Learn how to use ChatGPT technology for workplace investigations. Join Case IQ and Microsoft for the webinar.

#Article

Digital Evidence in the Cloud: A Challenge for Investigators


Digital Evidence in the Cloud: A Challenge for Investigators

A new environment requires new knowledge, new skills and new ways of thinking

Posted by on

Until recently, getting digital evidence was a matter of identifying which devices held it, preserving it and performing forensics on the devices to extract the information. And while this wasn’t as simple as it sounds, advances in forensics were making it more and more difficult for criminals to hide their communications. But device-based data storage is becoming a thing of the past, and experts predict that this will pose some serious challenges for digital forensics.

“We’re experiencing a fundamental change in forensics,” says Walt Manning, a former law enforcement officer and investigator, and founder of Techno-Crime Institute, a coaching and consulting business. “With the cloud, with BYOD and mobile devices, and some other trends that I see coming in the near future, I think the challenges for digital forensics are only going to get much larger.”

With so much information being stored in the cloud, there's an online element to almost every investigation and finding and preserving evidence on the web has become critically important.

Conducting online investigative research using open source intelligence? You'll find an extensive list of live OSINT links in the article: 101+ OSINT Resources for Investigators

Devices as Portals

Manning foresees mobile devices, such as tablets, becoming low-value - even giveaway - items, used to access content but not to store it.

Manning predicts the demise of traditional device-based forensics. “I think what you’re going to see in the future is an extension of the Kindle model... Amazon doesn’t really make any money on the Kindle devices themselves and that’s why they keep the price point lower than other tablets... because they’re not selling the device, they’re selling the content and the advertising and that’s where they make the money,” says Manning.

“So if you continue that trend with the cloud, and all of your content and all of your revenue is coming from that or advertising, then how much processing capacity for a device do you really need? How much data storage do you need? You might need memory sufficient for streaming, but what else do you need on that device other than a nice screen resolution?” Manning foresees mobile devices, such as tablets, becoming low-value - even giveaway - items, used to access content but not to store it.

FREE Investigation Report Template

Prepare thorough, consistent investigation reports with our free report template.

Download Template

Evidence in the Cloud

“Now what does that do for forensics?” he asks. “Where’s your evidence? Where’s your data? It’s in the cloud. So I see forensics moving more 'cloud-centric' and there are very few forensic tools today designed to work in the cloud environment,” he says.

In addition to a dearth of tools for cloud-based forensics, Manning cites the lack of forensic practitioners with the knowledge and experience needed to work in the cloud environment as a looming problem.

One of the initial challenges is the ability to protect and preserve data in the cloud. “Every cloud environment can be different. You have virtual machines now, you have containerized apps and you’re going to have to have forensics practitioners and e-discovery practitioners who are going to need to know how to go in and identify their data and to be able to preserve it in all these various cloud platforms,” says Manning.

He also questions our capability of protecting metadata in a virtual environment. Is a snapshot the same as a forensic image in the cloud?, he asks. There are so many unknowns, that the future of forensics is wide open.

Virtual Storage

A lot of the old traditional evidence and artifacts that we always got from traditional forensics are gone.

“We may have to completely change all of our best evidence rules because it doesn’t work anymore. You can’t go in and seize a server - a physical server in a cloud environment - take it down, take it back to the lab, make a forensic image as we traditionally have done and get evidence,” he says. “Because that physical server has multiple virtual machines running simultaneously, maybe for different clients, and when you shut that down that virtual machine ceases operation. Where’s your evidence?”

While the digital evidence may still exist on some type of storage mechanism that saves the data state of that virtual machine at that moment in time, Manning questions the data’s integrity. “There’s no more deleted files recovery. There are no more artifacts from operating systems because the cloud doesn’t require it. A lot of the old traditional evidence and artifacts that we always got from traditional forensics are gone,” he says.

In the new world of cloud-dominant storage, digital evidence recovery is experiencing unprecedented change. And this is only the beginning. New policies, tools and techniques will be key in maintaining the ability to preserve and recover the data needed to catch and prosecute tomorrow's criminals.

Want to learn more about evidence? Read 15 Types of Evidence and How to Use Them.