Cloud forensics and the jurisdictional labyrinth of cross-border evidence acquisition
An Italian public prosecutor opens an investigation into a ransomware attack targeting local healthcare infrastructure. Technical analysis identifies clear attack vectors and digital footprints linked to specific infrastructure. As the investigation progresses, jurisdictional complexity becomes apparent: server logs are stored in a Dublin data center, user metadata resides on U.S.-based servers, and stolen credentials are traded on an underground forum hosted in the Seychelles. A technically routine investigation now spans multiple jurisdictions, each governed by distinct legal frameworks, procedural rules, and sovereignty requirements.

This scenario reflects the core challenge of modern cloud forensics. Evidence no longer resides in a single physical location with a clear jurisdictional anchor. Instead, it is distributed across global infrastructure where traditional forensic methods confront the realities of international law.
When the crime scene has no address
Cloud forensics has emerged as a distinct discipline precisely because the traditional approaches to digital investigation break down when applied to cloud environments. The NIST Cloud Computing Forensic Reference Architecture, published in July 2024 as Special Publication 800-201, identifies three structural reasons why cloud forensics cannot simply be treated as classical digital forensics deployed in a different environment.
The first reason is the inherent volatility of evidence in cloud systems. In traditional forensics, when an investigator seizes a physical server, the data remains intact until imaged. The acquisition window spans days or even weeks. In cloud environments, the window shrinks to hours. Virtual machines can be terminated, storage volumes deleted, and logs rotated with alarming speed. The default log retention period across many cloud providers is ninety days, after which evidence simply ceases to exist unless specifically preserved.
The second challenge is multitenancy, which renders traditional physical imaging impossible. When multiple customers share the same physical infrastructure, creating a bit-by-bit copy of a storage device would expose other tenants’ data, raising severe privacy and legal concerns. Investigators must rely on logical extractions through APIs, accepting a fundamentally different evidentiary foundation than what courts have traditionally expected from digital forensics.
The third structural difference is the divorce between investigative authority and data location. A prosecutor in Milan might have full authority to investigate crimes under Italian law, but that authority stops at the border. When the data lives in a data center in Dublin, the investigation becomes subject to Irish law, European regulations, and the policies of the cloud service provider. This separation creates what forensic practitioners describe as a jurisdictional labyrinth, where the path to evidence is blocked by legal walls that no technical skill can breach.
These challenges mirror many of the issues faced in mobile forensics, where investigators must contend with encrypted storage, logical acquisition methods, and evidence that exists partially on the device and partially in cloud-linked accounts. The mobile forensics community has developed workflows for these constraints, but cloud forensics introduces an additional layer of complexity through the involvement of multiple legal jurisdictions that simply do not exist in the mobile context.
The CLOUD Act and how jurisdiction follows the provider
The legislative landscape shifted dramatically in 2018 when President Trump signed the Clarifying Lawful Overseas Use of Data Act, known as the CLOUD Act, as part of the Consolidated Appropriations Act. The law emerged from a pivotal case, United States v. Microsoft Corporation (2013–2018), where a New York court ordered Microsoft to produce emails stored in a Dublin data center. Microsoft challenged the warrant, arguing that U.S. law enforcement authority did not extend to data stored on foreign soil. The case reached the Supreme Court, which vacated it in April 2018 after the CLOUD Act rendered the original warrant moot.
The U.S. legislature resolved the conflict with a clear, unambiguous choice. Under the CLOUD Act, jurisdiction follows the provider, not the data. If a U.S.-based service provider holds the data, American authorities can demand it regardless of where the physical servers sit. This represents a fundamental assertion of extraterritorial jurisdiction that has rippled through the global legal community.
The tension becomes immediately apparent when this American law collides with European privacy regulations. Article 48 of the GDPR establishes that any transfer of data to a third country authority requires an international agreement in force, typically a mutual legal assistance treaty (MLAT). A simple foreign warrant or subpoena does not suffice under European law. The data controller must have both a legal basis for processing and an appropriate transfer mechanism, as the EDPB and EDPS spelled out in their 2019 joint response on the CLOUD Act, which concluded that compliance with a unilateral foreign order does not constitute a valid transfer mechanism under European law.
The CLOUD Act does provide a pathway through executive agreements that streamline cross-border data requests between trusted partners. As of April 2026, only two such executive agreements are operational: one with the United Kingdom signed in October 2019 and entered into force in October 2022, and another with Australia finalized in January 2024. Negotiations with the European Union have been ongoing, but no agreement has been reached. This creates what many legal scholars describe as an impossible compliance position for cloud service providers.
I explored this conflict in detail in my analysis of the AWS European Sovereign Cloud, where the technical infrastructure promises European sovereignty while the legal reality remains tethered to U.S. jurisdiction. A provider operating under U.S. law cannot simply ignore a lawful CLOUD Act order without facing contempt charges and substantial penalties, yet complying with such an order for data stored in Europe potentially violates GDPR Article 48. The customer who paid for sovereign cloud services finds their data accessed by a foreign government, precisely the scenario that European data protection law was designed to prevent.
Budapest and Brussels building the multilateral response
Recognizing that unilateral assertions of jurisdiction were creating more conflict than cooperation, international bodies began developing multilateral frameworks to address cross-border evidence acquisition. Two parallel instruments have emerged, each taking a different approach to the same fundamental problem.
The Second Additional Protocol to the Budapest Convention on Cybercrime (CETS 224) was adopted on November 17, 2021, and opened for signature in Strasbourg in May 2022. This instrument introduces four key mechanisms that represent a significant evolution in international cybercrime cooperation. First, it enables direct cooperation with service providers without routing every request through traditional MLAT channels, which can take months or even years to process. Second, it establishes accelerated cross-border preservation, often described as a “freeze-before-lose” mechanism, allowing authorities to quickly preserve evidence before it disappears. Third, it formalizes joint investigation teams that span multiple jurisdictions. Fourth, it creates emergency procedures for time-sensitive situations where waiting for standard procedures would result in the loss of critical evidence.
The critical limitation, as of April 2026, is that the protocol requires five ratifications to enter into force. Only three countries have completed the process, including Hungary, which deposited its instrument on February 5, 2026. The protocol sits tantalizingly close to becoming operational, yet the gap between adoption and entry into force leaves investigators in a legal limbo.
The stalled ratification is not an accident. The United States and Canada, two countries whose cooperation would give the protocol real operational weight, have signed but not ratified. For U.S. officials, the protocol’s direct-cooperation provisions raise questions about consistency with domestic constitutional protections. For Canada, the process is entangled in broader debates about surveillance oversight. Their absence means that the instrument is, for now, primarily a framework among European and smaller Council of Europe member states, precisely the jurisdictions least likely to be the source of the problem.
Parallel to the Council of Europe’s efforts, the European Union developed its own instrument: the e-Evidence Regulation (EU 2023/1543). This regulation introduces the European Production Order (EPOC), which can be transmitted directly to service providers through the eEDES system. The European Commission adopted the technical specifications for this system on July 28, 2025, paving the way for implementation. The regulation enters into force on August 18, 2026, and it carries teeth. Providers that fail to comply face fines of up to 2% of their worldwide turnover, a penalty substantial enough to focus any boardroom’s attention.
The Eurojust analysis of the Second Additional Protocol emphasizes that these tools are not merely administrative conveniences. They represent a fundamental rethinking of how cross-border evidence acquisition should work in an era where data knows no borders. The traditional MLAT system, designed in an era of paper documents and physical evidence, simply cannot keep pace with the speed at which digital evidence appears and disappears.
The relationship between these two frameworks remains complex. The Budapest Protocol aims for global participation, including countries outside the European Union. The e-Evidence Regulation applies specifically to EU member states and providers operating within the European market. In theory, they should complement each other. In practice, providers may find themselves navigating both frameworks simultaneously, each with its own procedures, timelines, and compliance requirements.
The chain of custody problem in cloud evidence
While legal frameworks struggle to keep pace with technology, a more fundamental technical problem threatens the evidentiary value of cloud forensics: the chain of custody in an environment where the investigator never physically touches the evidence. In traditional forensics, the chain of custody is established through a clear narrative. The investigator seized the device, created a forensic image in a controlled environment, and maintained continuous possession or documented transfer of the evidence. The judge can see the physical object and understand how it moved through the investigative process.
Cloud forensics breaks this model entirely. The evidence is never physically touched by the investigator. It is extracted through API calls, downloaded from provider portals, or provided through automated systems. Each step in this process introduces questions that defense counsel will inevitably raise in court.
The absence of physical imaging means that investigators must rely on logical extractions through provider APIs. The provider becomes the gatekeeper of evidence integrity. If the provider’s systems are compromised, if their logging is inadequate, or if their processes lack transparency, the evidentiary foundation weakens. The investigator depends entirely on the provider to maintain the integrity of evidence before acquisition even begins.
Timestamp volatility presents another critical challenge. Cloud systems generate massive volumes of log data, but the default retention period across major providers is typically ninety days. After that window closes, the evidence is gone forever. Even within that window, timestamp drift across distributed systems can create evidentiary conflicts. A log entry timestamped in Dublin might reflect a different moment than the same event recorded in Virginia, and reconciling these differences requires technical expertise that many courtrooms struggle to evaluate.
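The drift problem described above is easier to reason about once every record is normalised to UTC before comparison. The following is an added example written for this article, not code from the author or from any cloud provider: it parses constructed log lines from two regions, one of which writes an explicit UTC offset and one of which writes naive local time, converts both to UTC, and flags request identifiers whose records disagree by more than a tolerance. The log field layout and the assumption that the offset-less region writes US Eastern summer time (UTC-4) are mine.

```python
"""Normalise cloud log timestamps from several regions to UTC and flag drift.

Added example for the article; the log lines and field layout are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample: the same request (by request_id) recorded by two regions.
# The eu-west-1 writer includes its offset; the us-east-1 writer emits naive
# local time (assumption: US Eastern in summer, UTC-4).
SAMPLE_LOGS = [
    "2025-06-14T10:02:05+01:00 region=eu-west-1 request_id=req-001 action=GetObject",
    "2025-06-14T05:02:09 region=us-east-1 request_id=req-001 action=GetObject",
    "2025-06-14T10:02:30+01:00 region=eu-west-1 request_id=req-002 action=DeleteObject",
    "2025-06-14T05:02:29 region=us-east-1 request_id=req-002 action=DeleteObject",
]

# Assumed offsets for regions whose log writers omit one (documented per case).
REGION_DEFAULT_OFFSET = {"us-east-1": timedelta(hours=-4)}


def parse_line(line: str) -> Tuple[datetime, Dict[str, str]]:
    """Split one line into a UTC-aware timestamp and its key=value fields."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.fromisoformat(ts_text)
    if ts.tzinfo is None:
        offset = REGION_DEFAULT_OFFSET.get(kv["region"])
        if offset is None:
            # Refuse to guess: an undocumented offset is itself an evidentiary gap.
            raise ValueError(f"no offset known for region {kv['region']}")
        ts = ts.replace(tzinfo=timezone(offset))
    return ts.astimezone(timezone.utc), kv


def utc_timeline(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (UTC ISO timestamp, region, request_id) sorted by UTC time."""
    rows = []
    for line in lines:
        ts, kv = parse_line(line)
        rows.append((ts.isoformat(), kv["region"], kv["request_id"]))
    rows.sort()
    return rows


def drift_by_request(lines: List[str], tolerance_s: float = 2.0) -> Dict[str, float]:
    """Spread in seconds between records of the same request_id.

    Only identifiers whose spread exceeds the tolerance are returned; those are
    the entries an examiner must explain (clock skew, queuing, or a real gap).
    """
    seen: Dict[str, List[datetime]] = {}
    for line in lines:
        ts, kv = parse_line(line)
        seen.setdefault(kv["request_id"], []).append(ts)
    flagged = {}
    for rid, stamps in seen.items():
        spread = (max(stamps) - min(stamps)).total_seconds()
        if spread > tolerance_s:
            flagged[rid] = spread
    return flagged


if __name__ == "__main__":
    for row in utc_timeline(SAMPLE_LOGS):
        print(*row)
    print("drift beyond tolerance:", drift_by_request(SAMPLE_LOGS))
```

Recording which offset was applied to each offset-less source, rather than silently guessing, is what lets the normalised timeline survive cross-examination.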
Data at rest encryption adds another layer of complexity. Cloud providers encrypt customer data using keys that they control. Without those keys, the evidence is cryptographically locked. Providers generally cooperate with lawful requests, but the technical architecture means that the provider, not the investigator, holds the practical power to reveal or withhold evidence. This creates an uncomfortable dependency that traditional forensics never faced.
The metadata that accompanies cloud evidence often lacks a physical counterpart that can be examined and verified. In a traditional forensic image, the file system structure provides context that helps establish authenticity. In cloud extractions, the metadata is provided by the same entity that holds the data, creating a circular trust relationship that skeptical defense attorneys can readily challenge.
Emerging solutions point toward blockchain-based registries that create immutable records of forensic operations. The NIST SP 800-201 published in July 2024 contemplates such approaches, where each step in the forensic process is recorded in a distributed ledger that cannot be retroactively altered. The technology exists, but the absence of internationally shared standards means that a blockchain record created by Italian investigators might not be recognized as reliable evidence in a German courtroom or an American federal court.
For practitioners navigating these challenges, the DFIR tools list I maintain includes several utilities designed specifically for cloud evidence acquisition, though none can fully resolve the structural limitations of investigating infrastructure you do not control.
Digital sovereignty vs. global cooperation in cloud forensics
The jurisdictional labyrinth of cloud forensics reveals a profound paradox that sits at the intersection of digital sovereignty and global cooperation. European digital sovereignty initiatives, such as the AWS European Sovereign Cloud and similar offerings from other providers, aim to protect European citizens’ rights by ensuring that data stays within European legal jurisdiction. The GDPR, the proposed AI Act, and various national data localization laws all reflect a desire to maintain control over digital assets and the investigations that touch them.
Yet this very sovereignty creates an unintended beneficiary: ransomware groups and other cybercriminal organizations that deliberately structure their infrastructure across hostile jurisdictions. When every state can deny access to data within its territory, criminal organizations gain a powerful shield. The REvil case illustrated this vividly. During Operation GoldDust in 2021, Europol coordinated law enforcement from seventeen countries in a sweeping action against the ransomware group. The operational infrastructure was successfully disrupted across multiple jurisdictions. However, the core operators sitting in Russia remained beyond reach, protected by a jurisdiction that declined to cooperate with Western law enforcement requests.
The paradox is clear. Strong digital sovereignty protects citizens from foreign surveillance and unauthorized data access, which is a legitimate and important goal. However, the same legal barriers that protect privacy also protect those who exploit the cloud’s borderless nature for criminal purposes. Every mutual legal assistance treaty takes months to process, every jurisdictional dispute creates delays, and every conflict between laws like the CLOUD Act and GDPR creates loopholes that sophisticated adversaries can exploit.
For investigators and enterprises operating in this environment, certain best practices have emerged from the field. The preservation request should be the very first act of any investigation involving cloud evidence. Once triggered, providers are legally obligated to preserve relevant data, preventing the ninety-day retention clock from expiring while legal procedures unfold. Every acquisition must be documented with SHA-256 hashes and digital signatures that comply with eIDAS Regulation (EU) 910/2014, creating a cryptographic trail that can withstand courtroom scrutiny. ENISA’s Guidelines on Assurance Levels for Digital Signatures provide a practical framework for calibrating which signature level is appropriate depending on the evidentiary standard required in the target jurisdiction.
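One way to produce the cryptographic trail mentioned above is a hash-chained acquisition manifest: each acquired artefact gets a SHA-256 digest, each manifest entry records who acquired what, from where and when, and each entry also carries the hash of the previous entry so that no record can be altered or removed without breaking the chain. The code below is an added example written for this article, not code from the author, NIST or any provider; the artefact contents and metadata are constructed so that it runs offline, the manifest layout is my own, and the final manifest digest is the value an examiner would sign with an external eIDAS-compliant signing tool, which this example does not include.

```python
"""Hash-chained acquisition manifest for cloud evidence.

Added example for the article. Artefacts, names and metadata are constructed;
the manifest schema is an assumption, not a standard.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List

# Constructed artefacts standing in for a provider export or API download.
ARTEFACTS: Dict[str, bytes] = {
    "cloudtrail/2025-06-14/part-0001.json.gz": b"\x1f\x8b constructed gzip bytes",
    "s3-access-logs/2025-06-14-09.log": (
        b"09:02:05 GET bucket/key 200\n09:02:30 DELETE bucket/key 204\n"
    ),
}
GENESIS = "0" * 64  # link value for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Stable serialisation so a record always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artefacts: Dict[str, bytes], examiner: str, source: str,
                   acquired_at: datetime) -> List[dict]:
    """One entry per artefact, each chained to the previous entry's hash."""
    entries = []
    prev = GENESIS
    for name in sorted(artefacts):
        entry = {
            "artefact": name,
            "sha256": sha256_hex(artefacts[name]),
            "size": len(artefacts[name]),
            "examiner": examiner,
            "source": source,
            "acquired_at_utc": acquired_at.astimezone(timezone.utc).isoformat(),
            "prev_entry_sha256": prev,
        }
        entry["entry_sha256"] = sha256_hex(canonical(entry))
        prev = entry["entry_sha256"]
        entries.append(entry)
    return entries


def manifest_digest(entries: List[dict]) -> str:
    """Digest over the whole chain: the value to sign with external tooling."""
    return sha256_hex(canonical(entries))


def verify_manifest(entries: List[dict], artefacts: Dict[str, bytes]) -> List[str]:
    """Return a list of problems; an empty list means chain and contents verify."""
    problems = []
    prev = GENESIS
    for e in entries:
        body = {k: v for k, v in e.items() if k != "entry_sha256"}
        if e["prev_entry_sha256"] != prev:
            problems.append(f"{e['artefact']}: broken chain link")
        if sha256_hex(canonical(body)) != e["entry_sha256"]:
            problems.append(f"{e['artefact']}: entry hash mismatch (record altered)")
        data = artefacts.get(e["artefact"])
        if data is None or sha256_hex(data) != e["sha256"]:
            problems.append(f"{e['artefact']}: content hash mismatch (evidence altered or missing)")
        prev = e["entry_sha256"]
    return problems


def demo_manifest() -> List[dict]:
    """Build the manifest for the constructed artefacts with constructed metadata."""
    acquired = datetime(2025, 6, 14, 11, 30, tzinfo=timezone.utc)
    return build_manifest(ARTEFACTS, "examiner-01", "provider export (constructed)", acquired)


if __name__ == "__main__":
    manifest = demo_manifest()
    print(json.dumps(manifest, indent=2))
    print("manifest digest to sign:", manifest_digest(manifest))
    print("verification problems:", verify_manifest(manifest, ARTEFACTS))
```

Because the entry hash covers the examiner, source and acquisition time as well as the content digest, a later change to any of those fields is detected the same way a change to the evidence itself is.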
Organizations should also evaluate architectural choices that enhance their control over evidentiary integrity. Customer-managed encryption keys (CMEK) and bring-your-own-key (BYOK) architectures ensure that the cloud provider cannot access data in plaintext even when compelled by lawful order. While these architectures do not prevent the provider from handing over encrypted data, they ensure that the evidentiary value depends on the organization’s cooperation, not just the provider’s compliance.
The jurisdictional labyrinth of cloud forensics does not yet have a complete solution. The threads are being woven together, with the e-Evidence Regulation entering into force in August 2026 and the Second Additional Protocol to the Budapest Convention needing just two more ratifications to become operational. These instruments will not eliminate the complexity, but they provide structured pathways through a landscape that has been governed more by ad-hoc arrangements and conflicting national laws than by coherent international frameworks.
What remains clear is that technical forensic skill alone is no longer sufficient. The modern cloud forensics investigator must understand not only API calls and log analysis, but also the intricate dance of international law, mutual legal assistance treaties, and the evolving conflict between digital sovereignty and global cooperation. The crime scene may have no address, but the law is learning to follow the evidence anyway.