Dropbox Forensics

McCurdy, A. (2013). Dropbox Forensics (MSc ASDF Dissertation). Edinburgh Napier University (Macfarlane, R., Buchanan, W.).



As the threat of cyber attacks grows daily, the need for improved security policies within organisations becomes ever more important. While falling short of total internet lockdown, many organisations are nowadays restricting the types of data allowed to pass into and out of their networks. Restrictions are being placed on the types and sizes of email file attachments that are allowed, and so users are moving to portable and easily acquirable personal USB storage devices. As a result, system administrators have had to introduce additional methods of disabling the use of such devices. Methods that have been adopted include disabling computer USB ports or introducing safe havens whereby only designated, organisation-approved USB devices can be used. Undeterred, many users have in turn adopted cloud storage, due in part to its low cost, ease of use and ease of access. Files can now be easily imported from and exported to personal cloud space outside the organisation's network, bypassing all existing network security. This contravenes typical corporate security policies; IBM, which regards the technology as a threat, has "recently banned its 400,000 employees from using Dropbox" [102]. This introduces a new dilemma for the system administrator: the use of cloud storage applications within the organisation must be detected and ultimately prevented. Currently no single monitoring system exists to assist the system administrator in this task.
This dissertation describes the development and evaluation of such a monitoring system, designed specifically to detect the Dropbox client and its corresponding data traffic. The system provides the system administrator with a graphical interface and integrates with the Snort Intrusion Detection System engine, which many organisations use. The system was created in the Microsoft Visual Studio IDE using the Microsoft C#.NET programming language, and was developed specifically for the widely used Microsoft Windows platform. To operate as required, the system needs a list of Dropbox-specific items to search for. These items are held in a collection of configuration files, which can be modified by the user to provide flexibility and allow the system to evolve. The files are included as part of the overall system and are the results of a series of tests that are outlined in the document. These tests identified key artefacts that the Dropbox client introduces to client machines upon installation, in both the directory structure and the Windows registry. The monitoring system also allows the system administrator to scan for Dropbox-specific network traffic using rule sets designed specifically for the Snort engine. These rule sets can also be modified by the system administrator if required.


Areas of Expertise

Electronic information now plays a vital role in almost every aspect of our daily lives, so the need for a secure and trustworthy online infrastructure is more important than ever. Without it, not only the growth of the internet but our personal interactions and the economy itself could be at risk.
