Cloud Storage Forensic Analysis Framework

Darren Quick
quidp003@mymail.unisa.edu.au
Supervisor: Dr Kim-Kwang Raymond Choo
1 - Introduction
2 - Literature Review
3 - Research Method
4 - Digital Forensic Analysis Cycle
5 - Dropbox
6 - Skydrive
7 - Google Drive
8 - Preservation
9 - Summary

Cloud computing
Cloud storage
Gartner Report (Kleynhans 2012): personal cloud will replace PCs as the main storage by 2014
Dropbox, Microsoft SkyDrive, and Google Drive
PC; client software or browser
Portable devices; browser or apps

Criminals' and victims' data of interest
Virtualised, geographically dispersed and transient
Technical and legal issues for investigators;
Identification of data; i.e. service provider, username, data in the account
Difficult to prove ownership
Data may be moved or erased before it can be preserved

Objective 1: To examine current research published in literature relating to cloud storage and identified cloud storage analysis methodologies.
Objective 2: To develop a digital forensic analysis framework that will assist practitioners, examiners, and researchers to follow a standard process when undertaking forensic analysis of cloud storage services.
Objective 3: To conduct research using popular cloud storage services (Dropbox, Microsoft SkyDrive, and Google Drive) and determine whether there are any data remnants which assist digital forensic analysis and investigations.
Objective 4: To examine the forensic implications of accessing and downloading cloud stored data from popular cloud storage services (Dropbox, Microsoft SkyDrive, and Google Drive).

NIST (2011) definition of cloud computing
IaaS – Infrastructure as a Service – user control
PaaS – Platform as a Service – OS provided
SaaS – Software as a Service – user has limited control
Criminal use
Security of cloud services is well addressed
Mobile devices
Digital forensic analysis process
Common procedures for investigation
McClain (2011) Dropbox analysis
Chung et al. (2012) Dropbox, Google Docs, Amazon S3 and Evernote
Zhu (2011) examines Skype, Viber, Mail, Dropbox
Reese (2010) examines Amazon EBS
Clark (2011) examines Exif metadata in pictures
Objectives not answered in literature
Need to conduct primary research

Q1: What data remnants result from the use of cloud storage to identify its use?
H0 - There are no data remnants from cloud storage use
H1 - There are remnants from cloud storage use
a) What data remains on a Windows 7 computer hard drive after cloud storage client software is installed and used to upload and store data with each hosting provider?
b) What data remains on a Windows 7 computer hard drive after cloud storage services are accessed via a web browser with each hosting provider?
c) What data is observed in network traffic when client software or browser access is undertaken?
d) What data remains in memory when client software or browser access is undertaken?
e) What data remains on an Apple iPhone 3G after cloud storage services are accessed via a web browser with each hosting provider?
f) What data remains on an Apple iPhone 3G after cloud storage services are accessed via an installed application from each hosting provider?

Q2: What forensically sound methods are available to preserve data stored in a cloud storage account?
H0 - the process of downloading files from cloud storage does not alter the internal data or the associated file metadata.
H1 - the process of downloading files from cloud storage alters the internal file data and the associated file metadata.
H2 - the process of downloading files from cloud storage does not alter the internal data, but does alter the file metadata.
H3 - the process of downloading files from cloud storage alters the internal data, but not the associated file metadata.
Q2a) What data can be acquired and preserved from a cloud storage account using existing forensic tools, methodologies, and procedures when applied to cloud storage investigations?

Research experiment undertaken using virtual PCs to create various circumstances of accessing cloud storage services.
VMs forensically preserved and analysed for data remnants: memory (VMEM), hard drive (VMDK) and network traffic (PCAP); Apple iPhone extracted with XRY. Windows client software and control installations for Dropbox, Microsoft SkyDrive and Google Drive; browsers Internet Explorer, Mozilla Firefox, Google Chrome and Apple Safari.
Prepare virtual PCs with Windows 7
Base (control) clean installation
Install Browser (Internet Explorer, Mozilla Firefox, Google Chrome, Apple Safari)
Install Client Software and upload test files
Use browser to access account and view files
Use browser to access and download files
Use Eraser to erase files
Use CCleaner to remove browsing history
Use DBAN to erase virtual hard drive

Commence (Scope)
Prepare and Respond
Identify and Collect
Preserve (Forensic Copy)
Analyse
Present
Feedback
Complete
Using the Framework to guide the process
Analysis of the VM images
In the Control VMs; ‘Dropbox’ references
Client Software 1.2.52; encrypted, sample files
System Tray link to ‘launch Dropbox website’
Browser remnants
OS remnants; Prefetch information, Link Files, $MFT, Registry, Thumbcache, Event logs
Network traffic; IPs, URL client/web
RAM; password in cleartext
Eraser/CCleaner; left remnants
DBAN; all erased
iPhone 3G iOS 4.2.1 (using the framework)
Base (control); nil located
Browser; filenames in History.plist + URL
Dropbox App; username in keychain.plist
Case study (used to illustrate findings)
‘Botnet’ hypothetical example describing finding information on PC and iPhone re Dropbox use
Conclusion;
dbx files are now encrypted; earlier versions: Filecache.db and config.db
Password in cleartext in memory
Process of booting a forensic image in a virtual PC will synchronise and provide access to the account without requiring a username or password
Current Police investigation; located illicit data being stored in a Dropbox account (real world application of the research)

Using the Framework to guide the process
Analysis of the VM images
In the Control VMs; ‘skydrive’ references
Client Software; SyncDiagnostics.log, OwnerID.dat
OS remnants; Prefetch information, Link Files, $MFT, Registry, Thumbcache, Event logs
Network traffic; IPs, filenames
RAM; password in cleartext
Eraser/CCleaner; left remnants
DBAN; all erased
iPhone 3G iOS 4.2.1 (using the framework)
Base (control); nil located
Browser; OwnerID in URL, filenames in History.plist
SkyDrive App; username in keychain.plist
Case study (used to illustrate findings)
‘IP Theft’ hypothetical example describing finding information on PC and iPhone re SkyDrive use
Conclusion;
SyncDiagnostics.log and OwnerID.dat files
Password in cleartext in memory
Process of booting a forensic image in a virtual PC may synchronise the files in an account. Access to the account requires a password.

Using the Framework to guide the process
Analysis of the VM images
In the Control VMs; ‘drive google’ references
Client Software; Sync_config.db and snapshot.db
Password in cleartext stored on Hard Drive
System Tray link to ‘visit Google Drive on the web’
OS remnants; Prefetch information, Link Files, $MFT, Registry, Thumbcache, Event logs
Network traffic; IPs, username
Eraser/CCleaner; left remnants
DBAN; all erased
iPhone 3G iOS 4.2.1 (using the framework)
Base (control); nil located
Browser; username in cookies, filenames in History.plist
Google Drive App; unable to install, need iOS 5
Case study (used to illustrate findings)
‘Steroid importation’ hypothetical example describing finding information on PC and iPhone re Google Drive use
Conclusion;
sync_config.db and snapshot.db files
Password in cleartext in RAM and on Hard Drive
System Tray link to ‘visit Google Drive on the web’
Process of booting a forensic image in a virtual PC will give full access to an account without requiring a username or password

No documented process to collect data once identified
Some jurisdictions have legal power to secure data accessible at the time of serving a warrant, such as 3LA Crimes Act 1914
Tested in VM with Dropbox, Microsoft SkyDrive, and Google Drive
Access via Browser and Client Software
No change to files (hash values same after downloading when compared with original)
Times and dates change; the timestamps compared for downloaded files (Last Accessed, File Created, Last Written, Entry Modified, Last Written (UTC)) differ between browser and client download for Dropbox, Google Drive and SkyDrive, taking values such as the unZIP time, the download time, the upload date/time, or 1/01/1980.

Q1 = H1: There are remnants from cloud storage use which enable the identification of the service, a username, or file details.
Q2 = H2: The process of downloading files from cloud storage does not alter the internal data, but does alter the file metadata.
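The Q2 finding (content unchanged, metadata changed) is the kind of check an examiner can script when preserving cloud-stored data. The following Python is an added example, not code from the thesis: it hashes an "original" and a "downloaded" copy, then compares timestamps. The cloud download itself is stood in for by a byte-for-byte local copy that writes a fresh file (an assumption made so the example runs offline), which reproduces the observed effect that the hash matches while the timestamps do not.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large download need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def file_record(path):
    """Content hash plus the timestamps an examiner would record for the file."""
    st = os.stat(path)
    return {
        "sha256": sha256_file(path),
        "size": st.st_size,
        "modified": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc),
        "accessed": datetime.fromtimestamp(st.st_atime, tz=timezone.utc),
    }


def compare_download(original, downloaded):
    """Report whether content (hash and size) and metadata (modified time)
    survived the download unchanged."""
    a, b = file_record(original), file_record(downloaded)
    return {
        "content_unchanged": a["sha256"] == b["sha256"] and a["size"] == b["size"],
        "modified_changed": a["modified"] != b["modified"],
        "original": a,
        "downloaded": b,
    }


def demo():
    """Constructed example: an 'original' file given a 2010 timestamp, then copied
    byte-for-byte the way a browser download writes a brand-new file."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "original.txt")
        with open(original, "wb") as f:
            f.write(b"test file uploaded to the cloud storage account\n")  # constructed content
        past = int(datetime(2010, 1, 1, tzinfo=timezone.utc).timestamp())
        os.utime(original, (past, past))  # give the source file an old access/modified time

        downloaded = os.path.join(d, "downloaded.txt")
        shutil.copyfile(original, downloaded)  # copies bytes only; timestamps become 'now'
        return compare_download(original, downloaded)


if __name__ == "__main__":
    result = demo()
    print("content unchanged:", result["content_unchanged"])
    print("modified time changed:", result["modified_changed"])
    print("original:", result["original"])
    print("downloaded:", result["downloaded"])
```

Against a real download the same `compare_download` call is run with the path of the file held on the source system (or a hash recorded when it was uploaded) and the path of the downloaded copy; a hash match supports the content's integrity, and the timestamp difference is documented rather than treated as tampering.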

Identified software files for each service, e.g. SyncDiagnostics.log – SkyDrive; Snapshot.db – Google Drive; Filecache.db – Dropbox
Identified OS remnants;
Prefetch
Link files
Registry
Identified Browser History remnants
No change to access and download files
Difference in timestamps for downloaded files
Process to boot PC in a VM
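The summary above amounts to a triage list: client-software filenames per service, plus Prefetch and link files that name the service. The Python below is an added example, not the thesis's tooling, that walks an exported file tree or mounted image and reports which services those remnants indicate. The artefact filenames come from the slides; the directory layout in `demo()` is constructed for the example and is not a claim about where each client really installs its files.

```python
import os
import tempfile
from collections import defaultdict

# Client-software artefacts the slides identify for each service. Names are compared
# case-insensitively because Windows filesystems are case-insensitive.
KNOWN_ARTEFACTS = {
    "Dropbox": {"filecache.db", "config.db"},  # earlier client versions; later .dbx files are encrypted
    "SkyDrive": {"syncdiagnostics.log", "ownerid.dat"},
    "Google Drive": {"sync_config.db", "snapshot.db"},
}

# Keywords to look for in OS remnants such as Prefetch (.pf) and link (.lnk) files.
SERVICE_KEYWORDS = {
    "Dropbox": ("dropbox",),
    "SkyDrive": ("skydrive",),
    "Google Drive": ("googledrive", "google drive"),
}
OS_REMNANT_SUFFIXES = {".pf": "Prefetch", ".lnk": "Link file"}


def scan_client_artefacts(root):
    """Return {service: [paths]} for every file whose name is a known client artefact."""
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            for service, names in KNOWN_ARTEFACTS.items():
                if lower in names:
                    hits[service].append(os.path.join(dirpath, name))
    return {service: sorted(paths) for service, paths in hits.items()}


def scan_os_remnants(root):
    """Return sorted [(kind, service, path)] for Prefetch and link files whose
    names mention a service, e.g. a DROPBOX.EXE-*.pf Prefetch entry."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            _stem, ext = os.path.splitext(name)
            kind = OS_REMNANT_SUFFIXES.get(ext.lower())
            if kind is None:
                continue
            lower = name.lower()
            for service, keywords in SERVICE_KEYWORDS.items():
                if any(k in lower for k in keywords):
                    found.append((kind, service, os.path.join(dirpath, name)))
    return sorted(found)


def services_indicated(root):
    """Services for which at least one client artefact or OS remnant was located."""
    found = set(scan_client_artefacts(root))
    found.update(service for _kind, service, _path in scan_os_remnants(root))
    return sorted(found)


def _touch(path, content=b""):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(content)


def demo():
    """Build a constructed file tree standing in for a mounted Windows 7 image.
    The directory layout is illustrative only, not the clients' real install paths."""
    with tempfile.TemporaryDirectory() as root:
        _touch(os.path.join(root, "Users", "alice", "AppData", "Roaming", "Dropbox", "filecache.db"))
        _touch(os.path.join(root, "Users", "alice", "AppData", "Local", "SkyDrive", "SyncDiagnostics.log"))
        _touch(os.path.join(root, "Users", "alice", "AppData", "Local", "Google", "Drive", "sync_config.db"))
        _touch(os.path.join(root, "Windows", "Prefetch", "DROPBOX.EXE-00000000.pf"))  # constructed name
        _touch(os.path.join(root, "Users", "alice", "Desktop", "Google Drive.lnk"))
        _touch(os.path.join(root, "Users", "alice", "Documents", "notes.txt"))  # decoy; must not match
        return {
            "artefacts": scan_client_artefacts(root),
            "os_remnants": scan_os_remnants(root),
            "services": services_indicated(root),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Filename hits are a lead, not proof: a located `config.db` still has to be opened and its contents attributed to a user, which is why the slides pair these files with Registry, $MFT and browser-history remnants before drawing a conclusion.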

Other cloud storage services; Amazon S3, iCloud, and UbuntuOne
Physical iPhone extract compared to logical extract
Android, Windows Mobile devices
Apple iOS 5 devices
Further test the framework

Quick, D & Choo, K-K R (2012), ‘Dropbox Analysis: Data Remnants on User Machines’, submitted to Digital Investigation.
Quick, D & Choo, K-K R (2012), ‘Digital Droplets: Microsoft SkyDrive forensic data remnants’, submitted to Future Generation Computer Systems.
Quick, D & Choo, K-K R (2012), ‘Forensic Collection of Cloud Storage Data from a Law Enforcement Perspective’, submitted to Computers & Security.
Quick, D & Choo, K-K R (2012), ‘Google Drive: Forensic Analysis of data remnants’, submitted to Journal of Network and Computer Applications.

Chung, H, Park, J, Lee, S & Kang, C (2012), ‘Digital Forensic Investigation of Cloud Storage Services’, Digital Investigation.
Clark, P (2011), ‘Digital Forensics Tool Testing – Image Metadata in the Cloud’, Department of Computer Science and Media Technology, Gjøvik University College.
Kleynhans, S (2012), The New PC Era – the Personal Cloud, Gartner Inc.
McClain, F (2011), Dropbox Forensics, updated 31 May 2011, Forensic Focus.
McKemmish, R (1999), ‘What Is Forensic Computing?’, Trends and Issues in Crime and Criminal Justice, Australian Institute of Criminology, vol. 118, pp. 1-6.
NIST (2011), Challenging Security Requirements for US Government Cloud Computing Adoption (Draft), U.S. Department of Commerce.
Ratcliffe, J (2003), ‘Intelligence-Led Policing’, Trends and Issues in Crime and Criminal Justice, vol. 248, pp. 1-6.
Reese, G (2010), Cloud Forensics Using EBS Boot Volumes, Oreilly.com.
Zhu, M (2011), ‘Mobile Cloud Computing: Implications to Smartphone Forensic Procedures and Methodologies’, AUT University.
Slide Note

This presentation provides an overview of the thesis ‘Cloud Storage Forensic Analysis’ by Darren Quick - 28 October 2012. Supervised by Dr Kim-Kwang Raymond Choo.

This research project focuses on developing a digital forensic analysis framework for cloud storage services like Dropbox, Microsoft SkyDrive, and Google Drive. The aim is to explore methodologies to assist practitioners in investigating data remnants and conducting forensic analysis efficiently in cloud computing environments. The study delves into the challenges of accessing and preserving digital evidence in virtualized and transient cloud storage systems, addressing technical and legal complexities. By examining current literature, defining objectives, and reviewing common procedures, the research aims to contribute to the evolving field of cloud storage forensics.

Uploaded on Mar 06, 2025