We continue our unforgettable journey into the world of cloud forensics. This time we are going to forensicate the pCloud desktop application, pCloud Drive.
pCloud is a file storage and synchronization service that launched on September 13, 2013. It offers cloud storage, file sharing, data backup and user collaboration. As of May 2018, pCloud has over 8,000,000 registered users all over the world, so the probability of encountering it during a digital forensic examination is quite high.
If you still remember the previous article in this series, Cloud Forensics: Box, you will remember the term "Callback File System". If not, here is a reminder: it presents any kind of data as virtual files and folders, hiding the real data location from the end user. This time it's not even masked: it looks like a real drive, which disappears as soon as the user quits the app:
Figure 1. pCloud Drive
And just like with Box, you can't create a bit-by-bit copy of this drive, but you can create an AD1 forensic container with FTK Imager. Since the drive only exists while pCloud Drive is running, this has to be done on the live system. Here is how to do it:
- Go to File – Create Disk Image…
- Choose Contents of a Folder as the source evidence type
- Use P:\ as the source path
- Click Add…
- Fill in the Evidence Item Information
- Select the image destination folder, its name, fragmentation, compression and encryption (if necessary)
- Click Finish and start the acquisition process
Let's look at Windows Registry artifacts related to pCloud, starting with the SYSTEM hive located at C:\Windows\System32\config. First, evidence of execution: look at ControlSet001\Services\bam\UserSettings\S-1-5-21-4263662546-2795938078-1341706656-1001. Each value under the user's SID is named after an executable path, and the first 8 bytes of its data are a 64-bit FILETIME of the last execution. Note that on Windows 10 1809 and later this key moved to ControlSet001\Services\bam\State\UserSettings\<SID>:
Figure 2. Contents of ControlSet001\Services\bam\UserSettings\S-1-5-21-4263662546-2795938078-1341706656-1001
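To turn the BAM values from Figure 2 into a timeline, the 8-byte FILETIME at the start of each value has to be decoded. The following Python is an added example, not code from the article: it decodes BAM value data, skips the per-SID housekeeping DWORDs, and can optionally read the key from a live Windows machine. The sample values (including the pCloud install path) are constructed for the demo and are not taken from the article.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# BAM key paths relative to the SYSTEM hive root. Windows 10 1709/1803 keep the
# per-SID subkeys directly under bam\; 1809 and later added a State subkey.
BAM_PATHS = (
    r"ControlSet001\Services\bam\State\UserSettings",
    r"ControlSet001\Services\bam\UserSettings",
)


def filetime_to_datetime(filetime):
    """Convert a 64-bit Windows FILETIME to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_bam_value(data):
    """Decode one BAM value: bytes 0..7 are the little-endian FILETIME of the
    last execution. The remaining bytes are not decoded here."""
    if len(data) < 8:
        raise ValueError("BAM execution record is at least 8 bytes long")
    (filetime,) = struct.unpack_from("<Q", data, 0)
    return filetime_to_datetime(filetime)


def bam_entries(values):
    """values: {value_name: raw_bytes} for one <SID> subkey. Returns
    [(last_run_utc, executable_path), ...] newest first. 'Version' and
    'SequenceNumber' are 4-byte housekeeping DWORDs, not executions."""
    entries = []
    for name, data in values.items():
        if name in ("Version", "SequenceNumber") or len(data) < 8:
            continue
        entries.append((parse_bam_value(data), name))
    return sorted(entries, reverse=True)


def read_bam_live(sid):
    """Read the BAM subkey for one SID from the live registry (Windows only,
    needs admin). Tries the 1809+ path first, then the older one."""
    import winreg  # only available on Windows
    for base in BAM_PATHS:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "SYSTEM\\" + base + "\\" + sid)
        except OSError:
            continue
        values, index = {}, 0
        while True:
            try:
                name, data, _reg_type = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            # REG_DWORDs come back as int; only REG_BINARY data is kept
            values[name] = data if isinstance(data, bytes) else b""
            index += 1
        return values
    raise FileNotFoundError("no BAM subkey found for " + sid)


# Constructed sample mirroring the layout of a <SID> subkey. The pCloud install
# path is an assumption for the demo, not a value taken from the article.
SAMPLE_SID_VALUES = {
    "Version": struct.pack("<I", 1),
    "SequenceNumber": struct.pack("<I", 12),
    r"\Device\HarddiskVolume3\Program Files\pCloud Drive\pCloud.exe":
        struct.pack("<Q", 131708160000000000) + b"\x00" * 16,  # 2018-05-15 00:00:00 UTC
    r"\Device\HarddiskVolume3\Windows\explorer.exe":
        struct.pack("<Q", 131708196000000000) + b"\x00" * 16,  # one hour later
}

if __name__ == "__main__":
    for last_run, exe in bam_entries(SAMPLE_SID_VALUES):
        print(last_run.isoformat(), exe)
```

For an offline hive you would feed `bam_entries()` the value dictionary read by your hive parser of choice; `read_bam_live()` is only for triage on a running system.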
Let's go further and find our virtual drive's mount point under MountedDevices:
Figure 3. Contents of MountedDevices
Now let's look inside the SOFTWARE hive, also located at C:\Windows\System32\config. If you want to find pCloud's installation path, look at Microsoft\Windows\CurrentVersion\Installer\Folders:
Figure 4. Contents of Microsoft\Windows\CurrentVersion\Installer\Folders
OK, let's look inside NTUSER.DAT, located at C:\Users\%USERNAME%\. We already know that our virtual drive was mounted as P:\, but let's imagine we don't; the contents of Software\pCloud help us out:
Figure 5. Contents of Software\pCloud
As NTUSER.DAT resides in the user's profile folder, it contains quite a lot of evidence of file manipulation. For example, this key can help an examiner find recently accessed and modified Word documents:
Figure 6. Contents of Software\Microsoft\Office\16.0\Word\Reading Locations\Document 13
It's important to note that the timestamp indicates the date and time the file was last closed, not opened. OK, let's go further and look at file system artifacts.
First of all, you can find the pCloud Sync folder under C:\Users\%USERNAME%\Documents. As you might have already guessed, the contents of this folder sync with the folder of the same name on the virtual drive (mounted as P:\).
Let's dig deeper and go to C:\Users\%USERNAME%\AppData\Local\pCloud:
Figure 7. Contents of C:\Users\%USERNAME%\AppData\Local\pCloud
If you look at the header of data.db, you'll notice the typical hex string "53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33", or "SQLite format 3". Before opening it, copy the database together with any data.db-wal or data.db-journal file sitting next to it (uncommitted records live there) and work on the copy, read-only. Let's look inside the database. The most interesting tables are 'file' and 'folder'; here is a SQL query that gathers the most useful information in human-readable format:
Figure 8. A SQL query used to gather info from two tables of interest
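The query in Figure 8 depends on pCloud's schema, which the article does not spell out, so an examiner meeting a new client version has to rediscover the columns. The script below is an added example, not the article's or pCloud's code: it checks the SQLite magic, copies the database with its WAL/journal sidecars, opens the copy read-only and dumps the 'file' and 'folder' tables with whatever columns they have. The sample database it builds uses invented column names (id, folder_id, name, size) purely for the demo; they are not pCloud's real schema.

```python
import shutil
import sqlite3
import sys
import tempfile
from pathlib import Path

# The 16-byte header every SQLite 3 database starts with:
# 53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33 00
SQLITE_MAGIC = b"SQLite format 3\x00"

# Tables named in the article. Their columns are not shown there, so the code
# discovers them at run time instead of assuming a schema.
TABLES_OF_INTEREST = ("file", "folder")


def is_sqlite(path):
    """True if the file carries the SQLite 3 header."""
    with open(path, "rb") as fh:
        return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC


def copy_database(src, workdir):
    """Copy data.db plus any -wal/-journal/-shm sidecar into workdir.
    Uncommitted changes live in the WAL, so leaving it behind loses records."""
    src, workdir = Path(src), Path(workdir)
    workdir.mkdir(parents=True, exist_ok=True)
    for suffix in ("", "-wal", "-journal", "-shm"):
        sidecar = src.with_name(src.name + suffix)
        if sidecar.exists():
            shutil.copy2(sidecar, workdir / sidecar.name)
    return workdir / src.name


def open_readonly(path):
    """Open the evidence copy read-only so nothing can be altered by accident."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)


def list_tables(conn):
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [r[0] for r in rows]


def dump_table(conn, table):
    """Return every row of `table` as a dict keyed by column name. Identifiers
    cannot be bound as parameters, so the name is double-quoted by hand."""
    quoted = '"' + table.replace('"', '""') + '"'
    cur = conn.execute("SELECT * FROM " + quoted)
    columns = [d[0] for d in cur.description]
    return [dict(zip(columns, row)) for row in cur.fetchall()]


def dump_tables_of_interest(conn):
    present = set(list_tables(conn))
    return {t: dump_table(conn, t) for t in TABLES_OF_INTEREST if t in present}


def build_sample_db(path):
    """Constructed stand-in for data.db; the column names are invented for the
    demo and are NOT pCloud's real schema."""
    conn = sqlite3.connect(str(path))
    conn.executescript("""
        CREATE TABLE folder (id INTEGER PRIMARY KEY, parent_id INTEGER, name TEXT);
        CREATE TABLE file (id INTEGER PRIMARY KEY, folder_id INTEGER, name TEXT, size INTEGER);
        INSERT INTO folder VALUES (1, 0, 'pCloud Sync');
        INSERT INTO file VALUES (10, 1, 'report.docx', 40960);
        INSERT INTO file VALUES (11, 1, 'holiday.jpg', 2457600);
    """)
    conn.commit()
    conn.close()
    return Path(path)


def examine(db_path, workdir):
    """Acquisition steps on a real or sample data.db: verify, copy, open RO, dump."""
    evidence = copy_database(db_path, workdir)
    if not is_sqlite(evidence):
        raise ValueError(f"{evidence} does not start with the SQLite 3 header")
    conn = open_readonly(evidence)
    try:
        return dump_tables_of_interest(conn)
    finally:
        conn.close()


def demo():
    """Build the constructed sample and run examine() on it."""
    root = Path(tempfile.mkdtemp(prefix="pcloud_"))
    (root / "AppData_Local_pCloud").mkdir()
    sample = build_sample_db(root / "AppData_Local_pCloud" / "data.db")
    return examine(sample, root / "evidence")


if __name__ == "__main__":
    tables = examine(sys.argv[1], tempfile.mkdtemp()) if len(sys.argv) > 1 else demo()
    for name, rows in tables.items():
        print(f"== {name} ({len(rows)} rows)")
        for row in rows:
            print(row)
```

Run it as `python dump_pcloud_db.py path\to\data.db`; with no argument it exercises the constructed sample. Once the real column names are known, the generic dump can be narrowed to a query like the one in Figure 8.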
But that's not all. Let's look inside the Cache folder:
Figure 9. Contents of C:\Users\%USERNAME%\AppData\Local\pCloud\Cache
Just one file, but it looks interesting. If we look inside, we'll notice that it contains file headers, so let's carve it with PhotoRec:
Figure 10. Carving ‘Cached’ file with PhotoRec
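PhotoRec does the carving in Figure 10 for you; to see what it is actually doing, and to get sizes you can compare against the database, here is an added example (not code from the article or from PhotoRec) that carves a blob by header and footer signatures for the file types the article mentions. The 'Cached' file it runs on by default is a constructed stand-in: three small files separated by zero padding.

```python
import re
import sys
from collections import namedtuple
from pathlib import Path

# Header/footer signatures; `offset` is where the header sits inside the file
# ('ftyp' follows a 4-byte box size, so an MP4 starts 4 bytes before it).
Sig = namedtuple("Sig", "kind header footer offset")
SIGNATURES = [
    Sig("jpeg", b"\xff\xd8\xff", b"\xff\xd9", 0),
    Sig("png", b"\x89PNG\r\n\x1a\n", b"\x00\x00\x00\x00IEND\xae\x42\x60\x82", 0),
    Sig("gif", b"GIF8", b"\x00\x3b", 0),
    Sig("pdf", b"%PDF-", b"%%EOF", 0),
    Sig("zip/docx/xlsx", b"PK\x03\x04", None, 0),
    Sig("mp4/mov", b"ftyp", None, 4),
    Sig("riff/avi/wav", b"RIFF", None, 0),
]
Carved = namedtuple("Carved", "kind start end size exact")


def find_headers(blob):
    """Return (file_start, Sig) for every header hit, sorted by offset."""
    hits = []
    for sig in SIGNATURES:
        for m in re.finditer(re.escape(sig.header), blob):
            start = m.start() - sig.offset
            if start >= 0:
                hits.append((start, sig))
    hits.sort(key=lambda h: h[0])
    return hits


def carve(blob):
    """Signature-based carving. A hit runs to the LAST footer found before the
    next header (exact=True); without a footer it runs to the next header or
    the end of the blob (exact=False, a size estimate only). Caveat: an
    embedded thumbnail or a header-like byte run inside a file produces a
    spurious split, which is why not every carved file is valid."""
    hits = find_headers(blob)
    results = []
    for i, (start, sig) in enumerate(hits):
        limit = hits[i + 1][0] if i + 1 < len(hits) else len(blob)
        end, exact = limit, False
        if sig.footer:
            pos = blob.rfind(sig.footer, start + sig.offset + len(sig.header), limit)
            if pos != -1:
                end, exact = pos + len(sig.footer), True
        results.append(Carved(sig.kind, start, end, end - start, exact))
    return results


def write_carved(blob, results, outdir):
    """Write each carved span to outdir, named by index, offset and type."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for n, c in enumerate(results):
        path = outdir / f"f{n:04d}_{c.start:08x}.{c.kind.split('/')[0]}"
        path.write_bytes(blob[c.start:c.end])
        paths.append(path)
    return paths


def build_sample_cache():
    """Constructed stand-in for the 'Cached' file: a JPEG, a PNG and a PDF
    stored back to back with zero padding between them."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 50 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
           + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")
    pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"
    return b"\x00" * 32 + jpeg + b"\x00" * 16 + png + b"\x00" * 8 + pdf + b"\x00" * 64


if __name__ == "__main__":
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else build_sample_cache()
    found = carve(data)
    for c in found:
        flag = "" if c.exact else "  (size estimated, no footer)"
        print(f"{c.kind:14s} offset 0x{c.start:08x} size {c.size}{flag}")
    if len(sys.argv) > 2:
        write_carved(data, found, sys.argv[2])
```

Run it as `python carve_cache.py Cached out_dir` against the real file. The `size` column is what you compare with the file sizes recorded in data.db; entries flagged as estimated (no footer, e.g. ZIP-based Office documents) will usually run long because they include the padding up to the next header.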
As you can see in the figure, we carved 14 files, most of which are valid: images, videos, audio and documents. If we compare the sizes and the number of carved files with the information gathered from the database, we'll realise that we have carved the files stored on the virtual drive, at least those the client had fetched and kept in its cache! It's not as easy as with Box, but it's possible too. That's it!