Authors: Jacques Boucher and Nhien An Le Khac (University College Dublin)

DFRWS EU 2018

Abstract

Today, application developers strive to make a user’s experience seamless as they move from one device to the next by synchronizing the user’s data between the devices. With the ever-increasing proliferation of Internet-connected devices, we can expect to see greater integration and synchronization between these devices. The end user benefits from this seamless synchronization of data between devices. For computer forensic examiners, the synchronization of data between devices is both a benefit and a challenge. The benefit is that the device being analyzed may contain evidence that synced from another device that cannot be found. The challenge is that the device being analyzed may contain evidence that synced from another device. In most jurisdictions, police must prove mens rea, the intention or knowledge of wrongdoing. It is a challenge for examiners if a user claims that the evidence found on their laptop was created by an unknown user on another device, and that the activity synced to their laptop. There is very little research on synchronization of data between devices in the literature. Therefore, in this paper, we propose a framework to guide computer forensic examiners in their quest to determine whether data is local or synced. We also demonstrate the application of our framework on a known scenario to evaluate the confidence an analyst can attribute to each section of the framework, and the caveats that need to be considered when forming an opinion on whether data is local or synced.
