Cloud Forensics

Introduction to Cloud Forensics

Storing data “on the cloud” is one of the tech industry’s newest buzzwords. Cloud storage is the process of preserving digital information through large networks of virtualized servers owned by a host company. You, the client, send data through the Internet to one of these services, which distributes it among its storage devices, keeping it secure and accessible for when it’s next requested through a browser or local application. Essentially, cloud servers save things so you don’t have to. This semester, the LCDI’s Cloud Forensics team is tasked with analyzing four large file hosting services – Microsoft’s OneDrive, Google Drive, Apple’s iCloud, and Dropbox – then examining what traceable evidence is left behind after using them across multiple devices.


Some of OneDrive’s unique characteristics showed themselves quite clearly during our initial analysis. OneDrive for Business, its enterprise-level variant, allows multiple users to modify .docx and .xlsx files in real time. Its Internet connections are secured with SSL and TLS protocols, and data is protected with AES-256 encryption. Files can be given backup destinations to ensure accessibility in the event of a failure. Research into prior digital forensic evaluations of OneDrive shows that potential artifacts such as app data, logs, metadata, restore points and temp data can be retrieved, and each has a part to play in the investigation process.

iCloud lacks the breadth of compatibility that the other services possess: it can only be accessed through Apple devices, whereas the remaining cloud storage companies have clients for OS X and iOS as well as Android and Windows. However, it is a very robust storage solution – data being transferred from a client device to Apple servers is reinforced with 128-bit encryption, and sensitive data such as passwords and payment information is hidden behind AES-256. Active sessions are secured with SSL, and data can be recovered up to 30 days after deletion. Apple also has a master key that can be used to unlock any account protection for seizing data or recovering lost access.

Google Drive’s client software creates a directory within the local file system of the machine it is installed on, which leaves behind multiple types of artifacts. Thus far, we have consulted multiple studies identifying SQLite databases that document traces of the user accounts associated with the machine and details of documents stored by those accounts (Epifani, 28). A 2013 study conducted in Australia also found that account information – including passwords – can be identified in clear text within a database located in Internet Explorer’s recovery directory (Quick, Choo). Past that, we have established that Google uses AES-128 server-side encryption for files stored in their cloud, and SSL encryption for data in transit.
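A first-pass triage of such a client-side SQLite database can be sketched as follows. This is an added example, not LCDI's code or part of the original post: it opens the file read-only and immutable, summarises each table, collects e-mail-like account strings, and checks by hash that the evidence was not altered. The sample database, its table names and its values are constructed and hypothetical, not the schema of any real sync client.

```python
import hashlib
import pathlib
import re
import sqlite3

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def sha256_file(path):
    return hashlib.sha256(pathlib.Path(path).read_bytes()).hexdigest()

def triage_sqlite(path):
    """Summarise every table and collect e-mail-like strings without touching the file."""
    before = sha256_file(path)
    # mode=ro refuses writes; immutable=1 stops SQLite creating journal/WAL files beside the evidence.
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    report = {}
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for name in names:
            quoted = '"' + name.replace('"', '""') + '"'
            columns = [r[1] for r in con.execute(f"PRAGMA table_info({quoted})")]
            rows, accounts = 0, set()
            for row in con.execute(f"SELECT * FROM {quoted}"):
                rows += 1
                for value in row:
                    if isinstance(value, bytes):  # account strings may sit inside BLOB columns
                        value = value.decode("utf-8", "replace")
                    if isinstance(value, str):
                        accounts.update(EMAIL_RE.findall(value))
            report[name] = {"columns": columns, "rows": rows, "accounts": sorted(accounts)}
    finally:
        con.close()
    if sha256_file(path) != before:
        raise RuntimeError("evidence file changed during triage")
    return before, report

def build_sample_db(path):
    """Constructed stand-in for a sync client's database; all names and values are hypothetical."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE account (setting TEXT, value TEXT);
        INSERT INTO account VALUES ('user_email', 'analyst@example.com');
        CREATE TABLE synced_file (name TEXT, modified INTEGER, owner TEXT);
        INSERT INTO synced_file VALUES ('report.docx', 1400000000, 'analyst@example.com');
        INSERT INTO synced_file VALUES ('budget.xlsx', 1400000500, 'reviewer@example.com');
    """)
    con.close()
```

In practice `triage_sqlite` would be pointed at a working copy of the database taken from a forensic image, and the returned hash recorded alongside the report.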

Upon looking at Dropbox, it immediately became obvious that the installation of the local client makes a big difference in terms of artifacts left behind. Things are looking up so far because it appears there is a registry key that can be used to trace the local client’s changing of files.


Our preliminary research is coming to an end as we attempt to nail down as much as we can about the functions of these cloud services, as well as details regarding their security and potential vulnerabilities we can exploit to find artifacts applicable to a digital forensic investigation. The next step is to ascertain exactly how we’ll execute data generation in order to get the best look at what these apps leave behind. Stay tuned.

If you have questions or comments about the project, you can leave a comment or contact the LCDI via Twitter @ChampForensics or via email at Don’t forget to like us on Facebook for the most recent updates!
