Skip to main content

Identifying Remnants of Evidence in the Cloud

  • Conference paper
Digital Forensics and Cyber Crime (ICDF2C 2012)

Abstract

With the advent of cloud computing, law enforcement investigators are facing the challenge that instead of the evidence being on a device that they can seize, the evidence is likely located in remote data centers operated by a service provider; and may even be in multiple locations (and jurisdictions) across the world. The most practical approach for an investigator when cloud computing has been used is to execute a warrant that requires the service provider to deliver the evidence. However, to do this, the investigator must be able to determine that a cloud application was used, and then must issue a warrant with reasonable scope (e.g. the subject’s username at the cloud provider, the name of the documents, the dates accessed, etc). Fortunately, most cloud applications leave remnants (e.g. cached web sites, cookies, registry entries, installed files, etc) on the client devices. This paper describes the process for identifying those remnants and parsing them to generate the data required by law enforcement to form warrants to cloud service providers. It illustrates the process by obtaining remnants from: Google Docs accessed by Internet Explorer, Dropbox, and Windows Live Mesh.

This work was supported by a grant from the U.S. Department of Justice’s National Institute of Justice Electronic Crimes Research and Development program – Grant # 2011-FD-CX-K011.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or Ebook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Mell, P., Grance, T.: The NIST Definition of Cloud Computing. Information Technology Laboratory (2009), http://www.nist.gov/itl/cloud/upload/cloud-def-v15.pdf

  2. Amazon, Inc., http://www.amazon.com/

  3. Apple iCloud, http://www.apple.com/icloud/

  4. Dropbox, http://www.dropbox.com/

  5. Rackspace Cloud, http://www.rackspace.com/cloud/

  6. Salesforce, Inc., http://www.salesforce.com/

  7. Skytap, Inc., http://www.skytap.com/

  8. Microsoft Corporation, Windows Live, http://explore.live.com/

  9. Google, http://www.google.com/

  10. Huawei Technologies Co., Ltd., http://www.huawei.com/

  11. Cisco Systems, Inc., http://www.cisco.com/

  12. Fujitsu, Ltd., http://www.fujitsu.com/global/

  13. Dell, Inc., http://www.dell.com/

  14. Hewlett-Packard Development Company, L.P., http://www.hp.com/

  15. IBM, http://www.ibm.com/

  16. VMware, Inc., http://www.vmware.com/

  17. Hitachi, Ltd., http://www.hitachi.com/

  18. NetApp, Inc., http://www.netapp.com/

  19. Security Guidance for Critical Areas of Focus in Cloud Computing V2.1. Cloud Security Alliance (2009)

    Google Scholar 

  20. Mather, T., Kumaraswamy, S., Latif, S.: Cloud Security and Privacy: An Enterprise Perspective on Risk and Compliance, p. 239. O’Reilly Media (2009)

    Google Scholar 

  21. Federal Information Security Management ACT (FISMA) Implementation Project, http://csrc.nist.gov/groups/SMA/fisma/index.html

  22. Health Information Privacy: The Health Insurance Portability and Accountability Act (HIPPA), http://www.hhs.gov/ocr/privacy/

  23. The Sarbanes-Oxley Act, http://www.soxlaw.com/

  24. PCI SSC Data Security Standards Overview, https://www.pcisecuritystandards.org/security_standards/index.php

  25. SAS 70 Definition: Type II, http://www.sas70.us.com/what-is/definition-of-sas70.php

  26. Kirilov, K.: Cloud Computing Market Will Top $241 Billion in 2020. Cloud Tweaks (2011), http://www.cloudtweaks.com/2011/04/cloud-computing-market-will-top-241-billion-in-2020/

  27. Columbus, L.: Roundup of Cloud Computing Forecasts and Market Estimates. A Passion for Research (2012), http://softwarestrategiesblog.com/2012/01/17/roundup-of-cloud-computing-forecasts-and-market-estimates-2012/

  28. IDC Cloud Research, http://www.idc.com/prodserv/idc_cloud.jsp

  29. Bigsey, Cloud Computing and the Impact on Digital Forensic Investigations. ZDNet (2009), http://www.zdnet.co.uk/blogs/cloud-computing-and-the-impact-on-digital-forensic-investigations-10012285/

  30. Access Data FTK, http://accessdata.com/products/computer-forensics/ftk

  31. EnCase Forensic v7, http://www.guidancesoftware.com/encase-forensic.htm

  32. X-Ways, http://www.x-ways.net/

  33. ATC P2P Marshal, http://p2pmarshal.atc-nycorp.com/

  34. ATC Mac Marshal, http://macmarshal.atc-nycorp.com/

  35. ATC Cyber Marshall Dropbox Reader, http://www.cybermarshal.com/index.php/cyber-marshal-utilities/dropbox-reader

  36. Gargoyle Investigator, http://www.wetstonetech.com/cgi-bin/shop.cgi?view,2

  37. NetAnalysis, http://www.digital-detective.co.uk/netanalysis.asp

  38. JADsoftware’s Internet Evidence Finder, http://www.jadsoftware.com/internet-evidence-finder/

  39. RedLight, http://www.dfc.cs.uri.edu/redlight.php

  40. Process Monitor v3.01, http://technet.microsoft.com/en-us/sysinternals/bb896645

  41. PCMag InCtrl5, http://www.pcmag.com/article2/0,2817,25126,00.asp

  42. Total Uninstall, http://www.martau.com/

  43. Spy Me, http://www.ghacks.net/2009/03/01/software-installation-monitor/

  44. Jones, K.J.: Forensic Analysis of Internet Explorer Activity Files (2003), http://www.mcafee.com/us/resources/white-papers/foundstone/wp-pasco.pdf

Download references

Author information

Authors and Affiliations

Authors

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2013 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Koppen, J. et al. (2013). Identifying Remnants of Evidence in the Cloud. In: Rogers, M., Seigfried-Spellar, K.C. (eds) Digital Forensics and Cyber Crime. ICDF2C 2012. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 114. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39891-9_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-39891-9_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-39890-2

  • Online ISBN: 978-3-642-39891-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics