A forensic analysis of rclone and rclone’s prospects for digital forensic investigations of cloud storage

Organizations and end users are moving their data into the cloud and trust Cloud Storage Providers (CSP) such as pCloud, Dropbox, or Backblaze. Given their popularity, it is likely that forensic examiners encounter one or more online storage types that they will have to acquire and analyze during an investigation. To access cloud storage, CSPs provide web-interfaces, proprietary software solutions (e.g., Dropbox client for Windows) as well as APIs allowing third-party access. One of these third-party applications is rclone which is an open-source tool to access many common CSPs through a command line interface. In this article, we look at rclone from two perspectives: First, we perform a forensic analysis on rclone and discuss aspects such as password recovery of the configuration file, encryption, and JA3 fingerprints. Second, we discuss rclone as a prospect to be a forensic tool which includes its read-only mount feature and sample cases. Under the circumstances tested, rclone is suitable for forensic practitioners as it is open-source, documented, and includes some essential functionality frequently needed but practitioners need to be aware of the caveats.