The recent legal challenges surrounding TikTok underscore the critical need for proactive data preservation strategies. With the U.S. government threatening a nationwide ban on TikTok, originally set to take effect on January 19, 2025, citing national security concerns, ongoing access to data hosted on the platform has become uncertain.
In January 2025, President Donald Trump intervened in the TikTok ban by issuing an executive order granting a 75-day reprieve, allowing the platform to continue operations while ownership issues were addressed. This move provided time for potential deals to be negotiated, aiming to resolve national security concerns associated with TikTok's Chinese ownership.
Does Data on the Internet Really Live Forever?
It’s a common misconception that once something is on the internet, it’s there forever. Despite TikTok’s massive popularity, the platform could still face operational shutdowns due to regulatory concerns. Such situations highlight the risks of assuming data will always be available.
Legal experts emphasize the importance of understanding the data policies of platforms like TikTok. Given the possibility of sudden data loss from platform shutdowns or policy changes, it’s essential to act quickly to preserve necessary information. This may involve proactively collecting data or advising clients to keep their accounts active and avoid deleting important content.
Taking Action: Protecting Your Clients’ Data
In light of these challenges, it’s vital to take a proactive approach to data preservation:
- Identify Early – Pinpoint potential sources of important data across different cloud platforms and familiarize yourself with their retention policies.
- Collect Promptly – Secure data before it becomes inaccessible due to changes in platform policies or shutdowns.
- Monitor Continuously – Stay updated on changes in platform operations and regulations that could affect data availability.
The Limitations of “Preservation in Place” as a Litigation Readiness Strategy
When enterprise data resides within the possession, custody, and control of third-party enterprise cloud providers, organizations effectively cede their disaster recovery plans to these vendors. They must rely entirely on the availability, retention policies, and security measures dictated by the provider rather than maintaining direct control over their critical data.
While cloud platforms offer “preservation in place” features, these are often limited to user-generated content and do not encompass essential system-generated data, such as IT audit logs. These logs are vital for tracing activities and identifying anomalies, yet they are frequently excluded from standard preservation protocols.
The Role of Audit Logs in Forensic Investigations
Audit logs provide a chronological record of system activities, capturing who did what, where, and when. They are indispensable for:
- Detecting Security Breaches – Logs help identify unauthorized access and potential security threats.
- Facilitating Forensic Analysis – In the event of an incident, logs enable investigators to reconstruct events and determine the root cause.
- Ensuring Compliance – Many regulations require organizations to maintain detailed logs to demonstrate adherence to security standards.
Moreover, cloud service providers often offer selective logging and data access. Organizations are unable to request or hire forensic firms to acquire bitstream images of physical hard disks within a provider’s data center, significantly limiting the scope of forensic analysis.
Acquiring forensic bitstream images from third-party data centers like Microsoft, Google, or Meta is impractical because these cloud providers do not grant direct access to physical storage media. This leaves organizations dependent on selective logs, API exports, and metadata, which may not provide full forensic defensibility.
This lack of comprehensive access means that organizations are at the mercy of these providers and whatever they choose to share.
“Collect to Preserve” as a Litigation Readiness Strategy
Traditionally, organizations gathered and stored copies of data as a precautionary measure. While this method had its merits, it often led to challenges such as increased storage costs and potential security risks. As digital environments have become more complex, a new approach has emerged: “preservation in place.”
This strategy focuses on safeguarding data where it resides without moving it. By applying legal holds and ensuring data remains unchanged and accessible, organizations can reduce disruptions and maintain the security features of the original platform. However, this requires robust monitoring systems and continuous data management across various platforms.
When determining the most effective data preservation strategy, it's essential to weigh the advantages and disadvantages of preservation-in-place versus collect-to-preserve approaches.
Preservation in Place
Pros:
- Cost Efficiency: Maintaining data in its original location eliminates the expenses associated with data duplication and additional storage requirements.
- Reduced Disruption: Preserving data where it resides minimizes interruptions to daily operations, allowing users continued access without significant workflow changes.
- Enhanced Security: Limiting data movement decreases the risk of exposure during transfers, thereby maintaining the security protocols already established in the original environment.
Cons:
- Risk of Spoliation: Relying on custodians to preserve data can lead to accidental or intentional alterations or deletions, increasing the potential for data spoliation.
- Limited Accessibility for Review: Data retained in its native environment may pose challenges for legal teams attempting to perform early case assessments or comprehensive reviews without first collecting the data.
- Dependence on IT Resources: Implementing and managing in-place preservation often requires significant IT involvement to ensure data is appropriately secured and preserved, which can strain resources.
Collect to Preserve
Pros:
- Immediate Control: By collecting data into a centralized repository, organizations gain direct control over the information, facilitating easier access and management.
- Facilitates Early Case Assessment: Having data readily available in a dedicated environment allows legal teams to promptly analyze and assess information pertinent to litigation or investigations.
- Mitigated Risk of Data Loss: Proactively collecting data ensures that critical information is secured against potential loss due to system failures, policy changes, or external factors affecting the original storage location.
Cons:
- Increased Costs: Duplicating and storing large volumes of data can lead to substantial expenses related to storage infrastructure and maintenance.
- Potential Security Risks: Each instance of data replication introduces additional points of vulnerability, potentially increasing the risk of unauthorized access or breaches.
- Operational Disruption: The process of collecting data may require system downtime or impact performance, leading to temporary disruptions in regular business activities.
Evaluating these nuances against your unique data habits, risk profile, and priorities is essential in choosing the preservation strategy that’s ideal for your organization.
The Continued Importance of Endpoint Forensics
Given these constraints, endpoint forensics remains a critical component of a robust data preservation strategy. By focusing on devices under an organization's control, endpoint forensics allows for:
- Comprehensive Data Capture – Collecting data directly from endpoints ensures that all relevant information, including system logs and user activities, is preserved.
- Enhanced Incident Response – Access to detailed endpoint data enables faster and more effective responses to security incidents.
- Improved Threat Detection – Analyzing endpoint data can uncover both known and emerging threats, including insider activities that might go unnoticed in cloud-only logs.
Incorporating endpoint forensics into an organization’s incident response plan is essential for maintaining a comprehensive security posture. This includes developing clear policies for data collection, investing in appropriate forensic tools, and ensuring continuous monitoring of endpoint activities.
The Role of Disaster Recovery Planning in “Collect to Preserve”
A well-structured disaster recovery plan that incorporates collect to preserve is essential when preservation in place is at risk, as seen with TikTok’s uncertain future. When legal holds and cloud-based retention policies are no longer guaranteed, proactively collecting critical data ensures organizations maintain control over their evidence before it becomes inaccessible or permanently lost. By integrating collect to preserve into disaster recovery, businesses can safeguard their investigative and compliance needs, even in the face of platform shutdowns, regulatory restrictions, or service disruptions.
Conclusion
The TikTok scenario serves as a stark reminder of the vulnerabilities inherent in relying solely on cloud-based data preservation. To safeguard against data loss and ensure forensic defensibility, organizations must adopt a balanced approach that includes proactive “collect to preserve” strategies, with a particular emphasis on endpoint forensics. By doing so, they can maintain control over their data, ensure comprehensive evidence collection, and be better prepared to respond to legal and security challenges in an increasingly cloud-dependent world.
This topic was also discussed during Jerry Bui’s lightning round session at the 12th annual University of Florida Levin College of Law e-Discovery Conference, highlighting the importance of “collect to preserve” in today’s digital age.
Right Forensics can help navigate the complexities of cloud preservation. Our team of cloud forensics experts specializes in collecting and preserving digital evidence from a wide range of platforms, ensuring you’re prepared for any legal proceedings.
Graphics for this article were created by Sarah Vachlon.
