13.1 Introduction

The Cloud can be considered “a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services)” (Mell and Grance 2011). In the context of digital forensics, this could mean that, for example, a given collection of illicit material is stored on the servers of a cloud provider or across multiple cloud providers. Bear in mind that the cloud provider's country of operation does not necessarily allow conclusions about the geographic location of one or more of its servers, which could be hosted in multiple countries – not to mention that the original cloud provider may have subcontracted its services to other providers (Nishawala 2013). This means in practical terms that the illicit material stored by the suspect is literally scattered in the clouds, for all intents and purposes regarding gaining access to it. It may as well be, from the perspective of law enforcement, which may possibly be required to identify the various locations, issue specific and separate requests for mutual legal assistance, and then hope for a swift response from the various jurisdictions contacted (Dykstra 2013).

The challenges include, in order of the discovery of a suspect/suspected activity, first the identification of the use of cloud services for storage. This could be something obvious, such as a Dropbox account that is prominent on the desktop, or a Google Drive icon, even though provided by the manufacturer of the device; but it could also be a less obvious solution that is not immediately considered, such as using an e‐mail account to store data in, for example, unsent messages or drafts. If the use of cloud storage is suspected and a specific provider is identified, the next challenge is the location of any stored material and its identification. If the suspect does not cooperate, the challenges increase – to such an extent that non‐cooperation by a suspect as regards the provision of passwords has been made a criminal offense in a very pragmatic manner in some locations.

Basically, if or when the cloud provider has been identified, the need for cooperation from the provider is essential. This may involve a non‐judicial means such as a simple request for information: some providers are open to this, while others require – and even pride themselves in not divulging any information about suspected clients in the absence of – a court order to do so. Cloud providers often overwrite their own data, or may remove it without involving law enforcement if it breaches their own terms and conditions, so speed is of the essence in the identification of suspected cloud storage – which as a first step would be followed by a preservation order, forbidding the provider to delete or remove any content. As a follow‐up or at the same time, an order is issued for the production of information regarding all activity of the client, together with a request for access to or provision of the material stored by the suspect.

During cybercrime investigations in a data‐dense environment such as the Cloud, investigators are frequently sent to data centers to collect evidence from computer hosts located within these data centers. In an increasing number of cases, it is becoming difficult to locate the data center where the computer host the investigator is interested in is running. While it is common to reach out to the hosting provider and ask for the data center’s address, there are situations in which it is not possible to contact the hosting provider ahead of time. There are also several reasons why a hosting provider cannot be trusted with the details of the involved computer host. For instance, an Internet service provider (ISP) could inform the user of the computer host prior to the investigator’s arrival. The user could then alter or remove evidence before the investigator collects or intercepts it. These so‐called non‐law‐enforcement‐friendly ISPs require a different approach.

So far, most of the research on cloud forensics has focused on challenges, theory models, forensic services, and process or forensic frameworks (Plunkett et al. 2015). There is very little research on data acquisition in the Cloud. Therefore, in this chapter, we tackle challenges related to forensic acquisition and analysis of artifacts in the Cloud. We first discuss different legal perspectives related to cloud service providers and data storage. Next, we describe how to locate the data center where the computer host the investigator is interested in is running. We also propose an efficient approach to tackling this challenge: a new three‐phase guideline that builds on known techniques and combines them with investigative techniques. Finally, we show the forensic acquisition and analysis of a popular cloud storage platform: Amazon Web Service S3. The preliminary result is promising and provides useful suggestions.

13.2 Background

13.3 Data Center as a Source of Evidence

Investigators often find themselves on their way to data centers to collect relevant forensic evidence on Internet‐connected hosts. Based on the IP address, many of these hosts can be pinpointed to a data centers' physical address (Nicolls et al. 2016). Contacting the involved hosting provider is usually enough to get the address details of the data center. Data centers are facilities where computer systems are housed and data is stored. Governments, universities, and large businesses typically have their own data centers. Commercial data centers provide hosting of websites and storage of large quantities of data. Nowadays, data centers are also used to provide cloud services, such as cloud storage or cloud computing. A data center can be as big as a large factory. A large data center consumes as much energy as a small town (Mittal 2014).

Data centers are complex facilities. Since they need power, cooling, and connectivity, a lot of infrastructure needs to be in place. Modern data centers allow for redundancy on all these aspects. Furthermore, a typical computer system in a data center is no typical desktop PC; most of the time, it is a 19‐inch‐wide server system. These server systems can have server‐specific hardware like SAS‐hard drives. A server can be connected to the power grid by one or more power supplies; it connects to the Internet or network with one or more network cables. Servers can host one operating system or several at the same time. Servers can also be interconnected to form clusters. These interconnected server systems can also connect to each other across the Internet to share resources for cloud services. The server systems are located in racks, which can hold over 40 server systems each.

Not every hosting provider can be trusted. These non‐law‐enforcement‐friendly ISPs cannot be contacted ahead of time. This could mean that the hosting company is not yet known to law enforcement, and therefore no objective assessment is available based on experience with the hosting company. After a first encounter with such a hosting company, it may be considered a trusted hosting provider from then on. Sometimes the hosting provider is the subject of the investigation or is thought to inform customers about law enforcement contacting the hosting provider about a specific host. This poses the risk of the customer being able to alter or remove evidence from the involved host. Such bulletproof hosts are non‐law enforcement Friendly ISPs and require a different approach by law enforcement. They cannot be contacted ahead of time because of the chance they will contact their customers prior to the arrival of law enforcement officials. Investigators tend to use other methods like traceroute and WHOIS queries to find the location of the data center involved, but these have proven to be less accurate than required.

The term non‐law‐enforcement‐friendly ISP is sometimes used in combination with the term bulletproof host (BPH) (Bernaards et al. 2012). These BPH companies willingly provide services to Internet criminals to facilitate activities like hosting child pornography, e‐mail spamming, and distribution of malware. The term non‐law enforcement friendly ISP can also mean to a law enforcement officer that there is no knowledge yet about how cooperative the ISP is. So, it doesn't necessarily mean that the ISP is willingly facilitating criminals. A different example of a non‐law enforcement friendly ISP is when an ISP is very hesitant to cooperate with law enforcement and insists on informing customers if law enforcement asks questions about them. This could be due to a transparency policy, or out of political motivations. Sometimes the term non‐law‐enforcement‐friendly ISP is used for one specific occurrence, like WikiLeaks. The same ISP may be considered law enforcement friendly during other encounters.

13.4 Cloud Service Providers: Essential Requirements, Governance, and Challenges

We need to establish the status of cloud providers and the circumstances in which they operate. Equally relevant is the constantly changing nature of their operating environment, the changes that are ongoing as well as those that are coming, and the varying legislation they face. Once we have fully understood the scope and strategies in which cloud providers operate, we can then assess the similar environment for law enforcement – which will then lead to an analysis of where there are joint needs as well as competing ones. We then try to assess which needs will prevail.

13.5 Cloud Storage Forensics

(Quick et al. 2014) describe their research on forensic analysis of different cloud storage providers such as Dropbox, Google Drive, and Microsoft Skybox. They used Windows‐based virtual machines (VM) as their test machines and examined the random access memory (RAM) using the VM's memory file instead of live acquisitions of memory. They also used a control VM as a base. The researchers downloaded client‐side apps to interface with the cloud storage. These apps are designed to interact with the cloud storage and would leave artifacts such as registry entries, specific log files, and folders created on the computers. The research showed artifacts left by the client software. There were also artifacts of cloud storage activity found in the user folder AppData. Authors also examined Internet history. They used the Internet Explorer, Mozilla Firefox, and Google Chrome web browsers when they did not use a client‐side app. Information about the use of cloud storage was found in the index.dat files and temporary Internet files. URLs were located, referencing transactions of cloud storage. Unencrypted passwords were located in the RAM analysis of Skybox. The authors found that crucial evidence might be stored in a cloud storage account that is not available on the computer itself. They addressed collecting evidence from cloud storage directly. Their first step is to understand the focus of the investigation. The second step is to have determined legal authority to gain access to the cloud storage in question. The third step is to identify the cloud storage account, such as Dropbox. The fourth step is the actual collection of the evidence. They discuss using a VM on a host machine with Internet access, to protect any host from any malware. Using a packet‐capture tool such as Wireshark captures traffic between the VM and server. They suggest using a screen‐capture tool to video‐record the process. Then, download the files onto the VM, and pause the VM. In step five, the researchers conduct the analysis of the VM and packet captures. Step six reports the findings. The seventh step is to complete the backup files and reports.

(Roussev et al. 2016) discussed the traditional acquisition of data on a client‐side computer. They acknowledge that using only client‐side data could leave out critical data. Their research used an alternative approach of acquiring evidence on the cloud storage side by using an application program interface (API). They indicate that APIs are well documented and used by many application developers. They created a prototype called Kummodd, with a command‐line tool and a graphical user interface (GUI) mode. The user's credentials (username and password) are still required to gain access to the cloud storage. A Python script uses the API to communicate with the cloud storage drive. Directly accessing the cloud storage drive gives access to the metadata to ascertain the contents by downloading them. The tool will also show revisions of files and download them. The authors acknowledge that this is a logical acquisition of files. Roussev et al. 2016 believe that this is a forensically acceptable way to acquire evidence without physical acquisition and is justified by the current storage developments. The cloud side could have data divided up onto different servers or, with the invention of solid‐state drives (SSDs), use wear leveling (overwriting unallocated space) that makes recovering deleted data difficult.

Hale (2013) did research on Amazon Cloud Drive (ACD). Note that ACD is a different service than Amazon Simple Storage Service (AS3). AWS is a storage service for the Internet that provides a web services interface so that users can store files and access them, whereas ACD is a consumer frontend that the user needs an Amazon account to access; there is also a pricing difference (Head in the Cloud 2014). ACD is closer to cloud storage, similar to Dropbox. Hale's research was done using a web‐based interface and the desktop application for ACD. ACD is marketed as an online MP3 player and storage system. An Amazon account is created, and the account credentials are used to access the storage. According to (Hale 2013), the browsing history files were the most forensically rewarding and left artifacts showing how the user interacted with the web‐based interface. Hale found within the web browser cache a specific file with useful information. The cache files that are the server response to getInfoById are issued after an upload or delete operation. The content of the cache files begins with the text getInfoByIdResponse, followed by a number of fields: File Name, Object ID, Amazon Customer ID, File Creation Date, File Last Updated Date, Cloud Path, File Size, and MD5. Hale's findings show that artifacts are left from a web‐based interface and can show dates and times of file transfers. As would be expected, numerous persistent artifacts were located when the desktop application was used. Artifacts were found in the registry and the application‐specific file AdriveNativeClientService.log.

13.6 Case Study 1: Finding Data Centers on the Internet in Data‐Dense Environments

During investigations in a data‐dense environment such as cloud computing, cybercrime investigators are frequently sent to data centers to collect evidence from computer hosts located in those data centers. It is becoming increasingly difficult to locate the data center where the computer host of the interest is running. While is it common to reach out to the involved hosting provider to ask for the data center’s address, there are situations in which it is not possible to contact the hosting provider ahead of time.

Law enforcement investigators are known for their experience with wiretaps to collect evidence. Although wiretapping could be an option, successfully wiretapping a server in a data center cannot be done without cooperation of the entity and access to the data center.

There are several reasons why a hosting provider might not be trusted with details of the involved computer host. For instance, an ISP might inform the user of the involved computer host prior to the investigator’s arrival. This user could then alter or remove evidence before the investigator could collect or intercept it.

Non‐law enforcement friendly ISPs require a different approach. Typically, an investigator will try to perform an online query like a WHOIS and/or a traceroute to find information about the host's physical location. These techniques have a relatively low rate of success. To address this problem of finding the (geo)location (Tillekens et al. 2016) of the involved data center, this chapter will propose a method for law enforcement members that increases the success rate of finding the correct data center location significantly, up to 80%.

During the research, the techniques currently used were evaluated, together with other techniques found during the research. The evaluation focuses on several indicators, including accuracy and usability for law enforcement. Data analytics are performed on the results of both a questionnaire as well as the geolocation techniques currently used by European law enforcement.

Based on the results, a new three‐phase guideline is introduced, which builds on known techniques and combines them with investigative techniques. The preliminary result is promising and provides useful suggestions for when the data center cannot be accurately pinpointed. The recommended three‐phase guideline is more accurate and tailored for law enforcement purposes.

The following approach is used:

1. To allow for better insight in the techniques used by law enforcement, a questionnaire is completed by the digital investigators.
2. The results of this questionnaire are combined with the results of the literature survey to formulate an overall state of the art of the most promising geolocation techniques for law enforcement.
3. The most promising techniques are then reviewed using mostly publicly available tools and resources. The review is done using the target IPs from a test set. The test set contains IPs that are already geographically located by their owners.
4. A new procedure is proposed and tested using the same method involving the combination of the most accurate techniques.

13.6.2 Three‐Phase Approach

In this section, we introduce a new procedure. It uses combinations of the techniques just reviewed and tries to minimize the amount of data that must be gathered. Overall, this new method should be faster and easier to deploy than gathering all the data from the six techniques just described and combining them into an end result. It is a three‐phase guideline involving: (i) data gathering; (ii) answering questions based on the gathered results; and (iii) making choices.

13.6.2.1 Phase One: Data Gathering

The gathering of the required data is performed first. To avoid unnecessary online queries, first a check is performed to see if the target IP has been queried before. The following steps are performed:

1. Query the RIPE stat web page or RIPE API to collect this info: country, autonomous system number (ASN), AS‐name, prefix, Inetnum: netname, Inetnum: descry, Reverse DNS: PTR record, BGPlay: AS‐numbers closest to target ASN (up to three), and Registry browser: tech‐c (https://stat.ripe.net).
2. Query police databases for the following: target IP address location, target IP block location(s), if available the corresponding date time(s), and if available the connected entity and its address details.
3. Perform RIPE Atlas measurements using the web page or API for traceroute. Try to use probes of the same of target ASN or its closest peers, probe(s) that uses the minimum number of hops to the target, a probe that has the minimum RTT to the target, geocoordinates of these probes, the FQDN of the penultimate hop, and the ASN of the penultimate hop.
4. Perform hop‐naming analysis to obtain the domain name of the host and hints in the FQDN referring to the location of the hops.
5. Query peeringDB.com to obtain routing information for finding the web page of the ASN and extract peer facilities of the target ASN.
6. Perform online open source intelligence (OSINT) queries to obtain the following: hits on “AS‐name” and “data center” and information on the hop hints found. Visit the website of the entity of the last‐known hop for the data center location info, visit the website of the host used by the target for data‐center location information, and visit the website running on the target IP (anonymously) for data‐center location information.
7. Analyze all results, including looking for same or similar address records; mark them as validated where applicable, converting found addresses to geocoordinates where necessary, compare found geocoordinates, and plot them on a map, for instance using Google Maps.
8. Compare the results with online records of data from different online sources such as http://www.datacentrumgids.nl/overzicht/nederland, www.datacentermap.com, http://www.telewiki.nl/Lijst_van_datacentra_in_Nederland_op_volgorde_van_plaatsnaam, http://map.ring.nlnog.net, Google Maps, and Yellow Pages.
9. Generate an overview of obtained results, including target IP, owning entity including contact details, country of the target IP, police records, top‐x list of most‐probable locations of data centers including validation scores, and the degree of separation between the target IP and the suggested data center.

13.6.2.2 Phase Two: Answering Questions Based on the Gathered Results

By answering four questions, this guideline aims to help the user make the right decisions in phase three of the guideline (Figure 13.1). The answers are specifically relevant to law enforcement to do the following:

• Help to determine if they can claim jurisdiction.
• Shed light on previous encounters with law enforcement.
• Find multiple validations of the result, which is preferred. It tells us that when different sources/techniques come up with the same result, the result is of a higher level of accuracy than if the result was provided by one source.
• Provide insight into whether further research or action is required to locate the target.

With the obtained data, the following questions need to be answered:

1. Is the target IP located in this country?
2. Was the target IP visited before by law enforcement?
3. Is the location of the target IP validated?
4. Need extra options to locate host?

13.6.2.3 Phase Three: Making Choices About What to Do Next

Depending on the outcome of the previously answered questions, decisions can be made:

1. If Yes, proceed with question 2. If No, consider sending a legal request for assistance to the involved country.
2. If Yes, this gives the highest level of validation. See if the location was visited recently and what the level of cooperation was. This knowledge could also change the status from non‐law enforcement friendly to law enforcement friendly. If No, proceed to question 3.
3. If Yes, consider visiting the data center to perform digital forensics. If No, proceed to question 4.
4. If Yes, the best option is to try to repeat step 3 from phase one for the cities where the suggested data centers are located. Redoing steps 6 and 8 of phase one to get a more detailed measurement could follow this step.

Although this new method is not flawless in pinpointing a single data center, it can serve additional purposes. For instance, if it cannot tell the exact location of the needed data center, it could still reduce the number of possible data centers to a workable amount. This could mean that digital investigators could visit two or three data centers at the same time to allow for control over the possible loss of evidence. This method could also give investigators indicators of which entity to contact for more information about the target IP. For instance, if the IP belongs to a client of a shady reseller, this reseller has most likely rented servers from a third party. This third party, an ISP, has its servers running in a data center belonging to another entity. The owner of this data center could be then contacted and asked for more information on the IP range, without revealing the target IP itself.

13.7 Case Study 2: Cloud Forensics for the Amazon Simple Storage Service

Cloud storage services are often free to customers. The customer just needs to sign up with an e‐mail and will receive a limited amount of available storage space on the Cloud. This is considered cloud computing. Cloud computing is a shared collection of configurable network resources, such as networks, serves, storage, applications, and services. Customers can log in to the cloud service via a web browser and upload or download files. Customers can also increase storage space. The cloud service providers (CSPs) provide servers and storage space. To ensure service, CSPs maintain data centers around the world (Ruan et al. 2011). Data may not necessarily be located in just one place; and the location of the company headquarters does not necessarily mean data is stored there. This adds a level of jurisdiction. In the United States, for example, one state's law enforcement agency may have to have a federal law enforcement agency produce a subpoena or search warrant because the “data” resides across state lines.

In a cloud investigation, there is the client side, the CSP side, and the matter of law (whether the investigator / digital forensic examiner [DFE] has the right to search and seize). The client side is the traditional type of computer/digital forensics, where the investigator has access to the suspect's computer or mobile device (Faheem et al. 2015). The device is at a physical location, and jurisdiction is relatively easy to show. The device in question contains artifacts. This client approach has worked well in the past, but files are no longer in a persistent state on the client side and have shifted to being web‐app based and leaving little trace (Roussev and McCulley 2016). Jurisdiction needs to be addressed. This is not an attempt to give legal advice in any form; it merely reflects the difficulties of multi‐jurisdiction investigations and difficulties encountered when dealing with cloud computing. As mentioned before, CSPs use servers and data centers not centrally located or confined to one location.

An example of this difficulty is seen with Amazon Web Services (AWS). With AWS, the user can select where they would like their data stored. The corporate headquarters may not necessarily be the location of the data. CSPs intentionally hide the location of the data from customers to facilitate movement and replication.

Another scenario would be for the investigator to connect to the Cloud and download files with the user's credentials. This lends a question of legal authority. If the user gives consent freely and willingly to search the account, then the investigator can connect and download the contents. However, if the user does not give consent, then the investigator would need some kind of legal authority to connect to the cloud storage/account with the user's credentials and download data.

There is also the possibility the owner of the cloud account will cooperate and give full authority for a search. If the investigator can gain access to an account in their jurisdiction, they can intercept the communication.

13.7.2 Findings and Analysis

The first VM started with the base VM clone. IE 11 was used to search for images or videos of Minions. A video of the Minions movie trailer was downloaded to the desktop of the first VM. Images of Minions were downloaded to the desktop of the first VM. IE11 was used to log in to the AS3 account. Four image files and the .mp4 file were uploaded to the AS3 bucket minionswi.

When examining the first VM, it was clear the Minion files had been saved onto the VM desktop. Temporary Internet files contained the images in question. The Internet history showed a connection to AS3. IE changed after the introduction of IE 10; prior to IE 10, history resided in the index.dat file. The biggest change was that now IE used an extensible storage engine (ESE) named WebCacheV01.dat and the folder WebCache, plus other files (transaction logs) that work together (Malmstrom and Teveldal 2013). When using a web browser to access AS3, there is a web page for the login credentials.

Information regarding files was located in a WebCache log in the V01.log (path: Users/RCRAIG/AppData/Local/Microsoft/Windows/WebCache/V01.log). The ETag (md5Hash) of the Minion files was recorded. The temporary Internet files of the Minions could have been created by the Google search for such images, normal web‐browsing activity, and may not have been directly related to the AS3 account. Links were found with the Etag, filename, and file path pointing to the AS3 web URL. There was also a reference to the date and time in this artifact.

The second VM would give a better idea what was created just by viewing the files using IE 11 but never downloading the images of Minions. Using Autopsy 4, artifacts were indeed found from viewing through the web browser. V01.logs correlated with the Minion images.

To begin the activity of the user on the second VM, we went to the AS3 console using IE 11, on 15 June 2016 at 4:31 p.m. (UTC‐5). Once logged in, minionswi was opened. The video in the bucket, 518752464_2.mp4, was opened. It automatically downloaded and was opened in the default player, Windows Media Player. At 4:38 p.m. (UTC‐5), each file in the bucket was opened to view. All the viewing was done through the web browser. The files were viewed in this order: Beefeater.jpg, cornerpicture.jpg, download.jpg, napoleanic.jpg, th2P068ZMZ.jpg, th4Z9C28AE.jpg, thCA0PWCAL.jpg, and thCaS1V76V.jpg. The file napoleonic.jpg was downloaded to the desktop. Analysis of the second VM showed activity in the V01.log. A record of the V01.log is shown in Figure 13.2.

This record correlates with the viewing of the image napoleanic.jpg. The relevant portions are highlighted. Note the URL path is the same as the link in the bucket. The blue highlighted data is an actual link to the file. This was compared to the download link in AS3 in an open browser. The paths of the bucket were the same, but when the link was created, the date and time indicate when the link is created in view/open or download. To make it clearer, when a user wants to view a file or download a file, they need to right‐click the file. The user can choose to open the file or download it. When they choose Open, the link is created and opens in a new window of the browser. When Download is chosen, the user needs to Save Link As and select where to save the file. There is reference to a date and time, 20160615T213912Z. This time appears to be in UTC‐0. The viewing of this image correlates with the time period 15 June 2016 at 4:38 p.m. (UTC‐5). There is also a reference to the ETag, and it is the correct ETag for that file. This record also corresponds to the creation of the temporary Internet file napoleanic.jpg. Even the MD5 hash value is the same as the ETag. The image is viewed and is cached in the temporary Internet files. The RAM file was searched for the MD5 hash value in text. Records were found in the RAM that appear to be the same as found in the V01.log (Figure 13.2). Similar findings were located that detail the same information regarding viewing of the other files in question. The napoleonic.jpg file was also downloaded onto the desktop. A link file also shows it located on the desktop. The file in question was downloaded at the approximate modified, accessed, created (MAC) date and times.

The /AppData/Roaming/Microsoft/Windows/IEDownloadHistory/container.dat file did not contain information regarding the download.

A third VM was created, called Browse_Deleted. In this scenario, a user logged in to the AS3 using the web browser and viewed the files bunchofminions.jpg, th2P068ZMZ.jpg, and twominions.jpg in the bucket “minions.” The web‐browser history was also deleted. This activity was done to see what artifacts were left. The three files viewed were located in unallocated space. The files th2P068ZMZ.jpg, bunchofminions.jpg, and twominions.jpg had the original MD5 hash values. Shown in Figure 13.3 is the file information of the files located in unallocated space. Since the three files were found in unallocated space, there was no filename.

Even though there was an attempt to delete the Internet history, references were found in the WebCache folder in a log. This was consistent with a previous test that showed viewing of a file through AS3 using the web browser. Looking closely, the file length listed for the entries is the correct file size.

13.7.2.1 Collecting Evidence via Internet

CloudBerry Drive is able to mount an AS3 account as a read‐only network drive. To do this, an investigator/examiner must have the user's credentials (username and password). Using CloudBerry Drive also requires the access key and secret access key to be known. With these keys, anyone can log in to the buckets, so a user could share buckets with others. Logging in to the AS3 account with the users credentials, an investigator could find the access key but not a secret access key. This creates a problem. A user can only have two access keys at one time. In order to gain access, a new access key and secret access key will need to be created. If only one set is made, an additional one can be created. If two are made, the oldest key could be deleted and a new set created. This is all done through the web browser and is located in the AWS console (Figure 13.4).

For testing, CloudBerry v2.0.1.6 was installed on an examination computer with Internet access. The evidence file was verified successfully. MD5 hash values were compared with the files in minionswi, and the hashes were the same. One thing of note that has not been mentioned is that AS3 has the option to turn on or off versions of files. If a file is deleted, AS3 does save an older version. When the option is on, deleted files can be viewed when using the web browser interface. CloudBerry Drive did not see these older versions when the option was on or off. That could be important if the user of the account has tried to delete evidence.

13.8 Conclusion

The usage of cloud storage for criminal purposes is well known and will most likely not end. The eradication of crime is a noble cause, yet not one that seems to be a realistic prospect, without any intention of entering into a philosophical discourse on human nature and societies. The fact that criminals and crime and their methods will continue to evolve in pace with and take advantage of technological development and innovations is equally acknowledged. In this chapter, we discussed aspects related to data acquisition in cloud computing platforms. We also showed an efficient approach to locate the data center where the computer host of interest to investigators is running. In addition, we described a forensic acquisition and analysis of Amazon Web Service, one of the most popular cloud storage platforms.

Obtaining data stored on cloud storage is problematic. The cross‐jurisdictional nature of the CSP creates issues, and no specific laws deal with cloud storage. Existing laws are used and may not be the most useful. There is still a dependency on the CSP complying and providing the contents of cloud storage. Further research would have to be done on how a folder is treated when it is uploaded to AS3. In addition, the number of non‐law enforcement friendly ISPs is increasing over time. Further research into this phenomena is advised, including the advice to better report encounters with non‐law enforcement friendly ISPs. In addition, more intrusive methods can be explored: for example, wiretaps on upstream connections (Schut et al. 2015), not for content, but only for IP addresses, might also help to improve on results.

References

1. Bernaards, F., Monsma, E., and Zinn, P. (2012). Hightech Crime: Crime Image Analysis. Driebergen: Korps Landelijke Politiediensten.
2. Dykstra, J. (2013). Seizing electronic evidence from cloud computing environments. In: Cybercrime and Cloud Forensics: Applications for Investigation Processes (ed. K. Ruan), 156–185. Hershey: IGI Global.
3. Faheem, M., Kechadi, M.‐T., and Le‐Khac, N.‐A. (2015). The state of the art forensic techniques in mobile cloud environment: a survey, challenges and current trend. International Journal of Digital Crime and Forensics 7 (2): 1–19.
4. Fuchs, C. (2013). Privacy and security in Europe. The Privacy & Security Research Paper Series, No. 6.
5. Goncharov, M. (2015). Criminal Hideouts for Lease: Bulletproof Hosting Services. Irving: TrendLabs.
6. Grispos, G., Storer, T., and Glisson, W.B. (2012). Calm before the storm: the challenges of cloud computing in digital forensics. International Journal of Digital Crime and Forensics 4 (2): 28–48.
7. Hale, J.S. (2013). Amazon Cloud Drive forensic analysis. The International Journal of Digital Forensics & Incident Response 10 (3): 259–265.
8. Hiller, J. (2015). Civil Cyberconflict: Microsoft, cybercrime and botnets. Sanata Clara High Technology Law Journal 31 (2): 163–214.
9. In Re Grand Jury Proceedings the Bank of Nova Scotia. (1984). United States of America, Plaintiff‐appellee, v. the Bank of Nova Scotia, Defendant‐appellant, 740 F.2d 817 (11th Cir.).
10. Head in the Cloud (2014). Amazon S3 and Amazon Cloud Drive: what's the difference? https://web.archive.org/web/20140608040735/http://www.headinthecloudstorage.com/amazon‐ec2‐and‐s3‐whats‐the‐difference.
11. Malmstrom, B. and Teveldal, P. (2013). Forensic analysis of the ESE database in Internet Explorer 10. Bachelors thesis: School of Information Science, Computer and Electrical Engineering, Halmstad, Sweden.
12. Mell, P. and Grance, T. (2011). The NIST definition of cloud computing. National Institute of Standards and Technology.
13. Mittal, S. (2014). Power management techniques for data centers: a survey. Technical report. https://pdfs.semanticscholar.org/c389/9a699ecd188e658374c861b3b21e80c364e4.pdf (accessed July 2017).
14. Nicolls, V., Le‐Khac, N‐A., Chen, L. et al. (2016). IPv6 security and forensics. The 6th IEEE International Conference on Innovative Computing Technology, Dublin, Ireland, August 2016.
15. Nishawala, V.N. (2013). Subcontracting in the Cloud. Pillsbury Global Sourcing. http://www.sourcingspeak.com/2013/06/subcontracting‐in‐the‐cloud.html (accessed May 2017).
16. Plunkett J., Le‐Khac N‐A., and Kechadi, M‐T. (2015). Digital forensic investigations in the Cloud: a proposed approach for Irish law enforcement. 11th Annual IFIP WG 11.9 International Conference on Digital Forensics (IFIP119 2015), Orlando, Florida, 26–28 January 2015.
17. Quick, D., Martini, B., and Choo, K.R. (2014). Cloud Storage Forensics. Waltham, MA: Syngress.
18. Roussev, V. and McCulley, S. (2016). Forensic analysis of cloud‐native artifacts. The International Journal of Digitl Forensics & Incident Response.
19. Roussev, V., Barreto, A., and Ahmed, I. (2016). Forensic acquisition of cloud drives. In: Advances in Digital Forensics XII (ed. G. Peterson and S. Shenoi), 5–8. Springer.
20. Ruan, K., Carthy, J., Kechadi, T. et al. (2011). Cloud forensics. IFIP Advances in Information and Communication Technology 361: 35–46.
21. Ryder, Steven and Le‐Khac, N‐A. (2016). The end of effective law enforcement in the cloud? To encrypt, or not to encrypt. The 9th IEEE International Conference on Cloud Computing, San Francisco, CA USA, June 2016.
22. Schut, H., Farina, J., Scanlon, M. et al. (2015). Towards the forensic identification and investigation of cloud hosted servers through noninvasive wiretaps. The 10th International Workshop on Frontiers in Availability, Reliability and Security (FARES 2015), Toulouse, France, August 24–28, 2015.
23. Tillekens, A., Le‐Khac, N‐A., and Pham‐Thi, T‐T. (2016). A bespoke forensics GIS tool. IEEE International Symposium on Mobile Computing, Wireless Networks, and Security, Nevada, USA, Dec 2016.