API-Based Acquisition of Evidence from Cloud Storage Providers

• Main Author: Barreto, Andres E
• Format: Others
• Published: ScholarWorks@UNO 2015
• Subjects: Cloud forensics; cloud storage; kumodd; API-based evidence acquisition; Google Drive; Dropbox; OneDrive; Box; Data Storage Systems; Information Security
• Online Access: http://scholarworks.uno.edu/td/2030; http://scholarworks.uno.edu/cgi/viewcontent.cgi?article=3123&context=td

Cloud computing and cloud storage services, in particular, pose a new challenge to digital forensic investigations. Currently, evidence acquisition for such services still follows the traditional approach of collecting artifacts on a client device. In this work, we show that such an approach not only requires upfront substantial investment in reverse engineering each service, but is also inherently incomplete as it misses prior versions of the artifacts, as well as cloud-only artifacts that do not have standard serialized representations on the client. In this work, we introduce the concept of API-based evidence acquisition for cloud services, which addresses these concerns by utilizing the officially supported API of the service. To demonstrate the utility of this approach, we present a proof-of-concept acquisition tool, kumodd, which can acquire evidence from four major cloud storage providers: Google Drive, Microsoft One, Dropbox, and Box. The implementation provides both command-line and web user interfaces, and can be readily incorporated into established forensic processes.