How can cloud data accelerate forensic investigations?

Cloud data represents a virtual goldmine of potential evidence for forensic investigators. Together with mobile device data, cloud data sources often present critical connections investigators need to solve crimes.

However, there are a number of challenges that investigators face when it comes to data retrieval from the cloud.

The overarching challenge is private data in the cloud. Private data in the cloud, as the term suggests, is private user data (i.e. data that the user has actively chosen to refrain from sharing publicly), and there is, for good reason, a significant amount of ‘red tape’ surrounding private user data. But what happens when the user in question is suspected of committing a crime?

To add to this, more and more data is being stored in the cloud as many companies, and indeed individuals, look to virtual methods of data storage, with enhanced flexibility and ease of access.

This also correlates with the number of users now on social media. With 38 million social media users in the UK – a staggering 59 per cent of the population – it is evident that during a criminal case, investigators simply cannot afford to neglect social data that is inevitably stored in the cloud.

Out of the 38 million UK social media users, 30 million of them (79 per cent) are using social media on their mobiles, which further highlights the importance of mobile phones in the retrieval of crucial evidence in criminal investigations.

Investigators need to be able to access this data when it is of paramount importance to a criminal investigation. The problem is that, if investigators don’t have the permissions or capabilities to access the username and password, they may need to request this data from the service provider, which can take time.

If you’re an investigative force requesting private data in the cloud from a company located in the same country as the investigation, it can take a few weeks to a few months to obtain this data. However, if you’re requesting the data from another country – bearing in mind that most of the world’s major service providers are based in the US while the investigation may be taking place in Europe – it can take up to a year to retrieve the data.

The time that it takes to request data relevant to a particular criminal case is a challenge in the sense that the actual timeline of an investigation is extremely important to the outcome of the case. The retrieval of evidence needs to be executed in the shortest possible time to ensure that nothing is missed in the evidence gathering process, and to ensure that the investigative team doesn’t run out of time when retrieving evidence.

There is also an issue with the records production rate of the cloud service providers due to the limited resources that these companies have to handle the large number of requests from law enforcement. In the UK, during the first half of 2014, Facebook and Google’s response rate was 70 per cent, while Twitter’s response rate was only at 40 per cent.

Another challenge is that of forensic data preservation. It is of vital importance that the case team retrieves and handles all private data sources with the utmost care and consideration. In the case of extracting evidential data from the cloud, investigators should feel confident that the information that was extracted from the cloud service provider is authentic, traceable and thus defensible in court.

However, the problem of accessing private cloud data in a timely manner for criminal investigations can be addressed with the use of mobile forensic technology. When a mobile phone is seized in a criminal investigation, law enforcement can use technology such as the UFED Cloud Analyser to access private-user cloud data by utilising login details that have been extracted from the mobile device of the suspect or victim. This private-user cloud data is extracted under the appropriate legal authority, be it a search warrant, written consent, or other authority as defined by legal counsel in the relevant jurisdiction.

The investigative process when using such technology to retrieve private-user cloud data involves a five step process:

  1. Seize the mobile device and begin a forensic extraction of data
  2. Decode cloud services login information from the extracted forensic copy of the device
  3. Forensically preserve private user data using login information from the mobile device or manually provided credentials
  4. Analyse and report data from different cloud data sources in a unified format
  5. Deliver data to additional relevant law enforcement and justice officials
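Steps 3 and 4 of this process, together with the earlier point that extracted cloud data must be authentic, traceable and defensible, come down to two concrete tasks: record a hash of every retrieved item alongside who acquired it and under what authority, and map records from differently shaped sources into one schema for reporting. The example below is added here to illustrate that; it is not code from the original article or from Cellebrite’s products. The two “cloud sources”, their field names, the case and warrant references, and the examiner name are all constructed placeholders.

```python
"""Preserve retrieved cloud records with hashes and a chain-of-custody
manifest, then normalise them into one unified schema for reporting.
Added example; sources, field names and identifiers are constructed."""
import hashlib
import json

# Constructed sample records, shaped like two hypothetical cloud services
# might return them. Field names and values are invented for illustration.
SAMPLE_SOURCES = {
    "social_service_x": [
        {"id": "m-1001", "created": "2014-05-01T09:14:00Z", "from": "user_a",
         "text": "meet at 3"},
        {"id": "m-1002", "created": "2014-05-01T09:20:00Z", "from": "user_b",
         "text": "ok"},
    ],
    "file_storage_y": [
        {"file_id": "f-77", "modified": "2014-05-02T18:02:11Z",
         "owner": "user_a", "name": "notes.txt"},
    ],
}

# Per-source mapping from native field names to the unified schema (hypothetical).
FIELD_MAP = {
    "social_service_x": {"record_id": "id", "timestamp_utc": "created",
                         "actor": "from", "content": "text"},
    "file_storage_y": {"record_id": "file_id", "timestamp_utc": "modified",
                       "actor": "owner", "content": "name"},
}


def canonical_bytes(obj) -> bytes:
    """Deterministic JSON encoding so the same record always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalise(source: str, record: dict) -> dict:
    """Map one native record into the unified schema, keeping a hash of the
    raw record so the normalised view can always be tied back to the original."""
    fields = FIELD_MAP[source]
    return {
        "source": source,
        "record_id": record[fields["record_id"]],
        "timestamp_utc": record[fields["timestamp_utc"]],
        "actor": record[fields["actor"]],
        "content": record[fields["content"]],
        "raw_sha256": sha256_hex(canonical_bytes(record)),
    }


def build_manifest(sources: dict, case_id: str, legal_authority: str,
                   examiner: str, acquired_at_utc: str) -> dict:
    """Chain-of-custody manifest: who acquired what, under which authority,
    and the hash of every record. The manifest body is itself hashed so that
    any later edit to it is detectable."""
    items = [normalise(src, rec) for src, recs in sources.items() for rec in recs]
    items.sort(key=lambda i: (i["timestamp_utc"], i["source"], i["record_id"]))
    body = {
        "case_id": case_id,
        "legal_authority": legal_authority,
        "examiner": examiner,
        "acquired_at_utc": acquired_at_utc,
        "items": items,
    }
    return {**body, "manifest_sha256": sha256_hex(canonical_bytes(body))}


def verify(manifest: dict, sources: dict) -> list:
    """Return a list of problems: an altered manifest, or any record whose
    current bytes no longer match the hash recorded at acquisition."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if sha256_hex(canonical_bytes(body)) != manifest["manifest_sha256"]:
        problems.append("manifest hash mismatch")
    current = {}
    for src, recs in sources.items():
        for rec in recs:
            rid = rec[FIELD_MAP[src]["record_id"]]
            current[(src, rid)] = sha256_hex(canonical_bytes(rec))
    for item in manifest["items"]:
        key = (item["source"], item["record_id"])
        if current.get(key) != item["raw_sha256"]:
            problems.append(f"record {key[0]}/{key[1]} altered or missing")
    return problems


if __name__ == "__main__":
    m = build_manifest(SAMPLE_SOURCES, "CASE-0001", "warrant ref (placeholder)",
                       "examiner (placeholder)", "2014-06-01T10:00:00Z")
    print(json.dumps(m, indent=2))
    print("problems:", verify(m, SAMPLE_SOURCES))
```

The unified items carry the source name, a timestamp, an actor and the content, which is the kind of flat view investigators and legal personnel can read without knowing each service’s native format, while `raw_sha256` and the manifest hash give the traceability needed to defend the data in court. In practice the manifest would be written out and hashed again at each hand-off in step 5.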

The analysis and reporting of retrieved data in a unified format is a very significant step in this process. The data that is retrieved has to be understood by a range of investigators and legal personnel, many of whom may not be well-versed in mobile forensic data retrieval.

This data may also have to be presented in a courtroom, where a jury might be present that will have to understand and digest the data that is being put in front of them. Again, the data must be in a format that can be understood easily so that people with little or no understanding of mobile data forensics can easily make a decision based on the evidential data that has been displayed to them.

The importance of cloud data in so many areas of everyday life means that law enforcement agencies simply must consider the pool of evidence that is stored in the cloud during criminal investigations. A failure to contemplate this data could easily result in missed opportunities to convict, and during live investigations the consequences could be far worse.

The ever-increasing use of mobile phones to conduct criminal activity, together with the vast number of social media users worldwide, is a clear indication that criminal investigators must be equipped with the latest technology to retrieve cloud data promptly and respond to all types of criminal who use and abuse different channels to carry out their criminal activity.

Shahaf Rozanski, Director of Forensic Products at Cellebrite.