Cloud storage, like email before it, has gained wide acceptance and general adoption by consumers. Whether that is Google Drive, Amazon Drive, iCloud, Dropbox, or OneDrive, there are abundant options from which to choose from. One reason these services have become popular is the ease at which you can share and access important files on any device. That same benefit, however, can be used with malicious intent to extradite data from corporate or protected environments. In this post, we will explore the Box cloud service on Windows and discuss artifacts created as a by-product of its usage.
The Legal Review series answers questions often posed about evidence with high-level descriptions of forensic artifacts.
What programs were run on the machine? This is a common question that is relevant in most investigations. Application execution gives insight into the normal usage of a particular computer. Just as importantly, examining forensic artifacts associated with application usage can also reveal abnormal behavior. Knowing what a user did regularly or even immediately leading up to their departure from a company can be telling. Did they use a wiping utility to cover their tracks? Did they use cloud software to extract intellectual property? For our purposes, we will discuss this in the context of Windows operating systems and the prefetch and userassist artifacts.