A forensic analysis of rclone and rclone's prospects for digital forensic investigations of cloud storage

Organizations and end users are moving their data into the cloud and trust Cloud Storage Providers (CSP) such as pCloud, Dropbox, or Backblaze. Given their popularity, it is likely that forensic examiners encounter one or more online storage types that they will have to acquire and analyze during an investigation. To access cloud storage, CSPs provide web-interfaces, proprietary software solutions (e.g., Dropbox client for Windows) as well as APIs allowing third-party access. One of these third-party ap-plications is rclone which is an open-source tool to access many common CSPs through a command line interface. In this article, we look at rclone from two perspectives: First, we perform a forensic analysis on rclone and discuss aspects such as password recovery of the configuration file, encryption, and JA3 fingerprints. Second, we discuss rclone as a prospect to be a forensic tool which includes its read-only mount feature and sample cases. Under the circumstances tested, rclone is suitable for forensic practi-tioners as it is open-source, documented, and includes some essential functionality frequently needed but practitioners need to be aware of the caveats.(c) 2022 The Author(s). Published by Elsevier Ltd on behalf of DFRWS This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).