What, When, Where of Cloud Forensics
Samir Datt
Founder CEO, ForensicsGuru.com | Fellow-Indian Police Foundation | Author | TEDx | President - Digital Investigators Assoc | Philanthropist
The “Cloud” to me evokes images of fluffy clouds floating lazily in the sky with nuggets of data stored inside them. Sometimes these clouds rain data (as when they get hacked) and sometimes data has to be extracted nugget by nugget. The process of extracting data stored on the cloud is called Cloud Forensics. The cloud means different things to different people and has been a big cause of confusion and consternation in the investigation community.
Using my superpower of “simplespeak”, I would define cloud forensics as the extraction and analysis of data stored somewhere in what we call the internet. Of course this data is stored on servers, the data could be distributed, and the service could be located anywhere in the world. However, for the sake of simplicity let’s just say that the data is stored on the “internet”.
To make things clear, let me give you a few examples of cloud sources of data or evidence. Some very good examples are Google Drive, Dropbox, Office 365, and other online storage providers.
Let’s take the Google Drive example. Google provides each free user with 15GB of space in what it calls the “Google Drive”. To the end user this looks like one continuous folder/storage drive which can be further subdivided into folders of his choice. However, the reality is that while the cloud OS shows this as one contiguous area, the data is physically distributed over multiple servers which may be geographically dispersed.
So, what does this mean from a forensic perspective? For starters, we need to stop looking at this as similar to disk forensics, where we could take a physical image and carve out deleted data from unallocated space. Data acquisition in the realm of the cloud is similar to logical acquisitions in mobile forensics. Deleted data can be recovered from SQLite databases but not from physically unallocated sectors. This is because the data is physically distributed over multiple servers and storage systems in unknown, geographically dispersed locations. For a normal forensic practitioner, the possibility of creating a physical image of cloud storage is outside his grasp.
So what can we get with this kind of “logically” acquired data? Actually, quite a lot!
For starters we can get -
Alexa, Android Cloud (Google), Apple Watch, Box, DJI Cloud, Dropbox, Endomondo, Facebook, Fitbit, Google Accounts, Google Calendar, Google Contacts, Google Chrome, Google Drive, Google Events, Google Fit (Google Takeout), Google Keep, Google Location History, Google Mail, Gmail, Google My Activity, Google Photos, Google Password, Google Profile, Google Play (Google Takeout), Google Tasks, Google Search History, Google+ (Google Takeout), Keep (Google Takeout), Profile (Google Takeout), YouTube (Google Takeout), Hangouts (Google Takeout), Chrome, Huawei Cloud, iCloud Applications, iCloud Backup, iCloud Calendars, iCloud Call History, Call Logs (iCloud), iCloud Contacts, iCloud Drive, iCloud iTunes Store, iCloud Location, iCloud Mail, iCloud Notes, iCloud Photo Stream, iCloud Photos, iCloud Reminder, iCloud Safari Bookmarks, iCloud Safari History, Safari Search (iCloud), iTunes purchases, Instagram, Live Calendars, Live Contacts, Mail (IMAP), Mi Cloud, OneDrive, Outlook Mail IMAP, QQ Mail, Samsung Cloud Backup, Samsung Cloud Data, Samsung Secure Folder, Swarm (Foursquare), Telegram, Twitter, Viber (Google Backup), Viber (iCloud backup), VKontakte, WhatsApp Cloud, WhatsApp Google Backup, WhatsApp iCloud Backup, WhatsApp (iCloud), Windows Phone Cloud, Yahoo Mail (IMAP), Hotmail, IMAP Mail, Live, MSN, Office 365, Outlook, POP mail, SharePoint, Slack, Lyft, Uber, etc.
And, this is just the tip of the iceberg.
In addition to all this, we get data that was deleted from the SQLite databases, logs of activities, browser histories, passwords, etc. So quite a lot, actually.
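The two paragraphs above make a specific claim: a logical acquisition cannot carve unallocated sectors, but it can still yield records deleted from an app's SQLite database. The following is an added example, not the author's tooling: it builds a constructed messages table, deletes a row the way an app normally does, shows that the deleted text remains in the file's freed cell space for a byte-level scan to find, and that only VACUUM (or the secure_delete pragma) actually purges it.

```python
import os
import sqlite3
import tempfile

# Constructed sample rows, standing in for a messaging app's table as found
# in a logically acquired backup. Added example, not the author's tooling.
MESSAGES = [
    (1, "alice", "call me on the other number"),
    (2, "bob", "draft contract attached, do not forward"),
    (3, "alice", "received, thanks"),
]

def build_db(path):
    """Create the table, then delete row 2 the way an app normally would."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=OFF")    # usual default; made explicit
    con.execute("PRAGMA journal_mode=DELETE")  # keep every page in the main file
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.executemany("INSERT INTO messages VALUES (?, ?, ?)", MESSAGES)
    con.commit()
    con.execute("DELETE FROM messages WHERE id = 2")
    con.commit()
    con.close()

def live_bodies(path):
    """What the application, and hence a plain logical export, still reports."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT body FROM messages ORDER BY id")]
    con.close()
    return rows

def carve_strings(path, needles):
    """Byte-level scan of the file: finds text left behind in freed cells."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return {n: n.encode("utf-8") in raw for n in needles}

def demo():
    """Carve before and after VACUUM; VACUUM rebuilds the file from live rows only."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.db")
        build_db(path)
        needles = [m[2] for m in MESSAGES]
        before = carve_strings(path, needles)
        con = sqlite3.connect(path)
        con.execute("VACUUM")   # what an app would have to do to actually purge it
        con.close()
        after = carve_strings(path, needles)
        return {"live": live_bodies(path), "before_vacuum": before, "after_vacuum": after}
```

Calling demo() shows the deleted body absent from the live query but present in the raw bytes before VACUUM and gone after it; a database in WAL mode may additionally keep such remnants in its -wal file, so acquire that alongside the main file.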
Normally, to get this kind of data we need credentials to access the account, and then we usually use the tools provided by the cloud storage owner to export the data. Another way, also used by mobile forensic tool providers, is to extract the cloud token stored on the phone and then use it to spoof the account, so that the cloud service believes it is interacting with the phone. This gives full access to the data that the mobile device in question has stored in the cloud.
While a lot of organisations have migrated to the cloud recently to enable WFH or remote working, mobile devices have been connected to the cloud for quite a while now. In fact, some statistics show that 49% of mobile data is stored in the cloud. That is quite a lot! Some of the data we can get from the cloud is at times not even present on the phone or device, so cloud data can be very important. In fact, as investigators we cannot consider an investigation complete until we have examined the associated cloud data as well.
Having established the importance of cloud forensics, we need to make it an important part of our SOP. No investigation would be complete without it.