Thursday, November 21, 2024

What Is Lyman

Lyman’s purpose is to aid in the creation of .cstruct files. These files help to parse OneDrive logs into their components which can lead to better log decryption. By focusing on the data rather than trying to learn how to construct these files, it becomes easier to extract data that otherwise might be missed or misinterpreted.

But what does that mean?

By the nature of the way ODL files are parsed, they don't always decrypt properly. This is because the parameters of the log are extracted using a regex looking for ASCII characters. The example below shows a parameter that is not being decrypted. This is due to the regex including an E at the end of the parameter when it should not be included.

How does Lyman help?

OneDriveExplorer has a lesser known feature that can aid in handling issues such as this through the use of cstruct "mapping" files. The downside to this is you need to know the ODL file structure, find what you're looking for and figure out how to write one of these files. This is where Lyman comes in. Let's walk through our log entry and get it to parse properly.

First thing we'll do is launch Lyman. You should see a screen like the one below.

Next we want to click ...

And select the log file we want to look at.
The next steps are used to find the log entry in question. As a note, the first match will populate, so it may not be the exact entry you were looking at. This involves selecting the Code_File, Function, and the Flags.
Then finally we can select search.
With any luck, there should be data populated in Lyman.

To begin, click the add button twice and set the dropdowns to int32 and char. In the entry boxes put size1 and data1[size1] and click the green check mark.
The parsed data will populate in the right pane.

We will continue this process until all the data is parsed.
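To make the two parsing strategies concrete, here is an added Python example (not Lyman's or OneDriveExplorer's own code) that contrasts the printable-ASCII regex described at the start of this post with a length-prefixed layout of the kind built above (int32 size1 followed by char data1[size1]). The sample bytes, the trailing flags1 field, the little-endian int32 assumption and the field-table shape are all constructed for illustration; the real ODL record layout is not shown on this page.

```python
import re
import struct

# Constructed sample (not a real ODL capture): int32 size1 = 5, five bytes of
# data1, then a following int32 whose low byte is 0x45 ('E'). Little-endian
# int32 is an assumption for this example.
SAMPLE = struct.pack("<i", 5) + b"hello" + struct.pack("<i", 0x45)

# The heuristic described above: grab the longest run of printable ASCII.
# It has no way to know where data1 ends, so it swallows the 'E' of the next
# field, which is the mis-decoding the post describes.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{2,}")


def regex_extract(buf: bytes) -> str:
    m = ASCII_RUN.search(buf)
    return m.group(0).decode("ascii") if m else ""


# Field table in the shape Lyman's form builds, one entry per row:
# (type, name, length). length is None for a scalar, an int for a fixed-size
# array, or the name of an earlier int32 field for a variable-length one.
# The flags1 row is an assumed extra field added to show the boundary.
FIELDS = [
    ("int32", "size1", None),
    ("char", "data1", "size1"),
    ("int32", "flags1", None),
]


def parse_fields(buf: bytes, fields, offset: int = 0):
    """Parse buf according to fields; returns (values, next_offset).

    Raises ValueError rather than reading past the end of the buffer, which
    is what a corrupt or mis-located size field would otherwise cause.
    """
    values = {}
    for ftype, name, length in fields:
        if ftype == "int32":
            if offset + 4 > len(buf):
                raise ValueError(f"buffer truncated before {name}")
            (values[name],) = struct.unpack_from("<i", buf, offset)
            offset += 4
        elif ftype == "char":
            n = values[length] if isinstance(length, str) else length
            if n is None or n < 0 or offset + n > len(buf):
                raise ValueError(f"invalid length {n!r} for {name}")
            values[name] = buf[offset:offset + n].decode("ascii", errors="replace")
            offset += n
        else:
            raise ValueError(f"unsupported type {ftype}")
    return values, offset


def to_cstruct(struct_name: str, fields) -> str:
    """Render the table as a C-style declaration. This is the general
    cstruct-style syntax; the exact file layout ODE expects is not shown here."""
    lines = [f"struct {struct_name} {{"]
    for ftype, name, length in fields:
        suffix = "" if length is None else f"[{length}]"
        lines.append(f"    {ftype} {name}{suffix};")
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    print("regex  :", regex_extract(SAMPLE))            # helloE (wrong)
    print("cstruct:", parse_fields(SAMPLE, FIELDS)[0])  # data1 == 'hello'
    print(to_cstruct("log_param", FIELDS))
```

The difference is that the regex answers "where do the printable bytes stop?" while the struct answers "how long did the writer say this field is?"; only the second matches how the log was written, which is why the size1/data1[size1] pair decodes the parameter cleanly.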

Fill out the rest of the form, then select File -> Export cstruct.
This will create the cstruct file in the directory Lyman was run from. Copy this file into OneDriveExplorer's cstructs folder.
Now when we run OneDriveExplorer again, the log entry will decrypt properly.

Conclusion

This is where Lyman becomes invaluable. Lyman manages all these complexities, allowing users to focus on finding data rather than deciphering the intricacies of the log file format. By using Lyman, a more robust solution for parsing OneDrive logs can be developed, contributing back to the ODEFiles repository Beercow/ODEFiles (github.com).

Lyman can be downloaded from (github.com)

Thursday, September 5, 2024

Cracking OneDrive's Personal Vault

Sometimes in digital forensics there is a need to gain access to encrypted data sources. This can come in many forms including zip files, TrueCrypt/VeraCrypt, KeePass and BitLocker. OneDrive's Personal Vault is no exception. It is important to gain access to these encrypted containers because they can contain information that is important to our investigation.

What is Personal Vault?

According to Microsoft, "Personal Vault is a protected area in OneDrive where you can store your most important or sensitive files and photos without sacrificing the convenience of anywhere access." Personal Vault adds an extra layer of security by using Two-Factor Authentication (2FA). When accessed from the Windows client, Personal Vault is stored on the system in a BitLocker encrypted vhdx. It should be noted that Personal Vault is only available for OneDrive Personal.

Digging Deeper

What had caught my eye was that Microsoft is storing the data on a Windows device in a BitLocker encrypted vhdx. So where is this file located? The vhdx file is stored in a hidden folder at the root of the system drive. c:\OneDriveTemp\<SID>\<GUID>.vhdx

So now that we found the vhdx file, what can we do with it? We know it's protected by BitLocker so let's see what we can find out. The first thing I did was mount the vhdx and assign it a drive letter. This way, I could work with manage-bde to find out more information about the disk.

Now we can open up an administrative command prompt and start investigating the drive. The first command I used was manage-bde -status. This command provides information about BitLocker-capable volumes. This is the information for our Personal Vault.

Volume F: [Label Unknown]
[Data Volume]

    Size:                 Unknown GB
    BitLocker Version:    2.0
    Conversion Status:    Unknown
    Percentage Encrypted: Unknown%
    Encryption Method:    XTS-AES 128
    Protection Status:    Unknown
    Lock Status:          Locked
    Identification Field: Unknown
    Automatic Unlock:     Disabled
    Key Protectors:
        External Key

Interesting! So, it appears the volume is protected by an external key. Let's take a closer look at this with the following command manage-bde -protectors -get f:. And our results look like this:

BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume F: [Label Unknown]
All Key Protectors

   External Key:
     ID: {08F750D7-0483-4F0E-847B-174119BD2896}
     External Key File Name:
       08F750D7-0483-4F0E-847B-174119BD2896.BEK

Let's see if we can get this external key.

manage-bde -protectors -get f: -sek d:\Projects\PersonalVaultBEK
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

ERROR: The operation cannot be performed because the volume is locked.

Seems we hit a roadblock. We cannot save the key because the volume is locked.

Looking at it from an Unlocked Perspective

The next thing we will try is to unassign the drive letter, dismount and unlock the Personal Vault with OneDrive.

So now the Personal Vault is unlocked. What's interesting is that there is not a drive letter associated with the Personal Vault. Inside our OneDrive folder, there is a Personal Vault.lnk file. When the vault is locked, double clicking it will run through the steps of unlocking the vault. After the vault is unlocked, double clicking it will bring us to the vault. We'll take a look at the lnk file to see how the vhdx is being referenced.

Here is the output from LECmd.

The lnk file is pointing to a Personal Vault folder in my OneDrive. When I ran a directory listing this folder was not present. This is because the folder is hidden. If we run dir again, looking for hidden files/folders, we can see that the folder is actually a junction.

Next thing we'll do is go to an administrative command prompt and assign the volume a letter so we can look at it with manage-bde again.

Let's run manage-bde -status and see what we have. And here is the information returned for our Personal Vault.

Volume E: [OneDrive Personal Vault]
[Data Volume]

    Size:                 1024.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Automatic Unlock:     Disabled
    Key Protectors:
        External Key

So far so good! Let's run manage-bde -protectors -get e: to list the protectors.

BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume E: [OneDrive Personal Vault]
All Key Protectors

    External Key:
      ID: {08F750D7-0483-4F0E-847B-174119BD2896}
      External Key File Name:
        08F750D7-0483-4F0E-847B-174119BD2896.BEK

We see the same external key again. Let's see if we can save the key this time.

manage-bde -protectors -get e: -sek d:\Projects\PersonalVaultBEK
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume E: [OneDrive Personal Vault]
All Key Protectors

    External Key:
      ID: {08F750D7-0483-4F0E-847B-174119BD2896}
      External Key File Name:
        08F750D7-0483-4F0E-847B-174119BD2896.BEK

    Saved to directory d:\Projects\PersonalVaultBEK

Success! The BEK file is created as a hidden file. We'll do a quick directory listing to confirm it is there.

Using The BEK File to Gain Access

Now we will test if the BEK file will unlock the Personal Vault vhdx. Again, we will mount the vhdx by double clicking on it and assigning a drive letter. If we double click the drive, we will be prompted to "Load key from USB drive".

We'll open a command prompt again and use manage-bde to unlock the drive with the key we saved.

And with that, the vault is unlocked and we can see the contents.
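As an added example (not the post's own script and not part of OneDriveExplorer), here is Python that parses the manage-bde output shown above and decides whether a BEK export with -sek is worth attempting, which is exactly the check that failed on the locked F: volume. The sample text is copied from the outputs printed in this post, trimmed to the lines the parser uses; nothing is executed against a live system.

```python
import re

# manage-bde -status output for the locked and unlocked vault (copied from
# the post above, trimmed to the lines this parser uses).
STATUS_LOCKED = """\
Volume F: [Label Unknown]
[Data Volume]

    Size:                 Unknown GB
    BitLocker Version:    2.0
    Encryption Method:    XTS-AES 128
    Protection Status:    Unknown
    Lock Status:          Locked
    Automatic Unlock:     Disabled
    Key Protectors:
        External Key
"""

STATUS_UNLOCKED = """\
Volume E: [OneDrive Personal Vault]
[Data Volume]

    Size:                 1024.00 GB
    BitLocker Version:    2.0
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Automatic Unlock:     Disabled
    Key Protectors:
        External Key
"""

# manage-bde -protectors -get output (also copied from the post).
PROTECTORS = """\
Volume E: [OneDrive Personal Vault]
All Key Protectors

    External Key:
      ID: {08F750D7-0483-4F0E-847B-174119BD2896}
      External Key File Name:
        08F750D7-0483-4F0E-847B-174119BD2896.BEK
"""


def parse_status(text):
    """Turn 'Key: value' lines into a dict; protector names go in a list."""
    info = {"protectors": []}
    in_protectors = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):   # skip blanks and [Data Volume]
            continue
        if in_protectors and ":" not in line:  # indented protector names
            info["protectors"].append(line)
            continue
        in_protectors = False
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Key Protectors":
            in_protectors = True
        else:
            info[key] = value
    return info


GUID_RE = re.compile(r"ID:\s*(\{[0-9A-Fa-f-]{36}\})")
BEK_RE = re.compile(r"\b([0-9A-Fa-f-]{36}\.BEK)\b")


def parse_protectors(text):
    """Collect protector GUIDs and external key file names from -get output."""
    return {"ids": GUID_RE.findall(text), "bek_files": BEK_RE.findall(text)}


def bek_export_possible(status):
    """Mirror the condition observed above: -sek only succeeds on an unlocked
    volume that actually carries an External Key protector."""
    if status.get("Lock Status") != "Unlocked":
        return False, "volume is locked; unlock it through OneDrive first"
    if "External Key" not in status["protectors"]:
        return False, "no External Key protector to export"
    return True, "ok"


if __name__ == "__main__":
    for label, text in (("F:", STATUS_LOCKED), ("E:", STATUS_UNLOCKED)):
        ok, why = bek_export_possible(parse_status(text))
        print(label, "export possible" if ok else "skip", "-", why)
    print(parse_protectors(PROTECTORS))
```

Running the status check first is what lets an automation script fail cleanly on a locked vault instead of producing the "volume is locked" error after the fact, and recording the protector GUID alongside the saved BEK file keeps the key tied to the vhdx it belongs to in your case notes.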

Conclusion

There is a way to get the encryption key for OneDrive's Personal Vault, but certain criteria need to be met: we have to have administrative access and the vault has to be unlocked. It may not be ideal, but it is the best method I have come up with so far. There is also a script you can download to automate the process of saving the key. That script can be found here.

Friday, March 22, 2024

OneDriveExplorer v2024.03.22 released

This version of OneDriveExplorer (ODE) is a major update with quite a few GUI and data processing improvements. The first thing you will notice is that ODE now has a breadcrumb viewer as another navigation option. You can now double-click the folders in the center pane to open that folder.
The CStructs pane has also been cleaned up for a more consistent look between themes.
Along with GUI updates, there are new data sources that have been added to bring more relevant information to your investigations. 

od_GraphMetadata_Records

ODE now includes data from the od_GraphMetadata_Records table. The od_GraphMetadata_Records table resides in the SyncEngineDatabase.db. One of the features of this table is that it stores information on who created and who modified the file last.


od_GraphMetadata_Records also can have information on video/image files such as audio format, bit rate, height and width.


If file policies are applied, ODE can populate them from the od_GraphMetadata_Records table.
od_HydrationData

The od_HydrationData table has been present in SyncEngineDatabase.db since version 21 of the schema. It records the first time a file is downloaded (hydrated) from the cloud to the device. I performed some tests to see what would cause this table to populate. The following was observed.

  • The table is populated the first time a file is hydrated (opened) while its status is Available when online.
  • The entry is not removed from the table when Free up space is performed.
  • Always keep on this device does not populate the table.
    • If the status is Always keep on this device, opening the file does not populate the table.

The hydration time can be found in the Details pane.
filter_delete_info

The filter_delete_info table resides in SafeDelete.db. I am not entirely sure what causes this table to populate, but it appears to be when an application is responsible for deleting files rather than the user deleting them directly. One thing to note is that the table records which process was responsible for deleting the file. This information can be found in the Deleted items in ODE.

Another thing that was added: when adding the system recycle bin, ODE combines data points together to eliminate double entries and also indicates which files are still available on the system.
Personal Vault log decryption

Added to ODE is the ability to decode personal vault logs. This gives us more insight into what is happening with the files inside the vault. One thing to note: if the vault is open, ODE can see the files inside. As an example, here is what data we get from the logs without decrypting the personal vault logs. ODE was able to correlate 188 logs to the user's personal vault.
In order to decrypt the vault logs, we need to issue the following command.

OneDrive.exe /outputkeystorevault

This command outputs the vault key to the EncryptionKeyStoreCopy folder.
With the vault.keystore file, ODE can decrypt any of the logs that pertain to the personal vault. ODE now displays 203 correlated logs for the personal vault.

The latest version of OneDriveExplorer can be found here.