Ahmed Abdulghani Ali, Farhan Khalid, Ninggal Mohd Izuan Hafez, Alselwi Ghadir
School of Computer Science and Informatics, Faculty of Computing, Engineering and Media, De Montfort University, Leicester LE1 9BH, UK.
School of Computer Science and Engineering, University of New South Wales, Sydney, NSW 2052, Australia.
Sensors (Basel). 2024 Dec 27;25(1):106. doi: 10.3390/s25010106.
Most current research in cloud forensics is focused on tackling the challenges encountered by forensic investigators in identifying and recovering artifacts from cloud devices. These challenges arise from the diverse array of cloud service providers as each has its distinct rules, guidelines, and requirements. This research proposes an investigation technique for identifying and locating data remnants in two main stages: artefact collection and evidence identification. In the artefacts collection stage, the proposed technique determines the location of the artefacts in cloud storage and collects them for further investigation in the next stage. In the evidence identification stage, the collected artefacts are investigated to identify the evidence relevant to the cybercrime currently being investigated. These two stages perform an integrated process for mitigating the difficulty of locating the artefacts and reducing the time of identifying the relevant evidence. The proposed technique is implemented and tested by applying a forensics investigation algorithm on Sync.com cloud storage using the Microsoft Windows 10 operating system.
当前大多数云取证研究都集中在应对取证调查人员在从云设备中识别和恢复工件时遇到的挑战。这些挑战源于各种各样的云服务提供商,因为每个提供商都有其独特的规则、指南和要求。本研究提出了一种分两个主要阶段识别和定位数据残余的调查技术:工件收集和证据识别。在工件收集阶段,所提出的技术确定云存储中工件的位置并收集它们,以便在下一阶段进行进一步调查。在证据识别阶段,对收集到的工件进行调查,以识别与当前正在调查的网络犯罪相关的证据。这两个阶段执行一个集成过程,以减轻定位工件的难度并减少识别相关证据的时间。所提出的技术通过在使用Microsoft Windows 10操作系统的Sync.com云存储上应用取证调查算法来实现和测试。
