The Cloud
“…our social norms are evolving away from the storage of personal data on computer hard drives to retention of that information in the “cloud,” on servers owned by internet service providers.”
—Oregon state court opinion in a criminal matter, State v. Bellar, 231 Or.App. 80, 217 P.3d 1094 (Sept. 30, 2009).
Part 1 of this series laid a foundation for a methodology for the collection of digital evidence from the Internet. That process includes evidence collection and preservation, and later presentation. This is accomplished through a process of documenting the collected evidence and verifying its authenticity by date and time stamping, hashing, and logging.
This methodology addresses the unique problem of an investigator's lack of control over the “live” data online. A newer portion of the Internet evidence collection conundrum, however, is the technology referred to as the “cloud.”
The name “cloud computing” comes from the use of a cloud as a graphical symbol to describe the Internet. The “cloud” in computing terms is generally defined as the delivery of common business applications (such as data storage, access to databases, business applications, etc.) through the Internet, commonly accessed from a Web browser.
Thus the software and data for these cloud applications are stored on servers owned by a third party and not local to the user. As such, they are not under the end user's control—a key requirement in traditional network forensics, where the examiner has either physical control over the network, or can take control by installing a piece of code (referred to as an applet) on the computer to be examined.
This lack of control on the examiner's part makes collection the generally accepted problem with cloud-based evidence. Because the examiner has neither access to the physical hard drive nor control over the network, s/he will at most have access to the data through the end user's Web browser, or through a computer connected to the same network.
The question for the examiner then becomes not only how to collect and document information from the cloud, but also whether the same acquisition and documentation methodology described in Part 1 can be used in the collection, preservation, and presentation of cloud-based evidence.
Certainly it is possible to document the cloud through methods similar to those described in Part 1, which include:
- Taking snapshots of the evidence.
- Videotaping what is present.
- Acquiring the data through logical acquisition, if you can access the “cloud” data as a logical drive.
- Complete documentation of the process used in the acquisition.
