Besides the possible legal problems about authorization to access the cloud database, I see also potential problems in the way it is accessed and the actual validity of the data retrieved.
I mean, for all we know the particular local good, helpful guys may have a limited access to the database and some info (that may actually be inside the database records) may not be accessible through the employee's login/credentials.
In other words, once given that the power of seizure covers the foreign hosted data, and that consequently data retrieved is valid in the case, it seems to me like there is no way to prove (or disprove) that the retrieved data is "the whole story" or "a mere fragment" of it.
jaclaz
What cloud solution can be accessed outside of the cloud, that is, outside itself and without using its interface without undue burden?
What cloud solution can be accessed outside of the cloud, that is, outside itself and without using its interface without undue burden?
I am not saying that is possible, but as I see it, it looks a lot like if you need to do forensics on a local database file, on, let's say, a Vista running PC with a few limitations ;)
- you cannot re-boot the PC to any other OS
- you cannot have Administrator access
- you cannot disable UAC and run "your" programs
- you cannot access hard disk sectors
I would presume that anything "zapped" from the database file would not be found.
In the case of cloud data I would think that a "top" level account to access the data with AND a signed affidavit (or the equivalent) by the actual responsible of the data keeping "warehouse" to validate the data integrity are an additional suggested step.
Not much, but still something more than a "good helpful" (implied "lower grade") employee lending you his laptop.
jaclaz
I would presume that anything "zapped" from the database file would not be found.
Kevvie Fowler who wrote the book "SQL Server Forensics" gave a quick workshop here at the College as part of our network forensics course and showed how to recover deleted (or modified) database entries from a SQL server. It's been a few months, but if I recall all that was needed was remote admin access privileges.
Very nice to be able to prove that an entry had been modified, say when it happened, and get the old data back…
Having said that, doing it with "cloud" type tools may be quite a different ball game.
Kevvie Fowler who wrote the book "SQL Server Forensics" gave a quick workshop here at the College as part of our network forensics course and showed how to recover deleted (or modified) database entries from a SQL server. It's been a few months, but if I recall all that was needed was remote admin access privileges.
Yep.
That's why I said that IF you don't have enough credentials THEN you cannot find zapped data.
…with a few limitations
- …
- you cannot have Administrator access
- …
I would presume that anything "zapped" from the database file would not be found.
jaclaz
If you have access to the employee's computer which has authorisation to be connected to the cloud, surely it can be argued that the cloud is simply an extension of that employee's computer, and when the data transaction of connecting takes place the communication ends on the computer of the employee who is in your jurisdiction.
For right or for wrong, my idea, but it is very messy.