A Comparison of Cloud Storage Technologies as Sources of Digital Evidence

Büter R, Engst G, Esser K, Freiling F, Friedrich K, Friedrich T, Hammer A, Heine L, Heinlein L, Korn O, Minuth C, Müller M, Müller N, Reithmeier J, Ripley N, Schulze M, Sievers M, Srikhaolan C, Zenk J (2022)

Publication year: 2022

Due to their ease of use and their reliability, managed storage services "in the cloud" have become a standard way to store personal files for many users. In fact, many apps on mobile devices use local storage on the client merely as a cache for data that is fully stored on a remote server. Consequently, data from cloud storage services is an increasingly valuable source of digital evidence in forensic investigations. This document presents the results of a student project that was performed at Friedrich-Alexander-Universität Erlangen-Nürnberg in the winter term 2021/22. Six groups of students analyzed the most relevant network storage technologies (Samba, Nextcloud, Dropbox, Google Drive, OneDrive, iCloud) regarding two questions: (1) What effect does data acquisition by the client have on the data stored on the server? (2) Does the technology support delayed verification of data acquisition in any way? The two questions refer to critical aspects of forensic evidence collection, namely in what way does evidence collection interfere with the evidence, and how easy is it to prove the provenance of data in a forensic investigation. In the concluding discussion we compare the different technologies and develop a taxonomy of storage services that can be used to assess other cloud storage services with regarding the evidental value of data acquired from them.

