A forensic analysis of rclone and rclone's prospects for digital forensic investigations of cloud storage

Details

Resource 1 Download: 1-s2.0-S266628172200124X-main.pdf (1872.75 [KB])
State: Public
Version: Final published version
License: CC BY-NC-ND 4.0
Serval ID
serval:BIB_39C602F7E3F4
Type
Article: article from journal or magazine.
Collection
Publications
Institution
Title
A forensic analysis of rclone and rclone's prospects for digital forensic investigations of cloud storage
Journal
Forensic Science International: Digital Investigation
Author(s)
Breitinger Frank, Zhang Xiaolu, Quick Darren
ISSN
2666-2817
Publication state
Published
Issued date
09/2022
Peer-reviewed
Yes
Volume
43
Pages
301443
Language
English
Abstract
Organizations and end users are moving their data into the cloud and trust Cloud Storage Providers (CSP) such as pCloud, Dropbox, or Backblaze. Given their popularity, it is likely that forensic examiners encounter one or more online storage types that they will have to acquire and analyze during an investigation. To access cloud storage, CSPs provide web-interfaces, proprietary software solutions (e.g., Dropbox client for Windows) as well as APIs allowing third-party access. One of these third-party applications is rclone which is an open-source tool to access many common CSPs through a command line interface. In this article, we look at rclone from two perspectives: First, we perform a forensic analysis on rclone and discuss aspects such as password recovery of the configuration file, encryption, and JA3 fingerprints. Second, we discuss rclone as a prospect to be a forensic tool which includes its read-only mount feature and sample cases. Under the circumstances tested, rclone is suitable for forensic practitioners as it is open-source, documented, and includes some essential functionality frequently needed but practitioners need to be aware of the caveats.
Keywords
Rclone, Cloud storage, Acquisition, Application forensics, Cloud computing forensics
Open Access
Yes
Create date
28/09/2022 9:47
Last modification date
23/01/2024 8:16