NorthSec 2021

Forensicating Endpoint Artifacts in the World of Cloud Storage Services
2021-05-21, 13:25–13:55, Main stream

In this presentation, I will discuss the key forensic artifacts that can be used whenever DFIR professionals encounter cloud storage services into the host such as OneDrive, GoogleDrive, Box and Dropbox. These are all essentials especially when the attacker or insider threat leverage these services to exfiltrate data. I will also show how to perform data acquisition to get these artifacts in forensically sound manner.


Today we are embracing the benefits and advantages of having cloud storage in most environments especially now when everyone is working work from home and data transmits from one place to another by the use of cloud storage services such as one drive, box, dropbox & google drive. There are a couple of artifacts on the endpoint side that gives us the ability to see the bigger picture when these cloud services are being used to perform data exfiltration and any malicious actions. In short, cloud storage data can be more accessible on the local device and can contain files and metadata distinctly different than the current cloud repository. I'm going to show how to perform data acquisition on these cloud storage applications installed in endpoint and what are those metadata and evidence that we can extract from the forensics standpoint.


Workshops only: Would you like to stream the workshop to an additional (passive) audience? – no Have you given this talk/workshop before? If yes, please provide details and/or slides/video.

No

Renzon Cruz, a Filipino security professional living in Dubai who works as Digital Forensics & Incident Response in a FinTech company based in the UK. He previously worked as Senior Security Consultant as part of a National Cyber Security Agency in Doha, Qatar. Prior to working in Dubai, he was also assigned as Sr. Security Analyst & Incident Responder and was also a previous college instructor at New Era University, Philippines. He was also accepted to various international conferences as a speaker such as BSides Vancouver (2019), BSides London (2019), BSides Doha (2020), and ROOTCON Hacking Conference (2020). He is also a co-founder, course developer, and instructor of GuideM, a real-world cybersecurity training center based in the Philippines. He also holds different certifications such as GCFA GCFE, GCIH, eCTHP, eCDFP, eJPT, CFR. He is mainly interested in defensive strategy, threat hunting, digital forensics, and incident response, malware analysis, adversary simulation.

This speaker also appears in: