Cloud computing and cloud storage services, in particular, pose a new challenge to digital forensic investigations. Currently, evidence acquisition for such services still follows the traditional method of collecting artifacts on a client device. This approach requires labor-intensive reverse engineering efforts, and ultimately results in an acquisition that is inherently incomplete. Specifically, it makes the incorrect assumption that all storage content for an account is fully replicated on the client; further, there are no means to acquire historical data in the form of document revisions, nor is there a way to acquire cloud-native artifacts, such as Google Docs. In this work, we introduce the concept of API-based evidence acquisition for cloud services, which addresses these concerns by utilizing the officially supported API of the service. To demonstrate the utility of this approach, we present a proof-of-concept acquisition tool, kumodd, which can acquire evidence from four major cloud drive providers: Google Drive, Microsoft OneDrive, Dropbox, and Box. The implementation provides both command-line and web user interfaces, and can be readily incorporated into established forensic processes.
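To make the abstract's three points concrete (content that is not replicated on any client, per-file revision history, and cloud-native documents that exist only as an export), here is a skeleton of what API-based acquisition has to do. This is an added example, not kumodd's code or any provider's SDK: `FakeDriveClient` is a constructed, in-memory stand-in whose method names and response fields mirror the Google Drive v3 `files.list`, `revisions.list`, `revisions.get` and `files.export` calls (`nextPageToken`, `mimeType`, `md5Checksum`), and the choice of PDF/ODS as export formats and the sample account contents are assumptions made for the illustration.

```python
import hashlib
from typing import Dict, List, Optional

# Cloud-native MIME types (the real Drive identifiers) mapped to an export format.
# Picking PDF / ODS as the acquisition format is our assumption for this example.
NATIVE_EXPORT = {
    "application/vnd.google-apps.document": "application/pdf",
    "application/vnd.google-apps.spreadsheet":
        "application/vnd.oasis.opendocument.spreadsheet",
}


class FakeDriveClient:
    """Constructed in-memory stand-in for a Drive-v3-style client (not a real
    API binding). Responses reuse Drive's field names so the acquisition loop
    below reads like the real thing."""

    def __init__(self, files: List[dict], revisions: Dict[str, List[dict]],
                 exports: Dict[str, bytes], page_size: int = 2):
        self.files, self.revisions, self.exports = files, revisions, exports
        self.page_size = page_size

    def files_list(self, page_token: Optional[str] = None) -> dict:
        start = int(page_token or 0)
        end = start + self.page_size
        resp = {"files": self.files[start:end]}
        if end < len(self.files):
            resp["nextPageToken"] = str(end)     # more pages to fetch
        return resp

    def revisions_list(self, file_id: str) -> dict:
        # metadata only, as the API returns it; bytes come from revision_media
        return {"revisions": [{k: v for k, v in r.items() if k != "data"}
                              for r in self.revisions.get(file_id, [])]}

    def revision_media(self, file_id: str, revision_id: str) -> bytes:
        return next(r["data"] for r in self.revisions[file_id] if r["id"] == revision_id)

    def files_export(self, file_id: str, mime_type: str) -> bytes:
        return self.exports[file_id]


def _entry(f: dict, kind: str, rev_id: Optional[str], data: bytes,
           reported_md5: Optional[str]) -> dict:
    """Manifest line: SHA-256 of what we actually received, plus whether it
    matches the provider-reported MD5 when the provider reports one."""
    md5_ok = None if reported_md5 is None else hashlib.md5(data).hexdigest() == reported_md5
    return {"id": f["id"], "name": f["name"], "kind": kind, "revision": rev_id,
            "size": len(data), "sha256": hashlib.sha256(data).hexdigest(), "md5_ok": md5_ok}


def acquire(client) -> List[dict]:
    """Walk the entire account via the API (not a local sync folder), pulling
    every revision of binary files and an export of each native document."""
    manifest, token = [], None
    while True:
        page = client.files_list(page_token=token)
        for f in page["files"]:
            if f["mimeType"] in NATIVE_EXPORT:
                # Native artifact: no original bytes exist anywhere, so export.
                # The API reports no checksum for exports, hence md5_ok is None.
                data = client.files_export(f["id"], NATIVE_EXPORT[f["mimeType"]])
                manifest.append(_entry(f, "export", None, data, None))
            else:
                # Binary file: acquire all revisions, not only the current one.
                for rev in client.revisions_list(f["id"])["revisions"]:
                    data = client.revision_media(f["id"], rev["id"])
                    manifest.append(_entry(f, "revision", rev["id"], data,
                                           rev.get("md5Checksum")))
        token = page.get("nextPageToken")
        if not token:
            return manifest


def sample_client() -> FakeDriveClient:
    """Constructed account with three files so that pagination (page_size=2),
    multiple revisions, a native export and an integrity failure all occur."""
    v1, v2, blob = b"draft", b"draft, revised", b"binary blob"
    files = [
        {"id": "f1", "name": "notes.txt", "mimeType": "text/plain"},
        {"id": "f2", "name": "plan", "mimeType": "application/vnd.google-apps.document"},
        {"id": "f3", "name": "blob.bin", "mimeType": "application/octet-stream"},
    ]
    revisions = {
        "f1": [{"id": "r1", "md5Checksum": hashlib.md5(v1).hexdigest(), "data": v1},
               {"id": "r2", "md5Checksum": hashlib.md5(v2).hexdigest(), "data": v2}],
        # reported MD5 deliberately wrong: models a truncated or corrupted download
        "f3": [{"id": "r1", "md5Checksum": "0" * 32, "data": blob}],
    }
    exports = {"f2": b"%PDF-1.4 constructed export of 'plan'"}
    return FakeDriveClient(files, revisions, exports)


if __name__ == "__main__":
    for entry in acquire(sample_client()):
        print(entry)
```

Two points the manifest makes visible: a provider-reported checksum lets the acquisition detect a bad transfer for ordinary files (`f3` comes back with `md5_ok` false and should be re-fetched or flagged), while a native-document export has no such reference value, so the export format and time of acquisition must be recorded with the hash because re-exporting later can legitimately yield different bytes.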