Cloud forensics: In a lawsuit, can your cloud provider get key evidence you need?

Any business that anticipates using cloud-based services should be asking the question: What can my cloud provider do for me in terms of providing digital forensics data in the event of any legal dispute, civil or criminal case, cyberattack or data breach?

It's going to be different for every provider, according to the industry insiders and legal experts who discussed this topic during a panel session at the recent RSA Conference. And complicating cloud-based forensics is that the high-tech industry is still scratching its collective head over basic requirements, some of which are being pounded out now in the Cloud Forensics Working Group at the National Institute of Standards and Technology (NIST).


"In cloud, we're still struggling with definitions," said Steven Teppler, partner at the Sarasota, Fla.-based law firm Kirk-Pinkerton PA in its information governance and electronic discovery practice. "This causes problems for attorneys. We may not get answers that are complete because we don't know what to ask."

Teppler, who spoke on the panel, said the focus for any lawyer is on obtaining cloud forensics evidence which will lay a foundation for admissibility under the law that a jury can weigh, based on the "provenance" of the information -- the who, what and where of the data. He also noted the process known as "legal discovery" to collect information in any dispute is always constrained by time and expense.

The reality is that "anyone can be sued," said Teppler, and if served with a complaint, it may be necessary to speak with your cloud provider to ensure that information can be preserved "in a consumable fashion" that can be used by the opposing party. This adds up to the need to make a "good-faith effort" that has IT people speaking with corporate lawyers to make forensics-based information available.

The world today is populated with "lots of little clouds," noted Christopher Day, chief security architect and senior vice president of secure information services at Verizon Terremark, speaking on the panel. These can be roughly construed as infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS) vendors.

Day said Terremark uses an IaaS cloud based on VMware virtual machines (VMs). If Terremark were served a warrant by law enforcement, it has procedures in place to "get them the image they want," Day said. "We have to show we haven't messed up the image."

Terremark would know if a virtual machine "suddenly disappeared" because it's tracked as part of the billing process, said Day. He added that Terremark would always tell the customer if the cloud provider got a subpoena related to them unless law enforcement asked Terremark not to share that information.
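One concrete way a provider "shows it hasn't messed up the image" is to hash the acquired VM image at acquisition time, record the digest together with who took it, from where and when (the "provenance" Teppler describes), and re-hash at every hand-off so any alteration is detectable. The Python below is an added example written for this article; it is not Terremark's procedure, and the manifest field names, the custodian labels and the stand-in image file are constructed for illustration.

```python
"""Added example: a minimal chain-of-custody manifest for an acquired VM image.
Not Terremark's procedure; field names and the sample image are constructed."""
import datetime
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024  # hash large images in 1 MiB pieces


def sha256_file(path):
    """Stream the file through SHA-256 so multi-GB images never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_acquisition(image_path, manifest_path, custodian, source):
    """Write the provenance record: who, what, where, when, plus the digest."""
    entry = {
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
        "acquired_by": custodian,            # who
        "source": source,                    # where (hypothetical VM identifier)
        "acquired_at_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "transfers": [],                     # one record appended per hand-off
    }
    with open(manifest_path, "w") as f:
        json.dump(entry, f, indent=2)
    return entry


def verify_image(image_path, manifest_path, handled_by):
    """Re-hash on hand-off, append the check to the manifest, return True if intact."""
    with open(manifest_path) as f:
        entry = json.load(f)
    actual = sha256_file(image_path)
    intact = actual == entry["sha256"]
    entry["transfers"].append({
        "handled_by": handled_by,
        "checked_at_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "sha256_observed": actual,
        "intact": intact,
    })
    with open(manifest_path, "w") as f:
        json.dump(entry, f, indent=2)
    return intact


def demo():
    """Constructed run: acquire, hand off (intact), then tamper and detect it."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "vm-0001.img")  # constructed stand-in for a VM image
        manifest = os.path.join(d, "vm-0001.manifest.json")
        with open(image, "wb") as f:
            f.write(os.urandom(4096) + b"\x00" * 4096)  # arbitrary content
        record_acquisition(image, manifest, "provider-ops", "tenant-42/vm-0001")
        first = verify_image(image, manifest, "law-enforcement-intake")
        # Flip one bit inside the image: even that must be caught on the next check.
        with open(image, "r+b") as f:
            f.seek(100)
            b = f.read(1)
            f.seek(100)
            f.write(bytes([b[0] ^ 0x01]))
        second = verify_image(image, manifest, "lab-analyst")
        return first, second


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The digest proves the bytes did not change between checks; it does not by itself prove who performed the acquisition. In practice the manifest is signed by the custodian or its digest is lodged with a third party at acquisition time, and the hypervisor or storage-layer copy operation that produced the image is logged alongside it.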

Josiah Dykstra, a doctoral candidate about to graduate from the University of Maryland, Baltimore County, who has made cloud forensics a focus of his study, spoke on the panel about what he's finding out in his research.

"Big providers can't keep pace with the number of cases they get," Dykstra said. There's little that's "built in" today to help cloud providers in a multi-tenant environment with processes such as obtaining firewall logs to deliver to law enforcement or attorneys who ask for them. "Cloud providers want law enforcement to do it themselves," said Dykstra, noting that Amazon, for instance, has no incentive to expand cloud forensics capabilities unless it's possible to make money from it.

Eric Hibbard, chief technology officer, security and privacy, at Hitachi Data Systems, agreed that cloud providers "really don't want to get into this" and a deep level of cloud forensics remains somewhat unusual. He acknowledged cloud providers would rather hide behind explanations such as "we don't keep that, we don't do that."

If a judge orders that certain evidence be obtained, and it happens to be in a cloud service, the court may hold a hearing with witnesses from both sides arguing how easy it is to obtain it, Hibbard pointed out. And if a virtual-machine image is provided, it may lead to more questions, such as whether the email trail is missing.

And if there is some suspicion that a cloud provider was hacked, perhaps through some vulnerability, obtaining digital forensic evidence from the provider is likely to be difficult.

"It's a 'best effort' and all that," said Day, noting that "individual cloud VMs get popped all the time." Exploits are known in which a compromised VM let the attacker reach the underlying hypervisor. There's a lot of concern about memory and traffic, but "you may not know how the intruder got in" and the forensics on it can be "dodgy," he acknowledged. Terremark can, however, preserve VMs through network storage. Some customers, mostly government agencies, are very concerned about what data might remain on drives and write into their contracts that they be notified when drives are securely destroyed.

When asked if a criminal who knows a subpoena is coming might in theory be able to completely wipe his own traces, Day said, "Not directly." But what cloud-service providers do to try and preserve digital evidence varies widely across the industry, according to Dykstra. In the end, some take drives and shred them and some may throw them away in dumpsters.

Encryption plays a dual role in a cloud service. It makes data more secure for the customer, but harder for law enforcement to obtain if the cloud service provider does not require the customer to hand over the encryption key. Sometimes law enforcement will attempt a brute-force decryption, and other times law enforcement has been smart enough to ask for the data residing in memory, said Day.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email:
