This paper providers instruction on identifying remnants of evidence in the cloud.
With the advent of cloud computing, law enforcement investigators are facing the challenge that instead of the evidence being on a device that they can seize, the evidence is likely located in remote data centers operated by a service provider; and may even be in multiple locations (and jurisdictions) across the world. The most practical approach for an investigator when cloud computing has been used is to execute a warrant that requires the service provider to deliver the evidence. However, to do this, the investigator must be able to determine that a cloud application was used, and then must issue a warrant with reasonable scope (e.g., the subject’s username at the cloud provider, the name of the documents, the dates accessed, etc.). Fortunately, most cloud applications leave remnants (e.g., cached web sites, cookies, registry entries, installed files, etc.) on the client devices. This paper describes the process for identifying those remnants and parsing them to generate the data required by law enforcement to form warrants to cloud service providers. It illustrates the process by obtaining remnants from: Google Docs accessed by Internet Explorer, Dropbox, and Windows Live Mesh. (Published abstract provided)
Popular TopicsLaw enforcement Evidence Cloud computing
- What's Hiding in the Text? Analyzing Sexual Assault Police Narratives for "Signaling"
- An Evaluation of Simulation vs. Classroom-Based Implicit Bias Training to Improve Police Decision Making and Enhance the Outcomes of Police-Citizen Encounters
- Data Preparation for Crime Travel Demand Modeling (CrimeStat IV: A Spatial Statistics Program for the Analysis of Crime Incident Locations, Version 4.0)