Study of Digital Forensics on Google Cloud Platform
Group 6
Aaron Sanders
Casey Aniceto
Samuel Borthwick
Department of Computer and Information Technology, IUPUI
CIT 56200 - Mobile and Network Forensics
Executive Summary
This report provides an analysis of Google Cloud Platform’s Compute Engine services and an evaluation of the forensics process performed in a cloud environment. Furthermore, this report looks into the challenges and potential obstacles of performing the forensics process in a cloud environment and how that differs from a traditional setting. For research, a use case was put together in which a user has been identified as distributing malicious code to capture and store users’ private credit card information. Methods of analysis started by building a virtual machine hosted on the Google Cloud Platform, creating remote connections using the SSH window, and installing Chrome Remote Desktop on Debian Linux. Following this, a vmdk image was created using the disks feature in the Google Cloud Platform to transfer an exact bit-for-bit copy of the cloud disk for investigation. The vmdk image was then converted into a raw dd image using FTK Imager and then loaded into Autopsy for forensic analysis.
To verify that the vmdk image was a bit-for-bit replica of the raw image, MD5 hash values were computed and showed that the images were an exact match, maintaining the integrity of the data. The Autopsy results showed two key pieces of evidence through the cloud forensics process. First, there was a main.html document that had fillable form data to retrieve people’s personal information. The second piece of evidence was a crdhost virtual machine image that contained a data.csv file that captured multiple users’ personal information. The motive behind the crime was to get users of the crdhost HTML web application to provide their personal and financial information so that it could be stolen.
Based on the research of this report, it is recommended that:
● The objectives of the investigation are outlined so that the process is approached objectively
● The tools the investigator is using are compatible with the cloud service being investigated
● The investigator takes advantage of the utilities provided by the cloud service
● All steps taken are documented to show transparency and credibility
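The summary above relies on MD5 hashes to show that the vmdk export and the raw dd image match, and the recommendations ask that every step be documented. The following Python script is an added example written for this page (it is not code from the report, from FTK Imager or from Autopsy). It streams both images through MD5 and SHA-256, reports whether they agree, and records each handling step in a hash-chained custody log so that a later edit to an earlier entry is detectable. The file names and the one-megabyte image contents are constructed for the demonstration.

```python
"""Added example: image integrity check plus a hash-chained custody log.
The image files and their contents are constructed in demo(); nothing here
is the report's own data."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Stream the file once and return {algorithm: hexdigest}.
    Disk images are large, so the file is never read into memory whole."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def images_match(source_path, copy_path):
    """True only when every digest agrees; one differing byte changes both."""
    return hash_file(source_path) == hash_file(copy_path)


class CustodyLog:
    """Append-only custody record. Each entry stores the hash of the
    previous entry, so editing or removing any step breaks verify()."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        # Canonical JSON so the same fields always hash the same way.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, step, actor, details):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = {"step": step, "actor": actor, "details": details, "prev_hash": prev}
        entry_hash = self._digest(body)
        body["entry_hash"] = entry_hash
        self.entries.append(body)
        return entry_hash

    def verify(self):
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or self._digest(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    """Constructed scenario: an export and its conversion are identical;
    a third file with its last byte changed must fail the comparison."""
    workdir = Path(tempfile.mkdtemp(prefix="custody_demo_"))
    payload = bytes(range(256)) * 4096           # 1 MiB of constructed data
    export_vmdk = workdir / "export.vmdk"        # hypothetical file names
    export_dd = workdir / "export.dd"
    tampered_dd = workdir / "tampered.dd"
    export_vmdk.write_bytes(payload)
    export_dd.write_bytes(payload)
    tampered_dd.write_bytes(payload[:-1] + b"\x00")

    log = CustodyLog()
    log.record("export disk image", "examiner A", hash_file(export_vmdk))
    log.record("convert vmdk to raw", "examiner A", hash_file(export_dd))

    good_copy = images_match(export_vmdk, export_dd)
    bad_copy = images_match(export_vmdk, tampered_dd)
    chain_intact = log.verify()
    log.entries[0]["actor"] = "someone else"     # simulate a later edit
    chain_after_edit = log.verify()
    return good_copy, bad_copy, chain_intact, chain_after_edit


if __name__ == "__main__":
    print(demo())   # (True, False, True, False)
```

Running the file builds two identical images and one with a single byte changed; the identical pair passes, the altered one fails, and the log verifies until an entry is rewritten. Computing SHA-256 alongside MD5 costs nothing extra in I/O, since both digests are fed from the same read, and it covers the known collision weakness of MD5; the report’s MD5 comparison alone still demonstrates equality for an image the examiner acquired personally.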
Problem Statement and Case Study
With further advancements in cloud computing technology leading to adoption growth at the consumer and enterprise levels, Google Cloud Platform, Microsoft Azure, and Amazon Web Services have become the hosts of many major applications. Looking ahead to the next 10 years, 451 Research states: “More than 90% of organizations will be using some form of the cloud, with the balance of IT deployment tipping toward off-premises within two years. At the same time, organizations are pursuing more deliberate cloud and hybrid-cloud strategies” (MacDonald, 2018). With cloud platforms becoming a convenient utility for many, those who desire to commit computer-related crimes have also gained interest in these technologies. As cloud computing advances, new digital investigation challenges have emerged that require investigators to understand the crucial impact the cloud has on forensic tasks. New methods and tools for conducting a digital investigation in a cloud environment need to be discovered to cope with the various cloud scenarios.
For this research project, we will be studying Google Cloud Platform’s Compute Engine services. In our case, a user has been identified as distributing malicious code to capture and store users’ private credit card information. An IP address has been detected and was used to discover that the machine is potentially running on the Google Cloud Platform in its Council Bluffs, Iowa server. Tools and methods must be uncovered to collect evidence and maintain its integrity. The possibility of collecting server logs/data, if they exist, should be discussed, since they would be a good indicator of other suspects/leads in the case.
Literature Review
Data security and privacy information challenges in cloud computing
Data security and privacy information challenges in cloud computing is an analysis of security in the cloud computing environment. Cloud computing has special characteristics that must be considered when analyzing security architecture. According to Weiwei Kong, “the cloud can be viewed as a shared resource, so we cannot guarantee that other sharers are not dangerous. In other words, we cannot confirm the legitimacy of other resources” (Weiwei Kong, 2018). The researchers also discuss whether the cloud provider may be able to modify or delete the data in the cloud. This affects the integrity of the data before evidence collection has even taken place, because the evidence has now been tampered with. There must be an understanding between the cloud provider and the cloud forensics team that the information in the cloud is to be kept intact with no alterations, so that no evidence or data is tampered with. Any alterations to the cloud should be documented and a notification should be sent to the digital forensics team. The paper discusses potential security approaches that can be utilized to combat the security concerns of cloud computing. One is the use of a private cloud, which is owned and operated by a single organization. The private cloud model provides a defense against repudiation, since the data stored on the cloud is known to come from the cloud owner. Another possible solution is the use of encryption on the cloud resource to provide a higher level of security for the integrity of the data stored in the cloud. Encryption ensures that the data cannot be viewed or altered without the proper encryption keys. The problem that cloud forensics investigators will have with this solution is that the encryption will also prevent the investigators from accessing the data they are trying to collect.
What is “Cloud”? Is it time to update the NIST definition?
“What is ‘Cloud’? Is it time to update the NIST definition?” is an article about the structure of a cloud environment. According to Christine Miyachi, “Amazon Web Services (AWS) was one of the first companies to use the word ‘cloud’ in their product advertising” (Miyachi, 2018). The cloud is a fairly new term, and the resources and services provided by cloud service providers have grown. The National Institute of Standards and Technology (NIST) defines cloud computing “[as] a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” (National Institute of Standards and Technology, 2011). NIST defined three cloud service models: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). Software-as-a-Service provides the use of an application to a consumer on the cloud platform; the application is accessed through a client interface such as a web browser or a program. Platform-as-a-Service lets a customer deploy a customer-created application onto the cloud infrastructure using programming languages, libraries, services, and tools supported by the cloud service provider (Miyachi, 2018). Additionally, Miyachi indicated that Infrastructure-as-a-Service provides computational processing, storage, networks, and other computing resources that a customer can access. The customer does not manage or control the underlying cloud infrastructure but has control over the operating systems, storage, and applications.
A new model being created for cloud computing builds on the preexisting NIST definitions of the cloud. The model integrates the NIST definitions into a layered framework.
Figure 1. An updated model of cloud computing
According to Miyachi, the introduction of a new cloud framework will require that cloud forensic practices be updated as well (Miyachi, 2018). Using the figure above, we see that there are a few new additions to the cloud services, such as Foundational PaaS. Miyachi summarized that this new service will store objects in the cloud, which may change how the evidence collection process is done (Miyachi, 2018). This is important to note because as these new services are developed, best practices and standardized processes for cloud forensics will need to be developed as well. According to Miyachi, “IT departments across the world are using SaaS to provide their employees with enterprise applications (such as email, storage, and word processing applications) as well as to provide customers with applications, such as package tracking for a logistics firm or catalog and shopping cart for an eCommerce firm” (Miyachi, 2018). This means that cloud forensics investigators will need to work with cloud service providers more often to collect evidence in the forensics process.
The State-of-the-Art Forensic Techniques in Mobile Cloud Environment
The State-of-the-Art Forensics Techniques in Mobile Cloud Environment is about mobile cloud forensics. According to Muhammad Faheem, “Mobile Cloud computing is a combination of two new emerging information technology worlds” (Muhammad Faheem, 2015). The use of smartphones has made access to mobile cloud resources widely available in areas of the world where it was not available before. With the increase and growth of the smartphone, cloud service providers of mobile cloud computing are expanding their capabilities to meet these new demands. There are many advantages to the use of smartphones in today’s mobile world that their predecessors, such as the laptop, have trouble competing against, like device size, battery life, and weight. Faheem states, “Mobile devices are capable of performing a collection of functions that ranges from a simple voice call to the complex functions of a personal computer” (Muhammad Faheem, 2015).
Faheem quotes the International Data Corporation (IDC): “In the latest survey, IDC announced that the worldwide Smartphone market raised 25.3% in the second quarter of 2014, it is a new quarterly record of 301.3 million shipments (IDC)” (Muhammad Faheem, 2015). With the rapidly growing interest in using smartphones to connect to the internet, the use of mobile cloud computing resources is also growing. With more people accessing the internet and using the cloud with their smartphones, the opportunity to conduct unlawful activities is also present. According to Faheem, “It is vital to extracting the forensic evidence from the cloud and the third-party application providers in addition to that of traditional mobile devices” (Muhammad Faheem, 2015). The success of evidence collection from mobile applications hosted on the cloud is going to depend not on the tools used to analyze the evidence but on the rate at which the forensic process is executed. The time it takes to gather all the evidence could be the determining factor in whether the right evidence is collected, because so many users may be accessing the mobile cloud application that data may be altered before investigators have captured what is needed in real time. According to Faheem, “Current forensic tools and technologies require improving data examination speed as it involves a vast amount of digital data” (Muhammad Faheem, 2015). There are many barriers to the execution of the forensic process when it comes to mobile cloud technologies. To overcome these challenges, better processes for achieving identification and preservation of data corresponding to suspects of crimes using mobile cloud technologies must be developed.
Cloud Computing Reference Architecture and Its Forensic Implications: A Preliminary Analysis
This paper is an analysis of the forensic implications of cloud computing. It looks at the responsibilities of the actors in the cloud environment during a cloud forensics investigation. The paper provides feedback and input for integrating cloud forensics considerations into cloud architecture. According to Keyun Ruan, “digital forensics has historically been an ‘after-after-thought’ whereas security has been an ‘after-thought’ whenever new technologies emerge. This could be one of the reasons why today’s cybercrime causes an annual loss of 750 billion Euros in Europe alone, according to new statistics released by Interpol” (Keyun Ruan, 2013).
Figure 2. Cloud Actors and Segregation of Duties
Above is a figure of cloud actors and their respective roles in the forensics process. Here we see that each section of the cloud provider has internal responsibilities. Beyond the cloud service provider, the cloud domain has four other roles: the cloud consumer, auditor, broker, and carrier. In the cloud provider domain, the provider is accountable for enforcing the security and privacy of the cloud services.
According to Ruan, “Forensic artifacts for the hardware layer include hard disks, network logs,
router logs, etc. This layer also includes data center artifacts such as access records, facility logs,
activity logs, interior and exterior camera footage, biometrics records, visitor records,
organization chart and contact information, etc. Gaining access to actual physical data centers
and carrying out an on-site investigation can be too costly or even impossible in most cases
(Keyun Ruan, 2013)”.
Access to the hardware layer of the cloud service can be very troublesome to both the investigators and the cloud service provider. The alternative in this situation is to create a mutual trust relationship between the cloud service provider and the investigative law enforcement team, with remote access to conduct forensics through the cloud service provider. This paper discusses scenarios in which the forensic roles and responsibilities in the process are examined.
Search Warrant Process for Cloud
Part of the challenge of performing forensics on cloud computing is the process of getting a search warrant. In particular, the legal system often has difficulty keeping up with law enforcement in recognizing new technologies (Cauthen, 2014). According to John Cauthen in his article “Executing Search Warrants in the Cloud,” executing law enforcement searches in a cloud computing environment presents a two-fold problem. First, there is very little, and in some cases no, data about a computer user that is found in a single geographic area. This presents a major challenge because most search warrants issued today reference a particular location, which then narrows the scope in which forensics can be performed. This disconnect comes from the fact that many lawyers and judges do not have a strong understanding of how digital forensics works. Many assume all digital evidence is stored on a single hard drive, similar to a filing cabinet. However, this is not the case for most large businesses and government enterprises, where computer users are generally connected to a network and their computer serves as a terminal to a much larger networked system. Items such as emails and files can be viewed using the computer, but the majority of files are maintained on another computer located elsewhere. Because of this, if an investigator merely searches a user’s computer, very little data will be found, because any records of importance will be stored on other network computers.
In cases of cloud computing, files are stored not just on the corporate network but also throughout the internet. In general, users of cloud services rent from a provider who maintains data storage facilities. These facilities may be regionally located or spread out over multiple data centers across multiple countries. The problem here is finding where the data is physically stored, as even the administrator may not know which data is physically stored where. The storage of data can also be complicated, as some data will be encrypted. Figure 3 gives a summary view of best practices for dealing with different types of stored data:
Figure 3. How is the data stored?
To navigate around these artificial barriers, search warrants can be served under US Code 2703, which covers transactional records such as payments and emails and does not require as much geographic specificity. According to Cauthen, another potential solution is “The investigator could consider combining two search warrants-one on the computer owner for the location being searched under Rule 41 and one on the cloud provider under Code 2703 for the content to which the computer is connected (Cauthen, 2014).” Under this method, the investigator must have a high-level understanding of how to operate the database and formulate queries, as the queries need to comply with the search warrant. Figure 4 displays the best practices based on circumstance:
Figure 4. Where is the data?
Figure 4. Where is the Data?
Acquiring Forensic evidence from Cloud Infrastructure
Acquiring forensic evidence from cloud computing services leads to a variety of challenges, both legal and technical (Dykstra, 2020). Seizure and obtaining digital artifacts are the initial steps in the forensic process. When obtaining evidence, remote investigators may collect the evidence directly from the source of origin, or service providers may deliver it. The two scenarios require different sets of technical solutions. According to Josiah Dykstra in his publication, Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and evaluating tools, trust, and techniques, a key element of the forensics process is maintaining transparency and trust throughout the process. Because most judges and members of the jury will not have detailed knowledge of the highly technical aspects of forensics, such as the tools for extracting evidence, they have to decide whether they trust the integrity of the methods used by the investigator. Figure 5 outlines the six layers of an IaaS cloud, followed by the cumulative trust that must be placed in each layer:
Figure 5. 6 Layers of IaaS Cloud
Dykstra outlines that currently, law enforcement asks the cloud service provider for data after a search warrant or subpoena is issued. The provider then executes the search to collect the data and returns it to law enforcement. Since law enforcement is not overseeing how the provider collects the data, it is placing a large amount of trust in the integrity of the service provider to return accurate results. Furthermore, the jury must trust that the technician performing the search queries is both ethical and competent.
Two widely used forensic tools are EnCase Enterprise and AccessData FTK (Dykstra, 2020). Dykstra and his team deployed both of these tools in experiments using various cloud models, including AWS and an IaaS cloud, to get a better idea of the advantages and disadvantages of each tool. Both EnCase and FTK performed at comparable levels, as shown in Figure 6. Notice that each tool also comes with its own level of required trust.
Figure 6. Results of experiments
Following the analysis, Dykstra stated the following conclusion:
“Our recommendation for the forensic acquisition of IaaS cloud computing is the
management plane. This option offers the most attractive balance of speed and control with trust.
We encourage cloud providers to make forensic data available to users in this way, and we have
begun an implementation to do so. While EnCase and FTK successfully returned evidence, we
do not recommend using them for remote forensics in the cloud because too much trust is
required. (Dykstra, 2020)”
Cloud-Based Data Collection & Analysis
The white paper titled “Cloud-Based Data Collection & Analysis”, written by Joseph Remy of the National White Collar Crime Center (NW3C), aims to cover the best practices associated with conducting forensic cloud investigations and extracting data from cloud-based services. The emergence of cloud computing has made storing data directly on devices increasingly impractical. As cloud storage has overtaken storing data locally, it has become a major target for criminal activity. According to Remy, collecting cloud-based data presents the following challenges (Remy, 2020):
1. Reliance on the user to download their data and turn it over for analysis
2. The use of forensic software to analyze cloud backup files
3. The process of dealing with cloud service providers to access their data
Not only are users often unavailable, but they are also rarely willing to consent to giving investigators data without legal action in the form of a warrant. Targeting data from victims seeking justice or individuals seeking to prove their innocence may be a more effective strategy, as they may be more willing to turn over their data without the need for a warrant. Under the United States Constitution, a search warrant must particularly describe the location that is to be searched. This is very challenging when dealing with cloud-based data, because the physical data could be in multiple locations all around the world. To navigate around this, investigators must often cite the Clarifying Lawful Use of Overseas Data (CLOUD) Act of 2018, which gives US law enforcement the ability to collect cloud-based evidence from US-based tech companies for crimes that either occur on US soil or involve US citizens.
According to Remy, it is important to know how much data is needed before conducting your search (Remy, 2020). The Stored Communications Act of 1986 does not require a search warrant for data older than 180 days. Cases where data older than 180 days is required generally consist of child exploitation cases, homicides, and narcotics tracking. When performing forensic analysis over the cloud, Remy stresses that it is important to authenticate your evidence. Because cloud data is so volatile, it can easily be edited or deleted. The most effective way of authenticating it is to correlate cloud data with data found on synced devices such as mobile phones, tablets, or laptops. Showing these connections between the pieces makes for a stronger timeline and a better case, particularly when the subject has multiple devices. The user can also authenticate the data; however, this is challenging due to the vast amounts of data that are generally stored on devices.
Cloud Providers’ Legal and Jurisdiction Findings
The cloud environment, by its nature, is multi-jurisdictional. Google, for instance, now has 19 data centers around the globe, with 11 in the United States, 5 in Europe, 2 in Asia/Pacific, and one in South America (Miller, 2019). Although a data center may be in a foreign country, sovereignty over the data is not guaranteed, taking into account the ability of the cloud service provider to back up data to any data center it owns (James & Szewczyk, 2017). Elaborating further on the matter, the location of the data center that houses the data of a suspect machine could also affect how it can be treated locally. The United States “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001” allows a government agency to access stored data without being subjected to the limitations of a search warrant (ACT, 2001). Even though this Act applies to data stored within the United States, it highlights an attempt at legislation that allows the digital forensic practitioner to legally access cloud-based data. However, collecting data stored in a cloud environment is still a daunting task when the data is scattered across multiple data centers in multiple jurisdictions at any given time. The simplest answer to jurisdiction concerns is to look at the state of incorporation or headquarters of the cloud provider, since currently there appears to be no right answer. For some providers, the big ones in particular, serving a subpoena at a published address, and sometimes through a website, are appropriate routes to take (David Willson, 2013). If necessary, it is ideal to compel providers to gather and turn over data to you, since it is unlikely you will be given access to dig around servers and figure out what you need to collect. When an examiner attempts to acquire digital evidence without the proper permissions or warrants, their evidence could be rendered useless by an injunctive order on a motion, and the examiner could be considered to be committing a prosecutable crime themselves (Spectre Intelligence, 2019). According to the federal rules of evidence, 47 CFR 14.42, evidence ‘in the defendant’s possession, custody, or control’ is considered permissible. In one of the first public cases regarding the issuance of a warrant specifically for cloud services, it has been indicated that the courts have granted the exclusive privilege for digital evidence acquisition on cloud services platforms as early as 2011 (Spectre Intelligence, 2019). In the 2017 case Williams v. Angie’s List, an Indiana court found that cloud data belonged to and was under the control of the defendant:
“evidence before the Court demonstrates that Angie’s List and Salesforce have a longstanding contractual relationship and that the background data is recorded ‘for’ Angie’s List as part of the ordinary course of their business relationship. Even while end-users such as Angie’s List ‘ordinarily’ do not access such data, the evidence demonstrates that they can do so upon asking. In fact, the most compelling fact before the Court is that Angie’s List, despite dragging its feet and protesting vociferously, were actually able to retrieve and produce one year of the background data, collected for Angie’s List as part of its use of Salesforce’s sales platform, to Plaintiffs in discovery. The fact that Angie’s List has already produced one-third of the requested data, coupled with the evidence demonstrating the relationship between Angie’s List and Salesforce, compels the conclusion that Angie’s List has a ‘legal right to obtain’ the discovery sought.” (eDiscovery, 2017)
This case has set a common-law precedent that cloud data is within the defendant’s possession, custody, and control despite not being physically with them. Given that a defendant could be using a cloud service whose data is spread across multiple data centers in multiple jurisdictions, and given the rights the defendant has over their cloud data and the access granted to the examiner, data can be captured and recorded regardless of location and jurisdiction.
Cloud Forensics as a Service
Conceptually, digital forensics investigative practices remain the same when examining a cloud environment, although cloud computing adds a complexity that brings many new challenges:
● Data Collection: Every cloud provider uses its own deployment models, which makes it difficult to generalize data collection processes (Saurav & Raymond, 2016).
● Loss of Data: Improper shutdown of virtual machines may lead to loss of important data and corrupt applications.
● Access to network devices: All the network devices are virtualized in a cloud environment, so it is difficult to get physical access to hardware devices, load balancers, and firewalls (Saurav & Raymond, 2016).
● Early Forensics Investigations: Current cloud platforms lack forensics-aware applications that collect data for forensic analysis (Saurav & Raymond, 2016).
Current investigation practices involve the analysis of data on a standalone forensics machine. Although we were working with a virtual machine on Google’s IaaS, which works logically like a physical machine and makes collecting data/evidence easier, cloud platforms offer many platform and software services that provide almost no feasible data collection process. With cloud computing becoming more accessible, perhaps there should be some sort of Digital Forensics as a Service product offered by cloud platforms. As concluded in Saurav Nanda and Raymond A. Hansen’s paper titled “Forensics as a Service: Three-tier Architecture for Cloud-based Forensic Analysis,” “Cloud providers, as of now, do not extensively support forensic-based analysis.” In their paper, they explore creating a “Forensics as a Service” product that sits alongside the SaaS, PaaS, and IaaS services of cloud architectures. “FaaS components are completely accessible by the FaaS team members, who can provide all forensic information to the customer on demand” (Saurav & Raymond, 2016). Whenever an incident is reported for a forensics investigation, a request is made with the suspect’s identification and the services being used; an automated data collection process then gathers all relevant data, including access logs (to keep track of all changes made to the data collection so that integrity can be maintained), long-term and volatile storage, and any information regarding running processes. All the gathered data would then be handed over to examiners, who will perform analysis on it. Investigators would be given the option to investigate in the cloud or on their standalone local machine, while being given control over resources including CPU, memory, and storage on demand. This would save investigators valuable time and resources while also creating another pay-as-you-go service offered by cloud platforms (Saurav & Raymond, 2016). Those in the forensics and cloud computing research communities should come together to research and develop forensics tools in the cloud, such as a Digital Forensics as a Service platform. The platform would be able to generate revenue under a pay-as-you-go model while investigators would be able to perform forensic analysis more efficiently.
Forensics Process
As stated in the problem statement and case study, an IP address has been detected on an online store, and the computer behind it is suspected of collecting customers’ private information and credit card information. We would like to dedicate this next portion of the paper to our forensics process. We discuss each phase of our process, including identification, preservation, collection of evidence, examination and analysis of evidence, and finally the presentation of our findings.
Identification
After noticing odd behavior on their online store, the IT team conducted a brief internal investigation and discovered the following IP address: 23.251.149.22. With this IP address, they can complete an IP address lookup with the IP Lookup tool on the site https://www.iplocation.net/ip-lookup.
Figure 7. IP-Lookup tool screenshot #1
Figure 8. IP-Lookup Return Results
The two pictures above show how the IP-Lookup tool is used. In the first screenshot, Figure 7, we see how we enter the detected IP address. In the second screenshot, Figure 8, we show the results. Although we cannot confirm the accuracy of this IP-Lookup tool, the site states the following:
“The Geolocation lookup tool provided on this page is an estimate of where the IP
address may be located. The data come from a few IP-Based Geolocation providers, and
their accuracy varies depending on how quickly they update their database when changes
occur. Since many Internet users are getting their dynamic IP addresses from their ISP,
and most ISPs serve their customers in multiple regions causing Geolocation lookup to be
accurate to the region they serve. For example, AT&T in the United States serve their
customers in the entire USA and the accuracy may be limited to the Country level. Other
ISPs may be serving smaller areas, and some ISPs create subnetworks to serve their
customers in smaller regions. For this reason, the IP-based Geolocation will be about
99% accurate at the country level while the accuracy of State and City may be at a much
less accurate level somewhere around 50% range (Location, 2018)”.
From the returned results, we find that the location of the computer is possibly Council Bluffs, Iowa, and that the ISP and organization is Google LLC. Google also hosts a data center in Council Bluffs, Iowa, which leads us to believe that this computer is potentially hosted on Google’s Cloud Platform. With this information, we have probable cause to begin the process of getting a warrant to access this machine on Google’s server.
22
Figure 9 displays a United States federal warrant, which is needed to seize and search
evidence. “Today both law enforcement and the legal system face a new challenge--digital
evidence distributed in the cloud. Technology requires investigators to change their methods
from traditional passive searches to a new model focused more on live recovery (Cauthen,
2014).” To acquire data from Google Cloud, law enforcement must first file a warrant. The
challenge here is in which geographic jurisdiction to file the warrant, as the physical data could
be stored in multiple places all over the world. The Clarifying Lawful Overseas Use of Data
(CLOUD) Act of 2018 gives US law enforcement the legal tool required, with court authorization,
to collect cloud-based evidence from US-based tech companies for crimes that occur on US soil
and involve US citizens, even if the data is stored on servers that are physically located in other
countries (Remy, 2020).
Figure 9. Federal Warrant
Once a warrant was issued, the cloud services platform then sent us the data that was
requested in compliance with the warrant. It is important to have a Google Cloud Platform
Certified Expert on the investigative team, as the data turned over may be in a non-traditional
format that needs to be translated. Since law enforcement is not the party responsible for
retrieving the data, a great deal of trust has to be placed in the cloud provider’s technician,
which presents a risk.
After access was granted to the forensics team, we began to look into what resources
were being used with the suspect account and machine.
Figure 10. Google Cloud Platform Compute Engine VM Instances
In Figure 10, we are in the Google Cloud Platform’s Compute Engine services. Google
Compute Engine is an IaaS service that allows users to launch virtual machines on demand. We
can also see from Figure 10 that a user launched a virtual machine instance with the suspect IP
address, 23.251.149.22, with the name “crdhost.” This machine may be the host of customers’
private information. After clicking on crdhost, we can see more details about the machine.
Figure 11. VM instance details #1
Figure 12. VM instance details #2
In Figure 11, we can see details about the VM instance: the instance id, machine type,
CPU platform, hosting zone, and the time of creation, which is October 20th, 2020. In Figure 12,
we can see the network interface, firewalls, boot disk information (the OS is Debian Linux), and
the storage, which is a standard persistent disk of 10 GB.
Figure 13. VM instance details monitoring #1
Figure 14. VM instance details monitoring #2
Figure 15. VM instance details monitoring #3
In Figures 13, 14, and 15, we can view the monitoring of the VM, showing network activity,
CPU utilization, disk activity, and more. With this monitoring information, we have an idea of
how active this machine is and can decide the best course of action for shutting down or keeping
the machine running.
Figure 16. VM Instance View Logs Option
Figure 17. Logs Explorer with completed search
Looking more closely into the options we have with the VM instance, in Figure 16, we
see that we have the option to start/resume the instance, stop the instance, reset the instance,
delete the instance, view the network details, create a new machine image, view logs, and view
monitoring. After clicking on view logs, we are placed in the Logs Explorer of Google Cloud
Platform. Since we know the VM instance was created on October 20th, 2020, we can run a
query starting from that date to today, which yields the results found in Figure 17. These
results can also be downloaded for further analysis in CSV or JSON format.
Figure 18. Logs being downloaded into JSON
With the downloaded logs, we found the email address of the individual who created the project
and the instance, as seen in Figure 19.
Figure 19. Downloaded JSON log
Figure 20. Log showing user, casey_aniceto, being created
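As an added example that is not part of the report, the following Python script shows how an exported Logs Explorer JSON file of the kind described above can be reduced to a timeline: who made the instance-creation API call (a Cloud Audit Log entry carries the caller’s email in protoPayload.authenticationInfo.principalEmail and the API method in protoPayload.methodName) and which guest-agent syslog messages report users being created or added to google-sudoers. The sample entries, the project id, the instance id and the email address are constructed placeholders, and the guest-agent message wording is assumed from the events the report describes rather than copied from the agent.

```python
"""Build a timeline from a Logs Explorer JSON export.

Added example, not code from the report. The entries below are constructed
to follow the shape of Cloud Logging entries (a Cloud Audit Log entry with a
protoPayload, and guest-agent syslog entries with a textPayload); the
project id, instance id and email address are placeholders.
"""
import json
import re

# Constructed sample export ("Download logs" writes a JSON array of LogEntry
# objects). Deliberately out of order to show that we sort by timestamp.
SAMPLE_EXPORT = json.dumps([
    {
        "timestamp": "2020-10-20T14:09:02.000Z",
        "logName": "projects/example-project/logs/syslog",
        "resource": {"type": "gce_instance",
                     "labels": {"instance_id": "0000000000000000000", "zone": "us-central1-a"}},
        "textPayload": "google_guest_agent[123]: Adding user aarsande to group google-sudoers.",
    },
    {
        "timestamp": "2020-10-20T14:02:11.000Z",
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "resource": {"type": "gce_instance",
                     "labels": {"instance_id": "0000000000000000000", "zone": "us-central1-a"}},
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "methodName": "v1.compute.instances.insert",
            "authenticationInfo": {"principalEmail": "project-owner@example.com"},
            "resourceName": "projects/example-project/zones/us-central1-a/instances/crdhost",
        },
    },
    {
        "timestamp": "2020-10-20T14:08:55.000Z",
        "logName": "projects/example-project/logs/syslog",
        "resource": {"type": "gce_instance",
                     "labels": {"instance_id": "0000000000000000000", "zone": "us-central1-a"}},
        "textPayload": "google_guest_agent[123]: Creating user casey_aniceto.",
    },
])

# Guest-agent messages of interest. The wording is assumed from the events the
# report describes (user creation, addition to google-sudoers), not verified
# against the agent's exact log format.
CREATE_USER = re.compile(r"Creating user (?P<user>\S+)\.")
ADD_TO_GROUP = re.compile(r"Adding user (?P<user>\S+) to group (?P<group>\S+)\.")


def load_entries(export_text):
    """Parse the export and order entries chronologically (RFC 3339 sorts lexically)."""
    return sorted(json.loads(export_text), key=lambda e: e["timestamp"])


def describe(entry):
    """Reduce one LogEntry to (timestamp, actor, event)."""
    ts = entry["timestamp"]
    payload = entry.get("protoPayload")
    if payload and payload.get("@type", "").endswith("AuditLog"):
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        return ts, actor, f'{payload.get("methodName")} {payload.get("resourceName", "")}'.strip()
    text = entry.get("textPayload", "")
    for pattern in (CREATE_USER, ADD_TO_GROUP):
        m = pattern.search(text)
        if m:
            return ts, "guest-agent", m.group(0).rstrip(".")
    return ts, "unknown", text


def timeline(export_text):
    return [describe(e) for e in load_entries(export_text)]


def who_created_instance(export_text, instance_name):
    """Email of the principal whose compute.instances.insert call created the instance."""
    for entry in load_entries(export_text):
        p = entry.get("protoPayload") or {}
        if (p.get("methodName", "").endswith("compute.instances.insert")
                and p.get("resourceName", "").endswith("/instances/" + instance_name)):
            return p["authenticationInfo"]["principalEmail"]
    return None


def sudoers_additions(export_text):
    """Users the guest agent added to google-sudoers, i.e. granted sudo on the VM."""
    users = []
    for entry in load_entries(export_text):
        m = ADD_TO_GROUP.search(entry.get("textPayload", ""))
        if m and m.group("group") == "google-sudoers":
            users.append(m.group("user"))
    return users


if __name__ == "__main__":
    for ts, actor, event in timeline(SAMPLE_EXPORT):
        print(ts, actor, event)
```

On a real export, point `load_entries` at the downloaded file’s contents; the audit-log entries answer the “who created this” question with an identity that was authenticated by Google, while the syslog entries only reflect what the guest agent reported from inside the VM.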
Preservation
Moving into the preservation stage, we now want to find a method we can use to
obtain a copy of the suspect machine while preserving the data’s integrity. Since we know that
the VM instance uses a standard disk, we view it by clicking “Disks” in the storage section. Once
we’re on the Disks page of our project, seen in Figure 22, we can see that the disk being used by
the suspect machine shares the same name, “crdhost.” We also see in Figure 22 that we can
create an instance, create a snapshot, clone the disk, and delete the disk. For our needs, we need
to create an image of the disk, which is exportable.
Figure 22. Disks on Google Cloud
After clicking on “Create Image”, as seen in Figure 23, we can start naming our image,
selecting the source, which is the suspect disk, and choosing whether to keep the instance running
while creating the image. An important thing to note: keeping the instance running is not
recommended, because the integrity of the image can’t be guaranteed and the image may be
corrupted. Although we are aware of the risk that comes with keeping the instance running, since
we can see in the monitoring graphs (Figures 13 through 15) that disk throughput is low, we will
leave the instance running as we have a low risk of corrupting the image.
Figure 23. Creating an Image
Figure 24. Creating an Image
Figure 25. Image is Created
Once our image is created, we can see in Figure 25 that we have the option to edit the
image, delete the image, create an instance with the image, or export the image. We want to
move the image to a local machine for examination and analysis, so we will need to export the
image. In Figure 26-1, we export the image in the VMDK file format to the storage bucket
we created for forensics purposes within the project.
Figure 26-1. Exporting Image
After the image has successfully been exported, in Figure 26-2, we can view it in the “Image
export history” tab when viewing all of our images.
Figure 26-2. Image Exported
To finally download the image, we navigate to the folder/storage bucket we exported it
to. We can view the folder in the Storage service of Google Cloud Platform; once in the folder,
we can view our image, which we titled “forensics_image_20201106”. This can all be seen in
Figure 27. Clicking the action buttons on the image, we have the option to download it to our
local machine.
Figure 27. Downloading Image
Seizure and Collection
The chain of custody was established by creating a case for the image file in Autopsy.
Once this case was created, all investigated material was stored in this case. Had this case been
created in a real law enforcement investigation, this data would have been protected by
measures such as encryption of the file or some other security control.
Figure 28. Autopsy Case
The image above provides detailed information on the case, such as the case name, case number,
created date, case directory, case type, database name, and examiner information (name, phone,
and email address). Autopsy used this case information to store the results of the analysis of the
image obtained from the Google Cloud Platform crdhost virtual machine.
The process by which the image was uploaded into Autopsy for investigation is
depicted in the figure below. The data source type selected for the image was “Disk Image or
VM File”. This was chosen because the vmdk image obtained from the Google Cloud Platform
was a virtual machine file.
Figure 29. Autopsy Disk Image or VM File.
After the data source type was selected, the path of the selected data source was
chosen; this is the path of the data being uploaded to Autopsy for analysis. The time zone of
the investigated evidence was selected, which was GMT-5:00 America/Indianapolis. The sector
size was left at the default, auto-detect. The results of these options can be seen in Figure 30.
Figure 30. Autopsy Data Source.
Hash values could have been entered in the select data source window, but we did not
have the MD5 hash values at the time of execution. We did make note of this important
integrity check feature and made adjustments later to incorporate these findings into the
investigation.
The new data source was added for investigation, but we received critical errors in the
upload of the vmdk image data. The critical error encountered was that the data source failed to be
added. The results of this error can be found in Figure 31.
Figure 31. Autopsy Failure.
The error could be further examined by clicking on the view log button depicted in Figure 31.
Once the button was clicked, another window popped up with more information about the failure
to add the data source, as found in Figure 32.
Figure 32. Autopsy Failure log.
The error that occurred while Autopsy was ingesting the image was that the file system type
could not be determined at sector offset 0. This occurred because the vmdk file could not be
loaded into Autopsy in this fashion. After researching the error extensively, the resolution
for overcoming the problem was the conversion of the vmdk image into a raw image. To convert
this file we needed to use another forensics tool to perform the format change. This operation was
completed using the tool FTK Imager.
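As an added example that is not from the report or from Autopsy, the Python below shows a check an examiner can run before loading an image: read the first two sectors and report whether sector 0 holds a raw disk’s MBR (with a GPT header in sector 1 where present) or a VMDK container header. A VMDK extent begins with the magic bytes KDMV (or, for a descriptor-only file, a text header) rather than a partition table, so a tool that parses the file as a raw disk finds no file system at sector offset 0, which is consistent with the error described above. The sample images are constructed in memory and the partition values are placeholders.

```python
"""Check what sits at sector offset 0 of an image before handing it to a
raw-image parser.

Added example, not from the report or from Autopsy/FTK Imager. A raw (dd)
image starts with the disk's own first sector (an MBR, optionally followed
by a GPT header in sector 1); a VMDK starts with a container header that a
raw-disk parser cannot interpret. The sample images are constructed.
"""
import struct

SECTOR = 512
VMDK_SPARSE_MAGIC = b"KDMV"                        # sparse / streamOptimized VMDK extent header
VMDK_DESCRIPTOR_MAGIC = b"# Disk DescriptorFile"   # text descriptor VMDK
GPT_SIGNATURE = b"EFI PART"
MBR_SIGNATURE = b"\x55\xaa"


def identify_image(data: bytes) -> str:
    """Classify by the first two sectors only; no file-system parsing needed."""
    head = data[: 2 * SECTOR]
    if head.startswith(VMDK_SPARSE_MAGIC):
        return "vmdk-sparse"
    if head.startswith(VMDK_DESCRIPTOR_MAGIC):
        return "vmdk-descriptor"
    if len(head) >= SECTOR and head[510:512] == MBR_SIGNATURE:
        if head[SECTOR:SECTOR + 8] == GPT_SIGNATURE:
            return "raw-gpt"
        return "raw-mbr"
    return "unknown"


def mbr_partitions(data: bytes):
    """Parse the four MBR partition entries; returns (type, lba_start, sector_count)."""
    parts = []
    for i in range(4):
        entry = data[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        lba_start, count = struct.unpack("<II", entry[8:16])
        if ptype != 0:
            parts.append((ptype, lba_start, count))
    return parts


def file_system_offsets(data: bytes):
    """Byte offsets where a forensic tool would look for file systems on a raw MBR image."""
    if identify_image(data) != "raw-mbr":
        return []
    return [start * SECTOR for _, start, _ in mbr_partitions(data)]


def make_vmdk_sample() -> bytes:
    # Constructed: magic + version 1, zero-padded to two sectors.
    return (VMDK_SPARSE_MAGIC + struct.pack("<I", 1)).ljust(2 * SECTOR, b"\x00")


def make_raw_mbr_sample() -> bytes:
    # Constructed: one bootable Linux (0x83) partition starting at LBA 2048.
    disk = bytearray(2 * SECTOR)
    entry = b"\x80" + b"\x00" * 3 + b"\x83" + b"\x00" * 3 + struct.pack("<II", 2048, 20480)
    disk[446:462] = entry
    disk[510:512] = MBR_SIGNATURE
    return bytes(disk)


def make_raw_gpt_sample() -> bytes:
    # Constructed: protective MBR (type 0xEE) plus GPT signature in sector 1.
    disk = bytearray(make_raw_mbr_sample())
    disk[450] = 0xEE
    disk[SECTOR:SECTOR + 8] = GPT_SIGNATURE
    return bytes(disk)


if __name__ == "__main__":
    for name, sample in (("vmdk", make_vmdk_sample()), ("raw", make_raw_mbr_sample())):
        print(name, identify_image(sample), file_system_offsets(sample))
```

To run it on a real file, read its first 1024 bytes (`open(path, "rb").read(1024)`) and pass them to `identify_image`; a result of `vmdk-sparse` or `vmdk-descriptor` means the file must be converted to a raw image first, exactly the situation the report ran into.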
Figure 33. FTK Imager
FTK Imager was used to create a raw image from the vmdk image. The above screenshot shows
the data being processed and the raw image being created.
The image above is a screenshot of the completion of the conversion of the vmdk image file
into the raw image file format. FTK Imager displays the verification results of the file in
multiple forms, such as MD5 hash, SHA1 hash, and bad block list, to identify whether the conversion
was done properly. Looking at the MD5 hash values, we discovered that the computed hash
value and the reported hash value are a match. The same was true of the SHA1 hash values.
The bad block list identified that there were no bad blocks found in the raw image.
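The hash comparison FTK Imager performs can be reproduced independently, which is useful when the verification has to be re-checked on another machine or recorded in the case notes. The Python below is an added example, not the report’s own procedure or FTK Imager’s code; it hashes a file in one streaming pass (so a 10 GB image never has to fit in memory) and compares the MD5 and SHA1 digests against the values copied from the tool’s verification dialog. The sample image is a small constructed file written to a temporary location.

```python
"""Verify an acquired image against the hashes the imaging tool reported.

Added example, not from the report or from FTK Imager. Streams the image
in 1 MiB chunks, computes MD5 and SHA1 in one pass, and compares them with
the values the examiner copied from the verification dialog.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read size; keeps memory flat on multi-GB images


def hash_image(path):
    """Return (md5, sha1) hex digests computed in a single pass over the file."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(path, reported_md5, reported_sha1):
    """Compare computed hashes with reported ones; both must match to pass.

    Case and surrounding whitespace are normalised because values pasted
    from a dialog or a text report often carry either.
    """
    computed_md5, computed_sha1 = hash_image(path)
    result = {
        "path": path,
        "size_bytes": os.path.getsize(path),
        "computed_md5": computed_md5,
        "computed_sha1": computed_sha1,
        "md5_match": computed_md5 == reported_md5.strip().lower(),
        "sha1_match": computed_sha1 == reported_sha1.strip().lower(),
    }
    result["verified"] = result["md5_match"] and result["sha1_match"]
    return result


def custody_line(result):
    """One-line record for the case notes, e.g. 'VERIFIED 3 bytes md5=... sha1=...'."""
    status = "VERIFIED" if result["verified"] else "MISMATCH"
    return (f'{status} {result["size_bytes"]} bytes '
            f'md5={result["computed_md5"]} sha1={result["computed_sha1"]}')


def write_sample_image(content=b"abc"):
    """Constructed stand-in for the raw image; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".raw")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    sample = write_sample_image()
    # Digests of the three bytes "abc", standing in for the values FTK reported.
    res = verify_image(sample,
                       "900150983cd24fb0d6963f7d28e17f72",
                       "a9993e364706816aba3e25717850c26c9cd0d89d")
    print(custody_line(res))
    os.remove(sample)
```

Recording both digests, as FTK Imager does, matters because MD5 alone is no longer collision resistant; a SHA1 (or better, SHA-256) value alongside it gives the chain of custody a second, independent check.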
Figure 35. Results
The results of the raw image conversion were found on the USB drive that the raw image was
saved to. Figure 35 is a representation of all the file partitions of the raw image that were created
using FTK Imager. Once the imaging process was completed, we needed to move to an analysis
of the image to move the investigation onward. Loading the new raw image into Autopsy using
the steps previously discussed, we were able to start the analysis process.
The process of analyzing the raw image resulted in the identification of all the volumes
on the image stored on the USB drive. As shown in Figure 36, the data source of the image 20201106 had vol1,
vol4, vol5, vol6, and vol7 for analysis. Each of these volumes was a partition of the crdhost
virtual machine’s disk. Other important information found in the beginning stage of the analysis
showed that there were 22136 images found on this data source. 126 audio files were identified.
18071 archived files were present on the raw image. 46 database files were found using Autopsy
on the data source. There were 377 HTML documents, 4 Office files, 15 PDFs, 791 plain text
documents, and 4 .bat files.
Figure 36. Data Sources
Examination and Analysis
Among the HTML files found in Autopsy, we were able to discover the HTML
document main.html that had been used to collect user information. Through this document, we
identified that the data collected by the web page was the first name, last name,
date of birth, address, credit card number, and 3-digit pin.
Figure 37. Screen capture of the HTML document used to capture the user’s personal
information.
Upon further investigation using Autopsy, we were able to identify a data.csv file. In this file, we
found the fields from the main.html form, filled in with users’ information. As
shown in Figure 38, we can see that this information was being recorded on crdhost and that the
users’ information was being stored insecurely. This was exactly what our investigation was
charged to prove: that the virtual machine in the Google Cloud Platform was utilizing a web
application to steal people’s information.
Figure 38. Screenshot of the data.csv file that stores the users’ personal information.
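As an added example, not from the report, the Python below shows how an examiner can confirm from a recovered data.csv that the stored values are real card numbers rather than arbitrary digits, count the affected records, and produce a masked listing suitable for the report (full card numbers should not be reproduced in case notes). It applies the Luhn check-digit test that card numbers satisfy and flags whether a PIN/CVV-style column is stored next to the card number. The rows are constructed with placeholder names and publicly known test card numbers; the column names are assumed from the fields the report lists for main.html.

```python
"""Scan a recovered CSV for stored card numbers and report them masked.

Added example, not from the report. Column names are assumed from the
fields the report lists for main.html; the rows are constructed with
placeholder names and publicly known test card numbers.
"""
import csv
import io
import re

# Constructed stand-in for data.csv (not the file recovered in the report).
SAMPLE_CSV = """first_name,last_name,dob,address,card_number,pin
Alice,Example,1990-01-02,1 Sample St,4111111111111111,123
Bob,Example,1985-05-06,2 Sample Ave,1234567890123456,456
Carol,Example,1979-09-10,3 Sample Rd,5500 0000 0000 0004,789
"""

PAN_SHAPE = re.compile(r"^\d{13,19}$")   # card numbers are 13 to 19 digits
SENSITIVE_AUTH_COLUMNS = ("pin", "cvv", "cvc", "csc")


def luhn_ok(number: str) -> bool:
    """Luhn check-digit test: every real card number passes; most random digit strings do not."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the last four digits, the form a report or log may show."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_card_numbers(csv_text: str):
    """Return one hit per cell that holds a Luhn-valid card number."""
    hits = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):   # line 1 is the header
        for column, value in row.items():
            digits = re.sub(r"[\s-]", "", value or "")   # tolerate '5500 0000 ...' spacing
            if PAN_SHAPE.match(digits) and luhn_ok(digits):
                hits.append({"line": line_no, "column": column, "masked": mask(digits)})
    return hits


def exposure_summary(csv_text: str):
    """Counts an examiner would put in the report: affected rows and columns,
    plus whether a PIN/CVV-style column is stored alongside the card number."""
    hits = find_card_numbers(csv_text)
    header = next(csv.reader(io.StringIO(csv_text)))
    return {
        "records_with_card_numbers": len({h["line"] for h in hits}),
        "card_number_columns": sorted({h["column"] for h in hits}),
        "stores_sensitive_auth_data": any(
            any(tag in col.lower() for tag in SENSITIVE_AUTH_COLUMNS) for col in header
        ),
    }


if __name__ == "__main__":
    for hit in find_card_numbers(SAMPLE_CSV):
        print(hit)
    print(exposure_summary(SAMPLE_CSV))
```

The Luhn test is only a plausibility filter (one row in the sample has a 16-digit value that fails it), but it separates genuine card data from other long numeric fields such as dates or identifiers, and the masked output lets the finding be documented without copying the cardholder data into yet another unprotected file.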
Results
We identified that the system was on a Google server by tracking down the IP using an IP
address lookup web tool. By identifying that the system was being operated on the Google
platform, we were able to contact Google and request access to the suspected system with a
federal warrant. This allowed our forensic investigative team to gain access to the Google
Cloud Platform Compute Engine instance of the virtual machine in question. Utilizing the elevated
access to the Google Cloud Platform, the virtual machine was identified as crdhost with the
internal IP address of 10.128.0.3 and external IP address of 23.251.149.22, matching what was
found on the Geolocation web application. Upon further investigation, we were able to gain more
information about the crdhost virtual machine directly. The information found about the virtual
machine included the day and time the virtual machine was created, the instance id, the remote access
protocol, log information, network information, and system-specific information.
Crdhost had a CPU platform of AMD Rome and a virtual hard drive of 10 GiB.
Crdhost was found to have a Debian image. The type of disk was a standard persistent disk, and
encryption of the virtual machine was Google-managed. Looking at the VM instance monitoring
dashboard, we were able to obtain the CPU utilization and network bytes dashboard data of the
virtual machine. We found that on the first day crdhost was created, October 21st, 2020, there
was high CPU utilization, using up to 40% of the CPU capacity of the virtual machine, with two
other high points in CPU utilization on October 28th, 2020 and November 7, 2020. Network
traffic on crdhost was also highest on October 21st, 2020, when the virtual machine was first
created. While traversing the Google Cloud Platform we were able to come across logs of
crdhost. We were able to generate logs spanning the lifetime of the virtual machine, and the
Logs Explorer presented a histogram of the log entries that were captured.
The Google Cloud Platform log utility allowed us to see specific events that were
captured, such as the updating of keys for a user, adding a user to the google-sudoers group, and
other key moments in the operation of crdhost. We were able to download the logs from
crdhost to perform a deeper analysis of the log information. Our findings in the export of the logs to
a JSON file were that the user aarsande was added to the google-sudoers group, which is an
elevated user privilege role on the virtual machine. We were able to identify a user account on
crdhost that was created for the user casey_aniceto. Using the Google Cloud Platform Image
feature we were able to create a vmdk image of the virtual machine crdhost. Once the image was
created, the image was exported and saved to an investigator’s personal computer to run further
analysis on the image. A case was created using the software Autopsy for the investigation under
the case name of GCP 20201106, case number 20201106, date created 2020/11/09 21:30:40
EST, and case type single-user case. The examiner of the case was Casey Aniceto.
We uploaded the downloaded vmdk image to Autopsy for investigation but continuously
encountered errors when processing the crdhost image file. The error that
we received was “Failed to add data source (critical errors encountered). Click below to view the
log.” Upon further review, the underlying error was “Cannot determine file system type (Sector
offset: 0)”. Through a review of multiple online sources, we found that the vmdk image was not
going to work in the Autopsy application. We deferred our efforts in the investigation of the
image until we could be sure that the image could be investigated using the forensics analysis
tool Autopsy. We uncovered that the vmdk image would need to be converted to a raw image to
continue the investigation. We used FTK Imager to convert the vmdk image of crdhost into a
raw image that could be uploaded into Autopsy for analysis. To prove that the raw image was an
exact image of the vmdk image, a computed hash value in MD5 was obtained showing that both
the vmdk and the raw image were an exact match. This proved that the integrity of the data was
intact. Once the file was converted, we opened our case and added the new
raw image file. The raw image file worked as intended, and the analysis with Autopsy was
completed. The results of those findings follow.
The results of the Autopsy analysis captured two main pieces of evidence through the
cloud forensics analysis. There was a main.html document that had fillable form data to retrieve
people’s personal information, such as first name, last name, date of birth, address, credit card
number, and 3-digit pin. This was the web page used to steal users’ information. The main.html
file was located in the mynewuser directory, on the desktop of that user’s profile. The
other evidence found on the crdhost virtual machine image was a data.csv file that had captured
multiple users’ personal information. This was also located on the desktop of the mynewuser
profile. This demonstrated that the web application was working and capturing user data. The
motive of the crime was to get users of the crdhost HTML web application to provide their personal
information and credit card data so that it could be stolen.
Conclusions
In conducting the cloud forensic process, a great number of things were learned
from this research. Learning how to build a virtual machine hosted on the Google Cloud
Platform was very interesting because hosting a virtual machine instance required a lot of
intricate steps. We learned that using the Compute Engine instance utility on the Google Cloud
Platform allowed us to build the virtual machine, but creating remote connections to the virtual
machine was a more technically challenging task. The process to create remote connections
included using the SSH window connected to the virtual machine instance to update the
package manager and install wget. From there we downloaded the Debian Linux
Chrome Remote Desktop installation package and ran the installation. We then had to decide
what kind of desktop environment we wanted to use for conducting the cloud forensic
process on the virtual machine instance, and decided on Cinnamon. We chose the Cinnamon
environment because it is a full-featured traditional desktop environment where we could
focus on the forensic process of the cloud rather than use a lightweight desktop and not
have all the tools and utilities we needed to carry out the cloud forensic process.
Once the virtual machine and all remote user accounts were created, we learned a lot
about the Google Cloud Platform utilities that helped us conduct the forensic process, such as the
Compute Engine utility, disk feature, images feature, monitor VM feature, and other tools that
are hosted on the Google Cloud Platform Compute Engine. Utilizing these on-demand features
from the Google Cloud Platform allowed us to concentrate on the virtual machine more intensely
because our attention was not drawn away to evaluate which open source tools we could use to
interface with the Google Cloud Platform virtual machine instance. Instead, we could utilize the
Google Cloud Platform utilities to retrieve important and impactful information to help move the
cloud forensic process forward. Using the disks feature in the Google Cloud Platform Compute
Engine, we were able to create a vmdk image of the virtual machine and transfer that exact bit-for-
bit copy to a local forensics investigator’s computer to conduct the rest of the forensics process.
One important thing that was learned from the forensics investigator’s perspective is
that if you pursue making a disk image of a virtual machine you have access to, this may alert
the Google Cloud Platform virtual machine owner, because Google will bill the project
for the process of creating an image. So, creating the image should be done knowing this can
occur and can ultimately alert the owner of the virtual machine that it is being copied.
After downloading the vmdk image, we tried to utilize the software Autopsy to investigate
the image, but there were setbacks. We were unable to load the vmdk image as a disk image or
VM file using Autopsy, but we did find a workaround to analyze the image data. We had to
transform the vmdk image into a raw dd image format using the software FTK Imager. Once we
completed this format change of the vmdk image to raw data, we were able to load the image
into Autopsy and continue the forensics process. We were then able to retrieve the information that
initially alerted our team to the cloud forensic investigation, and we proceeded to document our
findings in this report. The major takeaway from conducting the cloud forensic process was that
when utilizing the cloud service provider’s platform, you may have some utilities that can be
used to help in the forensic process. While we didn’t initially have a solid idea of how this
research experiment on conducting the forensics process in the cloud would turn out, we achieved
our goal of turning up evidence that can be used as admissible evidence in a court of law.
Recommendations
Our recommendations for conducting the cloud forensics process are to first establish what
the objectives of the investigation are. For our research experiment, our objectives were to
establish a virtual environment, conduct the forensics process, and gather evidence that would be
relevant to the case. When you establish the case objectives upfront, you are more likely to
approach the process more objectively. Learn about the cloud service provider’s utilities and
features, because these tools offer the investigative team the opportunity to use tools that were
built for the cloud service provider’s services. Make sure that the tools you are going to use to
conduct the forensic process are compatible with the cloud service that you are investigating;
otherwise, like us, you will be looking for ways to change the format of an image to proceed with
the investigative process. This can save you time and the risk of damaging the image when trying to
convert the image into a format compatible with the forensics software. Document everything! To be
successful in the investigation, everything that you do or try needs to be documented so that the
process can be repeated. This adds to the credibility of your investigation and also provides the
evidence to back up your claims in the investigation.
Future Work
While advances continue in cloud forensics, challenges still impede investigations in
the cloud. Current investigation practices involve the analysis of data on a standalone forensics
machine. Although we were working with a virtual machine on Google’s IaaS, which works
logically like a physical machine and makes collecting data and evidence easier, cloud providers
offer many other platform and software services that provide almost no feasible data collection
process. As mentioned in our literature review regarding jurisdiction, collecting data in multiple
jurisdictions is a daunting task; while many states and countries operate under their own laws, there
still isn’t a good answer as to how to collect data from multiple jurisdictions in an effective
manner. Since cloud computing is such a big area of technology today, there should perhaps be a
cloud forensics certification created; this certification would allow practitioners to gain the
knowledge needed to conduct investigations and learn new technologies.
Large cloud platforms such as Google and AWS should begin efforts to create a Forensics-as-a-
Service (FaaS) product for handling incident reports on their platforms. As mentioned in our
literature review, such a service would save investigators valuable time and resources when
conducting investigations. Although services such as Google and AWS grant users a decent amount
of rights to their data, during forensic investigations of services whose data is not stored logically
as a machine, it is very difficult to navigate and collect data.
With there being many public and private cloud service providers, in many jurisdictions,
providing many services, perhaps there should be some guidelines and compliance requirements
created to operate. With these guidelines, there would be required data models that were agreed
upon in the scientific community.
With cloud computing becoming more and more a major area of technology, perhaps those in
the digital forensics and cloud computing communities should come together and create a
certification for cloud forensics. For the certification, investigators would learn the skills needed to
investigate efficiently by studying jurisdictional laws and challenges and cloud platforms such as
AWS, GCP, and Microsoft Azure. This certification would be useful for many digital forensics
teams.
These areas of cloud forensics should be researched further if cloud computing is becoming
more important in today’s age of technology. With cloud forensics already being daunting for
investigators, it would benefit many in the digital forensics community if more work were
done in these areas.
Exhibit
References
AccessData. (2020, 11 23). FTK Imager. Retrieved from AccessData:
https://accessdata.com/products-services/forensic-toolkit-ftk/ftkimager
USA PATRIOT Act. (2001, 10 26). Uniting and Strengthening America by Providing Appropriate
Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001. Retrieved
from https://www.congress.gov/107/plaws/publ56/PLAW-107publ56.pdf
Austin, D. (2019, 07 19). Cloud Data is Within Defendant’s Possession, Custody and Control,
Court Rules: eDiscovery Case Law. Retrieved from EDiscovery Daily Blog, Cloudnine:
www.ediscovery.co/ediscoverydaily/electronic-discovery/cloud-data-within-defendants-
possession-custody-control-court-rules-ediscovery-case-law/
Autopsy Digital Forensics. (2020, 11 05). Autopsy. Retrieved from Autopsy:
https://www.autopsy.com/
Bill West, D. C. (2019, 06 20). How Are Cloud Computing and Data Centers Related? Retrieved
from connectria.com: https://www.connectria.com/blog/how-are-cloud-computing-and-data-
centers-related/
Cauthen, J. (2014, October 07). Executing Search Warrants in the Cloud. Retrieved November
02, 2020, from https://leb.fbi.gov/articles/featured-articles/executing-search-warrants-in-the-
cloud
David Willson, A. a. (2013). Legal Issues of Cloud Forensics. Retrieved from Global
Knowledge:
http://www.mcrinc.com/Documents/Newsletters/201402_Legal_Issues_of_Cloud_Forensics.pdf
Lillis, D., Becker, B. A., O’Sullivan, T., & Scanlon, M. (2016). Current Challenges and Future
Research Areas for Digital Forensic Investigation. In CDFSL Proceedings 2016. Retrieved from
https://markscanlon.co/papers/CurrentChallengesAndFutureResearchAreas.pdf
Debian. (2020, 11 23). Debian. Retrieved from Debian: https://www.debian.org/
Dykstra, J., & Sherman, A. (2012, August 02). Acquiring forensic evidence from infrastructure-
as-a-service cloud computing: Exploring and evaluating tools, trust, and techniques. Retrieved
November 02, 2020, from
https://www.sciencedirect.com/science/article/pii/S1742287612000266
Federal Bureau of Investigation. (2020, 11 23). Cyber Crime. Retrieved from FBI:
https://www.fbi.gov/investigate/cyber
Google. (2020, 11 01). Google Cloud. Retrieved from Google Cloud:
https://cloud.google.com/gcp/?utm_source=google&utm_medium=cpc&utm_campaign=na-US-
all-en-dr-bkws-all-all-trial-e-dr-1009135&utm_content=text-ad-lpsitelinkCCexp2-any-DEV_c-
CRE_133492393327-
ADGP_Hybrid%20%7C%20AW%20SEM%20%7C%20BKWS%20%7C%20US%20%7C%20e
n%20%
James, M., & Szewczyk, a. P. (2017). Jurisdictional Issues in Cloud Forensics. Retrieved from
https://www.cscan.org/openaccess/?id=362
Keyun Ruan, J. C. (2013). Cloud Computing Reference Architecture and Its Forensics
Implications: A Preliminary Analysis. Institute for Computer Sciences, Social Informatics and
Telecommunications Engineering, 1-21.
Location, I. (2018, December 20). How accurate is IP-based Geolocation Lookup? Retrieved
from iplocation.net: https://www.iplocation.net/geolocation-accuracy
Miller, R. (2019, 12 03). Google Building More Data Centers for Massive Future Clouds.
Retrieved from datacenterfrontier.com: https://datacenterfrontier.com/google-building-more-
data-centers-for-massive-future-
clouds/#:~:text=The%20search%20leader%20is%20expanding,and%20one%20in%20South%20
America.
Miyachi, C. (2018). What is “Cloud”? It is time to update the NIST definition? IEEE Cloud
Computing, 1-6.
Muhammad Faheem, T. K.-K. (2015). The State of the Art Forensic Techniques in Mobile Cloud
Environment: A Survey, Challenges, and Current Trends. International Journal of Digital Crime
and Forensics, 1-19.
National Institute of Standards and Technology. (2011, September 28). SP 800-145 The NIST
Definition of Cloud Computing. Retrieved from NIST:
https://csrc.nist.gov/publications/detail/sp/800-145/final#pubs-abstract-header
Henry, P., Williams, J., & Wright, B. (2013, July). The SANS Survey of Digital Forensics and
Incident Response. Tech. Rep.
Remy, J. (n.d.). White Paper: Cloud-Based Data Collection & Analysis: A NW3C Best Practices
Guide. Retrieved November 02, 2020, from https://www.magnetforensics.com/resources/cloud-
data-collection-analysis-nw3c/
Saurav, N., & Raymond, H. (2016). Forensics as a Service: Three-tier Architecture for Cloud-
based Forensic Analysis. Retrieved from academia.edu:
https://www.academia.edu/27421815/Forensics_as_a_Service_Three_tier_Architecture_for_Clo
ud_based_Forensic_Analysis?auto=download
Search and Seizure Warrant. (2013). Retrieved November 24, 2020, from
https://www.uscourts.gov/forms/law-enforcement-grand-jury-and-prosecution-forms/search-and-
seizure-warrant
Simou, S., Kalloniatis, C., Gritzalis, S., & Mouratidis, H. (2016, 11 08). A survey on cloud
forensics challenges and solutions. Retrieved from Wiley Online Library:
https://onlinelibrary.wiley.com/doi/full/10.1002/sec.1688
Spectre Intelligence. (2019, 12 23). Federal Rules of Evidence and How it Applies to Cloud
Forensics Examinations. Retrieved from Spectre Intelligence:
https://www.spectreintel.com/federal-rules-of-evidence-and-how-it-applies-to-cloud-forensics/
Weiwei Kong, Y. L. (2018). Data security and privacy information challenges in cloud
computing. International Journal of Computational Science and Engineering, 215-218.
Retrieved from International Journal of Computational Science and Engineering.
58

Research Paper Digital Forensics on Google Cloud Platform

  • 1. Study of Digital Forensics on Google Cloud Platform Group 6 Aaron Sanders Casey Aniceto Samuel Borthwick Department of Computer and Information Technology, IUPUI CIT 56200 - Mobile and Network Forensics
  • 2. 1 Executive Summary This report provides an analysis of Google Cloud Platform’s Compute Engine Services and an evaluation of the forensics process performed in a cloud environment. Furthermore, this report takes a look into the challenges and potential obstacles of performing the forensics process in a cloud environment and how that differs from a traditional setting. For research, a user case was put together where a user has been identified to distribute malicious code to capture and store users’ private credit card information. Methods of analysis started by building a virtual machine that was hosted on the Google Cloud Platform, creating remote connections using the SSH window, and installing the Debian Linux Chrome Remote Desktop. Following this, a vmdk image was created using the disks feature in the Google Cloud Platform to transfer an exact bit for bit copy of the cloud for investigation. The vmdk image was then transformed into a raw dd image using FTK -Imager and then uploaded to Autopsy for forensic analysis. To verify that the vmdk image was a bit for bit replica of the raw image, a computed hash value in MD5 was obtained showing the images were an exact match, maintaining the integrity of the data. The results of the Autopsy showed two key pieces of evidence through the cloud forensics process. First, there was a main.html document that had fillable form data to retrieve people’s personal information. The second piece of evidence included a crdhost virtual machine image that contained a data.csv file that captured multiple user’s personal information. The inspiration behind the crime was to get users of crdhost HTML web applications to provide their personal and financial information for it to be stolen. Based on the research of this report, it is recommended that:
  • 3. 2 ● Objectives of investigation are outlined to approach the process objectively ● Tools the investigator is using are compatible with the cloud service being investigated ● Investigator take advantage of utilities provided by the cloud service ● All steps taken are documented to show transparency and credibility Problem Statement and Case Study With further advancements in cloud computing technology leading to adoption growth seen at consumer and enterprise levels, Google Cloud Platform, Microsoft Azure, and Amazon Web Services have become the host of many major applications. Looking ahead to the next 10 years, 451Research states “More than 90% of organizations will be using some form of the cloud, with the balance of IT deployment tipping toward off-premises within two years. At the same time, organizations are pursuing more deliberate cloud and hybrid-cloud strategies. (MacDonald, 2018)” With cloud platforms becoming a convenient utility for many, those who desire to commit computer-related crimes have also gained interest in the technologies. With cloud computing advancing, digital investigations challenges have emerged requiring investigators to understand the crucial impacts it has on forensic tasks. The discovery of new methods and tools related to conducting a digital investigation in a cloud environment is in need to cope with various cloud scenarios. For this research project, we will be studying Google Cloud Platform’s Compute Engine services. In our case, a user has been identified to distribute malicious code to capture and store users’ private credit card information. An IP address has been detected and was used to discover it’s potentially running on the Google Cloud Platform in its Council Bluffs, Iowa server. Tools and Methods must be uncovered to collect evidence and maintain its integrity. The possibility of
  • 4. 3 collecting server logs/data, if it exists, should be discussed since it would be a good indicator to detect the possibilities of other suspects/leads in the case. Literature Review Data security and privacy information challenges in cloud computing Data security and privacy information challenges in cloud computing is an analysis in the cloud computing environment. Cloud computing has special characteristics that must be considered when analyzing security architecture. According to Weiwei Kong, “the cloud can be viewed as a shared resource, so we cannot guarantee that other sharers are not dangerous. In other words, we cannot confirm the legitimacy of other resources (Weiwei Kong, 2018)”. researchers also discuss whether the cloud provider may be able to modify or delete the data in the cloud. This affects the integrity of the data before evidence collection has even taken place because the evidence has now been tampered with. There must be an understanding that the information in the cloud should be kept intact with no alterations with the cloud provider and a cloud forensics team to ensure that no evidence or data has been tampered with. Any alterations to the cloud should be documented and notification should be sent out to the digital forensics team. The paper discusses potential security approaches that can be utilized to combat the security concerns of cloud computing. The use of a private cloud is owned and operated by an organization. The private cloud model provides the solution against the repudiation that the data stored on the cloud is from the cloud computing owner. The use of encryption on the cloud resource to provide a higher level of security for the integrity of the data being stored on the cloud is another possible solution. Using encryption ensures that the data cannot be viewed or altered without the proper encryption keys to access the data. The problem that cloud forensics
  • 5. 4 investigators will have with the mentioned solution is that the encryption will also prevent investigators’ access to the data they are trying to collect. What is “Cloud”? It is time to update the NIST definition? What is “Cloud”? Is it time to update the NIST definition, is an article about the structure of a cloud environment. According to Christine Miyachi, “Amazon Web Services (AWS) was one of the first companies to use the word “cloud” in their product advertising (Miyachi, 2018)“. The cloud is a fairly new term and the resources and services provided by cloud service providers have grown. The National Institute of Standards and Technology (NIST) defines cloud computing “[as] a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” (National Institute of Standards and Technology, 2011). NIST defined the cloud as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). Software-as-a-Service provides the use of an application to a consumer on the cloud platform. The application was accessed either by a client interface like a web browser or program. Platform-as-a-Service uses the cloud infrastructure of a customer created application using features like programming languages, libraries, services, and tools supported by the cloud service provider (Miyachi, 2018). Additionally, Miyachi indicated that Infrastructure-as-a-Service provides computational processing, storage, networks, and other computing resources where a customer can access. The customer does not manage or control the cloud infrastructure but has control over the operating systems, storage, and applications.
  • 6. 5 A new model that is being created is for cloud computing builds on the preexisting NIST definitions of the cloud. The model integrates the NIST definitions into a layered framework. Figure 1. An updated model of cloud computing According to Miyachi, the introduction of a new cloud framework will require that cloud forensic practices need to be updated as well (Miyachi, 2018). Using the figure above we see that there are a few new additions to the cloud services such as Foundational PaaS. Miyachi summarized that this new service will store objects in the cloud which may change how the evidence collection process is done (Miyachi, 2018). This is important to note because as these new services are developed the need for best practices and standardized processes for cloud forensics will need to also be developed as well. According to Miyachi, “IT departments across the world are using SaaS to provide their employees with enterprise applications (such as email, storage, and word processing applications) as well as to provide customers with applications, such as package tracking for a logistics firm or catalog and shopping cart for an eCommerce
  • 7. 6 firm. This means that cloud forensics investigators will need to work with cloud service providers more often to collect evidence in the forensics process. The State-of-the-Art Forensic Techniques in Mobile Cloud Environment The State-of-the-Art Forensics Techniques in Mobile Cloud Environment is about mobile cloud forensics. According to Muhammad Faheem, “Mobile Cloud computing is a combination of two new emerging information technology worlds (Muhammad Faheem, 2015)”. The use of smartphones has made access to mobile cloud resources widely available to areas of the world that could not before. With the increase and growth of the smartphone cloud service providers of mobile cloud computing are expanding their capabilities to meet these new demands. There are many advantages to the use of smartphones in today’s mobile world that their predecessors such as a laptop have trouble competing against like device size, battery life, and weight. Faheem states, “Mobile devices are capable of performing a collection of functions that ranges from a simple voice call to the complex functions of a personal computer (Muhammad Faheem, 2015)”. Faheem quotes the International Data Corporation (IDC), “In the latest survey, IDC announced that the worldwide Smartphone market raised 25.3% in the second quarter of 2014, it is a new quarterly record of 301.3 million shipments (IDC) (Muhammad Faheem, 2015)”. With the rapidly growing interest in using smartphones to connect to the internet the use of mobile cloud computing resources is also growing. With more people accessing the internet and using the cloud with their smartphones the opportunity to conduct unlawful activities is also present. According to Faheem, “It is vital to extracting the forensic evidence from the cloud and the third- party application providers in addition to that of traditional mobile devices (Muhammad Faheem, 2015)”. The success of the evidence collection of mobile applications hosted on the cloud is
  • 8. 7 going to be done not on the tools to analyze the evidence but the rate at which the forensic process is executed. The time it takes to gather all the evidence could be the determining factor in which the right evidence is collected because so many users may be accessing the mobile cloud application that data may be altered before investigators have captured what is needed in real-time. According to Faheem, “Current forensic tools and technologies require improving data examination speed as it involves a vast amount of digital data (Muhammad Faheem, 2015)”. There are many barriers to the execution of the forensic process when I come to mobile cloud technologies. To overcome these challenges better processes for achieving identification and preservation of data corresponding to suspects of crimes using mobile cloud technologies must be addressed. Cloud Computing Reference Architecture and Its Forensic Implications: A Preliminary Analysis This paper is an analysis of the forensic implication of cloud computing. This is a look at the responsibilities of individuals of the cloud environment in the cloud forensics investigation. The paper provides feedback and input for integrating cloud forensics considerations in cloud architecture. According to Keyun Ruan, “digital forensics has historically been an “after-after- thought” whereas security has been an “after-thought” whenever new technologies emerge. This could be one of the reasons why today’s cybercrime causes an annual loss of 750 billion Euros in Europe alone, according to new statistics released by Interpol (Keyun Ruan, 2013)”. Figure 2
  • 9. 8 Figure 2. Cloud Actors and Segregation of Duties Above is a figure of cloud actors and their respective roles in the forensics process. Here we see that each section of the cloud provider has internal responsibilities. Beyond the cloud service provider, the domain is the cloud has four roles: the cloud consumer, auditor, broker, and carrier. In the cloud provider domain, the provider is accountable for the reinforcement of the security and privacy of the cloud services. According to Ruan, “Forensic artifacts for the hardware layer include hard disks, network logs, router logs, etc. This layer also includes data center artifacts such as access records, facility logs, activity logs, interior and exterior camera footage, biometrics records, visitor records, organization chart and contact information, etc. Gaining access to actual physical data centers and carrying out an on-site investigation can be too costly or even impossible in most cases (Keyun Ruan, 2013)”.
  • 10. 9 Access to the hardware layer of the cloud service can be very troublesome to both the investigators and the cloud service provider. The alternative in this situation is to create a mutual trust relationship with the cloud service provider and the investigative law enforcement team with remote access to conduct forensics through the cloud service provider. This paper discusses scenarios in which forensics roles and responsibilities to the process are examined. Search Warrant Process for Cloud Part of the challenge of performing forensics on cloud computing is the process of getting a search warrant. In particular, the legal system often has difficulty keeping up with law enforcement in recognizing new technologies (Cauthen, 2014). According to John Cauthen in his article “Executing Search Warrants in the Cloud,” executing law enforcement searches in a cloud computing environment presents a two-fold problem. First, there is very little and in some cases no data about a computer user that is found in a single geographic area. This presents a major challenge because most search warrants being done today reference a particular location, which then narrows the scope that forensics can be performed. This disconnect here comes from the fact that many lawyers and judges do not have a strong understanding of how digital forensics works. Many assume all digital evidence is stored on a single hard drive similar to that of a filing cabinet. However, this is not the case for most large businesses and government enterprises, where computer users are generally connected to a network that serves as a terminal to a much larger networking system. Items such as emails and files can be viewed using the computer, but the majority of files are maintained on another computer located elsewhere. Because of this, if an investigator merely searches a user’s computer, very little data will be able to be found because any records of importance will be stored on other network computers.
  • 11. 10 In cases of cloud computing, files are stored not just on the corporate network, but also throughout the internet. In general, users of cloud services rent from a provider who maintains data storage facilities. These facilities may be regionally located or spread out over multiple data centers across multiple countries. The problem here is finding where the data is physically stored, as even the administrator may not know which data is physically stored where. The storage of data also can be complicated as some data will be encrypted. Figure 3 gives a summary view of best practices for dealing with different types of stored data: Figure 3. How Data is stored? To navigate around these artificial barriers, search warrants can be served under US code 2703 which covers transactional records such as payments and emails and does not require as much geographic specificity. According to Cauthen, another potential solution is “The
  • 12. 11 investigator could consider combining two search warrants-one on the computer owner for the location being searched under Rule 41 and one on the cloud provider under Code 2703 for the content to which the computer is connected (Cauthen, 2014).” Under this method, the investigator must have a high-level understanding of how to operate the database and formulate queries, as the queries need to comply with the search warrant. Figure 4 displays a the best practices based on circumstance: Figure 4. Where is the Data? Acquiring Forensic evidence from Cloud Infrastructure Acquiring forensic evidence from cloud computing services leads to a variety of challenges both legally and technically (Dykstra, 2020). Seizure and obtaining digital artifacts are the initial steps in the forensic process. When obtaining evidence, remote investigators may collect the evidence directly from the source of origin, or service providers may deliver it. Both scenarios require a different set of technical solutions. According to Josiah Dykstra in his publication, Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and
evaluating tools, trust, and techniques, a key element of the forensic process is maintaining transparency and trust throughout. Because most judges and jurors will not have deep knowledge of the technical side of forensics, such as the tools used to extract evidence, they have to decide whether they trust the integrity of the investigator's methods. Figure 5 outlines the six layers of an IaaS cloud and the cumulative trust that must be placed in each layer:

Figure 5. 6 Layers of IaaS Cloud

Dykstra notes that currently law enforcement asks the cloud service provider for data after a search warrant or subpoena is issued. The provider then executes the search, collects the data, and returns it to law enforcement. Since law enforcement does not oversee how the provider collects the data, it places a large amount of trust in the provider to return accurate and complete results. Furthermore, the jury must trust that the technician performing the search queries is both ethical and competent. Two widely used forensic tools are EnCase Enterprise and AccessData FTK (Dykstra, 2020). Dykstra and his team deployed both tools in experiments against IaaS clouds, including Amazon's, to weigh the advantages and disadvantages of each. Both EnCase and FTK performed at comparable levels, as shown in Figure 6. Note that each tool also requires a different level of trust.
Figure 6. Results of experiments

Following the analysis, Dykstra stated the following conclusion: “Our recommendation for the forensic acquisition of IaaS cloud computing is the management plane. This option offers the most attractive balance of speed and control with trust. We encourage cloud providers to make forensic data available to users in this way, and we have begun an implementation to do so. While EnCase and FTK successfully returned evidence, we do not recommend using them for remote forensics in the cloud because too much trust is required. (Dykstra, 2020)”

Cloud-Based Data Collection & Analysis

The white paper “Cloud-Based Data Collection & Analysis” by Joseph Remy of the National White Collar Crime Center (NW3C) covers best practices for conducting cloud forensic investigations and extracting data from cloud-based services. The emergence of cloud computing has made storing data only on local devices increasingly impractical. As cloud storage has overtaken local storage, it has
become a heavy target for criminal activity. According to Remy, cloud-based data can be collected in three ways, each with its own challenges (Remy, 2020):

1. Relying on the user to download their data and turn it over for analysis
2. Using forensic software to analyze cloud backup files
3. Dealing with the cloud service provider to obtain the data

Users are often unavailable, and they are rarely willing to consent to give investigators data without legal action in the form of a warrant. Targeting data from victims seeking justice or from individuals seeking to prove their innocence may be a more effective strategy, as they may be willing to turn over their data without a warrant. Under the United States Constitution, a search warrant must particularly describe the location to be searched. This is challenging with cloud-based data because the physical data could reside in multiple locations around the world. To address this, investigators often cite the Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018, which gives US law enforcement the ability to collect cloud-based evidence from US-based technology companies for crimes that occur on US soil or involve US citizens. According to Remy, it is important to know how much data is needed before conducting your search (Remy, 2020). Under the Stored Communications Act of 1986, content stored for more than 180 days can be compelled with a subpoena or court order rather than a search warrant. Cases that require data older than 180 days generally involve child exploitation, homicide, and narcotics tracking. When performing forensic analysis over the cloud, Remy stresses that it is important to authenticate your evidence. Because cloud data is volatile, it can easily be edited or deleted. The most effective way to authenticate it is to correlate cloud data with data found on synced devices such as mobile
phones, tablets, or laptops. Showing these connections between the pieces makes for a stronger timeline and a better case, particularly when the subject has multiple devices. The user can also authenticate the data; however, this is challenging due to the vast amounts of data generally stored on devices.

Cloud Providers: Legal and Jurisdiction Findings

The cloud environment is by nature multi-jurisdictional. Google, for instance, now has 19 data centers around the globe: 11 in the United States, 5 in Europe, 2 in Asia/Pacific, and one in South America (Miller, 2019). Even when a data center is in a foreign country, data sovereignty is not guaranteed, because the cloud service provider can back up data to any data center it owns (James & Szewczyk, 2017). The location of the data center that houses a suspect machine's data can also affect how that data is treated locally. The USA PATRIOT Act (“Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001”) allows a government agency to access stored data without being subject to the limitations of a search warrant (ACT, 2001). Even though this Act applies to data stored within the United States, it highlights an attempt at legislation that allows the digital forensic practitioner to legally access cloud-based data. Collecting data stored in a cloud environment is still a daunting task when data is scattered across multiple data centers in multiple jurisdictions at any given time. The simplest way to address jurisdiction concerns is to look at the state of incorporation or headquarters of the cloud provider, since currently there appears to be no right answer. For some providers, the big ones in particular, an address and sometimes serving a subpoena on a
website are appropriate routes to take (David Willson, 2013). If necessary, it is best to compel providers to gather and turn over data, since you are unlikely to be given access to dig around their servers and figure out what you need to collect. When an examiner attempts to acquire digital evidence without the proper permissions or warrants, the evidence could be suppressed on a motion, and the examiner may be committing a prosecutable crime (Spectre Intelligence, 2019). Under the Federal Rules of Civil Procedure (Rule 34), material ‘in the defendant's possession, custody, or control’ is subject to production. In one of the first public cases involving a warrant issued specifically for cloud services, courts granted authority for digital evidence acquisition on cloud service platforms as early as 2011 (Spectre Intelligence, 2019). In the 2017 case Williams v. Angie's List, an Indiana federal court found that cloud data belonged to and was under the control of the defendant: “evidence before the Court demonstrates that Angie's List and Salesforce have a longstanding contractual relationship and that the background data is recorded ‘for’ Angie's List as part of the ordinary course of their business relationship. Even while end-users such as Angie's List ‘ordinarily’ do not access such data, the evidence demonstrates that they can do so upon asking. In fact, the most compelling fact before the Court is that Angie's List, despite dragging its feet and protesting vociferously, were actually able to retrieve and produce one year of the background data, collected for Angie's List as part of its use of Salesforce's sales platform, to Plaintiffs in discovery. The fact that Angie's List has already produced one-third of the requested data, coupled with the evidence demonstrating the relationship between Angie's List and Salesforce, compels the
conclusion that Angie's List has a ‘legal right to obtain’ the discovery sought.” (eDiscovery, 2017) This case set a precedent that cloud data is within the defendant's possession, custody, and control despite not being physically with them. Given that a defendant may be using a cloud service whose data is spread across multiple data centers in multiple jurisdictions, the rights the defendant holds over that data, together with the access granted to the examiner, allow the data to be captured and recorded regardless of location and jurisdiction.

Cloud Forensics as a Service

Conceptually, digital forensic investigative practices still apply when examining a cloud environment, but cloud computing adds complexity that brings many new challenges.

Data Collection: Every cloud provider uses its own deployment model, which makes it difficult to generalize data collection processes (Saurav & Raymond, 2016).
Loss of Data: Improper shutdown of virtual machines may lose important data and corrupt applications.
Access to network devices: All network devices are virtualized in a cloud environment, so it is difficult to get physical access to hardware devices, load balancers, and firewalls (Saurav & Raymond, 2016).
Early Forensics Investigations: Current cloud platforms lack forensics-aware applications that collect data for forensic analysis (Saurav & Raymond, 2016).
Current investigative practice involves analyzing data on a standalone forensics machine. Although we were working with a virtual machine on Google's IaaS, which behaves logically like a physical machine and makes collecting data and evidence easier, the platform and software services (PaaS and SaaS) that cloud providers offer provide almost no feasible data collection process. With cloud computing becoming more accessible, perhaps there should be a Digital Forensics as a Service product offered by cloud platforms. As Saurav Nanda and Raymond A. Hansen conclude in “Forensics as a Service: Three-tier Architecture for Cloud-based Forensic Analysis,” “Cloud providers, as of now, do not extensively support forensic-based analysis.” They explore a “Forensics as a Service” product offered alongside the SaaS, PaaS, and IaaS layers of cloud architectures. “FaaS components are completely accessible by the FaaS team members, who can provide all forensic information to the customer on demand. (Saurav & Raymond, 2016)” Whenever an incident is reported for forensic investigation, a request is made with the suspect's identification and the services being used; an automated data collection process then gathers all relevant data, including access logs that track every change made during collection so integrity can be maintained, long-term and volatile storage, and information on running processes. The gathered data is then handed over to examiners for analysis. Investigators would be given the option to investigate in the cloud or on a standalone local machine, with control over CPU, memory, and storage on demand. This would save investigators valuable time and resources while creating another pay-as-you-go service offered by cloud platforms.
(Saurav & Raymond, 2016) Those in the forensics and cloud computing research communities should come together to research and develop forensic tools in the cloud, such as a Digital Forensics as a Service platform. The platform would be able
to generate revenue on a pay-as-you-go model while investigators perform forensic analysis more efficiently.

Forensics Process

As stated in the problem/case study, an IP address was detected on an online store, and the computer behind it is suspected of collecting customers' private information and credit card numbers. The remainder of the paper is dedicated to our forensics process. We discuss each phase: identification, preservation, collection of evidence, examination and analysis, and finally presentation of our findings.

Identification

After noticing odd behavior on their online store, the IT team conducted a brief internal investigation and discovered the IP address 23.251.149.22. With this address, they can complete an IP address lookup with the tool at https://www.iplocation.net/ip-lookup.
Figure 7. IP-Lookup tool screenshot #1

Figure 8. IP-Lookup Return Results
The two pictures above show how the IP-Lookup tool is used. In the first screenshot, Figure 7, we enter the detected IP address. In the second, Figure 8, we show the results. Although we cannot confirm the accuracy of this tool, the site states the following: “The Geolocation lookup tool provided on this page is an estimate of where the IP address may be located. The data come from a few IP-Based Geolocation providers, and their accuracy varies depending on how quickly they update their database when changes occur. Since many Internet users are getting their dynamic IP addresses from their ISP, and most ISPs serve their customers in multiple regions causing Geolocation lookup to be accurate to the region they serve. For example, AT&T in the United States serve their customers in the entire USA and the accuracy may be limited to the Country level. Other ISPs may be serving smaller areas, and some ISPs create subnetworks to serve their customers in smaller regions. For this reason, the IP-based Geolocation will be about 99% accurate at the country level while the accuracy of State and City may be at a much less accurate level somewhere around 50% range (Location, 2018)”. From the returned results, the location of the computer is possibly Council Bluffs, Iowa, and the ISP and organization is Google LLC. Google also hosts a data center in Council Bluffs, Iowa, which leads us to believe that this computer is hosted on Google Cloud Platform. The organization attribution is the reliable part of this result, since it comes from the address registry rather than from geolocation estimates; the city is only an estimate. A stronger check is to match the address against the Cloud IP ranges Google publishes at https://www.gstatic.com/ipranges/cloud.json, which also list the region each prefix belongs to. With this information, we have probable cause to begin the process of getting a warrant for access to this machine on Google's servers.
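One way to perform that stronger check, as an added example that is not part of the original report: the script below parses a document with the shape of Google's published cloud.json and reports the most specific prefix (and therefore region) an address falls in. The prefix list embedded here is constructed from documentation address space so the script runs offline; a real lookup must load the live file from the URL above.

```python
"""Check whether an address falls inside Google Cloud's published ranges.

Added example; it is not from the original report. Google publishes its
Cloud address space at https://www.gstatic.com/ipranges/cloud.json, a
JSON object with a "prefixes" list of {ipv4Prefix|ipv6Prefix, service,
scope} entries. SAMPLE_CLOUD_JSON below is a constructed stand-in with
that shape (RFC 5737 / RFC 3849 documentation prefixes), not a copy of
the real file, so a real lookup must load the live document instead.
"""
import ipaddress
import json

SAMPLE_CLOUD_JSON = json.dumps({
    "syncToken": "1604620800000",
    "creationTime": "2020-11-06T00:00:00.000000",
    "prefixes": [
        {"ipv4Prefix": "203.0.113.0/24", "service": "Google Cloud", "scope": "us-central1"},
        {"ipv4Prefix": "198.51.100.0/24", "service": "Google Cloud", "scope": "europe-west1"},
        {"ipv6Prefix": "2001:db8:1::/48", "service": "Google Cloud", "scope": "us-central1"},
    ],
})


def load_ranges(raw_json):
    """Parse the prefix list into (network, scope, service) tuples."""
    ranges = []
    for entry in json.loads(raw_json)["prefixes"]:
        cidr = entry.get("ipv4Prefix") or entry.get("ipv6Prefix")
        if not cidr:
            continue  # tolerate entries of a shape we do not know
        ranges.append((ipaddress.ip_network(cidr, strict=False),
                       entry.get("scope", ""), entry.get("service", "")))
    return ranges


def lookup(ip_text, ranges):
    """Return the most specific matching prefix and its region, or None.

    A hit says only that the address was allocated to Google Cloud in that
    region when the file was generated; which project or instance used it
    still has to come from the provider under legal process.
    """
    addr = ipaddress.ip_address(ip_text)  # raises ValueError on garbage input
    best = None
    for net, scope, service in ranges:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, scope, service)
    if best is None:
        return None
    return {"prefix": str(best[0]), "scope": best[1], "service": best[2]}


if __name__ == "__main__":
    ranges = load_ranges(SAMPLE_CLOUD_JSON)
    for probe in ("203.0.113.22", "192.0.2.1", "2001:db8:1::5"):
        print(probe, "->", lookup(probe, ranges))
```

The sync token in the real file dates the snapshot; record it with the result, because an address can move between regions or leave Google's space between the time of the incident and the time of the lookup.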
Figure 9 displays a United States federal warrant, which is needed to seize and search evidence. “Today both law enforcement and the legal system face a new challenge--digital evidence distributed in the cloud. Technology requires investigators to change their methods from traditional passive searches to a new model focused more on live recovery (Cauthen, 2014).” To acquire data from Google Cloud, law enforcement must first obtain a warrant. The challenge is where to file the warrant, as the physical data could be stored in multiple places around the world. The Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018 gives US law enforcement the legal tool required, with court authorization, to collect cloud-based evidence from US-based technology companies for crimes that occur on US soil or involve US citizens, even if the data is stored on servers physically located in other countries (Remy, 2020).

Figure 9. Federal Warrant
Once the warrant was issued, the cloud service provider turned over the data requested in compliance with it. It is important to have a Google Cloud Platform certified expert on the investigative team, as the data turned over may be in a non-traditional format that needs to be translated. Since law enforcement is not the party retrieving the data, a great deal of trust has to be placed in the provider's technician, which presents a risk. After access was granted, the forensics team began to look into what resources were being used by the suspect account and machine.

Figure 10. Google Cloud Platform Compute Engine VM Instances

Figure 10 shows Google Cloud Platform's Compute Engine service. Google Compute Engine is an IaaS service that lets users launch virtual machines on demand. Figure 10 also shows that a user launched a virtual machine instance with the suspect IP
address, 23.251.149.22, named “crdhost.” This machine may be the host of the customers' private information. Clicking on crdhost shows more details about the machine.

Figure 11. VM instance details #1

Figure 12. VM instance details #2
Figure 11 shows details of the VM instance: the instance ID, machine type, CPU platform, hosting zone, and creation time, October 20th, 2020. Figure 12 shows the network interface, firewalls, and boot disk information: the OS is Debian Linux and the storage is a 10 GB standard persistent disk.

Figure 13. VM instance details monitoring #1

Figure 14. VM instance details monitoring #2
Figure 15. VM instance details monitoring #3

Figures 13, 14, and 15 show the VM's monitoring views: network activity, CPU utilization, disk activity, and more. With this monitoring information we have an idea of how active the machine is and can decide whether to shut it down or keep it running.
Figure 16. VM Instance View Logs Option

Figure 17. Logs Explorer with completed search

Looking more closely at the options for the VM instance, Figure 16 shows that we can start or resume the instance, stop it, reset it, delete it, view network details, create a new machine image, view logs, and view
monitoring. Clicking View Logs opens the Logs Explorer of Google Cloud Platform. Since we know the VM instance was created on October 20th, 2020, we can run a query from that date to today, which yields the results in Figure 17. The results can also be downloaded for further analysis in CSV or JSON format.

Figure 18. Logs being downloaded into JSON

In the downloaded logs we found the email address of the individual who created the project and the instance, as seen in Figure 19. These entries come from the project's Admin Activity audit logs, where the protoPayload.authenticationInfo.principalEmail field records the principal that performed each API call (such as compute.instances.insert), while the guest agent's account events arrive as ordinary syslog entries from the instance.
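The JSON download can be turned into a single timeline that combines the audit entries (who created the instance) with the guest agent's account messages (user creation, google-sudoers membership, key updates). The script below is an added example, not part of the original report; its SAMPLE_EXPORT is a constructed stand-in for the downloaded file, with placeholder project, zone, instance ID and e-mail addresses, and the guest-agent message wording is assumed from typical entries rather than copied from the case logs.

```python
"""Build a timeline from a Cloud Logging JSON export.

Added example, not part of the original report. SAMPLE_EXPORT is a
constructed stand-in for the file the Logs Explorer download produces:
a JSON array of LogEntry objects. The field layout (timestamp,
protoPayload for Admin Activity audit logs, textPayload or
jsonPayload.message for the guest agent's syslog lines) follows Cloud
Logging's LogEntry format, but every value below is made up; the
project, zone, instance ID and e-mail addresses are placeholders.
"""
import json
import re

_RES = {"type": "gce_instance",
        "labels": {"instance_id": "1234567890", "zone": "us-central1-a"}}
_AUDIT = "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity"
_SYSLOG = "projects/example-project/logs/syslog"

SAMPLE_EXPORT = json.dumps([
    # deliberately out of order: the export is not guaranteed to be sorted
    {"timestamp": "2020-11-06T14:12:00.000000Z", "resource": _RES, "logName": _AUDIT,
     "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                      "methodName": "v1.compute.images.insert",
                      "authenticationInfo": {"principalEmail": "examiner@example.com"},
                      "resourceName": "projects/example-project/global/images/forensics-image"}},
    {"timestamp": "2020-10-20T18:01:12.000000Z", "resource": _RES, "logName": _AUDIT,
     "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                      "methodName": "v1.compute.instances.insert",
                      "authenticationInfo": {"principalEmail": "owner@example.com"},
                      "resourceName": "projects/example-project/zones/us-central1-a/instances/crdhost"}},
    {"timestamp": "2020-10-20T18:03:40.000000Z", "resource": _RES, "logName": _SYSLOG,
     "textPayload": "Oct 20 18:03:40 crdhost google_guest_agent[512]: Creating user aarsande."},
    {"timestamp": "2020-10-20T18:03:41.000000Z", "resource": _RES, "logName": _SYSLOG,
     "textPayload": "Oct 20 18:03:41 crdhost google_guest_agent[512]: Adding user aarsande to group google-sudoers."},
    {"timestamp": "2020-10-20T18:03:42.000000Z", "resource": _RES, "logName": _SYSLOG,
     "jsonPayload": {"message": "Updating keys for user aarsande."}},
])

# Assumed guest-agent wording: "Creating user X.", "Adding user X to group G.",
# "Updating keys for user X." (searched, so a syslog prefix may precede it).
ACCOUNT_RE = re.compile(
    r"(?P<action>Creating user|Adding user|Updating keys for user) "
    r"(?P<user>\S+?)(?: to group (?P<group>\S+?))?\.?$"
)


def _message(entry):
    """Free-text message of an entry, whichever payload field carries it."""
    if "textPayload" in entry:
        return entry["textPayload"]
    payload = entry.get("jsonPayload")
    if isinstance(payload, dict):
        return payload.get("message") or payload.get("MESSAGE") or ""
    return ""


def extract_events(raw_json):
    """Return audit and account events as dicts, sorted by timestamp."""
    events = []
    for entry in json.loads(raw_json):
        ts = entry.get("timestamp", "")
        proto = entry.get("protoPayload")
        if proto:
            events.append({"time": ts, "kind": "audit",
                           "actor": proto.get("authenticationInfo", {}).get("principalEmail", "?"),
                           "action": proto.get("methodName", "?"),
                           "target": proto.get("resourceName", "")})
            continue
        m = ACCOUNT_RE.search(_message(entry))
        if m:
            events.append({"time": ts, "kind": "account", "actor": "google_guest_agent",
                           "action": m.group("action"), "target": m.group("user"),
                           "group": m.group("group")})
    # fixed-width RFC 3339 UTC timestamps sort correctly as strings
    events.sort(key=lambda ev: ev["time"])
    return events


def instance_creator(events):
    """Principal that issued compute.instances.insert, or None."""
    for ev in events:
        if ev["kind"] == "audit" and ev["action"].endswith("compute.instances.insert"):
            return ev["actor"]
    return None


def sudoers_grants(events):
    """Users the guest agent added to google-sudoers (passwordless sudo)."""
    return [ev["target"] for ev in events
            if ev["kind"] == "account" and ev.get("group") == "google-sudoers"]


if __name__ == "__main__":
    for ev in extract_events(SAMPLE_EXPORT):
        print(ev["time"], ev["kind"], ev["actor"], ev["action"], ev["target"], ev.get("group") or "")
```

Note that the examiner's own actions (the images.insert entry) land in the same audit log as the suspect's; keeping them in the timeline is what later shows the court that the image was made after the warrant, not before.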
Figure 20. Log showing user, casey_aniceto, being created

Preservation

Moving into the preservation stage, we need a method to obtain a copy of the suspect machine while preserving the data's integrity. Since we know the VM instance uses a standard persistent disk, we view it by clicking “Disks” in the storage section. On the Disks page of the project, seen in Figure 21, the disk used by the suspect machine carries the same name as the instance, “crdhost.” We also see, in Figure 22, that we can
create an instance, create a snapshot, clone the disk, and delete the disk. For our needs, we must create an image of the disk, which is exportable.

Figure 22. Disks on Google Cloud

After clicking “Create Image”, as seen in Figure 23, we name the image, select the source (the suspect disk), and choose whether to keep the instance running while the image is created. Keeping the instance running is not recommended: the image is taken while the guest may still be writing, so the copy is at best crash-consistent and its integrity cannot be guaranteed. Although we are aware of this risk, disk throughput is low in the monitoring views (Figures 13 to 15), so we left the instance running, judging the risk of a corrupted image to be low. The same operation is available from the command line as gcloud compute images create with a --source-disk (the --force flag is required when the source disk is attached to a running instance), followed by gcloud compute images export with --export-format vmdk and a --destination-uri in a Cloud Storage bucket; a disk snapshot (gcloud compute disks snapshot) is the alternative when a point-in-time copy is wanted before the instance is touched further.
Figure 23. Creating an Image

Figure 24. Creating an Image
Figure 25. Image is Created

Once the image is created, Figure 25 shows that we can edit the image, delete it, create an instance from it, or export it. We want to move the image to a local machine for examination and analysis, so we need to export it. In Figure 26-1, we export the image in VMDK format to the Cloud Storage bucket we created for forensic purposes within the project.
Figure 26-1. Exporting Image

After the image has been exported, Figure 26-2 shows it in the “Image export history” tab of the Images page.

Figure 26-2. Image Exported
To download the image, we navigate to the storage bucket we exported it to. We can view the bucket in the Storage service of Google Cloud Platform; inside it is our image, titled “forensics_image_20201106,” as seen in Figure 27. The action buttons on the object give the option to download it to our local machine. The bucket object's metadata carries an MD5 hash of the stored file (shown by gsutil stat), which should be recorded before download and compared with the hash of the downloaded copy.

Figure 27. Downloading Image

Seizure and Collection

Chain of custody was documented by creating a case for the image file in Autopsy. Once the case was created, all investigated material was stored in that case. Had this been a real law enforcement investigation, the case data would have been protected by encryption of the file or some other security measure. Strictly, the case records only the examination; the chain of custody also requires the hash of the exported image recorded at the time of download and a log of every hand-off of the file, which is why the hash verification discussed later in this section matters.
Figure 28. Autopsy Case

The figure above provides detailed information on the case: case name, case number, created date, case directory, case type, database name, and examiner name, phone, and email address. Autopsy stores the results of the analysis of the crdhost image obtained from Google Cloud Platform under this case. The process of adding the image to Autopsy is shown in the figure below. The data source type selected was “Disk Image or VM File,” since the vmdk image obtained from Google Cloud Platform is a virtual machine disk file.
Figure 29. Autopsy Disk Image or VM File.

After the data source type was selected, the path of the data source was chosen; this is the path of the image to be analyzed. The time zone of the evidence was set to GMT-5:00 America/Indianapolis. The sector size was left at the default, auto-detect. These options can be seen in Figure 30.
Figure 30. Autopsy Data Source.

Hash values could have been entered in the data source window, but we did not have the MD5 hash values at the time of execution. We noted this important integrity check and later adjusted the procedure to incorporate hash verification into the investigation.
The new data source was added, but we received critical errors while adding the vmdk image. The error was that the data source failed to be added; see Figure 31.

Figure 31. Autopsy Failure.

The error could be examined further by clicking the View Log button shown in Figure 31. Another window then opened with more information about the failure, shown in Figure 32.
Figure 32. Autopsy Failure log.

The error reported while Autopsy was ingesting the image was that the file system type could not be determined at sector offset 0. An exported vmdk is a container: its first sector holds the VMDK header rather than the partition table or file system that Sleuth Kit expects at offset 0, so the file could not be added in this form. After researching the error, the resolution was to convert the vmdk image into a raw image with another forensic tool. This was done with FTK Imager.
Figure 33. FTK Imager

FTK Imager was used to create a raw image from the vmdk image. The screenshot above shows the data being processed and the raw image being written.

Figure 34. FTK Imager Verify Results
The image above shows the completion of the conversion of the vmdk file to the raw image format. FTK Imager's verification report lists the MD5 hash, SHA1 hash, and bad block list. The computed hashes are the hashes of the written raw image, and the reported hashes are the hashes FTK Imager recorded while reading the source, so a match shows that the raw image was written correctly. (The vmdk file itself, being a container, will never hash equal to the raw image it contains.) Both the MD5 and the SHA1 values matched, and the bad block list showed no bad blocks in the raw image.

Figure 35. Results

The raw image was written to the USB drive. Figure 35 shows all the file partitions of the raw image created with FTK Imager. Once imaging was complete, we moved to analysis. Adding the new raw image to Autopsy with the steps described earlier, we were able to start the analysis. Analyzing the raw image identified all the volumes on it. As shown in Figure 36, the data source 20201106 had vol1, vol4, vol5, vol6, and vol7 for analysis; each volume is a partition of the crdhost virtual machine's disk. Other information found at the start of the analysis: 22136 images, 126 audio files, 18071 archive files, and 46 database files were found using Autopsy
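The two points above, why Autopsy found nothing at sector offset 0 in the vmdk and what the FTK Imager verify step actually compares, can be reproduced with a few lines. The script below is an added example; it is not from the report and is not code from Autopsy, Sleuth Kit or FTK Imager. It classifies an image by what sits in its first two sectors and verifies a raw image against hashes recorded at acquisition, using the same chunked hashing an imager uses. All images it examines are constructed in memory, and the hashes it checks are computed from those constructed bytes.

```python
"""Identify what a disk image file starts with, and verify a converted
raw image against the hashes recorded at acquisition.

Added example; not from the original report and not code from Autopsy,
Sleuth Kit or FTK Imager. All images below are constructed in memory
(a sparse-VMDK header, an MBR disk, a GPT disk, an all-zero blob), and
the expected hashes are computed from those constructed bytes.
"""
import hashlib
import io
import struct

SECTOR = 512


def identify(head):
    """Classify an image from its first two sectors.

    Sleuth Kit expects a partition table or file system at sector offset 0.
    A VMDK container puts its own header there, which is why Autopsy
    reports "Cannot determine file system type (Sector offset: 0)" for an
    exported vmdk; converting to raw puts the partition table at offset 0.
    """
    if head[:4] == b"KDMV":                        # sparse / stream-optimized VMDK extent
        return "vmdk-sparse"
    if head.startswith(b"# Disk DescriptorFile"):  # VMDK descriptor text file
        return "vmdk-descriptor"
    if head[:4] == b"QFI\xfb":                     # qcow2, another container format
        return "qcow2"
    if len(head) >= 2 * SECTOR and head[SECTOR:SECTOR + 8] == b"EFI PART":
        return "raw-gpt"                           # GPT header lives in sector 1
    if len(head) >= SECTOR and head[510:512] == b"\x55\xaa":
        return "raw-mbr"                           # MBR boot signature
    return "unknown"


def identify_file(path):
    with open(path, "rb") as f:
        return identify(f.read(2 * SECTOR))


def hash_stream(fobj, chunk=1 << 20):
    """Hash a (possibly very large) image in chunks, as an imager does."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    for block in iter(lambda: fobj.read(chunk), b""):
        md5.update(block)
        sha1.update(block)
        size += len(block)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def verify(fobj, reported):
    """Mirror FTK Imager's verify step: every reported hash must equal the
    hash computed over the written image. Hashing the vmdk file instead
    would never match, since it is a different byte stream from the raw
    disk it contains. Returns (ok, computed)."""
    computed = hash_stream(fobj)
    checked = [k for k in reported if k in ("md5", "sha1")]
    ok = bool(checked) and all(computed[k] == reported[k].lower() for k in checked)
    return ok, computed


def verify_bytes(data, reported):
    return verify(io.BytesIO(data), reported)


# --- constructed sample images -------------------------------------------
def build_mbr_image(sectors=64, part_type=0x83):
    img = bytearray(sectors * SECTOR)
    # one partition entry at 0x1BE: bootable, type, start LBA 2048, 20480 sectors
    struct.pack_into("<B3sB3sII", img, 0x1BE, 0x80, b"\x00\x00\x00", part_type,
                     b"\x00\x00\x00", 2048, 20480)
    img[510:512] = b"\x55\xaa"
    return bytes(img)


def build_gpt_image(sectors=64):
    img = bytearray(build_mbr_image(sectors, part_type=0xEE))  # protective MBR
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    return bytes(img)


def build_vmdk_header():
    # 'KDMV' magic followed by a version field is enough for identification
    return b"KDMV" + struct.pack("<I", 1) + b"\x00" * (2 * SECTOR - 8)


if __name__ == "__main__":
    for name, blob in (("vmdk", build_vmdk_header()), ("mbr", build_mbr_image()),
                       ("gpt", build_gpt_image())):
        print(name, "->", identify(blob))
    raw = build_mbr_image()
    print(verify_bytes(raw, {"md5": hash_bytes(raw)["md5"]}))
```

Run identify_file on the exported vmdk and on the raw output before adding either to Autopsy; the first reports vmdk-sparse and the second should report raw-mbr or raw-gpt. Record the computed hashes from verify in the case notes at the time the raw image is produced, since that is the value Autopsy's data source dialog asks for.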
on the data source. There were 377 HTML documents, 4 Office files, 15 PDFs, 791 plain text documents, and 4 .bat files.

Figure 36. Data Sources
Examination and Analysis

Among the HTML files found in Autopsy, we discovered the document main.html, which had been used to collect user information. From this document we identified that the data collected by the web page was first name, last name, date of birth, address, credit card number, and 3-digit PIN.
Figure 37. Screen capture of the HTML document used to capture the user's personal information.

Further investigation with Autopsy identified a data.csv file containing the information collected by the main.html form. As shown in Figure 38, this information was recorded on crdhost and stored unprotected, in plaintext. This was exactly what our investigation was charged to prove: that the virtual machine on Google Cloud Platform was using a web application to steal people's information.

Figure 38. Screenshot of the data.csv file that stores the user's personal information.
Results

We identified that the system was on a Google server by tracking the IP address with an IP lookup web tool. Having identified that the system ran on Google's platform, we contacted Google and requested access to the suspect system with a federal warrant. This gave our forensic team access to the Compute Engine console for the virtual machine in question. In the console the virtual machine was identified as crdhost, with internal IP address 10.128.0.3 and external IP address 23.251.149.22, matching what the geolocation tool reported. Further investigation yielded more information about crdhost directly: the day and time it was created, its instance ID, the remote access protocol, log information, network information, and system-specific information. Crdhost ran on an AMD Rome CPU platform with a 10 GiB virtual disk, from a Debian image, on a standard persistent disk encrypted with Google-managed keys. The VM instance monitoring dashboard gave us CPU utilization and network byte data. On October 21st, 2020, the first day crdhost existed, CPU utilization reached 40% of capacity, with two other high points on October 28th, 2020 and November 7th, 2020. Network traffic was also highest on October 21st, 2020, when the virtual machine was first created. While traversing Google Cloud Platform we came across the logs of
crdhost. We retrieved logs spanning the lifetime of the virtual machine and a histogram of the captured entries. The Google Cloud Platform log utility let us see specific events such as the updating of SSH keys for a user, the adding of a user to the google-sudoers group, and other key moments in the operation of crdhost. We downloaded the crdhost logs for deeper analysis. Our findings from the export of the logs to JSON were that the user aarsande was added to the google-sudoers group, which grants sudo privileges on the virtual machine, and that a user account casey_aniceto was created on crdhost. Using the Google Cloud Platform Image feature we created a vmdk image of the crdhost virtual machine. Once created, the image was exported and saved to an investigator's computer for further analysis. A case was created in Autopsy under the case name GCP 20201106, case number 20201106, created 2020/11/09 21:30:40 EST, as a single-user case. The examiner was Casey Aniceto. We uploaded the downloaded vmdk image to Autopsy but repeatedly encountered errors while processing the crdhost image file. The error received was “Failed to add data source (critical errors encountered). Click below to view the log.” On review, the underlying error was “Cannot determine file system type (Sector offset: 0).” Through a review of multiple online sources we found that the vmdk image was not going to work in Autopsy in this form. We paused the investigation of the image until we could be sure it could be examined with Autopsy.
We found that the vmdk image would need to be converted to a raw image to continue. We used FTK Imager to convert the crdhost vmdk image into a
raw image that could be added to Autopsy for analysis. To show that the raw image was a faithful copy, the MD5 hash FTK Imager computed over the written raw image was compared with the hash it recorded while reading the source; the two matched, which showed that the conversion preserved the data's integrity. Once the file was converted we reopened the case and added the new raw image. The raw image worked as intended and the Autopsy analysis was completed. The Autopsy analysis captured two main pieces of evidence. First, a main.html document with fillable form fields to collect people's personal information: first name, last name, date of birth, address, credit card number, and 3-digit PIN. This was the web page used to steal users' information; it was located in the Desktop directory of the mynewuser home directory. Second, a data.csv file on the crdhost image that had captured multiple users' personal information; it was also located on the mynewuser Desktop. This demonstrated that the web application was working and capturing user data. The motive of the crime was to get users of the crdhost HTML web application to provide personal information and credit card data so it could be stolen.

Conclusions

A great deal was learned from this research in conducting the cloud forensic process. Learning to build a virtual machine hosted on Google Cloud Platform was interesting because hosting an instance required many intricate steps. We learned that the Compute Engine instance utility let us build the virtual machine, but creating remote connections to the virtual
  • 50. 49 machine was a more technically challenging task. The process to create remote connections included using the SSH window that was connected to the virtual machine instance to update the package manager and install -wget functions. From here we downloaded the Debian Linux Chrome Remote Desktop installation package and ran the installation. We then had to decide what kind of system desktop environment we wanted to use for conducting the cloud forensic process so the virtual machine instance and decided on a Cinnamon. We chose a Cinnamon environment because it was a full-featured traditional desktop environment where we could focus on the forensic process of the cloud rather than try and use a lightweight desktop and not have all the tools and utilities we needed to make the cloud forensic process executable. Once the virtual machine and all remote user accounts were created we learned a lot about the Google Cloud Platform utilities that helped us conduct the forensic process such as the compute engine utility, disk feature, images feature, monitor VM feature, and other tools that were hosted on the Google Cloud Platform compute engine. Utilizing these on-demand features from the Google Cloud Platform allowed us to concentrate on the virtual machine more intensely because our attention was not drawn away to evaluate what open source tools could we use to interface with the Google Cloud Platform virtual machine instance. Instead, we could utilize the Google Cloud Platform utilities to retrieve important and impactful information to help move the cloud forensic process forward. Using the disks feature in the Google Cloud Platform compute engine we were able to create a vmdk image of the virtual machine and transfer that exact bit for bit copy to a local forensics investigator’s computer to conduct the rest of the forensics process. 
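The MD5 comparison between the vmdk export and the FTK Imager raw conversion described above is the step that makes the converted image defensible: if the digests differ, the examiner is no longer working on the evidence that was acquired. As an added example (not code from the report, from FTK Imager, or from Google), the following Python script shows that check done programmatically. It streams an image in fixed-size chunks, computes MD5 and SHA-256 in one pass, and compares the result with the digests recorded at acquisition, flagging a mismatch when even one byte differs. Computing SHA-256 alongside MD5 goes beyond the report's MD5-only check. The file names (`crdhost-export.raw` and its damaged copy) and the image contents are constructed for the demo; in a real case the recorded digests come from the acquisition log.

```python
"""Added example: verify a converted raw image against recorded digests.

Not code from the report or from FTK Imager. File names and image contents
below are constructed for the demo.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time; disk images rarely fit in RAM


def hash_image(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at path, streamed in chunks.

    All requested digests are updated from a single pass over the file, so a
    large image is read once even when several algorithms are recorded.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, recorded):
    """Compare the image at path with digests recorded at acquisition.

    recorded maps algorithm name -> hex digest (for example copied from the
    FTK Imager verification results into the evidence log). Returns
    (ok, report), where report gives 'match' or 'MISMATCH' per algorithm.
    A mismatch on any algorithm means the converted image is not the
    evidence that was acquired.
    """
    computed = hash_image(path, tuple(recorded))
    report = {}
    for name, expected in recorded.items():
        same = hmac.compare_digest(computed[name].lower(), expected.strip().lower())
        report[name] = "match" if same else "MISMATCH"
    return all(v == "match" for v in report.values()), report


def build_sample_images(directory=None):
    """Write a constructed pristine image and a damaged copy; return both
    paths and the digests that stand in for the ones recorded at acquisition."""
    directory = directory or tempfile.mkdtemp(prefix="gcp-forensics-demo-")
    # Constructed 3 MiB stand-in for the converted crdhost image; it spans
    # several read chunks so the streaming code path is exercised.
    payload = b"CONSTRUCTED-RAW-IMAGE" + bytes(range(256)) * (3 * 4096)
    good = os.path.join(directory, "crdhost-export.raw")
    with open(good, "wb") as fh:
        fh.write(payload)
    recorded = hash_image(good)  # real case: digests from the evidence log
    # One flipped byte in the middle simulates a damaged conversion.
    damaged = bytearray(payload)
    damaged[len(damaged) // 2] ^= 0xFF
    tampered = os.path.join(directory, "crdhost-export-damaged.raw")
    with open(tampered, "wb") as fh:
        fh.write(bytes(damaged))
    return good, tampered, recorded


if __name__ == "__main__":
    good_path, bad_path, acquisition_digests = build_sample_images()
    for p in (good_path, bad_path):
        ok, rep = verify_image(p, acquisition_digests)
        print(os.path.basename(p), "OK" if ok else "FAILED", rep)
```

Running the script prints one line per image: the pristine copy reports a match on both algorithms and the damaged copy reports a mismatch on both. Recording a second algorithm next to MD5 costs nothing extra in read time and gives the report a digest that is not subject to known MD5 collision concerns.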
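The data.csv found on the mynewuser Desktop is the evidence that the crdhost form was actually capturing card data. As an added example (not part of the report), this Python script shows how an examiner might triage such a file for the write-up: count the records, check which card numbers pass the Luhn checksum (separating plausible card numbers from junk or test input), and produce a redacted victim list that keeps only the name and the last four digits, so the report itself does not reproduce the stolen data. The report does not give the file's column layout, so the column names, every row, and the card numbers (publicly known test numbers, not real accounts) are constructed for the demo.

```python
"""Added example: triage a captured-data CSV for the forensic report.

Not code from the report. The column names and every row below are
constructed; the card numbers are publicly known test numbers.
"""
import csv
import io

# Constructed stand-in for the data.csv found on the mynewuser Desktop. The
# real file's layout was not given in the report; these columns mirror the
# fields the main.html form collected.
SAMPLE_DATA_CSV = """first_name,last_name,dob,address,card_number,pin
Alice,Example,1980-01-02,"1 Test St, Indianapolis, IN",4111111111111111,123
Bob,Sample,1975-05-06,"2 Demo Ave, Indianapolis, IN",5555555555554444,456
Carol,Testcase,1990-07-08,"3 Mock Rd, Indianapolis, IN",1234567890123456,789
Dan,Placeholder,1988-09-10,"4 Fake Blvd, Indianapolis, IN",3782 822463 10005,012
"""


def digits_only(value):
    """Strip spaces, dashes and anything else that is not a digit."""
    return "".join(ch for ch in value if ch.isdigit())


def luhn_valid(pan):
    """True if the digits in pan pass the Luhn checksum used by card numbers.

    Passing Luhn does not prove a number is a live account, but numbers that
    fail it are certainly not valid cards (typos, junk, or test input).
    """
    digits = [int(ch) for ch in digits_only(pan)]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for position, d in enumerate(reversed(digits)):
        if position % 2 == 1:  # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep only the last four digits; the report must not reproduce full PANs."""
    digits = digits_only(pan)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def triage_capture(csv_text, pan_field="card_number"):
    """Summarise a captured-data CSV without copying the sensitive values.

    Returns the record count, how many card numbers pass Luhn, the column
    names (to show what the form captured), and a redacted victim list that
    holds the name and masked PAN only. Date of birth and PIN are dropped.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    victims = []
    luhn_ok = 0
    for row in rows:
        pan = row.get(pan_field) or ""
        valid = luhn_valid(pan)
        luhn_ok += int(valid)
        victims.append({
            "name": f"{row.get('first_name', '')} {row.get('last_name', '')}".strip(),
            "pan_masked": mask_pan(pan),
            "luhn_valid": valid,
        })
    return {
        "records": len(rows),
        "luhn_valid": luhn_ok,
        "fields": list(reader.fieldnames or []),
        "victims": victims,
    }


if __name__ == "__main__":
    summary = triage_capture(SAMPLE_DATA_CSV)
    print(f"{summary['records']} records, {summary['luhn_valid']} Luhn-valid PANs")
    for v in summary["victims"]:
        print(f"  {v['name']:<18} {v['pan_masked']:<20} luhn={v['luhn_valid']}")
```

On the constructed sample the summary reports four records, three of which carry Luhn-valid numbers; the fourth row fails the checksum and would be noted as likely test or junk input rather than a real cardholder. Only the masked values ever leave the function, which keeps the examiner's report and working notes from becoming a second copy of the stolen data.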
One important thing learned from the forensic investigator's perspective is that if you make a disk image of a virtual machine you have access to, this will alert the Google Cloud Platform virtual machine owner, because Google will send a monetary charge for the process of creating an image. So creating the image should be done knowing this can occur and can ultimately alert the owner of the virtual machine that it is being copied. After downloading the vmdk image we tried to use Autopsy to investigate the image, but there were setbacks. We were unable to load the vmdk image into Autopsy as a disk image or as a VM file, but we did find a workaround to analyze the image data: we transformed the vmdk image into a raw dd image using FTK Imager. Once this format change from vmdk to raw was complete, we were able to load the image into Autopsy and continue the forensics process. We were then able to retrieve the information that initially alerted our team to the cloud forensic investigation, and we proceeded to document our findings in this report. The major takeaway from conducting the cloud forensic process was that the cloud service provider's platform may offer utilities that can help in the forensic process. While we did not initially have a solid idea of how this research experiment on conducting the forensics process in the cloud would turn out, we achieved our goal of turning up evidence that could be used as admissible evidence in a court of law.

Recommendations

Our recommendation for conducting the cloud forensics process is to first establish the objectives of the investigation. For our research experiment, our objectives were to establish a virtual environment, conduct the forensics process, and gather evidence relevant to the case. When you establish the case objectives up front, you are more likely to approach the process objectively. Learn about the cloud service provider's utilities and features, because these give the investigative team the opportunity to use tools built for that provider's services. Make sure that the tools you are going to use to conduct the forensic process are compatible with the cloud service you are investigating, because otherwise, like us, you will be looking for ways to change the format of an image to proceed with the investigation. This can save you time and the risk of damaging the image when converting it to a format compatible with the forensics software. Document everything! To be successful in the investigation, everything that you do or try needs to be documented so that the process can be repeated. This adds to the credibility of your investigation and also provides the evidence to back up your claims.

Future Work

While advances continue in cloud forensics, challenges still impede investigations in the cloud. Current investigation practices involve the analysis of data on a standalone forensics machine. Although we were working with a virtual machine on Google's IaaS, which works logically like a physical machine and so makes collecting data and evidence easier, platform and software services provide almost no feasible data collection process. As mentioned in our literature review regarding jurisdiction, collecting data across multiple jurisdictions is a daunting task; many states and countries operate under their own laws, and there still is no good answer for collecting data from multiple jurisdictions effectively. Since cloud computing is such a large area of technology today, there should perhaps be a cloud forensics certification; it would allow practitioners to gain the knowledge needed to conduct investigations and learn new technologies. Large cloud platforms such as Google and AWS should begin efforts to create a Forensics as a Service (FaaS) product for handling incident reports on their platforms. As mentioned in our literature review, such a service would save investigators valuable time and resources when conducting investigations.

Although providers such as Google and AWS grant users a decent amount of rights to their data, during forensic investigations of services whose data is not stored logically it is very difficult to navigate and collect data. With many public and private cloud service providers, in many jurisdictions, providing many services, perhaps there should be guidelines and compliance requirements created for them to operate under. With these guidelines there would be required data models agreed upon in the scientific community. With cloud computing becoming more and more a major area of technology, perhaps the digital forensics and cloud computing communities should come together and create a certification for cloud forensics. For the certification, investigators would learn the skills needed to investigate efficiently by studying jurisdictional laws and challenges and cloud platforms such as AWS, GCP, and Microsoft Azure. This certification would be useful for many digital forensics teams. These areas of cloud forensics should be further researched as cloud computing becomes more important in today's age of technology. With cloud forensics already being daunting for investigators, it would benefit many in the digital forensics community if more work were done in these areas.
References

AccessData. (2020, 11 23). FTK Imager. Retrieved from AccessData: https://accessdata.com/products-services/forensic-toolkit-ftk/ftkimager
ACT, U. P. (2001, 10 26). Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001. Retrieved from https://www.congress.gov/107/plaws/publ56/PLAW-107publ56.pdf
Austin, D. (2019, 07 19). Cloud Data is Within Defendant's Possession, Custody and Control, Court Rules: eDiscovery Case Law. Retrieved from eDiscovery Daily Blog, CloudNine: www.ediscovery.co/ediscoverydaily/electronic-discovery/cloud-data-within-defendants-possession-custody-control-court-rules-ediscovery-case-law/
Autopsy Digital Forensics. (2020, 11 05). Autopsy. Retrieved from Autopsy: https://www.autopsy.com/
Bill West, D. C. (2019, 06 20). How Are Cloud Computing and Data Centers Related? Retrieved from connectria.com: https://www.connectria.com/blog/how-are-cloud-computing-and-data-centers-related/
Cauthen, J. (2014, October 07). Executing Search Warrants in the Cloud. Retrieved November 02, 2020, from https://leb.fbi.gov/articles/featured-articles/executing-search-warrants-in-the-cloud
David Willson, A. a. (2013). Legal Issues of Cloud Forensics. Retrieved from Global Knowledge: http://www.mcrinc.com/Documents/Newsletters/201402_Legal_Issues_of_Cloud_Forensics.pdf
David Lillis, Brett A. Becker, Tadhg O'Sullivan and Mark Scanlon (2016). Current Challenges and Future Research Areas for Digital Forensic Investigation. In CDFSL Proceedings 2016. Retrieved from https://markscanlon.co/papers/CurrentChallengesAndFutureResearchAreas.pdf
Debian. (2020, 11 23). Debian. Retrieved from Debian: https://www.debian.org/
Dykstra, J., & Sherman, A. (2012, August 02). Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and evaluating tools, trust, and techniques. Retrieved November 02, 2020, from https://www.sciencedirect.com/science/article/pii/S1742287612000266
Federal Bureau of Investigation. (2020, 11 23). Cyber Crime. Retrieved from FBI: https://www.fbi.gov/investigate/cyber
Google. (2020, 11 01). Google Cloud. Retrieved from Google Cloud: https://cloud.google.com/gcp/
James, M., & Szewczyk, a. P. (2017). Jurisdictional Issues in Cloud Forensics. Retrieved from https://www.cscan.org/openaccess/?id=362
Keyun Ruan, J. C. (2013). Cloud Computing Reference Architecture and Its Forensics Implications: A Preliminary Analysis. Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, 1-21.
Location, I. (2018, December 20). How accurate is IP-based Geolocation Lookup? Retrieved from iplocation.net: https://www.iplocation.net/geolocation-accuracy
Miller, R. (2019, 12 03). Google Building More Data Centers for Massive Future Clouds. Retrieved from datacenterfrontier.com: https://datacenterfrontier.com/google-building-more-data-centers-for-massive-future-clouds/
Miyachi, C. (2018). What is "Cloud"? It is time to update the NIST definition? IEEE Cloud Computing, 1-6.
Muhammad Faheem, T. K.-K. (2015). The State of the Art Forensic Techniques in Mobile Cloud Environment: A Survey, Challenges, and Current Trends. International Journal of Digital Crime and Forensics, 1-19.
National Institute of Standards and Technology. (2011, September 28). SP 800-145 The NIST Definition of Cloud Computing. Retrieved from NIST: https://csrc.nist.gov/publications/detail/sp/800-145/final
Paul Henry, Jacob Williams, and Benjamin Wright. (2013, July). The SANS Survey of Digital Forensics and Incident Response. Tech. Rep.
Remy, J. (n.d.). White Paper: Cloud-Based Data Collection & Analysis: A NW3C Best Practices Guide. Retrieved November 02, 2020, from https://www.magnetforensics.com/resources/cloud-data-collection-analysis-nw3c/
Saurav, N., & Raymond, H. (2016). Forensics as a Service: Three-tier Architecture for Cloud-based Forensic Analysis. Retrieved from academia.edu: https://www.academia.edu/27421815/Forensics_as_a_Service_Three_tier_Architecture_for_Cloud_based_Forensic_Analysis
Search and Seizure Warrant. (2013). Retrieved November 24, 2020, from https://www.uscourts.gov/forms/law-enforcement-grand-jury-and-prosecution-forms/search-and-seizure-warrant
Simou, S., Kalloniatis, C., Gritzalis, S., & Mouratidis, H. (2016, 11 08). A survey on cloud forensics challenges and solutions. Retrieved from Wiley Online Library: https://onlinelibrary.wiley.com/doi/full/10.1002/sec.1688
Spectre Intelligence. (2019, 12 23). Federal Rules of Evidence and How it Applies to Cloud Forensics Examinations. Retrieved from Spectre Intelligence: https://www.spectreintel.com/federal-rules-of-evidence-and-how-it-applies-to-cloud-forensics/
Weiwei Kong, Y. L. (2018). Data security and privacy information challenges in cloud computing. International Journal of Computational Science and Engineering, 215-218.