How to Legally Use Forensic Evidence from Cloud

When it comes to the world of forensic evidence, the cloud realm may be the most difficult of all to navigate. In fact, a 2014 report published by the National Institute of Standards and Technology identified 65 challenges for forensic investigators who uncover evidence from cloud computing.

Nine categories including analysis and training were used to classify the 65 challenges. This blog post centers around these two key categories and provides a background on related legal frameworks and procedures.

The Three Types of Cloud Data

Cloud data can be divided into three categories: enterprise, public and private.

Enterprise cloud data features high levels of security tailored to business needs. Public cloud data is, of course, publicly accessible and provided by platforms like Google AppEngine, IBM Blue Cloud and Windows Azure Services Platform. With private cloud data, the cloud service and data center are owned by the individual organization.

Legal Framework and Procedures

First, it’s important to realize that traditional digital forensics and cloud forensics are not the same. What makes cloud forensics unique is the state of cloud data. It’s indefinite, constantly changing and often very difficult to localize. The very fact that users can collaborate with each other across the globe is one of the most difficult aspects of obtaining data legally from the cloud.

As you might have imagined, private cloud data poses the most challenges for forensic investigators. Because the service is owned by the organization, there are more hoops to jump through to legally access the data.

Next, keep in mind that much of the legal framework depends on the location of the cloud data. If you’re performing an international investigation, you’ll need to follow the law for each and every country involved.

If you’re working with private cloud data, you can legally access the data with one of the following provisions:

  • Article 32
  • Court approval of the virtual presence concept
  • Warrant issued by a judge
  • Agreement to access provided by either party

As for public cloud data, part of the difficulty is that many cloud providers have not established a protocol for cloud forensics. Only some have begun to incorporate this information in their service-level agreements and terms of use.

Data stored in public cloud services also has the potential to land in several different locations, and may require working with multiple jurisdictions. In this case, it’s best to review the policies of the provider and consult the laws applying to each jurisdiction involved. However, in most cases, accessing public cloud data is more feasible than private cloud data.

As for enterprise data, always follow digital forensics procedures and techniques to obtain any data through company access. Check SLAs and ToS as well. Be sure to consult with a digital forensics expert before attempting to access any data.

When dealing with data shared by multiple users (as is often the case with enterprise cloud data), steps must be taken to safeguard the privacy of all individuals involved. This means you’ll need to follow applicable regulations before beginning an investigation.

A Word About Consent

Consent is an important provision to access private cloud data. Without consent, forensic investigators must rely on the service provider. In this case, it’s crucial to determine who owns the data: the user or provider. If the user is determined to be the actual owner, you may find your investigation bogged down and tied up for quite some time by requesting access from a provider.

In many situations, obtaining user consent is one of the quickest ways to access data legally and should be given priority whenever possible.

Regarding enterprise and public cloud data, you may find that consent from the provider is required. To obtain it, start by establishing the provider’s state of incorporation. This step will provide you with the jurisdiction and law to follow.

Obtaining forensic evidence from the cloud is not an easy process. As cloud services become more popular, the legal system will need to catch up and provide specific provisions for forensic investigators.

If you’re attempting to obtain data from the cloud, don’t do it alone. Instead, work with an experienced investigator to ensure that the process is accomplished legally and effectively.

Prudential Associates has conducted over 45,000 investigations during our nearly 45 years of service. To learn more about forensic investigations in Maryland, Washington DC or Virginia and how Prudential Associates may help, contact us today at (301) 279-6700.
