Enhancing cloud forensic investigation relationships between law enforcement and local cloud service providers: Oman as a case study

The development of criminal activities has consistently forced the evolution of investigative methods. Forensic sciences, including digital forensics, have been challenged by rapid technological developments, especially through the cloud computing revolution. Acquisition, integrity, and preservation of digital evidence is complicated in a cloud context owing to the technology's dispersed and dynamic nature. Additionally, the relationship between Cloud Service Providers (CSPs), as the incident first responders, and Law Enforcement Agencies (LEAs), who own the investigation processes, is multifaceted and highly governed by complex factors, including data protection laws. This PhD research is unique in that it presents one of the first empirical studies to offer a better understanding of the uncertainty in the relationship between CSPs and LEAs during forensic investigations in cloud computing environments (cloud forensics). This thesis produces a holistic and heuristic framework that enables a theoretically-based description and analysis of the gap between the ideal and actual relationship between LEAs and CSPs. Moreover, this thesis addresses the need for a unified, collaborative model between LEAs and CSPs to facilitate compliant investigations. This study, approved by the Omani National Digital Forensic Laboratory, ultimately aims to enhance trust and confidence between LEAs and local CSPs. A mixed-methods approach was conducted through a survey and focus groups that explored the perceptions of practitioners and professionals involved in corporate or national digital forensics projects as part of their roles in LEAs, CSPs, academia or industry in the Sultanate of Oman. In the first stage of the research, 118 responses were collected through an online questionnaire, 86 of which were complete and formed part of the analysis. The second stage, two focus groups, involved six practitioners and professionals. The convergence between participant responses reflects a gap manifested by the lack of laws and regulations, standard operating procedures, readiness and accountability, and anticipated cooperation between different organisations when investigations cover the cloud. This gap may affect aspects of cloud forensic investigations, including but not limited to credibility obligations under data protection laws and transparency towards CSP clients.