Monday, January 20, 2014

IDrive Forensics: Up in the Clouds


Colby Lahaie, IDrive Forensics, Champlain College


Welcome to my first blog post for my Capstone project!  I will be doing my Capstone on a cloud service called IDrive.  Before I start with what I am doing, let me introduce myself.  My name is Colby Lahaie and I am currently a senior attending Champlain College in the Computer and Digital Forensics program.  The Capstone is the final project where we take everything that we have learned over our 4 years and conduct a research project on a topic that has never been done before.

Now, some of you might not know what Computer and Digital Forensics is, so I'll tell you.  Computer and Digital Forensics is the science of searching, collecting, and analyzing computers and other digital devices, such as cell phones, for digital evidence in a forensically sound manner, and of presenting facts and opinions about that information.  Basically, it's like looking for evidence of a crime at a traditional crime scene, but in a virtual space.

I will forensically analyze the IDrive Windows application (version 6.0.0.39) to find the different artifacts that it leaves behind on a computer.  IDrive is an Online Backup and Cloud Storage service and has versions for Windows, Mac, Android, iOS, and Windows Mobile devices.  With everything moving to the Cloud, it is much harder for investigators to conduct traditional analyses, so it is important to find out everything that one can about how these services work.

There have been a few cloud services that have been forensically analyzed, such as Dropbox, but IDrive has yet to be forensically analyzed in depth.  I initially had a hard time with a topic for my Capstone, because I had a couple of ideas to choose from, but after searching the web, I was able to decide on a final topic, which I found on the Forensic Focus website.  Thank you Forensic Focus!

For this project, I will be analyzing network traffic, RAM (Random Access Memory), default folder locations, and registry changes, all within a Windows 7 virtual machine.  I will be looking to see what data is stored on the computer and what data is left behind when data is deleted as well as after IDrive is uninstalled.

Some questions I will be attempting to answer through my research:

  • Where are the default save locations of IDrive?
  • What other artifacts are left behind?
  • What registry changes are made?
  • What does the log file show?
  • Can deleted files be recovered?
  • What is left behind after IDrive has been uninstalled?
  • What details can be found about the computer connected to IDrive?


Some of the tools I will be using are: