The Death Of Computer Forensics: Digital Forensics After the Singularity

2 May 2011 - WORKSHOP - The Death Of Computer Forensics: Digital Forensics After the Singularity

Workshop participants: Cory Altheide (Google), Carlo Blengino (Lawyer), Francesca Bosco (UNICRI - Project Officer, Emerging Crimes Unit), Elia Florio (Data Protection Authority), Roberto Flor (University of Verona - Faculty of Law), Davide Gabrini (Postal Police), Rodrigo Rodriguez (ATOS Research), Monica Senor (Lawyer). Moderators were: Giuseppe Vaciago (University of Milan - Faculty of Law) and Stefano Zanero (Politecnico di Milano).

Summary of the Workshop (Giuseppe Vaciago)

I. Technical Challenges of Cloud Forensics
II. Legal Challenges of Cloud Forensics
III. Conclusions

***
The lecture by Cory Altheide [1] also served as an opportunity to organize a workshop in which lawyers, computer scientists, policy makers and members of law enforcement met to discuss the future of digital forensics in the cloud and to define the challenges that this technology will face in the coming years.
[1] Cory Altheide has nine years of information security, forensics and incident investigation experience. Cory worked at IBM, Google and the National Nuclear Security Administration (NNSA). At IBM, Mr. Altheide performed emergency computer security response for clients ranging from international banks to defense contractors to Fortune 500 retailers. At Google, he managed the response to numerous incidents, ranging from externally reported cross-site scripting vulnerabilities in Google properties to compromised systems and extortion attempts. Prior to joining Google, Mr. Altheide was the Senior Network Forensics Specialist in the National Nuclear Security Administration's Information Assurance Response Center (NNSA IARC). Mr. Altheide has authored two original research papers for the computer forensics journal "Digital Investigation" and co-authored "Handbook of Digital Forensics and Investigation" (2009). He holds the SANS GCIH and GCFA certifications.
A number of technical and legal considerations emerged, and these will serve as the basis for a paper that the Polytechnic of Milan and the University of Milan Bicocca are due to draft in the coming months. Below is a brief summary of the matters of interest that emerged during the workshop.
I. Technical Challenges of Cloud Forensics

1. Although it has become clear that computer forensics (the practical analysis of digital data following the acquisition of a bit-stream image of a suspect's hard disk) suffered a setback with the wide adoption of mobile devices and the increasing use of flash memory and encryption systems, it is undoubtedly also the case that it experienced a fundamental change due to the incredible expansion of cloud computing systems.
2. In order to arrive at this "dramatic" conclusion, we need to start with the definition of cloud computing devised by NIST: "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." Cloud computing has five essential characteristics, i.e., on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service. It has three service models, i.e., Cloud Software as a Service (SaaS), Cloud Platform as a Service (PaaS) and Cloud Infrastructure as a Service (IaaS). And it has four deployment models, i.e., private cloud, community cloud, public cloud and hybrid cloud (Mell and Grance, 2009).
3. The various types of service or deployment models described above pose an initial problem, insofar as they require the use of specialized cloud forensic techniques that are extremely different from one another: depending on the cloud service model involved, the tools and procedures used to collect forensic data also differ (e.g., in public clouds, provider-side artifacts need to be segregated among multiple tenants, whereas in private clouds there is no such need).
4. But this is just the beginning: in digital forensics, the key processes and techniques require that the software be tested and checked, and that the operations performed on digital evidence be repeatable and documented. Classic digital forensics can be divided into three scenarios:

A. Data at rest (traditional computer forensics, e.g., disk imaging)
B. Data in transit (network forensics)
C. Data in execution (live or memory forensics).

If we transpose this same breakdown to cloud computing, we notice immediately that data at rest does not reside on the device, except for the few traces that can be found in the cache or in temporary files; that data in transit cannot be easily analyzed, because the major cloud providers encrypt all traffic to keep the cloud instance secure from neighboring threats (while this reduces the risk of illegal interception and of tampering, it also makes things more difficult for legitimate investigators); and finally, that any data in execution will be present only in the cloud instance, and it will be equally difficult to exploit this during an investigation.
5. It is clear that the most difficult challenge is posed by the loss of data control: virtualization is one of the key elements in the implementation of cloud services, while in most cases investigators require evidence to be obtained from physical devices. Furthermore, data from the cloud only makes sense when interpreted using the appropriate cloud communication protocols. The investigator who wants to capture the bit-stream data of a given suspect image will be in the same situation as someone who has to complete a jigsaw puzzle whose pieces are scattered randomly across the globe. But that's not all: even if it were possible to reconstruct the image, the investigator would never be able to validate it "beyond a reasonable doubt" in the same way as would be possible with a physical hard drive.
6. Finally, in traditional computer forensics recovered deleted data is an important source of evidence, and so it is in the cloud as well. With cloud providers, the right to alter or delete the original snapshot is explicitly reserved for the user that created the volume. When item and attribute data are deleted within a domain, removal of the mapping within the domain starts immediately, and is also generally complete within seconds. Once the mapping is removed, there is no remote access to the deleted data. It is likely that the storage space will be overwritten by newly stored data. However, some deleted data might still be present in the snapshot after deletion. The challenge is then: how to recover deleted data, identify the ownership of deleted data, and use deleted data as sources of event reconstruction in the cloud? (Keyun Ruan, Prof. Joe Carthy, Prof. Tahar Kechadi, Mark Crosbie, Cloud forensics: An overview, Digital Forensics, Vol. 7, Springer).
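To make point 6 concrete, here is an added toy model (not code from the workshop or from any cloud provider) of a storage domain in which deletion removes only the item's mapping: remote access is cut off at once, the raw block survives until it is reused, a snapshot taken earlier still holds the data, and a carved fragment carries no ownership information. The tenant names, item names and contents are constructed for the example.

```python
# Added toy model of the deletion behaviour in point 6; constructed for illustration only.
import copy

BLOCK_SIZE = 16

class Domain:
    """Items map to fixed-size blocks; the mapping also records the owning tenant."""
    def __init__(self, n_blocks):
        self.blocks = [b"\x00" * BLOCK_SIZE for _ in range(n_blocks)]
        self.mapping = {}                    # item -> (owner, block index)
        self.free = list(range(n_blocks))    # blocks available for (re)use

    def put(self, owner, item, data):
        # Takes a free block; a block freed by an earlier delete gets overwritten.
        idx = self.free.pop(0)
        self.blocks[idx] = data.ljust(BLOCK_SIZE, b"\x00")[:BLOCK_SIZE]
        self.mapping[item] = (owner, idx)

    def delete(self, item):
        # Only the mapping is removed; the block content is left in place.
        _, idx = self.mapping.pop(item)
        self.free.append(idx)

    def remote_get(self, item):
        # The only access path available remotely: unmapped data is unreachable.
        if item not in self.mapping:
            return None
        _, idx = self.mapping[item]
        return self.blocks[idx].rstrip(b"\x00")

    def snapshot(self):
        # Point-in-time copy of mapping and blocks, like a volume snapshot.
        return copy.deepcopy(self)

def carve(domain, needle):
    """Scan raw blocks for a surviving fragment; owner is None when unmapped."""
    owners = {idx: owner for owner, idx in domain.mapping.values()}
    return [(i, owners.get(i)) for i, b in enumerate(domain.blocks) if needle in b]

def scenario():
    d = Domain(n_blocks=1)               # a single block, so reuse is immediate
    d.put("tenant-A", "note", b"secret-memo")
    snap = d.snapshot()                  # snapshot taken before the deletion
    d.delete("note")
    after_delete = d.remote_get("note")  # None: no remote access any more
    carved = carve(d, b"secret-memo")    # [(0, None)]: data survives, owner lost
    d.put("tenant-B", "file", b"other-data")
    carved_after_reuse = carve(d, b"secret-memo")  # []: overwritten by new data
    in_snapshot = snap.remote_get("note")          # b"secret-memo": still present
    return after_delete, carved, carved_after_reuse, in_snapshot
```

The four returned values are, in order, the three forensic facts the paragraph states (no remote access, survival until overwrite, survival in the earlier snapshot) plus the ownership gap that a carved fragment leaves behind.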
II. Legal Challenges of Cloud Forensics

1. The “loss of location” of digital evidence in the cloud world creates a problem of jurisdiction. Over the last few years, various approaches have been offered to solve this problem. The traditional approach is the territorial principle, by virtue of which the Court in the place where the data is located has jurisdiction (Art. 32, Convention on Cybercrime). This approach essentially prohibits any type of investigation, because even the cloud provider might not know exactly where the data is located. Another approach is the nationality principle, by virtue of which the nationality of the perpetrator is the factor used to establish criminal jurisdiction. This principle imposes certain restrictions, since the perpetrators in a cybercrime case might easily be foreign nationals, given that cybercrime is generally transnational and there is no need for physical proximity. Furthermore, data does not have a nationality, as nationality is an attribute of an individual. A third approach is the “flag principle”, which basically states that crimes committed on ships, aircraft and spacecraft are subject to the jurisdiction of the flag state, regardless of their location at the time of the crime (art. 22, Convention on Cybercrime). Since digital data is constantly changing, this principle also seems to be applicable to the cloud world. However, to potentially apply this to the cloud computing scenario, we must remember that clouds might not be the actual place where the crime was committed, and that this principle could motivate cybercriminals to select a cloud computing provider under a “pirate flag”.
2. A recent discussion paper, prepared by Jan Spoenle for the Economic Crime Division of the Council of Europe (Directorate General of Human Rights and Legal Affairs) within the framework of the global Project on Cybercrime, suggested the “Power of Disposal Approach”. From a practical point of view, a regulation based on the power of disposal approach would make it feasible for law enforcement to access a suspect’s data within the cloud. Law enforcement would only have to legally obtain the username and password combination and be able to prove that additional requirements have been met. This type of approach certainly overcomes any legal issue, but a balance must be struck with the legitimate need for privacy and the rights of the suspect as well. Furthermore, this approach may not be easy to take, because many devices (particularly mobile ones) are protected through the use of DRM, which, in addition to preventing the installation of unauthorized software, provides a level of security that would make access through Trojan horses or other malicious software very complicated.
3. Another extremely sensitive issue in the cloud is data retention, since this is a key factor in the facilitation of investigation activities. The scope of Directive 2006/24/EC, however, is very well defined and, as such, limited. From an objective point of view, it is limited in scope, since it concerns only certain traffic and location data generated through the use of electronic communications. From a subjective point of view, it concerns only providers of publicly available electronic communications services or of a public communications network. This begs the question of who exactly are the providers subject to these obligations, and whether cloud providers are included in this definition.
4. These considerations and recent constitutional court rulings (Bulgaria 2008, Romania 2009, Germany 2010, Czech Republic 2011), which have declared the unconstitutionality of the directive on data retention, force us to carry out a rethink in terms of a new system of data retention and regulation in the cloud and the provision of specific obligations for different actors, in particular: a standardized data retention period across countries, or mutually agreed recognition principles so that the retention period applied is based on where the user’s data is stored; standardized security standards; standardized and high-level data protection standards; and a rule of exceptionality of data retention, where proportionate and intended to protect important and dominant legal interests and in the fight against serious crimes. The choice should be based on agreed criteria, but not just in Europe and between European States.
5. In this scenario, cloud computing is a perfect setting for the activities of cybercriminals. Recent reports confirm that cybercriminals are relying more on cloud computing models to carry out cyberattacks. Cybercriminals will either be manipulating the connection to the cloud, or attacking the data center and the cloud itself. In fact, the cloud gathers traffic at centralized locations, allowing them to achieve critical mass for attacks. Well-organized cybercriminals can also easily harvest botnets via common cloud applications, which are not new but have become more prevalent in recent times, as users continue to let their guard down and network with increasing speed online.
6. Last but not least, we should not forget the difficulties that can be encountered in legal proceedings, where it is not always possible to obtain a clear validation of digital evidence. If, for example, digital evidence has been wiped by the user and the cloud-based system has also overwritten that portion of the hard disk, will the court be able to judge the corresponding digital evidence impartially and effectively (especially in criminal matters)?
III. Conclusions

There are many challenges posed by cloud forensics and just as many legal issues that will need to be addressed in the coming years. On the technical side, with regard to Infrastructure as a Service, it can be assumed (without the same guarantees of success) that both traditional digital forensic solutions and cloud forensic tools will need to use the cloud as a discovery engine for rapid and accurate forensic investigations. This means that, although new approaches and systems must be developed, above all a strong working relationship needs to be developed with cloud providers. On the legal side, the topic of data retention provides examples of the problems associated with jurisdiction. Faced with a total absence of regulations on data retention in the United States, at the European level a very different situation prevails: the latter features very strict regulation, even if this is controversial and not entirely applicable to cloud computing. To this must be added the procedural difficulty of successfully presenting cloud-based evidence in court in a way that is both admissible and reliable. This uncertainty can only encourage cybercrime and, above all, create a climate of distrust towards a particular technology that offers, apart from obvious cost savings, massive potential. If it is true that the law often lags behind technology, a reassessment of digital forensics is now essential and will need to be carried out, if possible, by lawyers and computer scientists working in collaboration.