How to Lawfully Collect and Examine Data in the Cloud

co-authored by Jean-Philippe Noat, Senior Director of Strategic Advisory Services/International, Cellebrite

In cloud data centers around the world, family photos, financial records, and emails are waiting for their owners to access them when and where they’re needed—on smartphones, laptops, tablets and computers. As people hop from device to device, they expect the data that’s “in the cloud,” including social media posts, to be available to them at any moment.

The movement toward storing data in the cloud is a boon for digital mavens who want their data to follow them around, and who don’t want to worry about hard-drive storage in their various devices. For law enforcement investigators, however, the cloud is both an investigative opportunity and a challenge: there is a wealth of data about crimes and suspects within the cloud, but also many obstacles to gaining access to critical information.

Frontline law enforcement officers are trained to seek out digital devices when they are interviewing witnesses and suspects, or investigating a crime scene. The data residing on devices like phones and laptops can indicate users’ locations as well as conversations with other parties who may be worth interviewing or investigating. A single text message, email, or photo can change the trajectory of an investigation.

But these days, that crucial text message or photo is likely to live in the cloud, and not on the devices that investigators collect. Data contained in online resources like social media and news websites generally originates in the cloud. In addition, privacy regulations dictate how and when investigators can gain access to a person’s data in the cloud.

At a high level, there are really only two options.

Publicly available data can be obtained without any paperwork. This is similar to what you might find from sites that scrape public records and social media for information on a person. This might be the person’s name, DOB, address, previous residences, jobs, and things they post publicly on social media (all privacy settings are set to “public”).

Anything else that is hosted by a company and is considered private information requires a search warrant issued to the cloud provider (e.g., Dropbox, Facebook, etc.). This would include items marked as “private” via a user’s social media privacy settings, messages, etc. Search warrants require investigators to establish “probable cause.”

While there are technology solutions that allow law enforcement officers to lawfully collect and analyze digital intelligence (DI) from the cloud, the process also requires trained investigators who understand where cloud data might be located. (Digital Intelligence is the data collected and preserved from digital sources and data types [smartphones, computers, and the cloud] and the process by which agencies collect, review, analyze, manage, and obtain insights from this data to more efficiently run their investigations.)

For officers interested in learning the basics of collecting and understanding data in the cloud, the following advice can help.

Understand the difference between public and private cloud data

There is public cloud data that can be freely collected and analyzed by investigators, and there is cloud data that requires the permission of its owner to view and collect, or requires the permission of the cloud service owner to access. Before frontline law enforcement officers make a move to access data, it’s important to know which type of data is being viewed.

Simply put, if a password is needed to access data, it’s private. If a password is not needed to access data in the cloud, it’s public. A person who creates a profile on Facebook but allows anyone to view that profile is making public content for anyone to read – including law enforcement. It’s proper to call this public data “open source,” meaning that it can be investigated without that person’s approval. Social media posts, comments on news stories, or publicly available videos on YouTube would all fall into this “public” category.

As soon as a password is required and the data can’t be viewed without that password, however, it’s private information.

In similar fashion, we need to distinguish between “private data” and “private cloud.” Private cloud is a type of cloud computing that delivers similar advantages to public cloud, including scalability and self-service, but through a proprietary architecture. Unlike public clouds, which deliver services to multiple organizations/persons, a private cloud is dedicated to the needs and goals of a single organization. We must distinguish between private data that is on the public cloud (e.g., Facebook) and private data that is on the private cloud (e.g., a single tenant environment for dedicated space on Microsoft Cloud).

Seek connected devices that can deliver instant access to cloud data

If frontline law enforcement officers have lawful access to a person’s residence or office and can collect digital devices, they may find that the social media accounts are actively up and running on those devices, without the need for a password. Or perhaps the cloud data can’t be accessed on one device because a password is needed – but since other devices may be synced with this same cloud data, the data might be available on another device that’s already logged into the account.

In these cases, the data could be viewed by investigators, as they are lawfully accessing the accounts: they are merely viewing information they have been given permission to view, or are legally entitled to view. A person of interest might delete an iMessage from an iPad, not realizing that the message could still be viewed via an iCloud account already logged in via the web, and open on a personal computer. Or a person might simply throw away a victim’s device, not knowing that the victim’s cloud data – potentially including text messages, web browser searches, and phone records – could be accessed through another device.

For these reasons, it makes sense for on-the-scene investigators to pay extra attention to devices that are turned on and are open. Digital evidence is volatile and fragile. Handling it improperly can alter it, so protocols must be followed to ensure that data is not modified during its access, collection, packaging, transfer, and storage. These protocols delineate the steps to be followed when handling digital evidence.

There are four phases involved in the initial handling of digital evidence: identification, collection, acquisition, and preservation. These procedures are also good for cloud data acquisition. If you are not sure about the protocols and procedures your organization is using, be sure to raise the issue with those higher up in the command chain or with the relevant prosecutors.

If you can’t access private cloud data, look for artifacts

Let’s say that private cloud data isn’t initially available to investigators – at least not right away. Utilizing cloud forensics options, under the proper authorization and guidance, could help accelerate access to critical evidence. If devices can be accessed, they may still provide clues as to what exactly might be in the cloud. For example, the internal investigation of mobile devices and computers could help to identify the total number of devices involved in a case (including the models), as there is often a globally unique identifier that tells the exact device model. This may help the investigator estimate what other evidence might be missing in their case and how complex their case might be.

If device owners have used their phones, laptops, tablets, and so on to access information like social media accounts in the cloud, there may be other “artifacts” left on the device that can provide clues about the information the device user may have in their possession, or other people with whom they are associating.

One example of such artifacts is pictures together with their metadata. Examining that metadata can reveal the contact who originally owned the photo, or the contact through whom it was shared. It also helps to determine which device the photo was taken with, and whether that device is one the investigators already have in hand.
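One concrete form such metadata takes is the Exif block embedded in a JPEG, whose Make and Model tags name the camera or phone that took the picture. The following added example (not from the original column or from any vendor tool) builds a small JPEG with a constructed Exif block, parses those tags back out, and compares them against the make and model of a device already in hand; the device names and timestamp are invented.

```python
import struct
# Tag ids are from the TIFF/Exif spec; every value below is constructed for this example only.
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}
SAMPLE_TAGS = {0x010F: "ExampleMaker", 0x0110: "ExamplePhone 9", 0x0132: "2021:03:14 09:26:53"}

def build_jpeg_with_exif(tags):
    # Minimal JPEG: SOI, one APP1/Exif segment carrying a little-endian IFD0, EOI.
    n, entries, data = len(tags), b"", b""
    data_start = 8 + 2 + 12 * n + 4             # header, entry count, entries, next-IFD pointer
    for tag, text in sorted(tags.items()):
        value = text.encode("ascii") + b"\x00"  # type 2 = ASCII, NUL-terminated
        if len(value) <= 4:                     # short values are stored inside the entry
            entries += struct.pack("<HHI", tag, 2, len(value)) + value.ljust(4, b"\x00")
        else:                                   # longer values are placed after the IFD
            entries += struct.pack("<HHII", tag, 2, len(value), data_start + len(data))
            data += value
    tiff = b"II*\x00" + struct.pack("<IH", 8, n) + entries + struct.pack("<I", 0) + data
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def parse_exif(jpeg):
    """Walk the JPEG segments to APP1/Exif and return the ASCII tags of interest."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos, found = 2, {}
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):              # EOI or start of scan: no more metadata
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            tiff = body[6:]
            e = "<" if tiff[:2] == b"II" else ">"   # byte order is declared in the TIFF header
            ifd = struct.unpack(e + "I", tiff[4:8])[0]
            count = struct.unpack(e + "H", tiff[ifd:ifd + 2])[0]
            for i in range(count):
                tag, typ, n, val = struct.unpack(e + "HHI4s", tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i])
                if typ != 2 or tag not in TAG_NAMES:
                    continue
                off = struct.unpack(e + "I", val)[0]
                raw = tiff[off:off + n] if n > 4 else val[:n]   # >4 bytes: field is an offset
                found[TAG_NAMES[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
            break
        pos += 2 + seg_len
    return found

def same_device(exif, seized_make, seized_model):
    # Compare the photo's Make/Model with a device the investigators already hold.
    return (exif.get("Make", "").strip().lower() == seized_make.strip().lower()
            and exif.get("Model", "").strip().lower() == seized_model.strip().lower())
```

Real photos carry many more tags (GPS, software, thumbnails) in the same structure; this parser reads only the three ASCII tags named above.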

For example, during a terrorist attack investigation that Jean-Philippe was involved in, investigators were able to determine that the alleged attackers had deleted their Telegram social media accounts from their phones just a few minutes before they were arrested. More importantly, the investigators were able to prove that the alleged attackers had been using Telegram for many hours before being arrested.

In this case, instead of looking for the original app, the investigators focused their investigation on the logs of the device. Analyzing the bandwidth consumed over a period of time, or the precise activity of the device minute by minute, can reveal far more than one might expect.
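As an added illustration of that log-based approach, not taken from the original column or from the case described, the following Python reconstructs an app's activity window from constructed per-app network-usage records, as a device usage log might record them, even after the app itself has been removed; the app name, times and byte counts are invented.

```python
from datetime import datetime

# Constructed sample (not real case data): minute-bucketed per-app network usage as a device
# usage log might record it, plus the times the app was removed and the device was seized.
USAGE_LOG = """\
2021-03-14 05:02 chat.app 12400 8800
2021-03-14 06:30 chat.app 88210 5100
2021-03-14 07:45 chat.app 2300 1900
2021-03-14 08:59 chat.app 51000 3400
2021-03-14 09:02 chat.app 800 600
2021-03-14 09:10 browser 33000 2000
"""
APP_REMOVED_AT = "2021-03-14 09:06"
DEVICE_SEIZED_AT = "2021-03-14 09:12"

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def parse_usage(text):
    """Each line: date time app rx_bytes tx_bytes -> (timestamp, app, total_bytes)."""
    rows = []
    for line in text.splitlines():
        date, time, app, rx, tx = line.split()
        rows.append((_ts(f"{date} {time}"), app, int(rx) + int(tx)))
    return sorted(rows)

def activity_before(rows, app, cutoff):
    """Summarise traffic for `app` up to `cutoff`; the app need not still be installed."""
    hits = [(ts, b) for ts, a, b in rows if a == app and ts <= _ts(cutoff) and b > 0]
    if not hits:
        return None                     # no usage recorded for this app before the cutoff
    return {"first_seen": hits[0][0], "last_seen": hits[-1][0], "active_minutes": len(hits),
            "total_bytes": sum(b for _, b in hits),
            "hours_active": (hits[-1][0] - hits[0][0]).total_seconds() / 3600}

def minutes_between(earlier, later):
    # Whole minutes from one event to the next, e.g. app removal to device seizure.
    return int((_ts(later) - _ts(earlier)).total_seconds() // 60)

if __name__ == "__main__":
    rows = parse_usage(USAGE_LOG)
    print(activity_before(rows, "chat.app", APP_REMOVED_AT))
    print("minutes from removal to seizure:", minutes_between(APP_REMOVED_AT, DEVICE_SEIZED_AT))
```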

In all the situations above involving cloud data, investigators might not be able to access the precise cloud data they seek. However, they may still be able to find the evidence they need. And that evidence could help close the case.

Forensic's monthly column, Digital Intelligence in the 21st Century, is authored by Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite. With over 18 years of experience in digital forensics, Mahalik has been an expert of choice for many law enforcement and intelligence agencies. She has worked high-profile cases from child exploitation to Osama Bin Laden’s digital media. Check back the first Friday of every month for more digital intelligence as Mahalik takes on managing and sharing data, testing and validation, highly encrypted phones and more.