That one artifact: How cloud forensics reveal evidence when devices don’t
In this series, Chad Gish, CID/SISU Detective, Metropolitan Nashville Police Department shares some noteworthy cases in his extensive career where tools like Magnet Axiom were able to help close a difficult case.
The importance of acquiring cloud and social media data in criminal investigations cannot be overstated.
Sometimes that data holds the crucial information that determines whether an arrest is made at all, and missing it can mean that a dangerous person remains on the streets. We’ll walk through a real case where, because of data retrieved through cloud forensics, a previously convicted child predator was arrested and imprisoned.
A helpful tip from NCMEC
This particular case started when a cyber tip was received from the National Center for Missing and Exploited Children (NCMEC) regarding child sexual abuse material (CSAM). During the investigation, the IP address in the tip was traced to the suspect’s residence, and search warrants were obtained and executed at the house.
The suspect consented to an interview and repeatedly claimed he knew absolutely nothing about CSAM originating from his residence. Numerous devices were seized from his home, and several days and nights were dedicated to processing and analyzing the data, with minimal results.
Investigators even speculated that they could have overlooked a small device at the residence, possibly concealed within a false wall, tucked away in the attic, or it might have simply been absent from the home.
Despite the wealth of evidence pointing to the crime originating from this residence, no concrete evidence was obtained from the devices to incriminate the main suspect.
Looking to cloud forensics
While there was no direct evidence found on the physical devices, they did contain some items of interest that could help with the investigation: cloud and social media accounts.
Preservation letters were served and search warrants were executed on the providers, and one warrant return contained thousands of CSAM images and the accompanying search terms. While no specific evidentiary search terms had been found on the physical devices, the warrant return from a popular internet search engine revealed thousands of unthinkable queries related to children.
The investigator working the case promptly sifted through the disturbing terms, looking for personal searches made by the suspect that could tie him to the heinous activity. The break came when the account was used to access “FindAGrave.com” and search for the grave site of the suspect’s mother. The investigator then found that the suspect accessed his personal webmail a mere two minutes after searching for his mother’s grave, and shortly after that used the same web browser to purchase tickets to an event he was later confirmed to have attended.
Leaving no stone unturned
Was it chance or luck? No.
It was the relentless efforts of investigators, exhausting every possibility and recognizing the crucial significance of data from various sources.
During the initial interview, the suspect vehemently asserted that no one else had access to his devices or account passwords, thereby locking himself into a statement. Asking the right questions during an interview and committing the suspect to a statement and timeline is paramount. Staying ahead in the investigation is critical, because there is often only one opportunity for an interview, and cloud forensics can frequently be the key to disproving a suspect’s statements.
It is typical for perpetrators involved in crimes against children to initially segregate their illicit material from personal data. Fortunately, it is also typical that they eventually become complacent and careless, eventually combining personal data with their illegal activity. When confronted with this recently discovered cloud forensics evidence, the suspect remained largely silent, only requesting his attorney.
In teaching digital forensics and incident response (DFIR), it’s essential to emphasize the significance of accessing data stored with various providers. Simply seizing physical devices is no longer adequate as more and more information makes its way to the cloud. Investigators must actively pursue that evidence, along with evidence from IoT (internet of things) devices, in order to retrieve all relevant information, as it may be the crucial breakthrough.
See for yourself how Magnet Axiom can help
Examine digital evidence from mobile, cloud, computer, and vehicle sources, alongside third-party extractions all in one case file with Magnet Axiom. Learn more about how you can use powerful and intuitive analytical tools to automatically surface case-relevant evidence quickly and try it today.