ABSTRACT
Cloud computing technology is rapidly growing globally and many businesses are starting to adopt cloud computing to leverage the computing power and cost of operation. Therefore, cloud-based storage services are gaining popularity among organizations and people since they provide simplicity in storing and transferring data across several geographical locations at a low cost.
However, with the difficulties in retrieving artifacts of evidential and economic value from cloud providers, cloud storage has become a target for cybercriminals for exploitation. As a result, artifacts from the client's computer might offer valuable evidence on which to build a case.
This study looked into the artifacts left by Evernote, a widely known cloud storage service, on Windows 10. The study used dead and live forensics to identify Evernote artifacts on Windows 10 for several situations such as Evernote install, file upload, file delete, and uninstall. Investigating these leftovers provides digital forensics investigators with a comprehensive grasp of the traces that are likely to persist and their evidential and business value.
The Evernote installer files, link files, browser, registry, prefetch files, and network traffic were identified as possible sources of information throughout the investigation. The traces discovered in the research can help in a criminal probe involving Evernote because they offer valuable information in trying to recreate the crime scene, and establish a chronology of occurrences, as well as knowledge of how to avoid such incidents in the future.
TABLE OF CONTENTS
DECLARATION
DEDICATION
ACKNOWLEDGEMENT
ABSTRACT
CHAPTER ONE
INTRODUCTION
1.1 Background of the Research
1.2 Problem Statement
1.3 Research Aim
1.4 Research Questions
1.5 Objectives
1.6 Significance
1.7 Scope
CHAPTER TWO
LITERATURE REVIEW
2.1 Concepts of Digital Forensics
2.1.1 Digital Forensics Classification
2.2 Characteristics of Digital Evidence
2.2.1 Sources and Types of Digital Evidence
2.3 Models for Digital Forensics
2.4 Cloud Storage Forensics Analysis
2.4.1 Cloud Storage Service
2.4.2 Cloud Forensics
2.5 Windows Evernote Forensics
2.6 Gap
2.7 Conceptual Framework
CHAPTER THREE
RESEARCH METHODOLOGY
3.1 Philosophy
3.2 Research Design
3.3 Target Population and Sample Size
3.4 Collection of Data
3.4.1 Initial Preparation
3.4.2 Digital Evidence Identification Phase
3.4.3 Digital Evidence Preservation Phase
3.4.4 Digital Evidence Analysis Phase
3.4.5 Digital Evidence Reporting Phase
3.5 Analysis of the Data
3.6 Research Limitations
3.7 Research Ethics Considered
CHAPTER FOUR
RESULTS AND DISCUSSION
4.1 Image Analysis of the Control VM
4.2 Installation of Evernote
4.2.1 Artifacts Analysis of File System
4.2.2 Registry Artifacts
4.4 File Deletion on Evernote
4.5 Uninstallation of Evernote
4.5.1 Artifacts Analysis of the File System
4.5.2 Registry Artifacts
4.6 Conclusion
CHAPTER FIVE
CONCLUSION AND RECOMMENDATIONS
5.1 Recommendations: Evidential and Business Value of the Artifacts
5.2 Contributions to Research and Knowledge
5.3 Future Research
REFERENCES
LIST OF TABLES
Table 1: Types of Digital Forensics
Table 2: Evernote Folders Location
Table 3: Applications Used in the Experiment
Table 4: Dead Forensics Virtual Machines
Table 5: Live Forensics Virtual Machines
LIST OF FIGURES
Figure 1: Conceptual framework
Figure 2: Research plan (Saunders et al., 2007)
Figure 3: Artifacts with Evernote reference in Control VM
Figure 4: Network Activities While Installing Evernote
Figure 5: Domain IP Address for Evernote
Figure 6: Domain Registration Information for Evernote
Figure 7: Folders & Files - AppData\Local\Programs/Evernote
Figure 8: Files - AppData\Roaming\Evernote
Figure 9: Evernote Prefetch Files
Figure 10: Registry Directory Structure Artifacts in EvernoteInstall-VM
Figure 11: Files Uploaded in Evernote for Live Forensics
Figure 12: Evernote Prefetch Files After Uninstallation
Figure 13: Registry Artifacts in EvernoteUninstalled-VM
CHAPTER ONE
INTRODUCTION
Cloud computing is a model for providing ubiquitous, easy, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, services and applications) which can be quickly provisioned and released with minimum overhead or interaction with cloud service providers (Mell and Grance, 2011).
Cloud computing can free users from a number of responsibilities associated with computer and data storage maintenance while also lowering related expenses (Mowbray, 2009). The number of cloud-based services (some of which are free) that cater to the specific demands of users is huge and expanding quickly.
Owing to the constant demand for computing power and resources, cloud computing has grown in popularity (Simou et al., 2014), ensuring flexibility, dependability, scalability, and lower prices (Pichan, 2015). People and corporations are migrating away from existing on-premise information technology infrastructure towards the cloud in order to save money by choosing the less costly operational option for this kind of technology (Ghafarian, 2015).
People generally use the cloud to easily exchange and store files (Ahmed and Li, 2016). Crime involving cloud computing has grown and developed as a result of the rise of cloud computing platforms (Laurie Lau Y. C., 2015), which have aided crime. Although cloud technology improves productivity, it is also vulnerable to exploitation by hackers (Biggs and Vidalis, 2009). The advent of cloud computing broadens attack vectors, allowing attackers to exploit holes on such platforms. Because of the cloud's relative isolation, accessibility, and endless processing capability, attackers may carry out such attacks with ease (Pichan et al., 2015). The attack on the Sony PlayStation Network made use of Amazon's Web Service (Chung et al., 2012).
Cloud storage services are a typical use of cloud computing (Ghafarian, 2015). While cloud storage services are not new, they are becoming increasingly popular (Hu et al., 2010). Cloud storage options available in the cloud marketplace include Google Drive, Evernote, Apple iCloud, etc. (Castinglione et al., 2017). Evernote is one of the best-known services for cloud storage (Evernote Review, 2022).
Evernote allows users to save and manage notes, ideas, images, data, and documents from any device at any given time. It works with a variety of operating systems, such as macOS, Windows, iOS and Android. Evernote has two plans: Evernote premium and Evernote free. The free version has no cost, while the premium version costs $5 per month, with an option of $45 per year. Basic accounts allow users to save up to 25 MB per note or upload up to 60 MB each month. Evernote includes a function that autosaves notes as the user edits them. An uploaded note is added to the user's profile, where it can then be organized. A premium account requires a monthly or yearly fee. It bundles up to 100 MB of additional storage space per note, allowing 1 GB of uploads per month. Premium users can also invite others to edit their notes and use optical character recognition. The premium plan also makes PDF documents searchable and allows Evernote notes to be viewed and edited without an internet connection (Evernote, 2021).
Despite the advantages of cloud storage, it is still exploited by criminals (Ahmed and Li, 2016). Terrorist actions can involve cloud storage abuse. In the United States, 14 people were killed and 22 injured in a terrorist attack in San Bernardino in 2015. One of the main perpetrators of the attack had stopped iCloud backups months before the event (Cahyani et al., 2016). Cloud storage can be used by cybercriminals to store or share illegal materials, launch botnet attacks (Ahmed et al., 2016), or steal personal information (Chung et al., 2012). Additionally, steganographic techniques can be used to covertly exchange information in such attacks (Caviglione et al., 2016).
Cloud storage raises concerns about security and forensic investigation. Data stored in the cloud can be hacked, which is a security concern. A concern in forensics is the difficulty of conducting investigations in the cloud (Ghafarian, 2015). Cloud-based crime poses many obstacles, especially regarding encryption, obscurity, and geolocation (Taylor et al., 2011), all of which make forensic evidence collection and investigation difficult (Guo et al., 2012). Furthermore, jurisdictional issues and lack of international coordination exacerbate the problem (Guo et al., 2012). With the rise of online crime (Damshenas et al., 2012), it is important to use innovative investigative methods to address cloud security and, more broadly, cloud investigation (Guo et al., 2012).
1.1 Background of the Research
Evernote offers unlimited storage, several advanced text editing features, the ability to share notes and web clips with anyone the user chooses, optical character recognition for reminders and images, and advanced features for organizing and searching notes. It also offers a well-regarded web clipper, a desktop version with keyboard shortcuts to speed up work, integration with third-party applications, compatibility with many platforms, no ads, and two layers of account verification security (Karen, 2014). Windows, on the other hand, prides itself on being the world's most popular desktop operating system, with a 75% market share (Stat Counter, 2022). Growing consumer awareness of Evernote and the Windows OS has led various researchers to forensically investigate Evernote on the Windows operating system.
Chung et al. (2012) analyzed Evernote data remnants and their location on Windows XP, Vista, and 7. The investigation included artifacts on the hard drive. The authors found that Evernote is installed in %UserProfile%\AppData\Local\Evernote\Databases on Windows Vista and 7, and in %UserProfile%\LocalSettings\ApplicationData\Evernote\Databases on Windows XP.
The files [UserID].exb and [UserID].thumbnails are found in the Databases folder. [UserID].exb contains data such as the title of the note, when the note was created and modified, where the user created the note, and what operating system was used to create the note. Information about attachments, such as creation time, file name and type, can also be identified.
There are two log files in the logs folder: AppLog_[date].txt and enclipper_[date].txt. AppLog_[date].txt is created once a day when Evernote is started. This file contains credentials, account IDs, and application start and stop times. The enclipper_[date].txt file is created once a day, similar to AppLog_[date].txt. This file contains the time the application was started.
The Evernote database .exb files and the attachments located in %UserProfile%\AppData\Local\Evernote\Databases are not encrypted. If the .backup extension of an attachment is dropped, the file can be opened with any program that supports its format (Walther, 2016).
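The following is an added example, not code from the study: it inventories the Evernote files named above under a user profile exported from a mounted image and records a SHA-256 for each, so the findings can be tied to specific files. The "Logs" folder location, the record field names and the sample tree (file names, user ID, date format) are assumptions made for the illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# File-name patterns from the text; group 1 is the [UserID] or [date] part.
PATTERNS = {
    "note_database": re.compile(r"^(.+)\.exb$", re.I),
    "thumbnails": re.compile(r"^(.+)\.thumbnails$", re.I),
    "app_log": re.compile(r"^AppLog_(.+)\.txt$", re.I),
    "clipper_log": re.compile(r"^enclipper_(.+)\.txt$", re.I),
}

def sha256_of(path):  # chunked, so a large .exb is never fully in memory
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()

def inventory(profile_dir):
    """List Evernote artifacts under a user profile exported from an image."""
    root = Path(profile_dir) / "AppData" / "Local" / "Evernote"
    # Assumption: logs sit in a sibling "Logs" folder; either may be absent.
    dirs = [root / d for d in ("Databases", "Logs") if (root / d).is_dir()]
    records = []
    for path in sorted(p for d in dirs for p in d.rglob("*") if p.is_file()):
        for kind, pattern in PATTERNS.items():
            match = pattern.match(path.name)
            if match:
                records.append({"kind": kind, "tag": match.group(1),
                                "path": path.relative_to(profile_dir).as_posix(),
                                "sha256": sha256_of(path)})
    return records

def build_sample_profile(tmp):
    """Constructed sample tree (not real Evernote data) for a dry run."""
    names = ["Databases/user1.exb", "Databases/user1.thumbnails",
             "Logs/AppLog_2022-01-01.txt", "Logs/enclipper_2022-01-01.txt",
             "Logs/unrelated.tmp"]
    for rel in names:
        target = Path(tmp) / "AppData" / "Local" / "Evernote" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"constructed:" + rel.encode())
    return tmp

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*inventory(build_sample_profile(tmp)), sep="\n")
```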
1.2 Problem Statement
Cloud storage services provide consumers with storage space that they can use to store and share information. Their use is widespread due to the inclusion of various additional services such as image editing, document editing, playing music and videos, sending emails, etc. Most hosting companies offer a certain amount of free storage space, and users who need more storage space can rent more storage space (Chung et al, 2012).
Cloud-based storage may be misused by cybercriminals (Ahmed and Li, 2016), and, combined with the difficulty of obtaining artifacts of evidentiary value from vendors of cloud-based storage (Biggs and Vidalis, 2009), undertaking cloud forensic investigations may need extra time and effort (Taylor et al., 2011). Cloud forensic investigation, on the other hand, can depend on artifacts gathered from the endpoint device and the cloud provider (Guo et al., 2012). Client-side artifacts can offer potential evidence where artifacts from the cloud provider are problematic or hard to get; in that situation, the case may be built on the client-side artifacts (Taylor et al., 2011). Evernote is one of the most popular note-taking programs among cloud customers and a popular cloud storage service (Chung et al., 2012), and cloud storage is projected to grow (Cisco, 2018). Windows is the most popular desktop operating system in the world, with a 75% market share (Stat Counter, 2022). Microsoft announced the discontinuation of Windows XP in 2009, Vista in 2012, and 7 in 2020 respectively, which means that it no longer provides support, updates, and security patches for these operating systems (Microsoft, 2020). Therefore, there is a need to undertake Evernote forensics on Windows 10, which is currently in wide use across the world. As a result, instances of misuse of Evernote operating on Windows 10 are likely, and it is vital to establish how and where digital evidence may be obtained to aid forensic study of such scenarios (Zatyko and Bay, 2011).
1.3 Research Aim
This research sought to find out the data remnants of Evernote on the Windows 10 operating system. The final aim is to find out what data remnants are left behind by Evernote after it is uninstalled from the Windows 10 operating system.
1.4 Research Questions
i. What digital forensic models are employed, and how well do they fit the needs of Evernote forensics?
ii. When Evernote is installed on Windows 10, what registry and file system artifacts does it leave behind?
iii. What artifacts does Evernote leave in the Windows 10 registry and file system after uninstallation?
1.5 Objectives
i. To analyze digital forensic models and their suitability for Evernote forensics on the Windows 10 operating system.
ii. To examine any registry and file system artifacts made by Evernote when installed on the Windows operating system.
iii. To investigate Evernote artifacts left behind in the Windows 10 registry and file system after uninstallation, their evidential value to forensic investigators and their implications for business.
1.6 Significance
Finding traces of Evernote artifacts on Windows 10 gives digital forensic experts a description of the artifacts present and where they were found. The findings show links between artifact locations and the value of the evidence for digital forensics examiners exposing cybercrimes that use Evernote on the Windows 10 operating system.
1.7 Scope
This investigation was limited to Evernote forensics on the Windows 10 operating system and focused on Evernote artifacts related to application installation, use, and uninstallation. The only artifacts evaluated are those found in the registry and file system. Other Evernote artifacts, from network traffic and memory, can also be examined, but that was outside the scope of this study.
1.8 Limitations and Assumptions
This study made use of open-source tools. As a result, the level of detail in the recovered artifacts may be restricted by the tools' capabilities. However, this constraint has been partly overcome by employing various tools to obtain the findings. The tools utilized are not likely to jeopardize the integrity of the artifacts established.