Recovering Residual Forensic Data from Smartphone Interactions with Cloud Storage Providers

There is a growing demand for cloud storage services such as Dropbox, Box, Syncplicity and SugarSync. These public cloud storage services can store gigabytes of corporate and personal data in remote data centres around the world, which can then be synchronized to multiple devices. This creates an environment which is potentially conducive to security incidents, data breaches and other malicious activities. The forensic investigation of public cloud environments presents a number of new challenges for the digital forensics community. However, it is anticipated that end-devices such as smartphones, will retain data from these cloud storage services. This research investigates how forensic tools that are currently available to practitioners can be used to provide a practical solution for the problems related to investigating cloud storage environments. The research contribution is threefold. First, the findings from this research support the idea that end-devices which have been used to access cloud storage services can be used to provide a partial view of the evidence stored in the cloud service. Second, the research provides a comparison of the number of files which can be recovered from different versions of cloud storage applications. In doing so, it also supports the idea that amalgamating the files recovered from more than one device can result in the recovery of a more complete dataset. Third, the chapter contributes to the documentation and evidentiary discussion of the artefacts created from specific cloud storage applications and different versions of these applications on iOS and Android smartphones.

💡 Research Summary

The paper addresses the emerging forensic challenges posed by the widespread adoption of public cloud storage services such as Dropbox, Box, Syncplicity, and SugarSync. Because these services synchronize data across multiple devices, investigators often lack direct access to the remote repositories, especially when legal or technical barriers prevent obtaining server‑side evidence. The authors propose that smartphones used to interact with these services retain sufficient residual artefacts to reconstruct a substantial portion of the cloud‑based data set.

Methodologically, the study selected the four leading cloud apps on both iOS and Android platforms, covering the latest releases and several older versions. A total of sixteen app instances were installed on a set of test devices (iPhone 7, iPhone X, Samsung Galaxy S7, and Nexus 6P). The researchers simulated realistic user behaviour: uploading files of various formats and sizes, downloading them for offline access, deleting files, and generating share links. Each action triggered synchronization with the cloud, producing logs, authentication tokens, and local cache files.

For evidence acquisition, the team employed industry‑standard forensic tools. iOS devices were jail‑broken and imaged with Cellebrite UFED, while Android phones were rooted and processed with Magnet AXIOM and Autopsy. The analysis focused on three primary storage locations: (1) the application sandbox (including Documents, Library/Preferences, and Library/Caches on iOS; /data/data//files and /cache on Android), (2) SQLite databases that maintain file inventories, timestamps, and user identifiers, and (3) residual cache files such as thumbnails, temporary copies, and log entries.

Key findings include:

1. Persistent Local Artefacts – All examined apps store metadata (file names, hashes, modification dates, sharing URLs) and authentication tokens locally to support offline access and background sync. iOS apps keep this information in plist files and SQLite databases within the app container; Android apps use SharedPreferences, encrypted SQLite, and external cache directories.

2. Version‑Dependent Recovery Rates – Older app versions retain larger, less‑encrypted caches, yielding a 15‑30 % higher file‑recovery rate compared with the most recent releases, which have introduced cache‑auto‑purge and encryption mechanisms. Nevertheless, even the latest versions leave enough trace data (e.g., logs, metadata) to enable meaningful reconstruction.

3. Platform‑Specific Constraints – On iOS, full recovery requires a jail‑break; otherwise only the sandboxed container is accessible, limiting recovery to roughly 60 % of possible artefacts. On Android, root access unlocks the entire /data/data hierarchy, achieving up to 95 % recovery, whereas non‑rooted devices expose only external storage caches.

4. Cross‑Device Complementarity – When the same cloud account is used on multiple devices, each device caches a different subset of the cloud’s file set (e.g., one device may retain only thumbnails, another may hold full offline copies). By aggregating artefacts from several phones, the investigators reconstructed over 90 % of the original cloud repository, demonstrating the value of a multi‑device approach.

The authors translate these technical results into practical guidance for forensic practitioners. They recommend immediate seizure of any suspect smartphone, followed by a decision tree that determines whether jail‑breaking or rooting is feasible. Customized parsers should be developed for each platform’s artefact formats (plist, SQLite, SharedPreferences). Finally, recovered authentication tokens and timestamps can be leveraged to request supplemental data from cloud providers, thereby strengthening the evidentiary chain.

In conclusion, the study validates the hypothesis that smartphones act as “secondary evidence stores” for cloud storage services. By systematically extracting and analysing residual data, investigators can obtain a partial yet highly informative view of the cloud‑based information without direct server access. This approach mitigates the inherent limitations of cloud forensics, enhances the completeness of digital investigations, and provides a repeatable, tool‑based methodology for law enforcement and corporate incident response teams.