Legal Issues of Cloud Forensics – Part 3

What Tools and Techniques Are Available for Compelling Information?

1. Preservation Letters and Litigation Holds

Once you determine your cloud provider and the location of its headquarters or state of incorporation, immediately issue a preservation letter or litigation hold. A litigation hold “is a temporary suspension of the company’s document retention destruction policies for the documents that may be relevant to a lawsuit or that are reasonably anticipated to be relevant.”[1] This can also be used to induce the provider to begin collecting data normally destroyed on a monthly, weekly, or even daily basis. A company must preserve data or evidence when it has notice or reason to believe that the data or evidence is relevant to litigation or should have known that the data or evidence may be relevant to potential litigation.[2] The litigation hold or preservation letter provides that necessary notice.

When issuing the letter or hold, it is very important to define, as specifically as possible, the data or information you are seeking and the form or format you want it in, that is, “its original format.” A provider, to make its own life easier, may just copy the data to a drive or other storage unit and provide it to you. The format you receive it in may not be the original format, and you will not likely receive a chain of custody or documents describing the particular collection techniques used unless you dictate what you are looking for and how.

2. Federal Rules of Civil Procedure and Subpoenas

Assuming you were able to request or compel the provider to preserve data, but you have not been successful in compelling cooperation in collecting data, the following Federal Rules of Civil Procedure (FRCP) and subpoenas may be applicable and are some of the few tools available in our scenario. Remember, in this scenario your focus is not criminal prosecution.

FRCP Rule 34 allows you to submit a request to preserve data and may even allow you to collect and inspect data. FRCP Rule 45 allows you to specify in a subpoena the form or forms for collection of electronically stored information (ESI). However, FRCP Rules 26 and 37 could play against your efforts by limiting what the provider must produce and what is considered reasonable at the time. These rules are briefly summarized below.

Each state uses its own rules of civil procedure, and many were crafted after the FRCP. So in many jurisdictions, rules may be similar. As practitioners from many different jurisdictions are likely to read this paper, we will focus on the FRCP. Also, in the interest of brevity, this paper will not delve into whether you should use state or federal rules. Suffice it to say, if you can cleanly claim all interested parties and information are within your state jurisdiction, then lean toward state civil procedure rules, although many other factors should be reviewed as well.

Per FRCP Rule 34, one party may request from another who is in possession or control of cloud data that the holder “produce and/[or] permit the requesting party or its representative to inspect, copy, test, or sample the…items in the responding party’s possession, custody, or control.”[3]

Assuming your litigation hold or preservation letter was followed and effective, this rule could enable you to see and/or collect exactly what you need or, at the very least, request the information from the provider.

FRCP Rule 34(b)(2)(E), titled “Producing the Documents or Electronically Stored Information (ESI),” specifically states:

Unless otherwise stipulated or ordered by the court, these procedures apply to producing documents or electronically stored information:

(i)    A party must produce documents as they are kept in the usual course of business or must organize and label them to correspond to the categories in the request;

(ii)   If a request does not specify a form for producing electronically stored information, a party must produce it in a form or forms in which it is ordinarily maintained or in a reasonably usable form or forms….

FRCP Rule 45(a)(1)(C), titled “Combining or Separating a Command to Produce or to Permit Inspection; Specifying the Form for Electronically Stored Information,” states:

A command to produce documents, electronically stored information, or tangible things, or to permit the inspection of premises may be included in a subpoena…or may be set out in a separate subpoena. A subpoena may specify the form or forms in which electronically stored information is to be produced.

(a)(3) Issued by Whom. The clerk must issue a subpoena, signed but otherwise in blank, to a party who requests it. That party must complete it before service. An attorney also may issue and sign a subpoena as an officer of:

(A) A court in which the attorney is authorized to practice….

Now, before you get too excited, let’s take a look at FRCP Rules 26 and 37.

FRCP Rule 26(b)(2)(B), titled “Specific Limitations on Electronically Stored Information (ESI),” states:

A party need not provide discovery of electronically stored information from sources that the party identifies as not reasonably accessible because of undue burden or cost. On motion to compel discovery or for a protective order, the party from whom discovery is sought must show that the information is not reasonably accessible because of undue burden or cost. If that showing is made, the court may nonetheless order discovery from such sources if the requesting party shows good cause, considering the limitations of Rule 26(b)(2)(C). The court may specify conditions for the discovery.

Finally, FRCP 37(e) states that a party may be relieved of its duty to preserve if the data is “lost as a result of the routine, good faith operation of an electronic information system.”

All is not lost though. Forensics requires a lot of out-of-the-box thinking, just as much of cybersecurity does. For instance, cloud providers keep much data for billing purposes, and this data can be very valuable. “Cloud providers likely retain information regarding when resources are provisioned and de-provisioned for billing purposes.” [4]

[1] Definitions,

[2] Zubulake v. UBS Warburg, 220 F.R.D. 212, at 216 (S.D.N.Y. 2003).

[3] Forsheit, Tanya, “Legal Implications of Cloud Computing — Part Four (E-Discovery and Digital Evidence),” Information Law Group, (November 27, 2009),

[4] Josiah Dykstra and Damien Riehl, “Forensic Collection of Electronic Evidence from Infrastructure-as-a-Service Cloud Computing,” XIX Rich. J. L. & Tech. 1, available at:

Reproduced from Global Knowledge White Paper: Legal Issues of Cloud Forensics
