According to the CHFI v11 Cloud Forensics objectives, logs and metadata are among the most critical sources of digital evidence in cloud-based investigations. Unlike traditional on-premises systems, investigators often do not have direct access to physical storage in cloud environments. As a result, service-provider-generated logs and metadata become primary evidence artifacts.
Cloud service logs typically record user authentication events, including login timestamps, user IDs, authentication methods (such as passwords or MFA), IP addresses, session durations, and access outcomes (success or failure). Metadata associated with cloud storage objects further provides information such as file creation time, modification time, access time, ownership details, sharing activity, and access permissions. Together, these artifacts allow investigators to reconstruct who accessed the cloud data, when it was accessed, and what actions were performed, which is essential for attribution and timeline analysis.
While logs and metadata may sometimes indirectly hint at device or location information, CHFI v11 emphasizes their primary forensic value as evidence of authentication and access activity, not encryption algorithms or physical whereabouts. Encryption mechanisms are typically abstracted and managed by the cloud provider, and determining physical location is not a reliable or guaranteed outcome of log analysis.
Therefore, in cloud storage forensics, logs and metadata are chiefly used to analyze user authentication and access behavior, making Option D the correct and CHFI-verified answer.
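The who/when/what reconstruction described above can be sketched in a few lines of Python. This is an added example, not part of the original explanation or of any CHFI material; the record fields, sample values, and the one-hour session window are constructed assumptions, not a real provider's log schema.

```python
from datetime import datetime, timedelta

# Constructed sample records (field names are assumptions, not any provider's schema).
AUTH_LOG = [
    {"ts": "2024-03-01T09:00:05Z", "user": "alice", "ip": "198.51.100.7", "method": "password+mfa", "outcome": "success"},
    {"ts": "2024-03-01T09:40:11Z", "user": "bob", "ip": "203.0.113.9", "method": "password", "outcome": "failure"},
    {"ts": "2024-03-01T09:41:02Z", "user": "bob", "ip": "203.0.113.9", "method": "password", "outcome": "success"},
]
OBJECT_LOG = [
    {"ts": "2024-03-01T09:05:30Z", "user": "alice", "object": "finance/q1.xlsx", "action": "read"},
    {"ts": "2024-03-01T09:45:00Z", "user": "bob", "object": "finance/q1.xlsx", "action": "share"},
    {"ts": "2024-03-01T10:00:00Z", "user": "carol", "object": "finance/q1.xlsx", "action": "modify"},
]
SESSION_WINDOW = timedelta(hours=1)  # assumed maximum session lifetime

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def build_timeline(auth_log, object_log, window=SESSION_WINDOW):
    """Return time-ordered rows tying each object action to the login that preceded it."""
    logins = sorted((e for e in auth_log if e["outcome"] == "success"), key=lambda e: parse_ts(e["ts"]))
    rows = []
    for ev in sorted(object_log, key=lambda e: parse_ts(e["ts"])):
        when = parse_ts(ev["ts"])
        # Most recent successful login by the same user inside the session window.
        match = None
        for login in logins:
            start = parse_ts(login["ts"])
            if login["user"] == ev["user"] and start <= when <= start + window:
                match = login
        rows.append({
            "ts": ev["ts"], "user": ev["user"], "action": ev["action"], "object": ev["object"],
            "ip": match["ip"] if match else None,
            "method": match["method"] if match else None,
            "attributed": match is not None,  # False: no login evidence for this access
        })
    return rows

def failed_logins(auth_log):
    """Failed attempts are kept separately; they belong on the timeline as well."""
    return [(e["ts"], e["user"], e["ip"]) for e in auth_log if e["outcome"] == "failure"]

if __name__ == "__main__":
    for row in build_timeline(AUTH_LOG, OBJECT_LOG):
        print(row)
    print(failed_logins(AUTH_LOG))
```

Rows with `attributed` set to False mark object activity with no matching authentication record, which is where an investigator would request further provider logs.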