Cloud storage services allow users to store their data online and remotely access, maintain, manage, and back up their data from anywhere through the Internet. Although this storage is helpful, it challenges digital forensic investigators and practitioners in collecting, identifying, acquiring, and preserving evidential data. This research proposes an investigation scheme for analyzing data remnants and determining probative artefacts in a cloud environment. Using the Box cloud as a case study, we collect the data remnants available on end-user device storage following the accessing, uploading, and storing of data in the cloud storage. The data remnants are collected from several sources, such as client software files, Prefetch, directory listings, registries, browsers, network PCAP, and memory and link files. Results indicate that the collected data remnants are helpful in determining a sufficient number of artefacts about investigated cybercrimes.