Chapter 31 — Quiz

14 questions: 10 multiple choice, 2 true/false, 2 short answer. Answers and a scoring band are at the bottom. Commit to an answer before you look — in the cloud, the costly mistakes are the ones you make confidently.


Multiple choice

Q1. A suspect's proprietary files were uploaded to their personal OneDrive account, which your client does not control. Which reservoir is this, and what does it require? - A) Reservoir 1 — image the endpoint - B) Reservoir 2 — collect with the client's admin credentials - C) Reservoir 3 — legal process served on the provider - D) No reservoir — the data is simply unrecoverable

Q2. Under the shared-responsibility model, which service type leaves you the least to image — no disk, no OS, only the logs and exports the provider exposes? - A) On-premises - B) IaaS (e.g., an EC2 instance) - C) PaaS (e.g., a managed runtime) - D) SaaS (e.g., Microsoft 365, Salesforce)

Q3. In a OneDrive sync database parsed with OneDriveExplorer, a file shows a status of cloud-only. What does that prove? - A) The file's full bytes are stored on this local disk - B) The file existed in this account's cloud storage even though it was never fully downloaded to this disk - C) The file was deleted from the cloud - D) The file is encrypted with SQLCipher

Q4. A Google Drive content_cache chunk begins with the bytes FF D8 FF E0. What is it? - A) A PDF - B) A ZIP / Office document - C) A JPEG image - D) A SQLite database

Q5. Which single U.S. legal instrument both compels a provider to preserve an account's existing contents and buys you time to obtain a warrant — without itself giving you the data? - A) A § 2703(d) court order - B) A § 2703(f) preservation request - C) A Rule 45 civil subpoena - D) An MLAT request

Q6. In AWS, which category of event is not logged by default, so that "did the attacker read the S3 object?" frequently has no answer? - A) Management-plane events (e.g., RunInstances) - B) Data events (e.g., S3 GetObject) - C) ConsoleLogin events - D) CreateSnapshot events

Q7. You must examine the inside of a compromised EC2 instance. Following the order of volatility, what do you capture first? - A) An EBS snapshot of the root volume - B) The instance's RAM, before stopping it - C) The CloudTrail history - D) The VPC Flow Logs

Q8. Under the Stored Communications Act, which instrument is generally required to compel the content of stored communications (the emails and files themselves)? - A) A subpoena for basic subscriber information - B) A § 2703(d) court order - C) A search warrant supported by probable cause - D) A preservation letter

Q9. A user "deleted" a Slack message, yet it appears in the workspace's compliance/Discovery export. Why? - A) Slack never deletes anything, ever, under any setting - B) Retention is set at the workspace level, so deletion removed the user's view, not the retained record - C) The export was fabricated - D) The message was recovered from the endpoint's RAM

Q10. The CLOUD Act (2018) changed the central question for reaching provider-held data from "where are the bytes physically stored?" to which question? - A) Whether the data is encrypted - B) Whether the provider has "possession, custody, or control," regardless of storage location - C) Whether the user consented - D) Whether the data is older than 180 days

True / False

Q11. Because Microsoft 365 is a managed service, you can acquire a full forensic disk image of Salesforce and Microsoft 365 the same way you image a seized laptop. (True / False)

Q12. Microsoft Teams keeps its own dedicated evidence store, separate from the rest of Microsoft 365, which you collect directly from a "Teams server." (True / False)

Short answer

Q13. Name the three reservoirs where cloud evidence lives and, in a few words each, the acquisition method for each.

Q14. Give two distinct reasons the absence of a cloud log entry is not proof that the activity never happened. (Hint: think about the retention clock and about default settings/licensing.)

---

Answer key

Q1 — C. A personal account your client does not control is reservoir 3; you cannot log in or ask nicely — you compel disclosure through legal process served on the provider (preservation letter, then subpoena/2703(d) order/warrant under the SCA). Treating it like reservoir 2 is unauthorized access.

Q2 — D. SaaS leaves only the data and configuration in your hands; there is no disk or OS you are permitted to touch, so you collect logs and sanctioned exports or you get nothing. IaaS still lets you snapshot the VM disk; on-prem you own the whole stack.

Q3 — B. A cloud-only placeholder means the metadata is on the machine but the bytes live in the cloud — proof the file existed in this account's cloud storage even though it was never fully downloaded. It says nothing favorable about the local disk holding the content.

Q4 — C. FF D8 FF is the JPEG signature. 25 50 44 46 (%PDF) is a PDF; 50 4B 03 04 (PK..) is a ZIP/Office container; 53 51 4C 69 74 65 is SQLite. The cache is carvable exactly like the headerless files of Chapter 7.

Q5 — B. A § 2703(f) preservation request compels the provider to preserve existing contents for 90 days (renewable another 90) while you obtain the warrant or order. It stops the clock; it does not hand over data. It goes out the first day.

Q6 — B. Data events (object-level S3 access, Lambda invocations) are off by default and must be explicitly enabled; management-plane events like RunInstances and CreateSnapshot are captured by CloudTrail's default event history.

Q7 — B. Memory dies at power-off; the snapshot is durable. Capture instance RAM (e.g., with avml) before you stop the instance — the order-of-volatility rule from Chapter 15 still governs even though the host is virtual.

Q8 — C. Content generally requires a search warrant on probable cause (post-Carpenter and per DOJ policy). A subpoena reaches basic subscriber info; a 2703(d) order reaches non-content transactional records; a preservation letter freezes but does not produce.

Q9 — B. Workspace-level retention means the record persists in the compliance/Discovery export even after the user deletes their own view. Theme #1 holds in the cloud: deletion removed the pointer (their view), not the data.

Q10 — B. The CLOUD Act amended the SCA so a U.S. provider must produce data within its "possession, custody, or control" regardless of where it is physically stored — making the provider's nationality and control, not the bytes' location, the question (and creating the GDPR Article 48 tension).

Q11 — False. You cannot image SaaS. There is no disk, no OS, no file system you are permitted to touch — only the logs and exports the provider exposes. Your reach is exactly the provider's telemetry.

Q12 — False. Teams has no separate store. Chat messages live in hidden folders of the participants' Exchange Online mailboxes; channel files live in the team's SharePoint site; 1:1-chat files live in the sender's OneDrive. You investigate Teams through the M365 Unified Audit Log and eDiscovery.

Q13. (1) On the endpoint — sync-client databases and browser artifacts; acquire by ordinary forensic imaging. (2) At the provider, via a tenant your client controls — audit logs and eDiscovery exports; acquire with admin credentials through APIs/portals, no third party needed. (3) At the provider, in an account your client does not control — acquire only through legal process served on the provider.

Q14. (1) Retention — every cloud log has a clock (Entra ≈30 days, M365 UAL 180 days–1 year, CloudTrail event history 90 days), so the record may have aged out and been deleted by policy. (2) Default-off / unlicensed logging — the telemetry may never have been generated at all (M365 auditing not enabled, AWS/GCP data events off by default, Salesforce Shield or Slack Enterprise Grid not licensed). Absence of a log is not evidence of absence of activity.

Scoring: 13–14 — cloud-ready; you can separate the reservoirs, choose the lawful instrument, and state retention limits without hesitation. 10–12 — solid; revisit the SCA tiers and the shared-responsibility-as-forensic-map section. 7–9 — re-read "The legal process" and "IaaS and PaaS forensics," then redo exercise Groups F and G. Below 7 — re-read the chapter index and rebuild the three-reservoir map and the anchor-case timeline before moving on.