Authors: Jihyeok Yang (Korea University), Jieon Kim (Korea University), Jewan Bang (Korean National Police Agency), Sangjin Lee (Korea University), Jungheum Park (Korea University)



With the development of Internet technology, cloud-based services have improved the availability and usability of resources. Among them, cloud storage services enable users to remotely store, access, or share data over a network. Therefore, digital forensic investigators need to collect data stored in remote servers to comprehensively understand a suspect’s activities. Although several well-known commercial digital forensic tools provide features for cloud data acquisition in order to support this requirement, fewer studies have addressed whether they have full access to cloud resources and collect all the data as expected. In this regard, our findings from this work show that those commercial tools do not completely identify and collect data that are obviously available through dedicated clients (e.g., web-browsers and desktop/mobile apps). In this paper, we propose an investigative framework, CATCH (Cloud Data Acquisition through Comprehensive and Hybrid Approaches), which is composed of four steps (Authentication, Exploration, Filtering, and Collection). CATCH collects authentication data to access cloud resources and then, explores, filters, and collects all accessible metadata as well as contents from remote cloud servers by using Open and Internal APIs. To demonstrate our proposal, the CATCH frame- work is applied to collect a user’s Microsoft OneDrive storage from digital forensics perspectives. We then evaluate data collection results generated from a self-developed tool based on the proposed framework, by comparing them to results from commercial digital forensic tools.