{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,16]],"date-time":"2026-04-16T07:02:17Z","timestamp":1776322937702,"version":"3.50.1"},"reference-count":107,"publisher":"Association for Computing Machinery (ACM)","issue":"6","license":[{"start":{"date-parts":[[2019,11,14]],"date-time":"2019-11-14T00:00:00Z","timestamp":1573689600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Comput. Surv."],"published-print":{"date-parts":[[2020,11,30]]},"abstract":"<jats:p>The challenges of cloud forensics have been well-documented by both researchers and government agencies (e.g., U.S. National Institute of Standards and Technology), although many of the challenges remain unresolved. In this article, we perform a comprehensive survey of cloud forensic literature published between January 2007 and December 2018, categorized using a five-step forensic investigation process. We also present a taxonomy of existing cloud forensic solutions, with the aim of better informing both the research and practitioner communities, as well as an in-depth discussion of existing conventional digital forensic tools and cloud-specific forensic investigation tools. 
Based on the findings from the survey, we present a set of design guidelines to inform future cloud forensic investigation processes, and a summary of digital artifacts that can be obtained from different stakeholders in the cloud computing architecture\/ecosystem.<\/jats:p>","DOI":"10.1145\/3361216","type":"journal-article","created":{"date-parts":[[2019,11,14]],"date-time":"2019-11-14T22:07:36Z","timestamp":1573769256000},"page":"1-38","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":57,"title":["A Systematic Survey on Cloud Forensics Challenges, Solutions, and Future Directions"],"prefix":"10.1145","volume":"52","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2608-1748","authenticated-orcid":false,"given":"Bharat","family":"Manral","sequence":"first","affiliation":[{"name":"Central University of Rajasthan, Ajmer, India"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7147-165X","authenticated-orcid":false,"given":"Gaurav","family":"Somani","sequence":"additional","affiliation":[{"name":"Central University of Rajasthan, Ajmer, India"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9208-5336","authenticated-orcid":false,"given":"Kim-Kwang Raymond","family":"Choo","sequence":"additional","affiliation":[{"name":"University of Texas at San Antonio, San Antonio, TX, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3612-1934","authenticated-orcid":false,"given":"Mauro","family":"Conti","sequence":"additional","affiliation":[{"name":"University of Padua, Padua, Veneto, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0497-721X","authenticated-orcid":false,"given":"Manoj Singh","family":"Gaur","sequence":"additional","affiliation":[{"name":"Indian Institute of Technology, Jammu, Jammu and Kashmir, 
India"}]}],"member":"320","published-online":{"date-parts":[[2019,11,14]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1002\/cpe.3868"},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1109\/MCC.2016.5"},{"key":"e_1_2_1_3_1","volume-title":"Proceedings of the International Workshop on Theory and Practice of Provenance (TaPP\u201911)","author":"Abbadi Imad M."},{"key":"e_1_2_1_4_1","volume-title":"Mohd Yamani Idna Idris, Suleman Khan, Eric Bachura, and Kim-Kwang Raymond Choo.","author":"Manazir Ahsan MA","year":"2018"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.compeleceng.2017.02.006"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/3264560.3264565"},{"key":"e_1_2_1_7_1","first-page":"2","article-title":"A state-of-the-art review of cloud forensics","volume":"9","author":"Almulla Sameera","year":"2014","journal-title":"J. Dig. Forens. Secur. Law"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/INTECH.2016.7845140"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/CLOUDCOMP.2015.7149635"},{"key":"e_1_2_1_10_1","volume-title":"Open Problems in Network Security","author":"Asghar Muhammad Rizwan"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICTON.2013.6602678"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/MCOM.2013.6553678"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/IC2E.2014.82"},{"key":"#cr-split#-e_1_2_1_14_1.1","doi-asserted-by":"crossref","unstructured":"James Baldwin Omar M. K. Alhawi Simone Shaughnessy Alex Akinbi and Ali Dehghantanha. 2018. Emerging from the cloud: A bibliometric analysis of cloud forensics studies. Cyber Threat Intell. (2018) 311--331. DOI:10.1007\/978-3-319-73951-9_16 10.1007\/978-3-319-73951-9_16","DOI":"10.1007\/978-3-319-73951-9_16"},{"key":"#cr-split#-e_1_2_1_14_1.2","doi-asserted-by":"crossref","unstructured":"James Baldwin Omar M. K. 
Alhawi Simone Shaughnessy Alex Akinbi and Ali Dehghantanha. 2018. Emerging from the cloud: A bibliometric analysis of cloud forensics studies. Cyber Threat Intell. (2018) 311--331. DOI:10.1007\/978-3-319-73951-9_16","DOI":"10.1007\/978-3-319-73951-9_16"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.14722\/sent.2014.23002"},{"key":"e_1_2_1_16_1","volume-title":"Proceedings of the India Conference (INDICON\u201911)","author":"Belorkar Abha"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.clsr.2018.05.031"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1002\/cpe.3855"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/TBDATA.2017.2683521"},{"key":"e_1_2_1_20_1","first-page":"1","article-title":"Zombies and botnets.Trends Iss","volume":"333","author":"Raymond Choo Kim-Kwang","year":"2007","journal-title":"Crime Crim. Just."},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/MCC.2017.39"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2012.05.015"},{"key":"e_1_2_1_23_1","volume-title":"Retrieved on","author":"Fred Cohen Dr.","year":"2011"},{"key":"e_1_2_1_24_1","volume-title":"Retrieved on","author":"Gartner Risk Management Leadership Council","year":"2018"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1080\/00450618.2016.1153714"},{"key":"e_1_2_1_26_1","first-page":"77","article-title":"A survey about impacts of cloud computing on digital forensics","volume":"2","author":"Daryabar Farid","year":"2013","journal-title":"Int. J. Cyber-Secur. Dig. Forens."},{"key":"e_1_2_1_27_1","volume-title":"Proceedings of the International Conference on Digital Forensics and Cyber Crime. 
Springer, 237--244","author":"Marco Lucia De","year":"2013"},{"key":"e_1_2_1_28_1","volume-title":"Proceedings of the International Information Security South Africa Conference (ISSA\u201911)","author":"Delport Waldo"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-33962-2_13"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/MCC.2015.71"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2012.05.001"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2016.08.019"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2014.02.002"},{"key":"e_1_2_1_34_1","volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS\u201903)","volume":"3","author":"Garfinkel Tal"},{"key":"e_1_2_1_35_1","volume-title":"Reiser","author":"Gebhardt Tobias","year":"2013"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.4018\/jdcf.2012040103"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2013.04.006"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2013.06.010"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2009.5270298"},{"key":"e_1_2_1_40_1","volume-title":"Proceedings of the European Conference on Cyber Warfare and Security. Academic Conferences Int\u2019l Limited, 373","author":"Kebande Victor"},{"key":"e_1_2_1_41_1","volume-title":"Proceedings of the International Conference on Digital Security and Forensics. 
The Society of Digital Information and Wireless Communication, 23--32","author":"Victor"},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1080\/00450618.2016.1194473"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/CONFLUENCE.2016.7508193"},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/MNET.2016.1600051NM"},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/2906149"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2016.03.005"},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2013.10.006"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICMLC.2010.5580769"},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/EUC.2010.125"},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2662355"},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/1755688.1755723"},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2012.07.001"},{"key":"e_1_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1109\/MCC.2014.69"},{"key":"e_1_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1145\/1982185.1982226"},{"key":"e_1_2_1_55_1","volume-title":"Retrieved on","year":"2016"},{"key":"e_1_2_1_56_1","volume-title":"Retrieved on","year":"2018"},{"key":"e_1_2_1_57_1","unstructured":"P. Mell and T. Grance. 2014. NIST cloud computing forensic science challenges. Draft Nistir 8006 (2014)."},{"key":"e_1_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-10-3325-4_5"},{"key":"e_1_2_1_59_1","volume-title":"JustCloud, and pCloud. 
In Contemporary Digital Forensic Investigations of Cloud and Mobile Applications","author":"Mohtasebi SeyedHossein"},{"key":"e_1_2_1_60_1","volume-title":"Proceedings of the USENIX Conference on File and Storage Technologies (FAST\u201910)","volume":"10","author":"Muniswamy-Reddy Kiran-Kumar","year":"2010"},{"key":"e_1_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/1713254.1713258"},{"key":"e_1_2_1_62_1","unstructured":"National Institute of Standards and Technology. 2018. Computer Forensics Tool Catalog. Retrieved from https:\/\/toolcatalog.nist.gov."},{"key":"e_1_2_1_63_1","first-page":"80","article-title":"Logging system for cloud computing forensic environments","volume":"16","author":"Patrascu Alecsandru","year":"2014","journal-title":"J. Control Eng. Appl. Info."},{"key":"e_1_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/1655148.1655150"},{"key":"e_1_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2015.03.002"},{"key":"e_1_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/2498328.2500078"},{"key":"e_1_2_1_67_1","volume-title":"Retrieved on","year":"2016"},{"key":"e_1_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.1109\/TCC.2016.2535295"},{"key":"e_1_2_1_69_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2013.02.003"},{"key":"e_1_2_1_70_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2013.07.001"},{"key":"e_1_2_1_71_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2014.09.002"},{"key":"e_1_2_1_72_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2018.2867466"},{"key":"e_1_2_1_73_1","volume-title":"Proceedings of the 11th International Conference on Ubiquitous Information Management and Communication. ACM, 62","author":"Raju B. K. S. P."},{"key":"e_1_2_1_74_1","doi-asserted-by":"crossref","unstructured":"B. K. S. P. Kumar Raju and G. Geethakumari. 2018. 
Timeline-based cloud event reconstruction framework for virtual machine artifacts. In Progress in Intelligent Computing Techniques: Theory Practice and Applications. Springer 31--42.","DOI":"10.1007\/978-981-10-3376-6_4"},{"key":"e_1_2_1_75_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2019.05.020"},{"key":"e_1_2_1_76_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-13-7561-3_6"},{"key":"e_1_2_1_77_1","volume-title":"Proceedings of the International Conference on Pervasive Computing (ICPC\u201915)","author":"Rani Deevi Radha"},{"key":"e_1_2_1_78_1","volume-title":"Retrieved on","author":"Reichman Andrew","year":"2011"},{"key":"e_1_2_1_79_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2016.05.001"},{"key":"e_1_2_1_80_1","volume-title":"Forensic acquisition of cloud drives. arXiv preprint arXiv:1603.06542","author":"Roussev Vassil","year":"2016"},{"key":"e_1_2_1_81_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2016.01.013"},{"key":"e_1_2_1_82_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2013.02.004"},{"key":"e_1_2_1_83_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-24212-0_3"},{"key":"e_1_2_1_84_1","article-title":"A digital forensic framework for cloud based on VMI. DEStech","volume":"10","author":"Rui Yang","year":"2017","journal-title":"Trans. Comput. Sci. Eng. 868--878. DOI"},{"key":"e_1_2_1_85_1","doi-asserted-by":"publisher","DOI":"10.5555\/1855533.1855536"},{"key":"e_1_2_1_86_1","volume-title":"VMSSS: A proposed model for cloud forensic in cloud computing using VM snapshot server. 
In Soft Computing for Problem Solving","author":"Sharmila Shaik","year":"2019"},{"key":"e_1_2_1_87_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISTAFRICA.2015.7190540"},{"key":"e_1_2_1_88_1","doi-asserted-by":"publisher","DOI":"10.1002\/sec.1688"},{"key":"e_1_2_1_89_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-07869-4_28"},{"key":"e_1_2_1_90_1","doi-asserted-by":"publisher","DOI":"10.1145\/3190617"},{"key":"e_1_2_1_91_1","doi-asserted-by":"publisher","DOI":"10.1109\/HPCSim.2015.7237027"},{"key":"e_1_2_1_92_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-33338-5_1"},{"key":"e_1_2_1_93_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSUSC.2017.2687103"},{"key":"e_1_2_1_94_1","doi-asserted-by":"publisher","DOI":"10.1111\/1556-4029.13271"},{"key":"e_1_2_1_95_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.compeleceng.2016.08.020"},{"key":"e_1_2_1_96_1","volume-title":"Proceedings of the IEEE 1st International Workshop on Security and Forensics in Communication Systems. 1--7.","author":"Thorpe Sean","year":"2011"},{"key":"e_1_2_1_97_1","volume-title":"Proceedings of the Conference on Information Security for South Africa. IEEE, 1--5.","author":"Philip"},{"key":"e_1_2_1_98_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-21373-2_29"},{"key":"e_1_2_1_99_1","doi-asserted-by":"publisher","DOI":"10.1145\/2245276.2232063"},{"key":"e_1_2_1_100_1","unstructured":"Shaun Waterman. 2018. New malware works only in memory leaves no trace\u2014Cyberscoop. 
Retrieved from https:\/\/www.cyberscoop.com\/kaspersky-fileless-malware-memory-attribution-detection\/."},{"key":"e_1_2_1_101_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2014.2330903"},{"key":"e_1_2_1_102_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2015.2487361"},{"key":"e_1_2_1_103_1","first-page":"1","article-title":"Towards building forensics enabled cloud through secure logging-as-a-service","volume":"1","author":"Zawoad Shams","year":"2016","journal-title":"IEEE Trans. Depend. Secure Comput."},{"key":"e_1_2_1_104_1","volume-title":"Cloud forensics: A meta-study of challenges, approaches, and open problems. arXiv preprint arXiv:1302.6312","author":"Zawoad Shams","year":"2013"},{"key":"e_1_2_1_105_1","doi-asserted-by":"publisher","DOI":"10.1109\/CloudCom.2011.66"},{"key":"e_1_2_1_106_1","first-page":"5","article-title":"SDNForensics: A comprehensive forensics framework for software defined network","volume":"3","year":"2017","journal-title":"Development"}],"container-title":["ACM Computing 
Surveys"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3361216","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3361216","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T23:12:51Z","timestamp":1750201971000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3361216"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,11,14]]},"references-count":107,"journal-issue":{"issue":"6","published-print":{"date-parts":[[2020,11,30]]}},"alternative-id":["10.1145\/3361216"],"URL":"https:\/\/doi.org\/10.1145\/3361216","relation":{},"ISSN":["0360-0300","1557-7341"],"issn-type":[{"value":"0360-0300","type":"print"},{"value":"1557-7341","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,11,14]]},"assertion":[{"value":"2019-02-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2019-09-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2019-11-14","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}