Skip to main content

API-Based Forensic Acquisition of Cloud Drives

Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT,volume 484)

Abstract

Cloud computing and cloud storage services, in particular, pose new challenges to digital forensic investigations. Currently, evidence acquisition for these services follows the traditional method of collecting artifacts residing on client devices. This approach requires labor-intensive reverse engineering effort and ultimately results in an acquisition that is inherently incomplete. Specifically, it makes the incorrect assumption that all the storage content associated with an account is fully replicated on the client. Additionally, there is no current method for acquiring historical data in the form of document revisions, nor is there a way to acquire cloud-native artifacts from targets such as Google Docs.

This chapter introduces the concept of API-based evidence acquisition for cloud services, which addresses the limitations of traditional acquisition techniques by utilizing the officially-supported APIs of the services. To demonstrate the utility of this approach, a proof-of-concept acquisition tool, kumodd, is presented. The kumodd tool can acquire evidence from four major cloud drive providers: Google Drive, Microsoft OneDrive, Dropbox and Box. The implementation provides command-line and web user interfaces, and can be readily incorporated in established forensic processes.

Keywords

  • Cloud forensics
  • Cloud drives
  • API-based acquisition

References

  1. Chung, H., Park, J., Lee, S., Kang, C.: Digital forensic investigation of cloud storage services. Digital Investigation 9(2), 81–95 (2012)

    CrossRef  Google Scholar 

  2. DeFelippi, D.: Dropship (2016). github.com/driverdan/dropship

  3. Drago, I., Bocchi, E., Mellia, M., Slatman, H., Pras, A.: Benchmarking personal cloud storage. In: Proceedings of the ACM Internet Measurement Conference, pp. 205–212 (2013)

    Google Scholar 

  4. Drago, I., Mellia, M., Munafo, M., Sperotto, A., Sadre, R., Pras, A.: Inside dropbox: understanding personal cloud storage services. In: Proceedings of the ACM Internet Measurement Conference, pp. 481–494 (2012)

    Google Scholar 

  5. Dropbox, Core API Best Practices, San Francisco, California (2016). www.dropbox.com/developers/core/bestpractices

  6. ElcomSoft, ElcomSoft Cloud eXplorer, Moscow, Russia (2016). www.elcomsoft.com/ecx.html

  7. Garfinkel, S., Nelson, A., Young, J.: A general strategy for differential forensic analysis. Digital Investigation 9(S), S50–S59 (2012)

    CrossRef  Google Scholar 

  8. Gartner, Gartner’s 2014 hype cycle for emerging technologies maps the journey to digital business, Stamford, Connecticut, August 11, 2014. www.gartner.com/newsroom/id/2819918

  9. Gartner, Gartner Hype Cycle, Stamford, Connecticut (2016). www.gartner.com/technology/research/methodologies/hype-cycle.jsp

  10. Google, Drive, Mountain View, California (2016). developers.google.com/drive

  11. Hale, J.: Amazon Cloud Drive forensic analysis. Digital Investigation 10(3), 295–265 (2013)

    CrossRef  Google Scholar 

  12. Huber, M., Mulazzani, M., Leithner, M., Schrittwieser, S., Wondracek, G., Weippl, E.: Social snapshots: digital forensics for online social networks. In: Proceedings of the Twenty-Seventh Annual Computer Security Applications Conference, pp. 113–122 (2011)

    Google Scholar 

  13. Martini, B., Choo, R.: Cloud storage forensics: ownCloud as a case study. Digital Investigation 10(4), 287–299 (2013)

    CrossRef  Google Scholar 

  14. Mell, P., Grance, T.: The NIST Definition of Cloud Computing, NIST Special Publication 800–145, National Institute of Standards and Technology, Gaithersburg, Maryland (2011)

    Google Scholar 

  15. Orland, K.: Dropbox clarifies its policy on reviewing shared files for DMCA issues, Ars Technica, March 30, 2014

    Google Scholar 

  16. Quick, D., Choo, R.: Dropbox analysis: Data remnants on user machines. Digital Investigation 10(1), 3–18 (2013)

    CrossRef  Google Scholar 

  17. Quick, D., Choo, R.: Google Drive: Forensic analysis of data remnants. Journal of Network and Computer Applications 40, 179–193 (2014)

    CrossRef  Google Scholar 

  18. RightScale, RightScale 2015 State of the Cloud Report, Santa Barbara, California (2015). assets.rightscale.com/uploads/pdfs/RightScale-2015-State-of-the-Cloud-Report.pdf

  19. Roussev, V., McCulley, S.: Forensic analysis of cloud-native artifacts. Digital Investigation 16(S), S104–S113 (2016)

    CrossRef  Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Vassil Roussev .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2016 IFIP International Federation for Information Processing

About this paper

Cite this paper

Roussev, V., Barreto, A., Ahmed, I. (2016). API-Based Forensic Acquisition of Cloud Drives. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XII. DigitalForensics 2016. IFIP Advances in Information and Communication Technology, vol 484. Springer, Cham. https://doi.org/10.1007/978-3-319-46279-0_11

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-46279-0_11

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-46278-3

  • Online ISBN: 978-3-319-46279-0

  • eBook Packages: Computer ScienceComputer Science (R0)