Chapter 31 — Exercises

Thirty problems in seven groups (A–G), mixing concept checks, hands-on labs (parse the sync database, carve the cache, pull the audit log, snapshot the volume, build the timeline, write the report, verify the hash), and the judgment questions that separate an examiner from an intruder in the cloud. Hands-on labs assume the cloud-lab setup in Appendix J — Practice Images and Lab Setup — a free Microsoft 365 Developer tenant, an AWS free-tier account you own, and a practice disk image carrying OneDrive/Drive/Dropbox artifacts. (answer in Appendix) = worked solution in Answers to Selected. ⭐ = stretch. The single discipline that governs every problem here: keep the three reservoirs — and the legal authority that governs each — rigorously separate. Collecting a tenant you control is engineering; reaching an account you do not control is law.


Group A — The three reservoirs and the shared-responsibility map

31.1 Name and define the three reservoirs where cloud evidence lives. For each, state (a) a concrete example artifact, (b) the acquisition method, and (c) whether legal process served on the provider is required. Then explain, in one sentence, why mistaking reservoir 3 for reservoir 2 is the most consequential error a new cloud examiner can make. (answer in Appendix)

31.2 Reproduce the shared-responsibility table from memory across the four service models — on-premises, IaaS, PaaS, SaaS — marking for each layer (Data, App, Runtime, OS, Hypervisor, Hardware, Network) whether the customer or the provider controls it. Then translate the table into forensic reach: for each model, state exactly what you can image. Why does "Data" stay in the customer column in all four columns, and what does that single fact guarantee you can always at least try to collect?

31.3 ⭐ Practitioners call cloud forensics "log-centric." (a) Explain what changes when the disk is no longer the primary evidence and the logs are frequently the entire case. (b) State the reflexive question a cloud examiner asks the moment they are engaged, and why it must be asked in the first hour rather than the first week. (c) Contrast this with the acquisition reflex on a seized laptop, where the disk is the evidence and logs are a supplement.

31.4 Distinguish reservoir 2 from reservoir 3 with two short scenarios of your own: one where the data is lawfully collectible with administrative access and no subpoena, and one where the identical type of data requires process served on the provider. (a) State the one fact that decides which reservoir you are in (hint: it is about ownership of the account/tenant, not about the kind of data). (b) Why does getting this wrong risk both suppression of evidence and personal criminal liability for the examiner? (c) A single workstation has a corporate OneDrive and a personal OneDrive signed in side by side. Explain how one physical disk can hold artifacts from two different reservoirs at once, and what that means for which findings you may report from the endpoint versus which require legal process.


Group B — Endpoint sync artifacts: where the cloud touches the ground

31.5 Draw the OneDrive artifact map for a single user from memory. Name the files under ...\AppData\Local\Microsoft\OneDrive\settings\Business1\ and under ...\logs\Business1\, and state what each gives you. Specifically: which file is the sync database, which file maps an account to its cid, which file de-obfuscates the activity logs, and what <cid>.dat.previous is — and why that single extra file is "a gift the documentation never advertises." (answer in Appendix)

31.6 Lab — parse the OneDrive sync database. On your practice image, extract the Personal account's <cid>.dat (and .dat.previous) to a working folder and record the SHA-256 of each before you touch them. Run OneDriveExplorer against the .dat and export the CSV. (a) Report one file whose status is cloud-only and one whose status is available. (b) State precisely what a cloud-only entry proves about the user's account — and the one thing it does not prove about the local disk. (c) Diff the .dat tree against the .dat.previous tree: name one file that appeared or vanished between the two generations, and explain why that delta is itself evidence. (d) Corroboration drill: name two independent sources you would cite alongside the sync database to confirm a load-bearing finding (e.g., "this file existed in the user's OneDrive"), applying the "one artifact is a lead, three that agree is a finding" rule from Chapter 16 — Windows Forensics.

31.7 A file in the OneDrive logs\ folder has the extension .odlgz and begins with the bytes 1F 8B 08 00 00 00 00 00. (a) Identify the container format from the first two bytes and state what byte 08 specifies. (b) Name the research tool you would use to parse the de-obfuscated ODL operation logs, and name the file in the logs\ directory whose contents that tool needs to reverse the string obfuscation. (c) Name three operation types you expect ODL logs to record, and explain why "file uploaded, with a timestamp and the function that ran" is more useful in an exfiltration case than the sync database alone.

31.8 Google Drive for Desktop stores its catalog in metadata_sqlite_db, which begins with these sixteen bytes: 53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33 00. (a) Decode the bytes to ASCII and confirm the file type. (b) The two bytes at offset 16 are 10 00; read big-endian, compute the database page size in decimal. (c) Name the column/flag in this database that records deleted files, and tie it to the book's first theme. (d) State why you query a hashed, extracted copy of this database and never the file on the evidence image. (answer in Appendix)

31.9 Lab — carve the content cache. Google's content_cache\ directory holds chunked file content with no names and no extensions. You pull three chunks and read their first bytes:

chunk_A:  FF D8 FF E0 00 10 4A 46 49 46 ...
chunk_B:  25 50 44 46 2D 31 2E 37 ...
chunk_C:  50 4B 03 04 14 00 06 00 ...

Identify the file type of each chunk from its signature, state which Part II skill (Chapter 7 — File Carving) you are applying, and explain in one sentence why the content cache is, in effect, "a pile of headerless files waiting for the carving skills you already have." Which chunk could be either a modern Office document or a plain ZIP, and how would you disambiguate?

31.10 ⭐ Dropbox stores info.json, host.db, and a set of .dbx databases (config.dbx, filecache.dbx, deleted.dbx). (a) Which of these is plaintext and reliable, and what two facts does it give you fastest? (b) Modern Dropbox encrypts the .dbx files — name the encryption library and the OS facility that protects the key. (c) Explain why, on a dead-box image with no logged-in context, you generally cannot read filecache.dbx, and connect this precisely to the problem owned by Chapter 29 — Encrypted Device Forensics. (d) Write the one honest sentence you would put in a report rather than pretending you decrypted it.


Group C — Browser artifacts: the webmail and web-app trail

31.11 List the cloud-relevant stores in a Chrome/Edge profile and what each contributes to a cloud case: History, Network\Cookies, Cache\Cache_Data\, Local Storage\leveldb\, IndexedDB\, and Service Worker\CacheStorage\. Which store holds the user's authenticated session and OAuth tokens, how are those values encrypted, and where does the decrypting key live? Why does that key location make this the same pattern you met in Chapter 29? (answer in Appendix)

31.12 A user accessed Gmail and Outlook on the web with no sync client installed. (a) Which browser stores can hold cached message bodies for offline use, and what storage format do they use (and how does it differ from SQLite)? (b) Explain the forensic payoff: how can you read message content even when you have no lawful access to the live mailbox? (c) Give the data-recovery angle: when is this same cache the only surviving copy of a message, and what do you do with it? (d) Name the four filenames you expect inside a LevelDB directory (*.ldb, *.log, plus the two control files), and explain why a LevelDB store can retain a "deleted" record until the next compaction — connecting it to the book's first theme.

31.13 ⭐ While analyzing a browser profile in a corporate IP-theft matter, you decrypt a cookie store and recover a live OAuth bearer token for the suspect's personal Gmail. (a) State exactly what you may lawfully do with that token (document) and what you may not (replay/log in), and name the U.S. statute the latter likely violates. (b) Where does your authority to examine come from, and why does a personal, out-of-scope account stay out of scope "no matter how easy the token makes it"? (c) Tie your answer to the sixth theme — the human cost is real — in one sentence a jury would understand.


Group D — API-based collection from a tenant you control

31.14 Microsoft 365's Unified Audit Log (UAL) is the backbone of tenant-side collection. (a) Name five operations you would hunt in a file-exfiltration case and three you would hunt in a business-email-compromise case. (b) For each AuditData JSON record, name four fields that build a timeline. (c) State precisely what MailItemsAccessed proves and — just as important — what it does not prove. (answer in Appendix)

31.15 Lab — pull and preserve the UAL. Against your practice M365 tenant, run a Search-UnifiedAuditLog for one custodian over a 30-day window, restricted to FileDownloaded,FileUploaded,AnonymousLinkCreated,SharingInvitationCreated,FileDeleted, and export to CSV. (a) Write the exact cmdlet you ran. (b) The instant the export lands, compute its SHA-256 and write the chain-of-custody line — query, tenant identifier, authenticated principal and role, UTC timestamp, tool and version, record count, and hash. (c) A week later opposing counsel asks you to prove the file is unaltered: state the command you run, what you compare, and what a matching hash does and does not prove. Compare your reasoning to the imaging chain of custody in Chapter 5 — The Forensic Process.

31.16 Two caveats bound everything the UAL can do. (a) State the retention windows for standard (E3) versus E5 licensing, and what the ten-year option requires. (b) Explain "it must have been enabled," and why an older or reconfigured tenant may have no retroactive log to search. (c) Given both caveats, justify why the very first action in any M365 case is a race against the retention clock — and what concrete step (covered in Group G) you take on day one to stop that clock for your own tenant.

31.17 ⭐ Entra ID (formerly Azure AD) sign-in and audit logs are the heart of an account-compromise investigation. (a) Name four fields a sign-in record provides that let you spot a suspicious authentication. (b) State the default retention and why mature organizations stream these logs to a SIEM. (c) Name the API surface you query programmatically. (d) Construct a two-line sign-in pattern that would make you suspect a compromised account (think geography and timing), and name the second cloud source you would correlate it against to confirm what the attacker then did.

31.18 Google Workspace mirrors Microsoft with different names. (a) Distinguish Google Vault from the Admin SDK Reports API — which gives content and which gives activity logs? (b) Name the single Drive audit event that "wins exfiltration cases," and say in plain English what it captures. (c) State the typical retention of the Drive audit log in the admin console and where organizations send it for longer history. (answer in Appendix)


Group E — SaaS forensics: Slack, Teams, Salesforce

31.19 Slack exposes more than one collection surface, gated by license tier. (a) Distinguish the Audit Logs API, a standard export, and the Discovery API — what does each return, what format, and which requires Enterprise Grid? (b) A user "deleted" a message that nonetheless appears in a compliance export. Explain why, citing the book's first theme and the fact that retention is set at the workspace level rather than by the user. (c) Name the API scope an Audit Logs API token needs and the endpoint it calls. (d) Why is message_deleted recorded as a tombstone event, and what investigative value does a tombstone carry even when the message body is not in the audit log itself?

31.20 Microsoft Teams "has no separate evidence store at all." (a) Where do Teams chat messages physically live (name the hidden mailbox substructure), and where do files shared in a channel versus in a 1:1 chat live? (b) Given (a), name the two M365 mechanisms through which you actually investigate Teams, and two UAL operations specific to Teams activity. (c) Explain to a client, in one sentence, why "image the Teams server" is not a request anyone can fulfill. (d) A custodian deleted a 1:1 chat message; explain where it may still be recoverable and why, tying it to the same retention principle that preserves a deleted Slack message.

31.21 ⭐ A departing salesperson is suspected of exporting the customer list from Salesforce. (a) Distinguish the Setup Audit Trail from Shield Event Monitoring, and state which one would record a bulk report export. (b) Name the specific event you would look for. (c) The organization never licensed Shield. State the honest finding, and connect it to the fifth theme — and to the broader lesson that in SaaS forensics, what you can collect was decided before your investigation began, by which licenses the organization bought. (d) What single recommendation do you make to the client for the future?


Group F — IaaS and PaaS: control plane, data plane, snapshots

31.22 Define the control plane and the data plane for an IaaS investigation, and give the log source for each across AWS, Azure, and GCP. (a) State which plane is logged on by default and which usually is not, and explain why "did the attacker read the S3 bucket / GCS object?" so often has no answer. (b) Name two data-plane log sources besides object-access events (think network and storage) and the one investigative question each answers. (c) AWS CloudTrail "event history" is free for 90 days but limited; explain what configuring a Trail to an S3 bucket adds in both duration and scope. (answer in Appendix)

31.23 Lab — read a CloudTrail record. From this management-event record, extract every investigative fact and state what the event accomplished:

{
  "eventTime": "2026-06-15T03:42:11Z",
  "eventName": "CreateSnapshot",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.47",
  "userIdentity": { "type": "IAMUser", "userName": "svc-backup",
                    "accessKeyId": "AKIAEXAMPLE12345" },
  "requestParameters": { "volumeId": "vol-0a1b2c3d4e5f6a7b8" },
  "responseElements": { "snapshotId": "snap-0f1e2d3c4b5a69788" }
}

Then explain why, when an attacker runs StopLogging, DeleteTrail, or PutEventSelectors, those calls themselves appear in CloudTrail — and tie it to the book's third theme about the absence of a trace being itself a trace.

31.24 Lab — acquire a cloud volume. Put the AWS EBS forensic-acquisition steps in the correct order and justify the two ordering decisions that matter most: (1) isolate the instance, (2) image the attached volume with dc3dd ... hash=sha256, (3) capture instance RAM with avml before stopping it, (4) create an EBS snapshot, (5) in an isolated forensic account, create a volume from the snapshot and attach it. (a) Why memory before snapshot? Cite the order-of-volatility rule from Chapter 15 — Live Response and Triage. (b) Why an isolated account? (c) After imaging, you run sha256sum i-0abc_disk.raw; what do you compare it against, and why does the downloaded image now qualify for "every technique in Parts II and III"?

31.25 ⭐ Counsel asks, "Did the intruder exfiltrate the contents of the customer-pii S3 bucket?" CloudTrail shows the intruder's AssumeRole and ListBuckets, but data events were never enabled on that bucket. (a) Explain why the management-plane log cannot answer the question. (b) Write the finding in a single defensible sentence that neither overclaims nor dismisses the real risk. (c) Name two other data-plane sources (besides CloudTrail data events) that might still bear on the question.


31.26 The Stored Communications Act sets a tiered standard. (a) Match each instrument — subpoena (§ 2703(c)(2)), 2703(d) court order, search warrant — to the category of data it compels (basic subscriber info / non-content transactional records / content). (b) State what a § 2703(f) preservation request does and does not do, how long it lasts, whether it is renewable, and why it is the first action in any third-party-data case. (c) Explain why a provider's law-enforcement portal and published guidelines matter operationally — what happens to malformed process, and what a transparency report tells you before you draft anything. (answer in Appendix)

31.27 ⭐ A civil litigant in a trade-secret case wants a former employee's personal Gmail content and proposes to subpoena Google directly. (a) Explain why the SCA generally bars the provider from disclosing content to a civil litigant even under a Rule 45 subpoena. (b) State where the litigant actually obtains that evidence instead. (c) Explain why this rule pushes corporate eDiscovery so hard toward reservoir 2 and toward compelling individuals to produce their own accounts. (d) Why is "knowing which door is even legally open" half of cloud-evidence work?

31.28 For each scenario, name the lawful instrument and the chief practical risk: (a) a U.S. provider storing the target emails in a Dublin data center; (b) an EU company, EU-resident data, U.S. investigator; (c) a foreign provider with no U.S. presence. Reference the CLOUD Act, GDPR Article 48, executive agreements, and MLAT as appropriate, and explain the quiet tragedy in which "the way you got it" or "how long it took" defeats an otherwise winnable case.

31.29 Lab — build the cloud timeline and write the finding. You have collected the following for j.rivera, the browser-tab variant of anchor case #2. Assemble a single sourced, chronological timeline (UTC) with the artifact named in brackets after each line, explicitly marking the reservoir-3 gap and the lawful instrument needed to close it. Then write a two-to-three-sentence Findings paragraph that a competent cross-examiner could not impeach, keeping finding and inference rigorously separate and asserting no motive. (answer in Appendix)

Sign-in to corporate M365 from 203.0.113.47 (home city) ... Fri 18:35   [Entra sign-in log]
FileDownloaded ×4 from SharePoint TurbineHousing library ... Fri 18:39   [M365 UAL]
Upload of 4 .sldprt to PERSONAL OneDrive begins ............ Fri 18:44   [endpoint ODL log]
Personal-OneDrive sync completes (files now "cloud-only") .. Fri 18:51   [endpoint <cid>.dat]
AnonymousLinkCreated on corporate TurbineHousing_v7 ........ Fri 18:51   [M365 UAL]
Contents of the personal OneDrive account .................. (not collected) [reservoir 3?]

31.30 Progressive project — the cloud-evidence layer. Add this chapter's evidence to your Forensic Case File. (1) Map the three reservoirs for your case: which endpoints carry sync clients or webmail (R1), which tenants your subject organization controls (R2), and which accounts belong to third parties (R3); for each, write the lawful collection method. (2) Collect endpoint cloud artifacts from your verified image — OneDrive <cid>.dat/.dat.previous/ODL, Google metadata_sqlite_db and content_cache, Dropbox info.json/.dbx, and browser History/Cookies/IndexedDB — parsing with OneDriveExplorer, odl.py, the SQLite CLI, and a LevelDB reader, and hashing every extracted file into your chain-of-custody worksheet (Appendix F). (3) Collect the tenant telemetry you are authorized to reach (a Search-UnifiedAuditLog, Google Reports API, or CloudTrail query), export it, hash it immediately, and record the query/principal/role/UTC. (4) Draft the reservoir-3 step: the § 2703(f) preservation request (or, in a civil matter, the litigation-hold/production approach), noting the provider's law-enforcement-portal requirements and the retention window you are racing. (5) Add a sourced cloud timeline to the case file, every entry tied to a specific artifact and every reservoir-3 gap marked with the instrument needed to close it. List the files you extracted and their hashes in your submission; you will merge this into the master timeline in Chapter 21 — Timeline Analysis and fold it into the report in Chapter 26. The capstone in Chapter 38 assembles everything.


Self-check. You have mastered this chapter when, handed a case that lives in the cloud, you can name which of the three reservoirs each piece of evidence sits in, choose the lawful acquisition method for each without blurring engineering and law, and state — before you promise an answer — whether the provider even logged what you need and whether the retention clock has already run. If you can parse a OneDrive <cid>.dat and read a cloud-only flag as proof a file lived in the cloud, pull and hash a Unified Audit Log with a defensible chain of custody, reconstruct an attack from CloudTrail even after the attacker deleted the snapshots, and write a finding that names its reservoir-3 gap and the warrant that would close it — then you are ready for Chapter 32 — Malware Forensics, where the question shifts from where the data lives to what the adversary ran.