Time to take cloud cover

The forensic challenges associated with a cloud computing environment

By Mark St. Peter

With familiar iconic brands saturating the airwaves with messaging that touts the benefits of “The Cloud,” it is tough to miss the fact that cloud computing is becoming an increasingly popular and prominent presence in our social, professional and technological lives. At home and at work, the convenience and appeal of cloud computing are changing the way many people use, consume, and store information.

For better or for worse, cloud computing is also changing the way in which trial attorneys and other legal professionals engage with digital information in a legal/discovery context. For attorneys who have spent years adapting to the legal and technical challenges of electronic discovery, cloud computing presents a host of new and important differences. Cloud computing affects the way we collect, preserve, and analyze electronically stored information (ESI).

Cloud formation


Exactly what is the “cloud” and how does it work? While not all cloud-based services work exactly the same way, and there is a range of different service models and deployment methods within the broad category of cloud computing, the basic characteristics of all cloud-based systems feature some manner of on-demand network access to configurable resources that can be rapidly provisioned with minimal management effort. Essentially, cloud computing is the “lease” of computing power managed by another party.

The advantages to this setup are clear: users do not have to invest in and maintain expensive computers, servers and routers and other pricey equipment. Instead, they can simply log in and pay to store or access data as needed, leaving the management—and the nuts and bolts infrastructure—to an outside party. But while this might be a convenience for most users, the structure of this kind of service forces the legal community to confront a range of complicated data and evidentiary issues.

Mostly cloudy

The biggest issue that cloud computing poses for attorneys—and subsequently for the electronic evidence specialists and computer forensics experts they rely on—is that many of the traditional computer forensic methods are difficult or impossible to use when information is stored on the cloud. Hard drive imaging and the analysis of deleted files or file fragments are not possible, and computer settings and registry information (such as login dates, passwords, etc.) are usually inaccessible. Without those tools, gathering ESI and analyzing digital evidence becomes more of a challenge.

In addition to limiting traditional avenues of e-Discovery, the cloud also presents a number of its own unique forensic considerations and complications:

Volatile storage

Cloud environments are moved and reconfigured frequently. This limits the amount of computer settings and cached information that can be preserved, collected and examined.

Geographic variance

Attorneys need to be aware of potential legal and jurisdictional issues that may come up as a result of the fact that cloud servers can be (and often are) based virtually anywhere. Don’t assume that the cloud environment you want to have examined is in the United States: often they are operated out of Europe or Asia, regions that have very different computer privacy laws and different restrictions on what can and cannot be searched without proper authorizations.

Logical access

The ability to examine the cloud environment will be limited by the scope of the login ID and password that you are granted. Legal and technical professionals need to be conscientious about ensuring that their login credentials facilitate proper access to “see” all of the potentially relevant information.

Multi-tenant structure

Cloud environments typically group several user environments onto one physical piece of equipment or infrastructure configuration. Oftentimes, those users are completely unrelated to each other. This opens up a range of complications, primarily liability concerns. All collection efforts should remain confined to the targeted user.

Stormy weather

The structural issues outlined above create unique obstacles that must be accommodated when engaging in cloud forensics. Physical access to the computer is one of the biggest hurdles, but there are also a number of issues that need to be taken into account when analyzing metadata (data about data—in other words, information about the nature of a computer file, not the content of the file itself). One of the most important is the fact that dates do not necessarily reflect the date of the user activity, and may instead reflect the movement of files onto the cloud. It all needs to be taken in context.

Additionally, attorneys and ESI experts need to appreciate the fact that, unlike in traditional computer forensics, they are almost always only looking at one section of the entire computing environment. Information that might otherwise be contained within a single computer or single file server may be spread among multiple hard drives and servers. Another issue is one of access: in a cloud environment, investigators will usually not have access to log files or a computer’s registry. Even where access is possible, the registry on a cloud server contains information that can mean very different things than that same data from a locally accessible server or PC.

Raincoats and umbrellas

From an attorney’s perspective, understanding the limitations of electronic discovery and digital evidence gathering in a cloud context is an important first step. But what proactive steps can they take, and what other avenues are available? First, remember that examination of the “client” (the computer used to access the cloud) is still available, and may offer some important clues or evidence. Some popular social websites like Facebook have introduced the ability to download a page or a segment of data stored within the user’s pages or “walls,” which can be a treasure trove of information. Also, it is important to note that many popular web-based email services (Yahoo!, Hotmail and Gmail, for example) can be accessed and acquired using communication protocols such as IMAP and POP that work outside of the cloud. Make sure that your forensic examiner is experienced in using these interfaces and techniques.
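The IMAP route mentioned above, and the earlier caution that dates may reflect the movement of files onto the cloud, can be illustrated together. The following is an added example, not part of the original article or any tool it describes: a read-only IMAP collection that hashes each message and compares the message's own Date header with the server's INTERNALDATE. The function names, the one-day threshold and the sample message are assumptions constructed for illustration.

```python
import hashlib
import imaplib
import re
from datetime import datetime, timedelta
from email import message_from_bytes
from email.utils import parsedate_to_datetime

INTERNALDATE_RE = re.compile(rb'INTERNALDATE "([^"]+)"')

def manifest_entry(raw, internaldate, max_gap=timedelta(days=1)):
    """Hash one collected message and compare its two timestamps."""
    # Date header: set by the sender's software when the message was written.
    sent = parsedate_to_datetime(message_from_bytes(raw)["Date"])
    # INTERNALDATE: set by the server when it stored this copy.
    stored = datetime.strptime(internaldate.strip(), "%d-%b-%Y %H:%M:%S %z")
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),
        "header_date": sent.isoformat(),
        "server_internaldate": stored.isoformat(),
        # A large gap suggests the server date records an import or
        # migration into the mailbox rather than the original activity.
        "dates_diverge": abs(stored - sent) > max_gap,
    }

def collect(host, user, password, mailbox="INBOX"):
    """Read-only collection over IMAP (needs network access and credentials)."""
    entries = []
    with imaplib.IMAP4_SSL(host) as conn:
        conn.login(user, password)
        conn.select(mailbox, readonly=True)  # open without altering flags
        _, data = conn.search(None, "ALL")
        for num in data[0].split():
            # BODY.PEEK[] fetches the full message without marking it read.
            _, parts = conn.fetch(num, "(INTERNALDATE BODY.PEEK[])")
            meta, raw = parts[0]
            stamp = INTERNALDATE_RE.search(meta).group(1).decode()
            entries.append(manifest_entry(raw, stamp))
    return entries

# Constructed sample: a message written in March but stored in November.
SAMPLE_RAW = (b"From: a@example.com\r\nTo: b@example.com\r\n"
              b"Date: Mon, 05 Mar 2012 09:15:00 -0500\r\n"
              b"Subject: Q1 figures\r\n\r\nDraft attached.\r\n")
SAMPLE_INTERNALDATE = "19-Nov-2012 02:44:25 +0000"

if __name__ == "__main__":
    print(manifest_entry(SAMPLE_RAW, SAMPLE_INTERNALDATE))
```

Neither timestamp is authoritative on its own: the Date header is supplied by the sender's software, and the server date describes only this stored copy.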

In terms of general principles, attorneys should remember that no cloud environment is the same: each is configured differently and can be changed or reconfigured quickly. As a result, no single approach is absolute: cloud computing and the associated environments are an emerging technology, and the rules and restrictions change from one environment to the next. It is also important to remember that information in a cloud environment is not under your direct control, but rather that of the cloud provider. This means that forensic collection and examination almost always needs to be conducted in a cooperative manner with the operator of the cloud environment. Additionally, the possession of data by a third party may be subject to legal challenges and subsequent attempts to gain access.

Long-range forecast


Cloud computing is not going anywhere. On the contrary, it is likely to become much more prevalent in the years ahead. As more and more businesses and individuals store data on the cloud, the legal community needs to adapt, continue to educate themselves about the potential issues that this trend raises, and structure their electronic discovery efforts and their legal strategies accordingly. If nothing else, attorneys need to understand the critical importance of these issues that can make or break a case or a client relationship. Attorneys would be wise to rely on the experience and expertise of computer forensics experts, who are adept at navigating the complex technical, forensic and legal/evidentiary issues that may not be immediately obvious. Attorneys who educate themselves and who stay informed with regard to emerging issues will not only know when to call in the experts, but will also likely discover that they can direct a ray of figurative sunshine into even the cloudiest corners of virtual space.

————————

Mark St. Peter is managing director of Southfield-based Computing Source. To learn more about Computing Source, visit computingsource.com or call (248) 213-1500.