Mobile Forensics for Cloud Data: Practical and Legal Considerations

John Bjornson
School of Computing and Academic Studies
British Columbia Institute of Technology
Burnaby, BC, Canada
Email: john.m.bjornson@gmail.com

Aaron Hunter
School of Computing and Academic Studies
British Columbia Institute of Technology
Burnaby, BC, Canada
Email: aaron hunter@bcit.ca

Abstract—Forensic examinations of a mobile phone that consider only the internal memory can miss potentially vital data that is accessible from the device but not stored locally. In this paper, we look at a forensic tool that is able to download data stored in the cloud using credentials gleaned from device extractions. Through experimentation with a variety of devices and configurations, we examine the effectiveness of the software for its stated purpose. The results suggest that information can be obtained from the cloud in this manner, but only under some relatively strong assumptions. Practical issues and legal considerations are discussed.

I. INTRODUCTION

Digital forensic tools have traditionally been used by law enforcement agencies to help with criminal investigations by extracting data from computing devices. Over time, the emphasis has shifted from data stored on personal computers to data stored on mobile phones. In both cases, the process is similar: a forensic image is obtained from the device in a manner that does not modify the data, and then information is obtained from this image using suitable software. This process involves specialized hardware and software, the reliability of which has been an important focus for the forensic community [3]. However, simply extracting data from a device is no longer sufficient. A great deal of important information is now stored in the cloud, so a traditional forensic image does not capture everything an investigator needs to know. In order to address this issue, we need to move beyond the device to obtain information that is stored remotely.
In this paper, we evaluate a new tool for obtaining cloud-based information associated with a mobile device. We make two contributions to existing research in digital forensics. First, while the importance of cloud data is widely known, it is generally hard to know how effective tools will really be in the field. Through contacts at the Royal Canadian Mounted Police (RCMP), we were able to obtain a variety of real, discarded mobile phones for testing. This provides a more accurate assessment of the tool's utility than tests on prepared devices would. It is worth noting that the tool evaluated in this paper is currently available to law enforcement, but it cannot be sold to academic institutions. The second contribution of this paper is a preliminary discussion of the legality of the process. The challenge in dealing with cloud data is that information sources must be accessed quickly, before data can be deleted. This raises important questions around the notion of search and seizure.

II. BACKGROUND

A. Data Extraction

Cellebrite's Universal Forensic Extraction Device (UFED) line of tools and applications is widely used today by the digital forensics community, including law enforcement. The UFED Touch is hardware that supports acquiring data from mobile devices. There are several different levels of extraction. The lowest-level form is a physical extraction, which creates a bit-for-bit copy of the device's memory [1]. The tool also supports file system extraction, which replicates the files and data on the device. This includes not only standard files such as images and video, but also items such as passwords and message logs. Because a file system extraction copies only allocated files, data that remains in unallocated space (for example, deleted files) is recoverable only from a physical extraction. Upon completing an acquisition using the UFED Touch, the resulting data can be opened in UFED Physical Analyzer for decoding and analysis. Physical Analyzer decodes the extracted data and can export it to a readable report format such as Word, Excel or PDF.
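To make the difference between the two extraction levels concrete, the following added example (not code from the paper or from Cellebrite, and not Cellebrite's image format) builds a constructed toy "flash image" with a two-entry directory table, marks one file as deleted, and then contrasts a file-system-level copy with a byte-for-byte physical copy. The physical copy is hashed at acquisition and re-verified before analysis, and a deleted JPEG that no longer has a directory entry is recovered from it by carving on magic bytes. The directory layout, file names and contents are all assumptions constructed for the example.

```python
"""Toy illustration of file system vs. physical extraction.

Constructed image layout (an assumption for this example, not a real
phone dump and not Cellebrite's format):
  bytes 0..63 : directory table, 2 entries of 32 bytes each
                [16-byte name][4-byte offset][4-byte length][1-byte live flag][7 pad]
  bytes 64..  : file data
A file is 'deleted' by clearing its live flag; its bytes stay in the image,
just as they do on real media until the blocks are overwritten.
"""
import hashlib
import struct

ENTRY = struct.Struct("<16sIIB7x")      # name, offset, length, live flag, padding
DIR_ENTRIES = 2
DATA_START = ENTRY.size * DIR_ENTRIES   # 64

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image magic
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker


def build_image():
    """Constructed sample image: one live text note and one deleted JPEG."""
    files = [
        (b"notes.txt", b"meeting at 9pm, bring the phone", True),
        (b"IMG_0001.jpg", JPEG_SOI + b"\xe0" + b"\x00" * 20 + JPEG_EOI, False),
    ]
    directory = bytearray()
    data = bytearray()
    for name, content, live in files:
        offset = DATA_START + len(data)
        directory += ENTRY.pack(name, offset, len(content), 1 if live else 0)
        data += content
    return bytes(directory + data)


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def file_system_extraction(image):
    """File system level: walk the directory and copy live files only."""
    out = {}
    for i in range(DIR_ENTRIES):
        name, off, length, live = ENTRY.unpack_from(image, i * ENTRY.size)
        if live:
            out[name.rstrip(b"\0").decode()] = image[off:off + length]
    return out


def physical_extraction(image):
    """Physical level: a byte-for-byte copy plus the hash that proves it."""
    copy = bytes(image)
    return copy, sha256(copy)


def verify(image, expected_hash):
    """Re-hash before analysis; any change to the copy is detected."""
    return sha256(image) == expected_hash


def carve_jpegs(image):
    """Carve by magic bytes: finds data that has no directory entry left."""
    found = []
    pos = image.find(JPEG_SOI)
    while pos != -1:
        end = image.find(JPEG_EOI, pos)
        if end == -1:
            break
        found.append(image[pos:end + len(JPEG_EOI)])
        pos = image.find(JPEG_SOI, end)
    return found


if __name__ == "__main__":
    img = build_image()
    phys, digest = physical_extraction(img)
    print("file system extraction sees:", sorted(file_system_extraction(img)))
    print("physical image verifies:", verify(phys, digest))
    print("JPEGs carved from physical image:", len(carve_jpegs(phys)))
```

The file system extraction returns only `notes.txt`; the deleted JPEG is found only by carving the physical image, and the stored hash lets the examiner show that the copy analysed is the copy acquired.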
Additionally, in cases where the UFED Touch does not itself provide native support for extracting data from a device, Physical Analyzer can import external data extractions, such as flash memory dumps, for analysis. This is useful where advanced techniques such as Joint Test Action Group (JTAG) access or physical removal of the flash memory chip from the printed circuit board (PCB), known as chip-off, are needed to acquire data from a mobile device. With this flexibility and functionality, Physical Analyzer has become an invaluable tool for forensic examiners.

B. Cloud Analyzer

In 2015, Cellebrite introduced UFED Cloud Analyzer, which takes data extraction beyond what is stored in a device's physical memory [2]. Using login credentials gleaned from a device extraction, Cloud Analyzer attempts to download private user data stored on connected cloud services. In cases where on-device encryption or limited caching of application data might once have restricted the amount of information recoverable from local storage, having the ability to download the full content of a user's cloud data