
Cloud Forensics: pCloud Drive


We continue our unforgettable journey into the world of cloud forensics. This time we are going to forensicate the pCloud desktop application, pCloud Drive.

pCloud is a file storage and synchronization service launched on September 13, 2013. The service supports cloud storage, file sharing, data backup and user collaboration. As of May 2018, pCloud has over 8 000 000 registered users all over the world, so the probability of facing it during a digital forensic examination is quite high.

If you still remember our last article of this series, Cloud Forensics: Box, you must remember the term “Callback File System”. If not, here is the reminder: it presents any kind of data as virtual files and folders, hiding the real data location from the end user. This time it’s not even masked: it looks like a real drive, which disappears once the user quits the app:

Figure 1. pCloud Drive

And just like with Box, you can’t create a bit-by-bit copy of this drive, but you can create an AD1 forensic container with FTK Imager. Here is how to do it:

  1. Go to File – Create Disk Image…
  2. Choose Contents of a Folder
  3. Use P:\ as the source path
  4. Click Add…
  5. Fill in Evidence Item Information
  6. Select the Image Destination Folder, its name, fragmentation, compression and encryption (if necessary).
  7. Click Finish and start the acquisition process

Let’s look at Windows Registry artifacts related to pCloud, starting from SYSTEM located at C:\Windows\System32\config. We begin with evidence of execution, and look at ControlSet001\Services\bam\UserSettings\S-1-5-21-4263662546-2795938078-1341706656-1001:

Figure 2. Contents of ControlSet001\Services\bam\UserSettings\S-1-5-21-4263662546-2795938078-1341706656-1001

Let’s go further and find our virtual drive’s mount point at MountedDevices:

Figure 3. Contents of MountedDevices

Let’s go further and look inside SOFTWARE, also located at C:\Windows\System32\config. If you want to find pCloud’s installation path, look at Microsoft\Windows\CurrentVersion\Installer\Folders:

Figure 4. Contents of Microsoft\Windows\CurrentVersion\Installer\Folders

Ok, let’s look inside NTUSER.DAT located at C:\Users\%USERNAME%\. We already know that our virtual drive was mounted under P:\, but let’s imagine we don’t; the contents of Software\pCloud help us:

Figure 5. Contents of Software\pCloud

As NTUSER.DAT resides in the user’s folder, it contains quite a lot of evidence of file manipulation. For example, this key can help an examiner find recently accessed and modified Word documents:

Figure 6. Contents of Software\Microsoft\Office\16.0\Word\Reading Locations\Document 13

It’s important to note that the timestamp indicates the date and time the file was last closed. Ok, let’s go further and look at file system artifacts.

First of all, you can find the pCloud Sync folder under C:\Users\%USERNAME%\Documents. As you might have already guessed, the contents of this folder sync with the contents of the folder of the same name on the virtual drive (mounted as P:\).

Let’s dig deeper and go to C:\Users\%USERNAME%\AppData\Local\pCloud:

Figure 7. Contents of C:\Users\%USERNAME%\AppData\Local\pCloud

If you look at the header of data.db, you’ll notice the typical hex string “53514C69746520666F726D61742033”, or “SQLite format 3”. Let’s look inside the database. The most interesting tables are ‘file’ and ‘folder’; here is a SQL query to gather the most useful information in human-readable format:

Figure 8. A SQL query used to gather info from two tables of interest

But that’s not all. Let’s look inside the Cache folder:

Figure 9. Contents of C:\Users\%USERNAME%\AppData\Local\pCloud\Cache

Just one file, but it looks interesting. If we look inside, we’ll notice that it contains some file headers, so let’s carve it using PhotoRec:

Figure 10. Carving ‘Cached’ file with PhotoRec

As you can see in the figure, we have carved 14 files, most of which are valid. These are images, videos, audio and documents. If we compare the sizes and the number of carved files with the information we gathered from the database, we’ll realise that we carved the files stored on the virtual drive! It’s not as easy as with Box, but it’s possible too. That’s it!
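Two of the checks above, confirming that data.db really is a SQLite 3 database with the ‘file’ and ‘folder’ tables, and locating embedded file headers inside the ‘Cached’ blob before handing it to a carver, can be scripted for triage. The following is an added example, not pCloud’s code or the authors’ own tooling: the sample database and cache blob are constructed inline, the column names in the sample tables are assumptions (the page shows the real query only as a figure), and the signature set is an illustrative choice.

```python
import sqlite3
import tempfile

# Header the article points out in data.db: "SQLite format 3" (hex 53514C69746520666F726D61742033).
# A real SQLite file follows it with a NUL byte, giving a 16-byte magic.
SQLITE_MAGIC = bytes.fromhex("53514C69746520666F726D61742033") + b"\x00"

# Well-known file signatures used to spot embedded headers inside the Cached blob (illustrative set).
SIGNATURES = {
    b"\xFF\xD8\xFF": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/office",
}

def is_sqlite(path):
    """True if the first 16 bytes of the file match the SQLite 3 header."""
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC

def table_names(path):
    """List user tables so an examiner can confirm 'file' and 'folder' are present."""
    con = sqlite3.connect(path)
    rows = con.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    names = [r[0] for r in rows]
    con.close()
    return names

def find_signatures(blob):
    """Return sorted (offset, kind) pairs for every known signature found in the blob."""
    hits = []
    for magic, kind in SIGNATURES.items():
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, kind))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)

def make_sample_db():
    """Constructed stand-in for data.db; the columns are assumed, not pCloud's real schema."""
    path = tempfile.NamedTemporaryFile(suffix=".db", delete=False).name
    con = sqlite3.connect(path)
    con.executescript("CREATE TABLE folder (id INTEGER PRIMARY KEY, name TEXT); "
                      "CREATE TABLE file (id INTEGER PRIMARY KEY, parentfolderid INTEGER, name TEXT, size INTEGER);")
    con.commit()
    con.close()
    return path

# Constructed Cached-style blob: filler bytes with a JPEG header at offset 16 and a PDF header at offset 58
SAMPLE_CACHE = b"\x00" * 16 + b"\xFF\xD8\xFF\xE0\x00\x10JFIF" + b"\x00" * 32 + b"%PDF-1.4\n" + b"\x00" * 8
```

On a real image, point is_sqlite and table_names at the extracted data.db and feed the Cached file’s bytes to find_signatures; the offsets it returns are a useful cross-check against what PhotoRec recovers.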

Happy forensicating!

About the authors

Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.

Igor Mikhaylov, MCFE, EnCE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and Mobile Forensics Cookbook author.
