Mobile and Cloud Forensics
Hiranya Prasad Bastakoti
Contents
• Mobile Device Forensics
• Acquisition Procedure for Mobile Devices
• Mobile Forensics Equipment
• Mobile Forensics Tools
• Cloud Forensics
• Challenges in Cloud Forensics
• Acquisitions in the Cloud
• Cloud Investigation
• Tools for Cloud Forensics
Mobile Device Forensics
• Mobile Device Forensics is a branch of digital forensics focused on retrieving, analyzing, and preserving data from mobile devices, such as smartphones and tablets, for legal investigations.
• Given the significant amount of personal and sensitive information stored on these devices, mobile device forensics plays a critical role in uncovering evidence related to criminal cases, cybersecurity incidents, or civil disputes.
• These devices often hold a wealth of information, such as:
• Call logs
• Text messages (SMS/MMS)
• Emails and instant messaging logs
• Photos, videos, and browsing history
• Application and social media data
• GPS data and location information
The goal is to uncover critical evidence while ensuring it remains
admissible in court.
Importance of Mobile Forensics
Rich Source of Evidence: Mobile devices store diverse types of information that can provide critical
insights in investigations.
Increasing Usage: With the ubiquity of smartphones, more crimes and activities leave digital footprints
on these devices.
Financial Evidence: Mobile banking and digital wallets provide evidence for financial crimes or fraud.
Legal Compliance: Courts mandate proper procedures, such as obtaining search warrants, to access
mobile data legally. Forensics ensures the process complies with privacy laws, safeguarding evidence
integrity.
Wide Application: Mobile forensics supports a range of investigations, from violent crimes to identifying
cyber threats like malware and unauthorized access.
Challenges in Mobile Forensics
Technological Diversity: Different devices and operating systems have
unique storage structures, making standardized approaches impractical.
Rapid Innovation: New models and technologies emerge frequently,
requiring constant updates to forensic tools and techniques.
Data Privacy: Sensitive, unrelated information often needs to be redacted
to comply with privacy laws and prevent misuse.
Encryption: Modern devices incorporate robust encryption, adding
complexity to data extraction.
Mobile Phone Basics
• Mobile phone technology has revolutionized communication, evolving rapidly from its
inception in the mid-20th century.
• Initially, mobile phones were bulky, expensive, and exclusive to the elite.
• Over time, they became smaller, more affordable, and feature-rich, transforming into
indispensable tools for personal and professional use.
Generations of Mobile Technology:
• 1G (Analog): Introduced basic calling functionality in bulky, limited devices.
• 2G (Digital PCS): Enhanced voice quality, text messaging, and basic data services.
• 3G (2008): Enabled mobile internet, video streaming, and multitasking capabilities.
• 4G (2009): Delivered high-speed connectivity with advanced technologies like LTE and
WiMAX.
• 5G (2020): Integrates cloud technology and supports ultra-fast, low-latency applications
such as IoT and autonomous vehicles.
Key Network Technologies
Supporting Technologies for 4G:
• Mobile WiMAX: IEEE 802.16e standard with speeds up to 12 Mbps.
• Ultra Mobile Broadband (UMB): Reached speeds of 275 Mbps but was replaced by LTE.
• Long-Term Evolution (LTE): Commonly known as 4G LTE; supports speeds between 45 Mbps and 144 Mbps.
• Multiple Input Multiple Output (MIMO): Improves data rates and network reliability; utilized in LTE and WiMAX.
Mobile Network Components
Base Transceiver Station (BTS): Defines cell coverage and connects to mobile devices.
Base Station Controller (BSC): Manages BTS operations and assigns communication channels.
Mobile Switching Center (MSC): Routes calls and digital packets while maintaining a central subscriber database.
Mobile Device Hardware Overview
Mobile devices have evolved into compact, powerful tools equipped with:
Core Components: Microprocessor, ROM, RAM, digital signal processor,
radio module, microphone, and speaker.
Display and Storage: LCD screens, up to 64 GB internal memory, and
external memory options like SD cards.
Connectivity: Bluetooth, Wi-Fi, and GPS capabilities
Mobile Device Software
Operating Systems:
• Basic Phones: Proprietary OS.
• Smartphones: Android, iOS, and Windows Mobile.
Memory:
• EEPROM: Allows firmware updates and reprogramming without physical access.
• ROM: Stores the OS and essential system data, ensuring persistence even without power.
SIM Card
• Stores subscriber identity and service information, and facilitates portability.
• Available as Standard, Micro, and Nano SIM cards, and e-SIM.
• Easily switch between devices or service providers by replacing the SIM card.
Memory Cards in Mobile Devices
• Types: Compact Flash (CF), MultiMediaCard (MMC), and Secure Digital (SD) cards.
• Standard capacities range from 16 GB to 64 GB, providing additional storage.
• Some devices, like Google Nexus, do not support external SD cards.
• Understanding mobile basics and technologies is critical for mobile forensics.
• Modern devices hold vast amounts of personal and sensitive data, making them valuable sources of
evidence.
• Familiarity with evolving hardware, software, and network standards ensures effective data acquisition
and analysis.
Understanding Acquisition Procedures for Mobile Devices
Mobile devices are critical sources of evidence in investigations, storing sensitive data like messages, call logs, and
location information.
However, they present unique challenges due to their volatile memory, synchronization with cloud services, and
vulnerability to remote wiping.
Proper acquisition procedures are essential to preserve evidence integrity while adhering to legal protocols and ensuring
comprehensive data recovery.
Key Concerns:
Prevent loss of power to safeguard volatile memory (RAM).
Avoid synchronization with cloud services to prevent overwriting data.
Protect against remote wiping, which can erase crucial evidence.
1. At the Investigation Scene:
• If the device is off:
• Keep it off but connect it to a charger immediately.
• Log details about the device's power state and actions taken.
• If the device is on:
• Record the battery's current charge level.
• Disconnect the device from PCs, tablets, or the Internet to stop data synchronization.
• Collect associated peripherals (laptops, cables) to check for transferred or deleted
files.
2. Isolating the Device:
• Use one of the following methods to block incoming signals:
• Enable airplane mode (if available).
• Place the device in a Faraday bag or signal-blocking container (e.g., a paint can).
• Note that these methods can accelerate battery drain, requiring careful monitoring.
4. Handling the Device Based on Its State:
• Device is on and unlocked: Isolate it from networks and disable screen lock/passcodes.
• Device is on and locked: Procedures vary by device type (e.g., iPhone, Android, or BlackBerry).
• Device is off: Attempt a physical static acquisition before powering it on.
5. Acquisition in the Forensic Lab:
• Decide between:
• Logical acquisition: Access visible files and folders.
• Physical acquisition: Perform bit-by-bit data recovery, including deleted files.
• Check data sources such as:
• Internal memory.
• SIM cards.
• External memory cards.
• Network provider servers (requires a warrant/subpoena).
6. Remote Wiping Risks: Remote wiping erases data like contacts, photos, and accounts, or resets the device to factory settings.
• Isolation measures are crucial to prevent this.
• Mobile Device Memory Types:
• Volatile memory: Stores frequently changing data (e.g., calls, messages).
• Non-volatile memory: Stores persistent data (e.g., OS files, personal information).
7. SIM Card Data:
• Stores service-related data, call logs, messages, and location information.
• Access often requires PIN or PUK codes.
• Investigators should look for manuals or documentation to retrieve access codes.
A SIM card can store valuable data, including:
• Service-related data (e.g., SIM and subscriber IDs)
• Call data (dialed numbers)
• Message information (SMS records)
• Location information
• If power is lost, PINs or codes are needed to access the data.
Users often retain default PINs, and manuals at the scene can help.
• After three incorrect attempts, a PIN Unlock Key (PUK) from the
provider is required.
• Default codes like 1111 or 1234 are commonly used.
Mobile Forensics Equipment
• Mobile forensics involves a range of tools and methods tailored to extract
and analyze data from mobile devices while maintaining the integrity of the
evidence.
• The equipment needed for mobile forensics includes devices for identifying
phones, connecting them to forensic workstations, and analyzing the data
extracted.
• With the rapid advancement of mobile phone technology, new models
continuously present challenges, as what works for one device may not work
for another.
• Therefore, forensic professionals must stay updated on the latest
developments in equipment and software tools.
SIM Card Readers
• SIM cards, particularly in GSM phones and newer mobile devices, are crucial sources of data in mobile
forensics.
• A SIM card reader is a combination hardware and software tool used to access the data stored on the SIM card.
• To use this tool, forensic professionals typically work in controlled environments, such as forensic labs, which
are equipped with antistatic devices to prevent damage to the components.
General Procedure for Using SIM Card Readers:
• Remove the Device’s Back Panel: Carefully open the mobile device.
• Remove the Battery: Disconnect the power source to ensure safe handling.
• Remove the SIM Card: Extract the SIM card from its holder.
• Insert the SIM Card into the Reader: Insert the SIM card into a SIM card reader and connect it to a forensic
workstation via USB.
• SIM card readers come in various models, some of which are forensically sound, while others may not be.
• It's important to document whether the SIM card reader used is forensically sound.
• Additionally, SIM card readers may encounter issues with unread text or SMS messages, as the device marks
messages as "read" after they have been viewed.
• Using screen capture tools to document messages before they are opened can provide valuable evidence.
Mobile Phone Forensics Tools and Methods
• Mobile phone forensics tools are essential for extracting, analyzing, and preserving mobile device data.
• The tools and methods vary depending on the type of device, the available software, and the level of access to the device's data.
• The primary goal is to maintain a chain of custody while retrieving as much data as possible, including deleted data.
Common Mobile Forensic Methods:
Manual Extraction: In this method, investigators manually browse the
device’s content and take screenshots or pictures. This is often used when
other extraction methods are not available or feasible.
Logical Extraction: This method involves connecting the mobile device to a
forensic workstation using wired (e.g., USB) or wireless (e.g., Bluetooth)
connections. The device’s file system information is extracted in a logical
manner, capturing accessible data.
Physical Extraction: This is a more in-depth method, similar to logical
extraction, but it involves creating a forensic copy of the entire device’s
memory. This allows for the recovery of deleted files and other items that
may not be accessible through logical extraction.
Hex dumping and Joint Test Action Group (JTAG) extraction—
o Hex Dumping: This involves using a modified boot loader to access the RAM for
analysis.
o JTAG Extraction: This method retrieves data from a device’s physical components,
such as the processor and flash memory. It is considered highly invasive and typically
requires specialized equipment.
• Chip-Off: This method involves physically removing the flash memory chip from the
device and gathering data directly from the memory at the binary level.
• Micro Read: This involves using an electron microscope to examine the logic gates of a
device, often to analyze overwritten data. It’s an expensive and specialized technique,
used mainly for high-security cases.
Forensic Software Tools:
• Paraben E3:DS: A tool that examines IoT devices, handles locked mobile
devices, and performs data parsing and cloud data capture.
• Cellebrite UFED: Known for its wide compatibility with smartphones, PDAs,
tablets, and GPS devices, it offers a comprehensive solution for data
extraction.
• Micro Systemation XRY: Widely used by government agencies, this tool
supports smartphones, GPS devices, tablets, and more.
• MOBILedit Forensic: A tool that is user-friendly and connects directly to
phones via Bluetooth, cable, or infrared. It also includes a SIM card reader
function.
• BitPim: A read-only tool useful for viewing data on CDMA phones. Though not specifically for forensics, it can still assist in data viewing under certain conditions.
Using Mobile Forensics Tools
• Mobile forensics involves using specialized tools to extract and analyze data from mobile devices.
• Several tools are available for this purpose, each offering different extraction methods and features.
1. Cellebrite UFED (Universal Forensics Extraction Device)
• Cellebrite's UFED is a stand-alone portable device with software that can be loaded onto a computer. It's
widely used by law enforcement and military agencies.
• Features: UFED has been tested on over 19,000 devices and provides three extraction options:
• Logical Extraction: Extracts file system data, but excludes social media files (e.g., Facebook, Snapchat).
• File System Extraction: Retrieves the mobile device's file system.
• Physical Extraction: Retrieves deleted data by reconstructing it, though it may require advanced
techniques.
• Usage: Connect the mobile device to the UFED, and select the appropriate extraction method based on the
investigation.
Magnet AXIOM
Magnet AXIOM is a mobile forensics software tool that allows users to extract data from various devices, including Android, iOS, and Windows phones.
• Usage Steps:
• Select "MOBILE" as the evidence source.
• Choose the device type (e.g., ANDROID, IOS).
• Specify whether the device is locked or unlocked.
• Connect the device and configure settings (e.g., USB debugging, airplane mode).
• Once access is gained, AXIOM loads software into RAM and starts extracting data.
• After data extraction, the program restarts the device, and access is confirmed by the computer. The software will then perform either a basic or physical acquisition.
• Review and save the acquired data.
• Advantages: The software guides the user through the steps and helps automate the extraction process for different device types.
Other Forensic Tools
• Many other tools are available for mobile device investigations, but they are typically not free.
• These tools evolve as the market for mobile forensics grows. Some tools include:
• Paraben Software: Offers tools like E3:DS for mobile device investigations.
• Cellebrite UFED: Known for its extensive device support; a top choice for professionals.
• BitPim: Used for CDMA phones (e.g., LG, Samsung) in read-only mode.
• Micro Systemation XRY: Often used by government agencies for smartphone and GPS device data extraction.
• MOBILedit Forensic: A user-friendly tool with built-in write-blockers, capable of extracting data via Bluetooth or cable.
Cloud Forensics
• Cloud forensics refers to the application of digital forensics techniques to investigate incidents, recover data, and analyze suspicious activity within cloud computing environments.
• It is a subset of network forensics and has gained importance due to the increasing use of cloud services and the growing prevalence of cybercrimes, data breaches, policy violations, and fraud in the cloud.
Key Aspects of Cloud Forensics
Cloud forensics operates within three primary dimensions:
• Organizational: This dimension focuses on the structure of cloud services, such as the location of data storage and the administration of services. It ensures that forensic procedures are adapted to the specific architecture and design of cloud systems.
• Legal: Since cloud data can be stored across multiple countries, legal considerations are crucial. Forensic investigators must navigate jurisdictional issues and service agreements that may impact data access and compliance with legal requirements.
• Technical: The technical dimension involves the procedures and specialized tools required to acquire, analyze, and recover data from the cloud. Forensic tools must be able to handle the unique challenges posed by cloud environments, including dynamic data storage and virtualized systems.
Key Capabilities for Cloud Forensics Tools
• To effectively conduct forensic investigations in the cloud, tools must support the following capabilities:
• Forensic Data Collection: Tools should be able to identify, label, record, and acquire relevant data from the cloud environment.
• Elastic, Static, and Live Forensics: Given the flexible nature of cloud services, forensic tools need to handle varying data storage capabilities, adapting to the demand for services as they scale up or down.
• Evidence Segregation: Since clouds often use multitenancy (multiple unrelated users share the same infrastructure), forensic tools must be capable of separating and isolating each customer's data for accurate investigation.
• Investigation in Virtualized Environments: As cloud environments are often virtualized, forensic tools must be designed to examine virtual machines (VMs), virtualized networks, and other cloud-based components.
Why Cloud Forensics is Important?
• Cloud forensics is essential for several reasons:
• Increased Use of Cloud Services: As more businesses and individuals migrate to the cloud, the likelihood of incidents like data breaches, cyberattacks, and fraud increases. Cloud forensics provides the necessary framework to investigate and resolve these issues.
• Jurisdictional and Legal Issues: Cloud data may span across different countries, creating complex legal and jurisdictional challenges. Cloud forensics ensures that proper procedures are followed to collect evidence while adhering to legal constraints.
• Complex Cloud Architectures: Cloud environments are often complex, involving virtualized systems, multiple copies, and failover capabilities. Cloud forensics tools need to be tailored to handle these complexities and provide accurate, reliable data for investigation.
Challenges in Cloud Forensics
1. Legal and Jurisdictional Issues:
• Cloud data may be stored in multiple countries, each with its own legal system. This creates complications in determining
which laws apply when accessing or processing evidence.
• Investigators may face conflicts between national laws, particularly when a case involves cross-border data storage or when
data from multiple customers is stored in the same cloud environment.
2. Service Level Agreements (SLAs) and Cloud Service Agreements (CSAs):
• The terms defined in SLAs or CSAs between customers and cloud service providers (CSPs) can complicate the investigation
process, especially when it comes to defining access rights, responsibilities, and the extent of services provided by the CSP.
• Agreements might not address the needs of forensic investigators, especially concerning data retention, access control, or
security measures.
• Specific Challenges in SLAs:
• Service Hours and Availability: Restrictions on when the cloud service is available or supported can affect the timing of
forensic investigations.
• Customer Restrictions: CSPs may impose limitations on what users can access, which may hinder forensic data collection.
• Response Time and Throughput: SLAs specify response times for data transfers and throughput limitations, which can
delay the forensic process if these metrics are not met.
3. Accessing Cloud Evidence: Evidence in the cloud often requires specific legal permissions, such as warrants
or subpoenas, to access data. Cloud service providers may have complex processes for responding to legal
requests, making timely access difficult.
• Search warrants are often used in criminal cases, but the need to specify the data (not physical hardware)
and the risks of disrupting other customers’ operations pose significant challenges.
4. Data Commingling and Multi-Tenancy: In multi-tenant cloud environments, the data of multiple clients
may be stored on the same infrastructure, increasing the risk of mixing unrelated data. This creates
difficulties in segregating the evidence of interest from other customers' data.
• Investigators need specialized tools and techniques to ensure proper segregation and protection of the
relevant evidence without compromising the privacy of other users.
5. Elastic and Dynamic Nature of Cloud Services: Cloud environments are inherently dynamic, with resources
(such as virtual machines, storage, and processing power) being provisioned and deprovisioned rapidly based
on demand. This flexibility makes it difficult to track and preserve data effectively, especially when resources
are allocated across multiple geographies.
• Tools and procedures used for cloud forensics must adapt to this fluidity, ensuring that evidence is
preserved even as cloud resources change.
6. Cross-Jurisdictional Legal Conflicts:
• Data stored across borders introduces challenges regarding which jurisdiction’s laws should apply. This is
particularly problematic in cases involving the EU, where stricter privacy laws (such as the GDPR) apply, and in
the U.S., where laws may vary by state.
• Investigators may be limited in how they can access or transfer data between jurisdictions, complicating the
forensic process when data moves across international borders.
7. Cloud Architecture Complexity:
• Cloud systems often use virtualized environments with complex structures like virtual machines, virtualized
switches, and routers, as well as failover and disaster recovery processes. This complexity requires advanced tools
and expertise to ensure data integrity during forensic analysis.
• Investigators must understand cloud architecture thoroughly, including the various layers of virtualization, to
avoid missteps when acquiring or analyzing data.
8. Legal Framework and Privacy Protections:
• The Electronic Communications Privacy Act (ECPA) and similar regulations govern how electronic data is accessed,
but their application to cloud systems is still evolving.
• Privacy protections vary widely across jurisdictions and impact investigators' ability to access evidence. Some
countries, like those in the EU, impose strict regulations (e.g., the GDPR) that require prior consent before accessing
data, making evidence collection even more complex for global investigations.
9. Complex CSP Processes and Procedures:
• Cloud service providers often have detailed internal processes for managing, securing,
and backing up data.
• These processes can vary significantly between CSPs and can make it difficult for forensic
investigators to understand how data is stored or protected.
• Forensics professionals need access to these procedures, including backup protocols
and data restoration procedures, to collect the necessary evidence effectively.
10. Tools for Cloud Forensics:
• Forensic tools need to be adaptable to cloud environments, which include virtualized
systems and large-scale distributed architectures.
• Investigators may need specialized tools to recover data, segregate evidence, and
maintain chain-of-custody records in the cloud.
Technical Challenges in Cloud Forensics
• The field of cloud forensics involves addressing technical concerns like recovery, intrusion detection, database and software security, and international relations.
• The Cloud Security Alliance developed the Cloud Forensics Capability Maturity Model, highlighting responsibilities of both customers and Cloud Service Providers (CSPs) during incident response.
• Customers often rely on their own incident response teams, while larger CSPs have specialized teams with forensic tools to assist in resolving incidents, such as compromised VMs.
• Cooperation and clear procedures are vital.
The NIST Cloud Computing Forensic Science Working Group identified key challenges in cloud forensics, including:
• Architecture
• Data collection
• Analysis of cloud forensic data
• Anti-forensics
• Incident first responders
• Role management
• Legal issues
• Standards and training
Key Aspects of Cloud Forensics
Architecture:
• Cloud architectures differ across CSPs (Cloud Service Providers), making data sorting and
storage location identification challenging.
• Variations in logging and recording procedures complicate evidence tracking and chain of
custody.
Analysis of Forensic Data:
• Verifying evidence involves comparing data with logs and reconstructing incident timelines.
• Metadata and MAC (Modified, Access, Created) timestamps are critical for timeline validation.
• Hash comparisons help identify altered files.
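The timeline reconstruction step above (comparing log data with file MAC times) as an added Python example; it is not from the slides. The log lines, file path and timestamps are constructed, and the two log formats are assumptions. The point it shows is clock normalization: a firewall logging in local time and a web server logging in UTC are only comparable once every event carries an explicit, timezone-aware UTC timestamp.

```python
"""Build a unified UTC incident timeline from log lines and file MAC times."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log lines: the web server logs in UTC, the firewall in
# local time with an explicit +0200 offset. Both refer to the same client.
SAMPLE_LOGS = [
    ("webserver", '203.0.113.7 - - [12/Mar/2024:09:15:02 +0000] "POST /admin/login HTTP/1.1" 200 512'),
    ("firewall", "2024-03-12 11:14:55 +0200 DROP TCP 203.0.113.7:51922 -> 10.0.0.5:22"),
    ("firewall", "2024-03-12 11:15:40 +0200 ACCEPT TCP 203.0.113.7:51930 -> 10.0.0.5:443"),
]

# Constructed sample MAC times for one file, as a file-system tool would report them (UTC).
SAMPLE_MAC_TIMES = {
    "/var/www/html/upload.php": {
        "created": "2024-03-12T09:16:10Z",
        "modified": "2024-03-12T09:16:10Z",
        "accessed": "2024-03-12T09:16:12Z",
    },
}


@dataclass(order=True, frozen=True)
class Event:
    when: datetime   # timezone-aware, always UTC after normalization
    source: str
    detail: str


# Timestamp patterns for the two assumed log formats.
APACHE_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
FIREWALL_TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})")


def parse_log_line(source: str, line: str) -> Event:
    """Pull the timestamp out of a log line and normalize it to UTC."""
    if source == "webserver":
        match, fmt = APACHE_TS.search(line), "%d/%b/%Y:%H:%M:%S %z"
    elif source == "firewall":
        match, fmt = FIREWALL_TS.match(line), "%Y-%m-%d %H:%M:%S %z"
    else:
        raise ValueError(f"unknown log source: {source}")
    if match is None:
        raise ValueError(f"no timestamp found in {source} line: {line!r}")
    when = datetime.strptime(match.group(1), fmt).astimezone(timezone.utc)
    return Event(when, source, line)


def mac_events(path: str, times: dict[str, str]) -> list[Event]:
    """Turn a file's MAC times (ISO 8601 with 'Z' suffix) into timeline events."""
    events = []
    for kind, stamp in times.items():
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, "filesystem", f"{path} {kind}"))
    return events


def build_timeline(logs, mac_times) -> list[Event]:
    """Merge log events and file MAC times into one chronologically sorted list."""
    events = [parse_log_line(source, line) for source, line in logs]
    for path, times in mac_times.items():
        events.extend(mac_events(path, times))
    return sorted(events)


def render(events: list[Event]) -> list[str]:
    """One printable line per event, UTC first so rows from any source align."""
    return [f"{e.when.isoformat()}  {e.source:<10}  {e.detail}" for e in events]


if __name__ == "__main__":
    print("\n".join(render(build_timeline(SAMPLE_LOGS, SAMPLE_MAC_TIMES))))
```

Sorting on the aware datetime means the firewall DROP at 11:14:55 local correctly lands before the 09:15:02 UTC web request; without the offset conversion it would sort two hours later and invert the sequence of events.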
Anti-Forensics:
• Hackers use tactics like changing file extensions, manipulating metadata, or deploying
malware to hinder investigations.
• Techniques include encryption, data hiding, and altering timestamps to obfuscate evidence.
• Incident First Responders
• CSPs often have trained staff as first responders; otherwise, forensic examiners guide CSP
personnel.
• Tasks include securing cooperation, briefing on security, and training in evidence collection
protocols.
• Role Management
• Investigators assess roles like data ownership, access controls, and PII protection.
• This helps identify compromised data, additional victims, or suspects, and determines
intent.
• Standards and Training
• Efforts are ongoing to standardize cloud operations and forensics procedures.
• Key training resources include certifications like (ISC)² CCFP, SANS, and university-led
programs.
• These aspects ensure efficient incident handling, maintaining evidence integrity while
overcoming unique cloud challenges.
Acquisitions in the Cloud
• Acquisitions in the cloud refers to the process of collecting and preserving digital evidence from cloud-based systems and services during forensic investigations.
• It involves specific methods and techniques tailored to the cloud's virtual and distributed environment. Key steps are:
Case-Specific Evidence Collection:
• For network penetration: Examine firewall and server logs.
• For unauthorized database access: Focus on transaction logs.
E-Discovery Methods:
• Use standard acquisition techniques (static or remote).
• Recovering deleted data depends on the file system (e.g., NTFS allows easier recovery than Linux/UNIX).
• Challenges in Remote Acquisitions:
• Large data volumes and network speed limitations.
• Scope creep mitigation through attorney-CSP negotiations.
• Setting Up Investigation Systems:
• Dedicated cloud systems for investigations with restricted access.
• Use firewalls to secure external network connections.
• Snapshots for Analysis:
• Snapshots provide data states before, during, and after incidents.
• Compare file hashes, timestamps, and permissions to detect changes.
• Complexities in Virtual Environments:
• Thousands of virtual networks can coexist on physical servers.
• Identifying incident-related data involves analyzing logs, snapshots, and backups.
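The snapshot comparison described above (file hashes, timestamps and permissions before and after an incident) as an added Python example; it is not from the slides. The directory walker builds a manifest from any tree, and the before/after manifests are constructed sample data. The case it is built to expose is the one a timestamp check misses: content replaced while the modification time is left unchanged, which only the hash comparison catches.

```python
"""Compare two snapshots of a file tree by hash, modification time and permission bits."""
from __future__ import annotations

import hashlib
import os
import stat
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class FileRecord:
    sha256: str
    mtime: int   # seconds since the Unix epoch (UTC)
    mode: int    # permission bits only, e.g. 0o644


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large images do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict[str, FileRecord]:
    """Build a manifest of every regular file below root, keyed by relative path."""
    manifest: dict[str, FileRecord] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are recorded elsewhere
            manifest[str(p.relative_to(root))] = FileRecord(
                sha256_file(p), int(st.st_mtime), stat.S_IMODE(st.st_mode))
    return manifest


def diff_snapshots(before: dict[str, FileRecord], after: dict[str, FileRecord]) -> dict[str, list[str]]:
    """Classify every path as added, removed, content-changed, timestamp-only or permission-changed."""
    report = {"added": [], "removed": [], "content_changed": [],
              "timestamp_only": [], "permission_changed": []}
    for path in sorted(set(before) | set(after)):
        b, a = before.get(path), after.get(path)
        if b is None:
            report["added"].append(path)
        elif a is None:
            report["removed"].append(path)
        else:
            if b.sha256 != a.sha256:
                report["content_changed"].append(path)   # hash differs, whatever the mtime says
            elif b.mtime != a.mtime:
                report["timestamp_only"].append(path)    # same bytes, moved timestamp
            if b.mode != a.mode:
                report["permission_changed"].append(path)
    return report


# Constructed sample manifests standing in for pre- and post-incident snapshots.
SAMPLE_BEFORE = {
    "etc/passwd": FileRecord("a" * 64, 1710000000, 0o644),
    "var/www/index.php": FileRecord("b" * 64, 1710000100, 0o644),
    "home/app/.ssh/authorized_keys": FileRecord("c" * 64, 1710000200, 0o600),
}
SAMPLE_AFTER = {
    "etc/passwd": FileRecord("a" * 64, 1710000000, 0o644),
    "var/www/index.php": FileRecord("d" * 64, 1710000100, 0o644),            # content replaced, mtime untouched
    "home/app/.ssh/authorized_keys": FileRecord("c" * 64, 1710000200, 0o644),  # permissions loosened
    "var/www/uploads/sh.php": FileRecord("e" * 64, 1710000300, 0o755),       # new file
}

if __name__ == "__main__":
    for kind, paths in diff_snapshots(SAMPLE_BEFORE, SAMPLE_AFTER).items():
        print(f"{kind:>18}: {paths}")
```

Run `snapshot()` against each mounted snapshot (or against a live system and a known-good image) and feed the two manifests to `diff_snapshots()`; in the constructed data, `var/www/index.php` shows up under `content_changed` even though its mtime is identical in both snapshots.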
Encryption in the Cloud
• Cloud Service Providers (CSPs) and third-party vendors often offer encryption services as a
security measure for cloud users.
• This makes it essential to anticipate encountering encrypted files during cloud investigations.
Understanding the use of encryption in cloud computing is crucial for effectively planning and
conducting forensic investigations.
• Types of Encrypted Data: Data at rest (on disk), data in motion (network transmission), and data in use (RAM).
• Handling Encrypted Data: Collaborate with data owners or CSPs for decryption keys.
• Resort to legal assistance if data owners are uncooperative.
• CSP Encryption Features: Public CSPs (e.g., Google Cloud Storage, OneDrive) decrypt data during access.
• Live acquisitions may be required for accessing encrypted data.
• Encryption Services:
• Examples:
• Atalla Cloud Encryption: Trusted key management and virtual disk encryption.
• Trend Micro SecureCloud: Combines encryption with data wiping capabilities.
• Sophos SafeGuard: Automatic encryption for uploads/downloads.
• Advanced Encryption Techniques: Fully homomorphic encryption (IBM):
• Uses ideal lattice mathematics for enhanced security.
• Blockchain Impact: Blockchain technology ensures secure and traceable transactions.
• Anticipated to influence forensic procedures, especially in finance sectors.
Cloud Investigation
• Cloud investigations should follow a systematic approach similar to standard digital forensics.
• The type of incident dictates the investigative methods: network forensics for CSP cyberattacks or data recovery tools for cloud storage issues.
Investigating CSPs
CSPs typically have incident response teams trained for cyberattacks and e-discovery tasks. Investigators should clarify the following:
• Authority to use cloud resources for investigations.
• Availability of detailed information on cloud topology, policies, and storage methods.
• Restrictions on collecting evidence from remote storage.
• Whether data in multitenant systems can be separated to avoid privacy violations.
• Access to local or remote data and the ability to establish a forensically sound connection.
Investigating Cloud Customers
Cloud customers typically access CSPs using computers or mobile devices through web
browsers, apps, or other methods.
Many services, like iCloud and Samsung Cloud, activate automatically unless users disable
them.
If the CSP’s app is not installed, evidence may be found in the web browser’s cache files. If
the app is installed, file transfer evidence can often be located in the app’s folder under the
user’s account directory (e.g., C:\Users\username on a PC).
On mobile devices, the file location differs. Additional evidence of cloud application activity can
be found in the Windows Prefetch folder (C:\Windows\Prefetch), which logs synchronization
between the application and the device.
Prefetch Files
• Prefetch files speed up application startup by storing DLL paths and metadata.
• Prefetch files have a .pf extension, storing event logs and accessed data/code.
• A prefetch file includes the application's MAC times (UTC format) and the run count since creation.
Offsets: Key data locations in a prefetch file:
• 0x80: Create date and time.
• 0x88: Modified date and time.
• 0x90: Last access date and time.
• 0x98: Record date and time.
• 0xD4: Run count of the application.
Examining Stored Cloud Data on a PC
• Dropbox, Google Drive, and OneDrive provide free and subscription-based storage.
• Cloud services sync files when connectivity is restored.
• Evidence of previous installations can often be found in files, logs, or the registry.
1. Dropbox
A widely-used cloud storage service that supports file sharing, synchronization, and
collaboration.
Offers free storage up to 2 GB, with additional space available via subscription.
File Locations:
• C:\Users\username\Dropbox
• C:\Users\username\AppData\Roaming\Dropbox
• Windows 10: C:\Users\username\AppData\Roaming\DropboxOEM.
File Format: Base-64 encoded; requires tools like Magnet Forensics IEF or Dropbox
Decryptor for analysis.
Prefetch Files: Found in C:\Windows\Prefetch\ with filenames like DROPBOX.EXE-
nnnnnnnn.pf
2. Google Drive
A cloud storage service integrated with Google Workspace applications like Google Docs, Sheets, and Slides.
Provides free storage up to 15 GB, shared across Gmail and Google Photos, with paid plans for more space.
File Locations:
• Installed at C:\Program Files (x86)\Google\Drive.
• User profiles: C:\Users\username\AppData\Local\Google\Drive.
• Sync folder: C:\Users\username\Google Drive\.
Key Files:
• sync_config.db: Stores sync settings and version info.
• snapshot.db: Details file metadata, including MD5 values and timestamps.
• sync_log.log: Logs user cloud transactions.
Tools: SQL viewers (e.g., SQLite Database Browser) for database analysis.
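An added example, not from the slides and not Google's code, of the database analysis the Key Files and Tools items describe: it queries a constructed stand-in for snapshot.db with Python's sqlite3 module, converts the stored epoch timestamps to UTC, and recomputes MD5 values for the files in the sync folder to flag any that changed after the client last recorded them. The table name `local_entry` and its columns are an assumption for this example; inspect the real database in a SQLite browser first and adapt the query to the schema of the client version you are examining.

```python
"""Cross-check a Google Drive sync folder against a snapshot-style SQLite database."""
import hashlib
import sqlite3
from datetime import datetime, timezone
from pathlib import Path


def build_sample_db(conn: sqlite3.Connection) -> None:
    """Create a constructed stand-in for snapshot.db (assumed schema, sample rows)."""
    conn.executescript("""
        CREATE TABLE local_entry (
            filename TEXT PRIMARY KEY,
            checksum TEXT,       -- MD5 hex digest recorded by the client (assumed)
            modified INTEGER,    -- Unix epoch seconds (assumed)
            size     INTEGER
        );
    """)
    conn.executemany(
        "INSERT INTO local_entry VALUES (?, ?, ?, ?)",
        [
            ("report.docx", hashlib.md5(b"quarterly report").hexdigest(), 1710003600, 16),
            ("notes.txt", hashlib.md5(b"original notes").hexdigest(), 1710007200, 14),
        ],
    )
    conn.commit()


def list_entries(conn: sqlite3.Connection) -> list[tuple]:
    """Return (filename, md5, modified as UTC ISO 8601, size) for every recorded file."""
    rows = conn.execute(
        "SELECT filename, checksum, modified, size FROM local_entry ORDER BY filename"
    ).fetchall()
    return [(f, c, datetime.fromtimestamp(m, tz=timezone.utc).isoformat(), s)
            for f, c, m, s in rows]


def md5_file(path: Path) -> str:
    """MD5 is used only because that is what the database records; it is a lookup key, not integrity proof."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_sync_folder(conn: sqlite3.Connection, sync_root: Path) -> dict[str, list[str]]:
    """Compare recorded checksums with the files actually present in the sync folder."""
    result = {"matches": [], "altered": [], "missing": []}
    for filename, checksum in conn.execute("SELECT filename, checksum FROM local_entry"):
        p = sync_root / filename
        if not p.exists():
            result["missing"].append(filename)
        elif md5_file(p) == checksum:
            result["matches"].append(filename)
        else:
            result["altered"].append(filename)   # changed locally after the last recorded sync
    return result


def sample_entries() -> list[tuple]:
    """Rows from the constructed database, timestamps already converted to UTC."""
    conn = sqlite3.connect(":memory:")
    build_sample_db(conn)
    return list_entries(conn)


def demo(sync_root: Path) -> dict[str, list[str]]:
    """Populate the constructed database, write sample files, and verify them."""
    conn = sqlite3.connect(":memory:")
    build_sample_db(conn)
    sync_root.mkdir(parents=True, exist_ok=True)
    (sync_root / "report.docx").write_bytes(b"quarterly report")   # unchanged since sync
    (sync_root / "notes.txt").write_bytes(b"edited notes")         # edited after sync
    return verify_sync_folder(conn, sync_root)


if __name__ == "__main__":
    import tempfile
    for row in sample_entries():
        print(row)
    print(demo(Path(tempfile.mkdtemp())))
```

On a real case, open the copied database read-only (`sqlite3.connect("file:snapshot.db?mode=ro", uri=True)`) and point `sync_root` at the mounted image's sync folder rather than the live profile.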
3. OneDrive
Microsoft’s cloud storage platform, pre-installed on Windows 8 and later, offering seamless integration with Office apps.
Provides free storage up to 5 GB, with options to purchase additional space or subscribe to Microsoft 365 for enhanced features.
File Locations:
• Log files:
• Windows 10: C:\Users\username\AppData\Local\Microsoft\OneDrive\logs.
• Windows 8.1: C:\Users\username\AppData\Local\Microsoft\Windows\SkyDrive\logs.
• Synchronized files:
• Windows 8.1: C:\Users\username\AppData\SkyDrive\OneDrive.
Prefetch Files: Found in C:\Windows\Prefetch\ with filenames like ONEDRIVEREBRAND.EXE-nnnnnnnn.pf.
Windows Prefetch Artifacts
Windows Prefetch is a performance optimization feature designed to speed up application
launches.
It works by creating prefetch files that store metadata and usage patterns of applications.
These files are stored in the C:\Windows\Prefetch directory and have a .pf extension.
Analysis Steps:
• Use disk editors (e.g., WinHex) or forensic tools (e.g., OSForensics).
• Mount the disk image.
• Search for prefetch files in C:\Windows\Prefetch.
• Use tools like WinHex to analyze MAC times and run counts at the specified offsets.
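An added Python example (not from the slides) covering both the Prefetch Files offsets listed earlier and the WinHex analysis step above: it decodes the 64-bit FILETIME values at the slide's offsets into UTC MAC times and reads the 32-bit run count. The offsets are taken from the slides and kept as a parameter because real .pf layouts change between Windows versions (Windows 10 prefetch files are also compressed and must be decompressed before any offset means anything), so confirm them in a disk editor for the version under examination. The byte buffer is constructed, not a real prefetch file.

```python
"""Read MAC times and run count from a prefetch-style header at fixed offsets."""
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Offsets as listed in the slides (assumed layout for this example).
SLIDE_OFFSETS = {
    "created": 0x80,
    "modified": 0x88,
    "accessed": 0x90,
    "recorded": 0x98,
    "run_count": 0xD4,
}
TIMESTAMP_FIELDS = ("created", "modified", "accessed", "recorded")


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; dt must be timezone-aware."""
    micros = (dt.astimezone(timezone.utc) - FILETIME_EPOCH) // timedelta(microseconds=1)
    return micros * 10


def parse_prefetch_header(data: bytes, offsets: dict = SLIDE_OFFSETS) -> dict:
    """Read the four timestamps and the run count at the given offsets.

    A zero FILETIME is reported as None rather than as 1601-01-01, so an
    unset field does not masquerade as a real date in a report.
    """
    needed = max(max(offsets[f] + 8 for f in TIMESTAMP_FIELDS), offsets["run_count"] + 4)
    if len(data) < needed:
        raise ValueError(f"buffer too short: {len(data)} bytes, need at least {needed}")
    result = {}
    for field in TIMESTAMP_FIELDS:
        (ft,) = struct.unpack_from("<Q", data, offsets[field])   # little-endian, as on disk
        result[field] = filetime_to_datetime(ft).isoformat() if ft else None
    (result["run_count"],) = struct.unpack_from("<I", data, offsets["run_count"])
    return result


def build_sample_header(stamps: dict, run_count: int, offsets: dict = SLIDE_OFFSETS) -> bytes:
    """Construct a 256-byte buffer laid out per the slide offsets (test data only)."""
    buf = bytearray(0x100)
    for field in TIMESTAMP_FIELDS:
        struct.pack_into("<Q", buf, offsets[field], datetime_to_filetime(stamps[field]))
    struct.pack_into("<I", buf, offsets["run_count"], run_count)
    return bytes(buf)


def demo() -> dict:
    """Round-trip constructed values through the builder and the parser."""
    utc = timezone.utc
    stamps = {
        "created": datetime(2024, 3, 9, 16, 0, 0, tzinfo=utc),
        "modified": datetime(2024, 3, 10, 8, 30, 0, tzinfo=utc),
        "accessed": datetime(2024, 3, 11, 9, 45, 15, tzinfo=utc),
        "recorded": datetime(2024, 3, 11, 9, 45, 15, tzinfo=utc),
    }
    return parse_prefetch_header(build_sample_header(stamps, run_count=7))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>10}: {value}")
```

To apply it to a file copied out of an image, read it with `open(path, "rb").read()` and pass a corrected `offsets` dictionary if the disk-editor check shows a different layout; the FILETIME conversion itself is version-independent.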
Tools for Cloud Forensics
• In the early days of the cloud, very few tools designed for cloud forensics were available, but many digital, network, and e-discovery tools were used to handle collecting and analyzing data from the cloud.
• Some vendors with integrated tools that can be applied to cloud forensics include the following:
• Guidance Software EnCase eDiscovery and its incident response and EnCase Cybersecurity tools
• AccessData Digital Forensics Incident Response services and AD eDiscovery, which can collect cloud data from Office 365, SharePoint, and OneDrive for Business
• F-Response and its cloud server forensics utility
Forensic Open-Stack Tools (FROST):
FROST integrates with OpenStack, an open-source platform for public and private IaaS cloud
environments, providing forensic response capabilities for Cloud Service Providers (CSPs).
It represents the first known attempt to establish a forensic process for cloud services.
A key feature of FROST is its ability to bypass the hypervisor of virtual machines, storing
collected data in the cloud’s management plane.
This plane, accessed via APIs through a web interface, enables dynamic reconfiguration of the
cloud.
However, bypassing the hypervisor poses risks, as malware can potentially control virtual
sessions, interfere with forensic analysis, and manipulate data access.
F-Response for the Cloud:
• F-Response is a remote access tool used in cloud forensics.
• It enables non-remote-capable forensic tools, such as X-Ways Forensics, to access remote servers and data storage using USB forwarding.
• To operate, F-Response requires tools like F-Response (Enterprise or Consultant) and KernelPro USB-Over-Ethernet.
Magnet AXIOM Cloud:
• Magnet AXIOM has developed a Cloud module that complements its Process and Examine modules, reflecting the increasing need to gather data from cloud services.
• The tool retrieves information from applications like Facebook Messenger, Skype, Instagram, Twitter, and iCloud, among others.
• However, access to this data typically requires usernames and passwords, which investigators can obtain from victims or suspects.