Enhancing Digital Investigations With Cloud-Based Evidence

Matt: Hello everyone. My name is Matt Melton. I am a business development manager on our justice and public safety team at Amazon Web Services, or AWS, also known as the Amazon cloud. We’re gonna talk today about something that is near and dear to my heart, which is how you can manage your digital investigations on the cloud.

I wanna first off thank Magnet for having me and inviting us here today and really seeing the importance of this topic, and really get the opportunity to talk to you about what we’re seeing in the public safety space, how cloud is changing the public safety community and the opportunity that’s there for managing digital investigations and digital evidence and addressing really what I see as some key challenges for the agencies that I work with and speak to.

So, you know, here at Amazon, our focus is starting from our customers and working backwards. We have built our entire business, whether it’s our retail business or our cloud computing business on focusing on what the key customer challenges are, and then working backwards to find a solution that actually meets a need.

And one of the main challenges I spend a large part of my time running around the country, going to conferences, speaking to chiefs, sheriffs, investigators about what their problems are, and one of the things that keeps coming up over and over again is the challenge that comes with managing digital forensics and digital evidence. There’s a massive amount of data, and we’re only creating more and more of this data that is necessary to store and manage, and storing it on premise just becomes a challenge, right?

Not only that, but you have data that’s coming from multiple different places. Whether it’s those extracts that are coming from your cell devices, whether it’s the call data records coming from the cell phone companies, whether it’s tips and leads coming in from your community, or your records management system. Data’s coming from all over the place, getting a handle on all that data and then connecting the dots on it is a huge problem.

And then we’re talking about digital investigations, especially with the amount of digital forensic data that are being produced from these devices, you need a lot of processing power. Doing that, and I’ve talked to agencies that are buying gaming computers and going through them like candy because of the amount of power that’s required to process this information.

So, what’s the solution? And I actually think the cloud can be a big solution, particularly Amazon Web Services. So, we’re gonna talk a little bit about that today and I wanna start by kind of giving you an overview for those of you that have not really…aren’t really familiar with the cloud, aren’t really familiar with AWS, who we are, what we do.

So, Amazon Web Services was founded because we got very good at running a very large IT infrastructure to support amazon.com. So what we did was we decided to offer as a service.

Fast forward 15, 16 years later, we developed a huge cloud infrastructure that builds services dedicated to supporting both IT environments, as well as executives throughout the world. Whether it’s commercial industry, whether it’s major governments and now more than ever, justice and public safety.

So, not only are the things that you’re doing…pretty much every time you leave your agency in the cloud, whether it’s anything on your cell phone, whether it’s your online banking, whether it’s any streaming service, basically you name it: Netflix, Amazon Prime, Disney+, all run AWS. So it’s become an intractable part of our lives.

And I’m seeing that happen more and more in public safety. So, you talk about (and we’ll look at this a little bit later) but the FBI runs on AWS. Many of the three letter intelligence agents run AWS, and more and more applications are running in AWS.

And you can see here, this is what we are focused on at AWS, is identifying what the key mission systems are for justice and public safety, whether that’s 911 emergency response, fire and EMS, law enforcement, courts and corrections, and making sure that agencies have good options for cloud hosted or cloud enabled offerings, because it’s becoming harder and harder to manage that on premise infrastructure.

So, you can see here, I think this is a really key piece of why I think it’s important, as you’re thinking about cloud, because we are thinking about you. Now, we have invested…when I joined AWS four years ago, it was really just two of us. Ryan Reynolds, our justice and public safety leader, and I looking at this market and just four short years you could see the investment that Amazon AWS has made in supporting public safety.

We have dedicated subject matter experts and 911 emergency response that are previous practitioners. We have former law enforcement practitioners, including Scott Montgomery, who was an officer with Bellevue Police Department for 12 years, Jeremy Slavish, who ran the biometrics division at the Michigan State Police.

And then we have a number of technology experts, including CJIS professionals to help our customers and our partners understand the CJIS security policy and how cloud fits in, and make sure from a technology standpoint, we are doing everything we can with our engineering teams to make sure that our next generation of offerings are gonna meet the needs of law enforcement and public safety.

So, here’s what we see as the four keys to being successful within the public safety mission. And in the first I’ll highlight as partners. Cloud is hard to consume for a lot of agencies, and I’m sure many of you are in the boat where you just don’t have very robust information technology teams that can build and manage applications on their own.

So, this is where we’re focused on working with folks like Magnet, who are the thought leaders and the innovators in the digital forensics and digital investigation space and helping them adopt cloud and helping marry them up with the customers that have those specific needs. So, partners become a really critical part of our agency’s cloud journey.

The other three that I’ll highlight and I think most important, which we’ll talk about first is security, right? Without security, there would be no ability for law enforcement and public safety to leverage the cloud. And that same goes true for any of the agencies I talked about earlier, whether that’s highly regulated banking industry, international organizations or federal or local law enforcement. So, we’ll talk a little bit about security.

The other key piece, especially as agencies adopt more mission critical systems is that reliability and network component, right? Those systems need to stay up, they need to be available 24/7 so that when incidents happen, my folks both in my command center at my agency, as well as the folks that are out deployed into the field have access.

So, having a reliable solution and then having the network to support it are also as critical. So these are the things that we are thinking about.

So, diving into security a little bit, we have this thing that we like to call the shared responsibility model. So for us, like I said, security is job zero. We need to make sure that we are enabling our partners and customers to adopt the best security posture possible.

So that means we have built cloud infrastructure to support that. We have built very highly secured facilities that are monitored, that have state of the art surveillance, and then we have put hardware within those data centers that support the highest amount of cyber security as well.

So, we build our own hardware in house, everything down to the chip: the chip, the hypervisor, the servers, racks, all built by agents. What we wanna do is make sure we know for a fact that this meets the needs of our customers. And we’ll talk a little bit about one of our key approaches to this is zero trust.

So, being able to ensure that you can build applications where you don’t rely on AWS or Amazon to hire the right people, those people should not be able to see any of your data and we’ve enabled it so that anybody that’s either physically present in our data centers or working on our services and applications do not have access.

However, that’s a shared responsibility because, say I’m hosting a website, I don’t wanna lock that down to the outside world, I don’t want nobody…I don’t want everybody not to be able to see it or access it. So, that’s why we give our partners and our customers the tools to manage the security of their own applications.

So AWS handles the infrastructure, the security of the cloud. It’s you and the vendors that you work with that are responsible for handling the security in the cloud. So, whether that’s configuring the network properly, ensuring you have robust identity and access management, turning on two factor authentication, making sure that you’re only using services with FIPS 140-2 endpoints, especially if you need to be compliant to the CJIS security policy.

So, we provide all the tools, we’ll even provide some guidance, but ultimately it’s up to you and your vendors to ensure that you are leveraging the services that we provide to the best capability to meet the needs…the security needs that you have.

So, talking about how we’re meeting the security needs of our customers. We have…AWS is built as a series of regions (we’ll talk about that in a little bit and how those are designed), but we have purpose built our GovCloud regions: we have two, one in the west and one in the east that are designed to handle the most stringent security requirements of US government agencies.

So, things like ITAR, standards like NIST. We’ve built these data center regions staffed by US persons on US soil to meet those needs. And as you’re thinking about highly secure workloads, like CJIS, GovCloud is the first place you want to look. Because what it does is it enables you to build applications that are compliant to the CJIS security policy and go beyond that threshold of the security requirements that are built within the CJIS security policy.

Just real quick, I know many of you are probably concerned with CJIS. We are the only cloud provider that can provide CJIS compliant applications in all 50 states. And this all goes back to what we talked about with the zero trust security model. We have built our hardware and software to make it so that our personnel do not have access to criminal justice or any other data, as long as you’re locking down the applications in an appropriate way.

And that is very unique, it’s very unique to AWS. And I think it’s critically important as we’re talking about some of these digital forensics workloads, where you’re dealing with highly sensitive information, highly sensitive data, you do not wanna risk anybody that does not have a need to know or need an ability to see, to have access to that data.

Bear in mind, the CJIS security policy and CJIS is actually a division of the FBI. It’s also a building in Clarksburg, West Virginia. With CJIS, it’s basically the governing compliance regime that governs all this data that’s being shared from the FBI, including the National Crime Information Center (NCIC) and all of the biometrics information.

That information, much of it, sits on AWS today. The FBI has made a decision to move to AWS for many of the reasons I’m highlighting here today to move that information. So all of that data when you’re accessing it, and you’re being responsible for protecting it, realize that the FBI trusts AWS with that data.

Great. We talked about security, the next thing I wanna kind of talk about is that availability and reliability piece. And so when we talk about an AWS region, we’re not just talking about a single data center. Some other cloud providers, when they talk about a region, will talk about a single data center. A region is actually a cluster of data centers.

So, again, talking about that GovCloud West, GovCloud East. GovCloud West, both of them have three availability zones, each availability zone you can think of it as a cluster region. So, typically at least three data centers. So, you have three AZs with at least three data centers, you’re talking about if you’re storing your data, it’s being replicated nine plus times.

And this…our availability zones are designed to be highly fault tolerant, withstand a massive loss of critical infrastructure, they have excess bandwidth between them. They’re built across flood plains, they’re independently powered. So, if you’re hosting data in a region and one of those data centers loses power, or there’s a flood or an earthquake, your data is gonna stay there, and more importantly, you’re gonna even be able to still access your application.

So, when we talk about cloud, don’t just think about, “hey, I’m just putting it offsite on a data center somewhere else.” Think about how we are architecting and how you are building solutions that are designed to persist no matter what the outcomes of floods or disasters or hurricanes or any other unforeseen incidents.

And that’s what makes it so powerful. When I go and decide to host my data, I choose which region that ensures the data providence and the ability for that data to only reside within that region. Particularly if within those GovCloud regions, which are physically and logically separated from all other regions, you can ensure that data’s not leaving that region, particularly going overseas or anything. And you’re actually able to verify that with some of our tools to enable you to see that traffic.

So, we talked a little bit about the availability zone design. I think it’s a key differentiator and key if you’re thinking about hosting digital forensics workloads and digital investigations workloads in the cloud. You can ensure that that data is not 1) you’re not gonna lose it, 2) you’re gonna be able to access it 24/7, as long as you have a dedicated network connection.

So, that leads me to my last conversation, which is the network. This is particularly relevant within digital investigations and digital forensics. I get this question a lot, because you get a lot of data, and that is a lot of data that is traversing from a device and an on-premise system into the cloud. And we continue to look for ways to build reliable, redundant, robust enough connections to AWS so that you can ensure that you’re able to transfer that large amount of data.

When you’re talking about uploading a large amount of data, there’s other options, we have what are called our Snow Family, which basically gives you a…we will mail you a hardware device that is encrypted, that you can then mail back and have it uploaded in the cloud.

But we also have ways to create a dedicated and persistent connection. And AWS, this includes our Direct Connect, our AWS Direct Connect, which gives you a dedicated fiber connection that connects right into one of our centers and rides AWS fiber into our cloud, so you are not relying on the private internet.

Other options for those that can’t afford, that we’re looking at ways to create redundant backups, whether that’s dual ISPs, or over the air. We have our…we’re partnering with Dejero. Dejero builds a nifty little device that has SIM cards for each of the major carriers and will connect to the best signal. So, you can ensure that if your internet connection goes down, you still have that over the air connection to access that data and access those critical applications.

So, we continue to think about this. We continue to look for ways. We’d love to answer any questions you guys have either after this or offline to talk about what might be best for your agency.

So with that, that’s all I wanted to talk about today. Just to reiterate some key points: 1) AWS is committed to the public safety community. We are continuing to invest resources: time, people and money to supporting them. And the last four years that I’ve been here, public safety has really started to adopt the cloud, particularly AWS in real ways.

And I would venture to guess, if you go back and talk to your departments, look at the applications you’re using, many of which are already hosted in the cloud. And one of the things that I’m starting to see is the need for those digital investigations and forensics labs to start being hosted in the cloud. Because of that security, because of that reliability, because of that highly scalable infrastructure. You basically have unlimited computing power in the cloud.

So, the days of buying gaming laptops to support these workloads and having to throw them away and buying new ones every couple months are shortly gonna be over. Because you have unlimited capacity at your fingertips and whatever you need.

And this cloud is…with AWS, we are trusted by the FBI. We have a number of digital investigations and forensics workloads happening, both at the federal and the state and local level because of that zero trust security policy, because we do not have access on our side and you can ensure that that data is going to be secure and it’s going to be protected. And it’s only gonna be seen by those that need to see it.

So, with that I’d love to open it up to questions and we’ll be there to answer any questions that you guys have, but I really appreciate the time today and thanks again to the Magnet team for, really, the opportunity to speak and for an awesome conference. Hope to see you guys in person someday. Thank you very much.
