c o m p u t e r l a w & s e c u r i t y r e v i e w 2 6 ( 2 0 1 0 ) 3 0 4 e3 0 8

available at www.sciencedirect.com

www.compseconline.com/publications/prodclaw.htm

Digital evidence in cloud computing systems

M. Taylor a, J. Haggerty b, D. Gresty c, R. Hegarty a

a
School of Computing and Mathematical Sciences, Liverpool John Moores University, UK
b
School of Computing, Science and Engineering, University of Salford, UK
c
Post Graduate Student, Lancaster University, UK

abstract

Keyword: Cloud computing systems provide a new paradigm to the distributed processing of digital data.
Digital evidence cloud computing Digital forensic investigations involving such systems are likely to involve more complex
digital evidence acquisition and analysis. Some public cloud computing systems may involve
the storage and processing of digital data in different jurisdictions, and some organisations
may choose to encrypt their data before it enters the cloud. Both of these factors in conjunction
with cloud architectures may make forensic investigation of such systems more complex and
time consuming. There are no established digital forensic guidelines that specifically address
the investigation of cloud computing systems. In this paper we examine the legal aspects of
digital forensic investigations of cloud computing systems.
ª 2010 M. Taylor, J. Haggerty, D. Gresty & R. Hegarty. Published by Elsevier Ltd. All rights
reserved.

1. Introduction
Cloud computing involves the provision of software services
and the underlying hardware resources used as a virtualized
platform across numerous host computers connected by the
Internet or an organisation’s internal network (Treacy, 2009;
Buyya et al., 2009). Examples of commercial cloud service
providers include Amazon Web Services, Google, and Microsoft
Azure Services Platform (Mather et al., 2009) as well as open
source cloud systems such as Sun Open Cloud Platform (Sun,
2010) and Eucalyptus (Eucalyptus, 2010). There are three
generally accepted cloud service delivery models: Software as
a service (where the customer rents the software for use on
a subscription or pay-per-use model); Platform as a service
(where the customer rents a development environment for
application developers); and Infrastructures as a service (where
the customer rents the hardware infrastructure on a subscrip-
tion or pay-per-use model and the service can be scaled
depending upon demand) (Viega, 2009).
Cloud computing could in some respects be useful for
computer forensic investigations, if it was necessary to
preserve a computing environment for an investigation. The
environment could potentially be backed up and put into the
cloud for the investigators to use, whilst carrying on with the
normal course of business. However, the migrated data would
only represent a snapshot of when it was sent into the cloud.
Since in a public cloud computing system data could be stored
anywhere in the world, its dispersal could be to a country
where privacy laws are not readily enforced or non-existent. It
could therefore potentially be difficult to establish a chain of
custody for such data. A chain of custody would be taken to
start at the time that the data is preserved for analysis or is
seized. The issues in a cloud computing environment concern
access to the data prior to it being seized, and the preservation
of the data being done correctly, since due to the dynamic
nature of the operation of a cloud computer system, it would
not be possible to go back to the original state of the data. In
addition, cloud resources could be utilised during an investi-
gation to resolve computational load issues associated with
large-scale data set searches. For example, distributed
resources could search small parts of a much larger data set in
tandem to form a virtual supercomputer similar to the
approach taken by SETI (SETI, 2010). In this way, scalability
could be achieved.
Evidence is more ethereal and dynamic in the cloud envi-
ronment with non- or semi-permanent data. For example, if an

0267-3649/$ e see front matter ª 2010 M. Taylor, J. Haggerty, D. Gresty & R. Hegarty. Published by Elsevier Ltd. All rights reserved.
doi:10.1016/j.clsr.2010.03.002
 c o m p u t e r l a w & s e c u r i t y r e v i e w 2 6 ( 2 0 1 0 ) 3 0 4 e3 0 8
application is accessed via a cloud computing system, data
traditionally written to the operating system, such as registry
entries or temporary Internet files, will reside or be stored
within the virtual environment and so lost when the user exits.
This makes evidence traditionally stored on hard drives
potentially unrecoverable. In addition, whilst the confiscation
of physical computing equipment might be relatively
straightforward, the legal process to gain access to data held in
a public cloud computing system (and one which might utilise
computing devices in different jurisdictions) is more complex
and could delay investigations where the recovery of evidence
is typically time critical. It would seem that at present, there
does not appear to be a universal method for extracting
evidence in an admissible fashion from cloud-based applica-
tions, and in some cases there might be little evidence available
to extract. Kaufman (2009) commented upon the legal issues
arising from cloud computing such as e-discovery, regulatory
compliance and auditing and their still to be determined
solutions. The European Network and Information Security
Agency (ENISA, 2010) is currently carrying out a risk assess-
ment of cloud computing with regard to the development of
technologies and legislative measures to mitigate risk.
Cloud computing service providers would not be liable for
damages or for any other pecuniary remedy or for any criminal
sanctions as a result of hosting data or applications under the
Electronic Commerce (EC Directive) Regulations 2002 and other
associated regulations, provided that the cloud computing
service provider did not have actual knowledge of unlawful
activity or information, and had no reason to suspect such
unlawful activity or information.
2. Acquisition of digital evidence in cloud
computing systems
Identifying digital evidence in a cloud computing environment
may be very complex. A public cloud (Internet based) managed
by another organisation that provides cloud computing
services is likely to be more difficult to investigate than
a private cloud (based upon an organisation’s internal
computer network) (Grossman, 2009). There are also hybrid
privateepublic clouds, where a private cloud system may load
(or off-load) data and processing into a public cloud system
depending upon the system requirements and the capacity of
the private cloud. In a cloud computing system (for example,
the open source Eucalyptus) cloud manager software provides
the entry point into the cloud for users and administrators. It
queries resources and makes high level scheduling decisions
via group manager software that gathers information regarding
virtual machine (a software implementation of a computer that
executes programs like a physical computer) execution on
specific instance managers, as well as managing the virtual
instance network. Instance manager software controls the
execution, inspection and termination of virtual machine
instances on the host computer within the cloud where it runs.
The manner in which cloud computing services operate means
that in practice, an organisation may not know where data it is
responsible for is located geographically at any particular time.
It should be noted that this may be a logical structure rather
than truly geographic. For example, the servers that provide
305
many of Yahoo’s country specific information actually reside in
the USA but appear to be locally hosted to the user. This has
recently been used to great effect by criminals based in Asia but
registering UK Web sites to sell fake branded goods (Vahl, 2009).
Vella (2009) commented that increased use of cloud
computing will undoubtedly result in jurisdictional difficulties
where data crucial to a case is stored outside the United
Kingdom. It may be necessary for governments to make
arrangements for the immediate preservation of suspect data
following a request from law enforcement agencies in order to
ensure that data does not disappear while a court decides
whether or not the data can be released to UK law enforcement.
The advice from the UK Information Commissioner’s Office
(ICO, 2010) is that data (in particular personal data) should be
encrypted prior to it being transferred to a cloud computing
services company. Both of these aspects of cloud computing
can potentially be time consuming and problematic for
a computer forensic investigation (Allan, 2005) in terms of
digital evidence acquisition. Part III of the UK Regulation of
Investigatory Powers Act 2000 requires provision of decryption
keys for the purpose of preventing or detecting crime.
In R. v. Thames Magistrates Court (2) C&E Commissioners,
Ex Part(1) Paul Da Costa (A firm) (2) Stewart Collins (2002) it
was ruled that a computer hard disk is a single storage entity
and fell within the definition of a document because it is
something ‘in which information of any kind is recorded’.
Thus a hard disk may be seized and removed provided that it
contains material which the searching officer at the time of
the search has reasonable case to believe might be required in
relation to a suspected offence or offences. The officer is not
required to extract from the hard disk just the information he
believes may be required, nor is it practicable for him to do so.
This ruling provides guidance in the case of traditional
computing systems, however in the case of cloud computing
systems, imaging data from all the computers (or even
a subset of the computers) in the cloud may not be practicable.
Some public cloud service providers may record certain
information relating to use of their services. For example
Google records information relating to use of Google Docs such
as storage usage, number of log-ins, data displayed and clicked
upon, IP address and date and time of access. Such data may be
retained by Google for short periods even after the user has
deleted the files (Google, 2010). Such data may be useful for
police computer forensic investigations and might be able to be
obtained under the UK Regulation of Investigatory Powers Act
2000 (RIPA, 2000).
2.1. Personal data accessed during a cloud computing
system forensic investigation
The UK Data Protection Act, 1998 (DPA, 1998) might apply to
computer forensic investigations that involve the analysis of
personal data stored or processed within a cloud computing
system. Thus, if an investigation of fraud was undertaken that
involved analysis of customers’ personal data, then the prin-
ciples of the Data Protection Act should be applied during the
investigation. For example, appropriate security measures
should be applied to any personal data that had to be examined
as part of the investigation. Personal data accessed as part of
the investigation should not be accessed by unauthorised
306 c o m p u t e r l a w & s e c u r i t y r e v i e w 2 6 ( 2 0 1 0 ) 3 0 4 e3 0 8
individuals outside the investigation team. However, the main
consideration regarding personal digital data that may need to
be examined during a cloud computing system forensic
investigation is that of the different jurisdictions in which the
data of interest may be stored or processed within the cloud
(especially in non-EU countries without an appropriate level of
data protection legislation), and whether such data can be
released in a timely manner (before it may be deleted).
2.2. Monitoring of cloud computing systems during
a computer forensic investigation
The UK Regulation of Investigatory Powers Act, 2000 (RIPA)
makes it unlawful to intercept any communication in the
course of transmission without the consent of one of the parties
or without lawful authority. UK law distinguishes between the
interception of communication or traffic data (the sender and
recipient, the time and date, and the duration of transmission)
and the content of the communication. Appropriate internal
corporate authorisation would be required to ensure that any
investigation of an internal private cloud system did not breach
the Act. Investigation of a public cloud computing system
involving Internet based computing resources would require
the cloud computing services provider to provide the police (or
other agency) investigation with required digital data. However,
due to the nature of cloud computing systems operation, some
of the digital data may not be practicable to obtain.
3. Procedures used for cloud computing
forensic investigations
A private cloud computing system is for a single organisa-
tion’s internal use and it may be run by the organisation itself
or outsourced to a third party. A public cloud is managed by
another organisation that provides cloud services. Public
cloud computing systems offer publicly accessible remote
interfaces for creating and managing data. This more
dispersed architecture can have serious ramifications for the
identification of digital evidence. If a computer forensic
investigation involves a private cloud, the digital data will
reside within the organisation or within its outsourced
supplier. The key sources of potential evidence will be iden-
tifiable, such as servers, applications, and data repositories
residing within the organisational IT infrastructure. In addi-
tion, the investigating team may also have access to key
personnel identified by the investigation, such as the suspect
or system administrators. However, if the digital evidence
resides within a public cloud, it will be much more difficult to
identify. As Treacy (2009) comments, the cloud computing
environment aims to be dynamic and customizable. This is
achieved through the seamless interaction of a variety of
applications being delivered to the user as if they were
accessing just a single site or logical location. This seamless
delivery from distributed sources will make the identification
of sources of potential digital evidence, or the digital evidence
itself, much more complex. Moreover, even the existence of
data will be quite complex to identify as data is pushed further
back into the network rather than purely being delivered to
the user’s physical computing device and may only exist
within tight temporal constraints.
When digital evidence is required from a public cloud
computing system there is also the issue of continuity of service
(and level of service) for other users of the cloud services. Ideally
a computer forensic investigation should not impact upon other
cloud service users who are not the target of the investigation.
Any police computer forensic investigation should keep
within the Association of Chief Police Officers’ guidelines for
computer-based electronic evidence (ACPO, 2007). That is to
show a court, if required that the evidence produced is no more
and no less than when it was first taken into the possession of
the forensic examiner. However, the current version of the
Association of Chief Police Officers’ guidelines for computer-
based electronic evidence does not specifically address cloud
computing investigations but its principles should be main-
tained. If a cloud computing forensic investigation was to
result in a court case, then the UK Criminal Procedure and
Investigations Act, 1996 (CPIA, 1996) and amendments in the
UK Criminal Justice Act, 2003 (Part 5) (CJA, 2003) may be
relevant as they cover the legal requirements to provide both
evidence in support of a prosecution and evidence to support
a reasonable defence. The Criminal Procedure and Investiga-
tions Act, 1996 makes a specific requirement on police officers
and their agents (such as computer forensic analysts) to
provide detailed disclosure. Section 3.2 of this Act, Primary
disclosure by prosecutor, concerns digital material that came
into the prosecutor’s possession in connection with the case
for the prosecution, and would include material provided by
police officers, or their agents. This covers not just the disclo-
sure of digital material that supports the prosecution, but also
material that may undermine the prosecution and support
a defence. R. v. Hampton and another 2004 EWCA Crim 2139,
provides an example case where non-disclosure of cell-site
evidence relating to a mobile phone call occurred. Failing to
comply with the Criminal Procedure and Investigations Act,
1996 does not rule evidence inadmissible, but during the trial
the court might be directed to take into account the fact that
the defendant may not have been afforded the opportunity to
acquire evidence to defend themselves (Taylor et al., 2007). In
a cloud computing environment, due to the potentially greater
effort required to identify and examine computing devices that
had stored or processed digital data of interest to the investi-
gation, there might be limited time and resources available to
identify digital material of wider relevance than that which
specifically concerns the investigation.
An important aspect of providing digital evidence in court
concerns certifying that the computer(s) in question were
working properly at the material time. In the case of R. v. Spiby
[1991] (CLR, 1991) it was held that if an instrument (in this case
a computer) was of a kind as to which it was common
knowledge that they were more often than not in working
order, in the absence of evidence to the contrary, the courts
will presume that a mechanical instrument is in working
order at the material time. This is important and potentially
challenging in a cloud computing forensic investigation since
numerous computing devices possibly located in different
countries may have been used during a transaction. Any
computer forensic investigation carried out by a UK police
force would be subject to the codes of practice within the
 c o m p u t e r l a w & s e c u r i t y r e v i e w 2 6 ( 2 0 1 0 ) 3 0 4 e3 0 8 307

Police and Criminal Evidence Act, 1984 (PACE, 1984) (and being used within the cloud without the knowledge of the
possibly the UK Serious Organised Crime and Police Act, 2005 accused, it might be difficult to obtain digital evidence to
(SOCPA, 2005)). support such a defence (Haagman and Ghavalas, 2005).

4. Analysis of digital evidence in cloud 5. Conclusions

computing systems
The acquisition and analysis of digital evidence from cloud
When investigating data recovered from traditional media,
computing systems is likely to be more complex than for
documents and files will typically have meta data preserved
previous types of computing systems. It may potentially be
from the original hosting system, for example data relating to
difficult to obtain digital evidence to the same standard as that
when files were created and modified. This may not be the
currently obtained from traditional server-based systems due
case in cloud computing systems. However, meta data
to the nature of the operation of cloud computing systems.
embedded within documents that had subsequently entered
Public and hybrid cloud-based computing systems might
the cloud storage could provide important clues to how the
operate across jurisdictions, which might make obtaining
data has been used and manipulated beforehand (such as
such data more complex and more time consuming. Some
change tracking in MS Word documents).
organisations may encrypt digital data before processing in
If unauthorised access or unauthorised access with intent
the cloud, which can again lead to more complexity and delay
(CMA, 1990) might be investigated in a cloud computing
in obtaining the necessary digital evidence. In the case of data
environment then digital evidence may possibly be fairly easy
stored or processed in different jurisdictions within the cloud,
to obtain from the user’s computer. However, with regard to
such delays could potentially result in data being deleted
unauthorised modification of data or programs (CMA, 1990),
before it can be made available to investigators.
unless confirmation of the modification was sent to user’s
Unless a cloud computing application provides an audit trail,
computer, or the application, systems or network software
it may be difficult to extract digital evidence in an admissible
produced an audit trail, then to prove that unauthorised
manner from such applications, and in some cases, there may
modification actually took place it might be difficult to identify
be little evidence available to extract. This might lead to either
digital evidence that modification actually took place at the
legislation requiring cloud computing service providers to keep
material time on a computing device within the cloud (espe-
audit trails (or similar records of user activity), or that prose-
cially if a public cloud computing system or hybrid cloud
cution cases may need to be based upon evidence gained
computing system is being investigated).
mainly from the user’s computer, rather than from computing
In terms of fraud or money laundering investigations
equipment within the cloud. Thus for example, if an investi-
involving cloud computing systems, financial services organi-
gation involved analysis of a Google document transaction,
sations (and some other types of organisations) might typically
then with regard to user data stored on the user’s personal
have audit trails built into their application systems (that can
computer after such a Google document transaction there
be used to provide digital evidence). However, other types of
would be cookies for user login and documents and also Google
organisations may not use such audit trails in which case it
gears may have created an SQLite database on the users
might be difficult to identify digital evidence to prove that
machine to allow the user to work offline. All these artefacts
updating of accounts (not just attempted fraud or money
stored on the user’s personal computer could provide potential
laundering) took place within the cloud. In a cloud computing
evidence, even if further digital evidence from computers in the
environment actions taken from the moment a fraud is
Google cloud could not easily be obtained.
suspected can have a profound impact on both the amount of
digital evidence available and the extent to which it will be M. Taylor (m.j.taylor@ljmu.ac.uk) School of Computing and Mathe-
acceptable in future legal proceedings. If investigation of emails matical Sciences, Liverpool John Moores University, UK; J. Haggerty
is required within a cloud computing environment then typi- (J.Haggerty@salford.ac.uk) School of Computing, Science and Engi-
cally logs of sent and received emails from the user’s computer neering, University of Salford; D. Gresty, Post Graduate Student,
could be used as evidence (unless the tampering of emails is Lancaster University; & R. Hegarty (R.C.Hegarty@2006.ljmu.ac.uk)
being investigated in which case evidence from the computing Research Student, School of Computing and Mathematical Sciences,
devices within the cloud could be required). Liverpool John Moores University, UK.
If an investigation concerned indecent images or extreme
pornography then evidence from the user’s computer of access
or downloading or storage of images could typically be obtained. references
However, organisations storing and disseminating such mate-
rial might possibly use cloud computing services in which case
the actual computing devices within the cloud storing such ACPO. Good practice guide for computer-based electronic
images might need to be determined, if this is possible. evidence version 4. England, Wales, and N. Ireland: The
Association of Chief Police Officers, http://www.acpo.police.
Tracking malware (including spyware, computer viruses and
uk; 2007.
worms and Trojan software) within a cloud computing envi-
Allan W. Computer forensics. IEEE Security and Privacy 2005;3(4):
ronment may be complex. Attempting to track down the effects 59e62.
of malware upon data or programs stored within the cloud could Buyya R, Yeo C, Venugopal S, Brobery J, Brandic I. Cloud
be very complex. Thus if a defence related to malicious software computing and emerging IT platforms: vision, hype and
308 c o m p u t e r l a w & s e c u r i t y r e v i e w 2 6 ( 2 0 1 0 ) 3 0 4 e3 0 8
reality for delivering computing a 5th utility. Future
Generation Computer Systems 2009;25:599e616.
CJA. UK Criminal Justice Act 2003, http://www.opsi.gov.uk; 2003.
Clr. R. v. Spiby. Criminal Law Review; 1991:199.
CMA. UK Computer Misuse Act 1990, http://www.opsi.gov.uk;
1990.
CPIA. UK Criminal Procedure and Investigations Act 1996, http://
www.opsi.gov.uk; 1996.
DPA. UK Data Protection Act 1998, http://www.opsi.gov.uk; 1998.
ENISA. ENISA cloud computing risk assessment. European
Network and Information Security Agency, http://www.enisa.
europa.eu; 2010.
Eucalyptus. Eucalyptus systems, http://www.eucalyptus.com;
2010.
Google. Google Docs, http://www.google.com/google-d-s/privacy.
html; 2010.
Grossman R. The case for cloud computing. IT Professional 2009;
11(2):23e7.
Haagman D, Ghavalas B. Trojan defence: a forensic view. Digital
Investigation 2005;2(1):23e30.
ICO. Personal information online code of practice: consultation
document. UK: Information Commissioner’s Office, http://
www.ico.gov.uk; 2010.
Kaufman L. Data security in the world of cloud computing. IEEE
Security and Privacy 2009;7(4):61e4.
Mather T, Kumaraswamy S, Latif S. Cloud security and privacy:
an enterprise perspective on risks and compliance.
Sebastopol, CA, USA: O’Reilly; 2009.
PACE. UK Police and Criminal Evidence Act 1984, http://www.
opsi.gov.uk; 1984.
RIPA. UK Regulation of Investigatory Powers Act, http://www.opsi.
gov.uk; 2000.
SETI. Search for Extra-Terrestrial Intelligence, http://setiathome.
berkeley.edu; 2010.
SOCPA. Serious Organised Crime and Police Act, http://www.opsi.
gov.uk; 2005.
Sun. Sun open cloud platform. Sun Microsystems, http://www.sun.
com; 2010.
Taylor M, Haggerty J, Gresty D. The legal aspects of corporate
computer forensic investigations. Computer Law and Security
Report 2007;23:562e6.
Treacy B. Cloud computing: data protection concerns unwrapped.
Privacy and Data Protection 2009;9(3):1e3.
Vahl S. Fake websites shut down by police. BBC News, http://news.
bbc.co.uk/1/hi/uk/8392600.stm; 3 Dec 2009.
Vella P. The future of forensic computing. Criminal Law and
Justice Weekly 2009;33:1e2.
Viega J. Cloud computing and the common man. IEEE Computer
2009;42(8):106e8.