Getting to the Bottom of the Cloud -- File Syncing Forensics

BSidesCharm 2016

Presented by: Matt Harvey
Date: Sunday April 24, 2016
Time: 11:10 - 12:00
Location: Track 1

Cloud-based services are one of the biggest trends in IT over the past decade, and file sharing/sync is one of the most popular such applications. These applications are widely used in organizations and companies, sometimes with official sanction and sometimes not. Either way, there are security concerns and implications, including insider data theft, intruder data exfiltration, and accidental over-sharing. These client apps leave behind various records of files added, deleted, updated, downloaded, etc., which can assist with investigating incidents.

The talk will cover the forensic artifacts associated with a number of popular file sharing/sync services and what can be determined from them. I will also be demonstrating Unbox, a set of Python scripts to search Windows-based computers for artifacts associated with cloud-based file share/sync services and create a timeline analysis of events associated with these services.

Matt Harvey

Matthew Harvey has twenty years of IT industry experience across a wide variety of roles. With Anchor Technologies, he performs security assessments, incident response, and penetration tests for mid-sized firms in the mid-Atlantic region. Matt also served as an Army officer in the infantry and military intelligence fields for a total of 12 years. Matt earned his Master's degree in Computer Systems Management from the University of Maryland University College and holds multiple industry certifications. He is an experienced consultant, trainer, and presenter specializing in making complex technical topics clear and compelling for all audiences.

