Recovering Residual Forensic Data from Smartphone Interactions with Cloud Storage Providers

TL;DR

This paper explores how forensic tools can recover residual data from smartphones to aid investigations of cloud storage services, highlighting the potential of end-device data to reveal cloud-stored evidence.

Contribution

It demonstrates that smartphones can provide partial evidence of cloud data, compares recovery effectiveness across app versions, and documents artefacts on iOS and Android devices.

Findings

Smartphones retain data from cloud storage apps.

Multiple device data amalgamation improves evidence completeness.

Different app versions produce varying artefacts and recoverable files.

Abstract

There is a growing demand for cloud storage services such as Dropbox, Box, Syncplicity and SugarSync. These public cloud storage services can store gigabytes of corporate and personal data in remote data centres around the world, which can then be synchronized to multiple devices. This creates an environment which is potentially conducive to security incidents, data breaches and other malicious activities. The forensic investigation of public cloud environments presents a number of new challenges for the digital forensics community. However, it is anticipated that end-devices such as smartphones, will retain data from these cloud storage services. This research investigates how forensic tools that are currently available to practitioners can be used to provide a practical solution for the problems related to investigating cloud storage environments. The research contribution is threefold. First, the findings from this research support the idea that end-devices which have been used to access cloud storage services can be used to provide a partial view of the evidence stored in the cloud service. Second, the research provides a comparison of the number of files which can be recovered from different versions of cloud storage applications. In doing so, it also supports the idea that amalgamating the files recovered from more than one device can result in the recovery of a more complete dataset. Third, the chapter contributes to the documentation and evidentiary discussion of the artefacts created from specific cloud storage applications and different versions of these applications on iOS and Android smartphones.