Cloud storage is a new upcoming technology that will pave the way for the future. No longer will people have to store data on their physical hard drives; it can now be uploaded to the web in the cloud, allowing anyone to share their data with other people and access it wherever they go. Although this might help people save time and space, it also creates more hardship for forensic investigators because criminals can upload or share data from one computer and open it up on another computer without leaving much of a trace. Not much forensic research has been done with cloud storage services, so we will be conducting this research on a few of these services. The three services we will be focusing on are Google Drive, Dropbox, and SkyDrive.
There are a few different things we will be looking at in this project. We want to see how each application works and what it is capable of, what changes it makes to the computer, and, if we can, whether data can be recovered after it has been deleted from the cloud storage. To do this, we are going to download each application onto a clean Windows 7 VM, load files into each cloud storage application, and then delete some of the files. Throughout the whole process we will be running Process Monitor so that we can go back and view the changes. Additionally, after every step we will create an image of the VMs with FTK Imager, which we will analyze with EnCase and Internet Evidence Finder.
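As an added illustration (not part of the original post or the LCDI's tooling), the sketch below shows one way to review a Process Monitor capture exported as CSV: it lists the files and registry values a sync client changed and flags files that were written and later deleted, which are the candidates to look for in the disk image. The process name `CloudSync.exe` and every path are constructed placeholders.

```python
import csv
import io
from collections import defaultdict

# Process Monitor operations that change file-system or registry state.
CHANGE_OPS = {
    "WriteFile": "file_write",
    "SetDispositionInformationFile": "file_delete",
    "RegSetValue": "reg_write",
    "RegDeleteValue": "reg_delete",
    "RegDeleteKey": "reg_delete",
}

# Constructed sample export; CloudSync.exe and all paths are placeholders.
SAMPLE_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","CloudSync.exe","1200","WriteFile","C:\Users\test\CloudSync\report.docx","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.2","CloudSync.exe","1200","RegSetValue","HKCU\Software\CloudSync\LastSync","SUCCESS","Type: REG_SZ"
"10:01:02.3","explorer.exe","900","WriteFile","C:\Users\test\Desktop\note.txt","SUCCESS","Offset: 0"
"10:01:02.4","CloudSync.exe","1200","WriteFile","C:\Users\test\CloudSync\locked.db","SHARING VIOLATION",""
"10:05:00.0","CloudSync.exe","1200","SetDispositionInformationFile","C:\Users\test\CloudSync\report.docx","SUCCESS","Delete: True"
'''

def summarize_changes(csv_text, process_names):
    """Return {category: sorted paths} for successful changes by the named processes."""
    wanted = {name.lower() for name in process_names}
    changes = defaultdict(set)
    # Drop a leading BOM or blank line so the header row is read first.
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff\r\n "))):
        category = CHANGE_OPS.get(row["Operation"])
        if (category is None or row["Result"] != "SUCCESS"
                or row["Process Name"].lower() not in wanted):
            continue
        # A disposition call only deletes the file when the flag is set.
        if category == "file_delete" and "Delete: True" not in row["Detail"]:
            continue
        changes[category].add(row["Path"])
    return {cat: sorted(paths) for cat, paths in changes.items()}

def written_then_deleted(summary):
    """Files the client wrote and later deleted: recovery candidates in the image."""
    return sorted(set(summary.get("file_write", [])) & set(summary.get("file_delete", [])))

if __name__ == "__main__":
    result = summarize_changes(SAMPLE_CSV, ["CloudSync.exe"])
    for cat, paths in sorted(result.items()):
        print(cat, paths)
    print("recovery candidates:", written_then_deleted(result))
```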
So far we have a clean install of a Windows 7 VM to work with for each program and we have started doing research on them as well. Previous work has been done with Dropbox and Google Drive, but the previous work done with SkyDrive is fairly limited. Listed below are links to some prior work that we found. Additionally, the LCDI has already done some preliminary research on Dropbox and SkyDrive. We are in the process of creating a data set and soon we will start downloading the applications onto the VMs.
– Maegan Katz