When it comes to the world of forensics evidence, the cloud realm may be the most difficult of all to navigate. In fact, a 2014 report published by the National Institute of Standards and Technology identified 65 challenges for forensic investigators who uncover evidence from cloud computing.
Nine categories including analysis and training were used to classify the 65 challenges. This blog post centers around these two key categories and provides a background on related legal frameworks and procedures.
Cloud data can be divided into three categories: enterprise, public and private.
Enterprise cloud data features high levels of security tailored to business needs. Public cloud data is, of course, publicly accessible and provided by platforms like Google AppEngine, IBM Blue Cloud and Windows Azure Services Platform. With private cloud data, the cloud service and data center are owned by the individual organization.
First, it’s important to realize that traditional digital forensics and cloud forensic are not the same. What makes cloud forensics unique is the state of cloud data. It’s indefinite, constantly changing and often, very difficult to localize. The very fact that users can collaborate with each other across the globe is one of the most difficult aspects of obtaining data legally from the cloud.
As you might have imagined, private cloud data poses the most challenges for forensic investigators. Because the service is owned by the organization, there are more hoops to jump through to legally access the data.
Next, keep in mind that much of the legal framework depends on the location of the cloud data. If you’re performing an international investigation, you’ll need to follow the law for each and every country involved.
If you’re working with private cloud data, you can legally access the data with one of the following provisions:
Data stored in public cloud services also has the potential to land in several different locations, and may require working with multiple jurisdictions. In this case, it’s best to review the policies of the provider and consult the laws applying to each jurisdiction involved. However, in most cases, accessing public cloud data is more feasible than private cloud data.
As for enterprise data, always follow digital forensics procedures and techniques to obtain any data through company access. Check SLAs and ToS as well. Be sure to consult with a digital forensics expert before attempting to access any data.
When dealing with data shared by multiple users (as is often the case with enterprise cloud data), steps must be taken to safeguard the privacy of all individuals involved. This means you’ll need to follow applicable regulations before beginning an investigation.
Consent is an important provision to access private cloud data. Without consent, forensic investigators must rely on the service provider. In this case, it’s crucial to determine who owns the data: the user or provider. If the user is determined to be the actual owner, you may find your investigation bogged down and tied up for quite some time by requesting access from a provider.
In many situations, obtaining user consent is one of the quickest ways to access data legally and should be given priority whenever possible.
Regarding enterprise and public cloud data, you may find that consent from the provider is required. To do so, start by establishing its state of incorporation. This step will provide you with the jurisdiction and law to follow.
Obtaining forensic evidence from the cloud is not an easy process. As cloud services become more popular, the legal system will need to catch up and provide specific provisions for forensic investigators.
If you’re attempting to obtain data from the cloud, don’t do it alone. Instead, work with an experienced investigator to ensure that the process is accomplished legally and effectively.
Prudential Associates has conducted over 45,000 investigations during our nearly 45 years of service. To learn more about forensic investigations in Maryland, Washington DC or Virginia and how Prudential Associates may help, contact us today at (301) 279-6700.