What are two unique challenges in cloud forensics compared to on-prem?

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

What are two unique challenges in cloud forensics compared to on-prem?

Explanation:

In cloud forensics, where data lives and who controls the access to it drive most of the investigation constraints. The best way to capture the unique challenges is to see how data governance, access, and logging change once you move from on‑prem to cloud environments.

Data residency and multi-tenant realities create two big hurdles. Data residency means the actual location of data can span geographic regions and jurisdictions. This affects how you acquire evidence, what legal permissions you need, and whether certain data can be collected or shared across borders. Multi-tenant environments add another layer: resources are shared among many customers, so data isolation and potential co-mingling of data complicate evidence collection, consent, and chain of custody. You must ensure you’re only capturing relevant data while maintaining the privacy and rights of other tenants.

Limited direct access to storage is a practical constraint that doesn’t exist in most on‑prem setups. In the cloud, you don’t own the hardware or storage devices, so you rely on the cloud provider’s interfaces, APIs, and export options to obtain data. This can slow acquisitions, restrict live analysis, and complicate attempts to image or snapshot systems in the exact state you need.

Vendor logging is another core factor. Logs are controlled by and stored within the cloud provider’s environment, not your own devices. Access to those logs depends on the provider and their retention policies, and logs may be incomplete, delayed, or gated behind permissions. You may also have to navigate encrypted logs and privacy protections, making it harder to reconstruct activity without the provider’s cooperation.

Together, these aspects—where data resides and how it’s shared across tenants, the limited direct access to underlying storage, and the dependency on provider-managed logs—create cloud-forensics challenges that aren’t present in traditional on‑prem environments.
