Cloud Forensics Is Here To Stay… But It Has A Dark Side

Data collection has always been an important first step of any legal investigation. Before the digital age, this could mean dusting a crime scene for fingerprints, or finding bits of the perpetrator’s DNA from some stray hairs.

Now, digital forensics technologists are on a never-ending quest to keep up with our ever-evolving digital landscape. Over the course of the 2010s, one technological development cast a bigger shadow than most. You probably know it as “The Cloud.”

It wasn’t that long ago that the cloud seemed like a mystical enigma. Many people were hesitant to make the migration for fear of security risks. Even as more users got accustomed to cloud backups with their personal technology, enterprise technology lagged behind. In more recent years, that’s changed. These days, it’s virtually impossible for a legal team to face a case where there isn’t relevant data in the cloud. So how does that reshape that initial data collection phase?

Why The Cloud Is Unavoidable

At one point, the cloud seemed optional. It was a nice bonus feature that allowed you to easily access your data from any device with an internet connection.

Now, the cloud is our default. Unless a user goes out of their way to avoid it, they’re using it. There are several reasons contributing to this.

For one, devices don’t come with the same local storage they used to. These days, a new laptop has less local storage than a new mobile device.

To make matters worse, we’re also creating more data. According to Statista, the total amount of data created, captured, copied, and consumed globally reached 64.2 zettabytes in 2020 (approximately 58.4 billion TB). In 2011, it was just 5 zettabytes.

That’s a 1,284% increase in data vs. when Apple first rolled out iCloud, a staggering figure considering we’re already talking about units as large as zettabytes. According to Statista’s projections, the number is expected to climb up to 181 zettabytes by 2025.

10 years ago, we communicated almost exclusively through email and text messaging. Now, we also have numerous social media channels, collaboration platforms like Slack and Teams, and other direct messaging apps such as WhatsApp, all of which exist alongside conventional texting and email. Many of these platforms make it easier than ever to send larger files such as photos and videos. As our communication channels multiply and multimedia messages become second nature, our need for data storage skyrockets.

The cloud has become the tech industry’s way of doing more with less. Users still get all the data storage they need to account for their changing habits without having to remember which of their six flash drives they saved that last document to. As James Whitehead, Contact Discovery’s Associate Director of Digital Forensics, points out, the cloud has also reshaped user expectations.

“Anymore, we require access to our data at a moment’s notice on the device of choice,” Whitehead says. “The cloud allows for that but it also blurs the line between data ownership, and raises questions about what activities we can attribute to which users.”

Cloud usage has also become less dependent on a user’s preferred devices.

“Apple mobile devices were considered low hanging fruit with the multiple methods of backup and fairly easy collection workflows,” says Whitehead. “Androids on the other hand are an unwieldy bunch where the model, chipset, and encryption state affect what, if any, data can be collected from the device. Enter Google One, Google’s answer to iCloud, which provides similar backup functionality to iCloud for Androids!”

With Apple, Microsoft, and Google all following a similar trajectory of essentially forcing users onto the cloud, it’s hard to imagine anyone participating in our modern digital world while opting out of the cloud. That means legal teams can’t opt out either.

The Dark Side = Automated Data Management

As the cloud has taken over, so has something else: Automated Data Management. Rather than nagging users to go through their devices and decide what to delete, devices can just… delete stuff themselves. Users don’t mind because hey, everything’s still on the cloud, ready to be re-downloaded at a moment’s notice if the user so desires. We love that we don’t have to remember to back our devices up, and we love not having to make tough choices about which of our 1,392 dog pictures is cute enough to earn our precious local storage.

As each new automatic cloud backup is created, old ones are overwritten. That makes it harder for forensics practitioners to hash out what was done by humans and what was done by machines.

“The algorithms are more efficient in finding stuff to override,” Whitehead says, pointing out that forensics teams often can only access the most recent backup, but not earlier backups. That makes it harder to pinpoint when exactly a particular piece of data was deleted, and what motive a user might’ve had for that deletion.

“Generally we want to attribute an action to a human, i.e. they deleted this data to obscure the investigation,” says Whitehead. “With automated management, data is routinely deleted by the system during normal use. This process is fairly rapid, and the more someone uses their phone, the faster these deletions happen.”

In other words, not only does automated data management make it harder to find that proverbial needle in a haystack, it means that failing to find a needle doesn’t necessarily implicate anyone the way it would if ALL data deletions were human choices.

So What Does All This Mean For Me?

In short, that you must act fast. One of the biggest challenges of our new cloud-based digital ecosphere is that it essentially turns our data into ticking time bombs. At a physical crime scene, you have to dust for prints before the maid comes. Otherwise, the case goes cold. Well, automated data management features mean now we have digital maids that routinely come in and clean up our data. If we want that data, we have to collect it before it’s gone.

Remember those 64.2 zettabytes from 2020? That same study also reports that just 2% of the data produced and consumed in 2020 was saved and retained into 2021. If you do think there’s valuable information out there, you can’t just assume it’ll be there forever.

The good news is that most of these automated features can be disabled, and a good litigation hold protocol will ask parties to do just that. By looping in forensics staff early on in an investigation, you can make sure that all IT teams at all relevant organizations have disabled any automated deletion features that could sabotage your investigation downstream.

Kyle Rittenhouse Trial Highlights Importance of Technology Expert Witnesses

Earlier this week, a jury heard closing arguments in the trial of Kyle Rittenhouse. Rittenhouse rose to national prominence in August 2020 after allegedly shooting three people at a Wisconsin protest, two of whom died and the third of whom was injured. Now, he stands trial for those alleged crimes.

One unexpected curveball: whether or not the prosecution should be allowed to use an iPad to zoom in on footage that allegedly shows Rittenhouse at the scene of the crime. The defense argued that when one uses the pinch-to-zoom feature available on Apple devices, it alters the footage:

“It uses artificial intelligence, or their logarithms, to create what they believe is happening,” said defense attorney Mark Richards. “So this isn’t actually enhanced video, this is Apple’s iPad programming creating what it thinks is there, not what necessarily is there.”

NOTE: Many publications that have published this quote allege that the defense meant “algorithms” rather than “logarithms.”

The prosecution insisted such alterations don’t happen, and that zooming is no different than putting a magnifying glass over a printed photograph. Judge Bruce Schroeder initially said the prosecution would have to bring in an expert to confirm this; otherwise, they’d have to use the raw footage taken from a wider angle.

James Whitehead is the Associate Director of Digital Forensics at Contact Discovery and has served as a digital forensics expert witness on forensic issues.

“I think as we see AI evolve, a new breed of validation questions may arise as the computer begins to generate lifelike images of events and people that do not exist,” says James Whitehead, Contact Discovery’s Associate Director of Digital Forensics, who has testified as an expert witness in other trials. “There’s an entire industry of applications… that leverage or skew the underlying digital photography [so we can] create panda face versions of ourselves.”

While the panda face apps might be an extreme example, Whitehead was also quick to clarify that the fact these apps exist doesn’t automatically mean the raw data is unreliable.

“These apps function because the underlying digital image is trustworthy as is the underlying technology,” he said. It’s perhaps paradoxical that as technology gets better, it almost becomes harder for people to trust it.

In court, Judge Schroeder admitted to not having a very good understanding of technology. “I know less than anyone in the room here I’m sure about all this stuff,” he said.

It’s easy for people who live and breathe tech to think that pinch-to-zoom is a standard feature that everyone is familiar with, but then… should that matter? How often laypeople use certain technology isn’t necessarily a good standard for whether or not that technology should be admissible in court.

If a judge knows they don’t understand a topic, as Schroeder admits he doesn’t understand pinch-to-zoom technology, it does make some sense to err on the side of caution. Once a jury has seen evidence, the judge can’t change that if they later learn that evidence was unreliable. When judges know they’re out of their depth, deferring to experts before they make a call is quite reasonable.

“The fact finders are a diverse group of individuals,” says Whitehead. “We must remember that education of the fact finder isn’t a factor to be lightly regarded. The rules of evidence have evolved over the years as has the evidence. It’s still good practice to explain what you are leveraging and why it matters. If evidence or story is technical in nature, [it’s best to] have an expert on standby who can assist with the explanations.”

At the end of the day, criminal trials aren’t about what the Twitterverse thinks; they’re about what judges and juries think. Whether or not the prosecution should need an expert to confirm the validity of pinch-to-zoom footage is beside the point if a judge says they do.

Later in the trial, Judge Schroeder had a change of heart and said the jury could consider the enlarged footage; however, he wasn’t shy about expressing his skepticism of it.

“You’re basing this extremely important segment of the evidence on something that I’m really queasy about,” Schroeder said. “I’m not going to give an instruction on it, but I’ve made my record on the high risk that I think it presents for the case.”

So what can other legal teams learn from this ruling?

For one, just because a technology seems commonplace doesn’t mean a judge will understand its ins and outs well enough to confidently rule on its admissibility. Whitehead says people might be surprised at how often judges expect expert testimony for technology that end users might consider commonplace.

“Technology is wasted on the young, like naps and kindergarten,” he said. “Judges are often removed from the [supposedly] commonplace setting for which our matter may hinge.”

Be ready to defend any part of your case involving technology, and yes, that may even mean expert testimony when you don’t agree expert testimony is needed. In this case, Schroeder initially put the burden of proof on the party that presents the evidence, not the party trying to disqualify it. Could that open the door for other teams to cast doubt on the opposition’s evidence even if they don’t have their own experts? After this tech debate in such a highly publicized trial, some attorneys who would otherwise have thought they couldn’t get evidence thrown out might try anyway. Even if evidence is ultimately admitted, a drawn-out debate about its reliability could still shape jurors’ perceptions of that evidence. Having expert testimony at the ready can potentially prevent such a debate.

Another thing most legal teams know, but this case reinforces: don’t be overly reliant on one “smoking gun” if you can help it. Perhaps the prosecution will be able to get a conviction based on evidence besides their pinch-to-zoom footage. Only time will tell. The one constant of the legal world is that as much as we try to predict it, it remains unpredictable. You never know which evidence could be disqualified, so finding multiple “smoking guns” makes for a stronger case.