Cloud forensic investigation


New Member
Dec 3, 2018
Hi everyone.

I need your opinion regarding with what are the most challenges of cloud forensic? Can anyone share any experience or opinion regarding with cloud forensic. Because currently I am doing my research regarding with challenges of cloud forensic investigation. Please help. Thank you.


New Member
Oct 22, 2018
Greater Chicago Area
It really depends on what you are trying to do with the data, the cloud storage provider, how the accounts are configured (personal, work, shared, etc), and other factors. Also, are you trying to do forensics on files found locally on a custodian’s computer (found in a cloud storage's sync folder) or are you going for files that are currently in the cloud and you need to preserve them?

One issue you may encounter is when trying to download files stored in the cloud is instances where files may be shared with the custodian (read only access or edit) but not owned by them. Depending on the service, it may or may not allow you to download these files.

Another thing to consider is that the metadata may be stripped and the timestamps updated to the time that the file was uploaded to the cloud service. It may be possible to download a “changelog” or see a list of what changes were made to the file for each edit but this isn’t always available.

You will also want to check what devices the custodian synced with the accounts as there may be offline (older) copies of the files located on other devices which could be beneficial to your investigation.

Methods of accessing the files is also something to consider. Will you have to use a sync client for the provider to download your own copy of the files? If so, you need to make sure that your workstation is clean so you don’t cross contaminate data. Can you download the files directly from the browser? You will want to do a comparison between the downloaded files and what is seen in the browser to ensure that you have everything as some files may not be able to be downloaded with the custodian’s access. Depending on the storage service, you may be able to use some forensics tools like F-Response but you will also want to ensure that you are getting everything that is seen in the browser.

There are other things to consider but this will at least give you a place to start.

Let me know if you have any other questions.


Experienced Member
Oct 23, 2018
Great point @tinna01, date/timestamps need to have particular attention paid to them -- and not all collection tools operate the same in this regard

About us

  • Our community began in 2004. Since this time, we have grown to have over 29,000+ members within the DFIR & Cyber Security community.

    We are happy to announce that this forum is now under new ownership with the goal to once again become the main Digital Forensics Forum on the internet for DFIR, OSINT and Cyber Security.

    If you can think of ways to help us improve, please let us know.

    We pride ourselves on offering unbiased, critical discussion among people of all different backgrounds.

    We are working every day to make sure our community is one of the best.

Quick Navigation

User Menu