Episode 3: I Beg to DFIR – The What, Where and Why of Cloud Data
Ronen Engler – Senior Manager, Technology and Innovation at Cellebrite
Heather Mahalik – Senior Director of Digital Intelligence at Cellebrite
Paul Lorentz – Senior Solutions Engineer at Cellebrite
In this episode, we are going to answer these four key questions regarding digital evidence in the Cloud:
- What does cloud data mean and where does it exist?
- Why is cloud data necessary?
- How is cloud data accessed?
- What can be gained from cloud data?
Heather will demo Cellebrite UFED Cloud to provide an understanding of how this important tool can impact your investigation.
We will explore questions such as: when data goes to the Cloud, where does it actually reside?
Many people don’t consider this deeply, because it is casually accepted that backing up data to the Cloud is something that simply happens in the background. In fact, multiple servers located around the world can be involved in the distribution of cloud data.
We’ll also discover what data is actually stored: is it encrypted information, messages, locations, or all of the above? We’ll also take a look at what legal and consent protocols must be followed.
If you have data that is being backed up to a cloud server, is it being stored in a country that will allow you to access the data? Are cloud storage services even divulging the whereabouts of the stored data?
Ignoring these and other unknown factors can potentially hurt your investigation.
I was looking at the Mobile Device Forensic Analysis (MDFA) channel recently and someone was asking about Facebook Messenger. They were saying they noticed lately that this data is missing and were trying to determine how long this data had been missing.
A response was given that Facebook Messenger seems like a cloud service now, as it’s not really on the device, and a lot of digital forensics examiners aren’t aware of this.
In this episode, we want to make you aware of as many cloud data insights as we can. We want to make sure you realize that reaching out to the servers to access and collect cloud data will leave traces behind.
It is not only going to leave a trace on the person’s device, but the server will know where in the world you were when you collected this information.
We want to make sure that you know what is going on, what cloud data looks like, and what to expect from data collection packages: sometimes you get a nice zip file container, and other times you get what looks like an iTunes backup. You may collect things from Google and wonder whether it is Google Takeout or Google cloud data. This is where you have to test, validate, and verify.