Detecting And Preserving Digital Evidence In Decentralized Multi-Cloud And Serverless Environments

9 Feb

Authors: Aditya Agrawal, Abhishek, Yash Ranjan Bhargav

Abstract: The rapid adoption of multi-cloud and serverless architectures has fundamentally altered how digital evidence is generated, distributed, and lost, creating significant challenges for contemporary digital forensic investigations. Current cloud forensic practices remain largely provider-specific and assume stable infrastructure, leaving investigators without reliable mechanisms to detect, preserve, and correlate volatile forensic artifacts across decentralized cloud environments. As a result, critical evidence such as execution logs, transient identifiers, and ephemeral state information is frequently incomplete, inconsistent, or legally fragile. This paper presents a provider-agnostic forensic framework designed to support systematic detection, acquisition, and preservation of digital evidence in multi-cloud and serverless deployments. The proposed approach introduces a canonical event model, cross-provider log normalization, and a coordinated snapshotting strategy to capture transient artifacts while maintaining evidentiary integrity and provenance. Event correlation is achieved through time-aligned stitching of heterogeneous logs, enabling accurate reconstruction of distributed execution timelines. A prototype implementation was evaluated across simulated multi-cloud environments incorporating serverless workloads from multiple providers. Experimental results demonstrate improved evidence completeness and correlation accuracy compared to baseline cloud-native acquisition methods, while introducing minimal operational overhead. The findings indicate that standardized, cross-cloud forensic mechanisms are both feasible and necessary, offering practical guidance for investigators and cloud service consumers seeking legally defensible forensic readiness in decentralized cloud infrastructures.

DOI: https://doi.org/10.5281/zenodo.18534789
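The abstract describes four mechanisms: a canonical event model, cross-provider log normalization, time-aligned stitching of heterogeneous logs, and provenance-preserving capture of transient artifacts. The following Python sketch is an added illustration of how those pieces fit together; it is not code from the paper or its prototype. The two provider schemas, the log records, the trace identifier used for correlation, and the hash-chain digest over the stitched timeline are all constructed assumptions for this example, not details the paper specifies.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Dict, List, Set

# Constructed sample records (not real provider output): two hypothetical
# providers emitting the same lifecycle information in different schemas.
PROVIDER_A_LOGS: List[Dict[str, Any]] = [
    {"timestamp": "2024-01-15T10:00:00.120Z", "functionName": "ingest",
     "requestId": "req-a1", "traceId": "trace-42", "msg": "START"},
    {"timestamp": "2024-01-15T10:00:00.380Z", "functionName": "ingest",
     "requestId": "req-a1", "traceId": "trace-42", "msg": "END"},
    # An invocation whose END record was never retained: incomplete evidence.
    {"timestamp": "2024-01-15T10:00:01.000Z", "functionName": "ingest",
     "requestId": "req-a2", "traceId": "trace-43", "msg": "START"},
]
PROVIDER_B_LOGS: List[Dict[str, Any]] = [
    {"ts_ms": 1705312800250, "fn": "transform", "invocation_id": "inv-b7",
     "trace": "trace-42", "event": "start"},
    {"ts_ms": 1705312800610, "fn": "transform", "invocation_id": "inv-b7",
     "trace": "trace-42", "event": "end"},
]


@dataclass(frozen=True)
class CanonicalEvent:
    """Provider-agnostic event: every adapter maps its native record into this shape."""
    provider: str
    ts: datetime        # always timezone-aware UTC
    function: str
    invocation: str     # the provider's per-invocation id
    trace: str          # cross-provider correlation id carried between services (assumed)
    action: str         # "start" or "end"
    raw_sha256: str     # digest of the untouched source record (provenance link)


def raw_digest(record: Dict[str, Any]) -> str:
    # Canonical JSON so the digest does not depend on key order in the source.
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def adapt_provider_a(r: Dict[str, Any]) -> CanonicalEvent:
    ts = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return CanonicalEvent("provider-a", ts, r["functionName"], r["requestId"],
                          r["traceId"], r["msg"].lower(), raw_digest(r))


def adapt_provider_b(r: Dict[str, Any]) -> CanonicalEvent:
    # Integer arithmetic avoids float rounding of millisecond epoch values.
    ts = datetime.fromtimestamp(r["ts_ms"] // 1000, tz=timezone.utc) \
        + timedelta(milliseconds=r["ts_ms"] % 1000)
    return CanonicalEvent("provider-b", ts, r["fn"], r["invocation_id"],
                          r["trace"], r["event"].lower(), raw_digest(r))


ADAPTERS: Dict[str, Callable[[Dict[str, Any]], CanonicalEvent]] = {
    "provider-a": adapt_provider_a,
    "provider-b": adapt_provider_b,
}


def normalize(sources: Dict[str, List[Dict[str, Any]]]) -> List[CanonicalEvent]:
    """Cross-provider normalization: native records in, canonical events out."""
    return [ADAPTERS[name](rec) for name, recs in sources.items() for rec in recs]


def stitch(events: List[CanonicalEvent]) -> List[CanonicalEvent]:
    """Time-aligned stitching into one timeline. Ties are broken
    deterministically so two analysts reconstruct the same order."""
    return sorted(events, key=lambda e: (e.ts, e.provider, e.invocation, e.action))


def reconstruct_trace(timeline: List[CanonicalEvent], trace: str) -> List[str]:
    """Distributed execution path for one correlation id, as readable steps."""
    return [f"{e.provider}:{e.function}:{e.action}" for e in timeline if e.trace == trace]


def incomplete_invocations(timeline: List[CanonicalEvent]) -> Set[str]:
    """Invocations with a start but no end record: flag them rather than drop them."""
    starts = {e.invocation for e in timeline if e.action == "start"}
    ends = {e.invocation for e in timeline if e.action == "end"}
    return starts - ends


def chain_digest(timeline: List[CanonicalEvent]) -> str:
    """Hash chain over the ordered timeline; any edit or reordering changes it."""
    h = "0" * 64
    for e in timeline:
        h = hashlib.sha256((h + e.raw_sha256).encode()).hexdigest()
    return h


if __name__ == "__main__":
    tl = stitch(normalize({"provider-a": PROVIDER_A_LOGS, "provider-b": PROVIDER_B_LOGS}))
    for e in tl:
        print(e.ts.isoformat(), e.provider, e.function, e.action, e.trace)
    print("trace-42:", reconstruct_trace(tl, "trace-42"))
    print("incomplete:", incomplete_invocations(tl))
    print("timeline digest:", chain_digest(tl))
```

Two design points matter for evidentiary use. Each canonical event keeps a digest of the raw record it was derived from, so the normalized view can always be traced back to the original artifact, and the chain digest over the stitched order makes the reconstructed timeline itself tamper-evident. The incomplete-invocation check is the practical counterpart of the abstract's point about ephemeral state: an invocation whose end record was lost is reported as a gap in the evidence rather than silently absorbed into the timeline.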