Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

Cloud Forensic Investigations: A Deep Dive

Verified

Added on 2020/05/11

AI Summary

This assignment delves into the complexities of cloud forensic investigations. It examines the unique challenges presented by cloud computing environments when collecting and analyzing digital evidence. The document explores various forensic techniques applicable to cloud storage platforms, such as Amazon S3 and Google Drive, discussing their strengths and limitations. Additionally, it addresses the legal considerations surrounding cloud forensics and highlights the importance of best practices for preserving digital integrity within cloud-based systems.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Running head: CLOUD STORAGE FORENSICS
Cloud Storage Services
Name of the Student
Name of the University
Author’s notes

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

1
CLOUD STORAGE FORENSICS
Table of Contents
Introduction......................................................................................................................................2
Analysis...........................................................................................................................................2
Cloud Forensics............................................................................................................................2
Use of Cloud Forensics.................................................................................................................3
Tools and Methodologies.............................................................................................................4
Findings...........................................................................................................................................6
Conclusion.......................................................................................................................................8
References........................................................................................................................................9
Glossary.........................................................................................................................................11
Appendices....................................................................................................................................12
Appendix 1..................................................................................................................................12
Appendix 2..................................................................................................................................12
Appendix 3..................................................................................................................................13

2
CLOUD STORAGE FORENSICS
Introduction
In this era of ICT, smartphones have become an important part of the life of the people.
Cloud storage applications are gaining importance as it allows the users to gain access to their
own information from any location and at any time. Mobile phones play a significant role in
assisting the criminals to commit any criminal act (Poisel, Malzer & Tjoa, 2013). These mobile
devices act as evidence in the investigations of cyber crimes as well as traditional crimes. MEGA
is a cloud app that can be used in place of Google Drive and Dropbox (Daryabar, Dehghantanha
& Choo, 2017).
This forensics report examines a scenario on cloud storage forensics. It focuses on the
MEGA cloud app case study. It gives a brief overview of the concept of cloud forensics along
with its usage. It analyzes a real life scenario called MEGA case study and tries to find out what
modifications to the metadata during the process of downloading and uploading process might
affect the preservation of evidences on an android as well as iOS platforms. This report also
discusses about the findings and gives the result of the analysis.
Analysis
Cloud Forensics
Cloud forensics can be considered to be an application of the digital forensics. This field
combines the concept of cloud computing with digital forensics. Digital forensics applies science
to identify, collect, examines and analyzes data while maintaining its integrity (De Marco,
Kechadi & Ferrucci, 2013). Cloud computing on the other hand is an IT paradigm that deals with
allowing users to get access to shared resources over the Internet on the basis of their demand.

3
CLOUD STORAGE FORENSICS
Cloud forensics is a part of network forensics. There are three main dimensions of cloud
forensics called technical, legal as well as organizational dimension. The cloud storage platform
services that are used, mainly the mobile applications have the ability to leave behind trace or
information that can be useful in any civil or criminal litigation.
Organizations consist of internal as well as external staffs that play a major role in the
process of digital forensics (Ruan & Carthy, 2012). The investigators play the most significant
role in forensics. They have high knowledge about forensic capabilities. IT professionals are also
involved in assisting the investigators in identifying any crime activity. Legal advisors also play
a crucial role in cloud forensics.
Use of Cloud Forensics
Cloud forensics has various usages like:
Investigation: It can be used for investigating crime as well as policy violation in a cloud
environment. It can be useful in providing evidences to the court (Ruan et al., 2013).
Troubleshooting: Data files can be located physically and virtually in the cloud
environment.
Log monitoring: It assists in auditing and regulatory compliance (Thorpe et al., 2013).
Data Recovery: It helps to recover data that has been deleted in an accidental manner. It
also helps to recover encrypted data.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

4
CLOUD STORAGE FORENSICS
Tools and Methodologies
The cloud computing forensics uses certain procedures to carry out the forensic process.
They are discussed below:
Data collection: This process deals with the identification and acquisition of forensic data
from various sources of information present in the cloud. These data can be either client side
information or provider side information. The tools that are used for collecting data are different
for different service models of cloud computing. Data can be collected in a sequential manner
depending upon its volatility. If the data has high volatility then it can be collected first and if the
data has low volatility then can be collected later.
Elastic, live and static forensics: The resources of cloud storage can be provisioned on the
demand of the clients. The tools that are used in cloud computing can be elastic in nature. Most
of the cases use live and static forensic tools. Examples of such cases are e-discovery, data
recovery and data acquisition.
Evidence segregation: Cloud computing allows the users to share resources over the
Internet and save the cost. It supports multi tenant environment. Procedures and tools for
segregating forensic data present in the cloud need to be developed.
Investigation: Investigation can be carried out based on the data that are retrieved from
the cloud platform. But the data present in the cloud are susceptible to various attacks.
Pro-active preparation: This stage involves designing of forensic-aware cloud apps. It
also involves design principles, tracking authentication as well as access-control records.
The investigation framework of the MEGA case study is as follows:

5
CLOUD STORAGE FORENSICS
Identification as well as collection: Evidences had been collected from the internal
memory of Samsung Galaxy Tab II and the internal memory of iPad. Its network traffic had also
been monitored and captured by TCPDump.
Preservation: The entire acquired file was verified by calculating the MD5 hash value.
Examination as well as analysis: The images from the internal memory and backups were
examined for determining data remnants of using MEGA application on iOS and Android
devices.
EDRM was downloaded in order to carry out the experiment. Separate experiments were
conducted on the iOS and Android devices in order to carry out the investigation. Ten
experiments had been conducted and the devices were reset. 0xED was used for Mac and the
Hex Workshop was used for Android device. These were used for the purpose of analyzing
internal storage. The experiments conducted on Android as well as iOS devices are shown in a
tabular format (Appendix 1 and 2)
Amazon S3, Google Docs, Evernote and Dropbox are such models that help in the
investigation process of cloud storage apps (Chung et al., 2012). Researchers have been able to
recover data remnants like username, names of the uploaded and downloaded files from
Motorola Droid that was running Android 2.2.2 version and from iPhone 4 that was running iOS
4.3.5 version as well as from Mac PC and Widows PC (Grispos, Glisson & Storer, 2015).
Windows 7 was investigated for the purpose of identifying forensic information from Google
Docs, Dropbox, Flickr and PicasaWeb (Marturana, Me & Tacconi, 2012). Forensic tools can be
injected into the virtual machines of Amazon EC2 (Dykstra & Sherman, 2012). Client as well as
server analysis can also be held (Martini & Choo, 2013). There are other cloud forensic models

6
CLOUD STORAGE FORENSICS
that can be used for the purpose of examining Google Drive and SkyDrive. These models were
also able to determine whether there was any alteration of the content of the file and documents
(Quick & Choo, 2014). The non-preinstalled application document contents of iCloud remained
unchanged. But on the other hand the MD5 hash values were not matched and the timestamps
had been changed. There is a process that contains six steps for collecting data in a programmed
manner from a remote location (Martini & Choo, 2014). A brief snapshot of the cloud forensics
research is presented in a tabular form (Appendix 3).
Findings
A forensic process is sound and correct if certain key criteria are satisfied. These key
criteria are as follows:
Meaning: This means that the data evidence that has been collected for the purpose of
carrying out investigations based on digital forensics must not lose its real meaning as well as
interpretation. The data must retain its integrity.
Error: Errors must be identified at the correct time so that it does not harm the validity of
the information that was found. Hash functions can be used for the purpose of identifying errors
during the process of forensic collection.
Transparency: The forensic processes must be transparent so that the investigation is
carried out in an effective and honest manner. This will help in the validation of the process
integrity.
Experience: The individuals who are involved in the process of forensic investigation
must have high knowledge and sufficient experience for carrying out the investigation of

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

7
CLOUD STORAGE FORENSICS
forensic data. Forensic investigation is done in case of extremely serious issues and any fault in
the process can harm several individuals as well as organizations. Experience plays a significant
role in the cloud forensic investigations.
In order to find out whether a forensic data is sound or not, the potential changes in the
document data as well as metadata during the time of download and upload must be detected. In
the MEGA case study the MD5 hashes value of the actual files was found out and then it was
compared with data of the downloaded file using the cloud applications on the iOS as well as
Android devices. The hash values of the real file had completely matched with the downloaded
file. This determined that there were no changes made to the document and file contents during
the process of downloading and uploading. Then the timestamps were compared between the
original and the downloaded documents by using the stat command. The comparison determined
that the timestamps were different for both the types of files. All the timestamps was same as that
of the destination folders of all the devices. It has been seen that if the user modifies the date and
time of the iOS or Android device before the process of download takes place then the
timestamps of the file that is downloaded will also change and this will not match with
timestamp of the original file that was uploaded.
Findings of the Android devices are as follows:
 It has been determined that whenever a user logs into the account by using
application then the internal memory of the Android device stores the username.
 Decrypted files can also be determined.
 It has also been found out that the shared URL links can be created as well as
saved to files. The files can be shared which depends on its settings.

8
CLOUD STORAGE FORENSICS
Findings of the iOS devices are as follows:
 It was found out that the ‘mega.ios.plist’ files were possible to be recovered. The
login details could also be found out.
 It was also possible to recover uploaded files.
It is clear from the findings that the MEGA app could not modify the downloaded file
contents. The hash values of the original as well as the downloaded files remained the same.
Only the timestamps were different (Quick & Choo, 2013). The timestamps were same as that of
the client devices. URLs as well as the IP addresses that were used by the app, server names,
timestamps as well as the certification provider that were used by the cloud storage services
could be determined. There are also certain challenges in the cloud storage forensics.
Conclusion
It can be concluded from this report that that the MEGA app could not modify the
downloaded file contents. This report gave a brief overview of the concept of cloud forensics and
its usage. It said that a forensic process is sound and correct if certain key criteria are
satisfied .This report stated that the hash values of the original as well as the downloaded files
remained the same. Only the timestamps were different. This report discussed that the cloud
certain procedures to carry out the cloud storage forensic process like data collection and
evidence segregation.

9
CLOUD STORAGE FORENSICS
References
Chung, H., Park, J., Lee, S., & Kang, C. (2012). Digital forensic investigation of cloud storage
services. Digital investigation, 9(2), 81-95.
Daryabar, F., Dehghantanha, A., & Choo, K. K. R. (2017). Cloud storage forensics: MEGA as
a case study. Australian Journal of Forensic Sciences, 49(3), 344-357.
De Marco, L., Kechadi, M. T., & Ferrucci, F. (2013, September). Cloud forensic readiness:
Foundations. In International Conference on Digital Forensics and Cyber Crime (pp.
237-244). Springer, Cham.
Dykstra, J., & Sherman, A. T. (2012). Acquiring forensic evidence from infrastructure-as-a-
service cloud computing: Exploring and evaluating tools, trust, and techniques. Digital
Investigation, 9, S90-S98.
Grispos, G., Glisson, W. B., & Storer, T. (2015). Recovering residual forensic data from
smartphone interactions with cloud storage providers. arXiv preprint arXiv:1506.02268.
Martini, B., & Choo, K. K. R. (2013). Cloud storage forensics: ownCloud as a case
study. Digital Investigation, 10(4), 287-299.
Martini, B., & Choo, K. K. R. (2014, September). Remote programmatic vCloud forensics: a
six-step collection process and a proof of concept. In Trust, Security and Privacy in
Computing and Communications (TrustCom), 2014 IEEE 13th International
Conference on (pp. 935-942). IEEE.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

10
CLOUD STORAGE FORENSICS
Marturana, F., Me, G., & Tacconi, S. (2012, October). A case study on digital forensics in the
cloud. In Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC),
2012 International Conference on (pp. 111-116). IEEE.
Poisel, R., Malzer, E., & Tjoa, S. (2013). Evidence and Cloud Computing: The Virtual
Machine Introspection Approach. JoWua, 4(1), 135-152.
Quick, D., & Choo, K. K. R. (2013). Forensic collection of cloud storage data: Does the act of
collection result in changes to the data or its metadata?. Digital Investigation, 10(3),
266-277.
Quick, D., & Choo, K. K. R. (2014). Google drive: forensic analysis of data remnants. Journal
of Network and Computer Applications, 40, 179-193.
Ruan, K., & Carthy, J. (2012, October). Cloud forensic maturity model. In International
Conference on Digital Forensics and Cyber Crime (pp. 22-41). Springer, Berlin,
Heidelberg.
Ruan, K., Carthy, J., Kechadi, T., & Baggili, I. (2013). Cloud forensics definitions and critical
criteria for cloud forensic capability: An overview of survey results. Digital
Investigation, 10(1), 34-43.
Thorpe, S., Grandison, T., Campbell, A., Williams, J., Burrell, K., & Ray, I. (2013, June).
Towards a forensic-based service oriented architecture framework for auditing of cloud
logs. In Services (SERVICES), 203 IEEE Ninth World Congress on (pp. 75-83). IEEE.

11
CLOUD STORAGE FORENSICS
Glossary
E-discovery: Electronic discovery (also called e-discovery or ediscovery) refers to any
process in which electronic data is sought, located, secured, and searched with the intent of using
it as evidence in a civil or criminal legal case.
TCPDump: TCPDump is a common packet analyzer that runs under the command line.
MD5: The MD5 algorithm is a widely used hash function producing a 128-
bit hash value. Although MD5 was initially designed to be used as a cryptographic hash function,
it has been found to suffer from extensive vulnerabilities.
Amazon S3: Amazon Simple Storage Service is storage for the Internet. It is designed to
make web-scale computing easier for developers.
VM: In computing, a virtual machine (VM) is an emulation of a computer system.
Virtual machines are based on computer architectures and provide functionality of a physical
computer.
URL: A Uniform Resource Locator (URL), colloquially termed a web address, is a
reference to a web resource that specifies its location on a computer network and a mechanism
for retrieving it. A URL is a specific type of Uniform Resource Identifier (URI), although many
people use the two terms interchangeably.
IP: An Internet Protocol address (IP address) is a numerical label assigned to each device
connected to a computer network that uses the Internet Protocol for communication.

12
CLOUD STORAGE FORENSICS
Appendices
Appendix 1
Figure 1: Experiments on the Android Device
(Source: Daryabar, Dehghantanha & Choo, 2017)
Appendix 2
Figure 2: Experiments on the iOS Device
(Source: Daryabar, Dehghantanha & Choo, 2017)

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

13
CLOUD STORAGE FORENSICS
Appendix 3
Figure 3: A snapshot of existing cloud storage forensics research
(Source: Daryabar, Dehghantanha & Choo, 2017).

1 out of 14

+13062052269

info@desklib.com

Cloud Forensic Investigations: A Deep Dive

Contribute Materials

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Related Documents

Cloud Forensics Research Analysis

Digital Forensic: An Overview of the Application, Tools, and Future

Digital Forensic Framework for Cloud Computing Investigations

Recent Vulnerabilities in Information Security

Smartphone Forensic Analysis

Digital Forensic Technology: Evidence Recovery and Future Challenges