SugarSync forensic analysis

Australian Journal of Forensic Sciences
Publisher: Taylor & Francis
Publication details, including instructions for authors and subscription information: http://www.tandfonline.com/loi/tajf20

SugarSync forensic analysis
Mohammad Shariati a, Ali Dehghantanha a & Kim-Kwang Raymond Choo b
a School of Computing, Science and Engineering, University of Salford, Greater Manchester, UK
b School of Information Technology & Mathematical Sciences, University of South Australia, Adelaide, Australia
Published online: 08 Apr 2015.

To cite this article: Mohammad Shariati, Ali Dehghantanha & Kim-Kwang Raymond Choo (2015): SugarSync forensic analysis, Australian Journal of Forensic Sciences, DOI: 10.1080/00450618.2015.1021379

To link to this article: http://dx.doi.org/10.1080/00450618.2015.1021379


SugarSync forensic analysis

Mohammad Shariati a, Ali Dehghantanha a* and Kim-Kwang Raymond Choo b

a School of Computing, Science and Engineering, University of Salford, Greater Manchester, UK; b School of Information Technology & Mathematical Sciences, University of South Australia, Adelaide, Australia

(Received 5 October 2014; accepted 26 January 2015)

Cloud storage services are popular with both individuals and businesses as they offer cost-effective, large capacity storage and multi-functional services on a wide range of devices such as personal computers (PCs), Mac computers, and smart mobile devices (e.g. iPhones). However, cloud services have also been known to be exploited by criminals, and digital forensics in the cloud remains a challenge, partly due to the diverse range of cloud services and devices that can be used to access such services. Using SugarSync (a popular cloud storage service) as a case study, research was undertaken to determine the types and nature of volatile and non-volatile data that can be recovered from Windows 8, Mac OS X 10.9, Android 4 and iOS 7 devices when a user has carried out different activities such as upload and download of files and folders. We then document the various digital artefacts that could be recovered from the respective devices.

Keywords: cloud forensic; SugarSync; digital forensics; cloud storage forensic

1. Introduction

Cloud storage services such as Dropbox and SugarSync are increasingly popular with both individual consumers and organisations. Cloud storage, also known as STorage as a Service (STaaS), is an architectural model in which cloud service providers (CSPs) offer elastic and scalable space to potential customers where data can be stored, shared and accessed anywhere, anytime using internet-connected devices (e.g. mobile devices and personal computers). A report by Gartner, for example, suggested that the trend among end users is a shift away from personal computers to portable devices and that the personal cloud will replace the personal computer by 2014 [15].

Cloud storage services, like any other technologies, are vulnerable to attack and exploitation by criminals, such as compromising cloud servers to exfiltrate user data, and to store or distribute illegal contents [9,17]. The 2011 online data breach involving the misuse of Amazon servers by cybercriminals to cripple Sony PlayStation Network [3] is a stark reminder that threats by and to cloud services are real and can have real-world implications for both individual and organisational users.

As a number of researchers have pointed out, the use of cloud storage services by criminals has complicated investigation and forensic examinations [2,4,6,7,12]. It is unlikely that conventional digital forensic techniques can be used to identify and seize evidential data from the cloud as data would probably be distributed worldwide and in different data-centres. As Quick and Choo [10–12] had posited, it is imperative that forensic examiners are knowledgeable (or have access to such information) about popular cloud storage services as well as the data artefacts and remnants that can be accessible from client devices in order to identify, preserve and analyse evidential data in cases involving the use of cloud (storage) services.

*Corresponding author. Email: [email protected]

© 2015 Australian Academy of Forensic Sciences

SugarSync is one popular cloud storage service that enables file hosting and sharing on a wide range of devices. In 2014, SugarSync was ranked as one of the top five best cloud storage and online backup solutions [1]. SugarSync used to provide 5 GB of free data storage space. However, from February 2014, SugarSync is on a paid-only model. The service can be accessed via a browser (e.g. Internet Explorer) or a client application that is available for Windows and Mac personal computers, and iOS, Android, Blackberry, Symbian and Windows mobile devices. Similar to other popular cloud storage services studied by Quick and Choo [10–12], Ruan et al. [14] and Hale [5], SugarSync is capable of uploading, downloading and synchronising files and folders. However, the SugarSync client application allows the user to upload a folder in a magic briefcase, and any folder can be easily uploaded using drag-and-drop into the client application. In addition, the SugarSync client application does not limit the upload of a file bigger than 300 MB, a limit typically imposed by other cloud storage applications.

In this paper, we examine SugarSync with the aim of answering the following research questions.

(1) What data can be found in a device’s persistent storage after the user had used SugarSync client software and can the locations of data remnants within Windows 8, Mac OS X 10.9, Android 4 and iOS 7 devices be found?

(2) What data can be found in a device’s persistent storage after the user had used SugarSync via a web browser?

(3) What data can be seen in live memory on the Windows 8, Mac OS X 10.9, Android 4 and iOS 7 devices of a SugarSync user?

(4) What data can be captured from network traffic after SugarSync had been accessed on Windows 8, Mac OS X 10.9, Android 4 and iOS 7 devices?

This paper is organised as follows. In the next section, we briefly review existing literature. Our experimental setup is detailed in Section 3. We describe our findings and conclude our paper in the final two sections.

2. Related works

Although challenges faced by forensic investigators in cases involving the use of cloud services are well documented, including technical, legal and policy issues [4,6,8,22], it should be noted that the number of academic publications with a technical focus on cloud forensics is relatively few compared with established disciplines, such as information and network security. It has been pointed out that ‘in recent months, a small number of papers discussing the forensic collection of cloud storage products have appeared, and their focus is on the client side digital forensic process assumedly due to the difficulties in obtaining access to a cloud provider’s data centre to conduct server analysis’ [18].

The first cloud forensic framework was proposed by Martini and Choo [7], and this was subsequently validated using ownCloud [8], Amazon EC2 [16], XtreemFS [18], and vCloud [19]. Another cloud forensic framework was proposed a year later by Quick and Choo [10] and validated using Dropbox [11], SkyDrive [10] and Google Drive [13]. These two frameworks were subsequently merged into one [9].

Other researchers have also attempted to extract evidential data from data remnants on client devices when a cloud storage service has been accessed on these devices. For example, Chung et al. [2] analysed Amazon S3, Google Docs and Evernote and, based on the findings, presented a plan to collect data from personal computers and mobile devices. Hale [5] studied the Amazon cloud drive on Windows XP and Windows 7 computers.

The cloud forensics ‘space’ can be seen as a race, not only to keep up with device (i.e. hardware) and software releases by providers, but also to keep up with new cloud services that may result in a variation of the type of data that can be collected. The challenges faced by digital forensic researchers and practitioners are compounded due to the constant evolution of cloud security threats and vulnerability, partly in response to defensive actions or crime displacement [20]. As noted in a 2014 National Institute of Standards and Technology’s draft report [21] and in a recent review of cloud forensics literature,

Work in the cloud forensics field will be ongoing for as long as cloud computing continues to change and evolve. For example, there is a need for in-depth product analysis … to determine the best practices for cloud computing investigations that are inclusive of all potential evidence sources [22]

The aim of this paper is to contribute to this knowledge gap by investigating another popular cloud storage service, namely SugarSync, on a range of popular devices and computers running the two most popular OS.

3. Experiment setup

Our experiments comprised five settings, each based on different operating systems (OS) and different ways of access to SugarSync:

(1) Windows browser-based (see Section 3.1);
(2) Windows app-based (see Section 3.2);
(3) Mac OS X app-based (see Section 3.3);
(4) Android app-based (see Section 3.4); and
(5) iOS app-based (see Section 3.5).

The version of SugarSync used in our experiments is 2.0.42.120603.20131120, which allowed the user to store up to 5 GB free storage for a period of three months.

In these experiments, we performed a series of upload, download, open and delete operations on our sample data-set. Similar to Quick and Choo [10–13], we used the Enron email data-set downloaded from the project website (http://bailando.sims.berkeley.edu/enron_email.html) on 9 December 2013. The text contents of the 13,100 email messages were copied and saved in ‘rtf’ and ‘txt’ text files. The text contents were also copied and saved in a Word 2013 document (i.e. ‘docx’ format). A picture file in ‘jpg’ format was also created from the email message. Our data-set also included the following files from datasets used in the digital forensic research workshop challenge 2013 (see http://www.dfrws.org/2013/challenge/index.shtml, downloaded on 9 December 2013).

• dfrws-13-challenge-tests.zip
• 13100.docx
• 13100.jpg
• 13100.rtf
• 13100.txt

VMware Player 6.0.1 build-1379776 was used to build the virtual machines (VMs) for our experiments, and Windows 8 64-bit was used in the Windows-based experiments with the default configuration. Each VM, configured with one CPU, 2 GB of RAM and 20 GB of hard disc, was used as the base VM in the Windows-based experiments. The software configuration is shown in Table 1.

3.1. Windows browser-based

We made four copies of the Base-VM, where we installed each of the four most popular browsers, namely: Microsoft Internet Explorer (IE) version 10.0.9200.16384, Mozilla Firefox (MF) version 25.0.1, Google Chrome (GC) version 31.0.1650.63, and Apple Safari (AS) version 5.1.7 on each of the four VMs (i.e. IE Base-VM, MF Base-VM, GC Base-VM, and AS Base-VM). Similar to the approach undertaken by Quick and Choo [10–13], we made copies of the respective VMs as labelled below:

• Four copies of Upload-VMs (i.e. a copy of the IE Base-VM, a copy of the MF Base-VM, a copy of the GC Base-VM, and a copy of the AS Base-VM);
• Four copies of Download-VMs;
• Four copies of Open-VMs; and
• Four copies of Delete-VMs.

We then performed the same series of upload, download, open, and delete operations twice on the hard discs of the respective VMs (i.e. Upload-VM: upload operations, Download-VM: download operations, Open-VM: open operations, and Delete-VM: delete operations) to ensure consistency – see Figure 1.

When a user accesses SugarSync via an online interface, an obvious source of evidence is the browser remnant files; therefore, we paid special attention to the browser cache and history. In our experiments, we copied the browser cache and history to our analysis machine manually after performing the same series of upload, open, download and delete operations because the tool we used (Digital Detective NetAnalysis 1.5 evaluation version) was not able to run on virtual environments. The local analysis of the browser cache and history was conducted using Nirsoft cache and history view tools to complement the analysis using NetAnalysis. The NTUSER.dat was backed up for further examination on the analysis machine.

Table 1. Software on Base-VM in Windows-based experiments.

Software                        Version
Regshot                         1.9.0
Process Monitor                 3.05
Nirsoft web browser passview    1.43


3.2. Windows app-based

Similar to our experiment setup described in Section 3.1, we made a copy of the Base-VM with SugarSync app (version 2.0.42.120603.20131120) installed. In addition to the series of upload, download, open and delete operations undertaken, we installed and uninstalled the SugarSync app to determine whether there were additional sources of evidential data. The series of upload, download, open and delete operations were also undertaken twice for consistency, and the NTUSER.dat was backed up for further examination on the analysis machine. A total of six VMs were created for this research (i.e. one Base-VM, and one for each of the operations) – see Figure 2.

3.3. Mac OS X app-based

The Mac OS X 10.9 Mavericks was used in the experiments. Uninstallation of applications in Mac OS X differs from uninstalling applications in a Microsoft Windows environment, as there is no registry on a machine running Mac OS X. While most Windows programmes include an uninstaller via the ‘Add/Remove Programmes’ in the control panel, no such feature exists in Mac OS X. Hence, most users would simply move application bundles to the Trash. SugarSync offers a specific uninstallation file that makes the uninstallation process different from the default uninstallation process. This uninstallation method recommended by SugarSync may provide useful digital artefacts in a forensic examination. Hence, we conducted additional experiments to analyse data remnants after performing the ‘standard’ and the ‘recommended’ uninstallation methods. We conducted seven different experiments on the respective VMs described in Figure 3. The hardware configuration of the seven VMs used in the Mac OS X experiments was two CPUs, 1 GB of RAM and 150 GB of hard disc.

Figure 1. VMs created in browser-based experiments for this research. (Diagram boxes: Base-VMs (IE, MF, AS, GC); Upload-VMs, Open-VMs, Delete-VMs and Download-VMs, each for IE, MF, AS, GC.)

Figure 2. VMs created in browser-based experiments for this research. (Diagram boxes: Base-VM (Install & Login); Upload-VM, Download-VM, Open-VM, Delete-VM, Uninstall-VM.)

3.4. Android app-based

We used a Samsung Galaxy Tab 10.1 GT-P7500 running Android 4.0.4 in this research. A Base-VM running Android 4.4 was also created for this experiment, and the hardware specification is as follows: 1 CPU, 2 GB of RAM and 1 GB hard disc.

To acquire the data from the mobile device, we require root privilege in order to access and export the targeted data from the kernel space. Without rooting the device, we would risk missing potential evidential data. The first step in our Android experiments was to root the device using VRoot 1.7.3. Once root privilege was gained, we had access to protected directories. Android terminal emulator 10.0.58 was installed to allow Android commands to run on the device (e.g. to dump and acquire device memory using the dd command on the SD directory of the device). Android file manager 3.1.2 was used to browse filesystems and directories to find SugarSync data remnants. Acquired SugarSync databases, log files and memory dump file were sent to the analysis machine for further examination and analysis. The Android experiments were carried out on both a physical device and a VM in six different stages, namely: installation & login, upload, download, open, delete and uninstallation; a total of 12 experiments were conducted. A total of six VMs were created for this research – see Figure 4.

3.5. iOS app-based

Unlike the other experiments described in this paper, there is no known method to create a VM for iOS devices. Therefore, the iOS-based experiments were undertaken on a physical device. The device used in the iOS experiments was an iPhone 4s running iOS 7.0.6. We jailbroke the device in order to have access to all files and folders.

Figure 3. VMs created in Mac OS X experiments for this research. (Diagram boxes: Base-VM (Install & Login); Upload-VM, Download-VM, Open-VM, Delete-VM, Uninstall-VM (Default Mac Approach), Uninstall-VM (SugarSync Approach).)

Figure 4. VMs created in Android experiments for this research. (Diagram boxes: Base-VM (Install & Login); Upload-VM, Download-VM, Open-VM, Delete-VM and Uninstall-VM, each for Android 4.0.4 & 4.4.)

After the device was jailbroken, we installed Cydia and iFile version 2.0.1–1 (a file manager and viewer) on the device. Using iFile, we were able to browse iOS directories. The directory that holds the associated files and folders of installed applications on the device is /private/var/mobile/Applications, which has various subdirectories. The ‘Activating Applications Names’ option in the iFile Preferences/File manager section allowed us to view the names of all subdirectories based on the name of installed applications. Mobile Terminal and OpenSSH applications were installed, which allowed us to execute UNIX commands in the iOS environment and send SugarSync databases and log files to the analysis machine for further analysis, respectively. Sys Activity Manager 4.1, installed from the Apple Store, was used to analyse the running processes and iOS memory.

SugarSync iOS app is able to upload photos taken by the device camera but does not have access to any other locations by default. At the time of browsing files and directories in iFile, it was observed that whenever a file is selected, there is an option to add this particular file to SugarSync. Consequently, the data-set was uploaded to SugarSync using iFile. Six experiments were conducted using the iPhone 4S to examine artefacts left behind when SugarSync was accessed.

4. Analysis and findings

In this section, we present our findings, particularly residual artefacts generated by SugarSync when cross-platform methods were used to manipulate data hosted on the cloud. Generally, acquiring and analysing data remnants occur either at the time of the device seizure (live acquisition of volatile data) or in the forensic laboratory. The former may allow forensic examiners to recover information from devices that are unlocked and still logged in to SugarSync (and other services such as Facebook) without the need to compel the suspect to provide the password to unlock the device. These two methods complement each other, and it is beyond the scope of this paper to discuss the legalities and implications live acquisition has on the admissibility of the evidence in a court of law.

We examined the virtual hard disks, virtual memory, images of real memory and network traffic using a range of forensic tools in the respective experiments. We took snapshots of virtual machines to obtain VMEM (including memory information) and VMDK (contains hard disk data files) files available in each VM folder. These files were analysed using AccessData FTK version 1.86.1. Hex Workshop v6.7 was used to analyse the acquired live memory and hard drives of the devices. For example, we conducted keyword searches to locate SugarSync credentials, the data-set and keywords such as ‘SugarSync’, ‘SugarSync.om’ and ‘Sharpcast’. The network traffic was captured using Wireshark 1.10.2, and NetworkMiner 1.5 was used in the network capture analysis. SQLite DB Browser included in OSForensics version 2, PList Explorer v1.0 and Notepad++ 6.4 were used to access and recover evidential data from SugarSync databases and log files in the experiments. AccessData Registry Viewer 1.7.4.2 and Regripper 2.8 were used to analyse the NTUSER.dat files.

4.1. Windows browser-based

When accessing SugarSync via IE, Google Chrome, Apple Safari, and Mozilla Firefox, we recovered various types of artefacts. Examination would include a step-by-step process to review different data sources described below.


Live memory. When we were searching for SugarSync username and password, we located two unique identifiers, namely: nickname and userid (instead of the SugarSync credentials used in our experiments) as shown in Figure 5. In our experiments, we observed that the same identifiers were used with alternative names like ownerid having the same values.

The values associated with the unique identifiers (nickname and userid) were then used as keywords when searching the memory to locate other relevant information such as first name, last name and email address (the email address was the username). Figure 6 illustrates the information located by searching using the userid as the keyword.

As shown in Figure 7, searching within the memory using the email address as the keyword, we located the password in all web-browsers except Mozilla Firefox.

Data-set. We were able to recover data associated with the upload, download, open, delete operations in the memory, such as the name of the file, and in some cases the associated date in UNIX time format.

Upload. In all cases, the name of the uploaded files can be found in the memory by searching for ‘name=“files[]”; filename=’. Figure 8 shows part of the memory that includes the file name of an uploaded file.

It is then possible to search using the name of the file to locate the path of the file on the client device.

Download and open. In all cases, the names of downloaded files could be found in the memory by searching for ‘My SugarSync/’ – see Figure 9.

We can also locate the downloaded files and folders by searching for ‘https://app.sugarsync.com/getfolder’ or ‘https://app.sugarsync.com/getfile’ – see Figure 10.

Delete. The only way in most cases to locate information about deleted files (e.g. filename, size and the date and time of deletion in UNIX based format) was to search for ‘dateDeleted:new Date’ – see Figure 11.
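The keyword searches described above for upload, download/open and delete remnants can be run as one pass over a memory image. The Python below is an added example, not code from the paper: it looks for the quoted search strings (with straight quotes) in both UTF-8 and UTF-16LE, which is an assumption since the paper does not state the encoding; the sample buffer and the epoch value following ‘dateDeleted:new Date’ are constructed for illustration.

```python
import mmap
import re
from datetime import datetime, timezone

# Search strings quoted in the paper, grouped by the operation they indicate.
MARKERS = {
    "upload": ['name="files[]"; filename='],
    "download_open": [
        "My SugarSync/",
        "https://app.sugarsync.com/getfolder",
        "https://app.sugarsync.com/getfile",
    ],
    "delete": ["dateDeleted:new Date"],
}
# Assumption: strings may sit in memory as UTF-8/ASCII or as UTF-16LE.
ENCODINGS = ("utf-8", "utf-16-le")


def context_after(buf, start, encoding, max_chars=120):
    """Return the printable text that directly follows a marker."""
    width = 2 if encoding == "utf-16-le" else 1
    raw = bytes(buf[start:start + max_chars * width])
    text = raw.decode(encoding, errors="replace")
    out = []
    for ch in text:
        if ch == "\ufffd" or not ch.isprintable():
            break  # stop at the first undecodable or control character
        out.append(ch)
    return "".join(out)


def unix_times(text):
    """Convert 10-digit (seconds) or 13-digit (ms) epoch values to UTC."""
    found = []
    for digits in re.findall(r"(?<!\d)(\d{13}|\d{10})(?!\d)", text):
        seconds = int(digits) / 1000 if len(digits) == 13 else int(digits)
        found.append(datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat())
    return found


def scan(buf):
    """Find every marker in a bytes-like buffer; return hits sorted by offset."""
    hits = []
    for operation, markers in MARKERS.items():
        for marker in markers:
            for encoding in ENCODINGS:
                needle = marker.encode(encoding)
                pos = buf.find(needle)
                while pos != -1:
                    ctx = context_after(buf, pos + len(needle), encoding)
                    hits.append({
                        "operation": operation,
                        "marker": marker,
                        "offset": pos,
                        "encoding": encoding,
                        "context": ctx,
                        # Epoch conversion only applies to deletion records.
                        "times_utc": unix_times(ctx) if operation == "delete" else [],
                    })
                    pos = buf.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def scan_file(path):
    """Scan a memory image (e.g. a VMEM file) without loading it into RAM."""
    with open(path, "rb") as fh:
        with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mem:
            return scan(mem)


# Constructed sample standing in for a memory dump (not data from the paper).
SAMPLE = (
    b"\x00\x01\xfe\xff"
    b'Content-Disposition: form-data; name="files[]"; filename="13100.docx"\r\n'
    b"\x90\x90\x00"
    + "My SugarSync/13100.rtf".encode("utf-16-le") + b"\x00\x00"
    + b'{name:"13100.txt",dateDeleted:new Date(1387546000000)}\x00'
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit["offset"], hit["operation"], hit["encoding"],
              repr(hit["context"]), hit["times_utc"])
```

Each hit carries the byte offset, so the surrounding region can be reopened in a hex editor to confirm the match.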

Cache and history of browsers. Cache and history of the browsers were analysed using Digital Detective NetAnalysis. The identifiers, nickname, and userid were found in the cache of the four browsers in our experiments. Upon successful login to SugarSync, the first page appeared with the following URL: https://app.sugarsync.com/home?mktg=1#cGFnZUlkPWNsb3VkSG9tZSZkaXNhYmxlU2VsZWN0Vmlldz10cnVlJmlzSXRlbVJlZnJlc2hBbGxvd2VkPXRydWUmdXNlcklkPTc1NjUxMTUmdXNlck5pY2tuYW1lPXN1Z2Fyc3luY2ZvcmVuc2ljJnNob3dHcmF2ZXlhcmQ9ZmFsc2UmY3VycmVudE93bmVySWQ9NzU2NTExNQ==

The part after https://app.sugarsync.com/home?mktg=1# is a base64 encoding, which was decoded to the following text: pageId=cloudHome&disableSelectView=true&isItemRefreshAllowed=true&userId=7565115&userNickname=sugarsyncforensic&showGraveyard=false&currentOwnerId=7565115.

Figure 5. The occurrences of nickname and userid within memory.

We also located the nickname and userid in the URL part of the cached addresses: https://www.sugarsync.com/api/accountpreferences?uid=7565115&callback=jQuery171039337688009254634_1387546534246&_=1387546546021 and https://sugarsyncforensic.sugarsync.com/postlogin?isDefaultLogin=true&targetUrl=%2Ffiles%3FisDefaultLogin%3Dtrue.
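The three URL shapes described above can be processed automatically once browser cache and history entries have been exported. The Python below is an added example, not code from the paper: it decodes the base64 fragment of the /home URL and pulls the userid and nickname from the other two URL types. The sample URLs are the ones quoted in this section, written without digit-group commas; the function names are hypothetical.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# URLs quoted in the section above (IDs written without digit-group commas).
HOME_URL = (
    "https://app.sugarsync.com/home?mktg=1#"
    "cGFnZUlkPWNsb3VkSG9tZSZkaXNhYmxlU2VsZWN0Vmlldz10cnVl"
    "JmlzSXRlbVJlZnJlc2hBbGxvd2VkPXRydWUm"
    "dXNlcklkPTc1NjUxMTUm"
    "dXNlck5pY2tuYW1lPXN1Z2Fyc3luY2ZvcmVuc2lj"
    "JnNob3dHcmF2ZXlhcmQ9ZmFsc2Um"
    "Y3VycmVudE93bmVySWQ9NzU2NTExNQ=="
)
PREFS_URL = (
    "https://www.sugarsync.com/api/accountpreferences?uid=7565115"
    "&callback=jQuery171039337688009254634_1387546534246&_=1387546546021"
)
POSTLOGIN_URL = (
    "https://sugarsyncforensic.sugarsync.com/postlogin"
    "?isDefaultLogin=true&targetUrl=%2Ffiles%3FisDefaultLogin%3Dtrue"
)
CACHED_URLS = [HOME_URL, PREFS_URL, POSTLOGIN_URL]


def decode_home_fragment(url):
    """Decode the base64 fragment of a /home URL into a key/value dict."""
    fragment = urlsplit(url).fragment
    if not fragment:
        return {}
    # Carved or truncated URLs may have lost their '=' padding; restore it.
    padded = fragment + "=" * (-len(fragment) % 4)
    try:
        decoded = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return {}  # fragment is not the base64 parameter string
    return {k: v[0] for k, v in parse_qs(decoded, keep_blank_values=True).items()}


def extract_identifiers(url):
    """Return the account identifiers one SugarSync URL exposes, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host.endswith(".sugarsync.com"):
        return None
    found = {"url_type": None, "userid": None, "ownerid": None, "nickname": None}
    if host == "app.sugarsync.com" and parts.path == "/home":
        params = decode_home_fragment(url)
        found.update(
            url_type="home",
            userid=params.get("userId"),
            ownerid=params.get("currentOwnerId"),
            nickname=params.get("userNickname"),
        )
    elif parts.path == "/api/accountpreferences":
        uid = parse_qs(parts.query).get("uid", [None])[0]
        found.update(url_type="accountpreferences", userid=uid)
    elif parts.path == "/postlogin":
        # The nickname is the subdomain, e.g. <nickname>.sugarsync.com.
        sub = host[: -len(".sugarsync.com")]
        found.update(
            url_type="postlogin",
            nickname=sub if sub not in ("www", "app") else None,
        )
    else:
        return None
    return found


def correlate(urls):
    """Collect the distinct userids and nicknames seen across a URL list."""
    userids, nicknames = set(), set()
    for url in urls:
        ids = extract_identifiers(url)
        if ids is None:
            continue
        if ids["userid"]:
            userids.add(ids["userid"])
        if ids["nickname"]:
            nicknames.add(ids["nickname"])
    return {"userids": sorted(userids), "nicknames": sorted(nicknames)}


if __name__ == "__main__":
    for url in CACHED_URLS:
        print(extract_identifiers(url))
    print(correlate(CACHED_URLS))
```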

Figure 6. First name, last name and primary email located by searching for the userid.

Figure 7. Located SugarSync credentials.

Figure 8. Name of the uploaded file in the memory.

Figure 9. Name of downloaded file.

Figure 10. Name of downloaded files and folders.


We were, however, unable to locate SugarSync credentials and the sample data-set. It should also be noted that Apple Safari does not appear to cache SSL pages.

Nirsoft cookie view was used to examine the recovered browser cookies, if any, to determine whether there is an entry associated with the usage of SugarSync. We were able to recover cookies using keyword searching. We then obtained timestamp information such as expiration date, last accessed and created time. Such information may be useful in assisting an investigator.

Finally, Nirsoft web browser passview was used to examine the browsers to determine whether any and, if so, what information was saved when the user selected ‘Keep me logged in’. We were unable to recover information such as username and password, but it should be noted that one could gain access to the SugarSync account without the need for credentials if the ‘Keep me logged in’ was selected.

Registry. Our registry analysis in all 16 experiments revealed no evidence of SugarSync credentials and the sample data-set. However, when IE was used to access SugarSync, we were able to recover the typed URL from the registry – see Figure 12.

We could also recover the RecentDocs list, which is a listing of recently viewed files and folders. Unless the forensic examiner knows which files were associated with SugarSync, this information may not be as helpful. However, if the user has downloaded the default SugarSync folder, My SugarSync, the information in RecentDocs would be useful for the examiner – see Figure 13.

By viewing the registry, we were able to obtain information associated with Safari usage and the files in data-set associated with comdlg32 file – see Figure 14.

4.2. Windows app-based

As indicated earlier, SugarSync app allows a user to upload files with more than 300 MB capacity, and synchronises any folder on the user device without the need to store the files in the default SugarSync folder. Installation of the app creates a folder named My SugarSync stored in \Users\<user>\Documents\My SugarSync by default. The folder can only be opened and accessed as long as the app is running. Otherwise, the folder appears as offline and cannot be accessed. A SugarSync Drive is also created and will be available when the SugarSync app is running, and its network path is \\SUGARSYNC_LOCAL\SugarSyncDrive\My SugarSync. ‘SugarSync Drive’ is a virtual drive that allows users to view their folders and manage their content stored in the cloud from any device. Similar to other apps, installation of SugarSync will result in the creation of folders on a local device (e.g. personal computer) used to store log files, databases and other related files. SugarSync files will be stored in the following locations in Windows 8:

• \Program Files (x86)\SugarSync
• \Users\<user>\AppData\Local\SugarSync

Figure 11. Name and time of the deleted file.

Figure 12. Typed URLs located during analysis of IE registry.

Figure 13. RecentDocs.

Figure 14. Registry information of Safari.


Our examination revealed that some files and folders remained on the local system after uninstallation of SugarSync. For example, the SugarSync folder and its contents and the file named ‘VFSNamespaceExt.log’ in \Users\<user>\AppData\Local\SugarSync were located during examination, which is an indication to a forensic examiner that the SugarSync app had been uninstalled from the device.

Live memory. Unlike browser-based experiments, analysis of live memory did not result in the recovery of the password, although the username was located. We located the username (i.e. [email protected]) in the memory, as well as the nickname (i.e. sugarsyncforensic) – see Figure 15.

The userid (i.e. 7,565,115) was located immediately after the term ‘rootfolder$/sc/’ where ‘sc’ is the abbreviation of SharpCast – see Figure 16. The path /sc/<userid>/<digits> referred to the stored path in the SharpCast server.

The device name is another potentially useful piece of information detected in the memory by searching for ‘dev_type’, and as shown in Figure 17, the word ‘dn’ was located between ‘dev_type’ and the device name.

Searching the network path of SugarSync Drive helped to locate the uploaded files. We found evidence of the open operation when we searched for the local path of the My SugarSync folder – see Figure 18. It should be noted that the network path of SugarSync Drive is identical in all our Windows-based experiments, although the local path of the My SugarSync folder may vary between the Windows versions.

The names of the deleted files were located in the memory after the words ‘date_deleted’ and ‘dn’ respectively, while the word ‘fs’ was located after the deleted file – see Figure 19.

Registry. The installation of SugarSync results in the creation of hives in the registry, which can be located in the following locations:

• HKEY_CURRENT_USER\Software\Sharpcast\SugarSync
• HKEY_LOCAL_MACHINE\Software\Wow6432Node\Sharpcast\SugarSync
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: Value created for SugarSync (see Figure 20)

Using the RecentDocs entries from registry hives, we recovered the opened files in SugarSync (Figure 21).

We found evidence of the uninstallation of SugarSync app from the following registry key:

• HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assist\Store\C:\Programme Files (x86)\SugarSync\uninstall.exe

Figure 15. Username and nickname located in the memory.


Filesystem. We examined the databases and log files stored on \Users\<user>\AppData\Local\SugarSync, and located three folders named filecache.db, fslink.db and lvol.db (these were the respective container of the SQLite databases). The last folder, lvol.db, included eight tables. In these tables, ‘bucket_id’ referred to userid, and we located ‘sc’ in a number of entries associated with the path in Sharpcast servers. Of the eight tables, ‘ScBase’ contained records that comprise three fields, namely: ‘id’, ‘p’, and ‘data’ representing the type integer, text, and blob respectively. The username of SugarSync was extracted from the blob value of ‘data’ column of the record which had the value of ‘/sc/1/login_info’ in the ‘p’ field – see Figure 22.

The main log file of SugarSync is named ‘sc1.log’, which contains detailed information of every operation and event that had taken place in SugarSync since installation. The log file includes the exact time of each operation, name of file associated with the operation and their locations. We also located the OS type, userid and the device name entered by the user when they first logged into SugarSync from the log file.
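The ScBase lookup described above, as an added example (not the authors' tooling): it queries a working copy of the SQLite database for the ‘/sc/1/login_info’ record and pulls e-mail-like strings out of the ‘data’ blob. The page does not document the blob encoding, so scanning for both ASCII and UTF-16LE strings, the e-mail-shaped username pattern, and the constructed sample row are assumptions.

```python
import re
import sqlite3
from pathlib import Path

LOGIN_INFO_KEY = "/sc/1/login_info"          # 'p' value reported in the paper
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def open_readonly(db_path):
    """Open a working copy of the database read-only so the query cannot alter it."""
    return sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)


def blob_strings(blob):
    """Printable runs in a blob, read as ASCII and as UTF-16LE (encoding assumed)."""
    runs = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    runs += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return runs


def login_info(conn):
    """Return (row ids, candidate usernames) for ScBase rows keyed LOGIN_INFO_KEY."""
    rows = conn.execute(
        "SELECT id, data FROM ScBase WHERE p = ?", (LOGIN_INFO_KEY,)
    ).fetchall()
    ids, candidates = [], []
    for row_id, data in rows:
        ids.append(row_id)
        if data is None:
            continue
        if isinstance(data, str):            # column may hold TEXT instead of BLOB
            data = data.encode("utf-8", "replace")
        for text in blob_strings(bytes(data)):
            for email in EMAIL.findall(text):
                if email not in candidates:
                    candidates.append(email)
    return ids, candidates


def build_sample_db():
    """Constructed stand-in for the database: only the ScBase columns the paper names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ScBase (id INTEGER, p TEXT, data BLOB)")
    blob = (b"\x00\x01\x12" + "examiner@example.com".encode("utf-16-le")
            + b"\x00\x07nick\x00")           # constructed bytes, not real app data
    conn.executemany("INSERT INTO ScBase VALUES (?, ?, ?)", [
        (1, "/sc/1/other", b"\x00\x00"),
        (2, LOGIN_INFO_KEY, blob),
    ])
    return conn


if __name__ == "__main__":
    # For a real exhibit, pass a copy of the database file to open_readonly().
    print(login_info(build_sample_db()))
```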

Figure 16. Userid located in the memory.

Figure 17. Found device name in the memory.

Figure 18. Uploaded and opened filenames located in the memory.

Figure 19. Deleted file located in the memory.


Figure 20. Values created when SugarSync was installed.

Figure 21. Opened files in SugarSync.


4.3. Mac OS X app-based

SugarSync Mac OS X version app also supports SugarSync Drive, which is available under the following address as long as SugarSync is running:

• /Volumes/SugarSync-<user>

The default SugarSync folder, My SugarSync, is located in /Users/<user>/Documents/My SugarSync, and can be accessed via SugarSync Drive path. Installation of SugarSync creates directories in the following locations:

• /Users/<user>/Library/Application Support/SugarSync
• /Users/<user>/Library/Savedapplicationstate/com.SugarSync.SugarSync.saveState
• /Application/SugarSync.app

SugarSync databases and log files are stored in the SugarSync directory under Application Support. Depending on the mode of uninstallation (standard or recommended), this operation may leave trails on the client device that would indicate to a forensic examiner that SugarSync had been uninstalled from the device. For example, the ‘default’ uninstallation process of an application from Mac OS X (typically used by the average Apple users) is to remove the application permanently from the Applications directory. If SugarSync is uninstalled using this method, we could recover SugarSync default folder and its contents as well as SugarSync directories under Application Support and the Savedapplicationstate directory. The uninstallation file of SugarSync, SugarSyncUninstaller.command, could also be located in /Applications/SugarSync.app/Contents/Resources. One could remove SugarSyncUninstaller.command in order to obstruct forensic examination.

Figure 22. SugarSync username extracted from the “ScBase” table.

Live memory. We were not able to recover the password using live memory analysis on Mac OS X although we located the username. The method for recovering the username, device name and deleted file names was the same as Windows 8, except when looking for downloaded or uploaded files in the memory, we searched using the local path of My SugarSync folder within the memory – see Figure 23.

Filesystem. Similar to our experiments for devices running Windows, we were able to recover the log files and the databases and only their locations were different.

4.4. Android app-based

Android is the, if not one of the, most popular OS for mobile devices (including tablets). Therefore, it is necessary for forensic examiners to have in-depth and up-to-date knowledge of Android apps. The default folder location of the SugarSync app is ‘/mnt/sdcard/My SugarSync Folders’, and upon installing the app, the following directories were created:

• /data/data/com.sharpcast.sugarsync
• /storage/emulated/0/.sugarsync

We recovered both ‘My SugarSync Folders’ and ‘.sugarsync’ from the Android device where the app had been uninstalled prior to our examination. This, again, is an indication that SugarSync had been previously installed on the device and may warrant further analysis.

We located the username by first recovering the userid. Once the userid was located, we searched for ‘session ID =’ and ‘User id <userid>’, which led us to the username – see Figure 24.

The process of finding the device name and deleted files was the same as the processes undertaken in the Windows and Mac OS X experiments, although searching for filenames during upload and download operations was different as the SugarSync default folder was located in a different path on the Android devices – see Figure 25.

FileSystem. The databases of the SugarSync Android app were stored in /data/data/com.sharpcast.sugarsync/databases. There were two SQLite databases named <userid> and SugarSyncDB. The latter had a table named rec_to_offline_, and file_<userid> contained filenames and metadata associated with the saved file in the My SugarSync Folders for offline review. The recovered metadata included timestamp of last modification and synchronisation time in UNIX time format. We also recovered a file named sc_appdata located in /data/data/com.sharpcast.sugarsync/app_SugarSync/SugarSync/, which had information that would be useful to a forensic examiner, such as username, userid and date of last access to SugarSync. The recovered main log file of SugarSync, sugarsync.log, was located at /data/data/com.sharpcast.sugarsync/app_SugarSync/SugarSync/log.

Figure 23. Found uploaded/download filenames in the memory.

When we ran the ps command, we obtained the pid of SugarSync associated with the com.sharpcast.sugarsync process.

4.5. iOS app-based

The directory created by the installation of the SugarSync app on the iPhone 4S was located in /var/mobile/Applications/, and was detected by iFile. In the context of our experiments, the directory was AEA8E11C-4CBB-43EB-86CE-095DC4D50AB3. Each installation of SugarSync creates a directory under the above path with the name that is distinguishable from previous installation(s). Although there was a default folder, My SugarSync, we were not able to locate the local location on the device. Using the ‘SysActivity Manager’ tool, we noticed that the process name of SugarSync in the memory was Ringo.

FileSystem. There were two databases named Ringo.sqlite and <userid>.sqlite. The former had a table named ZSYNCOBJECT with the metadata of saved files for offline review. The locations of those databases in SugarSync directory were as follows:

• Documents/Ringo.sqlite
• Library/userid.sqlite

Figure 24. Userid and username located in the memory.

Figure 25. Filenames located in the memory.


Two .plist files, com.sharpcast.sugarsync.plist and iTunesMetadata.plist, were located in Library/Preferences and the root directory of SugarSync. Using Plist Explore to analyse both files, we obtained the data described in Tables 2 and 3.

As shown in Table 3, the Apple ID (used to download the app) and the purchase date provided useful information to a forensic examiner.

We were then able to recover account specific information (e.g. username) from the file ringo.appdata located in the /Documents directory – see Figure 26.

We could also locate the ‘tmp’ directory and its three subdirectories, namely: ‘cache’, ‘http_cache’ and ‘links’. As the name of the directory suggested, files saved for offline review were found in these subdirectories. The log file of SugarSync was recovered from ‘Library/Caches/Logs/’, which provided information such as the list of files accessed and the time of access.

4.6. Network traffic

Network traffic analysis is another source when investigating volatile data, and data on network traffic could be more ephemeral than the data obtained from the memory. Therefore, it is important to include this data capture channel wherever possible.

We captured the ‘pcap’ file saved by Wireshark and reviewed it using NetworkMiner. The findings from our analysis of the network traffic in all 32 experiments are described as follows.

Browser-based. Our analysis of network traffic suggested that the majority of packets were encrypted using TLS v1 or v1.2. The initial transmissions were established on port 80 while subsequent communication was encrypted over port 443. When accessing SugarSync via an online interface, the session was established with IP ranges from 74.201.0.0 to 74.201.255.255 which were associated with SugarSync. The security certificates used were signed by VeriSign/Thawte services, in the 199.7.0.0 - 199.7.255.255 IP range – see Table 4.

Table 2. com.sharpcast.sugarsync.plist.

| Type | Name | Value |
| --- | --- | --- |
| Integer | SCUserId | <userid> |
| AnsiString | ScLastLoginEmail | <username> |
| Date | ScQuitTime | date and time |

Table 3. iTunesMetadata.plist.

| Type | Name | Value |
| --- | --- | --- |
| AnsiString | bundleDisplayName | SugarSync |
| AnsiString | AppleID | <email> |
| AnsiString | purchaseDate | date and time |

Figure 26. ringo.appdata.

As the majority of communications were encrypted, we were unable to recover SugarSync credentials or contents of sample data-set.

Client-based. Network traffic was captured while the user log-in process was performed. Table 5 shows the list of captured IP addresses in our experiments.

When the SugarSync app was downloaded, the URL of Amazon Cloudfront was observed in our network capture – 204.246.165.23 [di98a4js1fi9m.cloudfront.net][download.sugarsync.com].

When we searched for ‘?userid=’ or ‘?userId=’, we located the userid in the network capture in our experiments on Windows and Mac OS X devices. In the experiments on Android and iOS devices, we used the keywords ‘/pgr/’, ‘/apa/’, ‘?ts=’ and ‘&ts=’ to locate the userid in the network capture.
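The keyword searches described for the memory dumps (‘rootfolder$/sc/’, ‘dev_type’, ‘date_deleted’) and for the network captures above can be run in one pass over a raw image or pcap; the following is an added example, not the authors' tooling. It extracts the digits that follow the two userid markers and keeps context around the remaining keywords for manual review; the sample bytes are constructed, and matching only single-byte (ASCII) encodings is an assumption.

```python
import io
import re
from collections import Counter

# Markers after which the paper reports the userid directly (memory and network).
USERID_RE = re.compile(rb"(rootfolder\$/sc/|\?user[iI]d=)(\d{1,12})")
# Keywords the paper used to find the right region; hits are kept with context
# for manual review because the page does not give the exact layout around them.
CONTEXT_MARKERS = (b"dev_type", b"date_deleted", b"/pgr/", b"/apa/", b"?ts=", b"&ts=")
CONTEXT_RE = re.compile(b"|".join(re.escape(m) for m in CONTEXT_MARKERS))
OVERLAP = 256   # bytes carried over between chunks
MARGIN = 128    # hits starting this close to a chunk end wait for the next chunk
CONTEXT = 48    # bytes of context kept on each side of a hit


def printable(raw):
    """Render bytes for a report, replacing non-printable bytes with dots."""
    return "".join(chr(c) if 32 <= c < 127 else "." for c in raw)


def scan_stream(stream, chunk_size=1 << 20):
    """Scan a binary stream (memory dump or pcap) for the SugarSync keywords.

    Returns {"userids": Counter, "context": [(offset, marker, text), ...]}.
    The stream is read in chunks so multi-gigabyte images fit in memory; each
    hit is reported once, with its absolute offset in the stream.
    """
    userids, context = Counter(), []
    buf, base, done = b"", 0, 0
    while True:
        chunk = stream.read(chunk_size)
        final = not chunk
        buf += chunk
        limit = base + len(buf) - (0 if final else MARGIN)
        for m in USERID_RE.finditer(buf):
            if done <= base + m.start() < limit:
                userids[m.group(2).decode("ascii")] += 1
        for m in CONTEXT_RE.finditer(buf):
            if done <= base + m.start() < limit:
                window = buf[max(0, m.start() - CONTEXT):m.end() + CONTEXT]
                context.append((base + m.start(), m.group().decode("ascii"),
                                printable(window)))
        done = max(done, limit)
        if final:
            return {"userids": userids, "context": context}
        keep = buf[-OVERLAP:]
        base += len(buf) - len(keep)
        buf = keep


# Constructed sample bytes (not taken from the paper's captures); the layout
# around dev_type/dn is an assumption made for the demonstration.
SAMPLE = (b"\x00" * 300 + b"rootfolder$/sc/1234567/889900"
          + b"\x00" * 200 + b"GET /api?userId=1234567&ts=1400000000 HTTP/1.1\r\n"
          + b"\x00" * 150 + b"dev_type\x01dn\x06LAB-PC")

if __name__ == "__main__":
    result = scan_stream(io.BytesIO(SAMPLE), chunk_size=64)
    print(result["userids"].most_common())
    for offset, marker, text in result["context"]:
        print(hex(offset), marker, text)
```

A userid that appears after both markers, in independent sources, is a stronger lead than a single hit; for a real exhibit, open the image with `open(path, "rb")` and pass the file object to `scan_stream`.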

5. Concluding remarks

Cloud storage services such as SugarSync allow users to access, store, upload, download and share their data 24/7. However, it is well documented that these services may be misused and consequently become the target or subject of a forensic examination. Quick et al.⁹ explained the importance of cloud storage forensics and noted the importance of ‘conducting research into the remnants of other cloud computing and storage services, with the aim of determining data remnants from other cloud computing and storage service providers’.

In this paper, we examined SugarSync, a popular cloud storage service and demonstrated that a number of useful artefacts could be forensically recovered when a user had used SugarSync on a device. We were able to recover a number of useful artefacts when a user had used SugarSync on a device to upload, download, open and/or delete files – see Table 6. Our research demonstrated that a forensic examiner is likely to detect SugarSync usage on a client device even if the app had been uninstalled prior to the device being seized for forensic examination. In the browser-based experiments, if user data are downloaded to the default SugarSync folder, this activity can be detected during forensic examination.

The credentials of SugarSync were determined not to be encrypted in the memory dump when a browser is used to access the service. The username can be recovered from databases, log files and other files associated with SugarSync, as demonstrated in our client app-based experiments. Our research also suggested that recovering the username from the memory dump is possible, and, therefore, forensic examiners should consider conducting memory dump and network capture when searching for artefacts.

In addition, our research demonstrated that filenames, log files and databases can be recovered from the memory dump. The Registry is another potentially useful source for forensic examiners to locate filenames, especially when a browser had been used to access SugarSync.

In conclusion, it is possible to extract SugarSync credentials, method of access, filenames and associated metadata when SugarSync is used to access, store and download files and folders from the service. Such information would potentially allow evidence to be secured in a timely fashion. For example, once an investigator was aware that SugarSync had been used on the case exhibit device, the investigator could contact the service provider (via the appropriate channel) to obtain information relating to the suspect’s account. More importantly, piecing together the artefacts recovered and obtained from different sources would allow the investigator to better create the sequence of events.

Table 4. A list of captured IP addresses in our browser-based experiments.

Table 5. A list of captured IP addresses in our client-based experiments.

Table 6. Summary of findings.

| Way of access | Artefacts found |
| --- | --- |
| Windows browser-based | Username: memory dump; Password: memory dump; Nickname: memory dump and browser cache; Userid: memory dump, browser cache and network traffic; Sample data-set: memory dump and registry; Usage: My SugarSync.zip file |
| Windows app-based | Username: filesystem and memory dump; Password: not found; Nickname: memory dump and filesystem; Userid: memory dump, network traffic and filesystem; Sample data-set: memory dump; Usage: My SugarSync folder, registry and file system |
| Mac OS X app-based | Username: memory dump and filesystem; Password: not found; Nickname: memory dump and filesystem; Userid: filesystem and network traffic; Sample data-set: memory dump; Usage: My SugarSync folder |
| Android app-based | Username: memory dump and filesystem; Password: not found; Nickname: memory dump; Userid: memory dump, network traffic and filesystem; Sample data-set: memory dump; Usage: My SugarSync Folders |
| iOS app-based | Username: filesystem; Password: not found; Userid: filesystem and network traffic; Sample data-set: filesystem; Usage: Associated app data folder |

References

1. Best Cloud Storage Providers and Reviews Online. 2014. [Cited 10 May 2014]. Available from: http://www.top10cloudstorage.com/
2. Chung H, Park J, Lee S, Kang C. Digital forensic investigation of cloud storage services. Digital Invest. 2012;9(2):81–95. doi:10.1016/j.diin.2012.05.015.
3. Galante J, Kharif OAP. Sony network breach shows Amazon cloud’s appeal for hackers. Bloomberg: 2011 [cited 10 May 2014]. Available from: http://www.bloomberg.com/news/2011-05-15/sony-attack-shows-amazon-s-cloud-service-lures-hackers-at-pennies-an-hour.html
4. Grispos G, Storer T, Glisson WB. Calm before the storm: the challenges of cloud. Int Jnl Dig Crime and For 4(2):28–48, 2012.
5. Hale JS. Amazon cloud drive forensic analysis. Digital Invest. 2013;10(3):259–265. doi:10.1016/j.diin.2013.04.006.
6. Hooper C, Martini B, Choo K-KR. Cloud computing and its implications for cybercrime investigations in Australia. Comput Law Security Rev. 2013;29(2):152–163. doi:10.1016/j.clsr.2013.01.006.
7. Martini B, Choo K-KR. An integrated conceptual digital forensic framework for cloud computing. Digital Invest. 2012;9(2):71–80. doi:10.1016/j.diin.2012.07.001.
8. Martini B, Choo K-KR. Cloud storage forensics: ownCloud as a case study. Digital Invest. 2013;10(4):287–299. doi:10.1016/j.diin.2013.08.005.
9. Quick D, Martini B, Choo K-K. Forensics, cloud storage. Syngress; 2014 Waltham, MA, USA.
10. Quick D, Choo K-KR. Digital droplets: Microsoft SkyDrive forensic data remnants. Future Gener Comp Sy. 2013;29(6):1378–1394. doi:10.1016/j.future.2013.02.001.
11. Quick D, Choo K-KR. Dropbox analysis: data remnants on user machines. Digital Invest. 2013;10(1):3–18. doi:10.1016/j.diin.2013.02.003.
12. Quick D, Choo K-KR. Forensic collection of cloud storage data: does the act of collection result in changes to the data or its metadata? Digital Invest. 2013;10(3):266–277. doi:10.1016/j.diin.2013.07.001.
13. Quick D, Choo K-KR. Google drive: forensic analysis of data remnants. J Network Comput Appl. 2014;40:179–193. doi:10.1016/j.jnca.2013.09.016.
14. Ruan K, Carthy J, Kechadi T, Crosbie M. Cloud Forensics. IFIP Advances in Information and Communication Technology. 2011;35–46. doi:10.1007/978-3-642-24212-0_3.
15. Kleynhans S. The new PC era: the personal cloud. Gartner. 2012 [cited 2014 May 10]. Available from: http://www.gartner.com/newsroom/id/1947315
16. Thethi N, Keane A. Digital forensics investigations in the cloud. IEEE International Advance Computing Conference (IACC). 2014; 1475–1480. doi:10.1109/IAdCC.2014.6779543.
17. Choo KKR. Cloud computing: challenges and future directions. Trends Issues Crime Crim justice. 2010;400:1–6.
18. Martini B, Choo KKR. Distributed filesystem forensics: XtreemFS as a case study. Digital Investigation. 2014a;11(4):295–313.
19. Martini B, Choo KKR. Remote programmatic vcloud forensics. Proceedings of 13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications; 2014b September; TrustCom 2014.
20. Choo K-KR. Legal issues in the cloud. IEEE Cloud Comput Mag. 2014;1(1):94–96.
21. National Institute of Standards and Technology. NIST Cloud Computing Forensic Science Challenges. NIST draft NISTIR 8006; 2014.
22. Martini B, Choo KKR. Cloud forensic technical challenges and solutions: a snapshot. IEEE Cloud Comput Mag. 2014c;1(4):20–25.
