The Implications of Office 365 in Digital Forensics and eDiscovery – part 1

A couple of years ago Microsoft began to embrace cloud technology and launched Office 365 for Business, in direct competition with solutions being developed by Google and others. This was followed more recently with a home user edition: Office 365 Home Premium. The Office 365 suite is an evolution of the standard Office package and introduces, amongst other things, a cloud-based aspect called SkyDrive, which allows for greater online collaboration on documents. In the first of two posts, we will look at how Office 365 works, and provide an overview of the forensic artefacts that may be retrieved.

Users must have a registered Microsoft Account in order to download Office 365, which comes bundled with SkyDrive and the Office 2013 Upload Center. By default, all three applications are installed, and a SkyDrive folder is created for the user’s account at ~\Users\Username\SkyDrive.

When setting up SkyDrive on a new PC, the user has two main setup options. They can either use the default express settings, which will download any files currently associated with that account, or they can customise the setup and sync specific files and folders with the PC. They can also specify a different location for the SkyDrive folder.

The Windows Registry holds some useful Office 365 and SkyDrive configuration data. We can verify that Office 365 is installed, and determine the version in use by examining the following keyHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.0\ClickToRun\propertyBag\productreleaseid. The value generated for this key in a typical Office 365 Home Premium setup is “O365HomePremRetail”, and it is expected that a similar naming convention will be used to represent other licensing models.

Each Microsoft account grants the user five Office 365 licences, which are managed online. Each licensed PC is given a unique identifier that is listed online and can be matched to a value in the registry, located atHKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Registration. This ID is actually the name that the user has given the computer (for example, WIN-UJMBC6MS5HB).

 The PC ID can also be retrieved from the SkyDrive system folder at C:\Users\Username\AppData\Local\Microsoft\SkyDrive\setup\logs. This folder contains one or more text files, which store the event logs for all synchronisation events and application updates, however only the logs that reference when SkyDrive was installed or updated will contain the PC ID. The line in the log containing the ID can be found relatively easily by searching for “X-Computer”.

Further information can be gleaned from the SkyDrive settings folder located at C:\Users\Username\AppData\Local\Microsoft\SkyDrive\settings. First, there is a text file which is named using a GUID (e,g. 130cf147b5dzxd4c), which is assigned to the SkyDrive account, and also forms part of the URL when the user logs in through a web browser.

The aforementioned settings file contains significant data about the SkyDrive account, including what Microsoft call the last ‘refresh’ time (i.e. the last time the account synchronised with the cloud server), the number of sync requests sent to the online server since Office 365 was installed, and the total bytes transferred. The last refresh time is also found as a Windows 64-bit little endian file time in the registry hive underHKEY_CURRENT_USER\Software\Microsoft\SkyDrive.

Uploads and downloads of Office 365 files to and from the SkyDrive account are managed by the Office 2013 Upload Center. When a new file is created using an Office 365 application, the user can either save only locally, or to their SkyDrive folder, which creates a local copy and a cloud copy. The latter creates a local version in the user’s SkyDrive folder, but also allows the Upload Center to sync the file with the cloud server. Providing the PC is online and uploads have not been paused, this sync happens almost instantaneously. Otherwise, the file is queued for upload to the cloud at the next opportunity.

While the file is only being accessed from one PC, the created, modified and accessed times behave like a normal Office file. However, if the file is accessed from another PC linked to the SkyDrive account, then there are slight differences. Firstly, the created date on the second PC is that of when the file was first uploaded to the cloud server. This is not necessarily the same as when it first came into existence on the original PC, or when it was downloaded to the additional PC. This is demonstrated in figure 1 below, which shows the created time differences for the same file on two PCs. Although in this example the difference is relatively small, if SkyDrive wasn’t synced as regularly the difference could be much bigger.

With respect to the modified date stamps, a direct comparison of between the first and second PC after synchronisation shows that this information stays the same during the sync, rather than reflecting the fact that the file has been downloaded to another PC. However, the last accessed time is updated as a result of this event and, in the example below, the accessed date on PC 2 actually reflects the time the file was downloaded from SkyDrive (although this may not always be the case).

Figure 1: A file created on PC 1 (left) and the same file on PC 2 with new created and accessed times (right).

Once synchronised, the file times then behave much as they would on an offline system. When a change is made and the file is saved, the modified and accessed times update on the local PC and, as long as synching takes place regularly, are also updated with the cloud account, so that this metadata is the same for all versions of the file on PCs associated with the account.

It is clear that Office 365 adds an extra dimension to the collection of Microsoft Office documents. While imaging a PC will capture any documents synced with SkyDrive, there may be further files sitting in the cloud that have never touched that particular device. Furthermore, the time and date information is not as reliable, and behaves differently to a standard Office document. As a result, considerable discrepancies could arise if they are not synced regularly.

Keep an eye out for part 2 of this Office 365 series, which will look at the back end that powers Office 365, and the extra information that can be uncovered from it.

Source: http://www.millnet-consulting.com/2013/05/27/office365-in-forensics-ed-1/#more-1047