Cloud Forensics and the Challenges It Brings in Litigation

January 5, 2015
In recent years, the idea of cloud computing has really taken hold among many different sectors, from large and small business to private individuals. It offers convenience, savings, and a host of other benefits. However, it does provide quite a few challenges to those working in law enforcement and litigation, as it introduces an entirely new area on which computer forensics will need to focus.

Professor John Bagby, from Penn State’s College of Information Sciences and Technology, wrote a paper on the subject called “On Resolving the Cloud Forensics Conundrum.” The focus of the paper was on the ways that the law and regulations will have to work together, and change, to meet the changing world of forensics.

What Is the Difference Between Traditional and Cloud Forensics?

Traditional digital forensics is the means by which investigators recover digital and electronic evidence from computers, phones, and other devices to present to the courts. Cloud forensics is in the realm of network forensics and involves investigations of real-time communications networks. The cloud can prove to be more challenging than traditional computer forensics investigations, as the data is in a more nebulous state. Rather than being on a specific device, it is in the proverbial cloud, and this can make it more difficult to locate unless investigators have specific training.

Bagby has had an interest in computer forensics for decades. Over the years, he watched as companies and individuals around the world started to eschew paper records and instead moved largely toward digital. He watched in the mid to late ’90s and early 2000s as many litigators moved away from traditional paper and started to use more electronic media for storage and sharing of files and information. Bagby has been observing the changes with great interest, and has written numerous pieces on the way that the digital age and the cloud are changing litigation.

The Cloud Has Advantages

The cloud offers a number of benefits. It’s reliable, scalable, and easy to use. It makes collaborating with others, even if they are across the globe, fast and easy. These benefits also work well in forensics, as they can lower the cost of investigations, allow for simpler collection of electronically stored evidence, and more. While there are these and other benefits, Bagby also warns that there are dangers in the cloud. The way the architecture of many cloud systems is set up makes it unstable, and that can make actually obtaining the evidence more difficult in many cases.

Cloud files go through updates frequently. They move to backup locations, and can go through imaging and snapshots, all of which may not accurately reflect the original version of the data. Some records of older files may not have proper preservation, as some cloud operations may not offer quality backups that actually keep versions of the older files. Another drawback is that the files may not always show the accurate source of file changes. There’s also a possibility that they may not show the proper time of the changes either. These two elements are extraordinarily important during forensics investigations, and the doubt they could instill when trying to gather evidence could damage some cases. Sometimes, it may not even be possible to introduce cloud-gathered evidence because it comes from a service provider in another nation that has poor security laws. This has the potential to diminish the power of that evidence.

Bagby and other experts feel the field of forensics needs to start developing better and more consistent strategies when working on investigations with data in the cloud.