The lack of control on the examiner's part makes collection the generally accepted problem with cloud-based evidence. Because the examiner has neither access to the physical hard drive nor control over the network, s/he will at most have access to the data through the end user's Web browser, or through a computer connected to the same network's access.
The question for the examiner then becomes, not only how to collect and document information from the cloud, but also whether the same acquisition and documentation methodology used for other internet evidence can be used in the collection, preservation, and presentation of cloud-based evidence.
Certainly it is possible to document the cloud through various similar methods, which include:
- Taking snapshots of the evidence.
- Videotaping what is present.
- Acquiring the data through logical acquisition, if you can access the “cloud” data as a logical drive.
- Complete documentation of the process used in the acquisition.
From: Collection of Evidence from the Internet: Part 2 by Todd G. Shipley