Acquiring digital evidence from the Cloud with authenticated tokens

As Scott McNealy, former CEO of Sun Microsystems, once said: we are moving out of the Ice Age, the Iron Age, the Industrial Age and the Information Age to the Participation Age. You get on the Net and you do stuff. You message, you blog, take pictures, publish, transact — you are participating on the Internet, not just viewing stuff. There’s so much to what we have on our mobile devices when we are connected to the Internet, because it connects us to so many other servers and we are constantly exchanging data.”

The volume of data created, captured and replicated keeps growing exponentially.

International Data Corporation (IDC) has released a report on the ever-growing datasphere, saying that the global datasphere will grow from 33 zettabytes in 2018 to 175 zettabytes by 2025, with as much of the data residing in the cloud as in data centers. (One zettabyte equals one trillion gigabytes, or 10 to the 21st power).

At the same time, Cisco said: Since 1984 over 4.7 zettabytes of IP traffic have flowed across networks, but that is just a hint of what is coming. By 2022, more IP traffic will cross global networks than in all prior “internet years.” In other words, more traffic will be created in 2022 than in the first 32 years since the internet started.” (An exabyte is 1 billion gigabytes.)

Data has become critical to all aspects of human life; it’s changed how we’re educated and entertained, and it informs the way we experience people, business, and the wider world around us. However, working on extracted data from the cloud brings its own challenges.

In many cases, when crimes are committed chances are there is relevant evidence on any mobile phones involved. The types of evidence found on mobile devices are not only limited to device memory, or SD cards. Instead, sometimes the relevant artefacts are not digitally present on the physical device seized — they are in the cloud.

The process of carrying out mobile phone extraction is well understood in most investigations. But what is a cloud extraction?  And how does it work?

What is cloud extraction?

Mobile cloud extraction is the ability to access, extract, analyze and retain data stored in the Cloud, a term widely used to refer to the storage of data remotely, from applications or devices, typically on a third company’s servers. Popularly used examples include Dropbox, Slack, Instagram, Twitter, Facebook and Google apps.

How does it work?

Certain mobile applications do not store all, or indeed any content created by the user on the handset itself. Instead, as the operator uses these apps, a live connection is established to the online service in question, and the user-generated content is made available to the device live, through a cellular or WiFi data connection. Many smartphone applications adopt a hybrid approach, with only recently accessed or recently created content being cached on the handset memory, and all other user-created content being stored on the service’s servers elsewhere in the world and accessed as required. Perhaps you have seen this phenomenon when attempting to launch one of these apps on a device in Airplane Mode? Only a subset of the user’s entire data history is retained on the phone and visible without a connection to the service.

To this end, it becomes clear that more useful data is technically available if we can legally and effectively access that full set of remotely held content directly from the service in question. Even where access to online storage is offered by service providers, the process by which a forensic examiner might acquire all that data is very different to a traditional forensic examination targeting a tangible device in the lab.

Even where access to online storage is offered by service providers, the process by which a forensic examiner might acquire all that data is very different from a traditional forensic examination targeting a device in the lab.

If an investigator attains the account credentials of a suspect, they may be able to log in to gain access to the account and begin recovering relevant data. Certain other features such as security warnings and two-factor authentication may make this hard, if not impossible, for the investigator – even when they have account credentials and legal authority to proceed.

Enter the Cloud tokens sometimes recovered by XRY when mobile phone examinations are performed. Mobile applications nowadays do not require the user to enter User ID & password to login on every occasion when the app is launched. This is seen as an unnecessary hassle for users, so an automatic authentication is preferred after the user has provided credentials on at least one occasion. Equally, it is regarded as poor security practice to store the account credentials on the handset (although this does happen with certain apps).

Instead, very frequently, smartphone apps save a file on the device which effectively acts as a time-limited certificate, indicating that this user has authenticated himself, and that for a following set duration, connections from this device are to be accepted as valid by the online service. This certificate, or token, is used to identify the user automatically.

XRY can decode and provide certain of these tokens when performing a handset extraction, and using these tokens, data can be recovered from Cloud- based storage centers like Facebook, Dropbox, Snapchat, Twitter, and others. Here’s how that works:

We at MSAB are often asked by our customers: ‘How do I extract the tokens?’

The answer is that XRY provides them for you automatically as part of a device extraction!

There is a higher chance you will successfully recover tokens from a physical dump, a rooted Android, or on iOS, either when iTunes backup encryption is enabled or when the device is jailbroken. Once you have the relevant token, this may act as the key to supplementing the wealth of data recovered from the handset with data from a remote source. Now it’s not just about what resides on the device, but what does not reside on the device.

Accessing the token from the extraction:


In performing the handset extraction, XRY automatically notes tokens used to access one of MSAB’s supported Cloud services and incorporates these into a distinct .xry file in the case folder. For clarity, at this point no connection to an online service has been made. The .xry file created is essentially free of data except for the token, which may be used to establish connection to an online service and download user information.

It is possible that more than one token for the same online service exists on a given handset, and if this is the case, XRY will parse these into separate, ‘empty’ .xry files ready to receive data from the online service. Note that in the above screenshot, two tokens were recovered for Facebook from the same handset. At least one of these may grant access to the account if tested.

Note that you do not require an XRY Cloud license to extract a Cloud token from a handset, but you do need an XRY Cloud license to use that token as a key to extract data from the Cloud account.

Your smartphone extraction does not feature a token?

Not every extraction will necessarily yield a token for an online service. However, if investigators are independently able to find the username(s) and password(s) of the individual in question, it is possible to manually create a token suitable for an attempt at a clean Cloud account extraction using XRY Cloud Extraction.

Creating tokens with known Username and Password:



Contact us

If you would like to request a quote or learn more about our products, contact sales

If you have a general question, let us know here and we will reach out to you as soon as possible.

"*" indicates required fields