*Digital Forensic Science*

### **3.2 Evidence collection from cloud storage**

**Figure 2.** *Sample access log trace as evidence.*

**Table 2.** *Description of the access log format.*

| S. No. | Field | Value | Description |
|---|---|---|---|
| 1 | Remote host | 10.1.3.122 | IP address of the HTTP user who makes the HTTP resource request |
| 2 | Rfc931 | - | Identifier used to determine the client |
| 3 | Username | - | User name or user ID used for authentication |
| 4 | Date: time timezone | [17-Mar-2015:10:49:33 +530] | Date and timestamp of the HTTP request |
| 5 | HTTP request | GET /scripts/root.exe?/c+dir/ HTTP/1.0 | HTTP request containing (a) the HTTP method, GET; (b) the HTTP request resource, scripts/root.exe?/c+dir/; and (c) the HTTP protocol version, 1.0 |
| 6 | Status code | 200 | Status of the HTTP request, i.e., success or failure |
| 7 | Bytes | 578 | Number of bytes of data transferred during the HTTP request |
| 8 | Referral URL | https://www.nitt.edu/OLCLD/view.php?q=book/ | Referrer header of the HTTP request (containing the URL of the page from which this request was initiated) if present, and "-" otherwise |
| 9 | User agent | Mozilla/4.08 [en] (Win98; I; Nav) | Browser identification string |
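The access-log parsing that Table 2 describes, as an added example (not code from the chapter): it splits a line in the Common/Combined Log Format into the nine fields of the table, types the timestamp, status and byte count, and flags the kind of request shown in Figure 2. The sample lines, the indicator list and the shape of the report are constructed for this example; the first sample line carries the Table 2 values in the standard Apache combined format, with the timezone written as +0530.

```python
"""Parse access-log lines in the Common/Combined Log Format described in
Table 2 and flag requests of the kind shown in Figure 2.

Added example, not code from the chapter.  The three log lines below are
constructed: the first carries the values from Table 2 in the standard Apache
combined format (timezone written as +0530); the others are a benign request
and a traversal attempt, made up for contrast."""
import re
from datetime import datetime
from urllib.parse import unquote

# Fields 1-9 of Table 2: host, rfc931 ident, user, timestamp, request line,
# status, bytes, referrer and user agent (the last two are optional in CLF).
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)

# Constructed indicator list (an assumption for this example, not a list from
# the chapter): a web-server executable invoked with a /c command argument as
# in the root.exe?/c+dir trace of Figure 2, cmd.exe being requested, and
# directory-traversal sequences (checked raw and percent-decoded).
SUSPICIOUS_PATTERNS = [
    (re.compile(r'\.exe\?/c\+', re.I), 'executable invoked with a /c command argument'),
    (re.compile(r'(?:^|/)cmd\.exe', re.I), 'cmd.exe requested'),
    (re.compile(r'\.\./'), 'directory traversal sequence'),
]

SAMPLE_LINES = [  # constructed
    '10.1.3.122 - - [17/Mar/2015:10:49:33 +0530] "GET /scripts/root.exe?/c+dir/ HTTP/1.0" '
    '200 578 "https://www.nitt.edu/OLCLD/view.php?q=book/" "Mozilla/4.08 [en] (Win98; I; Nav)"',
    '10.1.3.50 - alice [17/Mar/2015:10:50:01 +0530] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.1.3.122 - - [17/Mar/2015:10:51:12 +0530] '
    '"GET /scripts/..%2f..%2fwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 0 "-" '
    '"Mozilla/4.08 [en] (Win98; I; Nav)"',
]


def parse_clf(line):
    """Split one log line into the nine fields of Table 2, with typed values."""
    m = CLF_RE.match(line)
    if not m:
        raise ValueError('not a CLF line: %r' % line)
    d = m.groupdict()
    # Field 5 splits into (a) method, (b) resource and (c) protocol version.
    parts = d['request'].split(' ')
    d['method'], d['resource'], d['version'] = (parts + [None] * 3)[:3]
    d['status'] = int(d['status'])
    d['bytes'] = 0 if d['bytes'] == '-' else int(d['bytes'])
    d['timestamp'] = datetime.strptime(d['time'], '%d/%b/%Y:%H:%M:%S %z')
    return d


def flag_suspicious(entry):
    """Return the reasons an entry looks like attack traffic ([] if none).

    Both the raw resource and its percent-decoded form are checked so that
    encoded traversal such as ..%2f is not missed."""
    raw = entry['resource'] or ''
    decoded = unquote(raw)
    reasons = [why for pat, why in SUSPICIOUS_PATTERNS
               if pat.search(raw) or pat.search(decoded)]
    if reasons and 200 <= entry['status'] < 300:
        # A 2xx on an attack request means the server served it (Table 2 row 6
        # reads 200 for the root.exe request); a 403/404 would mean it was refused.
        reasons.append('status %d: request was served, not refused' % entry['status'])
    return reasons


def analyze(lines):
    """Timeline (oldest first) of flagged requests with their reasons."""
    entries = sorted((parse_clf(l) for l in lines), key=lambda e: e['timestamp'])
    report = []
    for e in entries:
        reasons = flag_suspicious(e)
        if reasons:
            report.append({'time': e['timestamp'].isoformat(), 'host': e['host'],
                           'resource': e['resource'], 'status': e['status'],
                           'reasons': reasons})
    return report


if __name__ == '__main__':
    for row in analyze(SAMPLE_LINES):
        print(row)
```

Run against a real access.log only the input changes. Keep the indicator list a configuration item rather than a hard-coded constant, and always check the decoded resource as well as the raw one: `..%2f` and `../` are the same request once the server decodes them.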

Evidence collection from cloud storage is the process of collecting evidence from services such as Dropbox, Microsoft SkyDrive and Google Drive, both through the Web browser and by downloading files with existing software tools [11–13]. It helps to identify illegal modification or access of the cloud storage while file contents are uploaded to or downloaded from the storage media, and to check whether an attacker has altered the timestamp information in the user's accounts. Forensic investigators use the Virtual Forensic Computing (VFC) tool to identify evidence in a VM image file. The evidence for each account is accessed through a Web browser running in the cloud environment, recording the encoded value of the VM image. The packets of each VM instance running on the hosts are captured with network packet tools such as Wireshark and Snappy. The account information is synchronized and downloaded with the client software of each device, which is used to identify the source of the evidence. The evidence is isolated from the files found in the VM, for Dropbox under "C:\Users\[username]\Dropbox\", as shown in **Figure 3**. The zip file contains the name of the folder, which can be accessed via the browser to determine the effect of a timestamp on the drive. If an attacker modifies the contents of a file, the evidence is found by analyzing the VM hard drive, the history of the files stored in the cloud, and the cache. The VM image can also be analyzed by computing its hash value. The evidence from Google Drive cloud storage is depicted in **Figure 4**.
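An added example of the comparison just described (not the chapter's or the VFC tool's code): it hashes every file in a sync folder taken from the VM image, compares each hash and modification time with the cloud-side file history, and reports content changes, files present on one side only, and timestamps that are later than the acquisition time or earlier than the cloud version of the same changed file. The sync folder contents, the cloud history and the acquisition time are constructed so the script runs offline; `sha256_file` is the same streamed hash one would apply to the VM image itself.

```python
"""Integrity and timestamp check of a cloud-storage sync folder taken from a
VM image, against the cloud-side file history.

Added example, not the chapter's code.  In a real run sync_root is the mounted
image path of the sync folder (for Dropbox, C:\\Users\\<username>\\Dropbox)
and the cloud history comes from the provider; here both, and the acquisition
time, are constructed so the script runs offline."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Streamed SHA-256, usable for single files and for the whole VM image."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def inventory(sync_root):
    """Map relative path -> (sha256, mtime as UTC datetime) for every file."""
    out = {}
    for dirpath, _, names in os.walk(sync_root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, sync_root).replace(os.sep, '/')
            mtime = datetime.fromtimestamp(os.stat(full).st_mtime, timezone.utc)
            out[rel] = (sha256_file(full), mtime)
    return out


def compare(local, cloud, acquired_at):
    """Findings as (path, description) tuples.

    local       : inventory() of the image's sync folder
    cloud       : {relative path: (sha256, modified time UTC)} from the provider
    acquired_at : when the image was acquired; no local mtime can be later."""
    findings = []
    for rel, (digest, mtime) in sorted(local.items()):
        if mtime > acquired_at:
            findings.append((rel, 'local mtime later than acquisition time'))
        if rel not in cloud:
            findings.append((rel, 'present in image, absent from cloud history'))
            continue
        cloud_digest, cloud_mtime = cloud[rel]
        if digest != cloud_digest:
            findings.append((rel, 'content differs from cloud copy'))
            if mtime < cloud_mtime:
                findings.append((rel, 'content changed but mtime predates the '
                                      'cloud version: timestamp may be back-dated'))
    for rel in sorted(set(cloud) - set(local)):
        findings.append((rel, 'in cloud history, missing from image'))
    return findings


def build_sample(sync_root):
    """Constructed sync folder and cloud history (assumed values)."""
    utc = timezone.utc
    acquired_at = datetime(2015, 3, 17, 12, 0, tzinfo=utc)
    local_files = {  # name: (content, mtime stamped on the file)
        'notes.txt': (b'meeting notes', datetime(2015, 3, 15, 8, 0, tzinfo=utc)),
        'report.docx': (b'quarterly numbers v2', datetime(2015, 3, 16, 9, 0, tzinfo=utc)),
        'payload.bin': (b'\x90' * 16, datetime(2015, 3, 18, 1, 0, tzinfo=utc)),
    }
    cloud_history = {
        'notes.txt': (sha256_bytes(b'meeting notes'), datetime(2015, 3, 15, 8, 0, tzinfo=utc)),
        'report.docx': (sha256_bytes(b'quarterly numbers v1'), datetime(2015, 3, 16, 10, 0, tzinfo=utc)),
        'deleted.pdf': (sha256_bytes(b'old contract'), datetime(2015, 3, 10, 8, 0, tzinfo=utc)),
    }
    for name, (content, mtime) in local_files.items():
        path = os.path.join(sync_root, name)
        with open(path, 'wb') as f:
            f.write(content)
        os.utime(path, (mtime.timestamp(), mtime.timestamp()))
    return cloud_history, acquired_at


def run_demo():
    with tempfile.TemporaryDirectory() as sync_root:
        cloud_history, acquired_at = build_sample(sync_root)
        return compare(inventory(sync_root), cloud_history, acquired_at)


if __name__ == '__main__':
    for path, finding in run_demo():
        print(path, '-', finding)
```

The acquisition-time check is the cheap one: a local mtime after the moment the image was taken can only come from clock manipulation or from writes after acquisition, which is why the image hash is recorded at acquisition and re-checked before analysis.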

### **3.3 Evidence collection via a Web browser**

The clients communicate with the server in the cloud environment through a Web browser for various tasks, namely checking email and news, online shopping, information retrieval, etc. [14–18]. Web browser history is a critical source of evidence. The evidence is found by analyzing the URLs in the Web browser history, timeline analysis, user browsing behavior and URL encoding, and is also recovered from deleted information. Here is an example of Web browser URLs:

https://www.nitt.edu/en#files:/Documents/<Folder name>,

https://www.nitt.edu/en#files:/E:<Folder ID>.

Similarly, the evidence stored in the Web browser cache at the root directory of a Web application is used to identify the source of an attack. **Table 3** indicates the evidence collection process and recovery method for various Web browsers.


**Figure 3.** *Dropbox evidence.*

**Figure 4.** *Google Drive evidence.*

*Data Collection Techniques for Forensic Investigation in Cloud*

**Table 4.** *Evidence collection process for cloud forensics.*

| Forensic analysis framework | Evidence collection for cloud storage | Evidence collection for cloud log analysis |
|---|---|---|
| **Evidence identification** | Identification of evidence from cloud storage (Dropbox, iCloud, SkyDrive and Google Drive, etc.) and also from user account information | Identification of evidence from cloud log files |
| **Evidence collection** | Collecting the evidence from cloud storage, namely the user account and password used to access the cloud storage account, using packet analysis tools such as Ethernet cap, Wireshark, Burp Suite, etc. to capture packets between the client and server; collecting evidence from the VM browser, such as Google Chrome, Chromium, Internet Explorer, Apple Safari, Mozilla Firefox, etc.; collecting the evidence from the client software used to access the VM hard drive and to synchronize the user account to retrieve the files and folders; collecting the evidence from the VM image in VMs | Collecting the evidence from various sources in the VM, such as log files, namely network log, access log, authentication log, error log, database log, etc., and through network analysis tools such as Wireshark, Snort, Snappy tool, Burp Suite, etc. |
| **Evidence analysis** | Identifying patterns from the evidence collection process to determine the source of attacks in the cloud environment | Determining the attack patterns from cloud log files and analyzing these patterns using a cloud traceback mechanism to identify the source of evidence |
| **Evidence presentation and reporting** | The forensic investigator examines the evidence and presents the evidence in court | Identifying the evidence from the analysis and reporting the evidence |

*DOI: http://dx.doi.org/10.5772/intechopen.82013*

Here is an example of a Chrome forensic tool that captures and analyzes data stored by the Google Chrome Web browser. It analyzes the data from the history, web logins, bookmarks, cookies and archived history. It identifies the evidence under C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default. **Figure 5** depicts the Google Chrome analysis forensic tool.

**Figure 5.** *Chrome forensic analysis tool.*
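An added example of the history-timeline analysis described in Section 3.3 and in the Chrome tool paragraph above (not the chapter's tool): it reads the urls and visits tables of a Chrome History database, converts the WebKit timestamps to UTC, decodes the percent-encoded path, query and fragment of each URL, orders the visits into a timeline and picks out files:/ locators of the form quoted in Section 3.3. The database rows are constructed in memory; the schema subset and the timestamp epoch are Chrome's.

```python
"""Timeline of Chrome browsing history read from the SQLite History database.

Added example, not the chapter's code.  Chrome's History file (on Windows
C:\\Users\\<username>\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History)
is an SQLite database; its urls and visits tables and the timestamp format
(microseconds since 1601-01-01 UTC) are real, the rows inserted below are
constructed, and the two files:/ URLs echo the pattern quoted in Section 3.3."""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote, urlsplit

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_START = datetime(2015, 3, 17, 10, 40, tzinfo=timezone.utc)  # constructed


def webkit_to_datetime(us):
    """Chrome/WebKit time (microseconds since 1601-01-01 UTC) -> aware datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def timeline(conn, since=None):
    """Visits joined to their URLs, oldest first, with decoded URL parts."""
    rows = conn.execute(
        'SELECT v.visit_time, u.url, u.title, v.from_visit '
        'FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time').fetchall()
    out = []
    for visit_time, url, title, from_visit in rows:
        when = webkit_to_datetime(visit_time)
        if since is not None and when < since:
            continue
        p = urlsplit(url)
        out.append({'time': when, 'host': p.netloc, 'path': unquote(p.path),
                    'query': unquote(p.query), 'fragment': unquote(p.fragment),
                    'title': title, 'from_visit': from_visit})
    return out


def cloud_file_accesses(entries):
    """Entries whose fragment is a files:/ locator, as in the URLs of Section 3.3."""
    return [e for e in entries if e['fragment'].startswith('files:/')]


def build_sample_history():
    """In-memory database with the subset of Chrome's schema used above."""
    conn = sqlite3.connect(':memory:')
    conn.executescript('''
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, from_visit INTEGER,
                             transition INTEGER);
    ''')
    urls = [  # constructed rows; the folder id is made up
        (1, 'https://www.nitt.edu/en', 'NITT'),
        (2, 'https://www.nitt.edu/en#files:/Documents/Project%20Reports', 'Files'),
        (3, 'https://www.nitt.edu/en#files:/E:1234567890', 'Files'),
        (4, 'https://example.com/login?user=alice%40example.com', 'Login'),
    ]
    visits = [  # (id, url id, minutes after SAMPLE_START, from_visit)
        (1, 4, 0, 0), (2, 1, 5, 1), (3, 2, 9, 2), (4, 3, 12, 3),
    ]
    for vid, uid, minutes, from_visit in visits:
        t = datetime_to_webkit(SAMPLE_START + timedelta(minutes=minutes))
        conn.execute('INSERT INTO visits VALUES (?, ?, ?, ?, 0)', (vid, uid, t, from_visit))
    for uid, url, title in urls:
        last = conn.execute('SELECT MAX(visit_time), COUNT(*) FROM visits WHERE url = ?',
                            (uid,)).fetchone()
        conn.execute('INSERT INTO urls VALUES (?, ?, ?, ?, ?)',
                     (uid, url, title, last[1], last[0]))
    conn.commit()
    return conn


if __name__ == '__main__':
    conn = build_sample_history()
    for e in timeline(conn):
        print(e['time'].isoformat(), e['host'], e['path'], e['fragment'] or e['query'])
```

To run it on a real profile, copy the History file out of the profile directory first (Chrome keeps it open while running), pass `sqlite3.connect(copy_path)` to `timeline`, and hash the copy before and after so the analysis can be shown not to have altered it.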


**Table 3.** *Evidence collection process and recovery method for different Web browsers.*

| Web browser | Information to be analyzed | Tools for forensic investigation | Recovery method for evidence |
|---|---|---|---|
| Internet Explorer | Index.dat, history, cache, cookies | Web Historian 6.13, Index.dat Analyzer, Pasco 2.5, NetAnalysis 1.52, EnCase 6.3, FTK 3.3, WEFA | Analyzing the index.dat files weekly/daily; recovery of the evidence from index.dat; recovery from internet files |
| Google Chrome | Bookmark history, bookmark downloads, cookies, list of search words, cache | Chrome Analysis 1.0, NetAnalysis 1.52, CacheBack 3.17, WEFA | Recovery of session file through carving method; recovery from cookies |
| Mozilla Firefox | History, cookies history, download list, cache, bookmarks | Firefox Forensic 2.3, NetAnalysis 5.2, CacheBack 3.17, EnCase 6.3, FTK 3.3, WEFA | Recovery of history file through carving method; recovery of cache files |
| Safari | History, cache, cookies | Web Historian 6.13, NetAnalysis 1.52, CacheBack 3.17, EnCase 6.3, FTK 3.3, WEFA | Recovery of cookies |
| Opera | History, cache, cookies, bookmarks | Web Historian 6.13, NetAnalysis 1.52, CacheBack 3.17, EnCase 6.3, WEFA | Recovery of session files, cookies |
