Cloud Storage Forensics: Analysis of Data Remnants on SpiderOak, JustCloud, and pCloud

STorage as a Service (STaaS) cloud platforms benefits such as getting access to data anywhere, anytime, on a wide range of devices made them very popular among businesses and individuals. As such forensics investigators are increasingly facing cases that involve investigation of STaaS platforms. Therefore, it is essential for cyber investigators to know how to collect, preserve, and analyse evidences of these platforms. In this paper, we describe investigation of three STaaS platforms namely SpiderOak, JustCloud, and pCloud on Windows 8.1 and iOS 8.1.1 devices. Moreover, possible changes on uploaded and downloaded files metadata on these platforms would be tracked and their forensics value would be investigated.


Introduction
Cloud computing enables businesses and individual to access computing resources such as servers and storages on an on-demand basis, where resources can be quickly provisioned with minimal efforts and interaction with the service provider (Mell & Grance, 2011).The National Institute of Standards and Technology (NIST) broadly categorised cloud computing services into three categories: 1.
Software as a Service (SaaS): When an application is used to access shared infrastructure of the Cloud Storage Service Provider (CSSP).A popular example of SaaS is Storage-as-a-Service (STaaS) cloud systems.2.
Platform as a Service (PaaS): Users may deploy their own applications on the CSSP's infrastructure 3.
Infrastructure as a Service (IaaS): The CSSP provides the underlying computing resources for the deployment of software (including Operation System (OS)) by the users (Mell & Grance, 2011).
The increasing popularity of STaaS and the potential for such services to be criminally exploited have attracted the attention of policing and forensics scholars in recent years (Damshenas, Dehghantanha, Mahmoud, & bin Shamsuddin, 2012).Many emerging and new platforms are now based on cloud services to operate.As noted by the National Institute of Standards and Technology (2014), cloud forensics is the application of scientific rules, technological exercises and approved methods to rebuild past events of crime committed in the cloud computing environment.
Although a number of STaaS have been examined (see Table 1), researchers (K.-K.R. Choo & Smith, 2008; K.-K.R. Choo, 2008) have posited that organized crime and cyber criminals are innovative and will constantly seek to "innovate" in order to evade the scrutiny and reach of law enforcement, such as using other STaaS to store incriminating evidence.ensure that their stored data will not be surrendered to law enforcement agencies by the cloud service provider.
JustCloud allows users to synchronize, create backup, and share files.In file synchronization, a folder is created on the user's desktop after JustCloud's client application is installed, which enables the user to access data stored on all devices where the client application has been installed.
Users may store, sync, and share their files using pCloud.A unique feature of this CSSP is the upload link.User can have files uploaded on their space by those who have access to the upload link.This CSSP is also capable of making backup from other services including Dropbox, Facebook, Instagram, and Picasa.Table 2 briefly compares the features of aforementioned services.In this paper, we answer the following questions: (1) What artifacts of forensic interest can be recovered from the Random Access Memory (RAM) and the Hard Disk (HDD) of a Windows device after using SpiderOak, JustCloud, and pCloud services via Internet Explorer (IE), Firefox (Fx), and Google Chrome (GC) browsers?(2) What artifacts of forensic interest can be recovered from the RAM and HDD of a Windows device after using SpiderOak, JustCloud, and pCloud services via the respective client Windows applications?(3) What artifacts of forensic interest can be recovered from the internal memory and internal storage of an iPhone device after using SpiderOak, JustCloud, and pCloud services via the respective iOS applications?(4) Whether the contents or the metadata of the investigated files change during the process of uploading and downloading, and whether the timestamp information of the downloaded files is reliable?
Research will be conducted on Windows 8.1 and iOS devices.At the time of research, Windows 8.1 is the latest version of Microsoft desktop OS and iOS is one of the most popular mobile platforms (Net Applications, 2014a, 2014b).
The rest of the paper is organized as follows: In Section 2, we describe the forensic framework used to guide the research and the experiment setup.The findings from the analysis of SpiderOak, JustCloud, and pCloud are presented in sections 3, 4, and 5 respectively.Finally, the last section concludes this paper.

Cloud forensic framework
When conducting a forensic investigation, the investigator should adopt best practices such as those of the Association of Chief Police Officers (ACPO).The ACPO specifies four principles for collecting and examining digital evidence (Williams, 2012):  Principle 1: Data which may subsequently be relied upon in a court of law should not be changed. Principle 2: In the event that a person needs to access the original data, that person must be suitably qualified and is able to justify and explain the implications of the actions. Principle 3: An appropriate auditing and record-keeping processes should be in place which would ensure that an independent third party would be able to examine the recorded processes and achieve the same result. Principle 4: The investigating officer needs to ensure that the law and these principles are adhered to.
It is also common practice that a forensic framework be used to guide the investigation.In the context of our paper, we adopt the cloud forensic framework introduced by Martini and Choo (Martini & Choo, 2012).This is, perhaps, the first digital forensic framework designed to conduct both client and server investigations of cloud services.The framework has also been validated by the authors using ownCloud (Martini & Choo, 2013), (Martini & Choo, 2014b), (Martini & Choo, 2014c), and by Thethi and Keane (2014) on EC2 cloud.There are four stages in this framework, namely: evidence source identification and preservation, collection, examination and analysis, and reporting and presentation for collecting digital evidence from the cloud environment.1.Evidence Source Identification, Collection and Preservation.In this phase, potential sources of relevant data are identified.Any device capable of connecting to STaaS, either via a browser or a client application, is considered a potential source of evidence.In this phase, the investigator should also ensure that ACPO principles are adhered to, wherever possible.During collection of evidence from storage media, particularly media belonging to external parties, the investigator should also ensure that relevant laws and regulations are followed (Kent, Chevalier, Grance, & Dang, 2006).In this research, the .vmemand vmdk files of each virtual machine (VM) were collected with extension E0 using AccessData FTK Imager.The former was cloned while the VM was running, whereas the latter was duplicated after the VM was shut down.The logs of Wireshark, recording communications between VMs and the respective STaaS were also acquired at this stage.The MD5 hash checksum of collected evidence files were documented.2. Examination and analysis.Information from acquired data is extracted in this phase.Methods to circumvent or bypass protection mechanism on the devices may be used to examine and analyze information collected and preserved from the previous phase (e.g.use of tools to brute-force password-protected data).
During this phase, findings should also be reviewed with information or intelligence drawn from other sources and investigations (e.g.see metadata analysis described in Sections 3 to 5; and (D Quick & Choo, 2014) before a conclusion is drawn.3. Presentation.In the last phase, findings are documented for presentation in a court of law (Kent et al., 2006).

Windows
The Windows-based experiments were implemented on VMs using VMware Player 6.0.1.The following files with forensic value were collected and examined:  .vmemfile: A paging file that includes the backup of the VM's main memory (VMware Inc., n.d.). .vmdkfile: A virtual disk file that stores the contents of the VM's hard disk drive (VMware Inc., n.d.).
Windows 8.1 Build 9600 along with IE 11.0.9600.16384,Fx 33.0.2, and GC 38.0.2125.111m were installed on a VM with 25 GB hard disk and 1 GB memory.In this research, 14 files from a dd image file developed by Carrier (2004) were used as the dataset (see Table 3).The original dd image file was mounted on the VM using OSFMount 1.5.

Table 3. Files used in the Windows-based experiment
From the base VM, the following snapshots were created:  VM-W1: A SpiderOak account was created using IE.
 VM-W2: A SpiderOak account was created on Fx.  VM-W3: A SpiderOak account was created using GC. VM-W4: A JustCloud account was created using IE. VM-W5: A JustCloud account was created on Fx.  VM-W6: A JustCloud account was created using GC. VM-W7: A pCloud account was created on IE.  VM-W8: A pCloud account was created on Fx in this VM. VM-W9: A pCloud account was created using GC. VM-W10: The SpiderOak's client application was installed.Sample files were also uploaded and downloaded using the client application. VM-W11: The JustCloud's client application was installed, and a series of uploading and downloading of sample files using the client application was undertaken. VM-W12: The pCloud's client application was installed. VM-W16: A series of downloading of sample files using SpiderOak with IE.  VM-W17: Sample file were downloaded using SpiderOak via Fx. VM-W18: A series of downloading of sample files using SpiderOak with GC.  VM-W19: A series of downloading of sample files using JustCloud with IE.  VM-W20: A series of downloading of sample files using JustCloud with Fx.  VM-W21: A series of downloading of sample files using JustCloud with GC.  VM-W22: A series of downloading of sample files using pCloud with IE.  VM-W23: A series of downloading of sample file using pCloud with Fx.  VM-W24: A series of downloading of sample files using pCloud with GC.  4).Table 4. Research email accounts SpiderOak 5.1.8,JustCloud 1.4.0.28, and pCloud 1.3.2 were respectively installed on VM-W10, VM-W11, and VM-W12 and sample files were uploaded and downloaded using the respective client applications.
VM-W10, VM-W11, and VM-W12 were shut down and cloned respectively to VM-W13, VM-W14, and VM-W15.They were used for the investigation of data remnants after uninstallation of the client applications.On the last nine VMs (i.e.VM-W15 to VM-W24), the sample files were uploaded and downloaded using the respective browsers.On VM-W10, VM-W-11 and VM-W16 to VM-W24, MD5 checksum of the downloaded files were recorded and compared with the original ones.
In all our experiments, we configured the browsers and client applications to decline storing the passwords.In additional, prior to cloning each .vmemfile, the corresponding browser was closed without the user signing out.The base VM was configured to create only one .vmdkfile, and other VMs were generated by taking snapshots of the base .vmdkfile.VMware Virtual Disk Manager Utility was used to merge the base .vmdkfile with the snapshot files in order to make creating of the image file using FTK Imager possible.
The following files were collected for further analysis on a personal computer (PC): The above collected files were analysed using following tools:  Wireshark 1.12.1 was used to filter network traffic to detect IPs and ports used by the respective STaaS web-portal and client application.
 Autopsy Version 3.1.1was used to conduct keyword search within E0 files linked to VMs' HDDs, and analyze browser cookies, browser histories and filtered files of E0 images. ESEDatabaseView v1.23 was used to analyse tables located in IE database.
More specifically, for IE versions 10 and 11, the browser database is stored in an Extensible Storage Engine (ESE) file named WebCacheV01.dat(Malmström & Teveldal, 2013).The tables to be examined are contained in the ESE file located in %LocalAppData%\Microsoft\Windows\WebCache\. SQLite Manger was used to extract sqlite files of Fx and GC. DCode Date (Wilson, n.d.) was used for converting dates and times from hex, epoch, and WebKit formats to human readable format. Thumbcache Viewer 1.0.2.7 was used to extract thumbcache files. FTK Imager was used to analyze other files of interest. iExplorer was used for mounting and browsing iPhone backups.
Files from each of the E0 files that containing matching keywords were identified and filtered for further analysissee Table 5.
Table 5. Keyword search items The iPhone backups were also searched for user email address, name, IDs, and 2 pCloud registration process does not ask for the name of the account.
3 Accounts of JustCloud and pCloud do not have ID. password.

Observations: SpiderOak's account created using the respective browsers
We were able to recover various information associated with the creation of the SpiderOak's account using the respective browserssee Tables 6 to 8. The "spideroak" word, email address, ID, and name of the created account Browser related files The email address used in signing up process (see Figure 2) The date and the UTC time of visiting Unallocated space The email address, the ID and the full name of the registered account (see Figure 3) Other files SpiderOak's website was observed in a file located in %AppData%\Microsoft\Windows\Recent\CustomDestinations "spideroak" word, the email address, the ID, the name, and the password of the created account (see Figure 4) Browser related files Information about visited spideroak.comwith the date and the UTC time of the last visit and "spideroak.com"word, the email address, the full name, and the ID of the created account Unallocated space The email address of the created account Other files SpiderOak's website was seen in a file in %AppData%\Microsoft\Windows\Recent\CustomDestinations Memory.SpiderOak, the username, the email address, and the password of the created the account along with the share ID (with the date and the time of creation), the shared URL and its password, the name of the shared folder, the name of the downloaded files, the name of the created sync and its folder on the host and on the target device, all were obtained from the collected vmem file (see Figure 5 and Figure 6).Client application files.Client information such as the username, the share ID, RoomKey, the name of the shared folder, the name of the downloaded files, the name of the created sync and its folder on the host and on the target device as well as the date and the time of launched backup and synchronization were seen in %AppData%\SpiderOak\spider_###############.log.In the log file, an IP address was found which was appeared to be used for broadcasting on ports 21327 and 21328.
The three first octal were the same as the device's IP address.In the oak_###############.log, similar events regarding the application along with the date and the time of occurrence were found.In %AppData%\SpiderOak\config.txt, the Hive path was observed.Files in %AppData%\SpiderOak\Sync contained the details of created syncs including the date and the time of their processing and source and destination paths, all, in SQLite format.
MFT.The sync name, the downloading folder name, and the installation filename were identified in the MFT$.
Registry.Installation filename and its storing path were found in the following keys:  HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store  HKEY_USERS\S-1-5-21-1335463704-3291414260-3134846049-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store Moreover, SpiderOak's client application created inbound rules on both TCP and UDP protocols in Windows Firewall.The related keys' paths are as follow: Prefetch.Installation filename was observed in Prefetch folder.
Paging file.The installation filename and the name of the downloaded files and their storing path were located in pagefile.sys.
Windows events.In the Application node, some records linked to the client application installation were located.
 %SystemRoot%\System32\config\SYSTEM and SYSTEM.LOG1 Based on the collected MD5 checksums, apart from file13.dll, the contents of other sample files were preserved by the CSSP.We were not able to restore ADS from file13.dll.Metadata of file12.docsuch as Authors value remained the same as the original file.It was also evident that the Modified value of downloaded files did not alter.However, we observed that the values of Created and Accessed fields were changed to the date and the time of downloading (see Figure 7).

Observations: Uninstalling SpiderOak's Application Program
Memory.Although the uninstall wizard asked for restart, restarting did not occur.Aside from the password of the shared URL, the result of memory analysis is similar to that reported in Section 3.2 (see Figure 8).Client application files.After uninstalling SpiderOak on VM-W13, we observed that the Hive folder and its contents remained.We were also able to locate the files located in %AppData%\SpiderOak\ previously discussed in Section 3.2.MFT and paging file.Both MFT and paging file contained spideroak word, the sync name, and downloading folder name.NTFS log."spideroak.exe" was observed in $LogFile.Registry.The following keys pointed to spideroak.exeafter uninstalling: Several other files we located also contained the spideroak.exeword.

Observations: Downloading from SpiderOak using the respective browsers
We were able to collect information with forensic value associated with the downloading from SpiderOak using the respective browserssee Tables 9 to 11.The username and the device name were visible in the URL (see Figure 9), shared titlethe page was browsed -, and download folder name (SO Downloaded Files) Browser logs The URLs of SpiderOak that were visited along with the date and the UTC time of browsing, the downloading folder name and its path, the username stated in a URL, and the device name MFT and NTFS log The device name, the downloading folder name, the RoomKey, and the shared title (see Figure 10) Registry In addition to Typed URL, the following keys pointed to spideroak.com:The name of the downloaded file was seen in $LogFile Link The only related link file observed was %AppData%\Microsoft\Windows\Recent\e_.lnk, which referred to an archive of all sample files downloaded from SpiderOak Unallocated space spideroak.com,the device name, username were visible in the URL, and the downloaded filename were located in the unallocated space.

Other files
The name of the downloaded file was observed in the below files: • %LocalAppData%\Microsoft\Windows\WebCache\V01.log and WebCacheV01.datAccording to the recorded MD5 checksums, the contents of the downloaded files, with the exception of file13.dll,remained intact.We were not able to restore ADS from file13.dll.Metadata of file12.docsuch as Authors value remained the same as the original file.Unlike the result presented in Section 3.2, in addition to Created and Accessed fields, Modified value was also changed to the date and the time of downloading.

Observations: Browsing and downloading from SpiderOak's iOS app
As shown in Figure 13, a file named Cache.db-wallocated in \Apps\SpiderOak\Library\Caches\com.spideroak.SpiderOak\nsurlcache contained valuable information regarding the registered account and created backups and syncs.Apart from the file13.dll,the MD5 signatures of the sample files were the same as the original files.Modified date was pointing to the download time.

Observations: JustCloud's account created in using IE the respective browsers
Recovered information associated with the creation of the JustCloud's account using the respective browsers are presented in Tables 12 to 14.

Memory
The "justcloud" word, the email address and the name of the created account Browser related files The JustCloud URLs visited, along with the date and the UTC time of browsing were found in WebCacheV01.dat.The full name and the email address of the created account along with "justcloud" word in %LocalAppData%\Microsoft\Internet Explorer\Recovery\Last Active\{056F2E5F-67E5-11E4-9717-000C29B56A39}.dat and %LocalAppData%\Packages\windows_ie_ac_001\AC\INetCache\X SEVJ9WJ\account [1].htm.

Registry
The URL of the visited webpages and the date and the UTC time of browsing respectively in TypedURLs and TypedURLsTime keys.

Memory
The "justcloud" word and the email address of the created account were observed in the collected vmem file.

Browser related files
In %LocalAppData%\Mozilla\Firefox\Profiles\[Random Name].default\cache2\entries, the following files were indicating justcloud.comwas browsed:  FC83C509516A560D495BCDD9C0C0025E0BB16907 Information regarding cookies and histories were found in cookies.sqlite,places.sqlite,and permissions.sqlite.The date and the UTC time of visiting were retrieved from the two first files.

Memory
The "justcloud" word and the email address, the name, and the password of the created account Browser files.History and Cookies files contained information about visited JustCloud's URLs with the date and the UTC time of browsing.Shortcuts, Top Sites, Favicons, Current Tabs, and Current Session all located in %LocalAppData%\Google\Chrome\User Data\Default also pointed to justcloud.com.
Memory.The installation filename and its storing path, the name and the email address of the created account, the date and the time of account creation were observed in the memory.Client application files.In %ProgramFiles%\JustCloud\Database, the following files of forensic interest were identified:  mpcb_settings.dbcontained the email address and the computer name used to log in. mpcb_backup_conf.dbincluded the name of the files that were browsed to be backed up.
Also in %ProgramFiles%\JustCloud\log, the below key files were found:  BACKUP.logcontained a history of created backups along with the date and the time. LICENCE.logincluded the number of days that the account had been created and the name of the account. APPLICATION.logcontained the date and the time of executing the program. DOWNLOADER.log included the details of a download failure during downloading sample files. ONLINE_FOLDER.log contained the names of downloaded files.
MFT, Pagefile.sys,and unallocated.These contained the installation filename and JustCloud.exe.NTFS log.The installation filename and JustCloud.exewere observed in $LogFile.Prefetch folder.CONSENT.EXE-65F6206D.pf,JUSTCLOUD_SETUP.EXE-3C2F187F.pf,AgRobust.db,JUSTCLOUD.EXE-A4042D73.pf,RUNDLL32.EXE-125D4518.pf, and TASKENG.EXE-5BAF290C.pflocated in %SystemRoot%\Prefetch\ included either the installation filename or JustCloud.exe.Layout.ini in the same path contained both mentioned files.Windows events.An event regarding JustCloud's backup service was located in the System log.Link Files.Four relevant lnk files were found: From our experiments, we determined that JustCloud does not allow the uploading of files with an invalid extension and users attempting to do so will be presented with an error message -"Failed: The remote server returned an error: (403) Forbidden.".Recorded MD5 checksums showed that, the contents of sample files, with the exception of file13.dll,were preserved by this CSSP.Similar to the findings presented in Section 3.2, we were not able to restore ADS from file13.dll.Metadata of file12.docwere not altered.The values of Created, Modified, and Accessed fields were changed to the date and the time of downloading.

Observations: Uninstalling JustCloud's Application Program
Memory.With the exception of not able to locate the email address of the account, the investigation result of the vmem file was the same as Section 4.2.

Memory
The email address and the password of the account (see Figure 17), the names of downloaded files and the storing path Browser related files The URLs of JustCloud with the date and the UTC time of visiting in cookies.sqliteand places.sqlitelocated in %AppData%\Mozilla\Firefox\Profiles\[Random Name].default\.The name of downloaded files in WebCacheV01.datand V01.log (see Figure 18).

MFT and NTFS log
The name of downloaded files

Memory
The device name and the name of downloaded files with the path of storing Browser related files History and Cookies files contained information about visited JustCloud's URLs as well as the date and the UTC time of browsing.History Provider Cache, Cookies-journal, Shortcuts, Top Sites, Top Sites-journal, Favicons, Favicons-journal, Preferences, Current Tabs, Last Session, and Current Session all located in %LocalAppData%\Google\Chrome\User Data\Default also pointed to justcloud.com.The name of the downloaded files were seen in %LocalAppData%\Google\Chrome\User Data\Default\Cache\data_1 MFT, NTFS log, and paging file They contained the names of downloaded files

Other files
The name of downloaded files in %ProgramData%\Microsoft\Windows Defender\Support\MpWppTracing-11202014-101334-00000003ffffffff.bin Respecting the integrity check, the same result as Section 3.4 was obtained.

Observations: Browsing and downloading from JustCloud's iOS app
In \Apps\JustCloud\Documents, a file named syncfolder.indexcontained the name of the sync folder and its files.Files located in \Apps\JustCloud\Documents\datacache downloaded files with different names were observed.In \Apps\JustCloud\Library\Preferences, a file contained account's user's email was located.

Observations: pCloud's account created in using IE the respective browsers
We were able to recover various information associated with the creation of the pCloud's account using the respective browserssee Tables 18 to 20.  74.120.8.14 on port 80 and 74.120.8.14, 74.120.8.6, 74.120.8.144, and 74.120.8.13The last two files also contained the email address.Unallocated space "pcloud" word and the email address of the created account Table 20: Recovered artefacts associated with the creation of the pCloud's account using GC.

Memory
The email address and the password of the registered account (see Figure 19) Browser related files
Memory.The email address of the account, the email address of the person who was invited to have access to the shared URL, the message of the invitation, and the share title were observed in vmem file.
Client application files.In %LocalAppData%\pCloud\data.db, information regarding the synced files were observed.The file was in SQLite format and contained 25 tables that described files properties and folder names of synced data.For instance, as depicted in Figure 20, the file table contained filenames and their creation and modification date and time in Unix-Numeric format.Also in the hashchecksum table, SHA1 hash values of synced files were recorded where their values matched with the original files' checksum.
Figure 20.The file table that contains filenames and their creation and modification date and time By using Autopsy, the invited email and the invitation message were found in the same file.We also observed the invited email in data.db-wallocated in the same path.

Other files
The name of the downloaded file in $Extend\$UsnJrnl:$J.
We determined that the MD5 checksum of sample files, except file13.dll,were not altered after downloading.However, we were not able to restore ADS from file13.dll.Metadata of file12.docsuch as Authors value remained the same as the original file.It was also observed that Modified value of downloaded files was the date of uploading.The values of Created and Accessed fields were, on the other hand, changed to the date and the time of downloading.In this research, we located and described various artefacts of forensic when SpiderOak, JustCloud, and pCloud were used with IE, Fx, and GC browsers, client application, and mobile application on Windows machines and iOS devices.The recovered artefacts include email addresses, the ID, and the name of the created account and the name of the uploaded and downloaded files.Our findings also suggested that user's credentials could be recovered from memory, and the checksums of sample files after being downloading from investigated CSSPs remained identical to the original.However, we noted that none of the investigated CSSPs could prevent the timestamp and the alternate data streams (ADS) of files from being changed.Our findings also indicated that metadata of the doc file examined in this study was not altered which could be another piece of useful information in forensic investigation.
Future work would extending our work to examining machines running Linux and other less popular operation systems.

Figure 1 .
Figure 1.Overview of Windows-based Experiments

Figure 2 .
Figure 2. The email address of the created account

Figure 5 .
Figure 5.The username and the email address of SpiderOak's account

Figure 8 .
Figure 8. Account's password in memory of VM-W13 Figure 9.The username and the device name in the collected vmem file from VM-W16

Figure 13 .
Figure 13.Cache.db-walcontaining some details of the account and created backups and syncs

Figure 14 .
Figure 14.The name of the registered account along with account creation date and time in vmem file of VM-W11

Figure 16 .
Figure 16.For downloading JustCloud used googleapis.com Figure 19.The email address and the password of the created pCloud account in VM-W9's vmem file

Figure 21 .
Figure 21.The invited email address in a json file

Table 8 :
Recovered artefacts associated with the creation of the SpiderOak's account DAT, and ntuser.dat.LOG1.The latter was located in %UserProfile%.

Table 9 :
Recovered artefacts associated with downloading from SpiderOak using IE

Table 10 :
Recovered artefacts associated with downloading from SpiderOak using Fx

Table 13 :
Recovered artefacts associated with the creation of the JustCloud's account

Table 15 :
Recovered artefacts associated with downloading from JustCloud using IE Location Recovered artefacts Network traffics As shown in Figure 16, for downloading, JustCloud transferred the user to http://capsa.storage.googleapis.com.Connections were made with IP addresses 23

Table 16 :
Recovered artefacts associated with downloading from JustCloud using Fx.

Table 18 :
Recovered artefacts associated with the creation of the pCloud's account using

Table 21 :
Recovered artefacts associated with downloading from pCloud using IE URLs with the date and the UTC time of browsing in cookies.sqliteand places.sqlitelocated in %AppData%\Mozilla\Firefox\Profiles\[Random Name].default\The name of the downloaded file in places.sqliteand its moz_annos table The email address of the account, the shared folder name, access permissions, and the recipient in some files located in

Table 23 :
Recovered artefacts associated with downloading from pCloud using GC