Industry Roundup: Cloud Forensics

by Christa Miller

Only a few short years ago, the idea of recovering forensic data from the cloud seemed like either troubling overreach, or unnecessarily redundant given the availability of evidence from mobile devices.

As encryption became more prevalent on those, however, law enforcement has increasingly come to rely on cloud-based evidence to build cases. The law appears to be catching up, too, with legislation like the United States’ Clarifying Lawful Overseas Use of Data (CLOUD) Act and California’s new GDPR-style Consumer Privacy Act, along with decisions like last September’s Google LLC v. CNIL, in which a European court held that Europe’s “right to be forgotten” only applies to EU citizens. 

Cloud-based evidence has relevance to civil cases as well as criminal. Business documents are increasingly stored on cloud servers owned by Dropbox, Box.com, Microsoft OneDrive, Google, and many others. Many organizations and individuals also rely on cloud-based messaging platforms like Slack, Microsoft Teams, and Google Hangouts.

However, cloud forensic extractions aren’t as easy as importing data from cloud to tool. In some countries including the United States, this is seen by courts as overreach, with social media and cloud storage accounts — and preferably, specific data types — required to be enumerated and limited to specific date and time ranges in government search warrants.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

It can also be challenging to import data in a usable way. Whether directly to the tool from a provider’s API, or using a JSON file export from a provider, data from cloud-based sources typically requires additional processing or conversion rather than data retrieved from an operating system. Each provider has its own data structure to work within its own interface, and even using API developer kits, forensic tools can struggle to normalize different fields for processing, indexing, and search — to give it analytic value.

Joseph Pochron, Senior Manager, Forensic & Integrity Services in Privacy & Cyber Response at EY, explains that a native JSON dump from software may not be useful until it’s interpreted. As a result, he says, “Someone needs to review or analyze that data, which really can’t be done until that data’s been converted to something friendlier to the human eye.”

A related issue is the discovery process. Pochron says that rather than produce JSON files for opposing counsel, text or HTML is going to be a preferred native format. “JSON is a poor format for legal discovery,” says Pochron, “and lawyers want data interpretable.” At the same time, he adds, “Big Law” firms will need assistance with converting that data for review.

But cloud providers aren’t the only source of cloud-based data, and the notion of a “native format” is changing as a result. “What’s the native file format of an SMS?” Pochron says by way of example. “The entry? The database? The table entry? The forensic tool needs to normalize this.”

That way, it can capture the metadata along with the content. This is important when it comes to patterns in the metadata, especially when it comes to legal holds, because metadata can show whether data was modified or altered in any way before discovery. “If iMessages are set to delete every 30 days, was this intentional or automated?” Pochron says, adding that historical patterns can help to answer questions whose answers could be very costly for a litigant.

When it comes to APIs, a forensic tool is only as good as what the API makes available. In some cases, this may not be enough data; for example, Slack offers audit log data highly beneficial to forensic investigators and cybersecurity professionals, but this feature is not available to non-enterprise plans. On the flip side, applications like ZenDesk offer limited search capabilities through their APIs, often resulting in a need to export high volumes of data.

Pochron says providers can differ widely in what they offer in terms of granularity, deep dives, and data targeting. For example, a personal social media download may not make it possible to acquire messages from just one person. In contrast, popular email platforms now have built-in e-discovery tools, which offers “very clear, defined platforms for governance and retention,” says Pochron. “You can acquire a wide range of products, as well as run complex searches to cull the dataset at the point of collection.” Furthermore, he adds, at least one has recently added advanced processing capabilities like optical character recognition (OCR).

Pochron anticipates that artificial intelligence (AI), which is already being adopted in this space,  will continue to help in this area. He says automation using AI could also help to reduce the time humans would otherwise need to take scripting, converting, or dealing with other tricky scenarios with big data.

Until then, a number of forensic tool manufacturers make cloud forensic acquisition and analysis possible through dedicated or built-in tools. In this article, we round them up.

AccessData

AccessData’s new AD eDiscovery® 6.2 allows users to quickly collect data in the cloud from Office 365, SharePoint®, OneDrive® for Business and Office 365 Exchange. It is a next-generation e-discovery software product equipped with faster indexing and processing speeds that can be unleashed on data collected from the cloud.

Belkasoft Evidence Center

Belkasoft Evidence Center supports acquisition and analysis of a number of services. Among supported clouds are iCloud  (calendar, drive, photos, etc), Google Cloud (Drive, Gmail, Keep, and Timeline), WhatsApp, Instagram and a few dozens of webmail services. The product uses various authentication methods including user credentials, consent screen, and refresh tokens, retrieved from digital devices. Email from nearly 30 webmail clients, including Gmail, Yahoo! Mail, Hotmail, and more is available, along with messaging services from WhatsApp, Instagram, and others.

Cellebrite UFED Cloud Analyzer

UFED Cloud Analyzer was an early entrant to the field of forensic cloud data extraction. Today, the software supports the extraction, preservation, and analysis of data from both public feeds and private accounts among more than 50 social media, messaging, file storage, web page and other sources.

Cellebrite stresses its tool’s ability to help users comply with search and seizure requirements in their countries, whether they’re relying on the subject’s login credentials — either provided by them, or extracted from digital media or personal files — or via some other access method. Public data available for analysis from social media like Facebook, Twitter and Instagram includes shared location information, profiles, images, files, and communications.

Additionally, Chrome and Safari text search history on iOS devices backed up in iCloud, visited pages, voice-search recordings, foreign-language translations from Google web history, and Google Location History are all supported.

The software normalizes data across these sources, making it possible for users to search, filter and sort by Timeline, File Thumbnails, Contacts or Maps. The extraction process is logged, with each piece of extracted data hashed so that it can be compared later on with the original. Finally, cloud extractions are shareable via dynamic reports and exportable into Cellebrite’s Analytics Series or other advanced analytical tools.

UFED Cloud Analyzer is backed up by Cellebrite certification training courses including Cellebrite Social Network Investigations (CSNI), Cloud Extraction and Reporting (CLEAR), and Cellebrite Digital Forensics for Legal Pros (CDFL).

Elcomsoft Cloud eXplorer

Elcomsoft focuses on Google with its cloud extraction tool, enabling users to “extract significantly more information than available via Google Takeout,” according to its website. With both Windows and Mac versions, Cloud eXplorer is targeted both to law enforcement and IT security customers who need to access Google Account data to determine whether anything illegal or otherwise illicit has taken place.

Elcomsoft makes it possible for examiners to authenticate an account without a password and bypass two-factor authentication (2FA). This capability is based on Elcomsoft’s binary authentication token workaround, which allowed users to access Apple iCloud backups and synced data without the password.

Over-the-air acquisition is supported, enabling users to acquire user passwords, contacts (including those synced from mobile devices), and Google Drive files. Email is available via the Gmail API. Subjects’ location history — including enhanced mapping data such as routes and places — Hangouts Messages, Google Keep notes, Calendars, and stored Google Photos images are also available. A built-in viewer allows users to search, filter and analyze information.

Advising that some Google Chrome data may be encrypted with an additional password, Elcomsoft states that Cloud eXplorer can decrypt information with the correct password. Available Chrome data includes browsing history, search history and page transitions, synced bookmarks, Web forms, and logins and passwords.

Cloud eXplorer also supports SMS text messages for Android 7 (Nougat), Google Pixel and Pixel XL smartphones, as well as devices running Android 8 (Oreo) and above. Additional mobile data includes call logs and saved wi-fi SSIDs and passwords.

Elcomsoft states that Cloud eXplorer requires “no special expertise and no prior training” to obtain cloud-based data.

F-Response Universal with Cloud Collector

F-Response is designed for e-discovery, incident response, and digital forensics professionals in enterprise environments, with the result that its newly launched Universal software (v8) provides support for collecting remote cloud data stores — Amazon S3, Box.com, Dropbox, Gmail, Google Drive, GSuite, Microsoft Office 365, and OneDrive in VHD or local files and folder format.

F-Response has worked to improve its cloud collection process throughout 2019, including:

  • Handling large Dropbox files and the ability to more rapidly stream content to disk
  • Automatically redirecting the F-Response OAuth Helper callback model to a localhost bound service to collect data from Google and other providers 
  • Modifying the PowerShell script for the Client Credential Flow key generation process for Microsoft Office 365 

F-Response Universal collects the data directly to VHD or local share, making for a faster collection with reduced provider throttling.

HancomGMD MD-CLOUD

MD-CLOUD supports acquisition from major cloud services including (Drive, Docs, Photo, Calendar, Contacts, Location History and more), iCloud(Drive, Photo, Reminder, Note, Calendar, Contacts, etc), Samsung Cloud(Drive, Photo, IoT), email such as IMAP or POP3 including Gmail, Evernote, Google Takeout, Microsoft OneDrive, Twitter, Instagram, Tumblr, and some eCommerce apps. Besides, it supports data collection from the Baidu Cloud in China, Naver Cloud in Korea, and IoT data extraction from AI-powered speakers and smart home kits using both official and unofficial APIs for authentication. A web capturing feature is also supported for the collection of data from public web pages without an API.

Authentication via user ID and password, two-factor authentication, Captcha, and credentials are all supported in MD-CLOUD, along with session tokens acquired with MD-RED, HancomGMD’s forensic data analysis software, with which it integrates fully.

MD-CLOUD has a category-based viewer and each category is separated based on account holder’s credentials. MD-CLOUD also supports the auto-tagging algorithm which allows examiners to search and filter items with ease. Users can create and reuse multiple workviews based on the various filter and sorting configurations. MD-CLOUD has a Timeline-View and Summary-Chart which allow users to see all kind of activity flows such as, at a particular time user sends the email, uploads data into multiple cloud servers, etc. based on time.

MD-CLOUD creates reports in PDF and Excel formats, as well as exporting cloud data files.

Magnet AXIOM

Cloud acquisition and analysis capabilities are natively integrated into Magnet AXIOM. In addition to being able to acquire evidence from the most forensically relevant cloud services with user credentials or tokens and keychains from mobile devices, Magnet AXIOM can ingest and analyze warrant returns, publicly available information, and user-generated archives.

AXIOM can be used to:

  • Ingest warrant returns from Apple, Facebook, Instagram, Snapchat, and Google
  • Use publicly available information (posts, followers/following, etc.), from Twitter and Instagram (using a username or hashtag)
  • Ingest and analyze user-requested archive files (e.g. Google Takeout or Facebook “Download My Data”)
  • Access cloud accounts via user credentials from 50+ of the most forensically relevant cloud services including Apple, Google, Facebook, Microsoft, Slack, Dropbox, and Twitter, including metadata and audit logs
  • Access accounts with third-party tokens and keychains acquired from mobile devices
  • Recover and decrypt iCloud backup data for iOS 11 and iOS 12 backups

Because of the wealth of data available from so many sources, AXIOM additionally makes it possible for users to selectively acquire cloud-based artifacts.

MSAB XRY Cloud

A separate part of the XRY software, XRY Cloud can be used on its own, or as part of the wider MSAB Ecosystem suite of tools.

XRY Cloud relies on mobile device tokens, with or without the device in custody. With the device, the extraction is similar to any other device acquisition; without the device, the user can rely on known credentials to try to acquire data from apps that XRY supports.

From there, XRY Cloud’s “Automatic Mode” allows users to click from recovered app tokens and artifacts straight to the cloud to collect the data (assuming proper legal authority). This capability requires internet connectivity. XRY Cloud stores the data from disparate sources in a single XRY Case File.

Social media and app-based data from services such as Facebook, Google, iCloud, Twitter, Snapchat, WhatsApp, Instagram and more are all supported, along with connected cloud storage solutions including Facebook, Google, iCloud, Twitter and Snapchat.

Finally, XRY can decode Android file metadata from apps like Dropbox and Google Drive, regardless of whether file content is available on a device. From there, users can search these cloud-based data sources either via XRY Cloud or by serving the providers with legal orders to search.

Onna

Onna is marketed more as an e-discovery tool than as a digital forensics tool, but when it comes to cloud acquisitions, there may be some overlap. In particular, Onna’s e-discovery focus means it integrates with the most popular enterprise cloud apps, including GSuite, Office 365, and Slack Enterprise. 

Relying on what it calls “pre-trained categories,” Onna immediately identifies certain document types (e.g. contracts) from all unstructured data found within cloud apps. This capability can help with early case assessment.

Natural language processing and optical character recognition (OCR) make processed data fully searchable. Targeted searches are possible via text modifiers and pre-trained categories.

Onna is designed to facilitate real-time collaboration across internal and external legal teams, service providers, and others involved in the e-discovery process. Export of filtered data in CSV, DAT, or custom files is also possible to review the data in Relativity or other platforms.

OpenText

EnCase Forensic’s connectors enable the acquisition of cloud-based evidence, including email and other content, from Microsoft Office 365 and Exchange along with Box, Dropbox, Amazon S3, and Google Drive. On-premise collection is also supported, with EnCase collecting data in the background for direct preservation via an LX01/L01 file.

Courts can sanction organizations if reasonable steps are not taken to preserve electronic data. EnCase eDiscovery enables investigators to precisely collect and preserve potentially relevant data, either on the premises or in the cloud, with a defensible process that ensures strict chain of custody.

Oxygen Forensic Cloud Extractor

Built into Oxygen Forensic Detective at no additional charge, Oxygen Forensics Cloud Extractor supports 77 cloud, social media, and email services including Microsoft, Google, Samsung cloud, Huawei cloud, iCloud, Mi Cloud, Facebook, Twitter, Instagram, Amazon Alexa, WhatsApp, WickrMe, Viber, Line, Telegram, IMAP email servers, and many more.

The process starts with Oxygen Forensic Detective, which automatically finds and decodes both account credentials and tokens from Apple iOS and Android devices even if this data is securely encrypted. In addition, Oxygen Forensic KeyScout, which is available at no additional charge within Oxygen Forensic Detective, can collect and decrypt passwords and tokens on Windows, MacOS and Linux machines.

An exclusive cloud-based WhatsApp backup decryption method is available, along with WhatsApp extraction via QR code. iCloud decryption is also supported with Oxygen Forensic Detective.

After validating the credentials and logging in to extract the data, Oxygen Forensic Cloud Extractor can collect according to a specific time range. It provides detailed extraction logs upon completing acquisition.

Following collection, Oxygen Forensic Detective merges the cloud data with other acquired mobile and computer evidence for analysis. The data can be viewed, sorted, and filtered through a number of different views, including maps, social graphs, timelines, facial recognition and image categorization, and others. It can also be exported in PDF, XLS, XML, and other formats, or saved to backup for sharing with colleagues.

Paraben E3 Forensic Platform

Included in many of the E3 Forensic Platform licenses are wizards to allow you collect data from the cloud. Paraben’s Cloud Import Wizard helps investigators obtain cloud-based data using account credentials either entered manually, or imported from the data acquired from a mobile device.

E3:DS, one of the E3 Forensic Platform licenses, supports cloud data from iOS and Android app versions of Facebook, Gmail, Amazon Alexa, Google Locations, and Google Drive. E3 collects authentication tokens and credentials for these apps to collect the data.

Paraben also supports cloud data from both Microsoft Azure and Amazon Web Services.


Collecting cloud-based data walks a delicate line between obtaining readily available evidence needed to build cases, and not running afoul of legal privacy protections or company policy. As always, consult an attorney in your jurisdiction or organization before deploying cloud forensic tools.

Leave a Comment

Latest Videos

Digital Forensics News Round Up, March 27 2024 #dfir #digitalforensics

Forensic Focus 24 hours ago

Digital Forensics News Round-Up, March 21 2024 #digitalforensics #dfir

Forensic Focus 21st March 2024 6:15 pm

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles