Digital and Cloud Forensics
Stavros Simou
Cultural Informatics Laboratory, Department of Cultural Technology and
Communication, University of the Aegean, University Hill, GR 81100
Mytilene, Greece
[email protected]
Forensics
• Is the scientific method of gathering and examining information about the past.
• Finding evidence to establish facts that can be presented in a legal proceeding.
• Those that collect forensic evidence must follow strict procedures to protect evidence from contamination and destruction and to preserve the chain of custody.
• Forensics "tells the same story" no matter how many times it is tested, or how many years have passed.
Early methods of forensics
• In the late 18th century, the French physician François-Emmanuel Fodéré began publishing writings on the changes that occur in the structure of the body as a result of disease.
• French police officer Alphonse Bertillon was the first to apply the anthropological technique of anthropometry to law enforcement, in the 1870s.
• Sir William Herschel was one of the first to advocate the use of fingerprinting in the identification of criminal suspects, in 1877.
• The first United Kingdom Fingerprint Bureau was founded in Scotland Yard, the Metropolitan Police headquarters, London, in 1901.
• By 1906, New York City Police Department Deputy Commissioner Joseph A. Faurot had introduced the fingerprinting of criminals to the United States.
• Scientific and surgical investigation was widely employed by the Metropolitan Police during their pursuit of the mysterious Jack the Ripper, in the 1880s.
• In the 20th century several British pathologists pioneered new forensic science methods. Alec Jeffreys pioneered the use of DNA profiling in forensic science in 1984. He realized the scope of DNA fingerprinting, which uses variations in the genetic code to identify individuals.
Digital forensics
• Digital forensics is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime.
• The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.
• The first computer crimes were recognized in the 1978 Florida Computer Crimes Act, which included legislation against the unauthorized modification or deletion of data on a computer system.
• Canada was the first country to pass legislation in 1983.
• The growth in computer crime during the 1980s and 1990s caused law enforcement agencies to begin establishing specialized groups, usually at the national level, to handle the technical aspects of investigations.
• Since 2000, in response to the need for standardization, various bodies and agencies have published guidelines for digital forensics.
Digital Evidence
• Laws dealing with digital evidence are concerned with two issues:
  • Integrity - ensuring that the act of seizing and acquiring digital media does not modify the evidence (either the original or the copy).
  • Authenticity - refers to the ability to confirm the integrity of information; for example, that the imaged media matches the original evidence. The ease with which digital media can be modified means that documenting the chain of custody from the crime scene, through analysis and, ultimately, to the court, is important to establish the authenticity of evidence.
• Guidelines such as those issued by ACPO are followed to help document the authenticity and integrity of evidence.
Types of Digital Evidence
• Address books and contact lists
• Audio files and voice recordings
• Backups to various programs, including backups to mobile devices
• Bookmarks and favorites
• Browser history
• Calendars
• Compressed archives (ZIP, RAR, etc.) including encrypted archives
• Configuration and .ini files (may contain account information, last access dates etc.)
• Cookies
• Databases
• Documents
• Email messages, attachments and email databases
• Events
• Hidden and system files
• Log files
• Organizer items
• Page files, hibernation files and printer spooler files
• Pictures, images, digital photos
• Videos
• Virtual machines
• System files
Cloud Adoption - Forecast
• 3rd Annual Future of Cloud Computing Survey (2013)
  • 75 percent of those surveyed reported the use of some sort of cloud platform.
  • The worldwide market for cloud computing is expected to reach $158.8 billion by 2014.
• International Data Corporation (IDC)
  • IT cloud services will reach $47.4 billion in 2013 and are expected to be more than $107 billion in 2017.
  • Over the 2013–2017 forecast period, public IT cloud services will have a compound annual growth rate (CAGR) of 23.5%.
Cloud Computing – What is it?
• Outsourcing (services and equipment)
• Providers give customers the ability to use configurable computing resources that can be rapidly provisioned and released with minimal management effort.
• Reduction of cost on infrastructure and support.
• Increased system scalability.
• Use of virtualization techniques for providing equipment, software and platform support as remote services.
• Five essential characteristics.
• Three service models.
Digital and Cloud Forensics
• Digital forensics is the field where investigators use forensic processes to search for digital evidence in order to use it in a court of law.
• Digital forensics deals with the digital evidence found in the area where the crime was committed.
• Cloud forensics is a subset of digital forensics, designating the need for digital investigation in cloud environments, based on forensic principles and procedures.
• Main difference: data is stored in data centers in different geographical areas with different jurisdictions.
Cloud Forensic Process
• Based on digital forensics (the DFRW model was used with a slight differentiation)
• Stages
  • Identification stage - Identifying all possible sources of evidence.
  • Preservation and Collection stage – Collecting evidence from virtualized environments while preserving the chain of custody and the integrity of the evidence.
  • Examination and Analysis stage – Inspection of data with tools to reveal useful information.
  • Presentation stage – Presenting evidence in a way that the jury will understand all the technical details.
Challenges
• Identification Stage
  • Access to evidence in logs
  • Physical inaccessibility
  • Volatile data
  • Distribution – collaboration
  • Client side identification
  • Dependence on CSP – Trust
  • Service Level Agreement (SLA)
• Preservation – Collection Stage
  • Integrity and stability
  • Privacy and multi-tenancy
  • Time synchronization
  • Internal Staffing
  • Chain of custody
  • Imaging
  • Bandwidth limitation
  • Multi-jurisdiction
• Examination - Analysis Stage
  • Lack of forensic tools
  • Volume of data
  • Encryption
  • Reconstruction
  • Unification of log formats
  • Identity
• Presentation Stage
  • Complexity of testimony
  • Documentation
• Uncategorised
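Two of the examination-stage challenges listed above, time synchronization and unification of log formats, are illustrated by the following added example (not code from the slides). Log lines from different cloud components arrive in different formats and time zones; the normaliser maps each to one schema with a UTC timestamp and orders them, keeping unparseable lines flagged rather than dropping them. The three line formats and their contents are constructed samples, not any particular provider's format.

```python
# Added example: unify constructed sample log lines of three formats into one
# UTC-ordered timeline. Formats and values are invented for illustration.
import json
import re
from datetime import datetime, timezone

SAMPLE_LINES = [  # constructed: syslog-style (+02:00), web access log (-0500), JSON audit (Z)
    '2023-05-04T10:15:30+02:00 vm-web01 sshd[1234]: Accepted publickey for admin from 10.0.0.5',
    '10.0.0.5 - - [04/May/2023:03:15:31 -0500] "GET /admin HTTP/1.1" 200 512',
    '{"time":"2023-05-04T08:15:29Z","service":"iam","principal":"admin","action":"CreateKey"}',
    'garbage line with no timestamp',
]

SYSLOG_RE = re.compile(r'^(\S+) (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$')
WEBLOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+)$')

def to_utc(ts: datetime) -> str:
    """Render an aware datetime as an ISO-8601 UTC string ending in Z."""
    return ts.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")

def normalise_line(line: str) -> dict:
    """Map one raw line to {ts_utc, source, actor, event}; unknown formats are kept and flagged."""
    if line.startswith("{"):
        try:
            rec = json.loads(line)
            ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
            return {"ts_utc": to_utc(ts), "source": rec["service"],
                    "actor": rec.get("principal"), "event": rec["action"]}
        except (ValueError, KeyError):
            pass
    m = WEBLOG_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        return {"ts_utc": to_utc(ts), "source": "web", "actor": m.group(1),
                "event": f"{m.group(3)} -> {m.group(4)}"}
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.fromisoformat(m.group(1))
        return {"ts_utc": to_utc(ts), "source": m.group(2), "actor": m.group(3), "event": m.group(4)}
    return {"ts_utc": None, "source": "unknown", "actor": None, "event": line, "unparsed": True}

def normalise(lines) -> list:
    """Unified timeline ordered by UTC time; unparsed lines sort last so nothing is silently lost."""
    recs = [normalise_line(l) for l in lines]
    return sorted(recs, key=lambda r: (r["ts_utc"] is None, r["ts_utc"] or ""))
```

Sorting the raw local timestamps would have put the web-server request first; after conversion to UTC the IAM key creation precedes the SSH login, which precedes the request.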
Challenges identified in the three service models

Cloud Forensic Challenges / Stage        Applicable to
                                         IaaS    PaaS    SaaS
Identification
  Access to evidence in logs             partly  √       √
  Physical inaccessibility               √       √       √
  Volatile data                          √       X       X
  Client side identification             √       X       √
  Dependence on CSP - Trust              √       √       √
  Service Level Agreement (SLA)          √       √       √
Preservation - Collection
  Integrity and stability                √       √       √
  Privacy                                X       √       √
  Time synchronization                   √       √       √
  Internal Staffing                      √       √       √
  Chain of custody                       √       √       √
  Imaging                                X       √       √
  Bandwidth limitation                   √       X       X
  Multi-jurisdiction - collaboration     √       √       √
  Multi-tenancy                          √       √       √
Examination – Analysis
  Lack of forensic tools                 √       √       √
  Volume of data                         X       √       √
  Encryption                             √       √       √
  Reconstruction                         √       √       √
  Unification of log formats             √       √       √
  Identity                               √       √       √
Presentation
  Complexity of testimony                √       √       √
  Documentation                          √       √       √
Uncategorised