npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
NIST CSF 2.0
MITRE ATLAS
Overview
Cloud storage forensic acquisition involves collecting digital evidence from services like Google Drive, OneDrive, Dropbox, and Box through both API-based remote acquisition and local endpoint artifact analysis. Modern investigations must address the challenge that cloud-synced files may exist in multiple states: locally synchronized, cloud-only (on-demand), cached, and deleted. Endpoint devices that have synchronized with cloud storage contain a wealth of metadata about locally synced files, files present only in the cloud, and even deleted items recoverable from cache folders. API-based acquisition using service-specific APIs provides direct access to remote data with valid credentials and proper legal authorization.
When to Use
- When conducting security assessments that involve performing cloud storage forensic acquisition
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
Prerequisites
- Legal authorization (warrant, consent, or corporate policy) for cloud data access
- Valid user credentials or administrative access tokens
- Magnet AXIOM Cloud, Cellebrite Cloud Analyzer, or equivalent tool
- KAPE with cloud storage target files
- Python 3.8+ with google-api-python-client, msal, dropbox SDK
- Network connectivity for API-based acquisition
Acquisition Methods
Method 1: API-Based Remote Acquisition
Google Drive API Acquisition
from google.oauth2.credentials import Credentials
from googleapiclient.discovery import build
from googleapiclient.http import MediaIoBaseDownload
import io
import os
import json
from datetime import datetime
class GoogleDriveForensicAcquisition:
"""Forensically acquire files and metadata from Google Drive via API."""
def __init__(self, credentials_path: str, output_dir: str):
self.creds = Credentials.from_authorized_user_file(credentials_path)
self.service = build("drive", "v3", credentials=self.creds)
self.output_dir = output_dir
os.makedirs(output_dir, exist_ok=True)
self.acquisition_log = []
def list_all_files(self, include_trashed: bool = True) -> list:
"""List all files including trashed items."""
files = []
page_token = None
query = "" if include_trashed else "trashed = false"
while True:
results = self.service.files().list(
q=query,
pageSize=1000,
fields="nextPageToken, files(id, name, mimeType, size, "
"createdTime, modifiedTime, trashed, trashedTime, "
"owners, sharingUser, permissions, md5Checksum, "
"parents, webViewLink, driveId)",
pageToken=page_token
).execute()
files.extend(results.get("files", []))
page_token = results.get("nextPageToken")
if not page_token:
break
return files
def download_file(self, file_id: str, file_name: str, mime_type: str) -> str:
"""Download a file from Google Drive preserving forensic integrity."""
output_path = os.path.join(self.output_dir, file_name)
if mime_type.startswith("application/vnd.google-apps"):
export_formats = {
"application/vnd.google-apps.document": "application/pdf",
"application/vnd.google-apps.spreadsheet": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
"application/vnd.google-apps.presentation": "application/pdf",
}
export_mime = export_formats.get(mime_type, "application/pdf")
request = self.service.files().export_media(fileId=file_id, mimeType=export_mime)
else:
request = self.service.files().get_media(fileId=file_id)
with io.FileIO(output_path, "wb") as fh:
downloader = MediaIoBaseDownload(fh, request)
done = False
while not done:
_, done = downloader.next_chunk()
self.acquisition_log.append({
"timestamp": datetime.utcnow().isoformat(),
"file_id": file_id,
"file_name": file_name,
"output_path": output_path,
"action": "downloaded"
})
return output_path
def get_activity_log(self, file_id: str) -> list:
"""Retrieve activity/revision history for a specific file."""
revisions = self.service.revisions().list(
fileId=file_id,
fields="revisions(id, modifiedTime, lastModifyingUser, size, md5Checksum)"
).execute()
return revisions.get("revisions", [])
def export_acquisition_report(self) -> str:
"""Export acquisition log for chain of custody documentation."""
report_path = os.path.join(self.output_dir, "acquisition_log.json")
with open(report_path, "w") as f:
json.dump({
"acquisition_start": self.acquisition_log[0]["timestamp"] if self.acquisition_log else None,
"acquisition_end": datetime.utcnow().isoformat(),
"total_files": len(self.acquisition_log),
"entries": self.acquisition_log
}, f, indent=2)
return report_pathOneDrive / Microsoft 365 API Acquisition
import msal
import requests
import os
import json
from datetime import datetime
class OneDriveForensicAcquisition:
"""Forensically acquire files and metadata from OneDrive via Microsoft Graph API."""
def __init__(self, client_id: str, tenant_id: str, client_secret: str, output_dir: str):
self.output_dir = output_dir
os.makedirs(output_dir, exist_ok=True)
authority = f"https://login.microsoftonline.com/{tenant_id}"
self.app = msal.ConfidentialClientApplication(
client_id, authority=authority, client_credential=client_secret
)
token_result = self.app.acquire_token_for_client(
scopes=["https://graph.microsoft.com/.default"]
)
self.access_token = token_result.get("access_token")
self.headers = {"Authorization": f"Bearer {self.access_token}"}
self.base_url = "https://graph.microsoft.com/v1.0"
def list_user_files(self, user_id: str) -> list:
"""List all files in user's OneDrive."""
url = f"{self.base_url}/users/{user_id}/drive/root/children"
files = []
while url:
response = requests.get(url, headers=self.headers)
data = response.json()
files.extend(data.get("value", []))
url = data.get("@odata.nextLink")
return files
def download_file(self, user_id: str, item_id: str, filename: str) -> str:
"""Download a file from OneDrive."""
url = f"{self.base_url}/users/{user_id}/drive/items/{item_id}/content"
response = requests.get(url, headers=self.headers, stream=True)
output_path = os.path.join(self.output_dir, filename)
with open(output_path, "wb") as f:
for chunk in response.iter_content(chunk_size=8192):
f.write(chunk)
return output_path
def get_deleted_items(self, user_id: str) -> list:
"""Retrieve items from OneDrive recycle bin."""
url = f"{self.base_url}/users/{user_id}/drive/special/recyclebin/children"
response = requests.get(url, headers=self.headers)
return response.json().get("value", [])Method 2: Local Endpoint Artifact Collection
KAPE Targets for Cloud Storage
# Collect all cloud storage artifacts using KAPE
kape.exe --tsource C: --tdest C:\Output\CloudArtifacts --target GoogleDrive,OneDrive,Dropbox,Box
# OneDrive artifacts
# %USERPROFILE%\AppData\Local\Microsoft\OneDrive\logs\
# %USERPROFILE%\AppData\Local\Microsoft\OneDrive\settings\
# %USERPROFILE%\OneDrive\
# Google Drive artifacts
# %USERPROFILE%\AppData\Local\Google\DriveFS\
# Contains metadata SQLite databases and cached files
# Dropbox artifacts
# %USERPROFILE%\AppData\Local\Dropbox\
# %USERPROFILE%\Dropbox\.dropbox.cache\
# Contains filecache.dbx (encrypted SQLite), host.dbx, config.dbxOneDrive Local Database Analysis
import sqlite3
import os
def analyze_onedrive_sync_engine(db_path: str) -> list:
"""Analyze OneDrive SyncEngineDatabase for file metadata."""
conn = sqlite3.connect(db_path)
cursor = conn.cursor()
# Query for all tracked files including cloud-only items
cursor.execute("""
SELECT fileName, fileSize, lastChange,
resourceID, parentResourceID, eTag
FROM od_ClientFile_Records
ORDER BY lastChange DESC
""")
files = []
for row in cursor.fetchall():
files.append({
"filename": row[0],
"size": row[1],
"last_change": row[2],
"resource_id": row[3],
"parent_id": row[4],
"etag": row[5]
})
conn.close()
return filesCloud Storage Artifacts Summary
| Service | Local Database | Cache Location | Log Files |
|---|---|---|---|
| OneDrive | SyncEngineDatabase.db | %LOCALAPPDATA%\Microsoft\OneDrive\cache\ | %LOCALAPPDATA%\Microsoft\OneDrive\logs\ |
| Google Drive | metadata_sqlite_db | %LOCALAPPDATA%\Google\DriveFS{account}\content_cache\ | %LOCALAPPDATA%\Google\DriveFS\Logs\ |
| Dropbox | filecache.dbx (encrypted) | %APPDATA%\Dropbox.dropbox.cache\ | %APPDATA%\Dropbox\logs\ |
| Box | sync_db | %LOCALAPPDATA%\Box\Box\cache\ | %LOCALAPPDATA%\Box\Box\logs\ |
References
- SANS Cloud Storage Acquisition: https://www.sans.org/blog/cloud-storage-acquisition-from-endpoint-devices
- Magnet AXIOM Cloud: https://www.magnetforensics.com/blog/how-to-acquire-and-analyze-cloud-data-with-magnet-axiom/
- AWS Cloud Forensics Framework: https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/cyber-forensics.html
- API-Based Forensic Acquisition of Cloud Drives: https://arxiv.org/abs/1603.06542
Example Output
$ python3 cloud_forensic_acquire.py --provider google-drive --auth /tokens/gdrive_token.json \
--user jsmith@corporate.com --output /acquisition/gdrive
Cloud Storage Forensic Acquisition Tool v3.2
==============================================
Provider: Google Drive
Account: jsmith@corporate.com
Start Time: 2024-01-19 08:00:15 UTC
Auth Method: Admin SDK (domain-wide delegation)
[+] Enumerating files...
Total files: 2,345
Total folders: 178
Shared with me: 456
Trashed items: 89 (included in acquisition)
Total size: 14.7 GB
[+] Acquiring file contents...
Downloaded: 2,345 / 2,345 [████████████████████████████████] 100%
Errors: 0
Elapsed: 18m 32s
[+] Acquiring metadata...
File metadata: 2,345 entries
Revision history: 8,912 revisions across 1,234 files
Sharing permissions: 3,456 permission entries
Activity log: 12,345 events
[+] Acquiring trashed items...
Recovered: 89 / 89 items (234 MB)
--- Acquisition Log ---
Timestamp (UTC) | Action | File | Size | SHA-256
2024-01-19 08:00:45 | Downloaded | /My Drive/Finance/Q4_Report.xlsm | 245 KB | 7a3b8c9d...
2024-01-19 08:00:46 | Downloaded | /My Drive/Finance/Budget_2024.xlsx | 1.2 MB | 8b4c9d0e...
...
2024-01-19 08:02:12 | Trash-Recovered | /Trash/employee_list_full.csv | 4.5 MB | 9c5d0e1f...
2024-01-19 08:02:13 | Trash-Recovered | /Trash/network_diagram_v3.vsdx | 2.1 MB | 0d6e1f2a...
2024-01-19 08:02:14 | Trash-Recovered | /Trash/credentials_backup.kdbx | 128 KB | 1e7f2a3b...
--- Sharing Analysis ---
Files Shared Externally:
/My Drive/Finance/Q4_Report.xlsm → j.smith.personal8842@protonmail.com (2024-01-16 03:10 UTC)
/My Drive/HR/employee_list_full.csv → j.smith.personal8842@protonmail.com (2024-01-16 03:12 UTC)
/My Drive/IT/network_diagram_v3.vsdx → anonymous (link sharing, 2024-01-16 03:15 UTC)
--- Revision History (Suspicious) ---
File: /My Drive/Finance/Q4_Report.xlsm
Rev 1: 2024-01-10 09:00:00 UTC (245 KB) - Original
Rev 2: 2024-01-15 14:35:00 UTC (248 KB) - Modified (macro added)
Rev 3: 2024-01-16 03:05:00 UTC (245 KB) - Reverted (macro removed - anti-forensics)
Acquisition Summary:
Files acquired: 2,345 (14.7 GB)
Trashed items: 89 (234 MB)
Revisions: 8,912
Chain of custody hash (full archive):
SHA-256: a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
Output directory: /acquisition/gdrive/
Acquisition log: /acquisition/gdrive/acquisition_log.csv
Completion Time: 2024-01-19 08:18:47 UTCReferences and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md6.0 KB
API Reference: Cloud Storage Forensic Acquisition
Libraries Used
| Library | Purpose |
|---|---|
boto3 |
AWS S3 object listing, download, and versioning |
json |
Parse object metadata and access logs |
hashlib |
Generate SHA-256 hashes for evidence integrity |
datetime |
Filter objects by time range for incident scope |
Installation
pip install boto3Authentication
import boto3
import os
session = boto3.Session(
aws_access_key_id=os.environ.get("AWS_ACCESS_KEY_ID"),
aws_secret_access_key=os.environ.get("AWS_SECRET_ACCESS_KEY"),
region_name=os.environ.get("AWS_REGION", "us-east-1"),
)
s3 = session.client("s3")AWS S3 Forensic Operations
List All Object Versions (Including Deleted)
def list_all_versions(bucket, prefix=""):
"""List all object versions including delete markers for forensic timeline."""
paginator = s3.get_paginator("list_object_versions")
versions = []
for page in paginator.paginate(Bucket=bucket, Prefix=prefix):
for v in page.get("Versions", []):
versions.append({
"key": v["Key"],
"version_id": v["VersionId"],
"last_modified": v["LastModified"].isoformat(),
"size": v["Size"],
"is_latest": v["IsLatest"],
"etag": v["ETag"],
})
for dm in page.get("DeleteMarkers", []):
versions.append({
"key": dm["Key"],
"version_id": dm["VersionId"],
"last_modified": dm["LastModified"].isoformat(),
"is_delete_marker": True,
"is_latest": dm["IsLatest"],
})
return sorted(versions, key=lambda v: v["last_modified"])Download Object with Integrity Verification
import hashlib
def forensic_download(bucket, key, output_path, version_id=None):
"""Download an S3 object and compute SHA-256 hash for chain of custody."""
params = {"Bucket": bucket, "Key": key}
if version_id:
params["VersionId"] = version_id
resp = s3.get_object(**params)
sha256 = hashlib.sha256()
with open(output_path, "wb") as f:
for chunk in resp["Body"].iter_chunks(chunk_size=8192):
f.write(chunk)
sha256.update(chunk)
return {
"key": key,
"version_id": version_id,
"output_path": output_path,
"sha256": sha256.hexdigest(),
"content_type": resp.get("ContentType"),
"last_modified": resp["LastModified"].isoformat(),
"metadata": resp.get("Metadata", {}),
}Recover Deleted Objects
def recover_deleted_objects(bucket, prefix=""):
"""Find and restore objects with delete markers."""
recovered = []
paginator = s3.get_paginator("list_object_versions")
for page in paginator.paginate(Bucket=bucket, Prefix=prefix):
for dm in page.get("DeleteMarkers", []):
if dm["IsLatest"]:
# Remove delete marker to restore the object
s3.delete_object(
Bucket=bucket,
Key=dm["Key"],
VersionId=dm["VersionId"],
)
recovered.append({
"key": dm["Key"],
"delete_marker_removed": dm["VersionId"],
})
return recoveredGet S3 Access Logs for Incident Timeline
def get_access_logs(log_bucket, prefix, start_time, end_time):
"""Parse S3 access logs to build forensic timeline."""
paginator = s3.get_paginator("list_objects_v2")
log_entries = []
for page in paginator.paginate(Bucket=log_bucket, Prefix=prefix):
for obj in page.get("Contents", []):
if start_time <= obj["LastModified"].isoformat() <= end_time:
resp = s3.get_object(Bucket=log_bucket, Key=obj["Key"])
content = resp["Body"].read().decode("utf-8")
for line in content.strip().split("\n"):
log_entries.append(line)
return log_entriesAcquire Bucket Metadata
def acquire_bucket_metadata(bucket):
"""Collect all bucket configuration for forensic evidence."""
metadata = {"bucket": bucket}
metadata["versioning"] = s3.get_bucket_versioning(Bucket=bucket)
metadata["encryption"] = s3.get_bucket_encryption(Bucket=bucket).get(
"ServerSideEncryptionConfiguration", {}
)
try:
metadata["logging"] = s3.get_bucket_logging(Bucket=bucket).get("LoggingEnabled", {})
except Exception:
metadata["logging"] = None
try:
metadata["lifecycle"] = s3.get_bucket_lifecycle_configuration(Bucket=bucket).get("Rules", [])
except Exception:
metadata["lifecycle"] = []
try:
metadata["policy"] = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
except Exception:
metadata["policy"] = None
return metadataEvidence Chain of Custody
import json
from datetime import datetime, timezone
def create_chain_of_custody(evidence_items):
"""Generate a chain-of-custody record for acquired evidence."""
record = {
"acquisition_time": datetime.now(timezone.utc).isoformat(),
"examiner": os.environ.get("EXAMINER_NAME", "automated"),
"case_id": os.environ.get("CASE_ID", "unknown"),
"items": [],
}
for item in evidence_items:
record["items"].append({
"source": f"s3://{item['bucket']}/{item['key']}",
"local_path": item["output_path"],
"sha256": item["sha256"],
"acquired_at": datetime.now(timezone.utc).isoformat(),
})
return recordOutput Format
{
"bucket": "incident-bucket",
"acquisition_time": "2025-01-15T10:30:00Z",
"total_objects": 1542,
"total_versions": 3891,
"deleted_objects_recovered": 23,
"evidence_items": [
{
"key": "sensitive/data.csv",
"version_id": "abc123",
"sha256": "a1b2c3d4e5f6...",
"last_modified": "2025-01-14T08:00:00Z"
}
]
}standards.md0.8 KB
Standards - Cloud Storage Forensic Acquisition
Standards
- NIST SP 800-86: Guide to Integrating Forensic Techniques
- ISO/IEC 27037: Digital Evidence Collection
- NIST Cloud Computing Forensic Science Challenges (NISTIR 8006)
- CSA Cloud Forensics Capability Implementation Guide
Tools
- Magnet AXIOM Cloud: Commercial multi-cloud acquisition
- Cellebrite Cloud Analyzer: SaaS evidence collection
- kumodd: Open-source proof-of-concept cloud acquisition tool
- KAPE: Endpoint-based cloud artifact collection
API References
- Google Drive API v3: https://developers.google.com/drive/api/v3/reference
- Microsoft Graph API: https://docs.microsoft.com/en-us/graph/api/resources/onedrive
- Dropbox API v2: https://www.dropbox.com/developers/documentation/http/documentation
workflows.md0.8 KB
Workflows - Cloud Storage Forensic Acquisition
Workflow 1: API-Based Remote Acquisition
Obtain legal authorization and credentials
|
Authenticate via service API (OAuth2 / app credentials)
|
Enumerate all files including shared and trashed items
|
Download file contents preserving metadata
|
Collect revision history and activity logs
|
Hash all acquired files (SHA-256)
|
Generate acquisition log with timestampsWorkflow 2: Endpoint Artifact Collection
Identify cloud sync client installations
|
Collect local sync databases (KAPE cloud targets)
|
Parse sync engine databases (OneDrive, GDrive, Dropbox)
|
Identify cloud-only files from metadata
|
Recover cached and deleted files from local storage
|
Correlate local artifacts with API-acquired dataScripts 2
agent.py10.5 KB
#!/usr/bin/env python3
"""Cloud storage forensic acquisition agent.
Acquires forensic copies of cloud storage objects from AWS S3, Azure Blob
Storage, and GCP Cloud Storage with integrity verification using SHA-256
hashes, metadata preservation, and chain-of-custody logging.
"""
import argparse
import hashlib
import json
import os
import sys
from datetime import datetime, timezone
try:
import boto3
from botocore.exceptions import ClientError
HAS_BOTO3 = True
except ImportError:
HAS_BOTO3 = False
def acquire_s3_objects(bucket, prefix="", output_dir=".", profile=None, region=None):
"""Acquire S3 objects with forensic integrity verification."""
if not HAS_BOTO3:
print("[!] boto3 required: pip install boto3", file=sys.stderr)
sys.exit(1)
kwargs = {}
if profile:
kwargs["profile_name"] = profile
if region:
kwargs["region_name"] = region
session = boto3.Session(**kwargs)
s3 = session.client("s3")
print(f"[*] Acquiring objects from s3://{bucket}/{prefix}")
evidence_log = []
# List objects
paginator = s3.get_paginator("list_objects_v2")
pages = paginator.paginate(Bucket=bucket, Prefix=prefix)
total_objects = 0
total_bytes = 0
for page in pages:
for obj in page.get("Contents", []):
key = obj["Key"]
size = obj["Size"]
if key.endswith("/"):
continue
total_objects += 1
local_path = os.path.join(output_dir, key.replace("/", os.sep))
os.makedirs(os.path.dirname(local_path), exist_ok=True)
# Get object metadata
try:
head = s3.head_object(Bucket=bucket, Key=key)
metadata = {
"content_type": head.get("ContentType", ""),
"last_modified": head.get("LastModified", "").isoformat()
if hasattr(head.get("LastModified", ""), "isoformat")
else str(head.get("LastModified", "")),
"etag": head.get("ETag", "").strip('"'),
"version_id": head.get("VersionId", ""),
"server_side_encryption": head.get("ServerSideEncryption", ""),
"storage_class": head.get("StorageClass", "STANDARD"),
"user_metadata": head.get("Metadata", {}),
}
except ClientError as e:
metadata = {"error": str(e)}
# Download with hash computation
sha256 = hashlib.sha256()
try:
s3.download_file(bucket, key, local_path)
with open(local_path, "rb") as f:
while True:
chunk = f.read(8192)
if not chunk:
break
sha256.update(chunk)
file_hash = sha256.hexdigest()
total_bytes += size
entry = {
"source": f"s3://{bucket}/{key}",
"local_path": local_path,
"size": size,
"sha256": file_hash,
"metadata": metadata,
"acquired_at": datetime.now(timezone.utc).isoformat(),
"status": "OK",
}
print(f" [{total_objects:4d}] {key} ({size} bytes, SHA256: {file_hash[:16]}...)")
except ClientError as e:
entry = {
"source": f"s3://{bucket}/{key}",
"status": "FAIL",
"error": str(e),
"acquired_at": datetime.now(timezone.utc).isoformat(),
}
print(f" [FAIL] {key}: {e}")
evidence_log.append(entry)
print(f"[+] Acquired {total_objects} objects ({total_bytes / 1024 / 1024:.2f} MB)")
return evidence_log
def acquire_s3_versions(bucket, key, output_dir=".", profile=None, region=None):
"""Acquire all versions of a specific S3 object."""
if not HAS_BOTO3:
print("[!] boto3 required", file=sys.stderr)
sys.exit(1)
kwargs = {}
if profile:
kwargs["profile_name"] = profile
if region:
kwargs["region_name"] = region
session = boto3.Session(**kwargs)
s3 = session.client("s3")
print(f"[*] Acquiring all versions of s3://{bucket}/{key}")
evidence_log = []
try:
versions = s3.list_object_versions(Bucket=bucket, Prefix=key)
except ClientError as e:
print(f"[!] Error listing versions: {e}", file=sys.stderr)
return evidence_log
for version in versions.get("Versions", []):
vid = version.get("VersionId", "null")
size = version.get("Size", 0)
is_latest = version.get("IsLatest", False)
safe_vid = vid.replace("/", "_")[:20]
base_name = os.path.basename(key)
local_path = os.path.join(output_dir, f"{base_name}.v_{safe_vid}")
try:
s3.download_file(bucket, key, local_path,
ExtraArgs={"VersionId": vid} if vid != "null" else {})
sha256 = hashlib.sha256()
with open(local_path, "rb") as f:
while True:
chunk = f.read(8192)
if not chunk:
break
sha256.update(chunk)
entry = {
"source": f"s3://{bucket}/{key}?versionId={vid}",
"version_id": vid,
"is_latest": is_latest,
"local_path": local_path,
"size": size,
"sha256": sha256.hexdigest(),
"last_modified": str(version.get("LastModified", "")),
"acquired_at": datetime.now(timezone.utc).isoformat(),
"status": "OK",
}
print(f" Version {vid[:12]:12s} | {size:10d} bytes | "
f"{'LATEST' if is_latest else ' '} | SHA256: {sha256.hexdigest()[:16]}...")
except ClientError as e:
entry = {"source": f"s3://{bucket}/{key}", "version_id": vid,
"status": "FAIL", "error": str(e)}
evidence_log.append(entry)
# Also acquire delete markers
for marker in versions.get("DeleteMarkers", []):
evidence_log.append({
"source": f"s3://{bucket}/{key}",
"version_id": marker.get("VersionId", ""),
"type": "DELETE_MARKER",
"last_modified": str(marker.get("LastModified", "")),
"is_latest": marker.get("IsLatest", False),
})
return evidence_log
def verify_integrity(evidence_log):
"""Verify SHA-256 hashes of acquired files."""
print(f"\n[*] Verifying integrity of {len(evidence_log)} acquired objects...")
verified = 0
failed = 0
for entry in evidence_log:
if entry.get("status") != "OK" or not entry.get("local_path"):
continue
local_path = entry["local_path"]
expected_hash = entry.get("sha256", "")
if not os.path.isfile(local_path):
entry["integrity"] = "MISSING"
failed += 1
continue
sha256 = hashlib.sha256()
with open(local_path, "rb") as f:
while True:
chunk = f.read(8192)
if not chunk:
break
sha256.update(chunk)
if sha256.hexdigest() == expected_hash:
entry["integrity"] = "VERIFIED"
verified += 1
else:
entry["integrity"] = "MISMATCH"
failed += 1
print(f" [FAIL] {local_path}: hash mismatch")
print(f"[+] Integrity check: {verified} verified, {failed} failed")
return verified, failed
def format_summary(evidence_log, verified, failed):
"""Print acquisition summary."""
print(f"\n{'='*60}")
print(f" Cloud Storage Forensic Acquisition Report")
print(f"{'='*60}")
ok = sum(1 for e in evidence_log if e.get("status") == "OK")
err = sum(1 for e in evidence_log if e.get("status") == "FAIL")
total_bytes = sum(e.get("size", 0) for e in evidence_log if e.get("status") == "OK")
print(f" Objects Acquired : {ok}")
print(f" Objects Failed : {err}")
print(f" Total Size : {total_bytes / 1024 / 1024:.2f} MB")
print(f" Integrity OK : {verified}")
print(f" Integrity FAIL : {failed}")
def main():
parser = argparse.ArgumentParser(
description="Cloud storage forensic acquisition agent"
)
sub = parser.add_subparsers(dest="command")
p_s3 = sub.add_parser("s3", help="Acquire S3 bucket objects")
p_s3.add_argument("--bucket", required=True, help="S3 bucket name")
p_s3.add_argument("--prefix", default="", help="Object key prefix filter")
p_s3.add_argument("--output-dir", default="./evidence", help="Local output directory")
p_ver = sub.add_parser("s3-versions", help="Acquire all versions of S3 object")
p_ver.add_argument("--bucket", required=True)
p_ver.add_argument("--key", required=True, help="S3 object key")
p_ver.add_argument("--output-dir", default="./evidence")
parser.add_argument("--profile", help="AWS CLI profile")
parser.add_argument("--region", help="AWS region")
parser.add_argument("--skip-verify", action="store_true", help="Skip integrity verification")
parser.add_argument("--output", "-o", help="Output JSON report path")
parser.add_argument("--verbose", "-v", action="store_true")
args = parser.parse_args()
if not args.command:
parser.print_help()
sys.exit(1)
os.makedirs(getattr(args, "output_dir", "./evidence"), exist_ok=True)
if args.command == "s3":
evidence_log = acquire_s3_objects(
args.bucket, args.prefix, args.output_dir, args.profile, args.region
)
elif args.command == "s3-versions":
evidence_log = acquire_s3_versions(
args.bucket, args.key, args.output_dir, args.profile, args.region
)
verified, failed = 0, 0
if not args.skip_verify:
verified, failed = verify_integrity(evidence_log)
format_summary(evidence_log, verified, failed)
report = {
"timestamp": datetime.now(timezone.utc).isoformat(),
"tool": "Cloud Forensic Acquisition",
"command": args.command,
"evidence_log": evidence_log,
"integrity": {"verified": verified, "failed": failed},
}
if args.output:
with open(args.output, "w") as f:
json.dump(report, f, indent=2)
print(f"\n[+] Report saved to {args.output}")
elif args.verbose:
print(json.dumps(report, indent=2))
if __name__ == "__main__":
main()
process.py4.8 KB
#!/usr/bin/env python3
"""
Cloud Storage Forensic Acquisition Processor
Collects and analyzes local cloud storage sync client artifacts
from endpoint devices for OneDrive, Google Drive, and Dropbox.
"""
import sqlite3
import os
import sys
import json
import hashlib
from datetime import datetime
from pathlib import Path
class CloudStorageArtifactCollector:
"""Collect and analyze local cloud storage sync artifacts."""
def __init__(self, evidence_root: str, output_dir: str):
self.evidence_root = Path(evidence_root)
self.output_dir = Path(output_dir)
self.output_dir.mkdir(parents=True, exist_ok=True)
self.findings = {}
def find_onedrive_artifacts(self) -> dict:
"""Locate and parse OneDrive sync artifacts."""
onedrive_paths = [
"AppData/Local/Microsoft/OneDrive/settings",
"AppData/Local/Microsoft/OneDrive/logs",
]
artifacts = {"databases": [], "logs": [], "config_files": []}
for user_dir in self.evidence_root.glob("Users/*"):
for rel_path in onedrive_paths:
full_path = user_dir / rel_path
if full_path.exists():
for f in full_path.rglob("*"):
if f.is_file():
category = "databases" if f.suffix in (".db", ".dat") else "logs"
artifacts[category].append(str(f))
# Try to parse SyncEngineDatabase
for db_path in artifacts["databases"]:
if "SyncEngineDatabase" in db_path:
try:
conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
cursor = conn.cursor()
cursor.execute("SELECT name FROM sqlite_master WHERE type='table'")
artifacts["sync_tables"] = [r[0] for r in cursor.fetchall()]
conn.close()
except Exception as e:
artifacts["sync_error"] = str(e)
return artifacts
def find_google_drive_artifacts(self) -> dict:
"""Locate and parse Google Drive FS artifacts."""
artifacts = {"databases": [], "cache_files": [], "logs": []}
for user_dir in self.evidence_root.glob("Users/*"):
gdrive_path = user_dir / "AppData/Local/Google/DriveFS"
if gdrive_path.exists():
for f in gdrive_path.rglob("*"):
if f.is_file():
if "metadata_sqlite_db" in f.name:
artifacts["databases"].append(str(f))
elif "content_cache" in str(f):
artifacts["cache_files"].append(str(f))
elif f.suffix == ".log":
artifacts["logs"].append(str(f))
return artifacts
def find_dropbox_artifacts(self) -> dict:
"""Locate and parse Dropbox artifacts."""
artifacts = {"databases": [], "cache_files": [], "config": []}
for user_dir in self.evidence_root.glob("Users/*"):
dropbox_path = user_dir / "AppData/Local/Dropbox"
if dropbox_path.exists():
for f in dropbox_path.rglob("*"):
if f.is_file():
if f.suffix in (".dbx", ".db"):
artifacts["databases"].append(str(f))
elif "cache" in str(f).lower():
artifacts["cache_files"].append(str(f))
dropbox_cache = user_dir / "Dropbox/.dropbox.cache"
if dropbox_cache.exists():
for f in dropbox_cache.rglob("*"):
if f.is_file():
artifacts["cache_files"].append(str(f))
return artifacts
def generate_report(self) -> str:
"""Generate comprehensive cloud storage artifact report."""
self.findings = {
"analysis_timestamp": datetime.now().isoformat(),
"evidence_root": str(self.evidence_root),
"onedrive": self.find_onedrive_artifacts(),
"google_drive": self.find_google_drive_artifacts(),
"dropbox": self.find_dropbox_artifacts(),
}
report_path = self.output_dir / "cloud_storage_artifacts.json"
with open(report_path, "w") as f:
json.dump(self.findings, f, indent=2)
for service in ["onedrive", "google_drive", "dropbox"]:
data = self.findings[service]
db_count = len(data.get("databases", []))
print(f"[*] {service}: {db_count} databases found")
print(f"[*] Report: {report_path}")
return str(report_path)
def main():
if len(sys.argv) < 3:
print("Usage: python process.py <evidence_root> <output_dir>")
sys.exit(1)
collector = CloudStorageArtifactCollector(sys.argv[1], sys.argv[2])
collector.generate_report()
if __name__ == "__main__":
main()