Authors: Vassil Roussev, Ph.D. (University of New Orleans), Shane McCulley

DFRWS EU 2016

Abstract

Forensic analysis of cloud artifacts is still in its infancy; current approaches overwhelmingly follow the traditional method of collecting artifacts on a client device. In this work, we introduce the concept of analyzing cloud-native digital artifacts: data objects that maintain the persistent state of web/SaaS applications. Unlike traditional applications, in which the persistent state takes the form of files in the local file system, web apps download the necessary state on the fly and leave no trace in local storage. Using Google Docs as a case study, we demonstrate that such artifacts can have a completely different structure: their state is often maintained in the form of a complete (or partial) log of user editing actions. Thus, the traditional approach of obtaining a snapshot in time of the state of the artifacts is inherently forensically deficient in that it ignores potentially critical information on the evolution of a document over time. Further, cloud-native artifacts have no standardized external representation, which raises questions with respect to their long-term preservation and interpretation.
