Could there ever be a Forensic Search of the Cloud?

I was at a Friends of eDiscovery gathering in the Midwest last week.  This is a group aimed at providing local forums to discuss the eDiscovery conundrum, and to determine local standards of care in the eDiscovery workflow.

At one point, the discussion turned to forensic collection, and whether it is required in all cases.  Of course, no one thought that it is always necessary, but in the ensuing discussion, someone wondered whether we would begin to see forensic collections from Cloud service providers.  As a (and perhaps the only) Cloud service provider in the room, I made the point that we had not seen 3rd party requests for forensic collection and did not see a future where we would permit forensic collection from our servers.  (I should also note that by ‘forensic collection,’ I mean a bit-by-bit copying of a drive, not merely a defensible collection.)

Without even touching on the Stored Communications Act (18 U.S.C. §§ 2701 to 2712) and its applicability to Cloud computing providers, the very nature of the Cloud computing business model argues against there even being ESI that would need a forensic collection to access it.  To a large degree, this is due to the distributed, multi-tenant nature of the model.

In essence, Cloud computing providers build an infrastructure (as actual machines or as an application) and rent out parts of it to people and organizations as they need it, with customers’ data distributed across that infrastructure.  As any information is deleted, the storage space or computing power is automatically and immediately reclaimed so it can be placed in use by someone else.  So there would be nothing for a forensic collection to gather that a routine collection would not gather.

If, by chance, some information remained on abandoned Cloud territory, the distributed nature of storage in the Cloud would render that information horribly expensive to gather.  To be able to reconstitute data into a meaningful format, the collection would have to be done on ALL of the provider’s servers (within a given geography, if the data for the client in question were so limited).  This would take the already-high cost of hard drive restoration and multiply it many times over.

All this is not to say that there will NEVER be a situation where a forensic collection from a Cloud provider could be appropriate, but that’s only because never is such a long time.  But because of the low likelihood of finding unique information in a forensic collection and the high cost of such a collection, never seems pretty close to the mark.
