CloudMe Forensics: A Case of Big-Data Investigation

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

The increasing volume, variety and velocity of data has been an area of concern in cloud forensics. At some point, the high volume of data becomes computationally exhaustive to extract and analyse fully in a timely manner. To cut down the scope of an investigation, a digital forensic practitioner needs well-rounded knowledge of the most relevant data artefacts left by the cloud product under investigation. In this paper, we tackle the residual artefacts from the use of the CloudMe cloud storage service. We demonstrate the types and locations of the artefacts relating to installation, uninstallation, log-in, log-off, and file synchronisation activities on the desktop and mobile clients. Findings from this research pave the way towards the development of data mining methods for cloud-enabled big-data endpoint forensics investigation.


💡 Research Summary

The paper “CloudMe Forensics: A Case of Big‑Data Investigation” addresses the growing challenge of performing digital forensic investigations in cloud environments where the volume, variety, and velocity of data make full acquisition impractical. The authors focus on CloudMe, a SaaS‑based cloud storage service, and systematically identify the residual artefacts left on desktop (Windows, Ubuntu, macOS) and mobile (iOS, Android) clients as well as on the web interface after typical user actions such as installation, login, file upload/download, sharing, deletion, unsynchronisation, and uninstallation.

The study begins with a concise review of cloud‑forensics literature, highlighting the lack of research on CloudMe specifically and emphasizing the need for selective, evidence‑centric approaches rather than brute‑force imaging of entire storage volumes. The authors adopt the experimental methodology of Quick and Choo, constructing three virtual machines (Windows 8.1, Ubuntu 14.04, macOS Mavericks) and two physical mobile devices (iPhone 4 running iOS 7.1.2 and HTC One X running Android 4.4.4). All devices are prepared for root/jailbreak access to allow low‑level imaging.

A realistic dataset is generated from the Berkeley Enron email corpus (message 3111) and converted into a set of files of various formats (.rtf, .txt, .docx, .jpg, .zip, .pdf). The authors then execute a predefined series of actions that mimic everyday CloudMe usage: installing the client, logging in, synchronising files, sharing links, deleting content, and finally removing the client. After each action, snapshots are taken, and forensic images of the virtual disks (.VMDK → EnCase E01) and memory dumps (.VMEM) are collected. Mobile devices are imaged using “dd over SSH”.

Analysis tools include FTK Imager, Autopsy, HxD, Volatility, SQLite Browser, Photorec, and File Juicer. Keyword searches for “cloudme”, “xcerion”, and the Enron test file are performed across file systems, registry hives, $MFT, $LogFile, $UsnJrnl, browser caches, and SQLite databases.

Key findings:

  1. Persistent client‑side artefacts – Each OS creates a “CloudMe” folder under the user profile (%AppData%\Local\CloudMe, ~/.local/share/CloudMe, ~/Library/Application Support/CloudMe). Within this folder, a SQLite database named cache.db stores the bulk of forensic‑relevant information. The database contains four tables of interest:

    • user_table – user identifiers, email, last login timestamps, and hashed credentials.
    • syncfolder_table – metadata about each synchronized folder (local path, remote ID, creation/modification times).
    • syncfolder_folder_table – hierarchical structure of nested folders.
    • syncfolder_document_table – per‑file records (file name, size, SHA‑1 hash, timestamps, sync status).

    SQL queries against cache.db allow investigators to reconstruct the complete chronology of file uploads, downloads, deletions, and sharing events without contacting the CloudMe server.

  2. Residual files after uninstallation – Even after the client is removed, the CloudMe directory and its cache.db remain on disk, preserving a full forensic trail. The default sync folder (usually the user’s “Documents” directory) also persists unless manually purged.

  3. Volatile memory artefacts – Using Volatility, the authors extract running CloudMe processes, open network sockets, and memory‑resident strings. They locate authentication tokens, session keys, and recent file names in the process address space. The “yarascan” plugin successfully discovers the literal strings “cloudme_user” and “auth_token”, demonstrating that memory dumps alone can reveal credential material.

  4. Network evidence – Traffic analysis shows HTTPS connections to CloudMe’s CDN and API endpoints (port 443). Although encrypted, timestamps and IP addresses corroborate the timeline derived from disk artefacts.

  5. Mobile client artefacts – On iOS, a plist file in the app’s sandbox stores user preferences and a reference to the authentication token; on Android, SharedPreferences holds the same data. Both platforms also maintain a copy of cache.db in their respective data directories, mirroring the desktop structure. Thumbnail caches and temporary files further enrich the evidential picture.

The authors argue that these client‑side artefacts constitute a “small but rich” evidence set that can be harvested without full‑scale cloud acquisition, thereby mitigating the big‑data bottleneck. They propose a data‑mining‑driven forensic workflow: (1) pre‑define artefact locations, (2) perform selective imaging, (3) automate SQLite extraction and memory string carving, and (4) correlate findings across devices.
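The following is an added example (not code from the paper) showing how step (3) of the proposed workflow, automated extraction from cache.db, can reconstruct the file chronology described under finding 1. The table names are those reported in the paper; the column names, the sample rows, and the `sync_status` values are this example's assumptions, constructed so the script runs offline against an in-memory stand-in.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed schema: table names are the ones the paper reports in cache.db;
# column names are this example's assumptions, not CloudMe's real layout.
SCHEMA = """
CREATE TABLE user_table (user_id INTEGER, email TEXT, last_login INTEGER, pw_hash TEXT);
CREATE TABLE syncfolder_table (folder_id INTEGER PRIMARY KEY, local_path TEXT,
                               remote_id TEXT, created INTEGER, modified INTEGER);
CREATE TABLE syncfolder_document_table (doc_id INTEGER PRIMARY KEY, folder_id INTEGER,
    name TEXT, size INTEGER, sha1 TEXT, created INTEGER, modified INTEGER, sync_status TEXT);
"""

# Constructed sample rows (Unix epoch seconds); the SHA-1 values are placeholders.
SAMPLE_ROWS = {
    "user_table": [(1, "user@example.invalid", 1409400000, "<hash placeholder>")],
    "syncfolder_table": [(10, "/home/user/Documents", "rem-10", 1409400100, 1409401000)],
    "syncfolder_document_table": [
        (100, 10, "enron3111.docx", 2048, "a" * 40, 1409400200, 1409400200, "synced"),
        (101, 10, "enron3111.jpg", 4096, "b" * 40, 1409400300, 1409400900, "deleted"),
        (102, 10, "enron3111.pdf", 8192, "c" * 40, 1409400400, 1409400800, "synced"),
    ],
}

def open_evidence(path):
    """Open an acquired cache.db read-only so the evidence file is never modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def build_sample_db():
    """In-memory stand-in for an acquired cache.db, populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn

# One 'created' event per document, plus a 'modified' or 'deleted' event when the
# modification timestamp is later than creation; merged and sorted into one timeline.
TIMELINE_SQL = """
SELECT d.created AS ts, 'created' AS event, f.local_path || '/' || d.name AS path, d.sha1
  FROM syncfolder_document_table d JOIN syncfolder_table f ON f.folder_id = d.folder_id
UNION ALL
SELECT d.modified, CASE d.sync_status WHEN 'deleted' THEN 'deleted' ELSE 'modified' END,
       f.local_path || '/' || d.name, d.sha1
  FROM syncfolder_document_table d JOIN syncfolder_table f ON f.folder_id = d.folder_id
 WHERE d.modified > d.created
ORDER BY ts
"""

def reconstruct_timeline(conn):
    """Return [(iso_utc, event, path, sha1), ...] in chronological order."""
    def iso(t):
        return datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return [(iso(ts), ev, path, sha1) for ts, ev, path, sha1 in conn.execute(TIMELINE_SQL)]

if __name__ == "__main__":
    for row in reconstruct_timeline(build_sample_db()):
        print(*row)
```

Against a real acquisition, replace `build_sample_db()` with `open_evidence(path)` and adapt the column names once the actual schema has been inspected with `.schema` in the SQLite shell.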

Future work suggested includes extending the methodology to multi‑cloud environments, developing machine‑learning classifiers for artefact relevance, and contributing to standardisation efforts for cloud‑forensic evidence handling.

In summary, the paper delivers a practical, reproducible blueprint for investigating CloudMe usage across heterogeneous endpoints, demonstrating that even in a big‑data context, targeted artefact collection can yield a complete, admissible forensic narrative.

