Research Area:  Digital Forensics
Forensic analysis of cloud artifacts is still in its infancy; current approaches overwhelmingly follow the traditional method of collecting artifacts on a client device. In this work, we introduce the concept of analyzing cloud-native digital artifacts–data objects that maintain the persistent state of web/SaaS applications. Unlike traditional applications, in which the persistent state takes the form of files in the local file system, web apps download the necessary state on the fly and leave no trace in local storage. Using Google Docs as a case study, we demonstrate that such artifacts can have a completely different structure–their state is often maintained in the form of a complete (or partial) log of user editing actions. Thus, the traditional approach of obtaining a snapshot in time of the state of the artifacts is inherently forensically deficient in that it ignores potentially critical information on the evolution of a document over time. Further, cloud-native artifacts have no standardized external representation, which raises questions with respect to their long-term preservation and interpretation.
Keywords:  
Author(s) Name:  Vassil Roussev, Shane McCulley
Journal name:  Digital Investigation
Conference name:  
Publisher name:  ELSEVIER
DOI:  10.1016/j.diin.2016.01.013
Volume Information:  Volume 16, Supplement, 29 March 2016, Pages S104-S113
Paper Link:   https://www.sciencedirect.com/science/article/pii/S174228761630007X