Cloud Forensics

Cloud Forensics

What is Cloud Forensics?

Cloud forensics is the application of digital forensics science on the Internet to recover online evidence. What kind of evidence can attorneys and investigators expect to be collected for review?

Digital forensic examiners collect cloud evidence from social media sites like Facebook, Instagram, Twitter, YouTube, LinkedIn, Snapchat, Pinterest, etc. The evidence they recover may be posts, media, comments, reviews, likes, hashtags, etc.  Examiners also collect email, attachments, calendars, and contacts from webmail like Gmail, Yahoo!, Outlook, AOL, Zoho, and ProtonMail. Last, they collect documents, media, and other files from cloud storage and backup providers like Google Drive, Microsoft OneDrive, Dropbox, Apple iCloud, Box, Amazon Drive, etc. And two of these providers store evidence synched from 99% of smartphones in use today.

Cloud evidence is full of metadata. Metadata is data about the data. In an Instagram account cloud metadata might be the date and time stamp a post or comment was created. Or the name or user identifier of the Instagram user. Or the status of a post or comment as live or deleted. It may also be the GPS coordinate with the exact location showing where the photograph was snapped or the video was recorded.

Mobile Evidence Moves to the Cloud

In the U.S. roughly 55% of us use iPhones, and 45% use Android smartphones. Therefore, everyone in the U.S. has either an online Apple iCloud account or a Google account, and many of us have both. Why is that?  Most iPhones connect to the user’s iCloud account. And most Android smartphones connect to the user’s Google account.

Why do smartphones connect to their manufacturer’s cloud accounts? There are four basic reasons.

  • Sharing data with the user’s other devices (tablet, laptop). And his or her family members.
  • Storage and data management reasons. The user can backup data, messages, photos, and video to the unlimited capacity of the connected cloud account.
  • Security and privacy reasons. The cloud provides a safe administrative interface for protecting the user’s smartphone and then finding or wiping its precious data when lost.
  • Financial reasons to include using the smartphone as a credit card (e.g. Apple Pay and Google Pay) to manage purchases from app stores.

Digital forensic examiners collect evidence from online, cloud accounts like Apple’s iCloud and Google for lawyers’ clients. Increasingly it’s a plan “B” for challenging litigation and investigations. Often smartphones, tablets, and laptops are destroyed, damaged, lost, or encrypted with a forgotten password. Backups of digital device evidence from the cloud, when forensically recovered, have the power to save a lawyer’s case.

Today cloud evidence plays an important role in litigation and investigations equal to data recovered from digital devices. Cloud evidence is rapidly becoming “best evidence” for civil and criminal cases and is admissible in federal and state courts across the U.S.

What are Cloud Evidence Sources?

Cloud Evidence Sources

Direct cloud evidence sources are subscribers’ cloud accounts managed by Internet Service Providers, ISPs. They are preserved like any other electronically stored information usually with a preservation letter or litigation hold. Digital forensic examiners collect them using professional cloud forensic tools. ISPs will produce them on request by subscriber consent, subpoena, or court order. Often digital forensic examiners analyze subpoena returns from ISPs.

Webmail was the first cloud-based evidence source. AOL and Yahoo! Mail followed by Google Gmail and Microsoft Hotmail were the pioneers. Today every local ISP offers webmail. Microsoft developed Office 365 for the cloud and Google did the same for Workspace.

Social media emerged next in the cloud. Myspace and Facebook were first, but now Instagram, Twitter, LinkedIn, Pinterest, Reddit, and many others are discoverable.

Users began sharing documents, files, and folders in the cloud using Dropbox, the first popular offering, which was followed by Google Drive, Microsoft OneDrive, Box, and many others. Users share photographs online using Flickr, iCloud Photos, Google Photos, Amazon Photos, and many others which are forensically collected today.

Specialty cloud accounts abound for local community (Foursquare, Nextdoor, Yelp, Meetup), for dating (Tinder, OKCupid,, Bumble), and for professional networking (LinkedIn,, Scribd, WordPress, Blogger).

Cloud accounts exist for collaboration between companies and for employees and contractors within larger enterprises (Google Workspace, Office 365, SharePoint, Slack, Trello, Basecamp). Cloud accounts are often collected today instead of traditional email servers.

And evidence from new wearable devices, fitness trackers, and smart speakers can be collected from their users’ cloud accounts. These include Fitbit, Amazon Alexa, and Google Home (Google Assistant).

Collecting Social Media and Blogs

Digital evidence posted on social media and blogs publicly available on the Internet has great potential to support investigations with new facts and insights. Digital forensic examiners collect it from sites like Facebook, Instagram, Twitter, WordPress, and Blogger using professional cloud forensics tools and download tools provided by cloud services. They authenticate evidence by recording foundation for admissibility in court. Foundation includes metadata like site name, web address, date and time stamp, Internet Protocol (IP) address, geolocation (latitude/longitude), and one or more hash codes to record digital signatures of the publicly facing evidence collection.

Legal authority by subpoena, court order, or consent is unnecessary to collect publicly facing, online digital evidence in pursuit of investigations. Viewing or collecting publicly accessible online content for represented and unrepresented parties is fair game ethically. Oregon Ethics Opinion 2013-189 states it is comparable to reading a book or magazine article which the rules of professional responsibility do not prohibit lawyers or their nonlawyer agents from doing.

Consider popular public Facebook evidence and its potential for admission as one or more exceptions to the hearsay rule. Also its propensity to reveal character evidence and produce evidence deemed credible by the trier-of-fact.

  • Party Admissions – Facebook’s Posts, Comments, Friends, Friends of Friends, Friend Requests, Pokes.
  • State of Mind – Facebook’s Status Updates with date and time stamps.
  • Character Evidence – Facebook’s Photos, Videos, Likes, Apps.
  • Credible Evidence – Facebook’s Posts, Comments, Friends, Friends of Friends, Friend Requests, Pokes, Contact Info, Places.

Forensics for Private Clouds

Digital forensic examiners collect private cloud evidence with legal authorization using subscriber supplied or court ordered cloud account credentials from individuals, groups, or institutions.

Private evidence collections go beyond the limited scope of publicly available online evidence. Examiners recover stored email (webmail) from them. They also recover direct messages, aka DMs, which are private text messages between parties or correspondents. Facebook stores both email and direct messages (Facebook Messenger). Instagram, Twitter, Pinterest, LinkedIn, and Google all store direct messages besides publicly facing cloud evidence. Another group of cloud accounts store only direct messages (iCloud’s iMessages, WhatsApp, Snapchat, Telegram, Viber, and others).

The news here for lawyers is twofold.

  1. Email recovery is now as likely from a private cloud account as it is from a computer or server.
  2. Text message recovery is now as likely from a private cloud account as it is from a smartphone or tablet.

Cloud Forensics Collections

Carney Forensics collects evidence from web-based, online, cloud accounts, for clients like yours as a plan “B” for challenging litigation and investigations. Often cell phones, tablets, and laptops are destroyed, damaged, lost, or encrypted with a forgotten password. So backups of device data from the cloud, when forensically recovered, have the power to save your case. Today cloud forensics plays an important role in litigation and investigations equal to data recovered from digital devices. Therefore, cloud evidence is rapidly becoming “best evidence” for civil and criminal cases like yours.

Carney Forensics uses world-class cloud forensics tools to collect digital evidence from private cloud accounts subscribed to by individuals, groups, or institutions. We always obtain legal authorization conferred by a subpoena, court order, or party consent before undertaking cloud forensics collections. These cloud forensics tools also collect publicly available evidence from social media accounts like Facebook, Twitter, and Instagram. They support your investigations with new facts and insights. Legal authority is unnecessary for public investigations because the evidence is available to everyone.

Cloud Forensics for Storage Services and Apps

Whatever digital online evidence your client or opposing party may possess or control in the cloud, we have the tools to collect it forensically. We collect online evidence from over one hundred unique cloud services or providers.

For instance, we recover cloud evidence from global Internet Service Providers (ISPs) like Google, Apple, Microsoft, Amazon, and Samsung. We forensically collect documents and other digital content from cloud storage services like Dropbox, Google Drive, iCloud Drive, Microsoft OneDrive, Box, and others.  And we recover messages from cloud-based apps like WhatsApp, Snapchat, Hangouts, Slack, Skype, Telegram, Viber, Twitter, Instagram, and Pinterest. Last, we recover messages from many multiplayer online gaming environments.

Cloud Forensics for Google Workspace and Microsoft Office 365

We support electronic discovery for civil litigators by collecting traditional digital documents and email evidence from your client or opposing party. Carney Forensics collects the most popular corporate cloud providers including Google’s Workspace, formerly G Suite. We also collect evidence from Microsoft’s Office 365, SharePoint, and Teams. And we recover critical audit logs from Google Workspace and Microsoft Office 365. Audit logs verify when and by whom documents were created, modified, and downloaded. This critical information often lays the foundation for material cloud evidence upon which your case may turn in summary judgment motions and trials.

Cloud Forensics FAQs

What is Cloud Forensics?

According to NIST:
Cloud forensics is the application of digital forensics science in cloud computing environments.

Technically, it consists of a hybrid forensic approach (e.g., remote, virtual, network, live, large-scale, thin-client, thick-client) towards the generation of digital evidence.

Organizationally, it involves interactions among cloud actors (i.e., cloud provider, cloud consumer, cloud broker, cloud carrier, cloud auditor) for the purpose of facilitating both internal and external investigations. Legally it often implies multi-jurisdictional and multi-tenant situations.

According to Darshik Jariwala:
Cloud Forensics is cross-discipline between Cloud Computing and Digital Forensics. Cloud Forensics is actually an application within Digital Forensics that oversees the crime committed over the cloud and investigates it. Cloud computing is based on a huge network, which spreads globally. Hence, Cloud Forensics is said to be a subset of Network Forensics. The basic technique remains as the forensic investigation of a network.

Can cloud accounts be collected for evidence from connected cell phones?

Generally, yes.  Even if the phone is damaged or lost, cloud examiners can collect large amounts of evidence, sometimes exceeding that which is available on the connected cell phone.  Cloud collection requires legal authority and proper authentication credentials to access the cloud evidence.

Are geolocation data and GPS coordinates stored in cloud accounts?

Yes. An Apple iCloud account, if connected to the iPhone, stores photographs and videos captured with its camera.  Those photos and videos usually contain embedded geolocation data in the form of GPS coordinates.  Also, iPhone app data is stored in the connected iCloud account and often includes GPS device locations.  Think about Apple Maps and other iPhone navigation apps.

Google accounts also store photographs, videos, and app data for connected Android smartphones.  Google Maps is a popular app with GPS coordinates.  But Google accounts support another avenue to harvest GPS data.  The Google Timeline for connected Android apps is stored in the cloud account and records the Google Location History for places the phone has visited for years.

How much does it cost to recover, examine, and produce evidence from an online cloud account?

In the majority of legal cases, the examiner can recover and analyze the evidence from an online cloud account like Google, Apple iCloud, or Facebook and generate forensic tool reports for the legal team’s review for an average cost of $2,000 to $3,000. Each cloud account takes approximately 5 to 7 hours of lab time. Factors that go to cost include how much storage capacity the cloud account has, and how many hours of analysis are needed. Also, how accessible the online cloud account evidence is given the need for credentials like user names, correct passcodes, two-factor authentication, or data decryption. Last, a critical factor is how many cloud forensic tools are required to analyze the material evidence upon which the dispute will turn, especially deleted or hidden evidence.