An official website of the United States government, Department of Justice.

Cloud Forensics Tool Prototyping

NCJ Number: 311578
Author(s):
Date Published: December 2015
Length: 123 pages
Abstract

Cloud computing, where applications and data storage are provided as services to users via the Internet, is becoming increasingly prevalent, and as a result State and local law enforcement investigators face new challenges in obtaining evidence. Instead of residing on a device that they can seize, the evidence is likely located in data centers operated by a service provider. These data centers are often not easily accessible geographically and may even be in multiple locations (and jurisdictions) across the world. The problem is particularly acute for State and local law enforcement investigators, for whom extensive travel to obtain evidence is not feasible. Furthermore, the volume of data kept by these service providers is so vast that it is often impractical for an investigator armed with a warrant to extract the evidence from the data centers of most service providers, even if he/she were physically present.

The most practical approach for State and local law enforcement when cloud computing has been used is to execute a warrant through the service provider’s Keeper of Records and require the service provider to deliver the evidence.

This project augments Cloud Signature, a tool produced on another DoJ project that allows law enforcement investigators to quickly obtain the specifics of what to request in a warrant to a cloud application service provider. The project extends Cloud Signature with two new tools: Forensics SteadyState, which allows the investigator to ensure his/her forensic workstation is free of previous cloud remnants and other potential forensic contaminants; and Cloud Signature Creator, which creates the cloud application signatures for Cloud Signature. All three tools have been prototyped, tested with law enforcement, and disseminated free to law enforcement.

Date Published: December 1, 2015