Red Tape: Will Current Legislation Isolate Cloud Computing Data From The Forensic Gaze?

Article Posted: July 17, 2009

Cybercrime, the scourge that many honest and upright citizens of the world have to endure, is costing businesses and individuals millions of dollars every year. With the number of users utilizing cloud resources increasing exponentially in recent months, the reality that unscrupulous and criminal users will also form part of that cloud community could prove a difficult hurdle to overcome for the digital forensic investigators charged with investigating cloud-related crimes.

Traditional digital forensic investigative techniques have had to move at pace to maintain a level playing field with the perpetrators of cybercrime. The methodologies and protocols adopted by investigators are now mature, having been tried and tested through the courts responsible for bringing the cyber criminal to justice. The crux of a sound investigation, therefore, is that the digital artifacts of evidential value that have been acquired are complete, accurate, and verifiable [1]. Cloud computing, however, will undoubtedly test further the resilience and resources of law enforcement agencies responsible for investigating cloud-related criminal activity. This is reiterated by Gartner Consulting [2], who in 2008 stated:

Investigating inappropriate or illegal activity may be impossible in cloud computing. Cloud services are especially difficult to investigate because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers. If you cannot get a contractual commitment to support specific forms of investigation—along with evidence that the vendor has already successfully supported such activities—then your only safe assumption is that investigation and discovery requests will be impossible.

In the U.K., as in the U.S., the burden of proof lies with the prosecution, which must, in criminal trials, prove beyond reasonable doubt that the person standing trial is guilty of the offence they are charged with. If, as Gartner [2] suggests, data stored on cloud servers is shared, how in the first instance can the prosecution prove beyond reasonable doubt that cross-contamination of evidential data has not occurred? CLOIDIFIN [3] interviewed investigators responsible for defending clients accused of cybercrimes and found that it will be very difficult for prosecuting investigators to ensure that the data retrieved and presented as artifacts of evidential value are indeed complete, accurate, and verifiable [1], thus leaving a jury with potentially enough reasonable doubt to acquit the defendant.

The prediction by Gartner becomes more alarming when you consider the many locations of cloud data centers utilized for storing the colossal pools of data generated by cloud users. A cloud user’s data, stored by their respective cloud provider, could in theory be stored over several data center locations worldwide, leaving the investigator with a huge task of ensuring the artifacts of evidential value remain solid enough to process through the strict scrutiny of the courts that will be responsible for ensuring justice is served.
