Why CSI does not get cloud computing, and why there are no easy solutions


I always get a kick out of the CSI shows on network television. They depict a world where very clever sleuthing using forensic science uncovers some clue that puts the bad guy away. I also watch the reality TV versions of real criminal investigations, where the cops have to wait 10 years for the phone to ring before they are able to catch the culprit, because somebody turns the person in.

The reality is that those charged with solving crimes who use modern forensic science have a challenge on their hands when it comes to the digital world. Not that digital evidence is an ineffective crime-solving tool for convicting those who are guilty. It’s the fact that the technology is constantly shifting. It’s getting damned hard for CSI unit computing geeks to keep up.

NIST published a draft report for public review that summarizes 65 challenges that cloud computing poses to forensics investigators. These are the people who uncover, gather, examine and interpret digital evidence to help solve crimes.

The report, entitled NIST Cloud Computing Forensic Science Challenges, was prepared by the NIST Cloud Computing Forensic Science Working Group. This is an international body of cloud and digital forensic experts from industry, government, and academia.

What’s happening now is that we’re no longer storing much of our data on laptops, smart phones, or tablets. Now, our data actually exists on remote cloud-based systems. So, grabbing somebody’s phone to gather evidence will only lead to finding that the good data is stored remotely, and most often is inaccessible without a series of warrants for particular cloud providers or back-end servers. Good luck if the data is stored out of the country.

The characteristics that make cloud computing so compelling also create challenges for forensic investigators who must track down evidence in the ever-changing cloud computing world. Laws have yet to be tested, and cloud providers are not going to lie down when the police come calling. They will meet privacy expectations of their customers to the best of their abilities.

Moreover, borders make things even more difficult. It’s clear that criminals are going to hide data in cloud providers within countries that are less likely to pony the data up when the federal officials come a-calling. Think Swiss bank accounts, but for data. Somebody will certainly exploit that emerging demand, and you’ll have to deal with the laws of the country where the data is physically stored.

Technical challenges abound, and are outlined in the NIST report. However, almost all intersect with legal and organizational issues. The 65 challenges that the working group identified are divided among nine categories, including architecture, data collection, analysis, standards, training, and “anti-forensics” (such as data hiding and malware).

This is an old problem with a new focus. As highlighted in this 2011 article,

“Over time, the use of digital evidence in criminal and civil matters will continue to expand. Cloud providers and customers need to set up their infrastructures to meet these lawful requests or face fines and other legal repercussions. Furthermore, they need to do so without violating local privacy laws or accidentally giving away competitive secrets.”

The demands of cloud forensics could prove costly as lawsuits and investigations become commonplace. Indeed, a study by McKinsey & Company found that electronic discovery requests were growing by 50% annually. This is mirrored by a growth in e-discovery spending from $2.7 billion in 2007 to $4.6 billion in 2010, according to a Socha Consulting LLC survey.

The law continues to evolve in this area. Test cases will certainly drive how the law treats cloud computing. However, most US courts have made it clear that they want those with the data to take steps to retain it, and turn it over to officials when a warrant is served.

“In the U.S., courts are becoming insistent on the need for systems to gather and preserve digital evidence. In early 2010, Judge Shira Scheindlin imposed sanctions on 13 parties that neglected to meet discovery obligations. She wrote, ‘Courts cannot and do not expect that any party can meet a standard of perfection. Nonetheless, the courts have a right to expect that litigants and counsel will take the necessary steps to ensure that relevant records are preserved when litigation is reasonably anticipated and that such records are collected, reviewed and produced to the opposing party.’”

Of course, these issues were most evident in the recent IRS e-mail scandal, where the head of the IRS claimed that e-mails were lost due to a hard drive crash. It seems that the IRS erases backups every six months, so they claim that the e-mails are gone. Perhaps Gmail would have been a better option?

The real fear is that criminal organizations will get good at leveraging cloud computing as an effective way to hide criminal activity. They have the most to gain, and the most to lose. I suspect that these organizations have already figured out that it’s not safe to keep data locally, considering that the police will grab the devices and computers first when raided. Indeed, their approach will likely be to keep the data remote, and only load portions of it within the user interface when needed, storing nothing locally that could cause real damage.

However, I don’t think there will be issues with the guy who kills his wife for the $10,000 insurance policy, which is pretty much the theme of ID Discovery shows on cable TV. Those types of cases are not likely to hide evidence in the clouds proactively, but I’m sure there will be cases where they do.

The criminal activity that occurs within some corporations could be another story. As enterprises get good at cloud-based security, they could also get good at hiding evidence of a crime in the clouds. Even with the data retention laws that require that e-mail and other electronic records be retained for a reasonable amount of time, I suspect that we’ll have issues where cloud-based resources contain evidence of insider trading, IP theft, patent violations, and so forth. Those looking to leverage that data for legal discovery or evidence of a crime will find that the doors to those clouds are locked up tight, and there is no key for them.

So, how do you solve the issues with cloud computing and legal forensics? Most will suggest that you enact laws that compel cloud providers to cough up the data when requested. However, US laws end at the US borders. Simply selecting an overseas cloud provider with strict privacy policies that supports local laws will mean nothing goes to the authorities without your say-so. I guess many will seek international agreements, but that will take years, if it’s even possible.

The NSA scandal has not made this any easier. Most countries are taking a very stern approach when it comes to data protection and privacy with the US government in mind. This makes hiding things in foreign clouds that much easier, and the legal paths to getting access to that information not at all clear.

I suspect that these issues will grow substantially as the legal test cases begin to emerge. Those charged with gathering forensic evidence could be in a very tough position, given the characteristics of the technology, the lack of legal precedent, and the fact that cloud computing spans countries with very different laws.

NIST is doing the right thing, in terms of bringing up this problem before it becomes a real issue. At its core, there are no simple solutions. However, it will be an interesting area to watch over the next few years.


David S. Linthicum

SVP Cloud Technology Partners
