Digital forensics of self-hosted cloud storage systems (e.g., Nextcloud) suffers from fragmented analysis of client-side and server-side evidence, lacking a systematic, integrated framework. Method: This paper proposes the first extended forensic framework deeply integrating cloud-native APIs, combining device monitoring, automated RESTful API acquisition, log parsing, and metadata reconstruction to enable cross-platform, reproducible, multi-source evidence collection. Crucially, cloud APIs are embedded at the core of the forensic workflow to enable spatiotemporal correlation between client activities and server states. Contribution/Results: An open-source toolchain, validated in real-world Nextcloud deployments, generates structured, time-ordered forensic outputs. The framework significantly improves investigative efficiency, reproducibility, and scalability—addressing a critical gap in digital forensics for self-hosted cloud storage.

Self-hosted cloud storage platforms like Nextcloud are gaining popularity among individuals and organizations seeking greater control over their data. However, this shift introduces new challenges for digital forensic investigations, particularly in systematically analyzing both client and server components. Despite Nextcloud's widespread use, it has received limited attention in forensic research. In this work, we critically examine existing cloud storage forensic frameworks and highlight their limitations. To address the gaps, we propose an extended forensic framework that incorporates device monitoring and leverages cloud APIs for structured, repeatable evidence acquisition. Using Nextcloud as a case study, we demonstrate how its native APIs can be used to reliably access forensic artifacts, and we introduce an open-source acquisition tool that implements this approach. Our framework equips investigators with a more flexible method for analyzing self-hosted cloud storage systems, and offers a foundation for further development in this evolving area of digital forensics.