Collection of Evidence from the Internet: Part 2
“…our social norms are evolving away from the storage of personal data on computer hard drives to retention of that information in the “cloud,” on servers owned by internet service providers.”
—Oregon state court opinion in a criminal matter, State v. Bellar, 231 Or.App. 80, 217 P.3d 1094 (Sept. 30, 2009).
Part 1 of this series laid a foundation for a methodology for the collection of digital evidence from the Internet. That process covers evidence collection and preservation, and later presentation, and it rests on documenting the collected evidence and verifying its authenticity through date and time stamping, hashing, and logging.
This methodology addresses the unique problem of an investigator's lack of control over the “live” data online. A newer portion of the Internet evidence collection conundrum, however, is the technology referred to as the “cloud.”
The name “cloud computing” comes from the use of a cloud as the graphical symbol for the Internet in network diagrams. In computing terms, the “cloud” is generally defined as the delivery of common business services (data storage, database access, business applications, and so on) over the Internet, commonly accessed from a Web browser.
Thus the software and data for these cloud applications are stored on servers owned by a third party, not on the user's own machine. As such, they are not under the end user's control, and control is a key requirement in traditional network forensics, where the examiner either has physical control over the network or can take control by installing a small program (often called an agent or applet) on the computer to be examined.
This lack of control on the examiner's part is why collection is the generally accepted problem with cloud-based evidence. Because the examiner has neither access to the physical hard drive nor control over the network, he or she will at most have access to the data through the end user's Web browser, or through another computer connected to the same network.
The question for the examiner then becomes, not only how to collect and document information from the cloud, but also whether the same acquisition and documentation methodology described in Part 1 can be used in the collection, preservation, and presentation of cloud-based evidence.
Certainly it is possible to document the cloud through methods similar to those described in Part 1, which include:
- Taking snapshots of the evidence.
- Videotaping what is present.
- Acquiring the data through logical acquisition, if you can access the “cloud” data as a logical drive.
- Complete documentation of the process used in the acquisition.
Cloud-based evidence can consist of logical files, such as databases and document files, or of data held in web-based applications such as web-based e-mail. Pulling these files to a local machine for acquisition and documentation can mean logically copying the data and then preserving it either in its native format or in a forensically accepted container such as Guidance Software’s EnCase evidence file (.E01) format.
The data set can then be hashed (digitally fingerprinted) and date and time stamped. However, where there is no way to access the data logically (for example, no shared folder from which files can simply be copied from the cloud to the investigator's hard drive), the investigator can, though it is a somewhat lengthy process, simply snapshot or video record the data while scrolling through it.
Massive databases, such as customer relationship management (CRM) systems, present a further challenge, because they cannot currently be acquired with existing forensic tools. The investigator may instead have to export the data to an external hard drive and then hash the exported files for verification. As with any web-based evidence, the investigator should log system activity along with his or her own actions to authenticate the overall evidence collection process.
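The logical-copy workflow described above (copy the data off, hash it, time stamp it, and log every examiner action so the set can be re-verified at presentation) can be made mechanical. The following is an added example written for this article, not code from the article, from Part 1, or from Vere Software; it assumes the cloud data is reachable as an ordinary mounted share and uses a constructed two-file sample set in a temporary directory in place of real evidence. The case identifier, examiner name, and the zero-filled chain anchor are placeholders.

```python
"""Hash-verified logical acquisition with a UTC-stamped, hash-chained examiner log.

Added example (not the article's or any vendor's code). Assumes the cloud
share is mounted as a normal directory; sample data is constructed inline.
"""
import datetime
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

GENESIS = "0" * 64  # placeholder anchor for the first log entry's "prev" field


def utc_now() -> str:
    """ISO-8601 UTC timestamp; UTC avoids time-zone ambiguity across jurisdictions."""
    return datetime.datetime.now(datetime.timezone.utc).isoformat()


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so a multi-gigabyte export hashes without loading into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


class AcquisitionLog:
    """Append-only log in which each entry commits to the previous entry's hash,
    so an edited or removed line breaks the chain when verify() is run later."""

    def __init__(self, case_id: str, examiner: str):
        self.case_id, self.examiner = case_id, examiner
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, action: str, detail: str = "") -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "time": utc_now(), "case": self.case_id,
                 "examiner": self.examiner, "action": action, "detail": detail,
                 "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def acquire(source: Path, dest: Path, log: AcquisitionLog) -> dict:
    """Logically copy every file under `source` to `dest`, hashing the source
    before and the copy after; a mismatch is logged and aborts the acquisition."""
    manifest = {}
    log.record("acquisition_start", f"source={source} dest={dest}")
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src_file.relative_to(source).as_posix()
        dst_file = dest / rel
        dst_file.parent.mkdir(parents=True, exist_ok=True)
        before = sha256_file(src_file)
        shutil.copy2(src_file, dst_file)  # copy2 keeps the source's modification time
        after = sha256_file(dst_file)
        if before != after:
            log.record("copy_mismatch", rel)
            raise RuntimeError(f"hash mismatch while copying {rel}")
        manifest[rel] = {"sha256": after, "size": dst_file.stat().st_size,
                         "acquired_utc": utc_now()}
        log.record("file_acquired", f"{rel} sha256={after}")
    log.record("acquisition_end", f"{len(manifest)} files")
    return manifest


def verify_manifest(dest: Path, manifest: dict) -> list:
    """Re-hash the preserved copy and return the paths that no longer match."""
    return [rel for rel, meta in manifest.items()
            if not (dest / rel).is_file() or sha256_file(dest / rel) != meta["sha256"]]


def run_demo() -> dict:
    """Constructed sample set (not real evidence): a CRM export and a note on a 'share'."""
    with tempfile.TemporaryDirectory() as tmp:
        share, drive = Path(tmp, "share"), Path(tmp, "examiner_drive")
        (share / "crm").mkdir(parents=True)
        (share / "crm" / "export.csv").write_bytes(b"abc")
        (share / "note.txt").write_bytes(b"meeting at 0900\n")
        log = AcquisitionLog("CASE-0001", "examiner")  # placeholder identifiers
        manifest = acquire(share, drive, log)
        clean = verify_manifest(drive, manifest)
        (drive / "note.txt").write_bytes(b"meeting at 1000\n")  # simulate tampering
        tampered = verify_manifest(drive, manifest)
        chain_ok = log.verify()
        log.entries[1]["detail"] = "edited after the fact"  # simulate an altered log line
        return {"manifest": manifest, "clean": clean, "tampered": tampered,
                "chain_ok": chain_ok, "chain_after_edit": log.verify()}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest and log are what get produced alongside the copied files and hashed again at presentation time; the timestamps come from the examiner's clock, so note the clock source and any offset in the log rather than relying on the stamp alone.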
It is also important for investigators to remember that little to no case law yet addresses the cloud specifically. Some legal processes that have been used successfully for other types of electronic evidence, such as data retrieved from cell phone service providers, may be applied here. One example is the use of a preservation letter to have the provider retain the data until a search warrant can be obtained.
The lack of legal standards for the collection of cloud-based evidence presents an additional area of concern: data stored in foreign countries. Obtaining cloud-based evidence which is physically located on a server in a foreign jurisdiction risks violating that country's privacy and criminal laws. So, regardless of where the subject of an investigation resides, investigators may now need to consult with their organization's attorneys on whether they will legally be able to obtain data potentially not stored in their jurisdiction.
Technology challenges the digital forensics investigator, but each change is eventually met by adopting a methodology that standardizes his or her actions. Just as cellular telephones, wireless technology, encryption, and memory analysis have expanded the electronic crime scene, added to its complexity, and pushed the limits of existing law, cloud computing is causing another step forward in digital forensics' evolutionary process. The challenge of cloud computing will likewise be met with a standardized process, which will become another tool in the arsenal of the digital forensic examiner.
Todd G. Shipley is president and CEO of Vere Software. He has more than 25 years of experience in law enforcement: from investigating financial and computer crimes to overseeing the training of high-tech crimes investigators. Between 2004 and 2007, Mr. Shipley was the Director of Systems Security and High Tech Crime Prevention Training—and manager of the National Criminal Justice Computer Laboratory and Training Center—for SEARCH, The National Consortium for Justice Information and Statistics. Prior to joining SEARCH, Mr. Shipley served for 25 years with the Reno (Nevada) Police Department. As a Senior Detective Sergeant managing the agency's Financial and Computer Crimes Unit, he investigated serious financial offenses; developed cyber and technology crime investigative policy; and served as a liaison to other law enforcement, intelligence, and government agencies and industry bodies. During this time, he formed Nevada's first Computer Crime Investigations Unit.