Dropbox / the cloud, legal issue
In this scenario in the UK I am executing a search warrant on private premises and encounter a PC that is turned on. On the screen I can see that the user is connected to a “generic” cloud storage. I can see files inside the cloud, although they do not physically reside on the computer.
So the question is: CAN I ACQUIRE THOSE FILES USING FORENSIC SOFTWARE FROM THE SUSPECT’S COMPUTER WHEN IT IS CONNECTED TO THE CLOUD THERE AND THEN, OR SHALL I SEEK THE DATA USING SPOC (and in reality wait weeks to get it)?
(In short: in the UK, the Single Point of Contact advises and assists in all aspects of investigations relating to communications data, liaising with communication service providers.)
It would be great to receive exhaustive opinions from the legal and practical sides, and maybe someone has some court rulings about the admissibility of evidence obtained in that way?
Opinions from different countries outside the EU are welcome.
- In what way would this be different from a "user folder" on a Corporate server (with the actual server machine being in the same building)?
- In what way would this be different from a "user folder" on a Corporate server (with the server being in another location, but within the same country/legislation)?
- In what way would this be different from a "user folder" on a Corporate server (with the server being in another location situated in another country/legislation)?
- How would you behave in the case (which existed long before the term "cloud" came into use) of an FTP folder/storage on the suspect's site hosted by an internet provider? (with the same duality between "local" and "foreign" Internet provider location)
- How would you behave in the case (also existing long before the term "cloud" came into use, and much more common than FTP hosting) of a WebMail box? (with the same duality between "local" and "foreign" Internet provider location)
- How exactly would you "download" or "access" the Cloud Storage from the suspect's switched-on and connected PC "USING FORENSIC SOFTWARE" without compromising the integrity of the local PC?
- How exactly is the search warrant worded (for the part relating to data and storage)?
- In theory there is no difference between theory and practice, but in practice there is. -
- Senior Member
This typically requires that the user is already logged on to the account at the time the search is being conducted.
Here's the wording in our criminal code:
487 (2.1) A person authorized under this section to search a computer system in a building or place for data may
(a) use or cause to be used any computer system at the building or place to search any data contained in or available to the computer system;
(b) reproduce or cause to be reproduced any data in the form of a print-out or other intelligible output;
(c) seize the print-out or other output for examination or copying; and
(d) use or cause to be used any copying equipment at the place to make copies of the data.
I should probably add that there is no criminal case law yet, and it's probably not the best practice. The general rule for everything is "When in doubt get another warrant and do it the safe way".
There is some civil case law on this however: eBay Canada Ltd. v. M.N.R., 2008 FCA 348,  1 FCR 145
Here's an excerpt that gets to the point:
 In my view, Justice Hughes made no reversible error in concluding on the facts before him that the information sought was not “foreign-based information”; even though stored on servers outside Canada, it was also located in Canada because of its ready accessibility to and use by the appellants.
This case has been cited several times, one example is in X (Re), 2009 FC 1058,  1 FCR 460. This case reiterates the principle that "information may notionally reside in more than one place":
 In CSIS (Re), above, at paragraph 54, Justice Blanchard held that “[n]o other basis under international law” had been put before him to warrant displacing the principles of sovereign equality, non-intervention and territoriality. CSIS had argued that customary international practice as it relates to intelligence gathering operations in a foreign state constituted an exception to principles of territorial sovereignty. I would observe again that the application before Justice Blanchard contemplated intrusive activities in foreign jurisdictions [portion deleted by order of the Court] that are not being sought in the present application. Subsequent to the decision of Mr. Justice Blanchard, the Federal Court of Appeal has observed that information may notionally reside in more than one place: see eBay Canada Ltd. v. M.N.R., 2008 FCA 348 (CanLII), 2008 FCA 348,  1 F.C.R. 145.
- Senior Member
It boils down to the fact that the cloud service does not own the files, the user does.
You may wanna explore that direction with some lawyers in your country, preferably before you run into such a situation in real life.
- Senior Member
The whole point of this post was to find out how we should act in such scenarios. At the moment in the UK I would use the SPOC to acquire data from the cloud, but this is becoming more and more problematic and time-consuming.
Anyone from Asia, AU, USA on how this is being done there?
(luckily, I found copies of the files stored locally!)
In your search of the main house you find a set of keys indicating an offsite barn. (offsite as in it has a different address than the main house.)
Can you enter the offsite barn? Can you search the offsite barn?
In the USA you would have to get a new warrant.
For the US, look at ECPA.
Last edited by jhup on Mon Jan 05, 2015 12:45 pm; edited 3 times in total
- Senior Member