Forensic Cloud Service Collector

Metaspike Community - I’m sure the rest of you are with me when I say that Arman and his team put together great products with FEC and Obliterator. Both tools are super user friendly and do a great job at verification and logging. I also love the token generator to avoid sharing of credentials. When you put all of that together with their support and level of customer engagement, you have a tool that everyone should have in their toolbox.

I know for me, the forensic collection of cloud data sources can be frustrating and difficult. We are constantly buying new tools to get the job done. I sure would love to see Metaspike release a tool in this space. How about the rest of you?

9 Likes

Thanks for the kind words, Scott! Forensic collection from cloud data sources is right in our wheelhouse, and we are looking forward to adding more tools to our repertoire in that area.

Considering there are a few existing products in the market, it would be very interesting and helpful to know what everyone’s pain points are in securing data from the cloud and running it through your workflow end to end. For instance, Josh Headley had a great post on the CCE listserv last Saturday on a related topic where he outlined where his current tools are falling short.

One area I’m personally feeling the need for a better solution is preservation from cloud storage services such as Drive, OneDrive, Dropbox, etc. We are looking into this carefully at the moment to see how we can bring value to the community.

Would love to receive more feedback on other cloud sources such as Slack, Instagram, LinkedIn, etc. How often do they come up? Are the exports you currently get readily usable in your DFIR and eDiscovery tools?

1 Like

Hi Arman - from my perspective, cloud storage is definitely a need. There are a couple of tools out there that do a decent job but they all seem to lack completeness for the Business versions of the products outlined above. I think it is important for the data to be downloaded into some sort of container rather than sitting loosely on a file system. In addition (since I work for an eDiscovery service provider) it's important for the data to be extracted out to a Windows file system while preserving the metadata for processing into eDiscovery tools.

More and more we are seeing Slack come into play from a collection standpoint and would love to have the ability to collect the data in a format that can play nicely with data processing or review tools. I also think anything you can do in the social media space would be helpful. That market is so volatile it is great to have several trusted tools in our forensic tool box to collect and verify work that is done.

For me, one of the biggest headaches when dealing with cloud data sources (both storage and social media) is related to authentication. Some services require 2FA to be enabled to access using third party applications. Other services require using an application password. Some tools only allow you to access the data if 2FA is turned off. And on top of all of that, we often run into the “this device is not recognized” prompts even when we think it's not going to require additional security verification. This often frustrates custodians and lawyers and that is why we love the token for FEC! We just need a version for Mac OS :smiley:. Anything you can do to make the authentication piece easier for the end user will greatly be appreciated!

2 Likes

Excellent feedback, Scott. Much appreciated!

I see your point regarding acquiring the data into a container. This is something we are looking into for FEC as well. Do you have a preference for the type of container? For example, VHD/VHDX is quite versatile and can be mounted in Windows easily, but may not play well with all eDiscovery tools. Logical evidence files such as L01 and AD1 are proprietary, and again may not be super eDiscovery friendly although they are widely used by DFIR tools. The common denominator seems to be something along the lines of a ZIP (or multipart ZIP) that is hashed after written. I know of mobile forensics tools that do this with their output.

Social media acquisition is also something we are always looking into. As you said, APIs are fairly volatile there, and social media platforms are not eager to have third-party tools tap into their system and pull user data out. The value we would like to add here is to present the data in a plug & play format rather than as a data dump that is hard to consume.

Authentication has been an increasing pain point and was one of the main reasons we decided to create FEC in the first place. Custodians’ sharing their passwords was simply not cutting it. We will bring more API-based providers that support OAuth and Remote Authentication as the technology becomes available. Hopefully, you will rarely need to use legacy authentication in the near future. Also, Remote Authenticator for Mac is in the works! :smile:
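To make the "ZIP that is hashed after written" container idea from the post above concrete, here is an added example (not Metaspike's or FEC's code) that packs constructed sample files into a ZIP with a JSON manifest of per-item SHA-256 hashes and original timestamps, hashes the finished container, and verifies both levels; the file contents, paths and timestamps are made up for the illustration.

```python
import hashlib
import io
import json
import zipfile
from datetime import datetime

# Constructed sample collection: archive path -> (content, original modified time).
# In practice these would come from the cloud provider's API or export.
SAMPLE_FILES = {
    "Drive/contract.txt": (b"Draft agreement v2", "2023-05-01T10:15:00+00:00"),
    "Drive/notes/todo.txt": (b"call counsel re: exhibit B", "2023-05-02T08:00:30+00:00"),
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_container(files: dict) -> tuple:
    """Pack files into a ZIP with a JSON manifest, then hash the finished ZIP.

    The manifest carries each item's original timestamp and SHA-256 because ZIP
    entry timestamps only have 2-second resolution and carry no time zone.
    Returns (zip_bytes, container_sha256)."""
    buf = io.BytesIO()
    manifest = {"items": []}
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, (data, modified) in sorted(files.items()):
            dt = datetime.fromisoformat(modified)
            info = zipfile.ZipInfo(path, date_time=dt.timetuple()[:6])
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
            manifest["items"].append({"path": path, "size": len(data),
                                      "sha256": sha256(data), "modified": modified})
        zf.writestr("manifest.json", json.dumps(manifest, indent=2, sort_keys=True))
    zip_bytes = buf.getvalue()  # the container is complete; hash it only now
    return zip_bytes, sha256(zip_bytes)


def verify_container(zip_bytes: bytes, expected_hash: str) -> bool:
    """Check the container hash, then re-hash every item against the manifest."""
    if sha256(zip_bytes) != expected_hash:
        return False
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        return all(sha256(zf.read(i["path"])) == i["sha256"] for i in manifest["items"])


if __name__ == "__main__":
    blob, digest = build_container(SAMPLE_FILES)
    with open("collection.zip", "wb") as f:
        f.write(blob)
    print("collection.zip", digest, verify_container(blob, digest))
```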

+1 on the request for Slack. Onna has a solid solution for that, but competition is always good.

We also get a steady number of requests for collections from Atlassian tools (primarily Confluence and Jira) and Zendesk.

1 Like

Thanks for the insight, Lars. We have been thinking about help desk providers such as Zendesk, Desk.com, Intercom, etc. These services usually contain, among other things, tickets, emails, knowledge base articles, and live chats.

These data points are often accessible through the APIs of each service provider. I can imagine legal teams would be very interested in this type of electronic evidence, especially in IP cases. One can review a product’s documentation, including its revisions—just like Drive files, many help desk providers keep revisions of articles!—and any support requests and responses associated with it.

Any other data points you would be interested in capturing from Zendesk? AFAIK, they also offer CRM and community forum functionality.

Regarding Confluence and Jira—I have approached such engagements as a combination of forensic preservation of the servers, possibly bringing up a replica environment for analysis, as well as analysis and reporting from the database. Both Confluence and Jira are very customizable.

Are you thinking of a workflow where you can capture and export some of the data points (e.g., issues in Jira) in a way that they can be ingested into mainstream legal review tools at the document level?

Spend a lot of time in cloud storage/social media. For cloud storage it is fairly easy to obtain the docs via sync or export. The problems are, like email, in the beginning with account setup/access/2FA. A single user interface with provisioning mapped out like in FEC would be a big productivity boost. There are other annoyances like Google Vault outputting Drive docs in one folder and providing XML logs that have to be parsed to match custodian with files…and the fact that Vault is an add-on license.

For social media, X1 was an excellent tool but post-Cambridge Analytica provider API restrictions have really hurt the capture ability. For some providers you can run the risk of the collection account being terminated for abuse by using the tool. For them and other tools there is also the issue of doing a forensically-sound preservation but outputting in a format that doesn’t look like the original website. It’s silly but a big issue with attorneys and others. Continuous scroll websites like Instagram are a great example. Need the images and associated metadata but they also want a good looking continuous screen cap as well. We can get it done but always looking for better mouse traps. Also some providers do a good job but price per capture which is a pain to handle. Self-help tools, even if more expensive, are always preferred.

For chat, Slack would be at the top of the list of requests.

1 Like

This was super helpful, Sean. Thanks for sharing your experience!

I agree that we can offer a productivity boost in the cloud storage area. We are making some progress there and will keep everyone posted!

As you said, striking a balance between forensic integrity and presentation can often be a challenge. I have seen tools that don’t pay enough attention to the presentation which makes the evidence hard to consume. Legal teams often seek output that resembles the presentation in the original cloud service.

For those screen captures that complement social media collections, I have found Hunchly to be an interesting tool. I feel that the pay-per-capture model used by some other software just doesn’t jibe with the way things work in the legal industry, especially for larger consulting firms and law firms.

Your vote for Slack has been duly noted! Slack is coming up often so we need to start digging into their API very soon!

How difficult would it be to do ISOs? I could see that format as widely accessible, and still a container format that could be moved around easily.

ISO is one of the options as well but the format has severe limitations on the total number of directories in a volume, max file size, naming of files, max path length, etc. which make it not very suitable to store FEC’s output.