Computer Law & Security Review 26 (2010) 304–308
available at www.sciencedirect.com
www.compseconline.com/publications/prodclaw.htm
Digital evidence in cloud computing systems
M. Taylor a, J. Haggerty b, D. Gresty c, R. Hegarty a
a School of Computing and Mathematical Sciences, Liverpool John Moores University, UK
b School of Computing, Science and Engineering, University of Salford, UK
c Post Graduate Student, Lancaster University, UK
Keywords: Digital evidence; Cloud computing
0267-3649/$ – see front matter © 2010 M. Taylor, J. Haggerty, D. Gresty & R. Hegarty. Published by Elsevier Ltd. All rights reserved.
doi:10.1016/j.clsr.2010.03.002
Abstract
Cloud computing systems provide a new paradigm to the distributed processing of digital data.
Digital forensic investigations involving such systems are likely to involve more complex
digital evidence acquisition and analysis. Some public cloud computing systems may involve
the storage and processing of digital data in different jurisdictions, and some organisations
may choose to encrypt their data before it enters the cloud. Both of these factors in conjunction
with cloud architectures may make forensic investigation of such systems more complex and
time consuming. There are no established digital forensic guidelines that specifically address
the investigation of cloud computing systems. In this paper we examine the legal aspects of
digital forensic investigations of cloud computing systems.
© 2010 M. Taylor, J. Haggerty, D. Gresty & R. Hegarty. Published by Elsevier Ltd. All rights
reserved.
1. Introduction
Cloud computing involves the provision of software services
and the underlying hardware resources used as a virtualized
platform across numerous host computers connected by the
Internet or an organisation’s internal network (Treacy, 2009;
Buyya et al., 2009). Examples of commercial cloud service
providers include Amazon Web Services, Google, and Microsoft
Azure Services Platform (Mather et al., 2009) as well as open
source cloud systems such as Sun Open Cloud Platform (Sun,
2010) and Eucalyptus (Eucalyptus, 2010). There are three
generally accepted cloud service delivery models: Software as
a service (where the customer rents the software for use on
a subscription or pay-per-use model); Platform as a service
(where the customer rents a development environment for
application developers); and Infrastructure as a service (where
the customer rents the hardware infrastructure on a subscription
or pay-per-use model and the service can be scaled
depending upon demand) (Viega, 2009).
Cloud computing could in some respects be useful for
computer forensic investigations, if it was necessary to
preserve a computing environment for an investigation. The
environment could potentially be backed up and put into the
cloud for the investigators to use, whilst carrying on with the
normal course of business. However, the migrated data would
only represent a snapshot of when it was sent into the cloud.
Since in a public cloud computing system data could be stored
anywhere in the world, its dispersal could be to a country
where privacy laws are not readily enforced or non-existent. It
could therefore potentially be difficult to establish a chain of
custody for such data. A chain of custody would be taken to
start at the time that the data is preserved for analysis or is
seized. The issues in a cloud computing environment concern
access to the data prior to it being seized, and the preservation
of the data being done correctly, since due to the dynamic
nature of the operation of a cloud computer system, it would
not be possible to go back to the original state of the data. In
addition, cloud resources could be utilised during an investi-
gation to resolve computational load issues associated with
large-scale data set searches. For example, distributed
resources could search small parts of a much larger data set in
tandem to form a virtual supercomputer similar to the
approach taken by SETI (SETI, 2010). In this way, scalability
could be achieved.
Evidence is more ethereal and dynamic in the cloud envi-
ronment with non- or semi-permanent data. For example, if an
application is accessed via a cloud computing system, data
traditionally written to the operating system, such as registry
entries or temporary Internet files, will reside or be stored
within the virtual environment and so lost when the user exits.
This makes evidence traditionally stored on hard drives
potentially unrecoverable. In addition, whilst the confiscation
of physical computing equipment might be relatively
straightforward, the legal process to gain access to data held in
a public cloud computing system (and one which might utilise
computing devices in different jurisdictions) is more complex
and could delay investigations where the recovery of evidence
is typically time critical. It would seem that at present, there
does not appear to be a universal method for extracting
evidence in an admissible fashion from cloud-based applica-
tions, and in some cases there might be little evidence available
to extract. Kaufman (2009) commented upon the legal issues
arising from cloud computing such as e-discovery, regulatory
compliance and auditing and their still to be determined
solutions. The European Network and Information Security
Agency (ENISA, 2010) is currently carrying out a risk assess-
ment of cloud computing with regard to the development of
technologies and legislative measures to mitigate risk.
Cloud computing service providers would not be liable for
damages or for any other pecuniary remedy or for any criminal
sanctions as a result of hosting data or applications under the
Electronic Commerce (EC Directive) Regulations 2002 and other
associated regulations, provided that the cloud computing
service provider did not have actual knowledge of unlawful
activity or information, and had no reason to suspect such
unlawful activity or information.
2. Acquisition of digital evidence in cloud computing systems
Identifying digital evidence in a cloud computing environment
may be very complex. A public cloud (Internet based) managed
by another organisation that provides cloud computing
services is likely to be more difficult to investigate than
a private cloud (based upon an organisation’s internal
computer network) (Grossman, 2009). There are also hybrid
private–public clouds, where a private cloud system may load
(or off-load) data and processing into a public cloud system
depending upon the system requirements and the capacity of
the private cloud. In a cloud computing system (for example,
the open source Eucalyptus) cloud manager software provides
the entry point into the cloud for users and administrators. It
queries resources and makes high level scheduling decisions
via group manager software that gathers information regarding
virtual machine (a software implementation of a computer that
executes programs like a physical computer) execution on
specific instance managers, as well as managing the virtual
instance network. Instance manager software controls the
execution, inspection and termination of virtual machine
instances on the host computer within the cloud where it runs.
The manner in which cloud computing services operate means
that in practice, an organisation may not know where data it is
responsible for is located geographically at any particular time.
It should be noted that this may be a logical structure rather
than truly geographic. For example, the servers that provide
many of Yahoo’s country specific information actually reside in
the USA but appear to be locally hosted to the user. This has
recently been used to great effect by criminals based in Asia but
registering UK Web sites to sell fake branded goods (Vahl, 2009).
Vella (2009) commented that increased use of cloud
computing will undoubtedly result in jurisdictional difficulties
where data crucial to a case is stored outside the United
Kingdom. It may be necessary for governments to make
arrangements for the immediate preservation of suspect data
following a request from law enforcement agencies in order to
ensure that data does not disappear while a court decides
whether or not the data can be released to UK law enforcement.
The advice from the UK Information Commissioner’s Office
(ICO, 2010) is that data (in particular personal data) should be
encrypted prior to it being transferred to a cloud computing
services company. Both of these aspects of cloud computing
can potentially be time consuming and problematic for
a computer forensic investigation (Allan, 2005) in terms of
digital evidence acquisition. Part III of the UK Regulation of
Investigatory Powers Act 2000 requires provision of decryption
keys for the purpose of preventing or detecting crime.
In R. v. Thames Magistrates Court (2) C&E Commissioners,
Ex Parte (1) Paul Da Costa (A firm) (2) Stewart Collins (2002) it
was ruled that a computer hard disk is a single storage entity
and fell within the definition of a document because it is
something ‘in which information of any kind is recorded’.
Thus a hard disk may be seized and removed provided that it
contains material which the searching officer at the time of
the search has reasonable case to believe might be required in
relation to a suspected offence or offences. The officer is not
required to extract from the hard disk just the information he
believes may be required, nor is it practicable for him to do so.
This ruling provides guidance in the case of traditional
computing systems, however in the case of cloud computing
systems, imaging data from all the computers (or even
a subset of the computers) in the cloud may not be practicable.
Some public cloud service providers may record certain
information relating to use of their services. For example
Google records information relating to use of Google Docs such
as storage usage, number of log-ins, data displayed and clicked
upon, IP address and date and time of access. Such data may be
retained by Google for short periods even after the user has
deleted the files (Google, 2010). Such data may be useful for
police computer forensic investigations and might be able to be
obtained under the UK Regulation of Investigatory Powers Act
2000 (RIPA, 2000).
2.1. Personal data accessed during a cloud computing system forensic investigation
The UK Data Protection Act, 1998 (DPA, 1998) might apply to
computer forensic investigations that involve the analysis of
personal data stored or processed within a cloud computing
system. Thus, if an investigation of fraud was undertaken that
involved analysis of customers’ personal data, then the prin-
ciples of the Data Protection Act should be applied during the
investigation. For example, appropriate security measures
should be applied to any personal data that had to be examined
as part of the investigation. Personal data accessed as part of
the investigation should not be accessed by unauthorised
individuals outside the investigation team. However, the main
consideration regarding personal digital data that may need to
be examined during a cloud computing system forensic
investigation is that of the different jurisdictions in which the
data of interest may be stored or processed within the cloud
(especially in non-EU countries without an appropriate level of
data protection legislation), and whether such data can be
released in a timely manner (before it may be deleted).
2.2. Monitoring of cloud computing systems during a computer forensic investigation
The UK Regulation of Investigatory Powers Act, 2000 (RIPA)
makes it unlawful to intercept any communication in the
course of transmission without the consent of one of the parties
or without lawful authority. UK law distinguishes between the
interception of communication or traffic data (the sender and
recipient, the time and date, and the duration of transmission)
and the content of the communication. Appropriate internal
corporate authorisation would be required to ensure that any
investigation of an internal private cloud system did not breach
the Act. Investigation of a public cloud computing system
involving Internet based computing resources would require
the cloud computing services provider to provide the police (or
other agency) investigation with required digital data. However,
due to the nature of cloud computing systems operation, some
of the digital data may not be practicable to obtain.
3. Procedures used for cloud computing forensic investigations
A private cloud computing system is for a single organisa-
tion’s internal use and it may be run by the organisation itself
or outsourced to a third party. A public cloud is managed by
another organisation that provides cloud services. Public
cloud computing systems offer publicly accessible remote
interfaces for creating and managing data. This more
dispersed architecture can have serious ramifications for the
identification of digital evidence. If a computer forensic
investigation involves a private cloud, the digital data will
reside within the organisation or within its outsourced
supplier. The key sources of potential evidence will be iden-
tifiable, such as servers, applications, and data repositories
residing within the organisational IT infrastructure. In addi-
tion, the investigating team may also have access to key
personnel identified by the investigation, such as the suspect
or system administrators. However, if the digital evidence
resides within a public cloud, it will be much more difficult to
identify. As Treacy (2009) comments, the cloud computing
environment aims to be dynamic and customizable. This is
achieved through the seamless interaction of a variety of
applications being delivered to the user as if they were
accessing just a single site or logical location. This seamless
delivery from distributed sources will make the identification
of sources of potential digital evidence, or the digital evidence
itself, much more complex. Moreover, even the existence of
data will be quite complex to identify as data is pushed further
back into the network rather than purely being delivered to
the user’s physical computing device and may only exist
within tight temporal constraints.
When digital evidence is required from a public cloud
computing system there is also the issue of continuity of service
(and level of service) for other users of the cloud services. Ideally
a computer forensic investigation should not impact upon other
cloud service users who are not the target of the investigation.
Any police computer forensic investigation should keep
within the Association of Chief Police Officers’ guidelines for
computer-based electronic evidence (ACPO, 2007). That is to
show a court, if required, that the evidence produced is no more
and no less than when it was first taken into the possession of
the forensic examiner. However, the current version of the
Association of Chief Police Officers’ guidelines for computer-
based electronic evidence does not specifically address cloud
computing investigations but its principles should be main-
tained. If a cloud computing forensic investigation was to
result in a court case, then the UK Criminal Procedure and
Investigations Act, 1996 (CPIA, 1996) and amendments in the
UK Criminal Justice Act, 2003 (Part 5) (CJA, 2003) may be
relevant as they cover the legal requirements to provide both
evidence in support of a prosecution and evidence to support
a reasonable defence. The Criminal Procedure and Investiga-
tions Act, 1996 makes a specific requirement on police officers
and their agents (such as computer forensic analysts) to
provide detailed disclosure. Section 3.2 of this Act, Primary
disclosure by prosecutor, concerns digital material that came
into the prosecutor’s possession in connection with the case
for the prosecution, and would include material provided by
police officers, or their agents. This covers not just the disclo-
sure of digital material that supports the prosecution, but also
material that may undermine the prosecution and support
a defence. R. v. Hampton and another 2004 EWCA Crim 2139,
provides an example case where non-disclosure of cell-site
evidence relating to a mobile phone call occurred. Failing to
comply with the Criminal Procedure and Investigations Act,
1996 does not rule evidence inadmissible, but during the trial
the court might be directed to take into account the fact that
the defendant may not have been afforded the opportunity to
acquire evidence to defend themselves (Taylor et al., 2007). In
a cloud computing environment, due to the potentially greater
effort required to identify and examine computing devices that
had stored or processed digital data of interest to the investi-
gation, there might be limited time and resources available to
identify digital material of wider relevance than that which
specifically concerns the investigation.
An important aspect of providing digital evidence in court
concerns certifying that the computer(s) in question were
working properly at the material time. In the case of R. v. Spiby
[1991] (CLR, 1991) it was held that if an instrument (in this case
a computer) was of a kind as to which it was common
knowledge that they were more often than not in working
order, in the absence of evidence to the contrary, the courts
will presume that a mechanical instrument is in working
order at the material time. This is important and potentially
challenging in a cloud computing forensic investigation since
numerous computing devices possibly located in different
countries may have been used during a transaction. Any
computer forensic investigation carried out by a UK police
force would be subject to the codes of practice within the
Police and Criminal Evidence Act, 1984 (PACE, 1984) (and
possibly the UK Serious Organised Crime and Police Act, 2005
(SOCPA, 2005)).
4. Analysis of digital evidence in cloud computing systems
When investigating data recovered from traditional media,
documents and files will typically have meta data preserved
from the original hosting system, for example data relating to
when files were created and modified. This may not be the
case in cloud computing systems. However, meta data
embedded within documents that had subsequently entered
the cloud storage could provide important clues to how the
data has been used and manipulated beforehand (such as
change tracking in MS Word documents).
If unauthorised access or unauthorised access with intent
(CMA, 1990) might be investigated in a cloud computing
environment then digital evidence may possibly be fairly easy
to obtain from the user’s computer. However, with regard to
unauthorised modification of data or programs (CMA, 1990),
unless confirmation of the modification was sent to user’s
computer, or the application, systems or network software
produced an audit trail, then to prove that unauthorised
modification actually took place it might be difficult to identify
digital evidence that modification actually took place at the
material time on a computing device within the cloud (espe-
cially if a public cloud computing system or hybrid cloud
computing system is being investigated).
In terms of fraud or money laundering investigations
involving cloud computing systems, financial services organi-
sations (and some other types of organisations) might typically
have audit trails built into their application systems (that can
be used to provide digital evidence). However, other types of
organisations may not use such audit trails in which case it
might be difficult to identify digital evidence to prove that
updating of accounts (not just attempted fraud or money
laundering) took place within the cloud. In a cloud computing
environment actions taken from the moment a fraud is
suspected can have a profound impact on both the amount of
digital evidence available and the extent to which it will be
acceptable in future legal proceedings. If investigation of emails
is required within a cloud computing environment then typi-
cally logs of sent and received emails from the user’s computer
could be used as evidence (unless the tampering of emails is
being investigated in which case evidence from the computing
devices within the cloud could be required).
If an investigation concerned indecent images or extreme
pornography then evidence from the user’s computer of access
or downloading or storage of images could typically be obtained.
However, organisations storing and disseminating such mate-
rial might possibly use cloud computing services in which case
the actual computing devices within the cloud storing such
images might need to be determined, if this is possible.
Tracking malware (including spyware, computer viruses and
worms and Trojan software) within a cloud computing envi-
ronment may be complex. Attempting to track down the effects
of malware upon data or programs stored within the cloud could
be very complex. Thus if a defence related to malicious software
being used within the cloud without the knowledge of the
accused, it might be difficult to obtain digital evidence to
support such a defence (Haagman and Ghavalas, 2005).
5. Conclusions
The acquisition and analysis of digital evidence from cloud
computing systems is likely to be more complex than for
previous types of computing systems. It may potentially be
difficult to obtain digital evidence to the same standard as that
currently obtained from traditional server-based systems due
to the nature of the operation of cloud computing systems.
Public and hybrid cloud-based computing systems might
operate across jurisdictions, which might make obtaining
such data more complex and more time consuming. Some
organisations may encrypt digital data before processing in
the cloud, which can again lead to more complexity and delay
in obtaining the necessary digital evidence. In the case of data
stored or processed in different jurisdictions within the cloud,
such delays could potentially result in data being deleted
before it can be made available to investigators.
Unless a cloud computing application provides an audit trail,
it may be difficult to extract digital evidence in an admissible
manner from such applications, and in some cases, there may
be little evidence available to extract. This might lead to either
legislation requiring cloud computing service providers to keep
audit trails (or similar records of user activity), or that prose-
cution cases may need to be based upon evidence gained
mainly from the user’s computer, rather than from computing
equipment within the cloud. Thus for example, if an investi-
gation involved analysis of a Google document transaction,
then with regard to user data stored on the user’s personal
computer after such a Google document transaction there
would be cookies for user login and documents and also Google
Gears may have created an SQLite database on the user’s
machine to allow the user to work offline. All these artefacts
stored on the user’s personal computer could provide potential
evidence, even if further digital evidence from computers in the
Google cloud could not easily be obtained.
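An added example, not code from the paper: it illustrates the point above that artefacts on the user's computer, such as a locally created SQLite database, may be the main evidence, together with the ACPO requirement cited in Section 3 that evidence be no more and no less than when first taken into possession. It finds SQLite files by header in a working copy, reads them through a read-only handle, and compares SHA-256 hashes before and after; the file name, table and rows are constructed sample data and do not reflect Google Gears' actual layout.

```python
import hashlib
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 file


def sha256_file(path):
    """Hash a file in chunks so large artefacts need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_sqlite(path):
    """Identify SQLite databases by header, not by file extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def examine(path):
    """List tables and row counts read-only; hash before and after to show no change."""
    before = sha256_file(path)
    uri = Path(path).resolve().as_uri() + "?mode=ro"  # handle refuses all writes
    con = sqlite3.connect(uri, uri=True)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        tables = {}
        for name in names:
            quoted = '"' + name.replace('"', '""') + '"'
            tables[name] = con.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
    finally:
        con.close()
    return {"sha256": before, "tables": tables,
            "unchanged": sha256_file(path) == before}


def inventory(root):
    """Walk a working copy of the user's profile and examine every SQLite file."""
    records = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if is_sqlite(path):
                record = examine(path)
                record["file"] = os.path.relpath(path, root)
                records.append(record)
    return sorted(records, key=lambda r: r["file"])


def build_sample(root):
    """Constructed sample profile: one real database plus a mislabelled decoy."""
    con = sqlite3.connect(os.path.join(root, "offline_store.db"))
    con.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO documents (title) VALUES (?)",
                    [("draft",), ("final",)])
    con.commit()
    con.close()
    with open(os.path.join(root, "decoy.db"), "wb") as fh:
        fh.write(b"not a database")


def demo():
    """Build the constructed sample in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return inventory(root)


if __name__ == "__main__":
    print(demo())
```

The recorded hash and the `unchanged` flag give the examiner a per-file statement that can be repeated later against the same working copy.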
M. Taylor, School of Computing and Mathematical Sciences,
Liverpool John Moores University, UK; J. Haggerty, School of
Computing, Science and Engineering, University of Salford;
D. Gresty, Post Graduate Student, Lancaster University; &
R. Hegarty, Research Student, School of Computing and
Mathematical Sciences, Liverpool John Moores University, UK.
References
ACPO. Good practice guide for computer-based electronic evidence version 4. England, Wales, and N. Ireland: The Association of Chief Police Officers, http://www.acpo.police.uk; 2007.
Allan W. Computer forensics. IEEE Security and Privacy 2005;3(4):59–62.
Buyya R, Yeo C, Venugopal S, Broberg J, Brandic I. Cloud computing and emerging IT platforms: vision, hype and reality for delivering computing a 5th utility. Future Generation Computer Systems 2009;25:599–616.
CJA. UK Criminal Justice Act 2003, http://www.opsi.gov.uk; 2003.
CLR. R. v. Spiby. Criminal Law Review; 1991:199.
CMA. UK Computer Misuse Act 1990, http://www.opsi.gov.uk; 1990.
CPIA. UK Criminal Procedure and Investigations Act 1996, http://www.opsi.gov.uk; 1996.
DPA. UK Data Protection Act 1998, http://www.opsi.gov.uk; 1998.
ENISA. ENISA cloud computing risk assessment. European Network and Information Security Agency, http://www.enisa.europa.eu; 2010.
Eucalyptus. Eucalyptus systems, http://www.eucalyptus.com; 2010.
Google. Google Docs, http://www.google.com/google-d-s/privacy.html; 2010.
Grossman R. The case for cloud computing. IT Professional 2009;11(2):23–7.
Haagman D, Ghavalas B. Trojan defence: a forensic view. Digital Investigation 2005;2(1):23–30.
ICO. Personal information online code of practice: consultation document. UK: Information Commissioner’s Office, http://www.ico.gov.uk; 2010.
Kaufman L. Data security in the world of cloud computing. IEEE Security and Privacy 2009;7(4):61–4.
Mather T, Kumaraswamy S, Latif S. Cloud security and privacy: an enterprise perspective on risks and compliance. Sebastopol, CA, USA: O’Reilly; 2009.
PACE. UK Police and Criminal Evidence Act 1984, http://www.opsi.gov.uk; 1984.
RIPA. UK Regulation of Investigatory Powers Act, http://www.opsi.gov.uk; 2000.
SETI. Search for Extra-Terrestrial Intelligence, http://setiathome.berkeley.edu; 2010.
SOCPA. Serious Organised Crime and Police Act, http://www.opsi.gov.uk; 2005.
Sun. Sun open cloud platform. Sun Microsystems, http://www.sun.com; 2010.
Taylor M, Haggerty J, Gresty D. The legal aspects of corporate computer forensic investigations. Computer Law and Security Report 2007;23:562–6.
Treacy B. Cloud computing: data protection concerns unwrapped. Privacy and Data Protection 2009;9(3):1–3.
Vahl S. Fake websites shut down by police. BBC News, http://news.bbc.co.uk/1/hi/uk/8392600.stm; 3 Dec 2009.
Vella P. The future of forensic computing. Criminal Law and Justice Weekly 2009;33:1–2.
Viega J. Cloud computing and the common man. IEEE Computer 2009;42(8):106–8.