Digital and Cloud Forensics Stavros Simou Cultural Informatics Laboratory, Department of Cultural Technology and Communication, University of the Aegean, University Hill, GR 81100 Mytilene, Greece ssimou@aegean.gr
Forensics
Forensics is the scientific method of gathering and examining information about the past: finding evidence to establish facts that can be presented in a legal proceeding. Those who collect forensic evidence must follow strict procedures to protect evidence from contamination and destruction and to preserve the chain of custody. Forensics "tells the same story" no matter how many times it is tested, or how many years have passed.
Early methods of forensics
In the late 18th century, the French physician François-Emmanuel Fodéré began publishing writings on the changes that occur in the structure of the body as the result of disease. French police officer Alphonse Bertillon was the first to apply the anthropological technique of anthropometry to law enforcement, in the 1870s. Sir William Herschel was one of the first to advocate the use of fingerprinting in the identification of criminal suspects, in 1877. The first United Kingdom Fingerprint Bureau was founded in Scotland Yard, the Metropolitan Police headquarters, London, in 1901. By 1906, New York City Police Department Deputy Commissioner Joseph A. Faurot had introduced the fingerprinting of criminals to the United States. Scientific and surgical investigation was widely employed by the Metropolitan Police during their pursuit of the mysterious Jack the Ripper, in the 1880s. In the 20th century several British pathologists pioneered new forensic science methods. Alec Jeffreys pioneered the use of DNA profiling in forensic science in 1984. He realized the scope of DNA fingerprinting, which uses variations in the genetic code to identify individuals.
Forensics
Digital forensics Digital forensics is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information. The first computer crimes were recognized in the 1978 Florida Computer Crimes Act, which included legislation against the unauthorized modification or deletion of data on a computer system. Canada was the first country to pass legislation in 1983. The growth in computer crime during the 1980s and 1990s caused law enforcement agencies to begin establishing specialized groups, usually at the national level, to handle the technical aspects of investigations. Since 2000, in response to the need for standardization, various bodies and agencies have published guidelines for digital forensics.
Digital Evidence
Laws dealing with digital evidence are concerned with two issues:
Integrity - ensuring that the act of seizing and acquiring digital media does not modify the evidence (either the original or the copy).
Authenticity - the ability to confirm the integrity of information; for example, that the imaged media matches the original evidence.
The ease with which digital media can be modified means that documenting the chain of custody from the crime scene, through analysis and, ultimately, to the court, is important to establish the authenticity of evidence. Guidelines such as those issued by ACPO are followed to help document the authenticity and integrity of evidence.
Types of Digital Evidence
Address books and contact lists
Audio files and voice recordings
Backups to various programs, including backups to mobile devices
Bookmarks and favorites
Browser history
Calendars
Compressed archives (ZIP, RAR, etc.), including encrypted archives
Configuration and .ini files (may contain account information, last access dates, etc.)
Cookies
Databases
Documents
Email messages, attachments and email databases
Events
Hidden and system files
Log files
Organizer items
Page files, hibernation files and printer spooler files
Pictures, images, digital photos
Videos
Virtual machines
System files
Temporary files
Cloud Adoption - Forecast
3rd Annual Future of Cloud Computing Survey (2013): 75 percent of those surveyed reported the use of some sort of cloud platform. The worldwide market for cloud computing is expected to reach $158.8 billion by 2014.
International Data Corporation (IDC): IT cloud services will reach $47.4 billion in 2013 and are expected to exceed $107 billion in 2017. Over the 2013-2017 forecast period, public IT cloud services will have a compound annual growth rate (CAGR) of 23.5%.
Cloud Computing - What is it?
Outsourcing (services and equipment): providers give customers the ability to use configurable computing resources that can be rapidly provisioned and released with minimal management effort.
Reduction of cost on infrastructure and support.
Increased system scalability.
Use of virtualization techniques for providing equipment, software and platform support as remote services.
Five essential characteristics. Three service models. Four deployment models.
Digital and Cloud Forensics
Digital forensics is the field where investigators use forensic processes to search for digital evidence in order to use it in a court of law. Digital forensics deals with the digital evidence found in the area where the crime was committed.
Cloud forensics is a subset of digital forensics that designates the need for digital investigation in cloud environments, based on forensic principles and procedures.
Main difference: data is stored in data centers in different geographical areas, under different jurisdictions.
Cloud Forensic Process
Based on digital forensics (the DFRW model was used, with a slight differentiation).
Stages:
Identification stage - identifying all possible sources of evidence.
Preservation and Collection stage - collecting evidence from virtualized environments and preserving the chain of custody and the integrity of the evidence.
Examination and Analysis stage - inspecting data with tools to reveal useful information.
Presentation stage - presenting evidence in a way that the jury will understand all the technical details.
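The integrity and authenticity requirements of the Digital Evidence slide, and the chain-of-custody preservation of the Preservation and Collection stage, as an added example (not code from the slides): the acquired image is checked against the source by SHA-256, and every custody handover is recorded in a hash-linked log so that an edited, removed or reordered record is detectable. The record fields, the JSON serialization and the sample image bytes are assumptions of this example.

```python
import hashlib
import json

def sha256_of(data: bytes) -> str:
    """SHA-256 hex digest of an acquired image (or any evidence bytes)."""
    return hashlib.sha256(data).hexdigest()

def verify_image(original: bytes, image: bytes) -> bool:
    """Authenticity check: the acquired copy must hash identically to the source media."""
    return sha256_of(original) == sha256_of(image)

def add_custody_entry(chain: list, actor: str, action: str, evidence_hash: str, when: str) -> dict:
    """Append a chain-of-custody record. Each record carries the hash of the previous
    record, so editing, removing or reordering an earlier handover breaks every later link."""
    prev = chain[-1]["entry_hash"] if chain else "0" * 64
    body = {"actor": actor, "action": action, "evidence_sha256": evidence_hash,
            "timestamp": when, "prev_entry_hash": prev}
    body["entry_hash"] = sha256_of(json.dumps(body, sort_keys=True).encode())
    chain.append(body)
    return body

def verify_chain(chain: list, image_hash: str) -> bool:
    """Recompute every link and confirm each handover still refers to the same image hash."""
    prev = "0" * 64
    for entry in chain:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev_entry_hash"] != prev or body["evidence_sha256"] != image_hash:
            return False
        if sha256_of(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

if __name__ == "__main__":
    # Constructed stand-in for a VM disk image handed over by a CSP (assumption of this example).
    source = b"constructed VM disk image bytes"
    image = bytes(source)
    print("image matches source:", verify_image(source, image))
    chain = []
    add_custody_entry(chain, "examiner A", "acquired image from CSP", sha256_of(image), "2013-05-02T08:00:00Z")
    add_custody_entry(chain, "examiner B", "received image for analysis", sha256_of(image), "2013-05-03T09:30:00Z")
    print("chain intact:", verify_chain(chain, sha256_of(image)))
    chain[0]["action"] = "acquired image from client"  # an after-the-fact edit of the history
    print("chain intact after edit:", verify_chain(chain, sha256_of(image)))
```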
Challenges
Identification stage: Access to evidence in logs; Physical inaccessibility; Volatile data; Distribution - collaboration; Client side identification; Dependence on CSP - Trust; Service Level Agreement (SLA)
Preservation - Collection stage: Integrity and stability; Privacy and multi-tenancy; Time synchronization; Internal staffing; Chain of custody; Imaging; Bandwidth limitation; Multi-jurisdiction
Examination - Analysis stage: Lack of forensic tools; Volume of data; Encryption; Reconstruction; Unification of log formats; Identity
Presentation stage: Complexity of testimony; Documentation
Uncategorised: Compliance issues
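Two of the challenges above, time synchronization and unification of log formats, as an added example (not from the slides): log lines from a hypervisor, a hosted application and the client, each in its own timestamp format and local offset, are normalized to UTC, corrected for a known clock skew, and merged into one ordered timeline. The three sources, their formats and the sample lines are constructed assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample lines: three sources, three timestamp formats, three clock offsets.
SAMPLE_LOGS = {
    "hypervisor": ["2013-05-02 10:15:30 +0200 vm-42 started by tenant-7"],
    "app":        ["02/May/2013:03:14:10 -0500 user=alice action=login"],
    "client":     ["2013-05-02T08:15:00Z upload evidence.zip"],
}

# Per source: strptime format and how many space-separated tokens the timestamp occupies.
SOURCES = {
    "hypervisor": ("%Y-%m-%d %H:%M:%S %z", 3),
    "app":        ("%d/%b/%Y:%H:%M:%S %z", 2),
    "client":     ("%Y-%m-%dT%H:%M:%SZ", 1),
}

def parse_line(source: str, line: str, clock_skew_seconds: int = 0) -> dict:
    """Normalize one log line to a UTC event, correcting a known clock skew
    (a positive skew means that source's clock runs fast by that many seconds)."""
    fmt, ntok = SOURCES[source]
    tokens = line.split(" ", ntok)
    stamp = datetime.strptime(" ".join(tokens[:ntok]), fmt)
    if stamp.tzinfo is None:          # literal 'Z' suffix: the value is already UTC
        stamp = stamp.replace(tzinfo=timezone.utc)
    utc = stamp.astimezone(timezone.utc) - timedelta(seconds=clock_skew_seconds)
    return {"utc": utc, "source": source, "message": tokens[ntok]}

def unified_timeline(logs: dict, skews: dict = None) -> list:
    """Merge every source into one UTC-ordered timeline; skews maps source -> seconds fast."""
    skews = skews or {}
    events = [parse_line(src, line, skews.get(src, 0))
              for src, lines in logs.items() for line in lines]
    return sorted(events, key=lambda e: e["utc"])

if __name__ == "__main__":
    # Sorting the raw strings would put the app event last; in UTC it happened first.
    for e in unified_timeline(SAMPLE_LOGS):
        print(e["utc"].isoformat(), e["source"], e["message"])
```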
Challenges identified in the three service models
Cloud Forensic Challenges / Stage - Applicable to: IaaS, PaaS, SaaS
Identification: Access to evidence in logs (partly); Physical inaccessibility; Volatile data (X X); Client side identification (X); Dependence on CSP - Trust; Service Level Agreement (SLA)
Preservation - Collection: Integrity and stability; Privacy (X); Time synchronization; Internal Staffing; Chain of custody; Imaging (X); Bandwidth limitation (X X); Multi-jurisdiction - collaboration; Multi-tenancy
Examination - Analysis: Lack of forensic tools; Volume of data (X); Encryption; Reconstruction; Unification of log formats; Identity
Presentation: Complexity of testimony; Documentation
Uncategorised: Compliance issues
Major open issues
Introduction of new methodologies and frameworks.
Development of new forensic tools.
Trusted relations between CSPs and consumers should be built.
International collaborations between law enforcement and CSPs.