Cloud Forensics


Problem

Cloud computing, where applications and data storage are provided as services to users via the Internet, is becoming more and more prevalent, and because of it, law enforcement cyber forensics investigators are facing new challenges in obtaining evidence. Instead of residing on a device that they can seize, the evidence is likely located in a service provider's data center that is often not easily accessible geographically. In fact, the data may be stored in multiple physical locations (and jurisdictions) across the world. The problem is particularly acute for law enforcement investigators for whom extensive travel to obtain evidence is not feasible. Furthermore, the volume of data kept by these service providers is so vast, and the data so complex, that it is often impractical for an investigator armed with a warrant to extract the evidence from the data centers of most service providers, even if he/she were physically present.

Solution

The most practical approach for law enforcement cyber forensics investigators is to execute a warrant through the service provider’s Keeper of Records that requires the service provider to deliver the evidence. This avoids both the need to travel to remote and multiple physical locations and the need to understand data formats in order to find the evidence in vast data storage centers.

This project is developing the Cloud Signature tool to allow investigators to quickly search for cloud application remnants on devices (computers, phones, iPads, etc.) seized from suspects. These remnants include data found in file system data structures, cached web sites, cookies, index.dat entries, registry entries, and several other places on devices used by the suspect. The Cloud Signature tool will collect and present the data necessary to form a preservation letter and warrant to the cloud service providers that meet 4th Amendment restrictions on scope. This includes information such as the cloud applications used, usernames at the service provider, dates and times that the cloud applications were used, and the names of the cloud application documents involved.

The resulting tool will be released free to law enforcement from the University of Rhode Island and will be made available for licensing by commercial companies who wish to distribute and support it.
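
The remnant-to-warrant summary described above can be sketched as follows. This is an added example, not code from the Cloud Signature tool: the signature table, the record layout, the `user` query parameter and all sample records are constructed assumptions.

```python
from datetime import datetime
from urllib.parse import urlparse, parse_qs, unquote

# Hypothetical signatures (assumption): host suffix -> service name.
SIGNATURES = {"docs.example-cloud.test": "ExampleDocs",
              "example-storage.test": "ExampleDrive"}

# Constructed sample remnants, shaped like parsed history/cookie records.
REMNANTS = [
    {"source": "history", "seen": "2011-03-02T14:05:00",
     "url": "https://docs.example-cloud.test/d/Q3%20ledger.xlsx?user=jdoe42"},
    {"source": "cookie", "seen": "2011-02-11T09:30:00",
     "url": "https://docs.example-cloud.test/", "user": "jdoe42"},
    {"source": "history", "seen": "2011-03-09T22:41:00",
     "url": "https://files.example-storage.test/u/j.doe/photos.zip"},
    {"source": "history", "seen": "2011-03-01T08:00:00",
     "url": "https://news.example.test/article?id=7"},  # not a cloud service
    {"source": "history", "seen": "2011-03-01T08:00:00", "url": "not a url"},
]

def match_service(host, signatures):
    """Return the service whose suffix equals the host or is a parent domain."""
    for suffix, name in signatures.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def summarize(remnants, signatures=SIGNATURES):
    """Per service: usernames, document names, first/last use, evidence sources."""
    report = {}
    for r in remnants:
        parsed = urlparse(r["url"])
        service = match_service((parsed.hostname or "").lower(), signatures)
        if service is None:
            continue  # out of scope: unmatched remnants are never reported
        e = report.setdefault(service, {"usernames": set(), "documents": set(),
                                        "sources": set(), "first": None, "last": None})
        e["sources"].add(r["source"])
        users = parse_qs(parsed.query).get("user", []) + ([r["user"]] if "user" in r else [])
        e["usernames"].update(users)
        name = unquote(parsed.path.rsplit("/", 1)[-1])
        if "." in name:  # treat a final path segment with an extension as a document
            e["documents"].add(name)
        seen = datetime.fromisoformat(r["seen"])
        e["first"] = seen if e["first"] is None else min(e["first"], seen)
        e["last"] = seen if e["last"] is None else max(e["last"], seen)
    return report

if __name__ == "__main__":
    for service, e in summarize(REMNANTS).items():
        print(service, sorted(e["usernames"]), sorted(e["documents"]), e["first"], e["last"])
```

Only remnants that match a signature reach the report, which keeps the summary limited to the services, accounts and date ranges a preservation letter would name.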

Support

This research is being supported by the National Institute of Justice.