U.S. flag

An official website of the United States government, Department of Justice.

NCJRS Virtual Library

The Virtual Library houses over 235,000 criminal justice resources, including all known OJP works.
Click here to search the NCJRS Virtual Library

Identifying remnants of evidence in the cloud

NCJ Number
305921
Author(s)
Jeremy Koppen; Gerald Gent; Kevin Bryan; Lisa DiPippo; Jillian Kramer ; Marquita Moreland; Victor Fay-Wolfe
Date Published
2013
Length
16 pages
Annotation

This paper providers instruction on identifying remnants of evidence in the cloud.

Abstract

With the advent of cloud computing, law enforcement investigators are facing the challenge that instead of the evidence being on a device that they can seize, the evidence is likely located in remote data centers operated by a service provider; and may even be in multiple locations (and jurisdictions) across the world. The most practical approach for an investigator when cloud computing has been used is to execute a warrant that requires the service provider to deliver the evidence. However, to do this, the investigator must be able to determine that a cloud application was used, and then must issue a warrant with reasonable scope (e.g., the subject’s username at the cloud provider, the name of the documents, the dates accessed, etc.). Fortunately, most cloud applications leave remnants (e.g., cached web sites, cookies, registry entries, installed files, etc.) on the client devices. This paper describes the process for identifying those remnants and parsing them to generate the data required by law enforcement to form warrants to cloud service providers. It illustrates the process by obtaining remnants from: Google Docs accessed by Internet Explorer, Dropbox, and Windows Live Mesh. (Published abstract provided)