
Finding artifacts from cloud storage programs

(@iamgenius)
Eminent Member
Joined: 10 years ago
Posts: 24
Topic starter  

Hi to all. I'm studying digital forensics, and I need a little help in one area. As you know, cloud forensics is an evolving science, and because of the nature of the cloud, it can get very complicated. With cloud computing, you can commit a crime and there will be no data in your local machine an investigator can use as evidence against you.

Anyways, I'm doing research on cloud forensics for one of my courses and discussing techniques that can be used to make cloud forensics doable. What I want to do is to somehow be able to find data stored in the cloud by finding artifacts left in the computer used to access this data. One thing I found was to use a password decrypter for Dropbox and then use it to access the Dropbox account normally, but I think that's too easy.

Things I tried

I downloaded the Magnet Forensics IEF program and created test accounts for Google Drive, OneDrive and Dropbox. It worked but you can't actually access the files. You can see them but you can't open them.

The other thing I tried was downloading DEFT Linux, which is a cyber forensics Linux distribution that can do many things. I downloaded it and installed it as a virtual machine on my computer but couldn't really do anything with it. It was hard.

I also read somewhere that the user names and passwords used to access a cloud storage service can be read from a memory dump file. I was able to generate the dump file but didn't know how to open/view/analyze it.

I just want to demonstrate that cloud forensics can be done effectively with a simple experiment. I found this place, and thought it is appropriate to ask for help here.

Many thanks,

Saoud


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

With cloud computing, you can commit a crime and there will be no data in your local machine an investigator can use as evidence against you.

Really? Do you have an example?

I just want to demonstrate that cloud forensics can be done effectively with a simple experiment. I found this place, and thought it is appropriate to ask for help here.

I'd think that the first thing you need to do is clearly define the goals for your project. Right now, you seem to not be doing "cloud forensics", as much as you're attempting to do password recovery so that you can access cloud storage. As such, I'm having a hard time understanding what sort of "crime" you're looking to address, as cloud storage is just that…storage. Essentially, there's no difference between what you seem to be attempting, and analyzing a USB drive.

Perhaps the reason that "cloud forensics" seems to be so difficult is that there isn't a solid understanding of what it is…so maybe you could start there…

Just a thought.


   
(@Anonymous)
Guest
Joined: 1 second ago
Posts: 0
 

With cloud computing, you can commit a crime and there will be no data in your local machine an investigator can use as evidence against you.

Really? Do you have an example?

I just want to demonstrate that cloud forensics can be done effectively with a simple experiment. I found this place, and thought it is appropriate to ask for help here.

I'd think that the first thing you need to do is clearly define the goals for your project. Right now, you seem to not be doing "cloud forensics", as much as you're attempting to do password recovery so that you can access cloud storage. As such, I'm having a hard time understanding what sort of "crime" you're looking to address, as cloud storage is just that…storage. Essentially, there's no difference between what you seem to be attempting, and analyzing a USB drive.

Perhaps the reason that "cloud forensics" seems to be so difficult is that there isn't a solid understanding of what it is…so maybe you could start there…

Just a thought.

Not to mention the horrible pain inflicted by having multiple jurisdictions involved in privacy matters.


   
(@iamgenius)
Eminent Member
Joined: 10 years ago
Posts: 24
Topic starter  

Cloud storage is part of cloud computing. File storage is provided for you as a service. What does password recovery have to do with my goals? That was just an example.

With cloud computing, you may decide not to buy a certain software (because it is expensive) but you will "rent" its use for some money. This will be better for you because you actually will not be using the software all the time. You only need to use it once a month, for example. So, it makes sense not to buy it but access it remotely from your local machine at home using an internet connection, and pay only for the duration you used it. This is an example of cloud computing. Criminals can take advantage of this, and commit crimes for which evidence can't be found in their local machines. And if law enforcement wants to search the cloud, they will need to get permission from the cloud services provider. It can get very complicated.

I want to show and explain that cloud forensics are certainly feasible with an actual experiment…. that's all I want to do.

Hopefully this made it clear.

I'll come back again with more explanation. I'm a little busy now.

Please feel free to ask questions.

Thanks.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

This is an example of cloud computing.

Okay, I follow your question now…I used to do these investigations when I worked at a company that provided cloud services. One of the things we provided was the ability to turn up a server or system, with a set configuration…which bad guys would do with stolen credit card numbers. Or they would get access to a virtualized cloud system that someone else already owned, and run their tools from there.

Criminals can take advantage of this, and commit crimes for which evidence can't be found in their local machines. And if law enforcement wants to search the cloud, they will need to get permission from the cloud services provider. It can get very complicated.

It's not really complicated, but like you said, the key is to get permission…and that's not an issue that you can solve through technical means.

Accessing systems for the purpose you've expressed in your post is something that needs to be established contractually when the services are purchased. Having worked for a company that provides/provided these services, I'm acutely aware how the contracts play a role…our network monitor staff would tell the client that there was unusual activity emanating from a system the client had rented from us, and on which they'd loaded their applications and data. At that point, they'd ask us to do IR…but that service wasn't part of the contract…the contract that they'd signed. And they certainly didn't want to drive to the site to have someone do the IR collection for them.

I want to show and explain that cloud forensics are certainly feasible with an actual experiment…. that's all I want to do.

Of course it's feasible…there's no question about that. Once you've identified the system and obtained permission to access it in whichever way you are able, it's no different from performing forensic analysis on any other system, albeit a virtualized one.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

With cloud computing, you may decide not to buy a certain software (because it is expensive) but you will "rent" its use for some money. This will be better for you because you actually will not be using the software all the time. You only need to use it once a month, for example. So, it makes sense not to buy it but access it remotely from your local machine at home using an internet connection, and pay only for the duration you used it. This is an example of cloud computing.

Agreed…this is an example of a kind of cloud computing.

However, the subject line for the thread specifically states "cloud storage programs", and your examples include Dropbox and Google Drive.

Now, in your response, you've shifted gears to remotely accessing a virtualized system that provides computing functionality, not just storage. I would suggest that for the purposes of your studies, identifying the direction you want to go will make things much easier for you to perform your study.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

And if law enforcement wants to search the cloud, they will need to get permission from the cloud services provider. It can get very complicated.

As a side note - and whether this is relevant in the context of your research is highly debatable 😯 - it's not like the need for the LE to obtain access through a Court order from the cloud provider is something absurd or crazy, it is what the Law normally states in most countries, maybe it is complicated, but it is not like hacking or guessing a password - which may be easier - is really a "solution".

Information not gathered through legal means (which does mean a Court order) would be null or non admissible in any civil or criminal case, being a sort of "fruit of the poisonous tree"
https://en.wikipedia.org/wiki/Fruit_of_the_poisonous_tree
(in the US, but again many countries may have similar procedures to validate the evidence and the way it was procured).

Additionally if anyone (LE or not, and no matter if for a good cause or not) accesses illegally a computer system (and accessing a remote system impersonating a given user, through a "cracked" or "hacked" or "guessed" password may represent such an illegal access), he/she may be committing a crime unless properly authorized.

jaclaz


   
(@iamgenius)
Eminent Member
Joined: 10 years ago
Posts: 24
Topic starter  

I'm sorry the title was a little misleading and wasn't proper. I wrote the first post very quickly because I had to catch something. Anyways, the project isn't a big one. What I intend to do is write a paper about cloud forensics–still being discussed with the instructor–and talk about how cloud computing can make it harder for the digital forensics investigator, and what are the techniques one can follow to overcome the obstacles raised by the nature of cloud computing itself.

To add some edge to my paper, I want to inject an experiment that shows cloud forensics is certainly feasible.

I'm trying something now, and I'll let you know about it if it works.

Thanks again.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

–and talk about how cloud computing can make it harder for the digital forensics investigator, and what are the techniques one can follow to overcome the obstacles raised by the nature of cloud computing itself.

Can you share what those obstacles might be?

Like I said, I used to perform the type of investigations you're referring to…and to be honest, I really didn't see many obstacles…


   
(@iamgenius)
Eminent Member
Joined: 10 years ago
Posts: 24
Topic starter  

–and talk about how cloud computing can make it harder for the digital forensics investigator, and what are the techniques one can follow to overcome the obstacles raised by the nature of cloud computing itself.

Can you share what those obstacles might be?

Like I said, I used to perform the type of investigations you're referring to…and to be honest, I really didn't see many obstacles…

I'm talking in general terms. If you do a search in Google for cloud forensics, you will find some research papers talking about why and how cloud forensics can be complicated. This is an example:

http://cloudtimes.org/2012/11/05/the-basics-of-cloud-forensics/ (see the challenges)

Nevertheless, you might be the best one to help me since you have done it before. Can you help me come up with a crime scenario committed in the cloud which I can solve by using some digital forensics tool?

I thought about cloud storage at first because I thought it would be the easiest.

For example, let's assume person A has child pornography photos in his Google Drive and I want to prove him guilty of it. How? Technically?


   