Abstract:
Cloud storage drives have become very popular around the world. In the traditional approach to computer
forensics, the focus is on physically accessing the disks that contain information that could contribute to the investigation. Because
of the data breaches that can occur through cloud-based applications, the research proposed in this paper focuses on collecting
evidence from Windows 11 operating systems to discover and collect leftover registry artefacts from one of the major cloud
storage applications, OneDrive. The study examined Windows 11 artefacts and found distinct artefacts when the OneDrive
program was deleted from the virtual machine and unlinked from an account. The results and lingering artefacts assist in determining
the file path for each uploaded file in OneDrive as well as the email address that was linked to it. To assist digital forensic
investigators in making an expedient determination regarding the use of cloud storage applications, a bash script was developed and
appended to the document. Its purpose is to assemble the artefacts that were identified and discovered throughout the practical
simulations. Identifying the accounts that were using OneDrive, and the chronology of that use, may also serve as a lead to identify the attackers.