Cloud computing and cloud storage services, in particular, pose a new challenge to digital forensic investigations. Currently, evidence acquisition for such services still follows the traditional method of collecting artifacts on a client device. This approach requires labor-intensive reverse engineering efforts, and ultimately results in an acquisition that is inherently incomplete. Specifically, it makes the incorrect assumption that all storage content for an account is fully replicated on the client; further, there are no means to acquire historical data in the form of document revisions, nor is there a way to acquire cloud-native artifacts, such as Google Docs. In this work, we introduce the concept of API-based evidence acquisition for cloud services, which addresses these concerns by utilizing the officially supported API of the service. To demonstrate the utility of this approach, we present a proof-of-concept acquisition tool, kumodd, which can acquire evidence from four major cloud drive providers: Google Drive, Microsoft OneDrive, Dropbox, and Box. The implementation provides both command-line and web user interfaces, and can be readily incorporated into established forensic processes.

翻译：特别是云计算和云存储服务对数字法证调查构成了新的挑战。目前,为此类服务获取证据仍然遵循传统的收集客户设备文物的方法。这种方法需要劳动密集型反向工程努力,最终导致本已不完整的获取。具体地说,它不正确地假定一个账户的所有存储内容都完全复制在客户身上;此外,没有办法以文件修订的形式获取历史数据,也没有办法获取云性文物,如谷歌文档。在这项工作中,我们引入了基于API的云性服务证据获取概念,通过使用官方支持的API服务来解决这些关切。为了展示这一方法的效用,我们提出了一个验证概念获取工具kumodd,它可以从四个主要的云驱动供应商获取证据:谷歌驱动器、微软OneDrive、Droppox和Box。实施提供了指令和网络用户界面界面,可以随时纳入既定的法证程序。