Syngress Publishing Cloud Storage Forensics (2014) by Unknown

Author: Unknown
Format: epub
Published: 0101-01-01T00:00:00+00:00



CHAPTER 5 Forensic Analysis of Cloud Storage Data Remnants

Table 5.1 Example of Snapshot.db SQLite File Contents for enron.jpg File

Resource id: “file:XXwUTD1c9KXiMXXJCVXFsZElqRkE”
Filename: “Enron3111.jpg”
Modified: “1328766794” (DCode Unix Numeric Value = Thu, 09 February 2012 15:23:14. +0930)
Created: “1339309046” (DCode Unix Numeric Value = Sun, 10 June 2012 15:47:26. +0930)
Acl role: “0”
Doc type: “1”
Removed: “0”
URL: “https://docs.google.com/file/d/XXwUTD1c9KXiMXXJCVXFsZElqRkE/edit”
Size: “315868”
Checksum: “77638319ea64cc1b70d4d4f20a56295d”
Shared: “0”
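The decoding shown in Table 5.1 can be reproduced and a recovered file checked against its record, as in this added example, which is not code from the book. The table name cloud_entry and the column names are assumptions modelled on the field labels above, the checksum is assumed to be MD5 from its 32 hex digits, and the second row and SAMPLE_BYTES are constructed.

```python
import hashlib
import sqlite3
from datetime import datetime, timedelta, timezone

# UTC+09:30, the offset shown in Table 5.1's decoded values.
EXAMINER_TZ = timezone(timedelta(hours=9, minutes=30))
# Constructed bytes standing in for a recovered file (not the real Enron3111.jpg).
SAMPLE_BYTES = b"constructed sample content"

def build_sample_db():
    """In-memory stand-in for snapshot.db; table and column names are assumed."""
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.execute(
        "CREATE TABLE cloud_entry (resource_id TEXT, filename TEXT, "
        "modified INTEGER, created INTEGER, removed INTEGER, "
        "size INTEGER, checksum TEXT)"
    )
    rows = [
        # Values as listed in Table 5.1.
        ("file:XXwUTD1c9KXiMXXJCVXFsZElqRkE", "Enron3111.jpg", 1328766794,
         1339309046, 0, 315868, "77638319ea64cc1b70d4d4f20a56295d"),
        # Constructed row whose size and checksum match SAMPLE_BYTES.
        ("file:CONSTRUCTED", "sample.bin", 1328766794, 1339309046, 0,
         len(SAMPLE_BYTES), hashlib.md5(SAMPLE_BYTES).hexdigest()),
    ]
    con.executemany("INSERT INTO cloud_entry VALUES (?,?,?,?,?,?,?)", rows)
    return con

def decode_ts(value, tz=EXAMINER_TZ):
    """Render a Unix timestamp in the layout of Table 5.1's decoded values."""
    fmt = "%a, %d %B %Y %H:%M:%S %z"
    return datetime.fromtimestamp(int(value), tz).strftime(fmt)

def entry(con, filename):
    """Fetch one record and attach decoded local and UTC timestamps."""
    row = con.execute(
        "SELECT * FROM cloud_entry WHERE filename = ?", (filename,)).fetchone()
    rec = dict(row)
    rec["modified_local"] = decode_ts(rec["modified"])
    rec["created_local"] = decode_ts(rec["created"])
    rec["modified_utc"] = decode_ts(rec["modified"], timezone.utc)
    return rec

def matches_record(data, rec):
    """True when recovered bytes agree with the recorded size and MD5."""
    return (len(data) == rec["size"]
            and hashlib.md5(data).hexdigest() == rec["checksum"].lower())
```
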

Also of note is that the password for the Google Drive user account was located in cleartext within the file “C:\Users\[username]\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\{F9C06D05-B2C2-11E1-B53F-000C29985EDE}.dat” near the text “&Passwd=”, such as:

&ktl=&ktf=&Email=username@mail.com&Passwd=XXXXXXXX&PasswdAgain=XXXXXXX

This information was located within the IE Upload-VM and also in System Volume Information Restore Points. The password in the file was not observed when the other browsers were used. While this may be beneficial to a forensic investigation, this also presents a security risk to users. Subashini and Kavitha (Subashini et al., 2011) explained that “[m]alicious users can exploit weaknesses in the data security model to gain unauthorized access to data.” A password and username stored within files on a hard drive could easily be discerned by a criminal user who has gained remote access to a victim’s computer using a common exploit, and could be used to extract data from an account or to store illicit data in the victim’s account.
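A sweep for this kind of remnant, as an added example that is not from the book: it searches a binary blob for the “&Email=…&Passwd=” form fields quoted above in both ASCII and UTF-16LE (the second encoding, the value character class and the 128-character limit are assumptions) and reports offsets with the password reduced to its length. The sample blob is constructed.

```python
import re

# Field names come from the page's sample; the value character class and the
# 128-character limit are assumptions made for this example.
_VAL = rb"([^&\x00\r\n]{1,128})"
_WVAL = rb"((?:[^&\x00\r\n]\x00){1,128})"

def _wide(text):
    """Regex-escaped UTF-16LE form of a literal marker."""
    return re.escape(text.encode("utf-16-le"))

PATTERNS = {
    "ascii": re.compile(rb"&Email=" + _VAL + rb"&Passwd=" + _VAL),
    "utf-16-le": re.compile(
        _wide("&Email=") + _WVAL + _wide("&Passwd=") + _WVAL),
}

def find_credential_remnants(blob):
    """Return redacted findings for login form bodies left in a binary blob."""
    findings = []
    for encoding, pattern in PATTERNS.items():
        for m in pattern.finditer(blob):
            email = m.group(1).decode(encoding, errors="replace")
            password = m.group(2).decode(encoding, errors="replace")
            findings.append({
                "offset": m.start(),
                "encoding": encoding,
                "email": email,
                # Only the length is kept so the secret never reaches a report.
                "password_length": len(password),
            })
    return sorted(findings, key=lambda f: f["offset"])

def build_sample_blob():
    """Constructed bytes imitating a recovery file; not from a real case."""
    body = ("&ktl=&ktf=&Email=username@mail.com"
            "&Passwd=XXXXXXXX&PasswdAgain=XXXXXXX")
    return (b"\xd0\xcf\x11\xe0" + b"\x00" * 12 + body.encode("ascii")
            + b"\x00\xff\x00\xff" + body.encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    for finding in find_credential_remnants(build_sample_blob()):
        print(finding)
```
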

When installed, the Google Drive client software ran automatically when the Windows operating system started and logged in to the user account without prompting for a password. This can be of assistance in an investigation, as a forensic copy of a seized computer hard drive can be used with software which will allow the forensic copy to be run within a virtual environment. Software such as Virtual Forensic Computing or LiveView will scan the forensic image of a hard drive and prepare the requisite files to run an operating system on a hard drive within VMware Player. In tests conducted, when the forensic copy of a hard drive contains the Google Drive client software with a user account and password already stored, the PC when started in a VM automatically signed in to the Google Drive account. This process will provide a practitioner access to the files stored within the Google Drive user account (once synchronized). In addition, there was an option with the Google Drive client software from the Google Drive icon at the bottom right of the Desktop on Windows 7 labeled “visit Google Drive on the web” which when selected resulted in the opening of the default browser and provided full access to the Google Drive account, including the ability to view user activity, all items, and view the modified, edited, and last opened dates for files.

In a forensic environment, care would need to be taken when connecting a forensic image to the Internet. Legal authority would be required to ensure a practitioner has the appropriate authority within their jurisdiction to examine the data stored within the cloud storage account, which could potentially be stored overseas or in another jurisdiction. For example, in Australia, Section 3L of the Crimes Act 1914 (Cth) has a provision for the executing officer of a warrant to access data which includes data not held at the premises, i.e., accessible from a computer or data storage device.


