Ubuntu One Investigation: Detecting Evidences on Client Machines

TL;DR

This study investigates digital evidence remnants on client devices after user interactions with Ubuntu One cloud service across multiple operating systems, aiding digital forensic investigations.

Contribution

It provides a systematic analysis of artifacts left by Ubuntu One activities on Windows, Mac OS X, and iOS devices, enhancing forensic evidence identification.

Findings

Evidence found in databases and log files

Remnants in device memory and network traffic

Artifacts vary across operating systems

Abstract

STorage as a Service (STaaS) cloud services has been adopted by both individuals and businesses as a dominant technology worldwide. Similar to other technologies, this widely accepted service can be misused by criminals. Investigating cloud platforms is becoming a standard component of contemporary digital investigation cases. Hence, digital forensic investigators need to have a working knowledge of the potential evidence that might be stored on cloud services. In this chapter, we conducted a number of experiments to locate data remnants of users' activities when utilizing the Ubuntu One cloud service. We undertook experiments based on common activities performed by users on cloud platforms including downloading, uploading, viewing, and deleting files. We then examined the resulting digital artifacts on a range of client devices, namely, Windows 8.1, Apple Mac OS X, and Apple iOS. Our examination extracted a variety of potentially evidential items ranging from Ubuntu One databases and log files on persistent storage to remnants of user activities in device memory and network traffic.