Extract filename fr...
 
Notifications
Clear all

Extract filename from an encrypted URL string

cybertend
(@cybertend)
New Member

I have the users computer...actually playing around with my own to see if there is some way to solve this.  

I can see activity to google drive, docs and gmail...but this should apply to other cloud storage as well.

In this example, I created and edited a document within the google drive environment.

The URL string looks something like this: _htt_ps://docs.google.com/document/d/1fHkKMUxgvu7gLJKZNxz5SmM6riGstZxQrFAcSjmtRgK/edit

minus the _ of course as I didnt want to post a clickable link.

what an investigator would be looking to do is decrypt that string between the /d/<encrypted filename>/edit

If possible, you could easily see the filenames that were accessed in a google drive for example

Also, to add to this...you can click send shareable link...the encrypted string is the same that you would send an external party

This is a clue anyway of where to possibly start, or stop I suppose, given that it is probably not a locally stored google token and may not be possible at all if it is something generated on the google side only to link to a file/folder

This topic was modified 7 months ago by cybertend
Quote
Topic starter Posted : 11/05/2021 6:49 pm
Passmark
(@passmark)
Active Member

I would think it would be impossible to decrypt (except maybe with a truly massive rainbow table).

Code to make the ID is likely something like this,

$document_id = base64url_encode(hash('sha256', "FileName.txt", true));

function base64url_encode($data)
{
   $b64 = base64_encode($data);
   $url = strtr($b64, '+/', '-_');
   return $url;
}

This is just a guess, I don't really know. But if it was like this, reversing a SHA256 hash just isn't possible, unless the file name was something really short like "a.txt".

But it is probably even worse than the above example as they might be salting the hash, or including the full document path as part of the file name, in which case even the trivial case would be impossible to decode. Or it might not be the file name at all. Just some internal document ID number. 

An easy test would be to,

1) Create a document, note the URL. Delete it and recreate it with the same name again. Do you get the same URL for the 2nd instance of the document, if it has the same name?

2) Create a document, note the URL. Rename the document. Does the original URL still work?

 

 

 

ReplyQuote
Posted : 13/05/2021 6:52 am
Share: