Ask any forensic examiner and they will tell you that nothing is ever truly deleted. So the question becomes, “Can you delete information from the Cloud?” As someone who has conducted many Cloud storage forensic examinations, my immediate answer would be no. Online data storage services such as Google Drive, Dropbox, OpenDrive, and Drive HFQ File Manager offer their services to the public and promise to keep your data safe and accessible to you. In an effort to protect your data, they use servers that are continuously backed up. These servers store multiple revisions of your data as snapshots in time. But what about other parties who may want access to your data, like government agencies, investigators, and attorneys?
I recently read “Dropbox’s Government Data Requests Principles” and the language they used led me to believe the government is making some overly broad subpoena requests. So, as much as you would like to think you deleted your online drive or Cloud storage account, more than likely, a number of revisions prior to your deletion still exist. Subpoenas and Cloud storage forensics may not be needed if you are using a free account and/or save your password to your web browser. Have you actually read the service level agreement that’s associated with that free online storage account? You know you didn’t. Perhaps their policy for paid and unpaid subscribers determines how long after you delete your account they actually keep your data. They would have to safeguard against accidental or malicious deleting of data, wouldn’t they?
In addition to what can be subpoenaed, there are now a number of software tools like Internet Evidence Finder (IEF) by Magnet Forensics that make parsing and decrypting online storage data very easy for anyone conducting Cloud storage forensics. We are currently testing their software. In our case, our subject copied work product to a thumb drive from a co-worker’s computer, then copied the stolen material to “the Cloud”. In that moment he instantly linked his very clandestine operation to his USB drive and his Google Drive user account. He’s essentially a subpoena away from criminal charges as well as civil penalties that include our fees.
So the questions become: Do you have your head in the clouds with regard to what you are sharing online? Are you backing up your mobile device, computers, servers and digital images to the Cloud? Are you saving personal and financial files that you would not want accessible to others online? Are the files you are copying to the Cloud encrypted or at least password protected? Are you aware a judge can order you to provide the password for your online account as well as password protected files? Are you willing to sit in jail and incur the cost of a Cloud storage forensic examiner to decrypt each and every file? How good is the password you are using for your online storage account? Are you using the same password for other accounts? Are you aware that your browser or phone may have added your password(s) to its dictionary file? Cloud storage forensic experts will undoubtedly use dictionary files to crack your passwords.
Here’s an example from our case files that will drive the point home. I was recently asked to conduct a forensic examination on an iPhone 5s pursuant to a wrongful termination lawsuit. Upon arrival, the iPhone greeted me with a “Hola” and I instantly knew the phone was wiped and restored partially to factory. This was done remotely by the employer. Currently there is no way to conduct a physical image of the phone and I don’t want to create a new logical account on the device that we had to return to the employer. I was at a dead end, right? Not so fast. As I skipped through the setup screens, I noticed the phone eventually asked for my client’s personal iCloud account password and partially displayed his account email address (x…….@yz.com). My client had not realized he was backing up his phone to… wait for it….. “the Cloud”. Despite the company’s efforts to wipe the employee phone remotely, they failed by allowing the employee to use their own personal account to back up their phone to iCloud. All that was needed was for me to restore that backup to a new iPhone 5s, document the process, and create an image of the new phone that was restored from the Cloud. This could also be followed up by a subpoena to validate that it was restored from the iCloud. Though a mobile forensic data collection was not needed, the mobile forensics examiner’s expertise was. Had this client not hired us, that data could have been lost forever. So do you think that company would deem the cloud safe for their data in that example?