Abstract:
Smart phones are powerful minicomputers characterized by high performance, large memory capacity and enhanced applications that enable various ways of communication. They are widely used for purposes other than making phone calls, for instance browsing the internet, reading and responding to emails, road navigation, editing documents, video conferencing, playing music, and taking videos and photos, to mention but a few.
The problem at hand is that forensic investigators often encounter difficulty in identifying service providers, account credentials such as usernames and passwords, and cloud data remnants. This information can be obtained through the seizure and analysis of data contained in smart phones such as Android devices. There is an emerging trend where criminals use cloud computing to propagate and perform acts of crime like child pornography, which puts into perspective the importance of the study in the acquisition of sound forensic tools and techniques that will ensure evidence is admissible before a court of law.
The project was intended to address the following research questions. Firstly, what are the cloud data remnants on a smart phone and where are they located in current Android versions? Secondly, how can these cloud data remnants be forensically acquired from a smart phone? Thirdly, what is the forensic implication of accessing and downloading cloud data from Google Drive™, Dropbox™ and OneDrive® on a smart phone?
The project explored ways of collecting data from cloud storage accounts with the help of browsers and client software, followed by the use of forensics software and, thereafter, a comparison with the original evidence files using a digital forensics framework.
The key findings from the acquisition included log files, the downloaded files and memory captures of some files resident on the clients.
In conclusion, the experiments established that no modifications were made during the process. Notable, though, was the change of timestamps, which should be considered in the assumptions about creation, modification and access times associated with files downloaded via client software.
Recommendations are that the relevant organs in Kenya should gazette laws for the utilization of digital forensics tools for the admissibility of evidence in courts of law. The current Evidence Act (Republic of Kenya, 2014) does not clearly define the method of acquiring digital evidence or the open source and licensed tools to be utilized, though it explicitly states that electronic records are admissible in court.
Future studies can incorporate the use of licensed forensics software to retrieve evidential data from new Android versions like Marshmallow. The national government should also initiate activities for the drafting of national mobile forensic guidelines to govern the acquisition of data remnants with the use of approved software.