DEF CON Forum Site Header Art


No announcement yet.

Discovering Cloud File Storage Artifacts

  • Filter
  • Time
  • Show
Clear All
new posts

  • Discovering Cloud File Storage Artifacts

    Title: Discovering Cloud File Storage Artifacts

    Organizational data is rapidly moving to the cloud, but it's not always intentional. The shift from on-premise data storage to the cloud constitutes a significant challenge and risk to the modern enterprise. The use of cloud file storage applications is on the rise for both consumer and business systems, which results in interesting data and metadata siting on endpoints. In this talk, we'll examine the large footprints of popular cloud file storage applications such as OneDrive and Box - learning what information can be enumerated from each cloud file storage solution. In some scenarios, data can be carved out from cache, restoring sensitive documents no longer on an endpoint.

    Attendees will:

    - Understand why it's critical to investigate cloud file storage applications during an incident
    - Learn what files are available to examiners during an incident (e.g. local, cloud, deleted, and cached)
    - See what kind of cloud file storage user activity can be audited
    - Be introduced to two scenarios of unauthorized data transfer to investigate
    - Be introduced to where and how different cloud file storage applications log
    - Learn how to examine incidents with suspected data exfiltration using corporate issued and person cloud file storage use

    The slides and labs will take a deep dive into Microsoft OneDrive, Google Drive, Dropbox, Box, and Citrix ShareFile to first understand what is known about the applications and artifacts left behind, then move into hands-on labs to analyze registry keys, log files, and other traces left behind by the applications.




    Speaker(s): Michael Wylie

    Location: Cloud Vlg


    Event starts: 2020-08-08 15:30 (03:30 PM) PDT (UTC -07:00)

    Event ends: 2020-08-08 17:30 (05:30 PM) PDT (UTC -07:00)

    For the most up-to-date information, please either visit, or use HackerTracker, which is available for iOS and Android. This is an automated message, and this data was last modified 2020-08-08T05:43 (UTC).
    August 8, 2020 15:30
    August 8, 2020 17:30
    Cloud Vlg
    Last edited by aNullValue; August 8, 2020, 00:20.