Hi,
I am wondering if anyone on here has come across the application "My Lockbox" created by FSpro Labs. Basically I am pretty sure I have found the folder it has "locked" as it is not available on the computer itself but I can see this folder in EnCase where attributes don't suggest it is hidden or deleted etc.
If so, does anyone know if/where the config/registry file would be stored that points the application to the folder it has "locked" or hidden from view.
I am basically looking for a way to link the folder back to the application.
Thanks in advance.
Can you see the entire folder structure and all the files via EnCase?
I've used this software before and it doesn't stop the files from being listed in recent docs or the indexing process. You may be able to link back via shortcuts if you can see the folder structure.
I'm not sure where any config files might be stored but it may be worth installing the software yourself on a test machine and having a play to see what you can find out.
Hi Adam,
Yeah, I have installed the software and had a play around with it myself. I can see the complete file structure and I can also see link files/MRU pointing to the folder in question. I have also completed a keyword search for the file path but still have no way of linking the program back to the folder. I am trying to do this so I can prove the contents of the folder have been deliberately concealed.
In the registry files I have located keys called "FirstStart" and "LastOffer" which have hexadecimal values; however, I still cannot link these locations back to the folder.
Did anyone get anywhere with this? I have also had this come up in a case.
Hello,
Are you asking how to determine where the "My Lockbox" folder/file exists outside of the actual computer hard drive itself?
For example, if the target "locked" folder/file was stored on an external USB device or on a network server for example?
If so, perhaps create a timeline of activity using EnCase or your favorite tool.
You might, for example, look at the last accessed date/time of the LNK/shortcut file for "My Lockbox" as a potential date the program was last launched by the user; meaning the date/time the user last double-clicked on a desktop shortcut to "MyLockbox" and launched the program itself. Also look at the last accessed date/time for the MyLockbox executable itself.
Have you looked for a LOG file with the MyLockbox folder that might reveal usage information? Also, the registry entries for MyLockbox might include dates/times and number of times it was run.
Once you have a solid date/time the program was executed, take a look at what external USB devices were connected to the computer around the same time. I oftentimes just search for "E\", "F\", "G\", etc. across the entire computer as this can turn up hits with external USB drive folder and file paths. This might turn up the user accessing the MyLockbox target folder/file on an external drive, coinciding with the last date/time the MyLockbox LNK/shortcut file and/or executable was last accessed.
Internet Evidence Finder could be used to carve the Pagefile.sys / Hiberfil.sys files to hopefully recover the content of the MyLockbox encrypted file.
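The posts above mention registry values named "FirstStart" and "LastOffer" holding hexadecimal data, and the suggestion that registry entries might include dates/times. As an added example (not from any poster in this thread or from the vendor), the Python below tries common Windows timestamp encodings against an exported value and keeps only the decodings that fall inside the case window. Assumptions: the sample bytes are constructed, all times are treated as UTC, and nothing in this thread establishes that My Lockbox uses any of these encodings.

```python
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)   # 100 ns ticks since 1601
OLE_EPOCH = datetime(1899, 12, 30, tzinfo=UTC)      # fractional days since 1899-12-30
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=UTC)       # seconds since 1970

def _systemtime(raw):
    # SYSTEMTIME: eight little-endian WORDs (year, month, weekday, day, h, m, s, ms)
    y, mo, _dow, d, h, mi, s, ms = struct.unpack("<8H", raw)
    return datetime(y, mo, d, h, mi, s, ms * 1000, tzinfo=UTC)

# Decoders keyed by value length; each maps raw bytes to a UTC datetime.
DECODERS = {
    4: [("Unix 32-bit (LE)",
         lambda r: UNIX_EPOCH + timedelta(seconds=struct.unpack("<I", r)[0]))],
    8: [("FILETIME (LE)",
         lambda r: FILETIME_EPOCH + timedelta(microseconds=struct.unpack("<Q", r)[0] // 10)),
        ("Unix 64-bit (LE)",
         lambda r: UNIX_EPOCH + timedelta(seconds=struct.unpack("<q", r)[0])),
        ("OLE date (LE double)",
         lambda r: OLE_EPOCH + timedelta(days=struct.unpack("<d", r)[0]))],
    16: [("SYSTEMTIME", _systemtime)],
}

def candidate_timestamps(raw, earliest, latest):
    """Return [(encoding, datetime)] for each decoding of raw within [earliest, latest]."""
    hits = []
    for name, decode in DECODERS.get(len(raw), []):
        try:
            ts = decode(raw)
        except (OverflowError, ValueError):
            continue  # bytes are not a representable date under this encoding
        if earliest <= ts <= latest:
            hits.append((name, ts))
    return hits

if __name__ == "__main__":
    # Window would come from the case, e.g. OS install date to seizure date.
    window = (datetime(2010, 1, 1, tzinfo=UTC), datetime(2020, 1, 1, tzinfo=UTC))
    samples = {  # constructed values, not taken from a real My Lockbox install
        "value A": struct.pack("<Q", (1425988800 + 11644473600) * 10_000_000),
        "value B": struct.pack("<I", 1425988800),
        "value C": bytes(8),
    }
    for label, raw in samples.items():
        print(label, raw.hex(), candidate_timestamps(raw, *window))
```

A value that decodes to a plausible date under exactly one encoding is a lead to confirm on a test install, by checking whether the value changes when the program is first run or a folder is locked.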
Hi, thanks for the reply,
> Are you asking how to determine where the "My Lockbox" folder/file exists outside of the actual computer hard drive itself?
I am trying to ascertain if there is a history of any folders being hidden as some on the machine contain IIC.
> If so, perhaps create a timeline of activity using EnCase or your favorite tool.
No distinct date/times of usage I can discern.
> Have you looked for a LOG file with the MyLockbox folder that might reveal usage information? Also, the registry entries for MyLockbox might include dates/times and number of times it was run.
I have looked and monitored the file activity and registry activity using 'Procmon'; no dice.
> Internet Evidence Finder could be used to carve the Pagefile.sys / Hiberfil.sys files to hopefully recover the content of the MyLockbox encrypted file.
Not encrypted, just hidden. Everything from my testing has shown files 'hidden' with this software DO come up in EnCase as 'Adam10541' said. It's more whether or not they HAVE been hidden I want to use to show the user's knowledge of the system.
Hi All,
Does anyone have any additional information?
I am encountering Lockbox in my current investigation and I did not find much information.
Thanks