Cloud Forensics: Analysis Of MEGA Cloud Application - Case Study

Question:

Discuss about the Forensic Analysis of Data Remnants.

Smartphones play a significant role in this generation. Almost everyone in this generation uses smartphones for the purpose of communicating with others and also carries out several other works. Smartphones consists of cloud applications that can be used for storage purposes. This facilitates the users to access their own data whenever required. Criminals have started to use these smartphones for carrying out illegal and criminal activities (Poisel, Malzer & Tjoa, 2013). The mobile devices that have been used by the criminals can be used for the purpose of investigating any traditional or cyber crime. MEGA is considered to be a cloud application that can store data just like Dropbox and Google Drive (Daryabar, Dehghantanha & Choo, 2017).

This report examines and analyzes a scenario that is based on cloud forensics. This report is based on the case study of the MEGA cloud application. It discusses about the cloud forensics concepts. It also discusses about the various usages of cloud forensics. This report critically analyzes the case study of MEGA app and attempts to find out the type of modification of the metadata that will take place when the file will be uploaded and downloaded. It also tries to find out how will the evidences that are present on an iOS and an android platform gets affected. This report also discusses the findings of the analysis.

Cloud forensics forms a part of digital forensics. This field is the combination of cloud computing along with the field of digital forensics. In digital forensics, data is identified, collected, examined and analyzed for the purpose of preserving its integrity and value (De Marco, Kechadi & Ferrucci, 2013). In cloud computing, users are allowed to share resources over the web depending on their demand by paying the price as per their usage. Cloud forensics can be considered to be a sub part of the network forensics. Cloud forensics has three dimensions called legal, technical and organizational dimension. Mobile phones often use cloud storage services. Mobile applications are able to store data and leave a trace of criminal activities. This can be helpful for the purpose of investigating any criminal act. It also plays a major role in criminal litigation as well as civil litigation.

An organizational structure consists of several types of staffs like internal and external employees and staffs. These staffs play a major role in digital forensic processes (Ruan & Carthy, 2012). Investigators are the most important and significant staff that participate in the process of digital forensics. They are highly qualified and experienced individuals who are capable of investigating a criminal activity by using the capabilities of forensics. IT professionals also play a major role in the process of investigation. They assist the investigators and help them when the knowledge of information technology is required. Another main role in the process of digital forensics is played by the legal advisors. These professionals help in identifying the criminals.

Usages of Cloud Forensics

There are several usages of cloud forensics. Some of them are as follows:

Investigation: This is the most important usage of cloud forensics. Crimes can be investigated in the cloud environments by using cloud forensics. If there is any violation of policy then that can also be investigated by taking the help of cloud storage forensics (Ruan et al., 2013). Cloud forensics will help to gather evidences for presenting it in the court.

Data recovery: The cloud applications can store data. Sometimes these data might get deleted accidentally or unintentionally. Cloud forensics has the capability to recover data after it has got deleted. Cloud forensics can also be used for recovering encrypted data.

Troubleshooting: Cloud forensics has made it simple for the users to locate files and documents physically as well as virtually.

Log monitoring: Cloud forensics play a significant role in monitoring logs (Thorpe et al., 2013). It helps in the process of regulatory compliance as well as auditing.

Data collection: Forensic data is identified as well as acquired from several information sources that exist in the cloud environment. The data can be either from the side of the provider or from the client side. There are different cloud platforms and a single tool cannot be applied in all the platforms. Different tools can be used in the different cloud service models. The collection of data is done in a sequential way and it depends upon the volatility of the data. At first the data with high volatility is collected and after that the low volatile data is collected.

Elastic and static forensics: Resources can be provisioned based on the client demand. The cloud forensics tools have an elastic nature. The static and live forensic tools are the most used tools in case of cloud storage forensics. E-discovery, data acquisition as well as data recovery are such examples where such tools are used.

Investigation: Data can be retrieved by cloud forensics and these data can be investigated. The data in the cloud platforms are highly susceptible to various kinds of threats and attacks.

Pro-active preparation: Forensic-aware cloud applications are designed in this stage. This stage also involves access-control records, tracking authentication and design principles.

Identification cum collection: The internal storage of iPad as well as that of Samsung Galaxy tab II had been discovered for the collecting evidences. TCPDump had been used for the purpose of monitoring and capturing network traffic.

Analysis of MEGA Cloud Application

Preservation: The file was acquired and verified by finding out the MD5 hash values.

Examination cum analysis: MEGA app was used on Android and iOS devices and then images present in the internal storage were examined.

There have been ten experiments where the resetting of the devises had been done. Hex Workshop and 0xED were used for Android devices and iOS devices respectively for carrying out analysis of the internal storage. EDRM was used in the experiment. The experiments that have been conducted on the iOS and Android devices are presented in a table format (Appendix 1 and 2).

Researchers have stated that data remnants like file names, usernames had been recovered from iPhone 4 that used iOS version 4.3.5 and from Motorola Droid that used Android version 2.2.2. Data had also been recovered from Windows PC as well as Mac PC (Grispos, Glisson & Storer, 2015). Dropbox, Evernote, Google Docs as well as Amazon S3 are the models that play a significant role in the cloud storage application investigation (Chung et al., 2012). Investigation on Windows 7 was conducted in order to find out forensic data from PicasaWeb, Flickr, Dropbox and Google Docs (Marturana, Me & Tacconi, 2012). Researchers have said that it is possible to insert forensic tools into the VMs of the Amazon EC2 platform (Dykstra & Sherman, 2012). Client analysis and server analysis can also be conducted (Martini & Choo, 2013). There are different models of cloud forensics that can be useful in finding out whether any alteration or modification of file contents has taken place (Quick & Choo, 2014). It was found out that the non-preinstalled app file contents of the iCloud remained same and unchanged. Data can be collected in a programmed way and from a remote or distant location by using a six steps procedure (Martini & Choo, 2014). The research of cloud forensics is depicted in a table format (Appendix 3).

A sound forensic process has to satisfy the following criteria as mentioned below:

Meaning: The real meaning of the data that is collected for investigation purpose must not be lost.

Errors: Detection of error is very important in order to maintain the validity of the data. Hash functions play a major role in this process.

Transparency: A transparent forensic process will help to carry out an effective as well as honest investigation.

Experience: The experience of the investigators and other professionals who play a significant role in investigation must be taken into account. Experienced individuals will help to take a correct decision.

Findings

 The MD5 hash values of the original as well as the downloaded files were determined in the MEGA case study. These has values were compared to find out if any changes had been made or not. Hash values of the files of iOS and Android devices were compared. After this the timestamps of the files were also compared.

Findings of Android devices are given below:

• It has been found out that when a user logs in an application then the username gets saved in the internal storage of the Android device (Daryabar, Dehghantanha & Choo, 2017).
• Determination of decrypted files was also possible.
• One of the main findings was that it was possible for the Android devices to create and save shared URL links to the files.

Findings of iOS devices are given below:

• Recovery of uploaded files was possible.
• Recovery of ‘mega.ios.plist’ documents and files was also possible. It was possible to find out the login details as well (Daryabar, Dehghantanha & Choo, 2017).

It can be said from the findings that modification of the contents of the downloaded files was not possible by the MEGA app. After comparing the hash values of the original and the downloaded documents it was found out that it remained the same. The timestamps of the original and the downloaded files differed (Quick & Choo, 2013). The timestamps of the files had been modified to the timestamps of the destination folders of the devices. The timestamps can be compared for detecting if the files have been modified or not. It is possible to determine the URLs and IP addresses that have been used by the app. It is also possible to determine the server names, certification provider and the timestamps that have been used by cloud storage platforms and devices.

Conclusion

This report concluded that it was not possible for the MEGA app to modify the contents of the files that have been downloaded. This report discussed about the cloud forensics concepts. It also discussed about the various usages of cloud forensics. This report critically analyzed the case study of MEGA app and found out the type of modification of the metadata that will take place when the file will be uploaded and downloaded. This report discussed about the findings from the case study of MEGA app. This report discussed about the criteria that needs to be satisfied by a sound forensic process. It said that the hash values of the original and downloaded files remained same but the timestamps differed. It also found out how will the evidences that are present on an iOS and an android platform gets affected. This report also gave an overview of the steps to be carried out in a forensic process.

References

Chung, H., Park, J., Lee, S., & Kang, C. (2012). Digital forensic investigation of cloud storage services. Digital investigation, 9(2), 81-95.

Daryabar, F., Dehghantanha, A., & Choo, K. K. R. (2017). Cloud storage forensics: MEGA as a case study. Australian Journal of Forensic Sciences, 49(3), 344-357.

De Marco, L., Kechadi, M. T., & Ferrucci, F. (2013, September). Cloud forensic readiness: Foundations. In International Conference on Digital Forensics and Cyber Crime (pp. 237-244). Springer, Cham.

Dykstra, J., & Sherman, A. T. (2012). Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and evaluating tools, trust, and techniques. Digital Investigation, 9, S90-S98.

Grispos, G., Glisson, W. B., & Storer, T. (2015). Recovering residual forensic data from smartphone interactions with cloud storage providers. arXiv preprint arXiv:1506.02268.

Martini, B., & Choo, K. K. R. (2013). Cloud storage forensics: ownCloud as a case study. Digital Investigation, 10(4), 287-299.

Martini, B., & Choo, K. K. R. (2014, September). Remote programmatic vCloud forensics: a six-step collection process and a proof of concept. In Trust, Security and Privacy in Computing and Communications (TrustCom), 2014 IEEE 13th International Conference on (pp. 935-942). IEEE.

Marturana, F., Me, G., & Tacconi, S. (2012, October). A case study on digital forensics in the cloud. In Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), 2012 International Conference on (pp. 111-116). IEEE.

Poisel, R., Malzer, E., & Tjoa, S. (2013). Evidence and Cloud Computing: The Virtual Machine Introspection Approach. JoWua, 4(1), 135-152.

Quick, D., & Choo, K. K. R. (2013). Forensic collection of cloud storage data: Does the act of collection result in changes to the data or its metadata?. Digital Investigation, 10(3), 266-277.

Quick, D., & Choo, K. K. R. (2014). Google drive: forensic analysis of data remnants. Journal of Network and Computer Applications, 40, 179-193.

Ruan, K., & Carthy, J. (2012, October). Cloud forensic maturity model. In International Conference on Digital Forensics and Cyber Crime (pp. 22-41). Springer, Berlin, Heidelberg.

Ruan, K., Carthy, J., Kechadi, T., & Baggili, I. (2013). Cloud forensics definitions and critical criteria for cloud forensic capability: An overview of survey results. Digital Investigation, 10(1), 34-43.

Thorpe, S., Grandison, T., Campbell, A., Williams, J., Burrell, K., & Ray, I. (2013, June). Towards a forensic-based service oriented architecture framework for auditing of cloud logs. In Services (SERVICES), 203 IEEE Ninth World Congress on (pp. 75-83). IEEE.