Authors: Uk Hur, Soojin Kang, Giyoon Kim, Jongsung Kim
DFRWS USA 2023
Various user data stored in cloud services for data continuity and efficiency is one of the main collection targets in digital forensic investigation. Some forensic tools collect cloud data based on user account and password, or provide data collection functions based on user credentials stored in the web browser. However, because many web services require additional authentication using user devices to protect user data, access using only the account and password is becoming difficult. In the case of credentials generated by auto-login, it does not work or requires re-authentication when moved to the investigator’s device. This is so that other devices cannot utilize the credentials that are kept on the device due to security measures. In this paper, we propose a new method to migrate the credentials stored by the web browser to other devices and effectively utilize them, unlike the forensic method that involves using local credentials. Our analysis revealed that the majority of browsers encrypt and store credentials, so we researched credential decryption methods. We proceeded with the migration; move and encrypt the decrypted credentials to the investigator’s device, or move the not encrypted credentials simply. As a result, we conducted credentials migration experiments on a total of 28 browsers, among which we have clarified that migration is possible in all browsers except three that do not store data, such as Tor. We verified that it is possible to log in and collect data on 20 types of web services that are frequently used using migrated credentials. Although the approach we propose is straightforward, it allows for effective and efficient cloud data collection in digital forensic investigation.