Skip to main content

Identifying Remnants of Evidence in the Cloud

  • Conference paper
Digital Forensics and Cyber Crime (ICDF2C 2012)


With the advent of cloud computing, law enforcement investigators are facing the challenge that instead of the evidence being on a device that they can seize, the evidence is likely located in remote data centers operated by a service provider; and may even be in multiple locations (and jurisdictions) across the world. The most practical approach for an investigator when cloud computing has been used is to execute a warrant that requires the service provider to deliver the evidence. However, to do this, the investigator must be able to determine that a cloud application was used, and then must issue a warrant with reasonable scope (e.g. the subject’s username at the cloud provider, the name of the documents, the dates accessed, etc). Fortunately, most cloud applications leave remnants (e.g. cached web sites, cookies, registry entries, installed files, etc) on the client devices. This paper describes the process for identifying those remnants and parsing them to generate the data required by law enforcement to form warrants to cloud service providers. It illustrates the process by obtaining remnants from: Google Docs accessed by Internet Explorer, Dropbox, and Windows Live Mesh.

This work was supported by a grant from the U.S. Department of Justice’s National Institute of Justice Electronic Crimes Research and Development program – Grant # 2011-FD-CX-K011.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or Ebook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others


  1. Mell, P., Grance, T.: The NIST Definition of Cloud Computing. Information Technology Laboratory (2009),

  2. Amazon, Inc.,

  3. Apple iCloud,

  4. Dropbox,

  5. Rackspace Cloud,

  6. Salesforce, Inc.,

  7. Skytap, Inc.,

  8. Microsoft Corporation, Windows Live,

  9. Google,

  10. Huawei Technologies Co., Ltd.,

  11. Cisco Systems, Inc.,

  12. Fujitsu, Ltd.,

  13. Dell, Inc.,

  14. Hewlett-Packard Development Company, L.P.,

  15. IBM,

  16. VMware, Inc.,

  17. Hitachi, Ltd.,

  18. NetApp, Inc.,

  19. Security Guidance for Critical Areas of Focus in Cloud Computing V2.1. Cloud Security Alliance (2009)

    Google Scholar 

  20. Mather, T., Kumaraswamy, S., Latif, S.: Cloud Security and Privacy: An Enterprise Perspective on Risk and Compliance, p. 239. O’Reilly Media (2009)

    Google Scholar 

  21. Federal Information Security Management ACT (FISMA) Implementation Project,

  22. Health Information Privacy: The Health Insurance Portability and Accountability Act (HIPPA),

  23. The Sarbanes-Oxley Act,

  24. PCI SSC Data Security Standards Overview,

  25. SAS 70 Definition: Type II,

  26. Kirilov, K.: Cloud Computing Market Will Top $241 Billion in 2020. Cloud Tweaks (2011),

  27. Columbus, L.: Roundup of Cloud Computing Forecasts and Market Estimates. A Passion for Research (2012),

  28. IDC Cloud Research,

  29. Bigsey, Cloud Computing and the Impact on Digital Forensic Investigations. ZDNet (2009),

  30. Access Data FTK,

  31. EnCase Forensic v7,

  32. X-Ways,

  33. ATC P2P Marshal,

  34. ATC Mac Marshal,

  35. ATC Cyber Marshall Dropbox Reader,

  36. Gargoyle Investigator,,2

  37. NetAnalysis,

  38. JADsoftware’s Internet Evidence Finder,

  39. RedLight,

  40. Process Monitor v3.01,

  41. PCMag InCtrl5,,2817,25126,00.asp

  42. Total Uninstall,

  43. Spy Me,

  44. Jones, K.J.: Forensic Analysis of Internet Explorer Activity Files (2003),

Download references

Author information

Authors and Affiliations


Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2013 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Koppen, J. et al. (2013). Identifying Remnants of Evidence in the Cloud. In: Rogers, M., Seigfried-Spellar, K.C. (eds) Digital Forensics and Cyber Crime. ICDF2C 2012. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 114. Springer, Berlin, Heidelberg.

Download citation

  • DOI:

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-39890-2

  • Online ISBN: 978-3-642-39891-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics