Extending Traceability Technique to Client Forensic Investigation

The easy accessibility of stored data on the cloud storage with the use of wide range of digital devices offers both the economic and technical opportunities to its subscribers. These benefits can also be exploited by malicious users to carry out illegal activities. When such illegal activities (cybercrimes) are carried out, it is essential for digital forensic investigators to identify the malicious usages, the dynamics of the crime, identify the perpetrators or the individuals behind the crime, reconstruct the crime patterns, interpret the criminal activities and charge the personalities involved to the court of law. The sustainability of digital forensics depends on the use of appropriate technology to curb various forms of cybercrimes. During forensic investigation artificial intelligence techniques and the use of appropriate forensic tools play important roles to detect activities related to cybercrime. One of the technical challenges associated with cloud forensics investigation is the inability of forensic investigators to obtain raw data from the Cloud Service Providers (CSPs) as a result of privacy issue; this necessitates the need for client forensics. The aim of this paper is to propose a model based on traceability technique to illustrate how the extracted digital artifacts from Windows 10 and an android smartphone can be mapped and linked to the cloud storage accessed and to illustrate the patterns of the activities with 5Ws1H-based expression (what, who, where, when, why and how). The model is set out to assist forensic investigators to easily identify, track and reconstruct a post-event timeline of the activities that takes place on cloud storage with the use of client devices and thereby saves time and enhances better visualization of the crime patterns.