[Image: Dropbox, OneDrive, iCloud, and Google Drive logos]

Cloud Forensics Update 2

Introduction

After creating our data generation script and installing the proper software clients, we have moved into the next phase of our research. This week in Cloud Forensics we powered on our virtual machines and completed our data generation. The purpose of the data generation is to document, in detail, the steps taken during the examination of each cloud service. All groups collaborated on one script to follow, and, using that script, each group wrote more specific instructions based on the particular features of its cloud software. The completed data generation record lets the examiners recall the steps taken, and in what order, for every operation completed during the analysis. Each group worked with the same file types (.docx, .jpg, .mp3, and .pdf) to see how data is stored on the different cloud services.

Analysis of cloud forensics progress

Over the last few weeks we have been working on our OneDrive data generation script in order to create a guideline for how to conduct our forensic research. We accessed an ESXi server where our OneDrive virtual machine (VM) was installed. To pull an image from the VM, we installed the VMware vCenter Converter Standalone Client, which converted the ESXi-based VMFS file to a VMDK file. We then created three disk images. We are now in the process of analyzing the OneDrive images in EnCase v7.
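Once images have been pulled from a VM, an examiner wants proof that what is loaded into EnCase is byte-for-byte what was acquired. The following shell functions are an added example and are not part of the LCDI post or its data generation script: they write a SHA-256 manifest for a set of image files at acquisition time and re-verify it before analysis. They assume a POSIX shell with GNU coreutils `sha256sum`; the image names used in the demonstration are constructed placeholders, not the project's files.

```shell
#!/bin/sh
# Added example (not from the LCDI post): record and re-verify SHA-256 hashes
# of acquired disk images so any change between acquisition and analysis is caught.
# Assumes GNU coreutils sha256sum. MANIFEST is created inside DIR.

# record_manifest DIR MANIFEST FILE...
# Writes one "hash  filename" line per image into DIR/MANIFEST.
record_manifest() {
    dir="$1"; manifest="$2"; shift 2
    (cd "$dir" && sha256sum -- "$@" > "$manifest")
}

# verify_manifest DIR MANIFEST
# Returns 0 if every listed image still matches its recorded hash, 1 otherwise.
verify_manifest() {
    dir="$1"; manifest="$2"
    (cd "$dir" && sha256sum -c --quiet -- "$manifest" >/dev/null 2>&1)
}

# manifest_count DIR MANIFEST
# Prints how many images the manifest covers (handy for the chain-of-custody note).
manifest_count() {
    wc -l < "$1/$2" | tr -d ' '
}

# Demonstration on constructed stand-ins for three acquired images.
demo() {
    work=$(mktemp -d)
    printf 'constructed image one'   > "$work/onedrive-image1.dd"
    printf 'constructed image two'   > "$work/onedrive-image2.dd"
    printf 'constructed image three' > "$work/onedrive-image3.dd"

    record_manifest "$work" hashes.sha256 onedrive-image1.dd onedrive-image2.dd onedrive-image3.dd
    echo "recorded $(manifest_count "$work" hashes.sha256) image hashes"

    if verify_manifest "$work" hashes.sha256; then
        echo "verification before analysis: OK"
    fi

    # Simulate an accidental write to one image after acquisition.
    printf 'x' >> "$work/onedrive-image2.dd"
    if verify_manifest "$work" hashes.sha256; then
        echo "verification after change: unexpectedly OK"
    else
        echo "verification after change: MISMATCH detected"
    fi

    rm -rf "$work"
}

demo
```

Run the manifest step immediately after acquisition and keep `hashes.sha256` with the images; re-run `verify_manifest` each time an image is opened for analysis, and record both results alongside the data generation notes.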

Unlike the other services, which were run on Windows 7 VMs, iCloud's data generation was completed using a Mac VM. This decision was based on the features that iCloud integrates with Mac OS, which we plan to explore further later in the research project. Because we were not using the same OS as the other cloud services, we needed to make some changes to our data generation script so that it was more compatible. As we went through the data generation we ran into some complications, mainly compatibility issues. For one, we could not run our virtual machine on a Windows machine, as the Mac VM was not compatible; instead we had to run the Mac VM on another Mac desktop. Regarding the data generation script, we did not have to install the desktop client, as iCloud comes pre-installed on all current models of Mac. Also, because the .docx file type could not be edited through iCloud, we had to change to an office suite that was compatible with both iCloud and Mac, and we decided on LibreOffice. We did, however, continue to use the same .jpg, .mp3, and .pdf files as the other cloud services. We worked through the complications; the data generation is now complete and we can continue to the next phase of the project.

Conclusion

With data generation complete, the next order of business is to examine the data produced during data generation. To do this, all groups will be using the forensic software EnCase v7.10 as we continue our work on the Cloud Forensics project.

Feel free to reach out to the LCDI through email at lcdi@champlain.edu. You can also follow us on Facebook or Twitter for the most recent updates on projects and more!