Cloud Storage Forensic Analysis
Darren Quick, [email protected]
Supervisor: Dr Kim-Kwang Raymond Choo

Transcript of a 30-slide thesis overview presentation (uploaded to the document-sharing site on 25 Nov 2015).

TRANSCRIPT

Title slide: Cloud Storage Forensic Analysis
Darren Quick. Supervisor: Dr Kim-Kwang Raymond Choo

This presentation provides an overview of the thesis Cloud Storage Forensic Analysis by Darren Quick, 28 October 2012, supervised by Dr Kim-Kwang Raymond Choo.

Slide 1: Outline
1 - Introduction
2 - Literature Review
3 - Research Method
4 - Digital Forensic Analysis Cycle
5 - Dropbox
6 - SkyDrive
7 - Google Drive
8 - Preservation
9 - Summary

This presentation follows the same structure as the thesis. The first section introduces the topic, cloud storage forensic analysis. Section two explains the literature review. Section three details the research method, questions and hypotheses. Section four outlines the proposed Digital Forensic Analysis Cycle. Sections 5, 6 and 7 explain the findings of the experiments involving Dropbox, Microsoft SkyDrive and Google Drive. Section 8 details the preservation experiment and results. Section 9 summarises the findings and the results of the experiments.

Slide 2: Introduction
- Cloud computing
- Cloud storage
- Gartner report (Kleynhans 2012): the personal cloud will replace PCs as the main storage by 2014
- Dropbox, Microsoft SkyDrive and Google Drive
- PC: client software or browser
- Portable devices: browser or apps

Cloud computing describes computer resources made available as a service over a network. Cloud storage is a popular option for users to store electronic data and access it from a range of Internet-connected devices. Gartner highlights that the trend is shifting from a focus on PCs to portable devices, and that a personal cloud will replace PCs as the main storage by 2014 (Kleynhans 2012). Dropbox, Microsoft SkyDrive and Google Drive are all popular services that offer free storage. They can be accessed from a PC via client software or a browser, and from portable devices via a browser or apps.

Slide 3: Introduction
- Criminals' and victims' data of interest
- Virtualised, geographically dispersed and transient
- Technical and legal issues for investigators
- Identification of data: service provider, username, data in the account
- Difficult to prove ownership
- Data may be moved or erased before it can be preserved

Criminals' and victims' data may be stored in the cloud. Data of interest may be virtualised, geographically dispersed and transient. This presents technical and legal issues for law enforcement and security agencies: issues in identifying the data, including the associated service provider, the username and the data held in the account. In addition, it becomes difficult to prove ownership and who has accessed data. If not identified in a timely manner, data may be moved or erased before it can be preserved.

Slide 4: Research Objectives

The objectives of the research are outlined in the thesis introduction and consist of the following:

Objective 1: To examine current research published in the literature relating to cloud storage and identified cloud storage analysis methodologies.

Objective 2: To develop a digital forensic analysis framework that will assist practitioners, examiners and researchers to follow a standard process when undertaking forensic analysis of cloud storage services.

Objective 3: To conduct research using popular cloud storage services (Dropbox, Microsoft SkyDrive and Google Drive) and determine whether there are any data remnants which assist digital forensic analysis and investigations.

Objective 4: To examine the forensic implications of accessing and downloading cloud stored data from popular cloud storage services (Dropbox, Microsoft SkyDrive and Google Drive).

Slide 5: Literature Review
- NIST (2011) definition of cloud computing
- IaaS, Infrastructure as a Service: user control
- PaaS, Platform as a Service: OS provided
- SaaS, Software as a Service: user has limited control
- Criminal use
- Security of cloud services is well addressed
- Mobile devices

The literature review examines current literature focusing on cloud storage and digital investigations. The first section in the thesis examines cloud computing and storage. The next sections provide an overview of digital investigations and the implications of cloud storage.

The definition from NIST (2011) is used: convenient, on-demand network access to shared resources that can be rapidly provisioned with minimal management effort.

Cloud services are divided into IaaS, PaaS and SaaS. With IaaS the user has a lot of control, such as choosing and managing the OS and software. With PaaS the OS is provided and the user installs and manages software. With SaaS the software is provided and the user has minimal control.

Criminals use cloud storage to store illicit data, and also target the services and data of victims. The security of cloud services is well addressed in the literature, but forensic response and analysis remains an issue. The growth in the use of mobile devices and their ability to access cloud storage is also an issue for investigators.

Slide 6: Literature Review
- Digital forensic analysis process
- Common procedures for investigation
- McClain (2011): Dropbox analysis
- Chung et al. (2012): Dropbox, Google Docs, Amazon S3 and Evernote
- Zhu (2011): Skype, Viber, Mail, Dropbox
- Reese (2010): Amazon EBS
- Clark (2011): Exif metadata in pictures

The digital forensic analysis process, as defined by McKemmish (1999), is a process of identification, preservation, analysis and presentation.

It has been identified that there is a need for common processes and procedures for cloud storage investigation.

Literature of note includes:

McClain (2011) examines Dropbox analysis, but the focus is on a previous version of the client software; since October 2011 the client's database files are encrypted.

Chung et al. (2012) examine Dropbox, Google Docs, Amazon S3 and Evernote. Their research is of wide scope, but doesn't include SkyDrive, Google Drive or other browsers, and also covers an earlier version of Dropbox whose databases were not encrypted.

Zhu (2011) examines Skype, Viber, Mail and Dropbox, but the focus is on mobile devices only.

Reese (2010) examines Amazon EBS boot volumes, which is not applicable to the consumer cloud storage services considered here.

Clark (2011) examines Exif metadata in pictures, so is quite narrow in its focus.

Slide 7: Research Method
- Objectives not answered in the literature
- Need to conduct primary research
- Q1: What data remnants result from the use of cloud storage to identify its use?
- H0: There are no data remnants from cloud storage use
- H1: There are remnants from cloud storage use

It is concluded that the four objectives were not answered in the literature, hence there is a need to conduct primary research.

From the objectives, two research questions were outlined.

Question 1: What data remnants result from the use of cloud storage to identify its use?

This leads to two hypotheses:

H0: There are no data remnants from cloud storage use to identify the service provider, username or file details.

H1: There are remnants from cloud storage use which enable the identification of the service, a username or file details.

Slide 8: Research Question 1

The following sub-questions of Q1 were also outlined:

Q1a) What data remains on a Windows 7 computer hard drive after cloud storage client software is installed and used to upload and store data with each hosting provider?

Q1b) What data remains on a Windows 7 computer hard drive after cloud storage services are accessed via a web browser with each hosting provider?

Q1c) What data is observed in network traffic when client software or browser access is undertaken?

Q1d) What data remains in memory when client software or browser access is undertaken?

Q1e) What data remains on an Apple iPhone 3G after cloud storage services are accessed via a web browser with each hosting provider?

Q1f) What data remains on an Apple iPhone 3G after cloud storage services are accessed via an installed application from each hosting provider?

Slide 9: Research Question 2

Research Question 2 is: What forensically sound methods are available to preserve data stored in a cloud storage account?

This leads to four alternative hypotheses:

H0: The process of downloading files from cloud storage does not alter the internal data or the associated file metadata.

H1: The process of downloading files from cloud storage alters the internal file data and the associated file metadata.

H2: The process of downloading files from cloud storage does not alter the internal data, but does alter the file metadata.

H3: The process of downloading files from cloud storage alters the internal data, but not the associated file metadata.

Slide 10: Research Question 2a

A sub-question of Q2 is: Q2a) What data can be acquired and preserved from a cloud storage account using existing forensic tools, methodologies and procedures when applied to cloud storage investigations?

Slide 11: Research Method
- Research experiment undertaken using virtual PCs to create various circumstances of accessing cloud storage services
- VMs forensically preserved and analysed for data remnants

The research experiment was undertaken using virtual PCs to create various circumstances of accessing cloud storage services. The use of virtual systems allowed a wider range of circumstances to be created and analysed than would be possible with physical hardware.

In the experiment, the VMs are forensically preserved and analysed for data remnants.

The block diagram on the slide summarises the scope: from a control installation, each popular service is chosen and VMs are created with control data using the client software and four popular browsers. The memory, network data and hard drives are preserved for analysis.

An Apple iPhone is also used to analyse the client applications and browser access to the three services.

Slide 12: Experiment Process

The experiment encompasses a range of circumstances, using virtual PCs with Windows 7 Home Basic:
- Start with a base (control) clean installation
- Install the selected browser (Internet Explorer, Mozilla Firefox, Google Chrome or Apple Safari)
- Install the client software and upload test files
- Use the browser to access the research account and view the files
- Use the browser to access the research account and download files
- Use Eraser to erase the downloaded files
- Use CCleaner to remove file and browsing history
- Use DBAN to erase the virtual hard drive

This was done for each service with each browser, resulting in 96 VMs, memory captures and network capture files (three services, four browsers and eight stages).

Slide 13: Digital Forensic Analysis Cycle
- Commence (scope)
- Prepare and respond
- Identify and collect
- Preserve (forensic copy)
- Analyse
- Present
- Feedback
- Complete

As identified in the literature review, there is a need to define a process for the analysis of cloud environments. The proposed framework builds upon the process outlined by McKemmish (1999) and includes processes from intelligence analysis (Ratcliffe 2003). The process is cyclic, and can break off from the main cycle to return to previous steps for newly identified data, as indicated by the internal arrows on the slide.

The scope is outlined to focus the investigation. Equipment and practitioners are prepared, and a response is mounted if necessary. Data is identified and collected. Data is preserved using forensically sound methods, such as write blocking and hash comparison. Analysis is conducted, which may identify additional data, in which case the process branches so the new data can be prepared for, identified, collected and preserved while the analysis continues. Presentation is a standard step and usually completes the process. However, feedback and review are important to ensure the investigation is complete. A final decision should also be made to finalise the investigation and decide whether further enquiries are necessary; otherwise the files and data are archived for retrieval if needed.

Slide 14: Dropbox
- Using the framework to guide the process
- Analysis of the VM images
- In the control VMs: Dropbox references
- Client software 1.2.52: encrypted databases, sample files
- System tray link to launch the Dropbox website
- Browser remnants
- OS remnants: Prefetch information, link files, $MFT, Registry, Thumbcache, event logs
- Network traffic: IPs, URLs (client and web)
- RAM: password in cleartext
- Eraser/CCleaner: left remnants
- DBAN: all erased

The proposed framework was applied to the analysis of Dropbox, using the methodology outlined earlier.

Dropbox references were found in the control media, hence a keyword search for "dropbox" alone is not conclusive evidence of use; hits must be attributed to a source (base installation, client software, browser or user activity) before drawing conclusions.

The client software database files appear to be encrypted in version 1.2.52, unlike previous versions of the software.

There is an icon in the system tray which, when selected, launches a browser with full access to the account without needing a username or password.

Sample files are installed by the client, which can be used to identify the presence of the software.

There were a range of remnants when a browser was used to access an account. In addition, many remnants were found in OS files, such as Prefetch, $MFT, link files and the Registry.

Data was observed in the network traffic, but was mainly encrypted.

The password was observed in cleartext in memory captures.

Anti-forensic software (Eraser and CCleaner) did not remove the data remnants.
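The control-media problem above (and the same point made later for SkyDrive and Google Drive) is why a bare keyword hit is weak evidence. As an added example that is not part of the thesis or the presentation, the following Python script searches a raw capture (disk image or memory dump) for a keyword in both ASCII and UTF-16LE, since Windows stores most of its strings as UTF-16LE and an ASCII-only grep misses them, and then reports only the hits whose surrounding string does not also occur in the control image. The byte buffers and their string contents are constructed for illustration, not data from the experiments; run over a memory capture, the same routine is how one would look for the cleartext password the thesis observed in RAM.

```python
"""Differential keyword search over raw captures (disk image or RAM dump).

Added example, not code from the thesis. A keyword such as "dropbox" is
located in ASCII and UTF-16LE printable runs, and hits are reduced to
those whose context string is absent from a control (clean) capture.
"""
import re
from typing import List, NamedTuple


class Hit(NamedTuple):
    offset: int    # byte offset of the keyword within the capture
    encoding: str  # "ascii" or "utf-16le"
    context: str   # the printable run containing the keyword, decoded


# Printable runs of at least four characters, as ASCII bytes or as
# UTF-16LE code units (printable byte followed by a NUL byte).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def find_keyword(buf: bytes, keyword: str) -> List[Hit]:
    """Case-insensitive search; one hit per printable run that contains the keyword."""
    hits = []
    kw = keyword.lower()
    for pattern, enc, width in ((ASCII_RUN, "ascii", 1), (UTF16_RUN, "utf-16le", 2)):
        for m in pattern.finditer(buf):
            text = m.group().decode(enc)
            idx = text.lower().find(kw)
            if idx < 0:
                continue
            hits.append(Hit(m.start() + idx * width, enc, text))
    return sorted(hits)


def only_in_suspect(control: bytes, suspect: bytes, keyword: str) -> List[Hit]:
    """Hits whose context string never appears in the control capture, so they
    cannot be explained by the base installation alone."""
    baseline = {h.context for h in find_keyword(control, keyword)}
    return [h for h in find_keyword(suspect, keyword) if h.context not in baseline]


# Constructed captures (assumed contents, not data from the experiments).
# The control carries a reference that a base image might carry; the suspect
# capture carries that plus strings attributable to user activity.
CONTROL = (
    b"\x00\x00" + b"help index: dropbox" + b"\x00" * 8
    + "Dropbox".encode("utf-16le") + b"\x00" * 4
)
SUSPECT = (
    CONTROL
    + b"\xff" * 3 + b"https://www.dropbox.com/login" + b"\x00" * 6
    + "C:\\Users\\alice\\Dropbox\\plans.docx".encode("utf-16le") + b"\x00" * 2
)

if __name__ == "__main__":
    for h in find_keyword(SUSPECT, "dropbox"):
        print(f"0x{h.offset:08x} {h.encoding:9} {h.context}")
    print("attributable to the suspect image only:")
    for h in only_in_suspect(CONTROL, SUSPECT, "dropbox"):
        print(f"  0x{h.offset:08x} {h.context}")
```

Substitute the control VM image and the exhibit image for the constructed buffers (reading them in chunks for real images); the hits that survive the baseline filter are the ones worth tracing back to Prefetch, link files, the Registry or browser history as the slides describe.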

A full erase of the hard drive (DBAN) did remove the remnants.

Slide 15: Dropbox
- iPhone 3G, iOS 4.2.1 (using the framework)
- Base (control): nil located
- Browser: filenames in History.plist and URLs
- Dropbox app: username in keychain.plist
- Case study (used to illustrate findings): a hypothetical botnet example describing finding information on a PC and iPhone regarding Dropbox use

Next an iPhone was used to identify remnants, again using the proposed analysis cycle.

There was no information in the control image.

Filenames were located when the browser was used.

The username and filenames were located when the client software was used.

In the thesis, a case study was used to illustrate the findings in relation to Dropbox.

Slide 16: Dropbox
Conclusion:
- .dbx files are now encrypted; earlier versions used filecache.db and config.db
- Password in cleartext in memory
- Booting a forensic image in a virtual PC will synchronise and provide access to the account without requiring a username or password
- Current police investigation: located illicit data being stored in a Dropbox account (real-world application of the research)

In relation to Dropbox, the conclusion reached was that there are data remnants of interest, as outlined in the thesis. For the earlier versions of the client software the two database files are important, but in version 1.2.52 the files are encrypted.

The password was observed in cleartext in memory.

Booting a forensic image in a virtual system allows access to the user's account without knowing the username or password, because the pre-installed client software authenticates on its own. Note that the client will also synchronise with the live account, so this should be done on a copy of the forensic image, and only where legal authority to access the account exists.

A real-world application of the research was in a current police investigation: illicit data being hosted in a Dropbox account was identified using the information from this research. The investigation is ongoing, hence details cannot be discussed.

Slide 17: Microsoft SkyDrive
- Using the framework to guide the process
- Analysis of the VM images
- In the control VMs: SkyDrive references
- Client software: SyncDiagnostics.log, OwnerID.dat
- OS remnants: Prefetch information, link files, $MFT, Registry, Thumbcache, event logs
- Network traffic: IPs, filenames
- RAM: password in cleartext
- Eraser/CCleaner: left remnants
- DBAN: all erased

Again using the framework, this time with SkyDrive and the methodology outlined earlier.

SkyDrive references were found in the control media, hence a keyword search for "skydrive" alone is not conclusive.

SyncDiagnostics.log lists the files uploaded and downloaded, owner information, and dates and times. The OwnerID.dat file lists the storage locations on the hard drive.

There were a range of remnants when a browser was used to access an account. In addition, many remnants were found in OS files, such as Prefetch, $MFT, link files and the Registry.

Data was observed in the network traffic, but was mainly encrypted.

The password was observed in cleartext in memory captures.

Anti-forensic software did not remove the data remnants.

A full erase of the hard drive did remove the remnants.

Slide 18: Microsoft SkyDrive
- iPhone 3G, iOS 4.2.1 (using the framework)
- Base (control): nil located
- Browser: OwnerID in URL, filenames in History.plist
- SkyDrive app: username in keychain.plist
- Case study (used to illustrate findings): a hypothetical IP theft example describing finding information on a PC and iPhone regarding SkyDrive use

Next an iPhone was used to identify remnants, again using the proposed analysis cycle.

There was no information in the control image.

The OwnerID and filenames were located when the browser was used.

The username and filenames were located when the client software was used.

In the thesis, a case study was used to illustrate the findings in relation to SkyDrive.

Slide 19: Microsoft SkyDrive
Conclusion:
- SyncDiagnostics.log and OwnerID.dat files
- Password in cleartext in memory
- Booting a forensic image in a virtual PC may synchronise the files in an account; access to the account requires a password

In relation to SkyDrive, the conclusion reached was that there are data remnants of interest, as outlined in the thesis.

The two files identified hold data which may be important to an investigation.

The password was observed in cleartext in memory.

Booting a forensic image in a VM may synchronise the files in an account; however, access to the account itself requires a password, which is good for security. For the examiner it means the credentials recovered during analysis (and the legal authority to use them) are needed to go further.

Slide 20: Google Drive
- Using the framework to guide the process
- Analysis of the VM images
- In the control VMs: "drive google" references
- Client software: sync_config.db and snapshot.db
- Password in cleartext stored on the hard drive
- System tray link to visit Google Drive on the web
- OS remnants: Prefetch information, link files, $MFT, Registry, Thumbcache, event logs
- Network traffic: IPs, username
- Eraser/CCleaner: left remnants
- DBAN: all erased

Again using the framework, this time with Google Drive and the methodology outlined earlier.

References to "drive google" were found in the control media, hence a keyword search for this alone is not conclusive.

sync_config.db and snapshot.db list the files uploaded and downloaded, owner information, and dates and times.

There were a range of remnants when a browser was used to access an account. In addition, many remnants were found in OS files, such as Prefetch, $MFT, link files and the Registry.

The password was observed in cleartext on the hard drive and in memory captures.

When running a forensic image as a VM, selecting the link in the system tray allowed full access to the account without requiring a username or password.

Data was observed in the network traffic, but was mainly encrypted.

Anti-forensic software did not remove the data remnants.

A full erase of the hard drive did remove the remnants.

Slide 21: Google Drive
- iPhone 3G, iOS 4.2.1 (using the framework)
- Base (control): nil located
- Browser: username in cookies, filenames in History.plist
- Google Drive app: unable to install, requires iOS 5
- Case study (used to illustrate findings): a hypothetical steroid importation example describing finding information on a PC and iPhone regarding Google Drive use

Next an iPhone was used to identify remnants, again using the proposed analysis cycle.

There was no information in the control image.

The username and filenames were located when the browser was used.

The client application could not be installed on the iPhone used (it requires iOS 5), hence an opportunity for future research.

In the thesis, a case study was used to illustrate the findings in relation to Google Drive.

Slide 22: Google Drive
Conclusion:
- sync_config.db and snapshot.db files
- Password in cleartext in RAM and on the hard drive
- System tray link to visit Google Drive on the web
- Booting a forensic image in a virtual PC will give full access to an account without requiring a username or password

In relation to Google Drive, the conclusion reached was that there are data remnants of interest, as outlined in the thesis.

The two files identified hold data which may be important to an investigation.

The password was observed in cleartext on the hard drive and in memory.

It is possible to run a forensic image in a VM and, via the client software's system tray link, get full access to the account without knowing the username or password.

Slide 23: Forensic Preservation
- No documented process to collect data once identified
- Some jurisdictions have the legal power to secure data accessible at the time of serving a warrant, such as section 3LA of the Crimes Act 1914 (Cth)
- Tested in VMs with Dropbox, Microsoft SkyDrive and Google Drive
- Access via browser and client software
- No change to files (hash values the same after downloading when compared with the originals)

As identified in the literature review, there is a need for a process to collect identified data.

Australia has legislation to collect data, such as section 3LA of the Crimes Act 1914.

Experiments were conducted with control VM systems to preserve data from research accounts with the three providers.

Access was undertaken using a browser and using the client software, and the downloaded files were then compared with the originals.

There were no changes to the original files' hash values, hence no change to the internal data.

Slide 24: Forensic Preservation
- Times and dates change

There were changes to the associated dates and times, as per the table on the slide (the table itself is not included in the transcript). For example, when downloading a file from a Google Drive account using a browser, the created date on the downloaded file is 1/1/1980, not the created date of the original file. The only date/time value that matched the original was the last written time of files obtained with the client software.

These changes must be understood by an examiner, otherwise the information may be misinterpreted and incorrect conclusions drawn.
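As an added example (not from the thesis or the presentation), the following Python code turns the Q2 hypotheses H0 to H3 into a check an examiner can run over an original file and its downloaded copy: content is compared by SHA-256, metadata by the created, last written and accessed timestamps, and a 1/1/1980 created date is called out as a download artefact. The records at the bottom are constructed to mirror the findings reported on this slide (browser download: content intact, every timestamp changed; client software: content intact, last written time preserved); they are assumed values, not measurements from the experiments. `record_from_path` shows how the same record is built from a real file.

```python
"""Check what a download from a cloud storage account changed.

Added example, not code from the thesis. It maps the Q2 hypotheses H0..H3
onto a comparison of two evidence records: the original file and the copy
downloaded from the account. Content is compared by SHA-256 and metadata by
the three filesystem timestamps. Sample records are constructed, not measured.
"""
import hashlib
import os
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple


class FileRecord(NamedTuple):
    sha256: str
    created: datetime
    modified: datetime   # "last written" in the thesis' wording
    accessed: datetime


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_from_path(path: str) -> FileRecord:
    """Build a record from a real file. Creation time is platform dependent:
    st_birthtime where the OS exposes it, otherwise st_ctime, which on Linux
    is the inode change time rather than creation."""
    st = os.stat(path)
    birth = getattr(st, "st_birthtime", st.st_ctime)
    with open(path, "rb") as fh:
        digest = sha256_of(fh.read())

    def utc(ts: float) -> datetime:
        return datetime.fromtimestamp(ts, tz=timezone.utc)

    return FileRecord(digest, utc(birth), utc(st.st_mtime), utc(st.st_atime))


def unchanged_fields(original: FileRecord, downloaded: FileRecord) -> Dict[str, bool]:
    """Which attributes survived the download untouched."""
    return {
        "content": original.sha256 == downloaded.sha256,
        "created": original.created == downloaded.created,
        "modified": original.modified == downloaded.modified,
        "accessed": original.accessed == downloaded.accessed,
    }


def hypothesis(original: FileRecord, downloaded: FileRecord) -> str:
    """Name the Q2 hypothesis that the pair of records supports."""
    same = unchanged_fields(original, downloaded)
    content_same = same["content"]
    metadata_same = same["created"] and same["modified"] and same["accessed"]
    if content_same and metadata_same:
        return "H0"  # neither content nor metadata altered
    if not content_same and not metadata_same:
        return "H1"  # both altered
    if content_same:
        return "H2"  # content intact, metadata altered (the thesis' finding)
    return "H3"      # content altered, metadata intact


DOS_EPOCH_DATE = datetime(1980, 1, 1).date()


def caveats(downloaded: FileRecord) -> List[str]:
    """Warn about the created-date artefact reported for browser downloads
    from Google Drive: 1/1/1980 is the DOS/ZIP epoch, not a real creation
    date, and must not be read as one."""
    notes = []
    if downloaded.created.date() == DOS_EPOCH_DATE:
        notes.append("created date is 1/1/1980: download artefact, not the original creation date")
    return notes


def _utc(*parts: int) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed records (assumed values, not measurements from the experiments).
ORIGINAL = FileRecord(sha256_of(b"research control file"),
                      _utc(2012, 6, 1, 9, 0), _utc(2012, 6, 2, 10, 30), _utc(2012, 6, 3, 11, 0))
# Browser download: same bytes, every timestamp replaced, created date at the DOS epoch.
BROWSER_DOWNLOAD = FileRecord(ORIGINAL.sha256,
                              _utc(1980, 1, 1), _utc(2012, 10, 20, 14, 5), _utc(2012, 10, 20, 14, 5))
# Client software sync: same bytes, last written time preserved, created and accessed new.
CLIENT_SYNC = FileRecord(ORIGINAL.sha256,
                         _utc(2012, 10, 20, 14, 7), ORIGINAL.modified, _utc(2012, 10, 20, 14, 7))

if __name__ == "__main__":
    for label, copy in (("browser", BROWSER_DOWNLOAD), ("client", CLIENT_SYNC)):
        print(label, hypothesis(ORIGINAL, copy), unchanged_fields(ORIGINAL, copy), caveats(copy))
```

In practice the original record comes from the file on the imaged media and the downloaded record from the copy obtained through the browser or client; the hash match is what makes the download usable as a preserved copy, and the `unchanged_fields` breakdown is what stops the new timestamps being reported as if they described the user's activity.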

Slide 25: Results
- Q1 = H1: There are remnants from cloud storage use which enable the identification of the service, a username or file details.
- Q2 = H2: The process of downloading files from cloud storage does not alter the internal data, but does alter the file metadata.

In the thesis, the final chapter lists each question and sub-question and how each has been addressed.

To summarise: in relation to research question 1, the supported hypothesis is H1, there are remnants from cloud storage use. In relation to question 2, preserving data by accessing an account does not change the internal data, but there are changes to the associated timestamps of the files when they are downloaded, therefore H2 is supported.

Slide 26: Contributions
- Identified software files for each service, e.g. SyncDiagnostics.log (SkyDrive), snapshot.db (Google Drive), filecache.db (Dropbox)
- Identified OS remnants: Prefetch, link files, Registry
- Identified browser history remnants
- No change to file contents on access and download
- Difference in timestamps for downloaded files
- Process to boot a PC image in a VM

The main contributions of the thesis are:

The identification of files which store information that may be relevant to an investigation for each service provider, for example the SyncDiagnostics.log file for SkyDrive.

Identifying that there are a range of data remnants on a Windows 7 PC hard drive, such as in Prefetch files, link files, $MFT, Registry, etc.

Identifying that there are a range of data remnants in the browser histories of the popular browsers.

Identifying that accessing and downloading files from an account does not alter the contents of the files, verified by hash value. However, the timestamps of the downloaded files differ from the original files and must be considered when forming conclusions (as per the table on slide 24).

A process to access an account in a forensically sound manner was also outlined: if the client software has been pre-installed it will provide access to the files in an account for Google Drive and Dropbox; or, if the username and password were located during analysis, these can be used. Legal considerations must be met to ensure accessing the account is permitted, i.e. section 3LA of the Crimes Act 1914 (Cth).

Slide 27: Future research
- Other cloud storage services: Amazon S3, iCloud and Ubuntu One
- Physical iPhone extract compared to logical extract
- Android and Windows Mobile devices
- Apple iOS 5 devices
- Further test the framework

Research opportunities identified include:

Other (less popular) cloud storage providers, such as Amazon S3, Apple iCloud and Ubuntu One.

Comparing a physical iPhone extract to the logical extracts undertaken in this research.

Examining other portable device operating systems, such as Android and Windows Mobile.

Examining the latest Apple iOS.

These could all serve to further assess the proposed framework.

Slide 28: Publications (in submission / under review)

Quick, D & Choo, K-K R 2012, 'Dropbox Analysis: Data Remnants on User Machines', submitted to Digital Investigation.
Quick, D & Choo, K-K R 2012, 'Digital Droplets: Microsoft SkyDrive forensic data remnants', submitted to Future Generation Computer Systems.
Quick, D & Choo, K-K R 2012, 'Forensic Collection of Cloud Storage Data from a Law Enforcement Perspective', submitted to Computers & Security.
Quick, D & Choo, K-K R 2012, 'Google Drive: Forensic Analysis of data remnants', submitted to Journal of Network and Computer Applications.

The four papers listed were based on chapters in the thesis and have been submitted for peer review. All four are currently under consideration.

Slide 29: References

Chung, H, Park, J, Lee, S & Kang, C (2012), 'Digital Forensic Investigation of Cloud Storage Services', Digital Investigation.
Clark, P (2011), 'Digital Forensics Tool Testing: Image Metadata in the Cloud', Department of Computer Science and Media Technology, Gjøvik University College.
Kleynhans, S (2012), The New PC Era: The Personal Cloud, Gartner Inc.
McClain, F (2011), 'Dropbox Forensics', updated 31 May 2011, Forensic Focus.
McKemmish, R (1999), 'What Is Forensic Computing?', Trends and Issues in Crime and Criminal Justice, Australian Institute of Criminology, vol. 118, pp. 1-6.
NIST (2011), Challenging Security Requirements for US Government Cloud Computing Adoption (Draft), U.S. Department of Commerce.
Ratcliffe, J (2003), 'Intelligence-Led Policing', Trends and Issues in Crime and Criminal Justice, vol. 248, pp. 1-6.
Reese, G (2010), 'Cloud Forensics Using EBS Boot Volumes', O'Reilly.
Zhu, M (2011), 'Mobile Cloud Computing: Implications to Smartphone Forensic Procedures and Methodologies', AUT University.