Forensicating Endpoint Artifacts in the World of Cloud Storage Services
2021-08-06, 13:30–14:00, Main Track

In this presentation, I will discuss the key forensic artifacts that can be used whenever DFIR professionals encounter cloud storage services into the host such as OneDrive, GoogleDrive, Box and Dropbox. These are all essentials especially when the attacker or insider threat leverage these services to exfiltrate data. I will also show how to perform data acquisition to get these artifacts in forensically sound manner.


Today we are embracing the benefits and advantages of having cloud storage in most environments especially now when everyone is working work from home and data transmits from one place to another by the use of cloud storage services such as one drive, box, dropbox & google drive. There are a couple of artifacts on the endpoint side that gives us the ability to see the bigger picture when these cloud services are being used to perform data exfiltration and any malicious actions. In short, cloud storage data can be more accessible on the local device and can contain files and metadata distinctly different than the current cloud repository. I'm going to show how to perform data acquisition on these cloud storage applications installed in endpoint and what are those metadata and evidence that we can extract from the forensics standpoint.

Renzon Cruz, a Filipino security professional living in Dubai who works as Digital Forensics & Incident Response in a company based in UK. He previously worked as Sr. Security Consultant as part of a National Cyber Security Agency in Qatar. He was also accepted to various international conferences as a speaker such as BSides Vancouver (2019), BSides London (2019), BSides Doha (2020), and ROOTCON Hacking Conference (2020). He is also co-founder and instructor of GuideM, a real-world cybersecurity training center based in the Philippines. He's mainly interested in defensive strategy, threat hunting, DFIR, malware analysis, & adversary simulation.