Data Forensics in the Cloud: Litigation Awareness

By: Steven A. Wolf, CPA, CFE, CFF & Matthew E. Druckman, CPA, CFF, CIRA

Introduction to Cloud Computing

Cloud computing continues to radically change the way information technology services are created, delivered, accessed and managed. Experts agree that cloud computing has the potential to become one of the most transformative developments in the history of computing, following in the footsteps of mainframes, minicomputers, PCs and smartphones[1] (Perry et al., 2009).

Questions continue to evolve, such as:

  • What impact will the cloud have in digital forensics and data discovery?
  • Will third-party cloud service providers (“CSPs”) have potential liability with respect to providing data security, data integrity, storage retrieval, and data retention and preservation services?
  • How will cloud computing affect how forensic investigations are conducted, and how will parties in litigation identify and produce electronically stored information (“ESI”) under the Federal Rules of Civil Procedure, Rule 34 (“Rule 34”)?

Traditionally, the forensic accounting expert and e-discovery counsel have had physical control of the network data, or have installed code on the network to develop a forensically sound environment when responding to discovery requests or performing data analytics.

Regardless of the medium used to store electronic data, companies and their legal counsel should be aware of the opportunities and risks of utilizing CSPs to manage data. From all accounts, it appears that there is an ever-increasing corporate demand to utilize CSPs for maintaining and managing data. As a result, understanding the advantages and potential risks of these providers’ ability to effectively store, manage, and retrieve data when responding to enforcement inquiries or litigation discovery requests under Rule 34 is critical.

Federal Rules of Civil Procedure

According to Rule 34(E), the responsibility of a party to produce ESI that is maintained in the cloud by a third-party CSP appears to be no different than for ESI stored on the responding party’s own network or back-up media. Therefore, companies that maintain their corporate books and records in the cloud through a CSP should have the same concerns about preservation, exfiltration and security as they should when keeping the data “in-house.”

According to Rule 34(E), unless otherwise stipulated or ordered by the court, these procedures apply to producing documents or electronically stored information:

(i) A party must produce documents as they are kept in the usual course of business or must organize and label them to correspond to the categories in the request;

(ii) If a request does not specify a form for producing electronically stored information, a party must produce it in a form or forms in which it is ordinarily maintained or in a reasonably usable form or forms; and

(iii) A party need not produce the same electronically stored information in more than one form.

The Cloud as a Storage Medium

Not long ago, the majority of a company’s books and records were in paper form located in file cabinets, which were eventually moved off-site for storage in a warehouse managed by a third-party service provider. This evolved as computers became more commonplace and companies maintained ESI on their own network using backup tapes to ensure that lost or corrupt data could be recovered. And now we find ourselves in the cloud, which in its simplest sense is an outsourced storage medium that companies use to manage ESI efficiently.

Forensic methodologies for gathering and securing documentary evidence apply to electronic data whether it exists on a hard drive in your laptop, on a backup tape at a warehouse down the street, or in the cloud spread across multiple servers around the globe.

A traditional setup would require backup of all the data on physical media such as DVDs, portable HDDs and the like, for use by people involved in forensics. A traditional setup may also ask that systems cease temporarily so that images of hard drives can be secured and records are not changed while forensics is being completed.

Thus, if the cloud is simply an outsourced storage medium that companies now use to manage their data in an efficient manner, has anything really changed with respect to data preservation?

Considerations when Planning for Discovery Requests

Conventional wisdom suggests that cloud computing has little adverse impact on the way data is managed but offers many advantages when responding to discovery requests, as compared to a corporation that maintains its ESI on its own network server. In addition, CSPs offer companies unlimited storage space and significant cost savings in their information technology infrastructure investment and ongoing monitoring protocols.

There is little argument that cloud computing and software-as-a-service (SaaS) platforms, among others, have created a paradigm shift in enterprise technology and IT as a whole. Companies of all sizes—public and private—seeking to reduce storage costs and improve overall efficiency and integration with partners are increasingly turning to the Cloud to house information and run essential business functions outside of a brick-and-mortar environment.

Forensic data professionals and e-discovery counsel can help their clients navigate the most effective course of action when planning for, and responding to, litigation discovery requests. At the beginning of all new client engagements, one important step for attorneys to take is to define the client’s computing environment, and its use of social networking and cloud-based products such as SymantecCloud (formerly MessageLabs) and Rackspace for email retention, Facebook and Twitter, Wikis and blogs, video and file sharing sites and private social networks.

Below are some basic attributes and essential characteristics of cloud computing:


With respect to litigation and discovery requests that entail collection, review and production of ESI maintained within cloud-based solutions, legal counsel and e-discovery service providers hired to work with these clients now have critical considerations to address:

  • Issues of persistency, data retention, data recovery and accessibility are paramount.
  • Where is the data, how do we access it, and who owns it?
  • How is data archived and retained, and does a disaster recovery plan exist?
  • What are the changes in data formats and are there new sources of data?
  • What are the best ways to handle privilege reviews and production?
  • Will e-discovery service providers, forensic consultants and IT departments need to search, organize and produce electronic files that are outside of the realm of the company’s internal computing environment?
  • What challenges will be faced in regard to document retention schedules and litigation holds in systems not under the company’s direct control?
  • E-discovery techniques will need to advance to accommodate the challenges of highly-dynamic user-generated content.
  • Are there heightened security concerns and exfiltration risks when outsourcing data storage?

Another consideration is the new cost paradigm for extracting data from the cloud. What is considered reasonable in terms of document requests and the format of delivery of the data and documents, and who shall bear the costs of obtaining the data from the systems? The courts continue to address these complex issues.

Digital and Cloud Forensics

Computer forensics involves identifying, preserving, analyzing and reporting on electronic evidence using methods acceptable in courts of law across many jurisdictions. Forensic accountants, investigators and attorneys will increasingly seek to recover and analyze data that is stored in the cloud by third-party CSPs. It is important that forensic investigators and attorneys leading an investigation take the necessary steps to properly request and secure corporate data nestled in the cloud.

Digital forensics is the application of science to the identification, collection, examination and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data[2]. Cloud forensics can be considered a subset of network forensics[3] (DFRWS, 2001). However, cloud computing is based on broad network access. In practice, cloud forensics will follow the main phases of the network forensic process, but with customization for each cloud computing environment.

Cloud Computing Industry is in its Infancy

Since cloud computing as an industry is still in its early stages of development, there are areas of the service that cause concern:

  • The industry has yet to establish a well-defined forensic capability;
  • CSPs are not yet able to ensure the robustness and suitability of their services in support of the rigorous production standards required in business disputes and criminal investigations;
  • Loss of data control is one of the major security challenges in the cloud[4]; and
  • CSPs outsource services to other parties, which expands the scope of potential data sources for forensic investigations, sometimes exponentially.

Other forensic investigation challenges relate to multi-jurisdiction and multi-tenancy uses of cloud resources under the various deployment models currently in use. Sophisticated collaborations between the CSP and the customer, between multiple tenants sharing the same resources, or among domestic and/or international law enforcement agencies are required in many cloud forensics cases.

While the advantages to cloud computing mostly accrue to the business operations of a company, when faced with producing or preserving documents the on-demand characteristics of cloud computing should theoretically facilitate identification and production in compliance with a preservation letter, or other legal mandate to preserve an environment. Some of the most common benefits of cloud computing for forensics include:

  • Ability to create a near instant, on-demand backup of an environment that can be easily expanded or contracted;
  • Easy replication of environments and processes on backup servers as clouds are always on-demand services;
  • Cloud backup servers can be used by investigators to analyze and reconstruct data without interfering with normal business operations carried out on main servers;
  • Forensics personnel may access larger amounts of data using a single interface and therefore be able to conduct more complete and verifiable investigations; and
  • Cloud computing and cloud storage always involve the creation of irrefutable activity logs by both the consumer and the cloud service provider.

Challenges and Pitfalls

While companies have successfully reduced infrastructure spending on hardware and software, and proportionally scaled down the IT support team, they are still experiencing difficulty responding to discovery requests in a timely fashion when litigation or government investigations strike. While it is very affordable and streamlined to send the data out to the cloud, many of the providers are not set up appropriately. On the other hand, it may not be part of their business model to send data back in a timely and efficient manner.

Most shocking to some customers is how expensive it can be to get their data back. Prime examples include cloud-based email retention and archiving solutions. In addition, most complex commercial litigation cases involve extensive queries applied to archived emails. The costs and time incurred to comply with these requests are sometimes enormous.

The various combinations of cloud services and deployment models can cause the cloud customer to face the most daunting challenge of having decreased access to and control over its forensic data. Access to forensic data varies depending on the cloud model employed.

Many CSPs do not provide services or interfaces for the customers to gather forensic data. Decreased access to forensic data means the cloud customer generally has no control or knowledge over the exact physical location of their data, and may only be able to specify a location at a higher level of abstraction, typically as an object or container identifier. CSPs may intentionally hide the location of data from customers to facilitate data movement and replication. Moreover, there is often a lack of defined terms of use in the Service Level Agreement to enable general forensic readiness in the cloud.


When choosing a cloud computing service provider, a company needs to understand the CSP’s ability to effectively store, manage and retrieve its data. It is imperative that companies fully understand the Service Level Agreement (SLA) they enter into with a CSP. They should consult with forensically minded experts to ensure that the terms of the SLA meet their anticipated needs if the company becomes involved in litigation or an investigation requiring production of ESI.

Forensic data professionals and e-discovery counsel can assist clients in negotiating terms of the SLA with the CSP to ensure the capability exists for appropriately responding to discovery requests under Rule 34 when the time comes.

[1] Perry, R., Hatcher, E., Mahowald, R.P., Hendrick, S.D. (2009) Cloud platform drives huge time to market and cost savings. IDC.

[2] Kent, K., Chevalier, S., Grance, T., Dang, H. (2006) NIST Guide to Integrating Forensic Techniques into Incident Response. NIST.

[3] Digital Forensic Research Workshop [DFRWS] (2001) A Road Map for Digital Forensic Research.

[4] Cloud Security Alliance [CSA] (2009) Security Guidance for Critical Areas of Focus in Cloud Computing V2.1.