You waited, and now it’s finally here – the Cloud Forensics final report! Read below to introduce you to the project and its scope and then follow this link to view and download the full report!
introduction
Cloud storage is a method of storing files and data within a server network by sending it over the Internet, where it is stored and will remain accessible through a dedicated application or browser client. Often, these servers are managed by cloud service providers, or companies that commercialize the use of the cloud to consumers. This means that data stored in the cloud can be retrieved from multiple devices without any transfer of physical storage. Cloud storage can be created privately and managed by corporations or high-level cloud providers that offer services exclusively to enterprises. Because of these conveniences, cloud storage has become a very popular choice of storage for both businesses and individuals. Over the course of this project, the LCDI seeks to investigate and explore some of the most popular consumer-level cloud services.
background of cloud forensics
The LCDI has conducted prior research regarding cloud services. The last report, released in November 2013, covered Google Drive, Dropbox, and Microsoft’s SkyDrive (the precursor to OneDrive). Since then, cloud usage has increased dramatically: in 2013 there were an estimated 979 exabytes (or 979 billion gigabytes) of IP traffic to personal clouds, which is expected to double in 2016 (Statisa). Cloud service software has undergone immense improvements by their developers since the previous report was published, warranting a re-evaluation of the services. Additionally, the LCDI decided to include iCloud in this analysis because of its presence on all modern Mac computers by default.
purpose and scope
The purpose of this report is to serve as a digital forensic resource identifying the default locations of artifacts produced when cloud services interact with a machine running a Windows 7 operating system. The exception is iCloud, which was analyzed through OS X El Capitan as it comes preinstalled on that particular OS. The results of this research will be useful for digital forensic investigations where relevant information may be stored over the cloud. Reporting the artifacts created when using cloud services and their default locations assists in digital investigation, as our data indicates the potential locations of information that may be pertinent.
As of March 2016, Windows 7 is the most commonly used operating system on desktop machines worldwide, with current usage at almost 46% of all desktop computers (Stat Counter), leading the LCDI to limit the scope of this investigation to machines largely running Windows 7.
research questions
- What artifacts are created or modified when the cloud storage application is installed?
- Is there evidence of files after they have been deleted from the cloud storage application folder?
- What changes are made to artifacts and metadata when a file is moved or copied from the base folder to another folder?
- What artifacts remain after the cloud storage application has been unlinked and uninstalled?