Option A is the correct answer because CHFI v11 explicitly includes Cloud Storage Forensics , Google Cloud Forensics , Cloud Digital Evidence Analysis , and data acquisition in the cloud . In cloud investigations, logs and metadata are essential evidence sources because they help reconstruct who accessed an object, when it was accessed, and what actions were performed. For that reason, timestamps of file access and modification are the most relevant and expected contents of cloud access logs and metadata.
This aligns with standard forensic objectives of identifying unauthorized access, establishing a timeline, and preserving evidence in a defensible format. Access logs are meant to record events, not reveal highly sensitive secrets such as employee login credentials or encryption keys . Likewise, network infrastructure configuration is a different category of information and is not the primary purpose of object access logs in cloud storage.
From a CHFI perspective, cloud forensics relies heavily on event records, timestamps, metadata, and activity history to establish whether files were viewed, modified, copied, or accessed from suspicious sources. Therefore, when examining cloud storage for signs of breach activity, timestamps associated with access and modification are the strongest and most forensic-relevant answer.
