Digital Forensics and Cyber Crime. 4th International Conference, ICDF2C 2012, Lafayette, IN, USA, October 25-26, 2012, Revised Selected Papers

Research Article

Identifying Remnants of Evidence in the Cloud

  • @INPROCEEDINGS{10.1007/978-3-642-39891-9_3,
        author={Jeremy Koppen and Gerald Gent and Kevin Bryan and Lisa DiPippo and Jillian Kramer and Marquita Moreland and Victor Fay-Wolfe},
        title={Identifying Remnants of Evidence in the Cloud},
        proceedings={Digital Forensics and Cyber Crime. 4th International Conference, ICDF2C 2012, Lafayette, IN, USA, October 25-26, 2012, Revised Selected Papers},
        proceedings_a={ICDF2C},
        year={2013},
        month={10},
        keywords={cloud computing cloud forensics digital forensics},
        doi={10.1007/978-3-642-39891-9_3}
    }
    
  • Jeremy Koppen, Gerald Gent, Kevin Bryan, Lisa DiPippo, Jillian Kramer, Marquita Moreland, Victor Fay-Wolfe. Year: 2013. Identifying Remnants of Evidence in the Cloud. ICDF2C. Springer. DOI: 10.1007/978-3-642-39891-9_3
Jeremy Koppen¹, Gerald Gent¹, Kevin Bryan¹*, Lisa DiPippo¹*, Jillian Kramer¹, Marquita Moreland¹, Victor Fay-Wolfe¹*
  • ¹ University of Rhode Island
* Contact email: bryank@cs.uri.edu, dipippo@cs.uri.edu, wolfe@cs.uri.edu

Abstract

With the advent of cloud computing, law enforcement investigators are facing the challenge that instead of the evidence being on a device that they can seize, the evidence is likely located in remote data centers operated by a service provider, and may even be in multiple locations (and jurisdictions) across the world. The most practical approach for an investigator when cloud computing has been used is to execute a warrant that requires the service provider to deliver the evidence. However, to do this, the investigator must be able to determine that a cloud application was used, and then must issue a warrant with reasonable scope (e.g., the subject’s username at the cloud provider, the name of the documents, the dates accessed, etc.). Fortunately, most cloud applications leave remnants (e.g., cached web sites, cookies, registry entries, installed files, etc.) on the client devices. This paper describes the process for identifying those remnants and parsing them to generate the data required by law enforcement to form warrants to cloud service providers. It illustrates the process by obtaining remnants from Google Docs accessed by Internet Explorer, Dropbox, and Windows Live Mesh.