
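In terms of the network packet analysis results, we found that the OneDrive, Google Drive and MEGA apps all transmit their data over HTTPS, which secures the network transmission, but we used Burp Suite

account and password /login.live.com) for authentication, authentication failed photoExif, location, sha1hash and other information.

kydrive/analytics/v1 contains log files.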

2. The path /Library/Caches/com.microsoft.skydrive contains an HSTS.plist file, which holds information on many websites.

3. The settings.json file under Library/Caches/io.fabric.sdk.ios.data/com.microsoft.skydrive contains the prompts shown when an error occurs and the settings for sending and storing reports.

4. The com.microsoft.skydrive.plist file under /Library/Preferences shows basic information about OneDrive.

Google Drive

1. The path /Library/Caches/com.google.Drive contains an HSTS.plist file, which holds information on many websites.

2. The com.google.Drive.plist file under /Library/Caches/Preferences shows basic information about Google Drive.

MEGA

The mega.ios.plist file under /Library/Preferences shows MEGA's settings information.

User-related information

OneDrive

The path Library/Cookies contains a Cookies.binarycookies file, which includes the user account and system ID information.

Google Drive

1. The gdk-contact-store-db.sqlite file under /Documents/drivekit/users/114685138436259289442/contacts shows the contact details of other people with whom data is shared.

2. The Profile.plist file under /Library/Caches/com.google.commmon.SSO/114685138436259289442 contains the user's login email and user name.

MEGA: no related data found.

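Snapshot images

OneDrive

1. The path /Library/Caches/PSPDFKit/Pages contains snapshot images of document files; in addition, the PSPDFCache.sqlite file records information about the snapshot files.

2. Under /Library/Caches/Snapshots/com.microsoft.skydrive, the images of the phone screen captured by OneDrive can be found.

Google Drive 1. Under the path /Documents/drivekit/users/114685138436259289442/

1. Under /Library/Caches/Snapshots/mega.ios, the images of the phone screen captured by MEGA were found.

The moddatabase.db file under /Library/Database records the metadata of cloud files.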

Google Drive

1. The cello.db file under /Documents/drivekit/users/114685138436259289442/cello contains the metadata of cloud files.

2. Under /Library/Application Support/MediaUploaderDB, the MediaUploader_114685138436259289442.sqlite file

OneDrive: the path /Library/StreamCache contains cached file data.

Google Drive

Under /tmp, .tmp files were found, from which incomplete image files can be recovered

accesses MEGACD.sqlite under the path /Library/Application Support/

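Entering the account and password

OneDrive

Three files are accessed: Pages.lock, HSTS.plist and Cookies.binarycookies_tmp_5158_0.dat.

Google Drive

1. When the account is entered, the HSTS.plist and Cookies.binarycookies_tmp_5432_0.dat files are accessed first.

2. When the password is entered, com.google.commmon.SSO and the Profile.plist file are accessed.

3. After login, files such as HSTS.plist, Cookies.binarycookies and com.google.commmon.SSO are read first; upload_state.dat, cello_settings.plist, drivekit00.log and other files are then accessed to update the current upload status, network settings and log file in real time. Next, thumbnails are created for all files currently stored on Google Drive, and all thumbnails are stored under /Documents/drivekit/users/114685138436259289442/thumbnail.

MEGA

Entering the account and password does not access any file; after login, thumbnails of all cloud files are generated first.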

Uploading image files

OneDrive

1. The file is stored under /Library/manualFileUpload/.

2. A .tmp temporary file appears under /Library/Cache/com.apple.nsurlsessiond/Downloads/com.microsoft.skydrive/.

Google Drive

1. The upload_state.dat file is accessed, then a thumbnail of the uploaded image is created and stored under /Documents/drivekit/users/114685138436259289442/thumbnail.

2. Opening any image stored on Google Drive for viewing automatically downloads that image and stores it under /Library/Caches/drivekit/users/114685138436259289442/images

thumbnails of cloud files.

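Downloading a PDF file

OneDrive

1. When the PDF is opened, a temporary file is generated in advance and stored under /tmp/TempDownloadFiles; in addition, the PDF file is stored under /Library/StreamCache.

2. After tapping to open the download, the PDF file is downloaded to /tmp/PSPDFKit and the action is recorded in the log file.

Google Drive

1. Opening the PDF file first creates a thumbnail of the file.

2. After tapping to open the download, a temporary file is created under /tmp.

MEGA

1. Opening the PDF file creates a .getxfer.5658.0.mega file.

2. After tapping to open the download, the .mecabrc file is accessed; once the download succeeds, the thumbnails of all cloud files are accessed or generated again.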

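After studying the apps thoroughly with three analysis methods (network packet analysis, file analysis and app execution analysis), we have a better understanding of the digital evidence that OneDrive, Google Drive and MEGA can produce and of the paths where it is stored.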
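
The artifact locations above can be checked against an extracted app sandbox as follows (an added example, not part of the original study): the script walks the sandbox, hashes each known artifact, and lists plist keys or SQLite tables. The category labels, the `*` wildcard standing in for the account-specific user ID, and the sample sandbox built by `build_sample` are assumptions of this example.

```python
import fnmatch, hashlib, plistlib, sqlite3
from pathlib import Path
# Paths relative to one app's sandbox root, taken from the findings above.
# "*" stands in for the account-specific user ID; labels are this example's own.
ARTIFACTS = {
    "Library/Cookies/Cookies.binarycookies": "OneDrive user account / system ID",
    "Library/Caches/com.google.Drive/HSTS.plist": "Google Drive website information",
    "Documents/drivekit/users/*/cello/cello.db": "Google Drive file metadata",
    "Library/Preferences/mega.ios.plist": "MEGA settings",
}

def describe(path):
    """Hash one artifact and peek at its structure without writing to it."""
    data = path.read_bytes()
    info = {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
    if path.suffix == ".plist":
        try:
            top = plistlib.loads(data)  # accepts XML and binary plists
            info["plist_keys"] = sorted(top) if isinstance(top, dict) else []
        except Exception:  # damaged or truncated plist
            info["plist_keys"] = None
    elif data.startswith(b"SQLite format 3\x00"):
        con = sqlite3.connect(path.resolve().as_uri() + "?mode=ro", uri=True)
        rows = con.execute("SELECT name FROM sqlite_master WHERE type='table'")
        info["tables"] = sorted(r[0] for r in rows)
        con.close()
    return info

def triage(root):
    """Return one record per known artifact found under an extracted sandbox."""
    root, hits = Path(root), []
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        for pattern, label in ARTIFACTS.items():
            if p.is_file() and fnmatch.fnmatchcase(rel, pattern):
                hits.append({"path": rel, "label": label, **describe(p)})
    return hits

def build_sample(root):
    """Create a constructed sandbox for demonstration; contents are invented."""
    plist = Path(root, "Library/Preferences/mega.ios.plist")
    db = Path(root, "Documents/drivekit/users/000000000000/cello/cello.db")
    for f in (plist, db):
        f.parent.mkdir(parents=True, exist_ok=True)
    plist.write_bytes(plistlib.dumps({"exampleSetting": True}))
    con = sqlite3.connect(db)
    con.executescript("CREATE TABLE items (id INTEGER, title TEXT);")
    con.close()
    return Path(root)
```

Run `triage()` against a working copy of the extraction rather than the original evidence, and record the SHA-256 values alongside the acquisition notes.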
