A forensic analysis of rclone and rclone's prospects for digital forensic investigations of cloud storage
Détails
Télécharger: 1-s2.0-S266628172200124X-main.pdf (1872.75 [Ko])
Etat: Public
Version: Final published version
Licence: CC BY-NC-ND 4.0
Etat: Public
Version: Final published version
Licence: CC BY-NC-ND 4.0
ID Serval
serval:BIB_39C602F7E3F4
Type
Article: article d'un périodique ou d'un magazine.
Collection
Publications
Institution
Titre
A forensic analysis of rclone and rclone's prospects for digital forensic investigations of cloud storage
Périodique
Forensic Science International: Digital Investigation
ISSN
2666-2817
Statut éditorial
Publié
Date de publication
09/2022
Peer-reviewed
Oui
Volume
43
Pages
301443
Langue
anglais
Résumé
Organizations and end users are moving their data into the cloud and trust Cloud Storage Providers (CSP) such as pCloud, Dropbox, or Backblaze. Given their popularity, it is likely that forensic examiners encounter one or more online storage types that they will have to acquire and analyze during an investigation. To access cloud storage, CSPs provide web-interfaces, proprietary software solutions (e.g., Dropbox client for Windows) as well as APIs allowing third-party access. One of these third-party applications is rclone which is an open-source tool to access many common CSPs through a command line interface. In this article, we look at rclone from two perspectives: First, we perform a forensic analysis on rclone and discuss aspects such as password recovery of the configuration file, encryption, and JA3 fingerprints. Second, we discuss rclone as a prospect to be a forensic tool which includes its read-only mount feature and sample cases. Under the circumstances tested, rclone is suitable for forensic practitioners as it is open-source, documented, and includes some essential functionality frequently needed but practitioners need to be aware of the caveats.
Mots-clé
Rclone, Cloud storage, Acquisition, Application forensics, Cloud computing forensics
Open Access
Oui
Création de la notice
28/09/2022 8:47
Dernière modification de la notice
23/01/2024 7:16