-XX:+UseStringDeduplication -J-Dprism.order=sw -J-Dautoingest.runningasservice=true"
   
   

2. Download NSSM. In the same folder as NSSM, create a batch file named auto_ingest_service.bat with the following content:

   
   @echo off
   
   nssm install Autopsy <PATH_TO_AUTOPSY>\Autopsy-4.20.0\bin\autopsy64.exe
   
   nssm set Autopsy DisplayName Autopsy Auto Ingest
   
   nssm set Autopsy Description Automated ingest service for Autopsy
   
   nssm set Autopsy Start SERVICE_AUTO_START
   
   nssm set Autopsy ObjectName LocalSystem
   
   nssm start Autopsy
   
   

3. From a command prompt, run auto_ingest_service.bat. If everything was successful, you should see the following output:

   C:\nssm-2.24\nssm-2.24\win64>auto_ingest_service.bat

   Service "Autopsy" installed successfully!

   Set parameter "DisplayName" for service "Autopsy".

   Set parameter "Description" for service "Autopsy".

   Set parameter "Start" for service "Autopsy".

   Reset parameter "ObjectName" for service "Autopsy" to its default.

   Autopsy: START: The operation completed successfully.

With this setup, auto ingest is now running as a service and can survive reboots without having to log into the server and starting auto ingest.

Autopsy Hardening Guide: Part 2

This is part one of a two part series on hardening an Autopsy Multi-user Cluster. The Autopsy documentation states, "A multi-user deployment must be in a private network to ensure that only authorized users can access data. Remote sites should connect to central services via a VPN." This does not mean we should not harden Autopsy further. In this series, we will go over some additional steps that can be taken to make an Autopsy Multi-user Cluster more secure. Setting Up Multi-user Cluster documentation. It is recommended to read Part 1 along with this guide.

ActiveMQ

We are going to start from the Configuring Authentication section of Install and Configure ActiveMQ. Actually, we are just going to throw it out. This is because passwords are stored in plain text. Instead, I am going to show you how to setup encrypted passwords and change the password on the web-console.

Broker Security using Simple Authentication Plugin ( Encrypted Password)

Step1: Add the following elements in conf/activemq.xml to setup Encryption method, Encryption Key, and Properties file.

  <!-- Allows us to use encrypted system properties as variables in this configuration file -->
  <bean id="environmentVariablesConfiguration" class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
    <property name="algorithm" value="PBEWithMD5AndDES" />
    <property name="passwordEnvName" value="ACTIVEMQ_ENCRYPTION_PASSWORD" />
  </bean>
                                                                     
  <bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
    <property name="config" ref="environmentVariablesConfiguration" />
  </bean>  
    
  <bean id="propertyConfigurer" class="org.jasypt.spring4.properties.EncryptablePropertyPlaceholderConfigurer">
      <constructor-arg ref="configurationEncryptor" /> 
      <property name="location" value="file:${activemq.conf}/credentials-enc.properties"/> 
  </bean> 

In the preceding command snippet, you could notice the configurationEncryptor is pointing to credentials-enc.properties.

This file should be used to pass the encrypted username and password to the ActiveMQ broker configuration. The entries in this file could be referenced into the activemq configuration file activemq.xml.

We need to pass the Secret key which is used to encrypt the password as an environment variable. We will do that in Step 5.

Next Step is to encrypt the passwords.

Step2: To add the password into credentials-enc.properties file, we must encrypt the password using ActiveMQ encrypt command.

activemq.bat encrypt --password mysecretkey --input c0mp!ex@01

where password is a secret used by the encryptor and input is the password you want to encrypt.

After encrypting all the passwords, you need to add it to the credentials-enc.properties file.

Step3: Add the encrypted passwords into credentials-enc.properties file.

activemq.username=system
activemq.password=ENC(sD3S95bFWIhMDmuKejdOl7Oea2LYkolwiPjzDtBY6Fc=)
guest.password=ENC(cNryOPepZzOgJnlcq/i+gBPgpte3Z5kIqXiwAK1yMfA=)
user.password=ENC(AbBRIYkG9/bibk6ojMeYwLgGk68fsMOAPLlAdu2CWNg=)
autopsy.password=ENC(V0Lwgh2SFXZlTSoFT4Y9pQWFYfle6T/RSUWNhN2ksQU=)

Here we have configured four usernames and its passwords

1. activemq.username and activemq.password for default system account ( this account is used by the web console to access the broker resources )
2. guest.password is for guest privileged account
3. user.password is for user privileged account
4. autopsy.password is for autopsy privileged account

Step4: Add the following Simple authentication plugin into activemq.xml file right after the <broker> tag starts

      <plugins>
        <!-- Configure authentication; Username, passwords and groups -->
        <simpleAuthenticationPlugin>
            <users>
                <authenticationUser username="system" password="${activemq.password}"
                    groups="users,admins"/>
                <authenticationUser username="user" password="${user.password}"
                    groups="users"/>
                <authenticationUser username="autopsy" password="${autopsy.password}"
                    groups="users"/>
                <authenticationUser username="guest" password="${guest.password}"
                    groups="guests"/>
            </users>
        </simpleAuthenticationPlugin>
      </plugins>

Step5: Run Active-MQ using Encrypted Passwords

To run the Active-MQ broker with encrypted password configuration, follow the following steps:

1. Set environment variable for encryption

setx \m ACTIVEMQ_ENCRYPTION_PASSWORD <secret>

2. Start the ActiveMQ service

   

3. Reset the environment variable for encryption

REG delete "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /F /V ACTIVEMQ_ENCRYPTION_PASSWORD

Secure the console by encrypting the web-console username and password

By default, web console user credentials are stored in jetty-realm.properties.

It will have a clear text username and password as shown below:

# Defines users that can access the web (console, demo, etc.)
# username: password [,rolename ...]
admin: admin, admin
user: user, user

Now we need to encrypt this password for better security. This is how you need to do that.

1. Download Jetty from https://www.eclipse.org/jetty/download.html

2. Unzip and Untar the downloaded package into the desired location on your server. Finally, you will get a directory like this
   jetty-distribution-9.4.10.v20180503 ( Version might change )

3. cd to that directory and you need to execute the encryption command

java -cp lib/jetty-util-9.4.10.v20180503.jar org.eclipse.jetty.util.security.Password adminuser admin
2018-05-22 02:48:41.398:INFO::main: Logging initialized @179ms to org.eclipse.jetty.util.log.StdErrLog
admin
OBF:1u2a1toa1w8v1tok1u30
MD5:21232f297a57a5a743894a0e4a801fc3
CRYPT:adpexzg3FUZAk

Here adminuser is the salt which is used to encrypt the password not the actual username and admin is the password.

The last line contains our encrypted password.

CRYPT:adpexzg3FUZAk

Now, Copy this password to jetty-realm.properties and replace the clear text password. Do the same with the user account.

# Defines users that can access the web (console, demo, etc.)
# username: password [,rolename ...]
admin: CRYPT:adpexzg3FUZAk, admin
user: user, user

Start/Restart your ActiveMQ instance.

Conclusion

In the second part, we secured ActiveMQ by encrypting the passwords so they are not in plain text. We also went further by encrypting and changing the password for the web-console. I hope you enjoyed these guides and they aid you in making your Autopsy Multi-user Cluster a little more secure.

Autopsy Hardening Guide: Part 1

PostgreSQL/Solr

This is part one of a two part series on hardening an Autopsy Multi-user Cluster. The Autopsy documentation states, "A multi-user deployment must be in a private network to ensure that only authorized users can access data. Remote sites should connect to central services via a VPN." This does not mean we should not harden Autopsy further. In this series, we will go over some additional steps that can be taken to make an Autopsy Multi-user Cluster more secure. Setting Up Multi-user Cluster documentation.

PostgreSQL

I am not going to dive into PosgreSQL but I do want to point out that the configuration guide does suggest setting your subnet mask rules in pg_hba.conf

# Put your actual configuration here
# ----------------------------------
#
# If you want to allow non-local connections, you need to add more
# "host" records.  In that case you will also need to make PostgreSQL
# listen on a non-local interface via the listen_addresses
# configuration parameter, or via the -i or -h command line switches.



# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     scram-sha-256
# IPv4 local connections:
host    all             all             127.0.0.1/32            scram-sha-256
# IPv6 local connections:
host    all             all             ::1/128                 scram-sha-256
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local   replication     all                                     scram-sha-256
#host    replication     all             127.0.0.1/32            scram-sha-256
#host    replication     all             ::1/128                 scram-sha-256
host	all		all		10.10.192.0/24		scram-sha-256

Solr

There are a couple of things that can be done to make Solr more secure. In the Prerequisites section in Install and Configure Solr there is a link to a pre-packaged Autopsy version of Solr. The problem is, this package has the Log4J vulnerability. We will need to update that first.

1. Download the pre-packaged Autopsy version of Solr and unzip into a directory of you choice.
2. Do the same with the latest version of solr-8.11.4.
3. Copy \bin\solr.in.cmd, \bin\nssm.exe, and the directory \server\solr from the pre-packaged Autopsy version to solr-8.11.4.

From here we can continue the setup until we get to Testing.

The Solr admin panel does not have a password. Basiclly, anyone can navigate to the the panel in a web browser and access it. To fix this, we need to create a username and password. To do this, we are going to use the Online Solr password encryption tool. In the Solr password entry, enter in the password that you want. You will notice when you type, the credentials in the the JSON example update.

We will create a file called security.json with the following contents. Copy the credentials line from the online tool and replace the credentials line in security.json. Notice I also changed the user name from the default solr to solrautopsy.

{
"authentication":{ 
   "blockUnknown": false, 
   "class":"solr.BasicAuthPlugin",
   "credentials":{"solrautopsy":"FK9YcX8lIJtMgBibl2OlHhIxG3pChPOdeNQCARn0zHo= c3hxODdydmQ0YmJtaHVuMw=="}, 
   "realm":"My Solr users", 
   "forwardCredentials": false
   "":{"v":0}
},
"authorization":{
   "class":"solr.RuleBasedAuthorizationPlugin",
   "permissions":[{"name":"core-admin-read",
      "role":"admin"}], 
   "user-role":{"solr":"admin"} 
}}

Next we need to update Solr with the following command:

cd <Solr_path>\server\scripts\cloud-scripts
zkcli.bat -zkhost localhost:9983 -cmd putfile /security.json <path_to_security.json>

Restart the Solr service and continue on to Testing

Conclusion

In the first post, we updated postgreSQL configuration to only allow connections from certain subnets. We also removed the Log4J vulnerability and made Solr more secure by changing the admin panel username and adding a password. In the next post, we will look at ActiveMQ.

OneDrive Evolution Update

 OneDrive Evolution has been updated to v24.235.1121.0001. OneDrive Evolution now holds data on 549 version of OneDrive. You can find the lates information at OneDrive Evolution.