Abstract
With the advent of cloud computing, law enforcement investigators are facing the challenge that instead of the evidence being on a device that they can seize, the evidence is likely located in remote data centers operated by a service provider; and may even be in multiple locations (and jurisdictions) across the world. The most practical approach for an investigator when cloud computing has been used is to execute a warrant that requires the service provider to deliver the evidence. However, to do this, the investigator must be able to determine that a cloud application was used, and then must issue a warrant with reasonable scope (e.g. the subject’s username at the cloud provider, the name of the documents, the dates accessed, etc). Fortunately, most cloud applications leave remnants (e.g. cached web sites, cookies, registry entries, installed files, etc) on the client devices. This paper describes the process for identifying those remnants and parsing them to generate the data required by law enforcement to form warrants to cloud service providers. It illustrates the process by obtaining remnants from: Google Docs accessed by Internet Explorer, Dropbox, and Windows Live Mesh.
This work was supported by a grant from the U.S. Department of Justice’s National Institute of Justice Electronic Crimes Research and Development program – Grant # 2011-FD-CX-K011.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Mell, P., Grance, T.: The NIST Definition of Cloud Computing. Information Technology Laboratory (2009), http://www.nist.gov/itl/cloud/upload/cloud-def-v15.pdf
Amazon, Inc., http://www.amazon.com/
Apple iCloud, http://www.apple.com/icloud/
Dropbox, http://www.dropbox.com/
Rackspace Cloud, http://www.rackspace.com/cloud/
Salesforce, Inc., http://www.salesforce.com/
Skytap, Inc., http://www.skytap.com/
Microsoft Corporation, Windows Live, http://explore.live.com/
Google, http://www.google.com/
Huawei Technologies Co., Ltd., http://www.huawei.com/
Cisco Systems, Inc., http://www.cisco.com/
Fujitsu, Ltd., http://www.fujitsu.com/global/
Dell, Inc., http://www.dell.com/
Hewlett-Packard Development Company, L.P., http://www.hp.com/
IBM, http://www.ibm.com/
VMware, Inc., http://www.vmware.com/
Hitachi, Ltd., http://www.hitachi.com/
NetApp, Inc., http://www.netapp.com/
Security Guidance for Critical Areas of Focus in Cloud Computing V2.1. Cloud Security Alliance (2009)
Mather, T., Kumaraswamy, S., Latif, S.: Cloud Security and Privacy: An Enterprise Perspective on Risk and Compliance, p. 239. O’Reilly Media (2009)
Federal Information Security Management ACT (FISMA) Implementation Project, http://csrc.nist.gov/groups/SMA/fisma/index.html
Health Information Privacy: The Health Insurance Portability and Accountability Act (HIPPA), http://www.hhs.gov/ocr/privacy/
The Sarbanes-Oxley Act, http://www.soxlaw.com/
PCI SSC Data Security Standards Overview, https://www.pcisecuritystandards.org/security_standards/index.php
SAS 70 Definition: Type II, http://www.sas70.us.com/what-is/definition-of-sas70.php
Kirilov, K.: Cloud Computing Market Will Top $241 Billion in 2020. Cloud Tweaks (2011), http://www.cloudtweaks.com/2011/04/cloud-computing-market-will-top-241-billion-in-2020/
Columbus, L.: Roundup of Cloud Computing Forecasts and Market Estimates. A Passion for Research (2012), http://softwarestrategiesblog.com/2012/01/17/roundup-of-cloud-computing-forecasts-and-market-estimates-2012/
IDC Cloud Research, http://www.idc.com/prodserv/idc_cloud.jsp
Bigsey, Cloud Computing and the Impact on Digital Forensic Investigations. ZDNet (2009), http://www.zdnet.co.uk/blogs/cloud-computing-and-the-impact-on-digital-forensic-investigations-10012285/
Access Data FTK, http://accessdata.com/products/computer-forensics/ftk
EnCase Forensic v7, http://www.guidancesoftware.com/encase-forensic.htm
X-Ways, http://www.x-ways.net/
ATC P2P Marshal, http://p2pmarshal.atc-nycorp.com/
ATC Mac Marshal, http://macmarshal.atc-nycorp.com/
ATC Cyber Marshall Dropbox Reader, http://www.cybermarshal.com/index.php/cyber-marshal-utilities/dropbox-reader
Gargoyle Investigator, http://www.wetstonetech.com/cgi-bin/shop.cgi?view,2
NetAnalysis, http://www.digital-detective.co.uk/netanalysis.asp
JADsoftware’s Internet Evidence Finder, http://www.jadsoftware.com/internet-evidence-finder/
RedLight, http://www.dfc.cs.uri.edu/redlight.php
Process Monitor v3.01, http://technet.microsoft.com/en-us/sysinternals/bb896645
PCMag InCtrl5, http://www.pcmag.com/article2/0,2817,25126,00.asp
Total Uninstall, http://www.martau.com/
Spy Me, http://www.ghacks.net/2009/03/01/software-installation-monitor/
Jones, K.J.: Forensic Analysis of Internet Explorer Activity Files (2003), http://www.mcafee.com/us/resources/white-papers/foundstone/wp-pasco.pdf
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Koppen, J. et al. (2013). Identifying Remnants of Evidence in the Cloud. In: Rogers, M., Seigfried-Spellar, K.C. (eds) Digital Forensics and Cyber Crime. ICDF2C 2012. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 114. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39891-9_3
Download citation
DOI: https://doi.org/10.1007/978-3-642-39891-9_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-39890-2
Online ISBN: 978-3-642-39891-9
eBook Packages: Computer ScienceComputer Science (R0)