Identifying User Behavior from Residual Data in Cloud-based Synchronized Apps

Abstract: As the distinction between personal and organizational device usage continues to blur, the combination of applications that interact increases the need to investigate potential security issues. Although security and forensic researchers have been able to recover a variety of artifacts, empirical research has not examined a suite of application artifacts from the perspective of high-level pattern identification. This research presents a preliminary investigation into the idea that residual artifacts generated by cloud-based synchronized applications can be used to identify broad user behavior patterns. To accomplish this, the researchers conducted a single-case, pretest-posttest, quasi experiment using a smartphone device and a suite of Google mobile applications. The contribution of this paper is two-fold. First, it provides a proof of concept of the extent to which residual data from cloud-based synchronized applications can be used to broadly identify user behavior patterns from device data patterns. Second, it highlights the need for security controls to prevent and manage information flow between BYOD mobile devices and cloud synchronization services. Keywords: Residual Data, Cloud, Apps, Digital Forensics, BYOD