A Planned Methodology for Forensically Sound IR in Office 365 - SANS DFIR Summit 2018

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
(crescendoing music) (loud boom) (loud zoom) (applause) - Without further ado, Office 365 Forensics, the forensically sound approach. and at the end of the day, you know, the transition from on-prem exchange servers to doing forensics, in Microsoft's playground on their servers, and then in their back-end data infrastructures has presented interesting forensic challenges. There's no longer am I able to put hands on the original, you know, the old traditional IS logs. Now we're kind of working off of logs filtered by Microsoft and put into certain areas of Office 365. We now have to interpret and figure out what is the causality, with what creates these entries, and what can I then learn from these logs to figure out an actor that has gained unauthorized access, usually through business email compromise, or through password spray attacks, to get into an account and now what data is it risk of being accessed by an authorized third party. So where do we go first? For those of you that have done forensics in Office 365 the most important place you want to go is under security and compliance, and there is something called the unified audit log. And the unified audit log is Microsoft's dump of several data sources into one location. And what you have produced from that is this unified audit log that allows you to pull auditable events, that Microsoft has kind of again hand chosen for us, to dump into one log that you can break down by users. So you'd go to search investigation, you'll go to audit log search, and then you'd be greeted with an interesting window, which we'll get to in a minute, to actually search through. There's some caveats. Some very important friends of caveats to the unified audit log that if you're not aware of you should be. Logouts are not captured. So if I'm a bad guy and I've logged into an email account, one of the questions I often get asked by law firms or clients, "How long was the bad guy in our system/email account?" Logouts aren't captured and there's, of course, a bunch of technical reasons for that. One of which is, you know, if I close the web browser by not clicking the logout button, I just clicked the "X", close my session, Microsoft probably could log the latency or could probably log that my sessions terminated. At the end of the day, they just don't. So I have a login event. I have no logout event. Was he in there for hours? Was he in there for days? Messages. Specific viewed messages within an email account are not logged in the unified audit log. So if I'm a bad guy and I'm in an email account, and I've logged in with username and password, and I'm viewing emails in your email account, the viewed message themselves are not captured in the unified audit log. Search terms being run. Again, not actually captured there. Was an attachment viewed? For a lot of the investigations that my team does we're often asked, you know, the body of the emails, not the important part. It doesn't have the PII or the PHI, the HIPAA data. It's the attachment. It's Excel spreadsheet that contains 10,000 user records with social security number, date of birth, etc. Was that attachment viewed? Unified audit log doesn't tell me. So usually I take the position that if I know that, that guy was in the account based on the unified audit log, likely the contents of that account are at least at risk. Those are the limitations that Microsoft has kind of strapped us with from this one data source. Like the session, I already spoke about. This is the one thing. This is the nightmare that you never, ever want to see an instant responder. If you've logged into a client's Office 365 tenant and that is that the audit log is not turned on because now you have a significant issue. I have now lost one of my primary forensic data sets to help tell you, the client, what the actor did when he was in your email account. By default, this is not on. So any time that we get engaged one of the first things we usually do is ask the client, "Do you know if you have unified audit logging turned on?" And for about a quarter of our clients they have no idea what we're talking about. For about another percentage of our clients, they're like, "Yes and we just turned it on when we found out about this event so it's now capturing data." Great, that doesn't help me for the last 30 days. Or, you know, you have a proactive IT group and they're like, "Yes. That was turned on. We have logged data." Excellent. If not though, you're greeted with this screen where you then have to turn it on. Takes about 24 or so hours. A little hard to see on the screen. I apologize. Bottom left there though is says, "Because you started recording user and admin activities within the past 24 hours some activities may not show up." And depending on the size of the tenant and depending, what I mean by that is, depending on the amount of users in the tenant based on the licensing, sometimes it will take 24 hours before logged data starts getting streamed and pulled into that. If it's a smaller tenant and it's on one of Microsoft's newer servers, or it's been a more recently subscribed tenant, usually it's within hours we can start seeing data. May not be complete but you'll start actually seeing data populate in there. So what's one of the first things you need to do as an instant responder? And it's establish a global admin account. Now Microsoft's got an interesting tier to the user accounts and you can be a global admin, you can be normal user, or you can be a member of one of many user, kind of levels. If you have a global admin think of it as domain admin. It is your power user within the tenant but even as a global admin I still do not have 100% capabilities across the tenant. I still need to be assigned roles and we'll talk about that in a couple minutes. There's a roll particularly you need if you want actually download PSTs or search the results of a content search. Know your environment. This is probably one of the more important slides. If have not done Office 365 Forensics these are the areas, the first three are the areas within O365 where you will be focused the most on. http://protection.office.com gets you to the security compliance portal. Which allows you to access unified audit log and it allows you to access the content search. Which allows you to do searches within user accounts for particular messages and generate PSTs that you can download and do offline forensics on. The O365 admin center is where you can look up users and I've been engaged on intrusion investigations where we've been told by the client, we know there was phising emails being sent out from this one particular user, or there was something fishy going on with this account and emails were being deleted or marked as read, and I go in here and the client had deleted the account and created the user another account. Well as soon as they did that they break the linkage within Office 365 to the unified audit log for that user. You could try searching for that user you will not find any logs. You've about a 30-day window to restore that account. The restoration will relink the logs for you and you'll be able to rerun a search query within the unified audit log. To the admin center is where you will spend a lot of your time if you're looking up particular users. If you wanna see what their titles are, you wanna see how they're configured within the tenant, what licensing is assigned to them, it gives you, I kind of, I kind of equate it to metadata about the user and it may help you with your investigation. Windows Azure. So for those of you that know Azure and the environment, it's kind of, I would kind of equate it to Amazon AWS, you know, at the end of the day you can spin up servers but it also by default, depending on the licensing level of your tenant, has active directory resources in it and we're gonna talk about some of the forensic artifacts that are relevant there to Office 365 and email accounts specifically. And then the last one, Windows Powershell. I don't know Nathan personally. I've gotten to talk to him over email a couple times. Really good guy. He wrote a tool called Pshell for 0365 and you can Google it and find it off a, there's a third-party website that posts his article and the tool. What's great about the tool is that it has bundled with it all the dependencies in the Powershell command list for all of Office 365. Azure, OneDrive, SharePoint, all of those are pre bundles when you run his installer. You have all of the commandlets loaded on your local system so that you can actually enter, if you need to, into Powershell and I have some Powershell queries I'll show you in a bit where by default loggin' in from a normal Windows stock machine you're not able to run those commandlets without this. I'm not gonna to spend too much time on this. As most of us is seasoned investigators we understand if there's something wrong within an account we need to identify which accounts at risk and usually with a typical business email compromised life cycle usually someone is found out about it because of either A, you know, admitted, "Hey I found a, I had a weird link and it was for a document, or it was for an invoice, and I had to go, and it asked me to log in my credentials." And of course, you're going (face palm) and they've kind of self-admitted. Or all the sudden you have a report that a user's email account was sending out messages asking for something. And it's like hundreds of messages going out. That's a clue. So you usually know it, those of us that do this, which email account needs to actually be investigated and now we have our accounts we're gonna pivot off of for the evidence. So we're exploring the log. The unified audit log. This is the screen I was mentioning. So when you go to search and compliance, and you go specifically to that, it loads this screen, allows you to run a search of a particular user, or users you can do multiple, at the end of the day it's, you know, depending what tool you're using, Splunk, or Excel, or, you know, whatever tool you might prefer. It may be helpful to download one log per user and try to separate those events. I've seen users and instant responders that will try to load up, you know, 15 email addresses into this box and you get a really large file and they're all meshed together. Again, you know, it depends on, I guess, your preference for analysis. I like running it and getting the individual log file so I can kind of see what happened and then I'll merge em together based on what's relevant. Cuz again, if you're doing an instant response investigation for actor activity most likely you're also going to see legitimate account activity. So now you have to try to correlate yourself as the instant responder, what's bad, what's good? You know, the good guy in his account using Outlook. Bad guy in the account using a web browser. And then I need to separate that out. And it becomes a little more convoluted if you're running, you know, 15 something users all through this search screen. By default, once loggings, of course, turned on, I have seen logs available for 30 days, up to 90 days, and I've seen some larger tenants available for about 6 months worth of data. There is a Powershell query. You can change the default setting up to I believe the 180-day mark. I do not believe you can exceed that. Like, so I've never seen any documentation and when I've tried via Powershell to exceed that I usually get an error message. I do know that Microsoft can exceed that number. I was dealing with one client who had two years of unified audit log data. Which blew my mind. It was an immense amount of data and we were just amazed because when you bring up the calendar, I don't think I have a slide, when you bring up the calendar it actually shows you a color-coded dates for what days have logs available and I just kept going back and back and I'm like surely there's something wrong and I pulled a log from like 2 years prior that actually had data in it. Found out they had, had a prior issue. They had reached out to Microsoft and Microsoft kind of flipped the magic switch and gave them longer retention data. So Microsoft humor. I have found significant issues with trying to run this search engine, if you will and typing in users if you are using Chrome or Firefox. In fact, when I have tried with those browsers, even with the newer versions, you start typing in there, the cursor actually disappears and keeps you from typing. It's a really weird bug. But of course, Microsoft's browsers work just perfectly. So again, I'm not sure if that's just something odd with my testing or if that's a Microsoft joke to try to prevent or force people to use their browsers. One requirement, I mentioned the content search, and I think I mentioned it twice so far. The content search allows you to download PSTs for users so that you can do offline forensics. That export tool that Microsoft has created requires a Microsoft based browser. The little plug-in that loads, I've not had any success with it loading in a non-Microsoft browser. And as your AD, which we'll talk about in a bit, same functionality, some of the search fields and the search boxes, some of the sliders, it just it will not render as well unless you're using Edge or IE 11. Under the search window that we were talkin' about a couple screens ago, in the top right-hand corner is where you download the results of your search. I'm gonna go back for just a quick minute here. This may be easier said than done cuz I forgot how many slides it was back. This might have been a bad idea. Sorry about that. I thought I had a screen a couple back that actually showed the results a little but better. Bear with me as I get back. Okay. In the top right-hand corner though is where you'll export. Now, interesting nuance here, save loaded results versus download all results. Kind of self-explanatory, but for those of you that may not have done this before, save loaded results will only download a JSON dump of what's loaded on the screen and by default, it's loading about one screen worth of data. As you scroll down it keeps loading more and more data into the browser. If you only do save loaded it will only save out what is loaded on the screen versus download all results which will dump everything responsive to the query you've executed. I have a little bit of a joke there that with the Microsoft Excel. This data if JSON and it does not render super well in Excel but I'll talk about that in a minute. So I made a chart for all of the operators or the auditable events that are captured as well as their default status by Microsoft, the unified audit log. It's a couple interesting ones here. A message being copied to another folder. That action is an audible event but it is not on by default if you are a delegate or if you are the account owner. So if I have an email account in Office 365 and I copy a message that is not an auditable event. If I'm an admin level user it is. Folder bind and message bind. Now, these are two are very interesting ones. So folder bind. A mailbox folder being accessed. Well, that can be extremely useful to an instant responder, right? If a bad guys been in one of my users' email accounts be extremely useful to know if a bad guy was traversing down through folder structures. Did he stay in my inbox or did he go to my doctor's folder with his rounding list where he's been keeping my pick up patient PII and PHI for going back for years? Did he ever access that folder cuz that changes a forensic finding of years worth of notifications now for the client? Or bad guy was only looking for invoice data in the inbox. Not auditable for typical owner accounts. It cannot be configured. It cannot be turned on. When you try it in Powershell to force that operator to be logged you'll get an error response back. So message find being even more important. Message being viewed in the preview pane or opened. Now this is speaking to if I log in whether as a legit user or a bad guy into http://office365.com and I'm looking at an email account via the web browser and I'm clicking down through messages, or objects is how Microsoft refers to it in their nomenclature, all of the objects that are being viewed. If you are normal owner or a delegate the clicking of those messages is not captured in the unified audit log. If you're an admin, interestingly enough, I have seen where it sometimes is and sometimes is not. Regardless of it being on or off. No explanation for that. So the Powershell query to force on certain operators that are not on by default is here. And, of course, then you can comma separate the values or the operators that you want to turn. By default, Microsoft does not have all of the operators on. Well, as we already discussed, by default the loggings not even on and then once you've turned it on only a certain amount of operators are logged by default. So now you actually can go in yourself and turn on additional ones if they're supported. So now we're into the analysis of the unified audit log. Again it's JSON data. It's a little ugly to look at in Excel but just for ease I brought it up here and it's this kind of a sanitized one so apologies for the big black boxes but at the end of the day you have four main columns that you'll see in Excel when you open this up. Creation date and time, the user IDs of the user accounts you've export, and then the operations or the operators. These are the auditable events recorded down to the unified audit log. User logged in. Files being accessed. The files being accessed and files being viewed is actually very interesting cuz that speaks specifically to OneDrive and SharePoint activity. Now a lot of the business email compromise cases I've worked over the years typically the actors are getting in, they're looking at messages. We have seen a percentage of our cases though where the actors will actually host the file they're gonna use for phising on the compromised accounts OneDrive or in their SharePoint and you can actually see that activity and it timelines out very well out of the unified audit log. So again that's just kind of the highlight of the actual operators and how they correlate and then the data that's in that JSON blob to the to the right on that last screen those are kind of the more granular effects I have another screenshot of that but the mailbox login is one of the most important if you're trying to pivot around actor timelines and their activity within an account. It's not as simple though as just looking for just one operator to identify when a user logged in. Microsoft has several. In fact, this isn't even a complete list. I think there's eight. But these are the six that I see the most in the investigations that I've done. User logged in is the most basic. That is the easiest one to search for or grep for. But the other ones that are here depending on the client's mail environment, the way they've got it set up, you may see all of these other types of logins to capture a username and password and an authentication event into the Office 365 account. Now for the most part user logged in is the default. If a bad guys logged in via http://office365.com via web browser this is the one you'll see the most common but depending on if the clients using some type of an ADFS or a hybrid environment where they still have exchange on-prem maybe they haven't migrated all their users into Office 365 or they're hosting locally but they're using a licensing in Office 365. A lot of those factors can affect the way Microsoft sees the authentication into their infrastructure. Hence the different operators that make capture a login event. So you'd be remiss if when you load that data you're only looking for user logged in. You may miss other types of login events. So here's that JSON blob I was talking about and these are kind of the most important aspects of that. The creation time. What is the actual operator that you're caring about? The user logged in for this, for the purposes of this example, the IP address. Where is that person logging in from as far as an IP? The extended properties. The user agent. This is fantastic for base lining a user's account. You know, most the times when my team is brought in we don't know the user's environment, the clients' environment, as well as the client's IT team so I don't know what a normal user may be using at their system. Are they using the most recent version of Outlook? Are they a remote user? Are they using a browser when they're traveling? So I can go in here we can pull this data out and I can baseline an accounts activity. Now, what are my outliers? IP addresses are always geo-locating to this one part of the United States. That's right where the headquarters is for this client. I'll listen, I've got a login that's a significant outlier and it's coming from a different part of the world. Now I have something to pivot off of. Very quickly. Very easily. Same thing for the user agent string though. Am I only ever seeing Outlook as the normal baseline activity for this client? And all of the sudden I see a web browser and it's some odd version of Opera. That's an outlier and now I can pivot off of that. And of course the result status detail. Value success. I don't care about value fails and you'll see a lot of failures when you're doing these types of logs. Filter em all out. I mean at the end of the day it may help give you some information, then you know, is someone beating on the door, someone trying passwords, but at the end of the day, I care about success and if there was an unauthorized access I don't normally care. I care about the success and this is where you would be able to go and pull that. Three more operators that are significantly important, add mailbox permission, add recipient permission, and set mailbox. Set mailbox is the forensic artifact that is laid down in the log when a change to the account has occurred. So the point in time via Powershell, via the interface. If I have changed a setting within the users Office 365 account there will be a set mailbox operator that records the moment in time that the changes have now taken effect on the account. This is a great one to pivot off of. Now I can just sort by set mailbox cuz typically most users aren't changing core settings in their account. If I'm looking in accounts I'm looking for settings like an auto-forwarding rule being created. I can very quickly filter by this and now I start to see the outliers. But the add mailbox permission and recipient permission is significant because if you have had a global admin account popped and that bad guy has been able to leverage that account to log in, so just say Devon Ackerman is the global admin, his account gets popped, and now he's that account is logging in and being set as a delegate on other email accounts, the add mailbox permission recipient permission will be recorded in the log for every account that my primary global admin is being used to log into. Those artifacts may not be on those users in their individual unified audit log but I'll see it on the global admins UAL. So again, this is not rocket science. Do this on a regular basis. I want to know if I've had an authorized access when did it happen and what else did the actor do in the account? So we're gonna baseline that user activity. We're gonna identify what is normal, what is legitimate, and now what is my outlier activity? And the outlier activity is what I'm gonna care about. You're gonna use user agent strings that we talked about. Mail rule creation. Typically I find that a lot of the actors from Europe, from, I don't know, I'm tryin' not to name a specific countries but from the African region that are usually interested in monetary gain through wire transfer they will create mail rules and they will create mail rules to either cover their tracks from the kind of the spam that they stay flood out or they will create a mail rule to auto-delete responses. And they wanna try to hide their activity as long as possible. So typically mail users are not creating a lot of mail rules in their accounts. If mail rules have been created within a certain time, something to help rise to the top If I'm looking at hundreds of accounts, to look for those outliers. In fact is a good example we're working a 191 account breach right now and one of the things we've done with this volume of accounts is A, is the 191 the total? I mean that's a lot of accounts that have had unauthorized access out of a 10-12000 account tenant. One of things we've been looking for is during the time we know of unauthorized access, who had mail rules? And we've found another 49 accounts and the mail rules were all malicious. It was a very quick way for us to pivot on that data and look for things. And the geolocation of the IP address is the end of the day whatever your preferred tool is. Splunk or another tool where you're doing geo IP lookups. Something that helps you on a map identify what is normal for this client or for these user accounts and what is an outlier. Especially because most actors in my experience are not very original. They will usually come from the same area or the same data centers or the same VPN client and you can very quickly start kind of seeing that on a map. One thing to look for in my experience is the IP addresses you may see from a bad guy on one account they may especially they're using like an IPVanish or they're using some type of VPN client or an anonymizer service they may get different IPs assigned to them over a period of time but typically there from that same IP netblock. And I've gotta Powershell query I'll show you. You can use to search an entire netblock and make sure you're not missing particular other IPs that you may not have seen specifically in a log. This allows you to have a lot more about broader scapple to see if there's other IPs from that same actor or group. Couple examples of clients you may see in the unified audit log and it Microsoft's very proud of their products, right? So they're going to give you a very detailed information about Outlook if it's their product their client and then in my experience and lookin' these logs if it's not an Outlook client they're like, "Eh, it's a IMAP". (laughs) Well, thanks Microsoft. You will notice they do not identify other non-Microsoft Outlook mail clients and they literally let you know there's a protocol which is indicative of an non-Microsoft Outlook mail client accessing the account. Which of course, you know, at the end of the day I'll let you be the forensic verifiers on that but in my opinion and through testing normally means the possibility is there that at least certain emails would have been allowed to be downloaded if not a complete ActiveSync of an email account. Going back to the rules we've touched on briefly a minute ago. So these are the operators you would see inside a unified audit log if a bad guy creates a mail rule to do whatever it is whether it's auto-forwarding, deleting messages based on certain keywords. These are the operators you would see written down to the log and again that's a change to the account so forensically you would see set mailbox as that last operator being recorded after the actor has gone and created the mail rule, updated the content or the rules, the arguments for the rule, and you can actually see almost the seconds between the actor clicking the different options with the mail role things and then when he hits save that's when the set mailbox is written to the log. There is something extremely unique to Office 365 that is not reflected in the Microsoft client, Outlook mail client, and that is another auto-forwarding feature. So you can auto-forward messages as a bad guy. Out of a victim's account using mail rule. You can also in Office 365 go to options, mail accounts, forwarding, and I can type in an email address here and say keep a copy of forwarded messages, so they still get delivered to the inbox, and now I have a second place I have to look as an instant responder to see if a bad guy has put an email address. And this, more times than not, is completely missed by infosec teams internal company. They know to go to look for mail rules. Mail rules have been around since as long, you know, Microsoft has had all earlier versions of Outlook. This is specific to Office 365 and the only way you'd be able to go in and find that is to actually you can do via Powershell or go into the user's account and manually go look for this. Here's the IP address example that I was telling you about. So if you want to search unified audit log from Powershell, you're a command line guru, you wanna dive in, this would be the command that you would issue from Powershell to actually search the unified audit log, and this is actually searched all unified audit logs, so all the audit logs for all of your users in your tenant, this is a quick way quick way, quick down and dirty way, if you have some indicators of compromise, type em in, you give the dates, the start, and the end, export to a CSV, and boom. Usually within seconds this query can run and it immediately can give you IPs helping you identify other accounts that you may not know about. And this second example there is what I'd recommend if you're tryin' to do netblock. So if you know I have a bad IP it goes back to a hosting center no legitimate activity do a Whois, do a DNS lookup, figure out what is the netblock owned by that organization. I'd recommend you search the whole thing. You may find that actors using other boxes from that hosting provider or other IP's within that range. So beyond the unified audit log. In Azure, depending on the licensing of the tenant, usually it requires an E1 or an E3 licensing, there are a couple additional things that Microsoft has done to try to help instant responders pull out suspicious activity. And you would see users flagged for risk and risky sign-ins and those would be two very quick logs you'd go to. Usually is logs 7 days or 30 days is the max they're available. So they're extremely volatile. So wrapping up real quick. So I think I'm pushing my time. If you wanna jump to Powershell you can additionally do some interesting queries to pull out a massive amount of data about a particular user account. Not necessarily of a lot of forensic interest but it is some very interesting details about what auditable events are turned on for an account when the last password reset was for the account, and some very interesting activity that may tell you just general information about the user you're investigating. I talked briefly that a global admin does not have 100% rights within a tenant. You would need to, if you want to do PST forensics and look for other artifacts within that PST, you would need to assign the global admin an eDiscovery admin role so that he can download the actual PST contents. So this was very briefly had an instant response scenario we were doing. Had a couple emails that I pulled out of a PST and, "Hello Frank, per our prior conversation, please let me know what you think about it." I'm thinking this looks a little odd. It was right during the unauthorized access. I thought this was the actor. It was. So Julie responds, excuse me, Frank responds, "Julie is this legitimate?" Of course, now Julie is the account that has been popped and the actor is the one sending the messages out. "Frank, yes it is, I sent it." Thank you Mr. Actor. I appreciate that. So, not gonna spend too much long on the email analysis. You guys know what you're doing with that, right? At the end of the day, you're lookin' at the emails that may be of interest and may still be left over in the PST and those of course help from a timeline analysis standpoint. If we know the actor was in the account or we're looking for particularly what they did you may find some very interesting emails actually still left in the account. RSS subscriptions is a very popular folder I recommend you go look at. Actors love hiding messages there. It's a default folder Microsoft has in Outlook. Almost no one ever uses it and it's a great spot where actors rules will usually mark as read and move messages to there. Second really funny scenario. Phishing email with an attachment received. We've identified through the PST forensics the message had been marked as read so we knew the user, the legitimate user, had clicked the link in the phishing email. He'd gone to the website, submitted his credentials, he was arguing he had not done this but I found an email that said and him responding to the actor, "Send me something I can open and not something that makes me feel uncomfortable." I usually get asked, "What can my client" so I usually get asked, "What can we do to make sure that we protect and harden ourself". You know, multi-factor authentication usually will nullify probably 99% of these types of attacks, right? You're using single factor, and a phishing page captures username and password, you're gonna have a little bit of an issue there. If you turn multi-factor on of course you're going to have that second level of factor. You're gonna have the token. It's much harder for a bad guy to capture that. I have seen a trend where actors are starting to also put a token field on these phish kit pages so it asks for username, password, and your token. And I have had some instances where users have given up their token. Tokens usually good for 10-15 minutes, depending how it's configured, and the bad guy still gets in. So be aware of that. But domain auto-forwarding blocks. At the end of the day auto-forwarding messages out of your tenant because a bad actors create a mail rule is a significant issue. These would be ways where you can stop that. I've in most clients I speak with and do consulting work for they're like, "We don't have a legitimate reason to be sending messages outside of our tenant to an external third-party." Microsoft gives you a Powershell way to actually block that tenant wide and those messages are attempted to be auto-forwarded they will get dropped and they will not be delivered successfully. And that's it. What questions? (audience applause) (thumping music)
Info
Channel: SANS Digital Forensics and Incident Response
Views: 6,181
Rating: 4.951807 out of 5
Keywords: digital forensics, incident response, threat hunting, cyber threat intelligence, dfir training, dfir, learn digital forensics, learn computer forensics, forensic data, forensics artifacts, free digital forensics, free computer forensics, yt:cc=on
Id: CubGixACC4E
Channel Id: undefined
Length: 34min 30sec (2070 seconds)
Published: Thu Nov 08 2018
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.