Cloud Data Extraction is a method of extracting information that is stored in cloud storage services and platforms. With the development of cloud technology and the increasing amount of data stored in the cloud, this method has become an important part of digital forensics investigation software. Cloud data extraction is used to access information that is not stored directly on mobile devices or computers but can be synchronized and accessed through cloud services such as Google Drive, iCloud, OneDrive, Dropbox, and others.
Key features of cloud data extraction
Remote Data Access: Unlike physical or logical extraction, this method allows you to access information that is stored in cloud storage rather than on the device. Data in the cloud can include device backups, photos, documents, messages, contacts, and more.
Using credentials: Extracting data from the cloud requires access to the user account used for authentication in the cloud service. This can be accomplished through legal requests to the service provider (e.g., under a court order) or by using previously known credentials such as passwords or access tokens.
Accessing backup data: Many mobile devices synchronize data with cloud storage, making it possible to recover data that has been deleted from the device but continues to be stored in the cloud.
The process of retrieving data from the cloud
Account Identification: The first step involves identifying the cloud service and the account with which the device is associated. This can be Google, Apple, Microsoft, or another cloud provider. Alternative services such as social media (Facebook, Instagram) or cloud-based email services (Gmail, Yahoo, Outlook) can also be used.
Gaining access to the account: Users can provide their cloud service credentials voluntarily or by court order. However, if they cannot or are not willing to do so, there are still a few ways to retrieve them:
- Obtaining passwords and tokens: If there is access to the device, authorization tokens can be retrieved to allow access to the account.
- Formal requests: In some cases, forensic investigators can request data directly from the cloud provider through official channels, such as a court order.
Data Extraction: Once the cloud account is accessed, data is extracted using specialized software tools. This may include downloading backups, messages, documents, photos, and other information. Note that many online services nowadays use two-factor authentication. That is why, besides account credentials, the extraction process may require access to the account user’s email or devices to confirm the authentication.
Data Analysis: Extracted data is stored and then analyzed.
Types of data that can be extracted from the cloud
Device backups: Mobile devices are often automatically backed up to cloud services. For example, iPhones synchronize with iCloud and Android devices synchronize with Google Drive. These backups can include a lot of valuable information from your device, from photos and messages to contacts and app data.
Messages and chats: Many apps such as WhatsApp, Telegram, Viber, and others can back up messages to the cloud, including chats, media files, and call history.
Photos and videos: Cloud storage services such as Google Drive or iCloud automatically synchronize photos and videos created on mobile devices. Even if these files are deleted from the device, copies may remain stored in the cloud.
Documents and Files: Cloud services such as Google Drive, Dropbox, OneDrive, and iCloud Drive store documents, files, spreadsheets, and other data that can be useful in an investigation.
Contacts and calendars: Cloud services often store information about contacts, calendars, and other data synchronized from mobile devices.
Browser History and Internet Activity: Cloud services may store browsing history, bookmarks, passwords, and other data related to a user’s browser activity.
Application data: Some applications synchronize their data with cloud storage, including activity logs, cached data, and other information related to the operation of the application.
Benefits of extracting data from the cloud
Access to remote data: If the device is missing or damaged, cloud storage may still contain its backup data, which can provide insights for investigations.
Recovery of deleted data: Even if data has been deleted from a device, it can still be stored in the cloud, allowing it to be recovered.
Disadvantages of extracting data from the cloud
Requirement of credentials: To access data in the cloud, user credentials such as login and password are required. If access to the account is blocked, the data extraction process can become complicated.
Data Encryption: Many cloud services use encryption to protect data. For example, Apple iCloud uses end-to-end encryption for certain types of data, which can make it difficult to retrieve without encryption keys.
Cloud provider dependency: Data retrieval may depend on the policies and procedures of a particular cloud provider, including requirements to provide data only pursuant to court requests.
Methods for extracting data from the cloud
Using credentials: One of the most common methods is to use user authentication data, such as passwords or access tokens, which can be retrieved from the device or obtained through investigation.
API methods: Many cloud services provide APIs (application programming interfaces) that can be used to extract data through programmatic requests.
Requests from providers: In some cases, forensic investigators can request data directly from a cloud provider by providing legal grounds (e.g., a court order). Cloud providers can provide full backups of accounts, activity logs, and other data.
Software tools: There are specialized tools for forensic data analysis, such as Cellebrite UFED, Magnet AXIOM, Elcomsoft Cloud Explorer, or Belkasoft X, that can extract data from cloud services when credentials or a court request is available.
Software tools for analyzing cloud data
Belkasoft X: A tool that helps to retrieve data from cloud services and social networks, supporting a wide range of platforms and applications. The program can also be used as mobile forensic software to extract data from mobile devices.
Elcomsoft Cloud Explorer: A software product that allows you to extract data from cloud services such as Google and iCloud. It can use authentication credentials to access backups, messages, photos, and other information.
Cellebrite UFED Cloud Analyzer: A specialized tool for extracting data from cloud services and social networks. It supports multiple platforms including Google, iCloud, Facebook, Instagram and more.
AXIOM Cloud Magnet: AXIOM Cloud Magnet allows you to extract data from multiple cloud services and applications such as Google, iCloud, Facebook, Dropbox and others.
Applying cloud data extraction in practice
Forensic Investigations: Data from cloud services can be used to recover deleted messages, photos and documents that are key to forensic investigations.
Criminal activity analysis: Cloud services can store data on user interactions with various online services and applications, which can be used to trace the user’s online activities.