Prior Publisher

The Association of Digital Forensics, Security and Law (ADFSL)


Cloud computing and digital forensics are emerging fields of technology. Unlike traditional digital forensics where the target environment can be almost completely isolated, acquired and can be under the investigators control; in cloud environments, the distribution of computation and storage poses unique and complex challenges to the investigators. Recently, the term “cloud forensics” has an increasing presence in the field of digital forensics. In this state-of-the-art review, we included the most recent research efforts that used “cloud forensics” as a keyword and then classify the literature into three dimensions: (1) survey-based, (2) technology-based and (3) forensics-procedural-based. We discuss widely accepted standard bodies and their efforts to address the current trend of cloud forensics. Our aim is not only to reference related work based on the discussed dimensions, but also to analyse them and generate a mind map that will help in identifying research gaps. Finally, we summarize existing digital forensics tools and the available simulation environments that can be used for evidence acquisition, examination and cloud forensics test purposes.


ACPO. (2014). Good Practice Guide for Computer-Based Electronic Evidence, Ocial released version. (Retrieved Jul 21, 2013 from http://www.7safe.com/electronicevidence/ACPO guidelinescomputer evidence.pdf)

Al Fahdi, M., Clarke, N., & Furnell, S. (2013). Challenges to digital forensics: A survey of researchers practitioners attitudes and opinions. In Information Security for South Africa.

Almulla, S., Iraqi, Y., & Jones, A. (2013). Cloud forensics: A research perspective. In 9th International Conference on Innovations in Information Technology (IIT) (pp. 66-71).

AmazonEBS. (2014). Elastic Block Store. (Retrieved Mar 04, 2014 from http://aws.amazon.com/ebs/)

AmazonEC2. (2014). Elastic Compute Cloud. (Retrieved Mar 04, 2014 from http://aws.amazon.com/ec2/)

AmazonS3. (2014). Simple Storage Service. (Retrieved Mar 04, 2014 from http://aws.amazon.com/s3/)

Apache. (2014). OpenStack. (Retrieved Mar 04, 2014 from https://www.openstack.org/)

Barrett, D., & Kipper, G. (Eds.). (2010). Virtualization and forensics: A digital forensic investigator's guide to virtual environments. Elsevier.

Belorkar, A., & Geethakumari, G. (2011). Regeneration of events using system snapshots for cloud forensic analysis. In Annual IEEE India Conference (INDICON) (pp. 1-4).

Birk, D., & Wegener, C. (2011). Technical issues of forensic investigations in cloud computing environments. In Sixth IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE) (pp. 1-10).

Bloom, B. H. (1970). Space/Time trade-os in hash coding with allowable errors. Communications of the ACM, 13 (7), 422-426.

BonFire. (2014). BonFire. (Retrieved Mar 04,2014 from http://www.bonfire-project.eu/services)

Calavera, D. (2014). VMwatcher. (Retrieved Mar 04, 2014 from https://github.com/calavera/vm-watcher)

Carrier, B. (2014). Sleuth kit Hadoop. (Retrieved Mar 04, 2014 from http://www.sleuthkit.org/tskhadoop/)

Chandy, M., & Lamport, L. (1985). Distributed snapshots: determining global states of distributed systems. ACM Transaction of Computer Systems, 3 (1), 6375.

Chung, H., Park, J., Lee, S., & Kang, C. (2012). Digital forensic investigation of cloud storage services. Digital Investigation, 9 (2), 81-95.

CloudSim. (2014). The Cloud Computing and Distributed Systems. (Retrieved Nov 27, 2014 from http://www.cloudbus.org/cloudsim/)

CSA. (2009). Security Guidance for Critical Areas of Focus in Cloud Computing. (Retrieved Mar 04, 2014 from https://cloudsecurityalliance.org/csaguide.pdf)

Delport, W., & Olivier, M. (2012). Isolating instances in cloud forensics. In IFIP International Conference Digital Forensics (pp. 187-200).

Dykstra, J., & Sherman, A. (2011). Understanding issues in cloud forensics: Two hypothetical case studies. Digital Investigation, 2011 (3), 19-31.

Dykstra, J., & Sherman, A. (2012). Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and evaluating tools, trust, and techniques. Digital Investigation, 9, Supplement, 90-98.

Dykstra, J., & Sherman, A. (2013). Design and implementation of FROST: digital forensic tools for the OpenStack cloud computing platform. Digital Investigation, 10 ,87-95.

Emulab. (2014). Emulab. (Retrieved Mar 04, 2014 from https://www.emulab.net/)

EnCase. (2014). Guidance Software. (Retrieved Jun 05, 2014 from http://www.guidancesoftware.com/forensic.htm)

Eucalyptus. (2014). Eucalyptus Systems, Inc. (Retrieved Mar 04, 2014 from https://www.eucalyptus.com/)

FTK. (2014). Forensics tool kit (FTK) computer forensics software. (Retrieved Jun 05, 2014 from http://accessdata.com/products/computer-forensics/ftk)

George, E., & Mason, S. (2011). Digital evidence and cloud computing. Computer Law and Security Review, 27 , 524-528.

GetData. (2014). Virtual Forensics Computing. (Retrieved Mar 04, 2014 from http://www.virtualforensiccomputing.com/)

Grispos, G., Storer, T., & Glisson, W. (2012). Calm before the storm: The challenges of cloud computing in digital forensics. International Journal of Digital Crime and Forensics, 4 , 2-11.

Haeberlen, T., & Dupr, L. (2012). Cloud computing: Benets, risks and recommendations for information security (Tech. Rep. No. 2). Heraklion, Crete, Greece: European Union Agency for Network and Information Security.

Hale, S. (2013). Amazon cloud drive forensic analysis. Digital Investigation, 10 (3), 259-265.

Hegarty, R., Merabti, M., Shi, Q., & Askwith, B. (2011). Forensic analysis of distributed service oriented computing platforms. In 12th Annual PostGraduate Symposium on the Convergence of Telecommunications, Networking and Broadcasting.

Hooper, C., Martini, B., & Choo, K. (2013). Cloud computing and its implications for cybercrime investigations in Australia. Computer Law and Security Review, 29 (2), 152-163.

ISO/CSA. (2014). Mapping the Forensic Standard ISO/IEC 27037 to Cloud Computing : Cloud Security Alliance. (Retrieved Feb 06, 2014 from https://downloads.cloudsecurityalliance.org/initiatives/imf/Mapping-the-Forensic-Standard-ISO-IEC-27037-to-Cloud-Computing.pdf)

Jawale, N., & Narayanan, A. (2011). Organisational preparedness for hosted virtual desktops in the context of digital forensics. In 9th Australian Digital Forensics Conference, (pp. 65{75).

Kangarlou, A., Eugster, P., & Xu, D. (2009). Vnsnap: Taking snapshots of virtual networked environments with minimal downtime. In IEEE/IFIP International Conference on Dependable Systems Networks DSN (pp. 524-533).

Marangos, N., Rizomiliotis, P., & Mitrou, L. (2012). Digital forensics in the cloud computing era. In IEEE Globecom Workshops (GC Wkshps) (pp. 775-780).

Martini, B., & Choo, K. R. (2012). An integrated conceptual digital forensic framework for cloud computing. Digital Investigation, 9 (2), 71-80.

Marturana, F., Me, G., & Tacconi, S. (2012). A case study on digital forensics in the cloud. In 2012 International Conference on Cyber Enabled Distributed Computing and Knowledge Discovery (CyberC) (pp. 111-116).

Microsoft. (2014). Microsoft Expression Encoder 4. (Retrieved Mar 04, 2014 from http://www.microsoft.com/en-us/download/details.aspx?id=18974)

Mishra, A., Matta, P., Pilli, E., & Joshi, R. (2012). Cloud forensics: State-of-the-art and research challenges. In 2012 International Symposium on Cloud and Services Computing (ISCOS) (pp. 164-170).

Mulazzani, M., Schrittwieser, S., Leithner, M., Huber, M., & Weippl, E. (2011). Dark clouds on the horizon: Using cloud storage as attack vector and online slack space. In Proceedings of the 20th USENIX Conference on Security.

NIST. (2004). Digital Data Acquisition Tool Specication. (Retrieved Mar 12, 2014 from http://www.cftt.nist.gov/Pub-Draft-1-DDA-Require.pdf)

NIST. (2014a). Guide to Integrating Forensics Techniques into Incident Response. (Retrieved Jun 05, 2014 from http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf)

NIST. (2014b). NIST Cloud Computing Forensics Science Challenges. (Retrieved Jun 29, 2014 from http://csrc.nist.gov/publications/drafts/nistir-8006/draft nistir 8006.pdf)

OpenNebula. (2014). OpenNebulla. (Retrieved Mar 04, 2014 from http://opennebula.org/about/)

OShaughnessy, S., & Keane, A. (2013). Impact of cloud computing on digital forensic investigations. In Advances in Digital Forensics (pp. 291-303).

Patrascu, A., & Patriciu, V. (2013). Beyond digital forensics: A cloud computing perspective over incident response and reporting. In 8th International Symposium on Applied Computational Intelligence and Informatics (SACI) (pp. 455-460).

Quick, D., & Choo, K. R. (2013). Forensic collection of cloud storage data: Does the act of collection result in changes to the data or its metadata? Digital Investigation, 10 (3), 266-277.

Rackspace. (2014). Rackspace. (Retrieved Mar 04, 2014 from http://www.rackspace.com/)

Reilly, D., Wren, C., & Berry, T. (2010). Cloud computing: Forensic challenges for law enforcement. In International Conference for Internet Technology and Secured Transactions (ICITST) (pp. 1-7).

Riverbed. (2014). Wireshark. (Retrieved Mar 04, 2014 from http://www.wireshark.org/)

Ruan, K. (2013). Cybercrime and cloud forensics: applications for investigation processes. Information Science Reference.

Ruan, K., Carthy, J., Kechadi, T., & Baggili, I. (2013). Cloud forensics denitions and critical criteria for cloud forensic capability: An overview of survey results. Digital Investigation, 10 (1), 34-43.

Ruan, K., Carthy, J., Kechadi, T., & Crosbie, M. (2011). Cloud forensics: An overview. In Advances in Digital Forensics VII (pp. 16-26).

Sang, T. (2013). A log based approach to make digital forensics easier on cloud computing. In Third International Conference on Intelligent System Design and Engineering Applications (ISDEA) (pp. 91-94).

Sibiya, G., Fogwill, T., & Venter, H. (2013). Selection and ranking of remote hosts for digital forensic investigation in a cloud environment. In Information Security for South Africa (pp. 1-5).

Spyridopoulos, T., & Katos, V. (2011). Requirements for a forensically ready cloud storage service. International Journal of Digital Crime and Forensics (IJDCF), 3 (3), 19-36.

Srivastava, A., & Giffin, J. (2014). Tamper-resistant, application-aware blocking of malicious network connections. (Accessed 04-03-2014)

Summon. (2014). SpringShare. (Retrieved Feb 22,2014 from http://www.serialssolutions.com/en/resources/detail/introducing-summon-2.0-discovery-reinvented)

Taylor, M., Haggerty, J., Gresty, D., & Lamb, D. (2011). Forensic investigation of cloud computing systems. Network Security, 3 , 4-10.

Thanh, T., Mohan, S., Choi, E., Kim, S., & Kim, P. (2008). A taxonomy and survey on distributed file systems. In Fourth International Conference on Networked Computing and Advanced Information Management (NCM08) (pp. 144-149).

Thorpe, S., Ray, I., Grandison, T., & Barbir, A. (2012). Cloud log forensics metadata analysis. In 36th IEEE Annual Computer Software and Applications Conference Workshops (COMPSACW) (pp. 194-199).

Vomel, S., & Freiling, F. C. (2012). Correctness, atomicity, and integrity: Dening criteria for forensically-sound memory acquisition. Digital Investigation, 9 (2), 125-137.

Wolthusen, S. D. (2009). Overcast: Forensic discovery in cloud environments. In Fifth International Conference on IT Security Incident Management and IT Forensics(IMF) (pp. 3-9).

Xen. (2014). XenAcess Library. (Retrieved Mar 04, 2014 from http://code.google.com/p/xenaccess/)

Xway. (2014). X-way Software Technology AG. (Retrieved Mar 04, 2014 from http://www.x-ways.net/)

Zargari, S., & Benford, D. (2012). Cloud forensics: Concepts, issues, and challenges. In Third International Conference on Emerging Intelligent Data and Web Technologies (EIDWT) (pp. 236-243).

Zawoad, S., & Hasan, R. (2012). I have the proof: Providing proofs of past data possession in cloud forensics. In International Conference on Cyber Security (CyberSecurity) (pp. 75-82).


To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.