Question:
You are a Digital Forensics Examiner. Considering a real or a hypothetical case you are required to produce a formal report consisting of facts from your findings to your attorney who has retained you.
In this era of ICT, smartphones have become an important part of people's lives. Cloud storage applications are gaining importance because they allow users to access their own information from any location and at any time. Mobile phones also play a significant role in assisting criminals in committing criminal acts (Poisel, Malzer & Tjoa, 2013). These mobile devices serve as evidence in investigations of cyber crimes as well as traditional crimes. MEGA is a cloud app that can be used in place of Google Drive and Dropbox (Daryabar, Dehghantanha & Choo, 2017).
This forensics report examines a scenario in cloud storage forensics, focusing on the MEGA cloud app case study. It gives a brief overview of the concept of cloud forensics and its uses. It analyzes a real-life scenario, the MEGA case study, to find out which modifications to metadata during downloading and uploading might affect the preservation of evidence on Android as well as iOS platforms. The report also discusses the findings and gives the result of the analysis.
Cloud Forensics
Cloud forensics can be considered an application of digital forensics. The field combines the concept of cloud computing with digital forensics. Digital forensics applies science to identify, collect, examine and analyze data while maintaining its integrity (De Marco, Kechadi & Ferrucci, 2013). Cloud computing, on the other hand, is an IT paradigm that allows users to access shared resources over the Internet on demand. Cloud forensics is a part of network forensics. It has three main dimensions: technical, legal and organizational. The cloud storage platform services that are used, mainly the mobile applications, can leave behind traces or information that can be useful in civil or criminal litigation.
Organizations have internal as well as external staff who play a major role in the digital forensics process (Ruan & Carthy, 2012). The investigators play the most significant role in forensics; they have extensive knowledge of forensic capabilities. IT professionals assist the investigators in identifying criminal activity. Legal advisors also play a crucial role in cloud forensics.
Use of Cloud Forensics
Cloud forensics has various uses, such as:
Investigation: It can be used for investigating crime as well as policy violations in a cloud environment. It can be useful in providing evidence to the court (Ruan et al., 2013).
Troubleshooting: Data files can be located physically and virtually in the cloud environment.
Log monitoring: It assists in auditing and regulatory compliance (Thorpe et al., 2013).
Data Recovery: It helps to recover data that has been deleted accidentally. It also helps to recover encrypted data.
Tools and Methodologies
Cloud computing forensics uses certain procedures to carry out the forensic process. They are discussed below:
Data collection: This process deals with the identification and acquisition of forensic data from the various sources of information present in the cloud. The data can be either client-side or provider-side information. The tools used for collecting data differ between the service models of cloud computing. Data can be collected sequentially, depending on its volatility: data with high volatility can be collected first, and data with low volatility can be collected later.
Elastic, live and static forensics: The resources of cloud storage can be provisioned on the demand of the clients. The tools that are used in cloud computing can be elastic in nature. Most of the cases use live and static forensic tools. Examples of such cases are e-discovery, data recovery and data acquisition.
Evidence segregation: Cloud computing allows users to share resources over the Internet and save cost. It supports a multi-tenant environment. Procedures and tools for segregating forensic data present in the cloud need to be developed.
Investigation: Investigation can be carried out based on the data that are retrieved from the cloud platform. But the data present in the cloud are susceptible to various attacks.
Pro-active preparation: This stage involves designing of forensic-aware cloud apps. It also involves design principles, tracking authentication as well as access-control records.
The investigation framework of the MEGA case study is as follows:
Identification and collection: Evidence was collected from the internal memory of a Samsung Galaxy Tab II and the internal memory of an iPad. The network traffic was also monitored and captured with TCPDump.
Preservation: The entire acquired file was verified by calculating the MD5 hash value.
Examination and analysis: The images from the internal memory and backups were examined to determine the data remnants left by using the MEGA application on iOS and Android devices.
Procedures of Cloud Forensics
EDRM was downloaded in order to carry out the experiment. Separate experiments were conducted on the iOS and Android devices. Ten experiments were conducted, and the devices were reset. 0xED was used for Mac and Hex Workshop was used for the Android device, for the purpose of analyzing internal storage. The experiments conducted on the Android and iOS devices are shown in tabular format (Appendix 1 and 2).
Amazon S3, Google Docs, Evernote and Dropbox are models that help in the investigation process of cloud storage apps (Chung et al., 2012). Researchers have been able to recover data remnants, such as the username and the names of uploaded and downloaded files, from a Motorola Droid running Android 2.2.2 and an iPhone 4 running iOS 4.3.5, as well as from a Mac PC and a Windows PC (Grispos, Glisson & Storer, 2015). Windows 7 was investigated for the purpose of identifying forensic information from Google Docs, Dropbox, Flickr and PicasaWeb (Marturana, Me & Tacconi, 2012). Forensic tools can be injected into the virtual machines of Amazon EC2 (Dykstra & Sherman, 2012). Client as well as server analysis can also be carried out (Martini & Choo, 2013). There are other cloud forensic models that can be used for examining Google Drive and SkyDrive. These models were also able to determine whether the contents of files and documents had been altered (Quick & Choo, 2014). The non-preinstalled application document contents of iCloud remained unchanged; on the other hand, the MD5 hash values did not match and the timestamps had changed. There is a six-step process for collecting data programmatically from a remote location (Martini & Choo, 2014). A brief snapshot of cloud forensics research is presented in tabular form (Appendix 3).
Findings
A forensic process is sound and correct if certain key criteria are satisfied. These key criteria are as follows:
Meaning: This means that the data evidence that has been collected for the purpose of carrying out investigations based on digital forensics must not lose its real meaning as well as interpretation. The data must retain its integrity.
Error: Errors must be identified at the correct time so that they do not harm the validity of the information that was found. Hash functions can be used to identify errors during forensic collection.
Transparency: The forensic processes must be transparent so that the investigation is carried out in an effective and honest manner. This helps in validating the integrity of the process.
Experience: The individuals involved in a forensic investigation must have extensive knowledge and sufficient experience to investigate forensic data. Forensic investigation is carried out for extremely serious issues, and any fault in the process can harm individuals as well as organizations. Experience plays a significant role in cloud forensic investigations.
Findings from MEGA Case Study
To determine whether forensic data is sound, potential changes in document data and metadata during download and upload must be detected. In the MEGA case study, the MD5 hash value of each original file was calculated and compared with that of the file downloaded using the cloud application on the iOS and Android devices. The hash values of the original files matched those of the downloaded files exactly, which showed that no changes were made to the document and file contents during downloading and uploading. The timestamps of the original and downloaded documents were then compared using the stat command. The comparison showed that the timestamps differed between the two. All the timestamps were the same as those of the destination folders on all the devices. If the user modifies the date and time of the iOS or Android device before the download takes place, the timestamps of the downloaded file also change and do not match the timestamps of the original file that was uploaded.
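The comparison described above can be reproduced as follows. This is an added example, not code from the MEGA case study: the file names and sample bytes are constructed, and SHA-256 is computed alongside MD5 because MD5 is known to be open to collisions.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def digests(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests, reading in chunks so large files fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def compare_evidence(original, downloaded):
    """Compare content hashes and stat() modification times of two files."""
    o_md5, o_sha = digests(original)
    d_md5, d_sha = digests(downloaded)
    o_st, d_st = os.stat(original), os.stat(downloaded)
    return {
        "md5_match": o_md5 == d_md5,
        "sha256_match": o_sha == d_sha,
        "mtime_delta_s": d_st.st_mtime - o_st.st_mtime,
    }


def verdict(result):
    """Summarise the comparison in the terms used by the report."""
    if not (result["md5_match"] and result["sha256_match"]):
        return "content changed"
    if result["mtime_delta_s"] != 0:
        return "content unchanged, timestamps differ"
    return "content and timestamps unchanged"


def demo():
    """Constructed sample: identical bytes written at different times."""
    with tempfile.TemporaryDirectory() as tmp:
        # Hypothetical file names standing in for the uploaded and downloaded copies.
        original, downloaded = Path(tmp, "original.bin"), Path(tmp, "downloaded.bin")
        original.write_bytes(b"constructed sample evidence\n" * 1000)
        os.utime(original, (1_500_000_000, 1_500_000_000))  # back-date atime/mtime
        downloaded.write_bytes(original.read_bytes())       # stamped with the current clock
        return compare_evidence(original, downloaded)


if __name__ == "__main__":
    print(verdict(demo()))
```

The modification-time difference reflects the clock of the device that wrote the downloaded copy, so an examiner records it together with the matching hashes.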
Findings of the Android devices are as follows:
- It has been determined that whenever a user logs into the account using the application, the internal memory of the Android device stores the username.
- Decrypted files can also be determined.
- It has also been found that shared URL links can be created and saved to files. Files can be shared, depending on their settings.
Findings of the iOS devices are as follows:
- It was found that the ‘mega.ios.plist’ files could be recovered. The login details could also be found.
- It was also possible to recover uploaded files.
It is clear from the findings that the MEGA app could not modify the downloaded file contents. The hash values of the original and downloaded files remained the same. Only the timestamps were different (Quick & Choo, 2013). The timestamps were the same as those of the client devices. The URLs and IP addresses used by the app, server names, timestamps and the certification provider used by the cloud storage services could be determined. There are also certain challenges in cloud storage forensics.
Challenges in Cloud Forensics Investigations
Glossary
E-discovery: Electronic discovery (also called e-discovery or ediscovery) refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.
TCPDump: TCPDump is a common packet analyzer that runs under the command line.
MD5: The MD5 algorithm is a widely used hash function producing a 128-bit hash value. Although MD5 was initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities.
Amazon S3: Amazon Simple Storage Service is storage for the Internet. It is designed to make web-scale computing easier for developers.
VM: In computing, a virtual machine (VM) is an emulation of a computer system. Virtual machines are based on computer architectures and provide functionality of a physical computer.
URL: A Uniform Resource Locator (URL), colloquially termed a web address, is a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it. A URL is a specific type of Uniform Resource Identifier (URI), although many people use the two terms interchangeably.
IP: An Internet Protocol address (IP address) is a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication.
Conclusion
It can be concluded from this report that the MEGA app could not modify the downloaded file contents. This report gave a brief overview of the concept of cloud forensics and its uses. It stated that a forensic process is sound and correct if certain key criteria are satisfied. The hash values of the original and downloaded files remained the same; only the timestamps were different. The report also discussed the procedures that cloud forensics uses to carry out the cloud storage forensic process, such as data collection and evidence segregation.
References
Chung, H., Park, J., Lee, S., & Kang, C. (2012). Digital forensic investigation of cloud storage services. Digital investigation, 9(2), 81-95.
Daryabar, F., Dehghantanha, A., & Choo, K. K. R. (2017). Cloud storage forensics: MEGA as a case study. Australian Journal of Forensic Sciences, 49(3), 344-357.
De Marco, L., Kechadi, M. T., & Ferrucci, F. (2013, September). Cloud forensic readiness: Foundations. In International Conference on Digital Forensics and Cyber Crime (pp. 237-244). Springer, Cham.
Dykstra, J., & Sherman, A. T. (2012). Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and evaluating tools, trust, and techniques. Digital Investigation, 9, S90-S98.
Grispos, G., Glisson, W. B., & Storer, T. (2015). Recovering residual forensic data from smartphone interactions with cloud storage providers. arXiv preprint arXiv:1506.02268.
Martini, B., & Choo, K. K. R. (2013). Cloud storage forensics: ownCloud as a case study. Digital Investigation, 10(4), 287-299.
Martini, B., & Choo, K. K. R. (2014, September). Remote programmatic vCloud forensics: a six-step collection process and a proof of concept. In Trust, Security and Privacy in Computing and Communications (TrustCom), 2014 IEEE 13th International Conference on (pp. 935-942). IEEE.
Marturana, F., Me, G., & Tacconi, S. (2012, October). A case study on digital forensics in the cloud. In Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), 2012 International Conference on (pp. 111-116). IEEE.
Poisel, R., Malzer, E., & Tjoa, S. (2013). Evidence and Cloud Computing: The Virtual Machine Introspection Approach. JoWua, 4(1), 135-152.
Quick, D., & Choo, K. K. R. (2013). Forensic collection of cloud storage data: Does the act of collection result in changes to the data or its metadata?. Digital Investigation, 10(3), 266-277.
Quick, D., & Choo, K. K. R. (2014). Google drive: forensic analysis of data remnants. Journal of Network and Computer Applications, 40, 179-193.
Ruan, K., & Carthy, J. (2012, October). Cloud forensic maturity model. In International Conference on Digital Forensics and Cyber Crime (pp. 22-41). Springer, Berlin, Heidelberg.
Ruan, K., Carthy, J., Kechadi, T., & Baggili, I. (2013). Cloud forensics definitions and critical criteria for cloud forensic capability: An overview of survey results. Digital Investigation, 10(1), 34-43.
Thorpe, S., Grandison, T., Campbell, A., Williams, J., Burrell, K., & Ray, I. (2013, June). Towards a forensic-based service oriented architecture framework for auditing of cloud logs. In Services (SERVICES), 2013 IEEE Ninth World Congress on (pp. 75-83). IEEE.