| Research work | Cloud service | Devices used | Model | Data extraction | Tools used |
| Lee et al. [3] | iCloud | Windows system, MacBook system, iPhone, iPod | iCloud investigation model | Application installation history, synced apps, plist, sync location | No tool is used. Use of encase tool is suggested. | Oestreicher [4] | iCloud | MacBook Pro Mac OS X 10.9 | Data acquisition from cloud | Synced apps, application path, creation time, modification time, access time, MD5 hash values | Forensic toolkit imager, VisualDiffer v.1.5.7 | Canseco et al. [5] | Box, iCloud | Windows 7 × 64 system | Forensic tool-MONOCLE | Registry, disk logs, Windows logs | Volatility framework | Teing et al. [6] | Symform | Windows 8.1, Mac OS X 10.9.5, Ubuntu 14.04.1, iOS 7.1.2, Android KitKat 4.4.4 | Investigation model for cooperative storage cloud service | Directory listings, record files, cache database, system log files, synced files, deleted files, thumbnail cache, browser artifacts, memory analysis, event logs, registry files, link files, network logs | FTK imager v3.2.0.0, Autopsy 3.1.1, Volatility 2.4, SQLite browser v3.4.0, Wireshark v1.10.1, Browsing History View v1.60, plist explorer v1.0, Windows Event Viewer v1.0 | Teing et al. [7] | BitTorrent sync v2.x | Windows 8.1, Ubuntu 14.04.1, Mac OS X 10.9.5, iOS 7.1.2, Android 4.4.4 | Forensic process for peer-to-peer (p2p) cloud | Directory listings, plist file, log files, synced data, network data, IP address, URLs, memory analysis, browser data | FTK imager v3.2.0.0, Autopsy 3.1.1, Volatility 2.4, SQLite browser v3.4.0, Wireshark v1.10.1, plist explorer v1.0 | Teing et al. [8] | CloudMe | Windows 8.1 Professional, Ubuntu 14.04.1 LTS, Mac OS X Mavericks 10.9.5 | Artifact analysis of desktop and mobile devices using cloud services | Cache database, plist files, synced files, registry, log files, user information, timestamp, Web browser artifacts, memory analysis, config files | FTK imager v3.2.0.0, Autopsy 3.1.1, Volatility 2.4, SQLite browser v3.4.0, plist explorer v1.0, Windows File Analyzer 2.6.0.0, Browsing History View v.1.60 | Teing et al. [9] | Syncany 0.4.6-alpha | Windows 8.1 Professional, Ubuntu 14.04.1 LTS, Mac OS X Mavericks 10.9.5 | Enabled big data storage forensics | Property list files, event logs, system logs, user profiles, memory analysis, network analysis, synced files, upload and download files, browser artifacts | FTK imager v3.2.0.0, Autopsy 3.1.1, Volatility 2.4, SQLite browser v3.4.0, Windows File Analyzer 2.6.0.0, NTFS log tracker | Gomez-Miralles and Arnedo-Moreno [10] | iCloud | Devices running iOS v7 and 8 | Security, trust, anti-forensic | Wi-Fi log, network traffic, preload apps, hardware state, system logs, browser data, iCloud synced data, media files | Lockup, jailbreak tools |
|
|