Cloud and IoT Forensics: Acquisition Challenges

This mock drills into the two hardest acquisition surfaces in modern digital forensics — public-cloud workloads and Internet-of-Things devices — and the legal, architectural, and procedural obstacles that distinguish them from traditional disk forensics. Thirty hard questions across cloud service models (IaaS, PaaS, SaaS, FaaS) and what each layer surrenders to the investigator, deployment models (public, private, community, hybrid), multi-tenancy and data co-mingling, jurisdictional pathways for cross-border production (MLAT, the US CLOUD Act 2018, GDPR Article 48, India's DPDP Act 2023, IT Act §69 read with the 2009 Rules, the CERT-In Directions of 28 April 2022 with their 6-hour reporting and 180-day log-retention rules), the major cloud audit logs (AWS CloudTrail vs CloudWatch vs Config vs VPC Flow Logs, Azure Activity Log vs Entra ID Sign-in Logs vs Diagnostic Logs, GCP Cloud Audit Logs Admin Activity vs Data Access, Microsoft 365 Unified Audit Log retention by SKU), snapshot-based acquisition (EBS snapshot → cross-account share → forensic VPC restore), Linux memory acquisition with LiME, and the limits of memory acquisition on serverless platforms.

The IoT half covers smart-hub voice assistants and the Echo cloud-account architecture exposed by *Arkansas v. Bates* (2017), wearables and the heart-rate / step-count timeline that proved decisive in *State v. Dabate* (Connecticut, 2017), smart-camera and doorbell acquisition when JTAG is gone and the eMMC is BGA-soldered (chip-off plus companion-app plus cloud), Android and iOS companion-app forensic artefacts (SQLite, SharedPreferences, plist, OAuth tokens), connected-vehicle Event Data Recorders extracted with the Bosch CDR tool over OBD-II under 49 CFR Part 563, and the special discipline required for industrial-control SCADA networks running Modbus and OPC-UA where active scanning can disrupt physical-world processes (IEC 62443).

It is pitched at MSc and final-year BSc cyber forensics students at NFSU, LNJN-NICFS, and other Indian universities, and at FACT, UGC-NET and CHFI aspirants who need the cloud and IoT acquisition layers locked in. This is a **premium**, **hard**-difficulty mock — distractors target the misconceptions a careful student is most likely to fall into (CloudTrail vs CloudWatch vs Config; Lambda vs EC2 acquisition; MLAT vs CLOUD Act vs GDPR Article 48; Azure Activity Log vs Entra Sign-in Logs; chip-off vs JTAG when neither is straightforward).

Themes covered:

• Cloud service models (IaaS / PaaS / SaaS / FaaS) and the evidence each layer yields
• Cloud deployment models (public, private, community, hybrid) and multi-tenancy
• AWS CloudTrail, CloudWatch, Config, VPC Flow Logs; Azure Entra Sign-in / Activity / Diagnostic Logs; GCP Audit Logs Admin Activity vs Data Access; M365 Unified Audit Log
• Snapshot acquisition (EBS / managed disk / persistent disk); Linux RAM with LiME; serverless limits
• Jurisdiction: MLAT, CLOUD Act 2018, GDPR Article 48, DPDP 2023, IT Act §69, CERT-In Directions 2022, data sovereignty
• Standards: NIST SP 800-145, NIST IR 8006, NIST SP 800-201, NIST SP 800-86, ISO/IEC 27037, CSA Domain 12, IEC 62443
• IoT classes: voice assistants (Echo / Home / HomePod), wearables (Fitbit, Apple Watch, Garmin), smart cameras (Ring, Nest), connected vehicles, industrial IoT
• IoT acquisition: chip-off vs JTAG, companion-app SQLite/SharedPreferences/plist, cloud-account artefacts
• Court precedents: *Arkansas v. Bates* (Echo, 2017), *State v. Dabate* (Fitbit, 2017)
• Connected-vehicle CAN-bus, OBD-II, EDR under 49 CFR Part 563, Bosch CDR tool

Each question carries a detailed 250+ word explanation citing primary sources — NIST IR 8006 and SP 800-201, NIST SP 800-145, ISO/IEC 27037, the CLOUD Act, GDPR, DPDP 2023, the IT Act, CERT-In Directions, AWS / Azure / GCP / Microsoft official documentation, the *Bates* and *Dabate* dockets, 49 CFR Part 563, ISO 15765-4, IEC 62443, and Hassan's *Digital Forensics Basics*. Allow 15 minutes — the explanations are long enough to use as study notes by themselves.