API-Based Forensic Acquisition of Cloud Drives

Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 484)

Abstract

Cloud computing and cloud storage services, in particular, pose new challenges to digital forensic investigations. Currently, evidence acquisition for these services follows the traditional method of collecting artifacts residing on client devices. This approach requires labor-intensive reverse engineering effort and ultimately results in an acquisition that is inherently incomplete. Specifically, it makes the incorrect assumption that all the storage content associated with an account is fully replicated on the client. Additionally, there is no current method for acquiring historical data in the form of document revisions, nor is there a way to acquire cloud-native artifacts from targets such as Google Docs.

This chapter introduces the concept of API-based evidence acquisition for cloud services, which addresses the limitations of traditional acquisition techniques by utilizing the officially-supported APIs of the services. To demonstrate the utility of this approach, a proof-of-concept acquisition tool, kumodd, is presented. The kumodd tool can acquire evidence from four major cloud drive providers: Google Drive, Microsoft OneDrive, Dropbox and Box. The implementation provides command-line and web user interfaces, and can be readily incorporated in established forensic processes.

Keywords

Cloud forensics Cloud drives API-based acquisition 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Chung, H., Park, J., Lee, S., Kang, C.: Digital forensic investigation of cloud storage services. Digital Investigation 9(2), 81–95 (2012)CrossRefGoogle Scholar
  2. 2.
    DeFelippi, D.: Dropship (2016). github.com/driverdan/dropship
  3. 3.
    Drago, I., Bocchi, E., Mellia, M., Slatman, H., Pras, A.: Benchmarking personal cloud storage. In: Proceedings of the ACM Internet Measurement Conference, pp. 205–212 (2013)Google Scholar
  4. 4.
    Drago, I., Mellia, M., Munafo, M., Sperotto, A., Sadre, R., Pras, A.: Inside dropbox: understanding personal cloud storage services. In: Proceedings of the ACM Internet Measurement Conference, pp. 481–494 (2012)Google Scholar
  5. 5.
    Dropbox, Core API Best Practices, San Francisco, California (2016). www.dropbox.com/developers/core/bestpractices
  6. 6.
    ElcomSoft, ElcomSoft Cloud eXplorer, Moscow, Russia (2016). www.elcomsoft.com/ecx.html
  7. 7.
    Garfinkel, S., Nelson, A., Young, J.: A general strategy for differential forensic analysis. Digital Investigation 9(S), S50–S59 (2012)CrossRefGoogle Scholar
  8. 8.
    Gartner, Gartner’s 2014 hype cycle for emerging technologies maps the journey to digital business, Stamford, Connecticut, August 11, 2014. www.gartner.com/newsroom/id/2819918
  9. 9.
    Gartner, Gartner Hype Cycle, Stamford, Connecticut (2016). www.gartner.com/technology/research/methodologies/hype-cycle.jsp
  10. 10.
    Google, Drive, Mountain View, California (2016). developers.google.com/drive
  11. 11.
    Hale, J.: Amazon Cloud Drive forensic analysis. Digital Investigation 10(3), 295–265 (2013)CrossRefGoogle Scholar
  12. 12.
    Huber, M., Mulazzani, M., Leithner, M., Schrittwieser, S., Wondracek, G., Weippl, E.: Social snapshots: digital forensics for online social networks. In: Proceedings of the Twenty-Seventh Annual Computer Security Applications Conference, pp. 113–122 (2011)Google Scholar
  13. 13.
    Martini, B., Choo, R.: Cloud storage forensics: ownCloud as a case study. Digital Investigation 10(4), 287–299 (2013)CrossRefGoogle Scholar
  14. 14.
    Mell, P., Grance, T.: The NIST Definition of Cloud Computing, NIST Special Publication 800–145, National Institute of Standards and Technology, Gaithersburg, Maryland (2011)Google Scholar
  15. 15.
    Orland, K.: Dropbox clarifies its policy on reviewing shared files for DMCA issues, Ars Technica, March 30, 2014Google Scholar
  16. 16.
    Quick, D., Choo, R.: Dropbox analysis: Data remnants on user machines. Digital Investigation 10(1), 3–18 (2013)CrossRefGoogle Scholar
  17. 17.
    Quick, D., Choo, R.: Google Drive: Forensic analysis of data remnants. Journal of Network and Computer Applications 40, 179–193 (2014)CrossRefGoogle Scholar
  18. 18.
    RightScale, RightScale 2015 State of the Cloud Report, Santa Barbara, California (2015). assets.rightscale.com/uploads/pdfs/RightScale-2015-State-of-the-Cloud-Report.pdf
  19. 19.
    Roussev, V., McCulley, S.: Forensic analysis of cloud-native artifacts. Digital Investigation 16(S), S104–S113 (2016)CrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2016

Authors and Affiliations

  1. 1.Department of Computer ScienceUniversity of New OrleansNew OrleansUSA
  2. 2.Archon Information SystemsNew OrleansUSA

Personalised recommendations