Investigation Model for Locating Data Remnants on Cloud Storage

  • Khalid Abdulrahman
  • Abdulghani Ali AhmedEmail author
  • Muamer N. Mohammed
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 866)


Cloud storage services allow users to store their data online and remotely access, maintain, manage, and back up their data from anywhere through the Internet. Although this storage is helpful, it challenges digital forensic investigators and practitioners in collecting, identifying, acquiring, and preserving evidential data. This research proposes an investigation scheme for analyzing data remnants and determining probative artefacts in a cloud environment. Using the Box cloud as a case study, we collect the data remnants available on end-user device storage following the accessing, uploading, and storing of data in the cloud storage. The data remnants are collected from several sources, such as client software files, Prefetch, directory listings, registries, browsers, network PCAP, and memory and link files. Results indicate that the collected data remnants are helpful in determining a sufficient number of artefacts about investigated cybercrimes.


Forensic science Digital forensic Cloud storage Cybercrime investigation Box cloud Evidence collection Data remnants Artefacts 



Funding support provided by the Ministry of Higher Education in Malaysia (No. RDU160106).


  1. 1.
    Messmer, E.: Cloud forensics: in a lawsuit, can your cloud provider get key evidence you need? Netw. World (2013). Last Accessed from
  2. 2.
    Montelbano, M.K.: Cloud Forensics. Champlain College (2013)Google Scholar
  3. 3.
    Ahmed, A.A.: Investigation approach for network attack intention recognition. Int. J. Digit. Crime Forensics (IJDCF) 9(1), 17–38 (2017)CrossRefGoogle Scholar
  4. 4.
    Ahmed, A.A., Khay, L.M.: Securing user credentials in web browser: review and suggestion. In: 2017 IEEE Conference on Big Data and Analytics (ICBDA). IEEE, pp. 67–71 (2017)Google Scholar
  5. 5.
    Ahmed, A.A., Kit, Y.W.: MICIE: a model for identifying and collecting intrusion evidences. In: 2016 12th International Conference on Signal-Image Technology and Internet-Based Systems (SITIS). IEEE, pp. 288–294Google Scholar
  6. 6.
    Ahmed, A.A., Li, C.X.: Locating and collecting cybercrime evidences on cloud storage. In: 2016 International Conference on Information Science and Security (ICISS). IEEE, pp. 1–5 (2016)Google Scholar
  7. 7.
    Ahmed, A.A., Li, C.X.: Analyzing data remnant remains on user devices to determine probative artifacts in cloud environment. J. Forensic Sci. 63(1), 112–121 (2018)CrossRefGoogle Scholar
  8. 8.
    Quick, D., Choo, K.K.R.: Dropbox analysis: data remnants on user machines. Digit. Investig. 10(1), 3–18 (2013)CrossRefGoogle Scholar
  9. 9.
    Quick, D., Choo, K.K.R.: Google drive: forensic analysis of data remnants. J. Netw. Comput. Appl. 40, 179–193 (2014)CrossRefGoogle Scholar
  10. 10.
    Chung, H., Park, J., Lee, S., Kang, C.: Digital forensic investigation of cloud storage services. Digit. Investig. 9(2), 81–95 (2012)CrossRefGoogle Scholar
  11. 11.
    Taylor, M., Haggerty, J., Gresty, D., Hegarty, R.: Digital evidence in cloud computing systems. Comput. Law Secur. Rev. 26(3), 304–308 (2010)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Khalid Abdulrahman
    • 1
  • Abdulghani Ali Ahmed
    • 1
    Email author
  • Muamer N. Mohammed
    • 2
  1. 1.Faculty of Computer Systems & Software EngineeringUniversiti Malaysia PahangKuantanMalaysia
  2. 2.State Company for Internet ServicesThe Ministry of Communications of IraqBaghdadIraq

Personalised recommendations