Digital Forensics | hard | Premium

Cloud and IoT Forensics: Acquisition Challenges

Published:

Questions: 30

Duration: 30 min

Faculty-reviewed: 30

Updated: 03 May 2026

Score, per-question explanations and topic breakdown shown right after you submit.

About this mock

This mock drills into the two hardest acquisition surfaces in modern digital forensics — public-cloud workloads and Internet-of-Things devices — and the legal, architectural, and procedural obstacles that distinguish them from traditional disk forensics. Thirty hard questions across cloud service models (IaaS, PaaS, SaaS, FaaS) and what each layer surrenders to the investigator, deployment models (public, private, community, hybrid), multi-tenancy and data co-mingling, jurisdictional pathways for cross-border production (MLAT, the US CLOUD Act 2018, GDPR Article 48, India's DPDP Act 2023, IT Act §69 read with the 2009 Rules, the CERT-In Directions of 28 April 2022 with their 6-hour reporting and 180-day log-retention rules), the major cloud audit logs (AWS CloudTrail vs CloudWatch vs Config vs VPC Flow Logs, Azure Activity Log vs Entra ID Sign-in Logs vs Diagnostic Logs, GCP Cloud Audit Logs Admin Activity vs Data Access, Microsoft 365 Unified Audit Log retention by SKU), snapshot-based acquisition (EBS snapshot → cross-account share → forensic VPC restore), Linux memory acquisition with LiME, and the limits of memory acquisition on serverless platforms.

The IoT half covers smart-hub voice assistants and the Echo cloud-account architecture exposed by *Arkansas v. Bates* (2017), wearables and the heart-rate / step-count timeline that proved decisive in *State v. Dabate* (Connecticut, 2017), smart-camera and doorbell acquisition when JTAG is gone and the eMMC is BGA-soldered (chip-off plus companion-app plus cloud), Android and iOS companion-app forensic artefacts (SQLite, SharedPreferences, plist, OAuth tokens), connected-vehicle Event Data Recorders extracted with the Bosch CDR tool over OBD-II under 49 CFR Part 563, and the special discipline required for industrial-control SCADA networks running Modbus and OPC-UA where active scanning can disrupt physical-world processes (IEC 62443).

It is pitched at MSc and final-year BSc cyber forensics students at NFSU, LNJN-NICFS, and other Indian universities, and at FACT, UGC-NET and CHFI aspirants who need the cloud and IoT acquisition layers locked in. This is a **premium**, **hard**-difficulty mock — distractors target the misconceptions a careful student is most likely to fall into (CloudTrail vs CloudWatch vs Config; Lambda vs EC2 acquisition; MLAT vs CLOUD Act vs GDPR Article 48; Azure Activity Log vs Entra Sign-in Logs; chip-off vs JTAG when neither is straightforward).

Topics covered:

  • Cloud service models (IaaS / PaaS / SaaS / FaaS) and the evidence each layer yields
  • Cloud deployment models (public, private, community, hybrid) and multi-tenancy
  • AWS CloudTrail, CloudWatch, Config, VPC Flow Logs; Azure Entra Sign-in / Activity / Diagnostic Logs; GCP Audit Logs Admin Activity vs Data Access; M365 Unified Audit Log
  • Snapshot acquisition (EBS / managed disk / persistent disk); Linux RAM with LiME; serverless limits
  • Jurisdiction: MLAT, CLOUD Act 2018, GDPR Article 48, DPDP 2023, IT Act §69, CERT-In Directions 2022, data sovereignty
  • Standards: NIST SP 800-145, NIST IR 8006, NIST SP 800-201, NIST SP 800-86, ISO/IEC 27037, CSA Domain 12, IEC 62443
  • IoT classes: voice assistants (Echo / Home / HomePod), wearables (Fitbit, Apple Watch, Garmin), smart cameras (Ring, Nest), connected vehicles, industrial IoT
  • IoT acquisition: chip-off vs JTAG, companion-app SQLite/SharedPreferences/plist, cloud-account artefacts
  • Court precedents: *Arkansas v. Bates* (Echo, 2017), *State v. Dabate* (Fitbit, 2017)
  • Connected-vehicle CAN-bus, OBD-II, EDR under 49 CFR Part 563, Bosch CDR tool

Each question carries a detailed 250+ word explanation citing primary sources — NIST IR 8006 and SP 800-201, NIST SP 800-145, ISO/IEC 27037, the CLOUD Act, GDPR, DPDP 2023, the IT Act, CERT-In Directions, AWS / Azure / GCP / Microsoft official documentation, the *Bates* and *Dabate* dockets, 49 CFR Part 563, ISO 15765-4, IEC 62443, and Hassan's *Digital Forensics Basics*. Allow 30 minutes — the explanations are long enough to use as study notes by themselves.

Sources & references

Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.

  • NIST IR 8006 — NIST Cloud Computing Forensic Science Challenges

    Final report (August 2020), challenge clusters and analysis

    Open source
    cited in 3 questions
  • NIST SP 800-145 — The NIST Definition of Cloud Computing

    Section 3: Deployment Models (private, community, public, hybrid)

    Open source
    cited in 2 questions
  • Hassan, Nihad A. — Digital Forensics Basics: A Practical Guide Using Windows OS

    Chapter on Android application data analysis and companion-app artefacts

    cited in 2 questions
  • AWS Documentation — AWS CloudTrail User Guide

    Concepts: management events, data events, and the CloudTrail event record format

    Open source
    cited in 1 question
  • Digital Personal Data Protection Act, 2023 (India)

    Sections 7, 8, 16: legitimate uses, breach notification, cross-border transfer

    cited in 1 question
  • Microsoft Documentation — Microsoft Entra ID sign-in logs

    Sign-in logs in Microsoft Entra ID: schema, retention, and export options

    Open source
    cited in 1 question
  • Clarifying Lawful Overseas Use of Data Act (CLOUD Act), 2018 (USA)

    Public Law 115-141, Division V, amending 18 U.S.C. §§ 2523 and 2703

    cited in 1 question
  • Google Cloud Documentation — Cloud Audit Logs overview

    Audit log types: Admin Activity, Data Access, System Event, Policy Denied

    Open source
    cited in 1 question
  • Atlam, H. F., Walters, R. J., Wills, G. B. — Internet of Things Forensics: A Review

    Section on acquisition techniques for resource-constrained IoT devices

    cited in 1 question
  • ISO 15765-4 — Road vehicles — Diagnostic communication over Controller Area Network (DoCAN)

    OBD-II J1962 connector pinout and CAN bus parameters for light-duty vehicles

    cited in 1 question
  • AWS Documentation — VPC Flow Logs

    Flow log records: fields, default and custom v3 formats, S3 vs CloudWatch destinations

    Open source
    cited in 1 question
  • India–US Treaty on Mutual Legal Assistance in Criminal Matters, 2005

    Articles 1–6 (scope, authorities, requests for assistance) and the MHA designation as the Indian Central Authority

    cited in 1 question
  • ISO/IEC 27037:2012

    Scope and four-phase digital-evidence handling model; DEFR and DES roles

    cited in 1 question
  • State of Arkansas v. James Andrew Bates

    Benton County Circuit Court case CR-2016-370-2 (2017) — Amazon Echo cloud-account discovery dispute

    cited in 1 question
  • 18 U.S.C. § 2703(f) — Required preservation of evidence

    Provider preservation pending lawful process; 90-day initial period, extensible by 90

    cited in 1 question
  • Regulation (EU) 2016/679 — General Data Protection Regulation

    Article 48 — Transfers or disclosures not authorised by Union law

    Open source
    cited in 1 question
  • Cloud Security Alliance — Security Guidance for Critical Areas of Focus in Cloud Computing, v4.0

    Domain 12: Incident Response (cloud-specific IR and forensics)

    cited in 1 question
  • CERT-In Directions of 28 April 2022 (under Section 70B(6) of IT Act 2000)

    Para III: 180-day log retention; Para II: 6-hour incident reporting

    cited in 1 question
  • State v. Dabate (Superior Court of Connecticut, 2017)

    Use of Fitbit cloud-account heart-rate and step data to contradict a defendant's timeline of events

    cited in 1 question
  • 49 CFR Part 563 — Event Data Recorders (NHTSA)

    Required data elements and the EDR triggering and recording window

    Open source
    cited in 1 question
  • RBI Notification DPSS.CO.OD No.2785/06.08.005/2017-2018

    Storage of Payment System Data (6 April 2018) — RBI directive requiring in-India storage

    cited in 1 question
  • 504ENSICS Labs — LiME (Linux Memory Extractor)

    LiME README: usage, output formats, and compilation requirements

    Open source
    cited in 1 question
  • Microsoft Documentation — Audit log retention policies in Microsoft Purview

    Default retention by audit tier and the Premium SKU's 1-year and 10-year extensions

    Open source
    cited in 1 question
  • AWS Documentation — Amazon EBS snapshots

    Creating, sharing, and restoring EBS snapshots; cross-account sharing for forensic analysis

    Open source
    cited in 1 question
  • Information Technology Act, 2000

    Section 69 read with the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009

    cited in 1 question
  • IEC 62443 — Industrial communication networks — IT security for networks and systems

    Series overview: zones, conduits, security levels for ICS forensic activity

    cited in 1 question

How our mocks are built

Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations show after you submit, so the test stays a real test. See a mistake? Tell us.

Common questions

How many questions and how long is the test?

30 multiple-choice questions, 30 minutes total. Difficulty: hard. Tier: Premium.

Who is this mock for?

Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Digital Forensics, FACT, NET, Mobile & Network Forensics. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.

Are the questions reviewed?

Yes — 30 of 30 questions are faculty-reviewed. Each question carries a verified source citation.

Do I need an account to take this mock?

Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.
