Identifying remnants of evidence in the cloud

Abstract

With the advent of cloud computing, law enforcement investigators are facing the challenge that instead of the evidence being on a device that they can seize, the evidence is likely located in remote data centers operated by a service provider; and may even be in multiple locations (and jurisdictions) across the world. The most practical approach for an investigator when cloud computing has been used is to execute a warrant that requires the service provider to deliver the evidence. However, to do this, the investigator must be able to determine that a cloud application was used, and then must issue a warrant with reasonable scope (e.g. the subject’s username at the cloud provider, the name of the documents, the dates accessed, etc). Fortunately, most cloud applications leave remnants (e.g. cached web sites, cookies, registry entries, installed files, etc) on the client devices. This paper describes the process for identifying those remnants and parsing them to generate the data required by law enforcement to form warrants to cloud service providers. It illustrates the process by obtaining remnants from: Google Docs accessed by Internet Explorer, Dropbox, and Windows Live Mesh.