Cloud Storage Forensic Analysis
Darren Quick
quidp003@mymail.unisa.edu.au
Supervisor: Dr Kim-Kwang Raymond Choo
 1 - Introduction
 2 - Literature Review
 3 - Research Method
 4 - Digital Forensic Analysis Cycle
 5 - Dropbox
 6 - SkyDrive
 7 - Google Drive
 8 - Preservation
 9 - Summary
 Cloud computing
 Cloud storage
 Gartner Report (Kleynhans 2012)
 Personal cloud will replace PCs as the main
storage by 2014
 Dropbox, Microsoft SkyDrive, and
Google Drive
 PC; client software or browser
 Portable devices; browser or apps
 Criminals’ and victims’ data of interest
 Virtualised, geographically dispersed and
transient
 Technical and legal issues for investigators;
◦ Identification of data; i.e. service provider
◦ Username,
◦ Data in the account
◦ Difficult to prove ownership
◦ Data may be moved or erased before it can be
preserved
 Objective 1: To examine current research published in
literature relating to cloud storage and identified cloud
storage analysis methodologies.
 Objective 2: To develop a digital forensic analysis framework
that will assist practitioners, examiners, and researchers to
follow a standard process when undertaking forensic analysis
of cloud storage services.
 Objective 3: To conduct research using popular cloud storage
services; Dropbox, Microsoft SkyDrive, and Google Drive, and
determine whether there are any data remnants which assist
digital forensic analysis and investigations.
 Objective 4: To examine the forensic implications of
accessing and downloading cloud stored data from popular
cloud storage services; Dropbox, Microsoft SkyDrive, and
Google Drive.
 NIST (2011) definition of cloud computing
 IaaS – Infrastructure as a Service – user
control
 PaaS – Platform as a Service – OS provided
 SaaS – Software as a Service – User has
limited control
 Criminal use
 Security of cloud services is well addressed
 Mobile devices
 Digital forensic analysis process
 Common procedures for investigation
 McClain (2011) Dropbox analysis
 Chung et al. (2012) Dropbox, Google Docs,
Amazon S3 and Evernote
 Zhu (2011) examines Skype, Viber, Mail,
Dropbox
 Reese (2010) examines Amazon EBS
 Clark (2011) examines Exif metadata in
pictures
 Objectives not answered in literature
 Need to conduct primary research
 Q1 What data remnants result from the use of
cloud storage to identify its use?
 H0 - There are no data remnants from cloud
storage use
 H1 - There are remnants from cloud storage use
a) What data remains on a Windows 7 computer hard drive
after cloud storage client software is installed and used
to upload and store data with each hosting provider?
b) What data remains on a Windows 7 computer hard drive
after cloud storage services are accessed via a web
browser with each hosting provider?
c) What data is observed in network traffic when client
software or browser access is undertaken?
d) What data remains in memory when client software or
browser access is undertaken?
e) What data remains on an Apple iPhone 3G after cloud
storage services are accessed via a web browser with
each hosting provider?
f) What data remains on an Apple iPhone 3G after cloud
storage services are accessed via an installed application
from each hosting provider?
 Q2 What forensically sound methods are
available to preserve data stored in a cloud
storage account?
◦ H0: The process of downloading files from cloud storage
does not alter the internal data or the associated file
metadata.
◦ H1: The process of downloading files from cloud storage
alters the internal file data and the associated file metadata.
◦ H2: The process of downloading files from cloud storage
does not alter the internal data, but does alter the file
metadata.
◦ H3: The process of downloading files from cloud storage
alters the internal data, but not the
associated file metadata.
 Q2a) What data can be acquired and preserved
from a cloud storage account using existing
forensic tools, methodologies, and procedures
when applied to cloud storage investigations?
 Experiment matrix:
◦ Control installation; Dropbox, Microsoft SkyDrive, Google Drive
◦ Windows client software; Internet Explorer, Mozilla Firefox,
Google Chrome, Apple Safari
◦ Memory (VMEM), Hard drive (VMDK), Network (PCAP)
◦ Apple iPhone (XRY)
 Research experiment
undertaken using virtual
PCs to create various
circumstances of
accessing cloud storage
services.
 VMs forensically
preserved and analysed
for data remnants
 Prepare virtual PCs with Windows 7
 Base (control) clean installation
 Install Browser (Internet Explorer, Mozilla
Firefox, Google Chrome, Apple Safari)
 Install Client Software and upload test files
 Use browser to access account and view files
 Use browser to access and download files
 Use Eraser to erase files
 Use CCleaner to remove browsing history
 Use DBAN to erase virtual hard drive
 Commence (Scope)
 Prepare and Respond
 Identify and Collect
 Preserve (Forensic Copy)
 Analyse
 Present
 Feedback
 Complete
 Using the Framework to guide the process
 Analysis of the VM images
 In the Control VMs; ‘Dropbox’ references
 Client Software 1.2.52; encrypted database files, sample files
 System Tray link to ‘launch Dropbox website’
 Browser remnants
 OS remnants; Prefetch information, Link Files,
$MFT, Registry, Thumbcache, Event logs
 Network traffic; IPs, URL client/web
 RAM; password in cleartext
 Eraser/CCleaner; left remnants
 DBAN; all erased
 iPhone 3G iOS 4.2.1 (using the framework)
◦ Base (control); nil located
◦ Browser; filenames in History.plist + URL
◦ Dropbox App; username in keychain.plist
 Case study (used to illustrate findings)
◦ ‘Botnet’ hypothetical example describing finding
information on PC and iPhone re Dropbox
use
 Conclusion;
◦ dbx files are now encrypted; earlier versions used
filecache.db and config.db
◦ Password in cleartext in memory
◦ Process of booting a forensic image in a virtual
PC will synchronise and provide access to the
account without requiring a username or
password
 Current Police investigation; located illicit
data being stored in a Dropbox account
(real world application of the research)
 Using the Framework to guide the process
 Analysis of the VM images
 In the Control VMs; ‘skydrive’ references
 Client Software; SyncDiagnostics.log,
OwnerID.dat
 OS remnants; Prefetch information, Link Files,
$MFT, Registry, Thumbcache, Event logs
 Network traffic; IPs, filenames
 RAM; password in cleartext
 Eraser/CCleaner; left remnants
 DBAN; all erased
 iPhone 3G iOS 4.2.1 (using the framework)
◦ Base (control); nil located
◦ Browser; OwnerID in URL, filenames in History.plist
◦ SkyDrive App; username in keychain.plist
 Case study (used to illustrate findings)
◦ ‘IP Theft’ hypothetical example describing finding
information on PC and iPhone re SkyDrive
use
 Conclusion;
◦ SyncDiagnostics.log and OwnerID.dat files
◦ Password in cleartext in memory
◦ Process of booting a forensic image in a virtual
PC may synchronise the files in an account.
Access to the account requires a password.
 Using the Framework to guide the process
 Analysis of the VM images
 In the Control VMs; ‘drive google’ references
 Client Software; Sync_config.db and snapshot.db
 Password in cleartext stored on Hard Drive
 System Tray link to ‘visit Google Drive on the web’
 OS remnants; Prefetch information, Link Files,
$MFT, Registry, Thumbcache, Event logs
 Network traffic; IPs, username
 Eraser/CCleaner; left remnants
 DBAN; all erased
 iPhone 3G iOS 4.2.1 (using the framework)
◦ Base (control); nil located
◦ Browser; username in cookies, filenames in
History.plist
◦ Google Drive App; unable to install, need iOS 5
 Case study (used to illustrate findings)
◦ ‘Steroid importation’ hypothetical example
describing finding information on PC and
iPhone re Google Drive use
 Conclusion;
◦ sync_config.db and snapshot.db files
◦ Password in cleartext in RAM and on hard drive
◦ System Tray link to ‘visit Google Drive on the
web’
◦ Process of booting a forensic image in a virtual
PC will give full access to an account without
requiring a username or password
 No documented process to collect data once
identified
 Some jurisdictions have legal power to
secure data accessible at the time of serving
a warrant, such as section 3LA of the Crimes Act 1914
 Tested in VM with Dropbox, Microsoft
SkyDrive, and Google Drive
 Access via Browser and Client Software
 No change to files (Hash values same after
downloading when compared with original)
 Times and dates change (timestamps of the downloaded copy);
| Service      | Access  | Last Accessed      | File Created       | Last Written | Entry Modified |
|--------------|---------|--------------------|--------------------|--------------|----------------|
| Dropbox      | browser | Last Written (UTC) | Last Written (UTC) | unZIP time   | unZIP time     |
| Dropbox      | client  | download time      | download time      | same         | download time  |
| Google Drive | browser | 1/01/1980          | 1/01/1980          | unZIP time   | unZIP time     |
| Google Drive | client  | last written       | download time      | same         | download time  |
| SkyDrive     | browser | upload date/time   | upload date/time   | unZIP time   | unZIP time     |
| SkyDrive     | client  | download time      | download time      | same         | download time  |
 Q1 = H1
There are remnants from cloud storage use
which enable the identification of the service,
a username, or file details.
 Q2 = H2
The process of downloading files from cloud
storage does not alter the internal data, but
does alter the file metadata.
 Identified software files for each service, e.g.
◦ SyncDiagnostics.log – SkyDrive
◦ Snapshot.db – Google Drive
◦ Filecache.db – Dropbox
 Identified OS remnants;
◦ Prefetch
◦ Link files
◦ Registry
 Identified Browser History remnants
 No change to file contents when accessing and downloading files
 Difference in timestamps for downloaded files
 Process to boot PC in a VM
 Other cloud storage services;
◦ Amazon S3, iCloud, and UbuntuOne
 Physical iPhone extract compared to logical
extract
 Android, Windows Mobile devices
 Apple iOS 5 devices
 Further test the framework
 Quick, D & Choo, K-K R (2012), ‘Dropbox Analysis: Data
Remnants on User Machines’, submitted to Digital
Investigation.
 Quick, D & Choo, K-K R (2012), ‘Digital Droplets: Microsoft
SkyDrive Forensic Data Remnants’, submitted to Future
Generation Computer Systems.
 Quick, D & Choo, K-K R (2012), ‘Forensic Collection of Cloud
Storage Data from a Law Enforcement Perspective’, submitted
to Computers & Security.
 Quick, D & Choo, K-K R (2012), ‘Google Drive: Forensic
Analysis of Data Remnants’, submitted to Journal of Network
and Computer Applications.
 Chung, H, Park, J, Lee, S & Kang, C (2012), ‘Digital Forensic Investigation of
Cloud Storage Services’, Digital Investigation.
 Clark, P (2011), ‘Digital Forensics Tool Testing: Image Metadata in the Cloud’,
Department of Computer Science and Media Technology, Gjøvik University
College.
 Kleynhans, S (2012), The New PC Era: The Personal Cloud, Gartner Inc.
 McClain, F (2011), Dropbox Forensics, updated 31 May 2011, Forensic Focus.
 McKemmish, R (1999), ‘What Is Forensic Computing?’, Trends and Issues in
Crime and Criminal Justice, Australian Institute of Criminology, vol. 118, pp.
1-6.
 NIST (2011), Challenging Security Requirements for US Government Cloud
Computing Adoption (Draft), U.S. Department of Commerce.
 Ratcliffe, J (2003), ‘Intelligence-Led Policing’, Trends and Issues in Crime and
Criminal Justice, vol. 248, pp. 1-6.
 Reese, G (2010), Cloud Forensics Using EBS Boot Volumes, Oreilly.com.
 Zhu, M (2011), ‘Mobile Cloud Computing: Implications to Smartphone
Forensic Procedures and Methodologies’, AUT University.

More Related Content

Similar to 219568662-QUICK-Cloud-Storage-Forensic-Analysis-Presentation.pptx

A Gen3 Perspective of Disparate Data
A Gen3 Perspective of Disparate DataA Gen3 Perspective of Disparate Data
A Gen3 Perspective of Disparate DataRobert Grossman
 
Cloud Storage Client Application Analysis
Cloud Storage Client Application AnalysisCloud Storage Client Application Analysis
Cloud Storage Client Application AnalysisCSCJournals
 
Ravi ubana presentation on cloud
Ravi ubana presentation on cloudRavi ubana presentation on cloud
Ravi ubana presentation on cloudRavi Ubana
 
Automating Research Data Management at Scale with Globus
Automating Research Data Management at Scale with GlobusAutomating Research Data Management at Scale with Globus
Automating Research Data Management at Scale with GlobusGlobus
 
Exercises portfolio-Digital Curation Tools (IS40620)
Exercises portfolio-Digital Curation Tools (IS40620)Exercises portfolio-Digital Curation Tools (IS40620)
Exercises portfolio-Digital Curation Tools (IS40620)softwaresatish
 
Benchmarking Personal Cloud Storage
Benchmarking Personal Cloud StorageBenchmarking Personal Cloud Storage
Benchmarking Personal Cloud StorageSpyros Eleftheriadis
 
IRJET - A Secure Access Policies based on Data Deduplication System
IRJET - A Secure Access Policies based on Data Deduplication SystemIRJET - A Secure Access Policies based on Data Deduplication System
IRJET - A Secure Access Policies based on Data Deduplication SystemIRJET Journal
 
GlobusWorld 2021 Tutorial: Introduction to Globus
GlobusWorld 2021 Tutorial: Introduction to GlobusGlobusWorld 2021 Tutorial: Introduction to Globus
GlobusWorld 2021 Tutorial: Introduction to GlobusGlobus
 
FOG drive Keerthana3rd ppt.pptx
FOG drive Keerthana3rd ppt.pptxFOG drive Keerthana3rd ppt.pptx
FOG drive Keerthana3rd ppt.pptxrohithprakash16
 
Introduction to Globus (GlobusWorld Tour West)
Introduction to Globus (GlobusWorld Tour West)Introduction to Globus (GlobusWorld Tour West)
Introduction to Globus (GlobusWorld Tour West)Globus
 
Online Cloud Storage System By using PHP
Online Cloud Storage System By using PHPOnline Cloud Storage System By using PHP
Online Cloud Storage System By using PHPTuhin Ray
 
Implementing a Data Mesh with Apache Kafka with Adam Bellemare | Kafka Summit...
Implementing a Data Mesh with Apache Kafka with Adam Bellemare | Kafka Summit...Implementing a Data Mesh with Apache Kafka with Adam Bellemare | Kafka Summit...
Implementing a Data Mesh with Apache Kafka with Adam Bellemare | Kafka Summit...HostedbyConfluent
 
Secured Multi Cloud Storage Using CPDP
Secured Multi Cloud Storage Using CPDPSecured Multi Cloud Storage Using CPDP
Secured Multi Cloud Storage Using CPDPIJSRD
 
Please i need this paper in 6 hours. if you can make it happen, kind
Please i need this paper in 6 hours. if you can make it happen, kindPlease i need this paper in 6 hours. if you can make it happen, kind
Please i need this paper in 6 hours. if you can make it happen, kindtaminklsperaw
 
Cloud Storage System like Dropbox
Cloud Storage System like DropboxCloud Storage System like Dropbox
Cloud Storage System like DropboxIRJET Journal
 
Throughout this course, you will be keeping an investigative jou
Throughout this course, you will be keeping an investigative jouThroughout this course, you will be keeping an investigative jou
Throughout this course, you will be keeping an investigative joumarilynnhoare
 
What Are You Looking ForThe variety of operating systems, appli.docx
What Are You Looking ForThe variety of operating systems, appli.docxWhat Are You Looking ForThe variety of operating systems, appli.docx
What Are You Looking ForThe variety of operating systems, appli.docxalanfhall8953
 
Integrating On-premises Enterprise Storage Workloads with AWS (ENT301) | AWS ...
Integrating On-premises Enterprise Storage Workloads with AWS (ENT301) | AWS ...Integrating On-premises Enterprise Storage Workloads with AWS (ENT301) | AWS ...
Integrating On-premises Enterprise Storage Workloads with AWS (ENT301) | AWS ...Amazon Web Services
 

Similar to 219568662-QUICK-Cloud-Storage-Forensic-Analysis-Presentation.pptx (20)

A Gen3 Perspective of Disparate Data
A Gen3 Perspective of Disparate DataA Gen3 Perspective of Disparate Data
A Gen3 Perspective of Disparate Data
 
Cloud Storage Client Application Analysis
Cloud Storage Client Application AnalysisCloud Storage Client Application Analysis
Cloud Storage Client Application Analysis
 
Ravi ubana presentation on cloud
Ravi ubana presentation on cloudRavi ubana presentation on cloud
Ravi ubana presentation on cloud
 
Automating Research Data Management at Scale with Globus
Automating Research Data Management at Scale with GlobusAutomating Research Data Management at Scale with Globus
Automating Research Data Management at Scale with Globus
 
Exercises portfolio-Digital Curation Tools (IS40620)
Exercises portfolio-Digital Curation Tools (IS40620)Exercises portfolio-Digital Curation Tools (IS40620)
Exercises portfolio-Digital Curation Tools (IS40620)
 
Benchmarking Personal Cloud Storage
Benchmarking Personal Cloud StorageBenchmarking Personal Cloud Storage
Benchmarking Personal Cloud Storage
 
Hadoop introduction
Hadoop introductionHadoop introduction
Hadoop introduction
 
IRJET - A Secure Access Policies based on Data Deduplication System
IRJET - A Secure Access Policies based on Data Deduplication SystemIRJET - A Secure Access Policies based on Data Deduplication System
IRJET - A Secure Access Policies based on Data Deduplication System
 
GlobusWorld 2021 Tutorial: Introduction to Globus
GlobusWorld 2021 Tutorial: Introduction to GlobusGlobusWorld 2021 Tutorial: Introduction to Globus
GlobusWorld 2021 Tutorial: Introduction to Globus
 
FOG drive Keerthana3rd ppt.pptx
FOG drive Keerthana3rd ppt.pptxFOG drive Keerthana3rd ppt.pptx
FOG drive Keerthana3rd ppt.pptx
 
Introduction to Globus (GlobusWorld Tour West)
Introduction to Globus (GlobusWorld Tour West)Introduction to Globus (GlobusWorld Tour West)
Introduction to Globus (GlobusWorld Tour West)
 
Online Cloud Storage System By using PHP
Online Cloud Storage System By using PHPOnline Cloud Storage System By using PHP
Online Cloud Storage System By using PHP
 
Implementing a Data Mesh with Apache Kafka with Adam Bellemare | Kafka Summit...
Implementing a Data Mesh with Apache Kafka with Adam Bellemare | Kafka Summit...Implementing a Data Mesh with Apache Kafka with Adam Bellemare | Kafka Summit...
Implementing a Data Mesh with Apache Kafka with Adam Bellemare | Kafka Summit...
 
Secured Multi Cloud Storage Using CPDP
Secured Multi Cloud Storage Using CPDPSecured Multi Cloud Storage Using CPDP
Secured Multi Cloud Storage Using CPDP
 
Please i need this paper in 6 hours. if you can make it happen, kind
Please i need this paper in 6 hours. if you can make it happen, kindPlease i need this paper in 6 hours. if you can make it happen, kind
Please i need this paper in 6 hours. if you can make it happen, kind
 
Cloud Storage System like Dropbox
Cloud Storage System like DropboxCloud Storage System like Dropbox
Cloud Storage System like Dropbox
 
Throughout this course, you will be keeping an investigative jou
Throughout this course, you will be keeping an investigative jouThroughout this course, you will be keeping an investigative jou
Throughout this course, you will be keeping an investigative jou
 
What Are You Looking ForThe variety of operating systems, appli.docx
What Are You Looking ForThe variety of operating systems, appli.docxWhat Are You Looking ForThe variety of operating systems, appli.docx
What Are You Looking ForThe variety of operating systems, appli.docx
 
GDSC Cloud Jam.pptx
GDSC Cloud Jam.pptxGDSC Cloud Jam.pptx
GDSC Cloud Jam.pptx
 
Integrating On-premises Enterprise Storage Workloads with AWS (ENT301) | AWS ...
Integrating On-premises Enterprise Storage Workloads with AWS (ENT301) | AWS ...Integrating On-premises Enterprise Storage Workloads with AWS (ENT301) | AWS ...
Integrating On-premises Enterprise Storage Workloads with AWS (ENT301) | AWS ...
 

Recently uploaded

(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxupamatechverse
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingrakeshbaidya232001
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024hassan khalil
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSSIVASHANKAR N
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...RajaP95
 
ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...
ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...
ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...ZTE
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Suman Mia
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxwendy cai
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝soniya singh
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escortsranjana rawat
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024Mark Billinghurst
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
High Profile Call Girls Nashik Megha 7001305949 Independent Escort Service Na...
High Profile Call Girls Nashik Megha 7001305949 Independent Escort Service Na...High Profile Call Girls Nashik Megha 7001305949 Independent Escort Service Na...
High Profile Call Girls Nashik Megha 7001305949 Independent Escort Service Na...Call Girls in Nagpur High Profile
 

Recently uploaded (20)

(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptx
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writing
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
 
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
 
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
 
ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...
ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...
ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptx
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
 
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
High Profile Call Girls Nashik Megha 7001305949 Independent Escort Service Na...
High Profile Call Girls Nashik Megha 7001305949 Independent Escort Service Na...High Profile Call Girls Nashik Megha 7001305949 Independent Escort Service Na...
High Profile Call Girls Nashik Megha 7001305949 Independent Escort Service Na...
 
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINEDJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
 

219568662-QUICK-Cloud-Storage-Forensic-Analysis-Presentation.pptx

  • 2.  1 - Introduction  2 - Literature Review  3 - Research Method  4 – Digital Forensic Analysis Cycle  5 - Dropbox  6 - Skydrive  7 - Google Drive  8 - Preservation  9 - Summary
  • 3.
    - Cloud computing
    - Cloud storage
    - Gartner Report (Kleynhans 2012)
    - Personal cloud will replace PCs as the main storage by 2014
    - Dropbox, Microsoft SkyDrive, and Google Drive
    - PC; client software or browser
    - Portable devices; browser or apps
  • 4.
    - Criminals' and victims' data of interest
    - Virtualised, geographically dispersed and transient
    - Technical and legal issues for investigators;
      ◦ Identification of data; i.e. service provider
      ◦ Username
      ◦ Data in the account
      ◦ Difficult to prove ownership
      ◦ Data may be moved or erased before it can be preserved
  • 5.
    - Objective 1: To examine current research published in literature relating to cloud storage and identified cloud storage analysis methodologies.
    - Objective 2: To develop a digital forensic analysis framework that will assist practitioners, examiners, and researchers to follow a standard process when undertaking forensic analysis of cloud storage services.
    - Objective 3: To conduct research using popular cloud storage services (Dropbox, Microsoft SkyDrive, and Google Drive) and determine whether there are any data remnants which assist digital forensic analysis and investigations.
    - Objective 4: To examine the forensic implications of accessing and downloading cloud stored data from popular cloud storage services (Dropbox, Microsoft SkyDrive, and Google Drive).
  • 6.
    - NIST (2011) definition of cloud computing
    - IaaS – Infrastructure as a Service – user control
    - PaaS – Platform as a Service – OS provided
    - SaaS – Software as a Service – user has limited control
    - Criminal use
    - Security of cloud services is well addressed
    - Mobile devices
  • 7.
    - Digital forensic analysis process
    - Common procedures for investigation
    - McClain (2011) Dropbox analysis
    - Chung et al. (2012) Dropbox, Google Docs, Amazon S3 and Evernote
    - Zhu (2011) examines Skype, Viber, Mail, Dropbox
    - Reese (2010) examines Amazon EBS
    - Clark (2011) examines Exif metadata in pictures
  • 8.
    - Objectives not answered in literature
    - Need to conduct primary research
    - Q1: What data remnants result from the use of cloud storage to identify its use?
    - H0: There are no data remnants from cloud storage use
    - H1: There are remnants from cloud storage use
  • 9.
    - a) What data remains on a Windows 7 computer hard drive after cloud storage client software is installed and used to upload and store data with each hosting provider?
    - b) What data remains on a Windows 7 computer hard drive after cloud storage services are accessed via a web browser with each hosting provider?
    - c) What data is observed in network traffic when client software or browser access is undertaken?
    - d) What data remains in memory when client software or browser access is undertaken?
    - e) What data remains on an Apple iPhone 3G after cloud storage services are accessed via a web browser with each hosting provider?
    - f) What data remains on an Apple iPhone 3G after cloud storage services are accessed via an installed application from each hosting provider?
  • 10.
    - Q2: What forensically sound methods are available to preserve data stored in a cloud storage account?
      ◦ H0: the process of downloading files from cloud storage does not alter the internal data or the associated file metadata.
      ◦ H1: the process of downloading files from cloud storage alters the internal file data and the associated file metadata.
      ◦ H2: the process of downloading files from cloud storage does not alter the internal data, but does alter the file metadata.
      ◦ H3: the process of downloading files from cloud storage alters the internal data, but not the associated file metadata.
  • 11.
    - Q2a) What data can be acquired and preserved from a cloud storage account using existing forensic tools, methodologies, and procedures when applied to cloud storage investigations?
  • 12.
    [Block diagram: from a control installation, each service (Dropbox, Microsoft SkyDrive, Google Drive) is accessed via Windows client software and the browsers Internet Explorer, Mozilla Firefox, Google Chrome and Apple Safari, and from an Apple iPhone (XRY extraction); memory (VMEM), hard drive (VMDK) and network traffic (PCAP) are captured from each VM.]
    - Research experiment undertaken using Virtual PCs to create various circumstances of accessing cloud storage services.
    - VMs forensically preserved and analysed for data remnants
  • 13.
    - Prepare Virtual PCs with Windows 7
    - Base (control) clean installation
    - Install Browser (Internet Explorer, Mozilla Firefox, Google Chrome, Apple Safari)
    - Install Client Software and upload test files
    - Use browser to access account and view files
    - Use browser to access and download files
    - Use Eraser to erase files
    - Use CCleaner to remove browsing history
    - Use DBAN to erase virtual hard drive
  • 14.
    - Commence (Scope)
    - Prepare and Respond
    - Identify and Collect
    - Preserve (Forensic Copy)
    - Analyse
    - Present
    - Feedback
    - Complete
  • 15.
    - Using the Framework to guide the process
    - Analysis of the VM images
    - In the Control VMs; ‘Dropbox’ references
    - Client Software 1.2.52; encrypted, sample files
    - System Tray link to ‘launch Dropbox website’
    - Browser remnants
    - OS remnants; Prefetch information, Link Files, $MFT, Registry, Thumbcache, Event logs
    - Network traffic; IPs, URL client/web
    - RAM; password in cleartext
    - Eraser/CCleaner; left remnants
    - DBAN; all erased
  • 16.
    - iPhone 3G iOS 4.2.1 (using the framework)
      ◦ Base (control); nil located
      ◦ Browser; filenames in History.plist + URL
      ◦ Dropbox App; username in keychain.plist
    - Case study (used to illustrate findings)
      ◦ ‘Botnet’ hypothetical example describing finding information on PC and iPhone re Dropbox use
  • 17.
    - Conclusion;
      ◦ dbx files are now encrypted; earlier versions: Filecache.db and config.db
      ◦ Password in cleartext in memory
      ◦ Process of booting a forensic image in a virtual PC will synchronise and provide access to the account without requiring a username or password
    - Current Police investigation; located illicit data being stored in a Dropbox account (real world application of the research)
  • 18.
    - Using the Framework to guide the process
    - Analysis of the VM images
    - In the Control VMs; ‘skydrive’ references
    - Client Software; SyncDiagnostics.log, OwnerID.dat
    - OS remnants; Prefetch information, Link Files, $MFT, Registry, Thumbcache, Event logs
    - Network traffic; IPs, filenames
    - RAM; password in cleartext
    - Eraser/CCleaner; left remnants
    - DBAN; all erased
  • 19.
    - iPhone 3G iOS 4.2.1 (using the framework)
      ◦ Base (control); nil located
      ◦ Browser; OwnerID in URL, filenames in History.plist
      ◦ SkyDrive App; username in keychain.plist
    - Case study (used to illustrate findings)
      ◦ ‘IP Theft’ hypothetical example describing finding information on PC and iPhone re SkyDrive use
  • 20.
    - Conclusion;
      ◦ SyncDiagnostics.log and OwnerID.dat files
      ◦ Password in cleartext in memory
      ◦ Process of booting a forensic image in a virtual PC may synchronise the files in an account. Access to the account requires a password.
  • 21.
    - Using the Framework to guide the process
    - Analysis of the VM images
    - In the Control VMs; ‘drive google’ references
    - Client Software; Sync_config.db and snapshot.db
    - Password in cleartext stored on Hard Drive
    - System Tray link to ‘visit Google Drive on the web’
    - OS remnants; Prefetch information, Link Files, $MFT, Registry, Thumbcache, Event logs
    - Network traffic; IPs, username
    - Eraser/CCleaner; left remnants
    - DBAN; all erased
  • 22.
    - iPhone 3G iOS 4.2.1 (using the framework)
      ◦ Base (control); nil located
      ◦ Browser; username in cookies, filenames in History.plist
      ◦ Google Drive App; unable to install, needs iOS 5
    - Case study (used to illustrate findings)
      ◦ ‘Steroid importation’ hypothetical example describing finding information on PC and iPhone re Google Drive use
  • 23.
    - Conclusion;
      ◦ sync_config.db and snapshot.db files
      ◦ Password in cleartext in RAM and on Hard Drive
      ◦ System Tray link to ‘visit Google Drive on the web’
      ◦ Process of booting a forensic image in a virtual PC will give full access to an account without requiring a username or password
  • 24.
    - No documented process to collect data once identified
    - Some jurisdictions have legal power to secure data accessible at the time of serving a warrant, such as section 3LA of the Crimes Act 1914
    - Tested in VM with Dropbox, Microsoft SkyDrive, and Google Drive
    - Access via Browser and Client Software
    - No change to files (hash values same after downloading when compared with original)
  • 25.
    - Times and dates change:

      Service       Access    Last Accessed       File Created        Last Written   Entry Modified
      Dropbox       browser   Last Written (UTC)  Last Written (UTC)  unZIP time     unZIP time
      Dropbox       client    download time       download time       same           download time
      Google Drive  browser   1/01/1980           1/01/1980           unZIP time     unZIP time
      Google Drive  client    last written        download time       same           download time
      SkyDrive      browser   upload date/time    upload date/time    unZIP time     unZIP time
      SkyDrive      client    download time       download time       same           download time
  • 26.
    - Q1 = H1: There are remnants from cloud storage use which enable the identification of the service, a username, or file details.
    - Q2 = H2: The process of downloading files from cloud storage does not alter the internal data, but does alter the file metadata.
  • 27.
    - Identified software files for each service, e.g.
      ◦ SyncDiagnostics.log – SkyDrive
      ◦ Snapshot.db – Google Drive
      ◦ Filecache.db – Dropbox
    - Identified OS remnants;
      ◦ Prefetch
      ◦ Link files
      ◦ Registry
    - Identified Browser History remnants
    - No change to files on access and download
    - Difference in timestamps for downloaded files
    - Process to boot PC in a VM
  • 28.
    - Other cloud storage services;
      ◦ Amazon S3, iCloud, and UbuntuOne
    - Physical iPhone extract compared to logical extract
    - Android, Windows Mobile devices
    - Apple iOS 5 devices
    - Further test the framework
  • 29.
    - Quick, D & Choo, K-K R 2012, ‘Dropbox Analysis: Data Remnants on User Machines’. Submitted to Digital Investigation.
    - Quick, D & Choo, K-K R 2012, ‘Digital Droplets: Microsoft SkyDrive forensic data remnants’. Submitted to Future Generation Computer Systems.
    - Quick, D & Choo, K-K R 2012, ‘Forensic Collection of Cloud Storage Data from a Law Enforcement Perspective’. Submitted to Computers & Security.
    - Quick, D & Choo, K-K R 2012, ‘Google Drive: Forensic Analysis of data remnants’. Submitted to Journal of Network and Computer Applications.
  • 30.
    - Chung, H, Park, J, Lee, S & Kang, C (2012), 'Digital Forensic Investigation of Cloud Storage Services', Digital Investigation.
    - Clark, P (2011), 'Digital Forensics Tool Testing – Image Metadata in the Cloud', Department of Computer Science and Media Technology, Gjøvik University College.
    - Kleynhans, S (2012), The New PC Era: The Personal Cloud, Gartner Inc.
    - McClain, F (2011), Dropbox Forensics, updated 31 May 2011, Forensic Focus.
    - McKemmish, R (1999), 'What Is Forensic Computing?', Trends and Issues in Crime and Criminal Justice, Australian Institute of Criminology, vol. 118, pp. 1-6.
    - NIST (2011), Challenging Security Requirements for US Government Cloud Computing Adoption (Draft), U.S. Department of Commerce.
    - Ratcliffe, J (2003), 'Intelligence-Led Policing', Trends and Issues in Crime and Criminal Justice, vol. 248, pp. 1-6.
    - Reese, G (2010), Cloud Forensics Using EBS Boot Volumes, Oreilly.com.
    - Zhu, M (2011), 'Mobile Cloud Computing: Implications to Smartphone Forensic Procedures and Methodologies', AUT University.

Editor's Notes

  1. This presentation provides an overview of the thesis ‘Cloud Storage Forensic Analysis’ by Darren Quick - 28 October 2012. Supervised by Dr Kim-Kwang Raymond Choo.
  2. This presentation follows the same structure as the thesis. The first section introduces the topic: cloud storage forensic analysis. Section two explains the literature review. Section three details the research method, questions and hypotheses. Section four outlines the proposed Digital Forensic Analysis Cycle. Sections 5, 6 and 7 explain the findings in relation to the experiments involving Dropbox, Microsoft SkyDrive, and Google Drive. Section 8 details the preservation experiment and results. Section 9 summarises the findings and the results of the experiments.
  3. Cloud computing describes computer resources available as a service over a network. Cloud storage is a popular option for users to store electronic data and access it via a range of Internet-connected devices. Gartner highlights that the trend is shifting from a focus on PCs to portable devices, and that a personal cloud will replace PCs as the main storage by 2014 (Kleynhans 2012). Dropbox, Microsoft SkyDrive, and Google Drive are all popular services that offer free storage. These can be accessed via a PC (client software or browser) and via portable devices (browser or apps).
  4. Criminals' and victims' data may be stored in the cloud. Data of interest may be virtualised, geographically dispersed and transient. This presents technical and legal issues for law enforcement and security agencies. Issues arise in relation to the identification of data, including the associated service provider, username, and data held in the account. In addition, it becomes difficult to prove ownership and who has accessed data. If not identified in a timely manner, data may be moved or erased before it can be preserved.
  5. The objectives of the research are outlined in the thesis introduction and consist of the following. Objective 1: To examine current research relating to cloud storage and identified cloud storage analysis methodologies. Objective 2: To develop a digital forensic analysis framework that will assist practitioners to follow a standard process when undertaking forensic analysis of cloud storage services. Objective 3: To conduct research using popular cloud storage services and determine whether there are any data remnants which assist digital forensic analysis and investigations. Objective 4: To examine the forensic implications of accessing and downloading cloud stored data from popular cloud storage services: Dropbox, Microsoft SkyDrive, and Google Drive.
  6. The literature review examines current literature focusing on cloud storage and digital investigations. The first section in the thesis examines cloud computing and storage. The next sections provide an overview of digital investigations and the implications of cloud storage. The definition from NIST (2011) is used, which is: convenient, on-demand network access to shared resources that can be rapidly provisioned with minimal management. Cloud services are divided into IaaS, PaaS, and SaaS. With IaaS, the user has a lot of control, such as choosing and managing the OS and software. With PaaS the OS is provided and the user installs and manages software, and with SaaS the software is provided and the user has minimal control. Criminals use cloud storage to store illicit data, and also target the services and data of victims. The security of cloud services is well addressed, but forensic response and analysis remains an issue. The growth in the use of mobile devices, and the ability to access cloud storage from them, is also an issue for investigators.
  7. The digital forensic analysis process, as defined by McKemmish (1999), consists of identification, preservation, analysis, and presentation. It has been identified that there is a need for common processes and procedures for cloud storage investigation. Literature of note includes: McClain (2011), who examines Dropbox analysis, but the focus is on a previous version of the client software, and since October 2011 the database files are encrypted. Chung et al. (2012) examine Dropbox, Google Docs, Amazon S3 and Evernote. Their research is of a wide scope, but doesn't include SkyDrive, Google Drive, or other browsers, and also covers an earlier version of Dropbox which is not encrypted. Zhu (2011) examines Skype, Viber, Mail and Dropbox, but the focus is on mobile devices only. Reese (2010) examines Amazon EBS, but this is not applicable to cloud storage. Clark (2011) examines Exif metadata in pictures, so is quite narrow in its focus.
  8. It is concluded that the four objectives were not answered in the literature. Hence there is a need to conduct primary research. From the objectives, two research questions were outlined. Question 1: What data remnants result from the use of cloud storage to identify its use? This leads to the two hypotheses. H0: There are no data remnants from cloud storage use to identify the service provider, username, or file details. H1: There are remnants from cloud storage use which enable the identification of the service, a username, or file details.
  9. The following sub-questions from Q1 were also outlined. Q1a) What data remains on a Windows 7 computer hard drive after cloud storage client software is installed and used to upload and store data with each hosting provider? Q1b) What data remains on a Windows 7 computer hard drive after cloud storage services are accessed via a web browser with each hosting provider? Q1c) What data is observed in network traffic when client software or browser access is undertaken? Q1d) What data remains in memory when client software or browser access is undertaken? Q1e) What data remains on an Apple iPhone 3G after cloud storage services are accessed via a web browser with each hosting provider? Q1f) What data remains on an Apple iPhone 3G after cloud storage services are accessed via an installed application from each hosting provider?
  10. Research Question Two is: What forensically sound methods are available to preserve data stored in a cloud storage account? This leads to the following four alternative hypotheses. H0: the process of downloading files from cloud storage does not alter the internal data or the associated file metadata. H1: the process of downloading files from cloud storage alters the internal file data and the associated file metadata. H2: the process of downloading files from cloud storage does not alter the internal data, but does alter the file metadata. H3: the process of downloading files from cloud storage alters the internal data, but not the associated file metadata.
  11. A sub question from Q2 is “What data can be acquired and preserved from a cloud storage account using existing forensic tools, methodologies, and procedures when applied to cloud storage investigations?”
  12. The research experiment was undertaken using Virtual PCs to create various circumstances of accessing cloud storage services. The use of virtual systems allowed for a wider range of circumstances to be created and analysed than would be possible with physical hardware. In the experiment, the VMs are forensically preserved and analysed for data remnants. The block diagram summarises the scope: from a control installation, each popular service is chosen, and VMs are created with control data using client software and four popular browsers. The memory, network data, and hard drives are preserved for analysis. An Apple iPhone is also used to conduct analysis of the client applications and browser access to the three services.
  13. The experiment encompasses a range of circumstances, using Virtual PCs with Windows 7 Home Basic: start with a base (control) clean installation; install the selected browser (Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari); install the client software and upload test files; use the browser to access the research account and view the files; use the browser to access the research account and download files; use Eraser to erase the downloaded files; use CCleaner to remove file and browsing history; use DBAN to erase the virtual hard drive. This was done for each service with each browser, resulting in 96 VMs, memory captures, and network capture files.
  14. As identified in the literature review, there is a need to define a process for analysis of cloud environments. The proposed framework builds upon the process outlined by McKemmish (1999) and includes processes from intelligence analysis (Ratcliffe 2003). The process is cyclic, and can break off from the main cycle to return to previous steps for newly identified data, as indicated by the internal arrows. The scope is outlined to focus the investigation. Equipment and practitioners are prepared, and a response is made if necessary. Data is identified and collected. Data is preserved using forensically sound methods, such as write blocking and hash comparisons. Analysis is conducted, which may identify additional data, hence the process breaks off for the new data to be prepared for, identified, collected and preserved. Meanwhile, the analysis continues. Presentation is a standard step, and usually completes the process. However, feedback and review are important to ensure the investigation is complete. A final decision should also be made to finalise the investigation and decide if further enquiries are necessary; otherwise the files and data are archived for retrieval if needed.
  15. The proposed framework was applied to the analysis of Dropbox, using the methodology outlined earlier. Dropbox references were found in the control media, hence undertaking a keyword search for ‘dropbox’ will not be conclusive. The client software database files appear to be encrypted in version 1.2.52, unlike previous versions of the software. There is an icon in the system tray which, when selected, launches a browser with full access to the account, without needing a password or username. Sample files were installed in the process, which can be used to identify the presence of the software. There were a range of remnants when a browser was used to access an account; in addition, there were a lot of remnants found in OS files, such as prefetch, $MFT, link files and registry. Data was observed in the network traffic, but was mainly encrypted. The password was observed in cleartext in memory captures. Anti-forensic software did not remove the data remnants. A full erase of the hard drive did remove the remnants.
  16. Next an iPhone was used to identify remnants, again using the proposed analysis cycle. There was no information in the control image. Filenames were located when the browser was used. The username and filenames were located when the client software was used. In the thesis, a case study was used to illustrate the findings in relation to Dropbox.
  17. In relation to Dropbox, the conclusion reached was that there are data remnants of interest, as outlined in the thesis. For the earlier versions of the client software, the two database files are important, but in version 1.2.52 the files are encrypted. The password was observed in cleartext. A process of booting a forensic image in a virtual system allows for access to a user account without knowing the username or password. A real world application of the research was in a current Police investigation: illicit data being hosted in a Dropbox account was identified using the information from this research. The investigation is ongoing, hence details of the investigation cannot be discussed.
  18. Again using the framework, this time with SkyDrive, using the methodology outlined earlier. SkyDrive references were found in the control media, hence undertaking a keyword search for ‘skydrive’ will not be conclusive. SyncDiagnostics.log lists the files uploaded and downloaded, owner information, and dates and times. The OwnerID file lists the storage locations on the hard drive. There were a range of remnants when a browser was used to access an account; in addition, there were a lot of remnants found in OS files, such as prefetch, $MFT, link files and registry. Data was observed in the network traffic, but was mainly encrypted. The password was observed in cleartext in memory captures. Anti-forensic software did not remove the data remnants. A full erase of the hard drive did remove the remnants.
  19. Next an iPhone was used to identify remnants, again using the proposed analysis cycle. There was no information in the control image. The OwnerID and filenames were located when the browser was used. The username and filenames were located when the client software was used. In the thesis, a case study was used to illustrate the findings in relation to SkyDrive.
  20. In relation to SkyDrive, the conclusion reached was that there are data remnants of interest, as outlined in the thesis. The two files identified have data which may be important to an investigation. The password was observed in cleartext in memory. Booting a forensic image in a VM may synchronise the files in an account; however, access to the account requires a password – which is good for security.
  21. Again using the framework, this time with Google Drive, using the methodology outlined earlier. “drive google” references were found in the control media, hence undertaking a keyword search for this will not be conclusive. Sync_config.db and snapshot.db list the files uploaded and downloaded, owner information, and dates and times. There were a range of remnants when a browser was used to access an account; in addition, there were a lot of remnants found in OS files, such as prefetch, $MFT, link files and registry. The password was observed in cleartext on the hard drive and in memory captures. When running a forensic image as a VM, selecting a link in the system tray allowed full access to an account without requiring a username or password. Data was observed in the network traffic, but was mainly encrypted. Anti-forensic software did not remove the data remnants. A full erase of the hard drive did remove the remnants.
  22. Next an iPhone was used to identify remnants, again using the proposed analysis cycle. There was no information in the control image. Filenames were located when the browser was used. The client software was unable to be installed to the iPhone used, hence an opportunity for future research. In the thesis, a case study was used to illustrate the findings in relation to Google Drive.
  23. In relation to Google Drive, the conclusion reached was that there are data remnants of interest, as outlined in the thesis. The two files identified have data which may be important to an investigation. The password was observed in cleartext on the hard drive and in memory. It is possible to run a forensic image in a VM and, via the client software, get full access to an account without knowing the username or password.
  24. As identified in the literature review, there is a need for a process to collect identified data. Australia has legislation to collect data, such as section 3LA of the Crimes Act 1914. Experiments were conducted with control VM systems to preserve data from research accounts with the three providers. Access was undertaken using a browser and using client software, and the downloaded files were then compared with the original files. There were no changes to the original files' hash values, hence no change to the internal data.
  25. There were changes to the associated dates and times, as per the table. For example, if downloading a file from a Google Drive account using a browser, the created date on the file will be 1/1/1980, and not the created date from the original file. The only date/time value that matched the original was the last written time when using the client software, which was the same as on the original file. These changes must be understood by an examiner, otherwise the information may be misinterpreted and incorrect conclusions made.
  26. In the thesis, the final chapter lists each question and sub-question and how each has been addressed. To summarise: in relation to research question 1, the correct hypothesis is H1, there are remnants from cloud storage use. In relation to question 2, preserving data by accessing an account does not change the internal data, but there are changes to the associated timestamps of the files when they are downloaded; therefore H2 is correct.
  27. The main contributions of the thesis are: the identification of files which store information which may be relevant to an investigation for each service provider, for example the SyncDiagnostics.log file for SkyDrive; identifying that there are a range of data remnants on a Windows 7 PC hard drive, such as in Prefetch files, link files, $MFT, Registry, etc.; identifying that there are a range of data remnants in the browser histories for the popular browsers; and identifying that accessing and downloading files from an account does not alter the contents of the files, as verified with the hash value. However, the timestamps of the downloaded files are different to the original files, and must be considered when forming conclusions, as per the table on slide 24. A process to access an account in a forensically sound manner was also outlined: if client software has been pre-installed it will provide access to the files in an account for Google Drive and Dropbox; or, if the username and password were located during analysis, these can be used. Legal considerations must be met to ensure accessing the account is permitted, i.e. section 3LA of the Crimes Act (Cth).
  28. Research opportunities identified include: other (less) popular cloud storage providers, such as Amazon S3, Apple iCloud, and UbuntuOne; comparing a physical iPhone extract to the logical extracts undertaken in this research; examining other portable device operating systems, such as Android and Windows Mobile; and examining the latest Apple iOS. These could all serve to further assess the proposed framework.
  29. The listed four papers were based on chapters in the thesis, and have been submitted for peer review. All four are currently under consideration.
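The preservation check behind research question 2 (slides 24 and 25 and notes 24 to 26), written out as an added example; this is not code from the thesis. It hashes an original file and the copy obtained by downloading it, compares the filesystem timestamps the platform exposes, and maps the two observations onto the four hypotheses H0 to H3 exactly as the thesis defines them. The sample file, its 2012 timestamp and the simulated browser download (a plain byte copy, which is what moves the Last Written time) are constructed for the example. The thesis' Windows-side File Created and Entry Modified timestamps are not portable across operating systems, so only st_mtime (Last Written) is compared by default and the caller opts into other stat fields where the platform supports them.

```python
"""Preservation check for research question 2 (added example, not thesis code).

Compares an original file with the copy obtained by downloading it from a cloud
storage account: if the content hash is identical the internal data is unchanged
(H0 or H2); whether the filesystem timestamps survive decides between the two.
The original file, its 2012 timestamp and the simulated download are constructed
here so the check runs offline.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field

# os.stat_result fields to compare. st_mtime (Last Written) behaves the same everywhere;
# st_atime and st_ctime depend on mount options and OS, and st_birthtime (File Created)
# exists only on some platforms, so callers opt into those explicitly.
DEFAULT_FIELDS = ("st_mtime",)

# Constructed: 2012-10-28 00:00:00 UTC, far enough in the past that any copy made now differs.
ORIGINAL_MTIME = 1351382400


def sha256_of(path: str) -> str:
    """Hash in 1 MiB chunks so large evidence files are not loaded into memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass
class PreservationResult:
    content_unchanged: bool                              # SHA-256 of both files matches
    changed_fields: dict = field(default_factory=dict)   # stat field -> (original, downloaded)
    hypothesis: str = ""                                 # H0..H3 as defined in the thesis


def classify_hypothesis(content_unchanged: bool, metadata_unchanged: bool) -> str:
    """Map the two observations onto the four alternative hypotheses for Q2."""
    if content_unchanged and metadata_unchanged:
        return "H0"  # neither internal data nor metadata altered
    if content_unchanged:
        return "H2"  # internal data intact, metadata altered (the thesis' finding)
    if metadata_unchanged:
        return "H3"  # internal data altered, metadata intact
    return "H1"      # both altered


def compare_preservation(original: str, downloaded: str,
                         fields: tuple[str, ...] = DEFAULT_FIELDS) -> PreservationResult:
    """Hash both files and compare the requested stat timestamps at one-second precision
    (ZIP- and FAT-derived timestamps carry no sub-second part, so finer comparison is noise)."""
    content_unchanged = sha256_of(original) == sha256_of(downloaded)
    st_orig, st_down = os.stat(original), os.stat(downloaded)
    changed = {}
    for name in fields:
        o, d = int(getattr(st_orig, name)), int(getattr(st_down, name))
        if o != d:
            changed[name] = (o, d)
    return PreservationResult(content_unchanged, changed,
                              classify_hypothesis(content_unchanged, not changed))


def simulate_download(preserve_metadata: bool = False) -> PreservationResult:
    """Constructed scenario: write an 'original', give it the 2012 timestamp, then copy it
    either as a browser download does (bytes only, shutil.copyfile, so Last Written becomes
    the download time) or as a metadata-preserving tool does (shutil.copy2)."""
    workdir = tempfile.mkdtemp()
    try:
        original = os.path.join(workdir, "sample.docx")
        with open(original, "wb") as fh:
            fh.write(b"constructed sample content\n" * 64)
        os.utime(original, (ORIGINAL_MTIME, ORIGINAL_MTIME))
        downloaded = os.path.join(workdir, "download", "sample.docx")
        os.makedirs(os.path.dirname(downloaded))
        copier = shutil.copy2 if preserve_metadata else shutil.copyfile
        copier(original, downloaded)
        return compare_preservation(original, downloaded)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print("browser-style download:  ", simulate_download(preserve_metadata=False))
    print("metadata-preserving copy:", simulate_download(preserve_metadata=True))
```

Run against real evidence, `compare_preservation()` takes the path of the file in the forensic image and the path of the copy obtained through the browser or client, and on Windows or macOS `fields` can be widened to include `st_birthtime` to reproduce the File Created column of the table. The one-second rounding matters: a browser download unpacked from a ZIP carries two-second DOS timestamps, and comparing nanoseconds would report a change that the examiner should not attribute to the download.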
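Notes 15, 18 and 21 identify client-side database files (the earlier Dropbox Filecache.db and config.db, and Google Drive's Sync_config.db and snapshot.db) as the place where filenames, owner information and timestamps are recorded. The following added example, not code from the thesis, shows a schema-agnostic way to triage such a SQLite file from a forensic copy: it opens the file read-only, enumerates every table from sqlite_master, records row counts, and reports which table and column contain a username, e-mail address or filename of interest. The sample database and its two tables are constructed for the example; the schema is invented and is not the real layout of any of the three clients' databases.

```python
"""Schema-agnostic triage of a sync client's SQLite database (added example).

Forensic copies of files such as snapshot.db or config.db arrive with an undocumented,
version-dependent schema, so rather than hard-coding column names this walks every
table listed in sqlite_master and searches every text cell for a term of interest
(a username, an e-mail address, a filename). The sample database built below is
constructed for the example; its schema is invented and matches no real client.
"""
from __future__ import annotations

import os
import sqlite3
import tempfile


def _quote(identifier: str) -> str:
    """Quote a table/column name taken from sqlite_master so odd names cannot break the SQL."""
    return '"' + identifier.replace('"', '""') + '"'


def open_readonly(path: str) -> sqlite3.Connection:
    """Open the evidence copy read-only; immutable=1 additionally stops SQLite from
    creating journal/WAL side files beside it. Work on a forensic copy, never the original."""
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)


def list_tables(conn: sqlite3.Connection) -> list[str]:
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name")
    return [r[0] for r in rows]


def summarise(path: str) -> dict[str, int]:
    """Table name -> row count: the first thing to record about an unknown database."""
    conn = open_readonly(path)
    try:
        return {t: conn.execute(f"SELECT COUNT(*) FROM {_quote(t)}").fetchone()[0]
                for t in list_tables(conn)}
    finally:
        conn.close()


def search_database(path: str, needle: str) -> list[tuple[str, str, str]]:
    """Case-insensitive substring search over every TEXT/BLOB cell of every table.
    Returns (table, column, cell_text) for each hit, in table then row order."""
    needle = needle.lower()
    hits: list[tuple[str, str, str]] = []
    conn = open_readonly(path)
    try:
        for table in list_tables(conn):
            columns = [c[1] for c in conn.execute(f"PRAGMA table_info({_quote(table)})")]
            for row in conn.execute(f"SELECT * FROM {_quote(table)}"):
                for column, value in zip(columns, row):
                    if isinstance(value, bytes):
                        value = value.decode("utf-8", errors="replace")
                    if isinstance(value, str) and needle in value.lower():
                        hits.append((table, column, value))
    finally:
        conn.close()
    return hits


def build_sample_db(path: str) -> None:
    """Constructed stand-in for a sync database (invented schema, constructed values)."""
    conn = sqlite3.connect(path)
    with conn:
        conn.executescript("""
            CREATE TABLE config(key TEXT, value TEXT);
            CREATE TABLE entries(id INTEGER PRIMARY KEY, filename TEXT,
                                 modified INTEGER, md5 TEXT);
        """)
        conn.executemany("INSERT INTO config VALUES (?, ?)", [
            ("user_email", "research.account@example.com"),
            ("sync_root", r"C:\Users\Research\Sync Folder"),
        ])
        conn.executemany("INSERT INTO entries(filename, modified, md5) VALUES (?, ?, ?)", [
            ("sample1.docx", 1351382400, "00000000000000000000000000000001"),
            ("photo.jpg",    1351382460, "00000000000000000000000000000002"),
            ("notes.txt",    1351382520, "00000000000000000000000000000003"),
        ])
    conn.close()


def demo() -> dict:
    """Build the constructed database in a temp dir and run both checks over it."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "snapshot.db")   # filename only; the schema is invented
    build_sample_db(path)
    return {
        "tables": summarise(path),
        "account": search_database(path, "@"),
        "research": search_database(path, "research"),
        "docx": search_database(path, ".docx"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because the search is driven by sqlite_master rather than by known column names, the same function works on a database whose layout changed between client versions, which is the situation the notes describe for Dropbox. The `immutable=1` flag is deliberate: opening an evidence file with a normal read-write connection can create a `-journal` or `-wal` file next to it and change the directory listing that a later hash of the folder would record.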