For many examiners and investigators ‘The Cloud’ is complicated, complex, and challenging.
Our new Demystifying the Cloud: Webinar Series will showcase different approaches to utilizing cloud data sources in your digital investigations, including open-source intelligence collection and warrant return analysis. We’ll also explore the implications and benefits of incorporating cloud computing technology as part of your digital investigation infrastructure.
In this blog, we’ll be breaking down the analysis of different cloud sources into distinct investigative approaches, sharing workflows and discussing different points of access, as well as tips and tricks to help all of your cloud investigations be more successful.
Understanding Different Aspects of Cloud Investigations
When simplifying cloud investigations, the first challenge to overcome is understanding the different aspects of cloud investigations. As Jessica Hyde, points out:
“Cloud investigations can mean so many things to different people, it can mean the investigation of data that is stored cloud-side, it can be an investigation of a cloud provider, or it can be investigations that are performed in the cloud meaning that the actual processing and analysis is done in Cloud sources. It’s important to consider these all as separate different types of cloud investigations.”
In this series, our examiners Jessica Hyde, Trey Amick, Kim Bradley, and Steve Gemperle, will be exploring a lot of these different facets to help examiners in the field approach investigating cloud data that’s stored via cloud sources, and some approaches to leveraging the capabilities of cloud-hosted software applications to streamline investigations.
Explore How Open-Source Cloud Data Can Help Your Investigations
Investigating data that’s stored in the Cloud can be a spectrum of approaches — ranging from open-source intelligence (OSINT) investigations, to cloud account investigations of participating individuals who disclose their login credentials (more often from victims and witnesses than suspects), to obtaining and analyzing warrant returns from cloud service providers to gain access to the accounts of suspects.
While it may seem like OSINT investigations could be less fruitful when pursuing tech-savvy suspects, Steve Gemperle notes that there’s a surprising amount of data that’s published and publicly available, both in terms of the volume and the sensitivity of the posts: “In a lot of cases, criminals want people to see what they’re doing. From individuals posting ‘brag’ videos of robberies, thefts, and muggings, posted to SnapChat, Instagram, and Facebook stories.” In some cases, human vanity is a key driver in being able to break a case. Plus, as Kim Bradley suggests, OSINT data should be collected (or cloud data collected via live acquisition), because “it’s the most up to date version of an accounts posts or tweets or activities on a particular platform. Often times, we can see that data on a device, such as a mobile device, or even on a work station, but the most up to date version of what that account has actually posted or the activity that has occurred on that account is going to be from that Open source intelligence data that’s been posted on the internet.”
Getting Data from Consent-Based Investigations
Moving beyond publicly available information to the investigation of cloud accounts, this doesn’t always mean that warrants or examining warrant returns are necessary. A lot of excellent data can be obtained by way of consent-based investigations.
As Trey Amick points out, the cloud accounts of both victims and potential witnesses are valuable at the outset of an investigation:
“Even though you want to get the suspect’s account data, so you can prove that the suspect was ‘behind the keyboard,’ at the outset of an investigation, a cooperative victim or witness can give you a lot of valuable data. You can get both sides of conversations, collect shared information and media, etc. It can also give you a suspect’s username, email address, and other leads to pursue the person of interest via OSINT strategies.”
Plus, gaining access to these accounts can be done quickly, because they can be accessed through the consensual disclosure of the user’s login credentials.
Working with Victims and Witnesses
It’s important to be clear with victims and witnesses. Kim Bradley suggests:
“The best way to work with victims and suspects is to explain how the collection is going to occur, how it’s going to be used, and how the data will be used. By explaining to folks that you’ll be able to potentially help them faster, rather than waiting for a warrant to be signed, and then a request to be made to that cloud service provider. It’s much faster if they’re willing to share their credentials so you can collect that data immediately.”
Then, once more details are collected about the suspect (e.g., usernames, emails, images, etc.), investigators can go back to the strategies that are available to all examiners, and use that data to launch an OSINT investigation, or as Kim calls it, a “Social Autopsy” to search for the suspect’s public facing social media data.
Even with the availability of public data and data acquired via consent, pursuing and obtaining warrants to acquire the data from an uncooperative suspect’s account is necessary at times, depending on jurisdictional considerations and local legislation.
The complications associated with warrant returns, and other legal concerns, leads some examiners to be ‘cloud hesitant’ more broadly. To overcome cloud hesitancy and to be able to work with and/or educate local legal experts, Jessica Hyde highly recommends, “learning and skilling up on different aspects of cloud forensics. This could include analysis of data in the cloud or utilizing cloud resources to perform analysis.” And, when it comes to actually doing collection, she recommends working with your attorney general’s office or legal counsel, while also reading about how these acquisitions take place.
Resources to Help Your Cloud Investigations
While overcoming cloud challenges can seem daunting, examiners don’t have to tackle these challenges all on their own. There are a lot of great resources on the Magnet Forensics resource to support examiners with their cloud acquisitions, whether it be for acquisitions from cloud software service providers such as Google and Facebook, or cloud infrastructure providers such as Microsoft Azure or AWS.
Even our own experts like Jessica Hyde seek out those opportunities to grow their knowledge and skills, whether it be from traditional resources or beyond: “A great place I’ve found for this is a cloud guru or mentor, or the free courses from each of those vendors. Each of the cloud vendors tend to allow you to spin up test accounts in order to try and learn about the environments. There are also additional trainings by both Magnet Forensics and SANS New Enterprise Cloud course.”
The need to push beyond the hesitancy to examine cloud data, to pursue warrant returns, or to explore cloud logs in cloud environments is only increasing. At the end of the day, there’s a lot of unexamined data that’s being left on the table currently.
“At a crime scene or during the search of a suspect’s premises, I would never leave a 15GB USB drive or hard drive behind, so why would examiners leave a 15GB Google account unexplored?” Especially considering, as Jessica Hyde suggests, “It is important for examiners to look at cloud sources because in many instances that’s where the only data resides.”
Keep an eye out for the next blog in this series, which will focus on the benefits and implications of moving your lab to the cloud.