Digital forensics framework for investigating client cloud storage applications on smartphones

In today's modern world, the growing use of smartphones with the Internet access supported increasing deployment of cloud storage applications to access data anywhere, anytime. It provides a sharp increase of the possibility of malicious activities to abuse the cloud storages. One of the emerging challenges regarding digital forensic research investigations is cloud storage, as well as increasing use of cloud storage applications on mobile devices. The overlap of these two growing technologies further cyber criminals opportunities to conduct malicious activities such as identity theft,piracy, illegal trading, sexual harassment, cyber stalking and cyber terrorism. This has made mobile devices as an important source of evidence in digital investigation. Not knowing where the data may reside can impede the investigators, as it could take considerable time to contact all potential service providers to determine if the data is stored within their cloud service. Current mobile forensic analyzer tools, procedures and methods are able to extract valuable information from VoIP, Social Networking,Mail Applications on smartphones; however, the mobile forensic analyzer tools cannot acquire enough valuable information from cloud applications on smartphones. Therefore, there is a forensically sound need for a digital forensic framework focusing on analysis phase of smartphones to identify potential data on cloud storages. In this thesis, a framework for investigating client cloud storage applications on smartphones is proposed. Using the framework, we seek to analyze and determine the data remnants from the use of five popular cloud client Apps of OneDrive, Box, Mega, GoogleDrive, and Dropbox on the popular smartphones that use operating systems of Android and iOS. A variety of circumstances have been considered, including methods to upload, download, delete and share files in the cloud storage clients to determine residue data on client devices. Moreover, in terms of evidence preservation, possible modifications in files content and metadata that may affect preservation of evidence from these platforms are examined. A variety of artifacts were detected from different users’ activities such as login, upload, download, delete, and sharing files. Moreover, the cloud client applications in the Android device did not cause any alteration to the content of the files. However, the files’ timestamps were changed from the original sample files, and this needs to be considered when forming conclusions in relation to examination of times and dates of the files within the cloud client applications. The findings may assist forensic examiners and practitioners in real world examination of cloud client applications on Android and iOS platforms.