The Death Of Computer Forensics: Digital Forensics After the Singularity

2 May 2011 - WORKSHOP - The Death Of Computer Forensics: Digital Forensics After the Singularity

Workshop participants: Cory Altheide (Google), Carlo Blengino (Lawyer), Francesca Bosco (UNICRI - Project Officer, Emerging Crimes Unit), Elia Florio (Data Protection Authority), Roberto Flor (University of Verona - Faculty of Law), Davide Gabrini (Postal Police), Rodrigo Rodriguez (ATOS Research), Monica Senor (Lawyer).

Moderators: Giuseppe Vaciago (University of Milan - Faculty of Law) and Stefano Zanero (Politecnico di Milano).

Summary of the Workshop
(Giuseppe Vaciago)

I. Technical Challenges of Cloud Forensics
II. Legal Challenges of Cloud Forensics
III. Conclusions

***

The lecture by Cory Altheide [1] also served as an opportunity to organize a workshop in which lawyers, computer scientists, policy makers and members of law enforcement met to discuss the future of digital forensics in the cloud and to define the challenges that this technology will face in the coming years.

[1] Cory Altheide has nine years of information security, forensics and incident investigation experience. He has worked at IBM, Google and the National Nuclear Security Administration (NNSA). At IBM, Mr. Altheide performed emergency computer security response for clients ranging from international banks to defense contractors to Fortune 500 retailers. At Google, he managed the response to numerous incidents, ranging from externally reported cross-site scripting vulnerabilities in Google properties to compromised systems and extortion attempts. Prior to joining Google, Mr. Altheide was the Senior Network Forensics Specialist in the National Nuclear Security Administration's Information Assurance Response Center (NNSA IARC). Mr. Altheide has authored two original research papers for the computer forensics journal "Digital Investigation" and co-authored the "Handbook of Digital Forensics and Investigation" (2009). He holds the SANS GCIH and GCFA certifications.

A number of technical and legal considerations emerged, and these will serve as the basis for a paper that the Politecnico di Milano and the University of Milan Bicocca are due to draft in the coming months. Below is a brief summary of the matters of interest that emerged during the workshop.

I. Technical Challenges of Cloud Forensics

1. It has become clear that computer forensics - the practical analysis of digital data following the acquisition of a bit-stream image of a suspect's hard disk - suffered a setback with the wide adoption of mobile devices and the increasing use of flash memory and encryption systems. It is equally clear that it has undergone a fundamental change because of the enormous expansion of cloud computing.

2. To arrive at this "dramatic" conclusion, we need to start with the definition of cloud computing devised by NIST: "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." Cloud computing has five essential characteristics (on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service), three service models (Cloud Software as a Service (SaaS), Cloud Platform as a Service (PaaS) and Cloud Infrastructure as a Service (IaaS)) and four deployment models (private cloud, community cloud, public cloud and hybrid cloud) (Mell and Grance, 2009).

3. The various service and deployment models described above pose an initial problem, since each requires specialised cloud forensic techniques that differ greatly from one another: the tools and procedures used to collect forensic data depend on the service model involved (for example, in a public cloud, provider-side artifacts must be segregated among multiple tenants before they can be used, whereas in a private cloud there is no such need).

4. But this is just the beginning. In digital forensics the key processes and techniques require that the software be tested and validated, and that the operations performed on digital evidence be repeatable and documented. Classic digital forensics can be divided into three scenarios: A. data at rest (traditional computer forensics, e.g. disk imaging); B. data in transit (network forensics); C. data in execution (live or memory forensics).
If we transpose this breakdown to cloud computing, we notice immediately that data at rest does not reside on the device, apart from the few traces that can be found in the cache or in temporary files; that data in transit cannot easily be analysed, because the major cloud providers encrypt all traffic to protect a cloud instance from neighbouring threats (while this reduces the risk of illegal interception and tampering, it also makes the work of legitimate investigators harder); and, finally, that any data in execution is present only in the cloud instance, and it is equally difficult to make use of it during an investigation.

5. Clearly the most difficult challenge is posed by the loss of control over the data: virtualisation is one of the key elements in the implementation of cloud services, while in most cases investigators require evidence to be obtained from physical devices. Furthermore, data from the cloud only makes sense when interpreted using the appropriate cloud communication protocols. An investigator who wants to capture the bit-stream image of a given suspect's data is in the position of someone who has to complete a jigsaw puzzle whose pieces are scattered randomly across the globe. And that is not all: even if it were possible to reconstruct the image, the investigator would never be able to validate it "beyond a reasonable doubt" in the way that is possible with a physical hard drive.

6. Finally, recovered deleted data is an important source of evidence in traditional computer forensics, and so it is in the cloud as well. With cloud providers, the right to alter or delete the original snapshot is explicitly reserved for the user that created the volume. When item and attribute data are deleted within a domain, removal of the mapping within the domain starts immediately and is generally complete within seconds. Once the mapping is removed, there is no remote access to the deleted data, and the storage space is likely to be overwritten by newly stored data. However, some deleted data may still be present in a snapshot taken after the deletion. The challenge is then: how to recover deleted data, identify the ownership of deleted data, and use deleted data as a source for event reconstruction in the cloud? (Keyun Ruan, Joe Carthy, Tahar Kechadi, Mark Crosbie, Cloud forensics: An overview, Advances in Digital Forensics VII, Springer.)

II. Legal Challenges of Cloud Forensics

1. The "loss of location" of digital evidence in the cloud creates a problem of jurisdiction. Over the last few years, various approaches have been proposed to solve it. The traditional approach is the territorial principle, by virtue of which the court of the place where the data is located has jurisdiction (Art. 32, Convention on Cybercrime). This approach effectively rules out any investigation, because even the cloud provider might not know exactly where the data is located.
Another approach is the nationality principle, by virtue of which the nationality of the perpetrator is the factor used to establish criminal jurisdiction. This principle has clear limits, since the perpetrators in a cybercrime case may easily be foreign nationals, given that cybercrime is generally transnational and requires no physical proximity. Furthermore, data has no nationality, since nationality is an attribute of an individual. A third approach is the "flag principle", which states that crimes committed on ships, aircraft and spacecraft are subject to the jurisdiction of the flag state, regardless of their location at the time of the crime (Art. 22, Convention on Cybercrime). Since digital data is constantly moving, this principle also seems applicable to the cloud. However, before applying it to cloud computing we must remember that the cloud might not be the actual place where the crime was committed, and that this principle could motivate cybercriminals to select a cloud provider flying a "pirate flag".

2. A recent discussion paper, prepared by Jan Spoenle for the Economic Crime Division of the Council of Europe (Directorate General of Human Rights and Legal Affairs) within the framework of the global Project on Cybercrime, suggested the "power of disposal approach". From a practical point of view, a regulation based on the power of disposal approach would make it feasible for law enforcement to access a suspect's data within the cloud: law enforcement would only have to obtain the username and password combination legally and be able to prove that the additional requirements have been met. This approach removes the jurisdictional obstacle, but a balance must be struck with the legitimate need for privacy and with the rights of the suspect. Furthermore, it may not be easy to put into practice, because many devices (particularly mobile ones) are protected through DRM, which, in addition to preventing the installation of unauthorised software, provides a level of security that makes access through Trojan horses or other malicious software very complicated.

3. Another extremely sensitive issue in the cloud is data retention, since this is a key factor in facilitating investigations. The scope of Directive 2006/24/EC, however, is very precisely defined and, as such, limited. From an objective point of view it is limited in scope, since it concerns only certain traffic and location data generated through the use of electronic communications. From a subjective point of view, it concerns only providers of publicly available electronic communications services or of a public communications network. This raises the question of who exactly the providers subject to these obligations are, and whether cloud providers are included in this definition.

4. These considerations, and the recent court rulings (Bulgaria 2008, Romania 2009, Germany 2010, Czech Republic 2011) that declared the national laws implementing the data retention directive unconstitutional, force us to rethink data retention and its regulation in the cloud, and to provide specific obligations for the different actors, in particular: a standardised data retention period across countries, or mutually agreed recognition principles so that the retention period applied is based on where the user's data is stored; standardised security standards; standardised and high-level data protection standards; and a rule that data retention is exceptional, allowed only where proportionate and intended to protect important and overriding legal interests and to fight serious crime.
The choice should be based on agreed criteria, and not just in Europe and between European States.

5. In this scenario, cloud computing is a perfect setting for the activities of cybercriminals. Recent reports confirm that cybercriminals are relying more and more on cloud computing models to carry out cyberattacks, either by manipulating the connection to the cloud or by attacking the data centre and the cloud itself. The cloud gathers traffic at centralised locations, allowing attackers to achieve critical mass for their attacks. Well-organised cybercriminals can also easily recruit botnets via common cloud applications; this is not new, but it has become more prevalent in recent times, as users continue to let their guard down and go online at ever increasing speed.

6. Last but not least, we should not forget the difficulties that can be encountered in legal proceedings, where it is not always possible to obtain a clear validation of digital evidence. If, for example, digital evidence has been wiped by the user and the cloud-based system has also overwritten that portion of the storage, will the court be able to assess the corresponding digital evidence impartially and effectively (especially in criminal matters)?

III. Conclusions

There are many challenges posed by cloud forensics, and just as many legal issues that will need to be addressed in the coming years.

On the technical side, with regard to Infrastructure as a Service, it can be assumed - without the same guarantees of success - that both traditional digital forensic solutions and cloud forensic tools will need to use the cloud itself as a discovery engine for rapid and accurate forensic investigations. This means that, although new approaches and systems must be developed, above all a strong working relationship needs to be built with cloud providers.

On the legal side, the topic of data retention provides examples of the problems associated with jurisdiction. Faced with a total absence of data retention regulation in the United States, a very different situation prevails at the European level, which features very strict regulation, even if it is controversial and not entirely applicable to cloud computing. To this must be added the procedural difficulty of successfully presenting cloud-based evidence in court in a way that is both admissible and reliable. This uncertainty can only encourage cybercrime and, above all, create a climate of distrust towards a technology that offers, apart from obvious cost savings, massive potential. If it is true that the law often lags behind technology, a reassessment of digital forensics is now essential and will need to be carried out, if possible, by lawyers and computer scientists working in collaboration.
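The deletion model discussed in I.6 (the mapping is removed at once, the blocks stay until they are reused) and the repeatability requirement of I.4 can be made concrete with a small model. The following is an added example written for this summary, not code from the workshop, from its participants or from any cloud provider: the block store, the tenants "A" and "B", the object names, the 64-byte block size and the provider-side mapping log are all constructed assumptions; only the PNG file signature used for carving is real.

```python
"""Constructed model of cloud storage deletion for the points in I.4 and I.6:
deleting an object only removes its mapping, so the bytes survive in a
provider-side snapshot until the blocks are reused. Not code from the workshop
or from any provider; tenants, names, block size and log format are assumptions."""
import hashlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # real PNG file signature, used for carving
BLOCK_SIZE = 64                    # assumption: tiny blocks keep the demo readable


class BlockStore:
    """Multi-tenant block pool. `mapping` is the user-visible view, `blocks`
    is what a provider-side snapshot contains, `log` exists only at the provider."""

    def __init__(self, n_blocks):
        self.blocks = bytearray(BLOCK_SIZE * n_blocks)
        self.free = list(range(n_blocks))
        self.mapping = {}   # (tenant, object name) -> [block ids]
        self.log = []       # append-only (event, tenant, name, block ids)

    def write(self, tenant, name, data):
        ids = []
        for off in range(0, len(data), BLOCK_SIZE):
            if not self.free:
                raise RuntimeError("store full")
            bid = self.free.pop(0)
            chunk = data[off:off + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            self.blocks[bid * BLOCK_SIZE:(bid + 1) * BLOCK_SIZE] = chunk
            ids.append(bid)
        self.mapping[(tenant, name)] = ids
        self.log.append(("map", tenant, name, tuple(ids)))
        return ids

    def delete(self, tenant, name):
        """Deletion as I.6 describes it: the mapping goes, the bytes stay."""
        ids = self.mapping.pop((tenant, name))
        self.free.extend(ids)   # blocks become reusable, nothing is wiped
        self.log.append(("unmap", tenant, name, tuple(ids)))

    def read(self, tenant, name):
        """What the tenant, or an investigator limited to the API, can see."""
        ids = self.mapping.get((tenant, name))
        if ids is None:
            return None
        return b"".join(bytes(self.blocks[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE]) for b in ids)

    def snapshot(self):
        """Raw provider-side image: every tenant's blocks, mapped or not."""
        return bytes(self.blocks)


def image_digest(image):
    """Acquisition check (I.4): two acquisitions of the same bytes must agree."""
    return hashlib.sha256(image).hexdigest()


def carve(image, magic=PNG_MAGIC):
    """Signature carving over the raw image. Returns (offset, block id, payload)
    for each hit; the payload runs to the first NUL pad byte or the end of image."""
    hits, pos = [], image.find(magic)
    while pos != -1:
        end = image.find(b"\0", pos)
        hits.append((pos, pos // BLOCK_SIZE, image[pos:end if end != -1 else len(image)]))
        pos = image.find(magic, pos + 1)
    return hits


def attribute(log, block_id):
    """Ownership of a carved block is recoverable only from the provider's
    mapping log; the image alone cannot say which tenant wrote the block."""
    owner = None
    for event, tenant, name, ids in log:
        if block_id in ids:
            owner = (tenant, name, event)   # most recent event for the block wins
    return owner


def demo():
    store = BlockStore(n_blocks=3)
    secret = PNG_MAGIC + b"tenant-A: revenue chart, DRAFT"
    store.write("A", "chart.png", secret)                        # block 0
    store.write("B", "notes.txt", b"tenant-B: " + b"x" * 60)     # blocks 1 and 2, pool now full
    store.delete("A", "chart.png")                               # A's view: the object is gone
    snap_after_delete = store.snapshot()
    hits = carve(snap_after_delete)
    owner = attribute(store.log, hits[0][1]) if hits else None
    store.write("B", "more.txt", b"tenant-B: reused block")      # block 0 is the only free one: overwrite
    snap_after_reuse = store.snapshot()
    return {
        "api_view": store.read("A", "chart.png"),
        "carved_after_delete": [payload for _, _, payload in hits],
        "owner_from_log": owner,
        "carved_after_reuse": carve(snap_after_reuse),
        "digest_after_delete": image_digest(snap_after_delete),
        "digest_after_reuse": image_digest(snap_after_reuse),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run as a script, the model shows the gap between three views of the same storage: the tenant's API (`read` returns nothing once the mapping is gone), the raw provider-side snapshot (signature carving still finds the object, and two acquisitions of the same bytes give the same digest, which is the repeatability I.4 asks for), and the provider's mapping log, without which a carved block in a shared pool cannot be attributed to a tenant. Once the block has been reallocated to another tenant, even the snapshot no longer helps, and only the changed digest records that something was overwritten.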