%0 Conference Proceedings
%T API-Based Forensic Acquisition of Cloud Drives
%+ University of New Orleans
%+ Archon Information Systems
%A Roussev, Vassil
%A Barreto, Andres
%A Ahmed, Irfan
%Z Part 4: CLOUD FORENSICS
%< peer-reviewed
%( IFIP Advances in Information and Communication Technology
%B 12th IFIP International Conference on Digital Forensics (DF)
%C New Delhi, India
%Y Gilbert Peterson
%Y Sujeet Shenoi
%I Springer International Publishing
%3 Advances in Digital Forensics XII
%V AICT-484
%P 213-235
%8 2016-01-04
%D 2016
%R 10.1007/978-3-319-46279-0_11
%K Cloud forensics
%K Cloud drives
%K API-based acquisition
%Z Computer Science [cs]Conference papers
%X Cloud computing and cloud storage services, in particular, pose new challenges to digital forensic investigations. Currently, evidence acquisition for these services follows the traditional method of collecting artifacts residing on client devices. This approach requires labor-intensive reverse engineering effort and ultimately results in an acquisition that is inherently incomplete. Specifically, it makes the incorrect assumption that all the storage content associated with an account is fully replicated on the client. Additionally, there is no current method for acquiring historical data in the form of document revisions, nor is there a way to acquire cloud-native artifacts from targets such as Google Docs. This chapter introduces the concept of API-based evidence acquisition for cloud services, which addresses the limitations of traditional acquisition techniques by utilizing the officially-supported APIs of the services. To demonstrate the utility of this approach, a proof-of-concept acquisition tool, kumodd, is presented. The kumodd tool can acquire evidence from four major cloud drive providers: Google Drive, Microsoft OneDrive, Dropbox and Box. The implementation provides command-line and web user interfaces, and can be readily incorporated in established forensic processes.
%G English
%Z TC 11
%Z WG 11.9
%2 https://inria.hal.science/hal-01758692/document
%2 https://inria.hal.science/hal-01758692/file/431606_1_En_11_Chapter.pdf
%L hal-01758692
%U https://inria.hal.science/hal-01758692
%~ IFIP-LNCS
%~ IFIP
%~ IFIP-AICT
%~ IFIP-TC
%~ IFIP-WG
%~ IFIP-TC11
%~ IFIP-DF
%~ IFIP-WG11-9
%~ IFIP-AICT-484