Research Article
Identifying Remnants of Evidence in the Cloud
@INPROCEEDINGS{10.1007/978-3-642-39891-9_3, author={Jeremy Koppen and Gerald Gent and Kevin Bryan and Lisa DiPippo and Jillian Kramer and Marquita Moreland and Victor Fay-Wolfe}, title={Identifying Remnants of Evidence in the Cloud}, proceedings={Digital Forensics and Cyber Crime. 4th International Conference, ICDF2C 2012, Lafayette, IN, USA, October 25-26, 2012, Revised Selected Papers}, proceedings_a={ICDF2C}, year={2013}, month={10}, keywords={cloud computing cloud forensics digital forensics}, doi={10.1007/978-3-642-39891-9_3} }- Jeremy Koppen
Gerald Gent
Kevin Bryan
Lisa DiPippo
Jillian Kramer
Marquita Moreland
Victor Fay-Wolfe
Year: 2013
Identifying Remnants of Evidence in the Cloud
ICDF2C
Springer
DOI: 10.1007/978-3-642-39891-9_3
Abstract
With the advent of cloud computing, law enforcement investigators are facing the challenge that instead of the evidence being on a device that they can seize, the evidence is likely located in remote data centers operated by a service provider; and may even be in multiple locations (and jurisdictions) across the world. The most practical approach for an investigator when cloud computing has been used is to execute a warrant that requires the service provider to deliver the evidence. However, to do this, the investigator must be able to determine that a cloud application was used, and then must issue a warrant with reasonable scope (e.g. the subject’s username at the cloud provider, the name of the documents, the dates accessed, etc). Fortunately, most cloud applications leave remnants (e.g. cached web sites, cookies, registry entries, installed files, etc) on the client devices. This paper describes the process for identifying those remnants and parsing them to generate the data required by law enforcement to form warrants to cloud service providers. It illustrates the process by obtaining remnants from: Google Docs accessed by Internet Explorer, Dropbox, and Windows Live Mesh.