What is everyone's experience of cloud forensics based on local device evidence? I was messing around with examining the browser cache following actions with Dropbox via Chrome and found that a massive number of actions are cached (picture content, document snapshots, etc.). I just wondered if anyone had done anything in the area or has experience of it. I guess, is this the sort of information needed to then proceed to acquire legal authority to seek access to accounts?
I guess it really depends on what you mean by "cloud forensics".
When I was with Terremark, before they were purchased by Verizon, "cloud forensics" was easy…pause the offending VM, copy off the file where memory was copied to and the .vmdk file, and begin analysis.
We did a lot of these investigations, particularly where stolen credit cards were used to purchase and stand up servers; our business process usually detected the fraudulent purchase within an hour, and the investigations usually revealed that the perpetrator had booted the server, logged in, and taken a look around before logging out; response was such that no staging had been done.