Researchers from the University of Salford, in the UK, have created a taxonomy to assist forensic research of data stored in cloud apps on Android-based mobile devices.
The importance of data retrieval from phones and tablets is of increasing relevance to law enforcement officials, who must follow proscribed evidentiary procedures to ensure that relevant data is retrieved properly. The taxonomy created by the researchers reflects residual data found in 31 separate cloud applications, to aid officials in correlating evidence of user activities with the data retrieved from the device.
The team examined a data set comprised of pictures, documents, audio, video, and web files which were downloaded to an Asus Nexus 7 Google tablet, using one of 31 cloud storage applications available for free on the Google Play Store.
They found that even when the data had been deleted and the tablet memory wiped, they were still able to retrieve different types of data from the device, and that the types and amount of data that could be retrieved varied depending on the cloud application used.
The cloud storage applications were examined using MicroSystemation XRY, a popular forensics tool, on a Windows 10 OS. The applications were all used to store data on the cloud so that it could be retrieved from the device itself or through a website, although some used a third-party cloud service.
The team uploaded the dataset on a closed network, from an alternate device to prevent polluting the data with remnants from the device’s internal storage.
Results showed that data that had been uploaded using the XXL Box Secure app could be retrieved in all formats – documents, audio and video files, spreadsheets, PDF and HTML files were all accessible using the XRY tool. Similar results were found with the FileManager and MyCloud WD applications.
8 of 9 types of data were recoverable from the FolderSync Lite application, where the team could retrieve all types of files studied excepting MBOX.
Using certain cloud storage applications, however, did not allow any of the data to be recovered using the XRY forensics tool. These applications include Google Drive, DropBox, Box, and the Adobe Creative Cloud.
In the future, the team plans to expand the study of cloud storage application forensics to other types of operating systems and different mobile devices.