Investigating files in the ‘cloud’

As more and more users store data in the ‘cloud’, what is the process for investigating digital evidence that does not reside on the user’s own hardware? Can such files be acquired using forensic software, and how admissible is electronic evidence obtained in this way?

The problems associated with this kind of investigation are numerous. Because the computer analyst does not retain physical control of the media or the network, there are issues with the chain of custody. Who owns the data, and what expectation of privacy does the customer have? Cloud computing is touted as the next major step change in the way that organizations plan, develop and enact their IT strategies. However, where computer forensics is concerned, cloud computing has not been thoroughly considered in terms of its forensic readiness.

Digital evidence is defined as: “Any information of probative value that is either stored or transmitted in a digital form”. Electronic evidence includes files stored on a computer hard drive, file fragments or data items stored in memory, or information transmitted over a network. Electronic evidence in the ‘cloud’ presents many complications over its conventional counterpart.

The ACPO guidelines for electronic evidence are particularly relevant when considering ‘cloud’ computing. They are also the most difficult to satisfy, because cloud data centres are remote. The search and seizure guidelines describe how investigators should prepare for the search and record all details of the investigation scene. Data storage media should then be cloned or imaged, as described below, before the analysis can commence. Analysis is usually conducted first at the physical level, where disk partitions are examined, and then at the logical level on a file-by-file basis. Clearly this is not an option in the case of ‘cloud’ storage.
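To make the conventional procedure concrete, here is an added example (not from the original article, and not ACPO's own tooling) of the steps that cloud storage takes away from the examiner: the media is imaged sector by sector, the image is verified against the source with SHA-256, each action is recorded in a chain-of-custody log, and physical-level analysis begins by parsing the MBR partition table of the image. The "device" is a constructed in-memory byte string standing in for a block device, and the examiner name is a placeholder; a real acquisition would read from a write-blocked device node instead.

```python
import datetime
import hashlib
import io
import struct

SECTOR = 512


def build_sample_media():
    """Constructed sample: a 16-sector 'disk' whose MBR holds one partition."""
    mbr = bytearray(SECTOR)
    # Partition entry 1 lives at offset 446: status 0x80 (bootable), type 0x83
    # (Linux), starting at LBA 2 and spanning 14 sectors. CHS fields stay zero.
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x83, b"\x00" * 3, 2, 14)
    mbr[510:512] = b"\x55\xAA"  # MBR boot signature
    gap = b"\x00" * SECTOR  # LBA 1: unused sector before the partition
    partition = b"forensic sample data".ljust(14 * SECTOR, b"\x00")
    return bytes(mbr) + gap + partition


def acquire_image(source, custody_log, examiner):
    """Copy the source sector by sector, hashing source and image independently.

    Returns (image_bytes, image_sha256). Raises if the hashes disagree, so a
    corrupted copy is never silently admitted to the case file.
    """
    src_hash = hashlib.sha256()
    image = io.BytesIO()
    for block in iter(lambda: source.read(SECTOR), b""):
        src_hash.update(block)
        image.write(block)
    image_bytes = image.getvalue()
    img_hex = hashlib.sha256(image_bytes).hexdigest()
    verified = img_hex == src_hash.hexdigest()
    custody_log.append({
        "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "examiner": examiner,  # placeholder identity supplied by the caller
        "action": "acquire",
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": img_hex,
        "verified": verified,
    })
    if not verified:
        raise RuntimeError("image hash does not match source; acquisition failed")
    return image_bytes, img_hex


def parse_mbr_partitions(image):
    """Physical-level analysis: list the non-empty entries of the MBR table."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xAA":
        raise ValueError("no valid MBR signature at offset 510")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", image[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "start_lba": lba, "sectors": count})
    return parts


def extract_partition(image, part):
    """Carve the raw bytes of one partition out of the image for logical analysis."""
    start = part["start_lba"] * SECTOR
    return image[start:start + part["sectors"] * SECTOR]


def run_demo():
    """Acquire, verify and survey the constructed media; returns the evidence trail."""
    log = []
    image, digest = acquire_image(io.BytesIO(build_sample_media()), log,
                                  examiner="examiner-placeholder")
    parts = parse_mbr_partitions(image)
    return log, digest, parts, image


if __name__ == "__main__":
    log, digest, parts, image = run_demo()
    print("image sha256:", digest)
    for entry in log:
        print("custody:", entry)
    for p in parts:
        print("partition:", p, "first bytes:", extract_partition(image, p)[:20])
```

The custody log pairs the source and image hashes with a timestamp and the examiner's identity, which is what a court would later use to show the image is what was seized; with cloud-held data there is no source device to hash, and that is precisely the gap the article describes.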

With regard to a virtual environment from a cloud service provider, the forensic analysis can be performed in the same way as it would be on a client’s premises. The customer is the only one with access to the virtual machines themselves. The ACPO guidelines can be adhered to in principle, but clearly there are limitations where access to the physical media is not available.
