Forensic Approaches for End-to-End Encryption Cloud Storage Services: MEGA as a Case Study

Abstract

The advancement of cloud-based data storage technology allows users to conveniently access and manage files using endpoint devices without being constrained by their environment. While cloud storage services have improved the efficiency of performing our daily tasks, they have also become a medium for criminals to distribute illegal materials. Services that support end-to-end encryption (E2EE), cannot decrypt data even when it's stored on their servers, attracting users who require high security. There are some existing studies related to cloud-based services using E2EE, but they only deal with local artifacts, which makes it difficult to analyze when local devices cannot be found or when there are changes to local artifacts. This study identifies the mechanisms by which MEGA, a cloud-based file hosting service, operates to obtain user authentication, explore metadata, and collect files while applying end-to-end encryption. Furthermore, we propose a forensic investigation methodology to explore various metadata and selectively acquire cloud resources relevant to an incident through an understanding of E2EE algorithms. Also, we apply MEGA to the existing framework to suggest improving the framework that encompasses E2EE cloud-based services. The findings of this study serve as a valuable reference for dealing with cloud-based services with E2EE from the perspectives of computer security and digital forensics.