How To Overcome Digital Forensic Challenges In The Cloud

Professor Hamid Jahankhani, head of Doctoral Studies at GSM London, gets all CSI in the cloud environment

Cloud computing has generated significant interest in both academia and industry, but it is still an evolving paradigm.

Cloud services are also a popular target for malicious activity, and attacks against them have risen sharply. Investigating those attacks depends on digital evidence: data collected from a suspect’s workstation or other electronic medium that can support a computer forensics investigation. In the cloud, that medium is rarely in the investigator’s hands.

Big business cybercrime

Cybercrime is no longer in its infancy. It is ‘big business’ for the criminal entrepreneur: there is a great deal of money to be made at minimal risk.

Confusion exists in IT communities about how a cloud differs from existing models and how its characteristics affect adoption. Some see the cloud as a novel technical revolution; others consider it a natural evolution of technology, economy and culture.

Nevertheless, cloud computing is an important concept, with the potential to reduce costs considerably through optimisation and improved operating and economic efficiency.

Furthermore, cloud computing could significantly enhance collaboration, agility and scale, enabling a truly global computing model over the Internet infrastructure. Without appropriate security and privacy solutions designed for clouds, however, this potentially revolutionary computing paradigm could become a huge failure.

Several surveys of potential cloud adopters indicate that security and privacy are the primary concerns hindering adoption. At the same time, the cloud creates unique challenges for digital forensic investigators, and a lack of proper training has been recognised as a contributory factor when law enforcement investigations fail.

Migration to cloud computing usually involves replacing much of the traditional IT hardware found in an organisation’s data centre (such as servers and network switches) with remote, virtualised services configured for the organisation’s particular requirements. The data that makes up the organisation’s applications can therefore be physically hosted across multiple locations, possibly with a broad geographic distribution.

Because cloud services are such a popular target, the forensics community needs to explore the challenges cloud computing poses for investigation, so that future digital fraud, espionage, intellectual property (IP) theft and related crimes can be investigated and, where possible, deterred.

In 2006 two new laws were passed to tackle e-crime: the Fraud Act 2006, which came into force in 2007 aiming “to close a number of loopholes in preceding anti-fraud legislation that the Government said was unsuited to modern fraud”, and Part 5 of the Police and Justice Act 2006, which amended the Computer Misuse Act 1990 and prohibits “unauthorised access to computer material; unauthorised acts with intent to impair operation of computer and the supply of tools that can be used for hacking”.

Documented guidance, practices and procedures were outdated and inadequate for handling electronic evidence in a forensic manner until ACPO (the Association of Chief Police Officers) published its good practice guide for electronic evidence in July 2007 (revised in November 2009 and again in 2012). It is widely regarded as the benchmark for law enforcement handling of digital evidence. Those guidelines are workable for conventional seizures; it remains practically unclear, however, how digital evidence gathered under them from a cloud environment would be collected and presented in court.

There are essentially two types of evidence that can support a digital forensic investigation: physical evidence and digital evidence. Physical evidence consists of tangible items that can be brought to court and shown: computers, external hard disk drives, removable storage (memory sticks and memory cards), handheld devices including mobile phones and smartphones, networking devices, optical media, dongles and music players. Digital evidence is the data extracted from that physical evidence or from the computer system.

For a piece of information or data to be treated as evidence, it must satisfy five rules:

The evidence must be admissible, i.e. accepted by a court of law;

The evidence must be authentic and not contaminated;

The evidence must be complete, the whole piece rather than selected indicative parts;

The evidence must be reliable and dependable; and

The evidence must be believable.

Digital evidence, compared with physical evidence, is harder to identify: defining the nature of the data and classifying it as digital evidence worth presenting in court is difficult.

Providing reliable evidence has proven difficult, not just because of the nature of the evidence but also because of the wide range of environments from which it is extracted.

In a corporate environment, the forensic team must identify and contain the evidence and maintain its integrity. They must also decide whether a given item is relevant to the crime under investigation and whether it would help to identify and charge the culprit in legal proceedings.
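One concrete way to meet the ‘authentic and not contaminated’ and ‘complete’ rules above, and the integrity requirement just described, is to hash every artefact at the moment of acquisition, seal the resulting manifest, and re-verify the set before analysis and again before court. The Python below is an added example written for this page; it is not the author’s code or any tool’s. The artefact names, the examiner and tenant labels and the sample contents are constructed, and the manifest format is a hypothetical one chosen for illustration.

```python
"""Acquisition manifest for cloud-derived artefacts (added example).

Hashes each collected artefact at acquisition time, records the digests in a
manifest, and later re-verifies so that alteration, loss or insertion of
material in the evidence set is detectable.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artefacts: dict, examiner: str, source: str) -> dict:
    """Record a SHA-256 digest and size for every artefact at acquisition.

    `artefacts` maps an artefact name to its raw bytes, e.g. an exported audit
    log or a chunk of a VM snapshot. Names are sorted so the manifest is
    deterministic and the same evidence set always seals to the same digest.
    """
    entries = {}
    for name in sorted(artefacts):
        data = artefacts[name]
        entries[name] = {"sha256": sha256_bytes(data), "size": len(data)}
    manifest = {
        "source": source,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "artefacts": entries,
    }
    # Digest over the entry set itself: a single value that can be signed,
    # written in the contemporaneous notes or sent to the provider.
    manifest["manifest_sha256"] = sha256_bytes(
        json.dumps(entries, sort_keys=True).encode()
    )
    return manifest


def verify(manifest: dict, artefacts: dict) -> dict:
    """Return {name: status} for every artefact in the manifest or on hand.

    status is 'ok', 'modified' (digest differs), 'missing' (in manifest but not
    provided) or 'unexpected' (provided but not in manifest). An untouched and
    complete evidence set yields only 'ok'.
    """
    result = {}
    for name, rec in manifest["artefacts"].items():
        if name not in artefacts:
            result[name] = "missing"
        elif sha256_bytes(artefacts[name]) != rec["sha256"]:
            result[name] = "modified"
        else:
            result[name] = "ok"
    for name in artefacts:
        if name not in manifest["artefacts"]:
            result[name] = "unexpected"
    return result


# Constructed sample: two artefacts exported from a hypothetical tenant.
SAMPLE = {
    "audit-log-2014-06.json": b'{"event":"login","user":"alice","ip":"203.0.113.7"}\n',
    "vm-snapshot-part0.bin": bytes(range(256)) * 4,
}

if __name__ == "__main__":
    m = build_manifest(SAMPLE, examiner="J. Doe", source="tenant-42 (hypothetical)")
    print(json.dumps(m, indent=2))
    # Simulate a tampered and incomplete evidence set handed back for analysis.
    tampered = dict(SAMPLE)
    tampered["audit-log-2014-06.json"] = tampered["audit-log-2014-06.json"].replace(b"alice", b"bob")
    del tampered["vm-snapshot-part0.bin"]
    print(verify(m, tampered))
```

The manifest only proves that what is analysed later is what was acquired; it says nothing about whether the provider’s export was itself faithful, which is why the acquisition time, source and examiner are recorded alongside the digests and why the sealed manifest digest should leave the investigator’s control (notebook, signature, or the provider’s own receipt) as soon as it is produced.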

Investigators collecting digital evidence must also weigh the cost and losses incurred, and the availability of the service during and after the incident.

The question, then, is: can we investigate a crime in the cloud using existing computer forensics models, frameworks and tools?

Available digital forensic practices, frameworks and tools are mainly intended for offline investigation of seized media. An investigation in a cloud computing environment therefore raises new challenges: the potential evidence is likely to be ephemeral and stored on media beyond the investigator’s immediate control.

Digital forensics investigation processes also rely heavily on theoretical frameworks and digital investigation process models. These are of limited practical use for current cloud technologies, because they were developed before the cloud existed and largely assume that the investigator has physical access to, and control over, the storage media of the targeted network, system or device.

As a result, most available forensic process models do not respond adequately to the requirements of a digital forensic investigation in a complex cloud environment.

Legal requirements for cloud forensics are also currently uncertain and present a challenge for the legal system. Because a cloud environment consists of distributed, shared storage, forensic examiners and law enforcement officers necessarily depend on the cloud provider in order to conduct their investigations.

They are therefore at the mercy of public cloud providers and their decision on whether to assist. In a cloud investigation this lack of physical access, due to the decentralised nature of the data processing, creates enormous technical and legal challenges.

There are two principal legal issues:
Validity of the warrant: a search warrant must specify a location where the evidence is believed to be found, together with the other particulars the warrant requires; in a geographically distributed cloud that location may not be known.
Authenticity: making sure that data recovered from shared storage is the suspect’s (defendant’s) alone and not another customer’s.

In 2014 the National Institute of Standards and Technology (NIST) released a draft report (NIST Interagency Report 8006, NIST Cloud Computing Forensic Science Challenges) highlighting the need for cloud forensics standards to aid law enforcement. It identified 65 challenges, in nine major groups, that forensic investigators face in gathering and analysing digital information stored in the cloud.

The nine major groups are architecture, data collection, analysis, anti-forensics, incident first responders, role management, legal, standards, and training.

From a law enforcement perspective, fighting cybercrime is difficult. Irrespective of how big or small the crime, a decision has to be made on the merits of each case as to whether investigating and prosecuting it is in the public interest. It is therefore becoming necessary to understand and manage the computer forensics process in the cloud.

Cloud computing is still an evolving paradigm, and it has already made it harder for law enforcement around the globe to carry out forensic investigations effectively.

Although existing digital forensics models comprehensively describe the stages of a forensic process, most of their assumptions do not hold in the context of cloud computing, and the problem will only worsen with the explosive growth of data volumes.
