Is there any consensus on how to handle this kind of data in an investigation? Should we be writing a Production Order to send to Facebook, etc., to retrieve the data? Seize all suspect devices that could access the online account? Log into the account and change the password, preventing further changes being made by the suspects? We're looking to document best practices regarding this kind of situation, and I was hoping to get a better idea of what other departments do. Assuming the warrant is written in such a way as to authorize our pursuit of the data, what steps should we follow to acquire it?
Some things you need to think about first before going through the hassle of the cloud data. Do you have authority to search? Does your warrant allow you to access the accounts and change data, such as the password? If the data contains evidence of a crime, let's say online documents that are needed to show the user defrauded someone, who do you serve the warrant to? For online data, such as web-based Google Drive, you would be serving a warrant to Google; however, where is the data stored? Identifying where it is stored cannot be done. Google cannot tell you where the data resides because it is everywhere. Google has its data stores located throughout the world, so when sending a warrant to seize data, their storage center is not in just one location.