Why Storing Evidence in the Cloud is Safer, Faster and Better


co-authored by Ryan Parthemore, SaaS Evangelist, Cellebrite

Law enforcement officers are understandably nervous about letting evidence out of their sight, or beyond the reach of a locked evidence cabinet. If there’s the slightest hint that evidence has been accessed by unauthorized people, or tampered with in any way, a carefully constructed case against a suspect could end up tossed out of court. For these reasons, law enforcement agencies have been slow to join the cloud and software-as-a-service (SaaS) revolution that has transformed so many organizations. 

Here’s a primer on the cloud, should you need the basics. Instead of paying for more and more on-premise storage (that is, storage on computer hard drives), organizations are choosing to store data “in the cloud.” This means the data isn’t physically stored on a computer within an office or agency; it “lives” on servers owned by global technology companies such as Amazon and Google. The data can easily be accessed via a web browser. If you’ve used Google Drive or Dropbox to view and download files, then you’ve been using the cloud via these SaaS solutions.

The data-storage issue for law enforcement has been given urgency by the growing use of bodycams. The video from bodycams has to be stored and accessed somewhere, and the volume of footage means that “somewhere” usually isn’t within the law enforcement agency – it’s in the cloud. Many bodycams are sold by manufacturers that also offer cloud storage, because they know customers are unable to benefit from the bodycams without it.

The dangers of storing digital evidence on physical computer drives

Keep in mind that law enforcement investigators and digital forensic examiners already know about the value of cloud data when building cases against suspects. They know to look at suspects’ social media accounts for evidence, and are familiar with the process of serving these social media providers with evidence preservation letters while they seek search warrants for the cloud data.

So why the slower adoption of cloud storage for digital evidence? Law enforcement officers love the warm and fuzzy feeling they get about placing evidence into a 9-by-12 envelope, sealing it up with evidence tape, and putting it behind a locked door with a camera and a fire suppression system to protect it.

But in law enforcement, digital evidence has traditionally been stored on USB flash drives, which were not designed for long-term storage. Such drives aren’t used in corporate settings because IT departments understand the limitations of this technology – not to mention the security dangers of a tiny device that could be lost, damaged, or stolen easily. 

Many in law enforcement really latched onto USB drives because they were inexpensive, portable, and readily available. But there’s no guarantee that years from now, the digital evidence will be available – the flash drives are usually only warranted for two years. Flash memory often lacks the durability to ensure the availability of the evidence it contains at trial.

It’s worrisome to think that data could disappear, but it’s even more upsetting to think about data being copied or appropriated by people who have no right to view it. This is particularly important in cases involving child sexual abuse material (CSAM). It’s not only evidence, but also contraband, so it must be managed with the utmost care. 

Imagine the pitfalls of storing CSAM evidence on a thumb drive. There’s the concern about re-victimizing children, should the evidence fall into the wrong hands. As we said, a thumb drive is meant to be portable, so as it moves from an officer’s computer to a forensic lab and back to another law enforcement agency, the potential for loss or theft is very real.

Then there’s the concern about altering the evidence with each successive download-and-save process. A common approach is to download the evidence from its source to a USB drive, then copy that evidence to an external hard drive to be stored in a secure evidence room. This follows through the discovery process as well, because if a prosecutor needs the evidence, another copy will be made. When the prosecutor needs to deliver evidence to the defense, they make a copy again. 

The result is that you now have several uncontrolled and unmanaged copies of evidence. In addition, you have to worry about defense attorneys poking holes in your case because the data has changed in subtle ways. Images in copies might have different time stamps, allowing an attorney to claim that the evidence doesn’t belong to their client. Even a single bad sector on the portable media could affect the hash value critical to proving evidence authenticity. Further, as various stakeholders review evidence, and possibly add their own tags or create subsets, the possibility of numerous copies in unknown states of revision grows. A single truth of digital evidence is required.
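To make the hash point concrete, here is an added example (not part of the original column) that compares two copies against an original: one with only a new time stamp, one with a single altered byte standing in for a bad sector. The file names, the 512-byte sector size, and the sample data are constructed assumptions.

```python
import hashlib
import os
import shutil
import tempfile

SECTOR = 512  # assumed block size for piecewise hashing


def hash_file(path):
    """Return (whole-file SHA-256, list of per-sector SHA-256 digests)."""
    whole, sectors = hashlib.sha256(), []
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(SECTOR), b""):
            whole.update(block)
            sectors.append(hashlib.sha256(block).hexdigest())
    return whole.hexdigest(), sectors


def compare_copy(original, copy):
    """Compare a copy with the original and list the sectors that differ."""
    (ref_hash, ref), (got_hash, got) = hash_file(original), hash_file(copy)
    bad = [i for i in range(max(len(ref), len(got)))
           if i >= len(ref) or i >= len(got) or ref[i] != got[i]]
    return {"match": ref_hash == got_hash, "bad_sectors": bad,
            "mtime_differs": os.path.getmtime(original) != os.path.getmtime(copy)}


def demo():
    """Build a constructed evidence file and two copies, then compare them."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "extraction.bin")
    with open(original, "wb") as handle:
        handle.write(bytes(range(256)) * 16)  # constructed data, 8 sectors
    os.utime(original, (1_600_000_000, 1_600_000_000))
    clean = os.path.join(work, "copy_clean.bin")
    shutil.copyfile(original, clean)  # same bytes, new time stamp
    os.utime(clean, (1_700_000_000, 1_700_000_000))
    damaged = os.path.join(work, "copy_damaged.bin")
    shutil.copyfile(original, damaged)
    with open(damaged, "r+b") as handle:  # simulate one bad sector
        handle.seek(5 * SECTOR + 10)
        handle.write(b"\xff")
    results = compare_copy(original, clean), compare_copy(original, damaged)
    shutil.rmtree(work)
    return results


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The clean copy still matches the original hash even though its time stamp differs, while the damaged copy fails the whole-file hash and the per-sector hashes show which block changed.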

The cloud as a force multiplier

Now let’s consider the evidence-storing process using cloud storage. There aren’t nearly as many steps, because there is no need to make copy after copy – or to use external hard drives. The copy stored in the cloud is the single truth required for transparency and defensibility in investigations. Once the evidence is securely stored in the cloud, we can share it with all stakeholders via a secure web link, regardless of where the stakeholders are located. That’s why the cloud can be considered a force multiplier: It saves time, secures evidence, and allows investigators to solve crimes faster.

Another reason the cloud is a force multiplier is that you can leverage computing resources in the cloud that are not available on the investigator’s desktop computer. You can perform a web review of the digital evidence, such as the data extraction from a device. It doesn’t matter if you’re using a laptop that doesn’t have a lot of horsepower: The cloud provides the computing power to process the images and deliver them to the web.

By storing evidence in the cloud, you also make it easier to track who has access to the evidence and who has viewed it. Knowing that someone has or has not used their ability to access evidence is valuable – in addition to knowing when they accessed it and from which IP address. The same management principles are not possible with the traditional methods of storing and copying digital evidence. Law enforcement is intimately familiar with the chain of custody related to physical evidence: who moved what, where, and when. Digital evidence is held to the same rules of evidence, so it is critical to prove who had access and what they did with that access. The alternative is risking the admissibility of evidence necessary to ensure justice.

Protection for data—and people

Cloud-based evidence solves a root problem for investigators, which is connectivity and accessibility. It’s a boon for investigations that cross jurisdictions and agencies. The cloud makes evidence shareable with other stakeholders such as prosecutors, while preserving and tracking access – in other words, keeping data more secure than it would be with a physical drive. Most importantly, cloud storage helps protect victims. When victims have already been harmed, you want to limit the harm with the most secure evidence storage and management you can find.

Forensic's monthly column, Digital Intelligence in the 21st Century, is authored by Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite. With over 18 years of experience in digital forensics, Mahalik has been an expert of choice for many law enforcement and intelligence agencies. She has worked high profile cases from child exploitation to Osama Bin Laden’s digital media.

 
