Publication


Featured research published by Darren Quick.


Journal of Network and Computer Applications | 2014

Google Drive: Forensic analysis of data remnants

Darren Quick; Kim-Kwang Raymond Choo

Cloud storage is an emerging challenge to digital forensic examiners. The services are increasingly used by consumers, business, and government, and can potentially store large amounts of data. The retrieval of digital evidence from cloud storage services (particularly from offshore providers) can be a challenge in a digital forensic investigation, due to virtualisation, lack of knowledge on location of digital evidence, privacy issues, and legal or jurisdictional boundaries. Google Drive is a popular service, providing users a cost-effective, and in some cases free, ability to access, store, collaborate, and disseminate data. Using Google Drive as a case study, artefacts were identified that are likely to remain after the use of cloud storage, in the context of the experiments, on a computer hard drive and Apple iPhone3G, and the potential access point(s) for digital forensics examiners to secure evidence. Digital evidence can be stored in cloud storage services, such as Google Drive. Identification of potential data storage is a challenge to forensic examiners. Google Drive was examined in relation to data remnants on a PC and an iPhone. Investigation points include directory listings, prefetch, link and registry files.


Digital Investigation | 2013

Dropbox analysis: Data remnants on user machines

Darren Quick; Kim-Kwang Raymond Choo

Cloud storage has been identified as an emerging challenge to digital forensic researchers and practitioners in a range of literature. There are various types of cloud storage services with each type having a potentially different use in criminal activity. One area of difficulty is the identification, acquisition, and preservation of evidential data when disparate services can be utilised by criminals. Not knowing if a cloud service is being used, or which cloud service, can potentially impede an investigation. It would take additional time to contact all service providers to determine if data is being stored within their cloud service. Using Dropbox(TM) as a case study, research was undertaken to determine the data remnants on a Windows 7 computer and an Apple iPhone 3G when a user undertakes a variety of methods to store, upload, and access data in the cloud. By determining the data remnants on client devices, we contribute to a better understanding of the types of terrestrial artifacts that are likely to remain for digital forensics practitioners and examiners. Potential information sources identified during the research include client software files, prefetch files, link files, network traffic capture, and memory captures, with many data remnants available subsequent to the use of Dropbox by a user.


Future Generation Computer Systems | 2013

Digital droplets: Microsoft SkyDrive forensic data remnants

Darren Quick; Kim-Kwang Raymond Choo

Cloud storage services such as the popular Microsoft(C) SkyDrive(C) provide both organisational and individual users a cost-effective, and in some cases free, way of accessing, storing and disseminating data. The identification of digital evidence relating to cloud storage services can, however, be a challenge in a digital forensic investigation. Using SkyDrive as a case study, we identified the types of terrestrial artefacts that are likely to remain on a client's machine (in the context of our experiments; computer hard drive and iPhone), and where the access point(s) for digital forensics examiners are, that will allow them to undertake steps to secure evidence in a timely fashion.


Digital Investigation | 2013

Forensic collection of cloud storage data: Does the act of collection result in changes to the data or its metadata?

Darren Quick; Kim-Kwang Raymond Choo

The timely acquisition and preservation of data from cloud storage can be an issue for law enforcement agencies and other digital forensic practitioners. In a jurisdiction which has legal provisions to collect data available to a computer or device, the process may involve accessing an account to collect the data. Using three popular public cloud storage providers (Dropbox, Google Drive, and Microsoft SkyDrive) as case studies, this research explores the process of collecting data from a cloud storage account using a browser and also downloading files using client software. We then compare these with the original files and undertake analysis of the resulting data. We determined that there were no changes to the contents of files during the process of upload, storage, and download to the three cloud storage services. The timestamps of the files were also examined in relation to the files downloaded via a browser and via client software. It was observed that some of the timestamp information remained the same throughout the process of uploading, storing and downloading files. Timestamp information may be a crucial aspect of an investigation, prosecution, or civil action, and therefore it is important to record the information available, and to understand the circumstances relating to a timestamp on a file.


Digital Investigation | 2014

Impacts of increasing volume of digital forensic data

Darren Quick; Kim-Kwang Raymond Choo

A major challenge to digital forensic analysis is the ongoing growth in the volume of data seized and presented for analysis. This is a result of the continuing development of storage technology, including increased storage capacity in consumer devices and cloud storage services, and an increase in the number of devices seized per case. Consequently, this has led to increasing backlogs of evidence awaiting analysis, often many months to years, affecting even the largest digital forensic laboratories. Over the preceding years, there has been a variety of research undertaken in relation to the volume challenge. Solutions posed range from data mining, data reduction, increased processing power, distributed processing, artificial intelligence, and other innovative methods. This paper surveys the published research and the proposed solutions. It is concluded that there remains a need for further research with a focus on real world applicability of a method or methods to address the digital forensic data volume challenge.


Cluster Computing | 2016

Big forensic data reduction: digital forensic images and electronic evidence

Darren Quick; Kim-Kwang Raymond Choo

An issue that continues to impact digital forensics is the increasing volume of data and the growing number of devices. One proposed method to deal with the problem of “big digital forensic data”: the volume, variety, and velocity of digital forensic data, is to reduce the volume of data at either the collection stage or the processing stage. We have developed a novel approach which significantly improves on current practice, and in this paper we outline our data volume reduction process which focuses on imaging a selection of key files and data such as: registry, documents, spreadsheets, email, internet history, communications, logs, pictures, videos, and other relevant file types. When applied to test cases, a hundredfold reduction of original media volume was observed. When applied to real world cases of an Australian Law Enforcement Agency, the data volume further reduced to a small percentage of the original media volume, whilst retaining key evidential files and data. The reduction process was applied to a range of real world cases reviewed by experienced investigators and detectives and highlighted that evidential data was present in the data reduced forensic subset files. A data reduction approach is applicable in a range of areas, including: digital forensic triage, analysis, review, intelligence analysis, presentation, and archiving. In addition, the data reduction process outlined can be applied using common digital forensic hardware and software solutions available in appropriately equipped digital forensic labs without requiring additional purchase of software or hardware. The process can be applied to a wide variety of cases, such as terrorism and organised crime investigations, and the proposed data reduction process is intended to provide a capability to rapidly process data and gain an understanding of the information and/or locate key evidence or intelligence in a timely manner.


Software - Practice and Experience | 2017

Big forensic data management in heterogeneous distributed systems: quick analysis of multimedia forensic data

Darren Quick; Kim-Kwang Raymond Choo

The growth in the data volume and number of evidential data from heterogeneous distributed systems in smart cities, such as cloud and fog computing systems and Internet‐of‐Things devices (e.g. IP‐based CCTVs), has led to increased collection, processing and analysis times, potentially resulting in vulnerable persons (e.g. victims of terrorism incidents) being at risk. A process of Digital Forensic Data Reduction of source multimedia and forensic images has provided a method to reduce the collection time and volume of data. In this paper, a methodology of Digital Forensic Quick Analysis is outlined, which describes a method to review Digital Forensic Data Reduction subsets to pinpoint relevant evidence and intelligence from heterogeneous distributed systems in a timely manner. Applying the proposed methodology to real‐world data from an Australian police agency highlighted the timeliness of the process, resulting in significant improvements in processing times in comparison with processing a full forensic image. The Quick Analysis methodology, combined with Digital Forensic Data Reduction, has potential to locate evidence and intelligence in a timely manner.


Journal of Network and Computer Applications | 2017

Pervasive social networking forensics

Darren Quick; Kim-Kwang Raymond Choo

In pervasive social networking forensics, mobile devices (e.g. mobile phones) are a typical source of evidence. For example, figures from an Australian law enforcement agency show the number of mobile phones submitted for analysis increasing at an average of 60% per annum since 2006, and data from FBI regional computer forensics laboratory showing an increase of 67% per annum for mobile phone examinations. When coupled with the growth in capacity of memory card and device storage, which doubles approximately every 15 months, there is an ongoing and increasing growth in the volume of data available for evidence and intelligence analysis. There is a potential for information relevant to a range of crimes within the extracted data, such as terrorism and organised crime investigations, with potential cross-device and cross-case linkages. In this paper, we propose the Digital Forensic Intelligence Analysis Cycle (DFIAC). Using mobile device extracts from an Australian law enforcement agency, we demonstrate the utility of DFIAC in locating information across an increasing volume of forensically extracted data from mobile devices, and a greater understanding of the developing trends in relation to mobile device forensic analysis. Digital forensic intelligence analysis cycle. Pervasive social networking forensics. Social network forensic intelligence and evidence analysis. Mobile device forensic and intelligence analysis.


Future Generation Computer Systems | 2018

Digital forensic intelligence: Data subsets and Open Source Intelligence (DFINT+OSINT): A timely and cohesive mix

Darren Quick; Kim-Kwang Raymond Choo

Advances in technologies and changing trends in consumer behaviour have led to an increase in the volume, variety, velocity, and veracity of data available for digital forensic analysis. A benefit of analysis of big digital forensic data is that there may be case-related information contained within disparate data sources. This paper presents a framework for entity identification and open source information cohesion to add value to data holdings from digital forensic data subsets. Application of the framework to test data resulted in locating additional information relating to the entities contained within the digital forensic data subsets, which led to adding intelligence value relating to the entities. Analysis of real-world data confirmed the potential to add value to big digital forensic data to uncover disparate information and open source information. The results demonstrate the benefits of applying the process to achieve greater understanding of digital forensic data in a timely manner.


Cloud Storage Forensics | 2013

Google Drive: Forensic Analysis of Cloud Storage Data Remnants

Darren Quick; Kim-Kwang Raymond Choo

Cloud storage is an emerging challenge to digital forensic examiners. The services are increasingly used by consumers, business, and government, and can potentially store large amounts of data. The retrieval of digital evidence from cloud storage services (particularly from offshore providers) can be a challenge in a digital forensic investigation, due to virtualisation, lack of knowledge on location of digital evidence, privacy issues, and legal or jurisdictional boundaries. Google Drive is a popular service, providing users a cost-effective, and in some cases free, ability to access, store, collaborate, and disseminate data. Using Google Drive as a case study, artefacts were identified that are likely to remain after the use of cloud storage, in the context of the experiments; on a computer hard drive and Apple iPhone3G, and the potential access point(s) for digital forensics examiners to secure evidence.

Collaboration



Top Co-Authors

Kim-Kwang Raymond Choo

University of Texas at San Antonio

Ben Martini

University of South Australia

Christopher Tassone

University of South Australia
