Cloud IR differences: no physical access, evidence is in logs (CloudTrail, activity logs), snapshots for disk forensics, API calls as primary evidence source, evidence preservation via log export to immutable storage.
Cloud forensics: enable all logging before you need it. Export logs to S3 with object lock (WORM) immediately. Take EBS snapshots for disk analysis. API call logs show exactly what an attacker did. Cloud providers have shared responsibility for preservation — request CSP assistance for serious incidents.