Abstract:
Cloud storage drives have become very popular with people around the world. Understanding how to locate,
retrieve and acquire cloud-based data can be complex and time-consuming. Standard digital forensic concepts and thorough chain
of custody methods are the main discussion topics in most contemporary academic forensic publications. The traditional approach to
computer forensics emphasizes physically accessing the media that houses the potentially relevant information.
In a cloud computing environment, on the other hand, accessing the physical media is practically not feasible. Data for a
given client could be kept decentralized, spanning several data centers and countries, using various virtual servers and physical devices.
Because data breaches can occur through cloud-based applications, the research proposed in this paper focuses on
gathering evidence from Windows 11 operating systems to discover and collect leftover registry artifacts of one of the main cloud
storage applications, OneDrive. It will also indicate that these artifacts exist even after the cloud drive application is unlinked and
uninstalled. The proposed research will show what types of data remnants remain and where they can be found through the analysis of a
digital forensic investigator. Also, because collecting registry artifacts with their essential values is time-consuming, a bash script
will be built to gather registry artifacts, which will show how data is stored within the Windows 11 registry.
Moreover, this research takes two main approaches. The first approach is to take a snapshot of the Windows
registry after installing the cloud storage application and linking an account to it, and then to perform a digital forensic
investigation on the machine to discover related artifacts in the registry. The second approach is to unlink the account and uninstall
the OneDrive cloud drive application, restart the machine, and then take another snapshot to perform a second forensic investigation,
comparing the evidence gathered in the second approach with the evidence gathered in the first approach.
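
The two-snapshot comparison described above, sketched in Python as an added example (it is not the paper's bash script): it parses two `reg export` style text snapshots and classifies entries that mention OneDrive as remnants or as removed. The snapshots, key paths and values are constructed placeholders, and the function names are assumptions of this example.

```python
import re

# Constructed `reg export`-style snapshots; all key paths and values are placeholders.
LINKED = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleVendor\OneDrive]
"UserFolder"="C:\\Users\\analyst\\OneDrive"

[HKEY_CURRENT_USER\Software\ExampleVendor\OneDrive\Accounts\Personal]
"UserEmail"="user@example.test"

[HKEY_CURRENT_USER\Software\ExampleVendor\Shell]
"LastSyncRoot"="C:\\Users\\analyst\\OneDrive"
'''
UNLINKED = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleVendor\OneDrive]

[HKEY_CURRENT_USER\Software\ExampleVendor\Shell]
"LastSyncRoot"="C:\\Users\\analyst\\OneDrive"
'''

VALUE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')

def parse_reg(text):
    """Map (key, value name) -> data; name "" stands for the key itself."""
    entries, key = {}, None
    # Join hex values that the export wraps with a trailing backslash.
    text = re.sub(r'\\\r?\n[ \t]+', '', text)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            entries[(key, '')] = ''  # an empty leftover key is still an artifact
        elif key and (m := VALUE.match(line)):
            entries[(key, m.group(1).strip('"'))] = m.group(2)
    return entries

def compare(before_text, after_text, term='onedrive'):
    """Classify entries whose key, name or data mentions `term`."""
    def hits(text):
        return {k: d for k, d in parse_reg(text).items()
                if term.lower() in '\0'.join((*k, d)).lower()}
    before, after = hits(before_text), hits(after_text)
    return {'remnant': sorted(k for k in after if k in before),
            'removed': sorted(k for k in before if k not in after)}

if __name__ == '__main__':
    print(compare(LINKED, UNLINKED))
```

Files written by `reg export` are UTF-16, so read them with `encoding='utf-16'` before passing the text to `compare`.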