Browsing History Databases
When examining the browsing history databases (e.g. index.dat) of a system, references to "https://www.amazon.com/clouddrive/api" followed by a specific query to the Cloud Drive are good indications that the system has interacted with an Amazon Cloud Drive. The query issued will vary based on the operation carried out (upload, download, deletion, etc.). For example, the following is a URL that an examiner may find in a system's browsing history after a file has been uploaded to an Amazon Cloud Drive using only a web browser:
As the URL shows, there is potentially useful information available here, such as the file name, customer ID, and type of operation. However, based on my research, the browser cache files stored on a system are a more complete source of information about file uploads and other Cloud Drive activity. Still, analysis of a system's browsing history database will at least tell the examiner whether an Amazon Cloud Drive was accessed from the system.
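The triage step described above, as an added example that is not part of the original post or the author's tooling: the script below scans a browsing history database for the "https://www.amazon.com/clouddrive/api" prefix, splits off the operation path and query parameters, and reports when each was visited. It assumes a Chrome-style History SQLite `urls` table (the post mentions index.dat; the IE format is not on the page, so a Chrome layout is used as a stand-in), and the sample rows, including their query parameter names, are constructed for the demo and are not documented Cloud Drive parameters.

```python
"""Triage a Chrome-style History database for Amazon Cloud Drive API hits.

Added example, not from the original post. Assumes Chrome's 'urls' table
layout (url, visit_count, last_visit_time as microseconds since
1601-01-01 UTC). The sample rows are constructed; their query parameter
names are illustrative only, not real ACD API parameters.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

ACD_API_PREFIX = "https://www.amazon.com/clouddrive/api"
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chrome_time_to_iso(micros):
    """Convert a Chrome/WebKit timestamp (us since 1601-01-01 UTC) to ISO 8601."""
    return (CHROME_EPOCH + timedelta(microseconds=micros)).isoformat()


def to_chrome_time(dt):
    """Inverse of chrome_time_to_iso; integer division keeps exact microseconds."""
    return (dt - CHROME_EPOCH) // timedelta(microseconds=1)


def parse_acd_url(url):
    """Return (operation path after the API prefix, flattened query dict),
    or None when the URL is not an ACD API request."""
    if not url.startswith(ACD_API_PREFIX):
        return None
    parts = urlsplit(url)
    api_path = urlsplit(ACD_API_PREFIX).path          # "/clouddrive/api"
    operation = parts.path[len(api_path):].strip("/")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return operation, params


def find_acd_activity(conn):
    """Pull every ACD API URL from the history DB, oldest visit first."""
    rows = conn.execute(
        "SELECT url, last_visit_time, visit_count FROM urls "
        "WHERE url LIKE ? ORDER BY last_visit_time",
        (ACD_API_PREFIX + "%",),
    )
    hits = []
    for url, last_visit, visits in rows:
        operation, params = parse_acd_url(url)
        hits.append({
            "when": chrome_time_to_iso(last_visit),
            "operation": operation,
            "params": params,
            "visits": visits,
            "url": url,
        })
    return hits


def build_sample_history():
    """Constructed in-memory History DB: two ACD API hits and one unrelated
    amazon.com URL that the prefix filter must ignore."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
        "visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, "
        "hidden INTEGER)"
    )
    t0 = datetime(2013, 5, 1, 12, 0, tzinfo=timezone.utc)
    sample = [  # hypothetical parameter names: name, customerId, id
        (ACD_API_PREFIX + "/upload?name=report.docx&customerId=A1B2C3",
         1, to_chrome_time(t0)),
        ("https://www.amazon.com/gp/cart/view.html", 3,
         to_chrome_time(t0 + timedelta(minutes=2))),
        (ACD_API_PREFIX + "/recycle?id=OBJ123&customerId=A1B2C3",
         1, to_chrome_time(t0 + timedelta(minutes=5))),
    ]
    for url, visits, when in sample:
        conn.execute(
            "INSERT INTO urls (url, title, visit_count, typed_count, "
            "last_visit_time, hidden) VALUES (?, '', ?, 0, ?, 0)",
            (url, visits, when),
        )
    return conn


if __name__ == "__main__":
    for hit in find_acd_activity(build_sample_history()):
        print(hit["when"], hit["operation"], hit["params"])
```

Against a real system, point `sqlite3.connect()` at a copy of the History file (never the live one) and keep the raw URL column in the report: the operation path is what distinguishes an upload from a deletion, and the customer ID in the query is what ties the activity to an account.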
The most significant evidence that I've found of a user's interaction with a Cloud Drive when using only a web browser is found in the browser cache files. There are specific cache files related to different operations carried out on the Cloud Drive, such as uploads and deletions. Further, there are two types of deletions within an Amazon Cloud Drive: recycling and "permanent" deletion. Deleting a file within the Amazon Cloud Drive web interface sends the file to the "Deleted Items" folder/area of the Cloud Drive, which functions very much like the Recycle Bin on a Windows system. If the file is then deleted from the "Deleted Items" area, it is no longer accessible to the user within the Cloud Drive interface. The type of deletion that takes place via web browser can be distinguished through analysis of the browser cache.
Although the relevant cache files I've found have been in plain text, analysis of these individual files can get messy and time-consuming. To illustrate, the screenshot below shows one type of cache file that is helpful when examining a system used to interact with an Amazon Cloud Drive.
|Example ACD browser cache file|
To ease the burden of an examiner having to manually extract this information, I've written a Perl script called acdCacheParse.pl that accepts the path to a directory containing cache files and parses information from each relevant cache file it identifies. The information harvested from browser cache files includes: file name, object ID, Amazon customer ID, file creation date, file last updated date, cloud path, file size, the file's MD5, and the type of operation (upload, recycle, or permanent deletion).
When running acdCacheParse.pl against a directory containing browser cache files from a system and redirecting the output to a CSV file, you will be presented with a table of information associated with Amazon Cloud Drive activity. For example, you may see something similar to the screenshot below.
|Example output from acdCacheParse.pl|
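One thing a practitioner will want to do with that CSV is put the harvested MD5s to work: hash the files on the seized volume and match them against what the cache says was uploaded, recycled, or permanently deleted. The script below is an added example, not the original post's code and not part of acdCacheParse.pl; the CSV column names it reads are an assumption about the script's output, and the records and files it builds are constructed for the demo.

```python
"""Correlate MD5s harvested from ACD browser cache with files on disk.

Added example, not from the original post or acdCacheParse.pl. The CSV
header below is an ASSUMED layout for acdCacheParse.pl output; the
records and the local files are constructed for the demo.
"""
import csv
import hashlib
import io
import os
import tempfile

CSV_COLUMNS = ["file_name", "object_id", "customer_id", "created", "updated",
               "cloud_path", "size", "md5", "operation"]  # assumed layout


def load_cache_records(csv_text):
    """Parse the CSV produced from the cache parser into a list of dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def md5_of_file(path, chunk=1 << 20):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map lowercase MD5 hex -> paths for every regular file under root."""
    index = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            index.setdefault(md5_of_file(path), []).append(path)
    return index


def correlate(records, local_index):
    """Classify each cache record against the local hash index:
    hash_match   - identical content found on disk
    name_only    - same file name on disk but different content (edited,
                   or a different version than the one sent to the cloud)
    no_local_copy - nothing on disk; the cache is the only trace left."""
    by_name = {}
    for paths in local_index.values():
        for p in paths:
            by_name.setdefault(os.path.basename(p).lower(), []).append(p)
    results = []
    for r in records:
        md5 = r["md5"].lower()
        name = r["file_name"].lower()
        if md5 in local_index:
            results.append((r["file_name"], r["operation"], "hash_match", local_index[md5]))
        elif name in by_name:
            results.append((r["file_name"], r["operation"], "name_only", by_name[name]))
        else:
            results.append((r["file_name"], r["operation"], "no_local_copy", []))
    return results


def demo():
    """Constructed scenario: one exact match, one name-only match, one file
    that survives only in the cache (it was permanently deleted)."""
    plan = b"constructed plan contents\n"
    notes_cloud, notes_local = b"cloud version of notes\n", b"local version differs\n"
    rows = [  # constructed records; dates/paths/IDs are placeholders
        dict(file_name="plan.docx", object_id="OBJ1", customer_id="A1B2C3",
             created="2013-05-01", updated="2013-05-01", cloud_path="/Documents",
             size=len(plan), md5=hashlib.md5(plan).hexdigest(), operation="upload"),
        dict(file_name="notes.txt", object_id="OBJ2", customer_id="A1B2C3",
             created="2013-05-01", updated="2013-05-02", cloud_path="/Documents",
             size=len(notes_cloud), md5=hashlib.md5(notes_cloud).hexdigest(),
             operation="recycle"),
        dict(file_name="secret.zip", object_id="OBJ3", customer_id="A1B2C3",
             created="2013-05-01", updated="2013-05-03", cloud_path="/Archive",
             size=4096, md5="0" * 32, operation="permanent deletion"),
    ]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "plan.docx"), "wb") as f:
            f.write(plan)
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(notes_local)
        return correlate(load_cache_records(buf.getvalue()), hash_tree(root))


if __name__ == "__main__":
    for name, op, verdict, paths in demo():
        print(f"{name:12} {op:20} {verdict:14} {paths}")
```

Matching on MD5 rather than file name is what makes the result defensible: a name-only hit tells you a different version exists locally, and a record with no local copy at all is exactly the case where the cache entry, including its MD5 and cloud path, may be the only remaining evidence of the file.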
acdCacheParse.pl is available for download here.
For more detailed coverage of Amazon Cloud Drive forensics, please see my Digital Investigation article on the topic.