2 May 2011 – WORKSHOP - The Death of Computer Forensics: Digital Forensics After the Singularity

Workshop participants: Cory Altheide (Google), Carlo Blengino (Lawyer), Francesca Bosco (UNICRI - Project Officer, Emerging Crimes Unit), Elia Florio (Data Protection Authority), Roberto Flor (University of Verona - Faculty of Law), Davide Gabrini (Postal Police), Rodrigo Rodriguez (ATOS Research), Monica Senor (Lawyer). Moderators were: Giuseppe Vaciago (University of Milan - Faculty of Law) and Stefano Zanero (Politecnico di Milano).
Summary of the Workshop (Giuseppe Vaciago)
I. Technical Challenges of Cloud Forensics
II. Legal Challenges of Cloud Forensics
III. Conclusions

***

The lecture by Cory Altheide [1] also served as an opportunity to organize a workshop in which lawyers, computer scientists, policy makers and members of law enforcement met to discuss the future of digital forensics in the cloud and to define the challenges that this technology will face in the coming years.

[1] Cory Altheide has nine years of information security, forensics and incident investigation experience. Cory worked at IBM, Google and the National Nuclear Security Administration (NNSA). At IBM, Mr. Altheide performed emergency computer security response for clients ranging from international banks to defense contractors to Fortune 500 retailers. At Google, he managed the response to numerous incidents, ranging from externally reported cross-site scripting vulnerabilities in Google properties to compromised systems and extortion attempts. Prior to joining Google, Mr. Altheide was the Senior Network Forensics Specialist in the National Nuclear Security Administration's Information Assurance Response Center (NNSA IARC). Mr. Altheide has authored two original research papers for the computer forensics journal "Digital Investigation" and co-authored the "Handbook of Digital Forensics and Investigation" (2009). He holds the SANS GCIH and GCFA certifications.
A number of technical and legal considerations emerged, and these will serve as the basis for a paper that the Polytechnic of Milan and the University of Milan Bicocca are due to draft in the coming months. Below is a brief summary of the matters of interest that emerged during the workshop.

I. Technical Challenges of Cloud Forensics

1. Although it has become clear that computer forensics - the practical analysis of digital data following the acquisition of a bit-stream image of a suspect's hard disk - suffered a setback with the wide adoption of mobile devices and the increasing use of flash memory and encryption systems, it is undoubtedly also the case that it experienced a fundamental change due to the incredible expansion of cloud computing systems.

2. In order to arrive at this "dramatic" conclusion, we need to start with the definition of cloud computing devised by NIST: "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." Cloud computing has five essential characteristics, i.e., on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service. It has three service models, i.e., Cloud Software as a Service (SaaS), Cloud Platform as a Service (PaaS) and Cloud Infrastructure as a Service (IaaS). And it has four deployment models, i.e., private cloud, community cloud, public cloud and hybrid cloud (Mell and Grance, 2009).

3. The various types of service or deployment models described above pose an initial problem, insofar as they require the use of specialized cloud forensic techniques that are extremely different from one another: depending on the cloud service model involved, the tools and procedures used to collect forensic data also differ (e.g., in public clouds, provider-side artifacts need to be segregated among multiple tenants, whereas in private clouds there is no such need).

4. But this is just the beginning: in digital forensics the key processes and techniques require that the software be tested and checked, and that the operations performed on digital evidence be repeatable and documented. It is possible to divide classic digital forensics into three scenarios:
   A. Data at rest (traditional computer forensics, e.g. disk imaging)
   B. Data in transit (network forensics)
   C. Data in execution (live or memory forensics)
If we transpose this same breakdown to cloud computing, we notice immediately that data at rest does not reside on the device, except for the few traces that can be found in the cache or in temporary files; that data in transit cannot be easily analyzed, because the major cloud providers encrypt all traffic to keep each cloud instance secure from neighboring threats (while this reduces the risk of illegal interception and tampering, it also makes things more difficult for legitimate investigators); and, finally, that any data in execution will be present only in the cloud instance, and it will be equally difficult to make use of it during an investigation.

5. It is clear that the most difficult challenge is posed by the loss of data control: virtualization is one of the key elements in the implementation of cloud services, while in most cases investigators require evidence to be obtained from physical devices. Furthermore, data from the cloud only makes sense when interpreted using the appropriate cloud communication protocols. The investigator who wants to capture the bit-stream data of a given suspect image will be in the same situation as someone who has to complete a jigsaw puzzle whose pieces are scattered randomly across the globe. But that's not all: even if it were possible to reconstruct the image, the investigator would never be able to validate it "beyond a reasonable doubt" in the same way as would be possible with a physical hard drive.

6. Finally, in traditional computer forensics, recovered deleted data is an important source of evidence, and so it is in the cloud as well. With cloud providers, the right to alter or delete the original snapshot is explicitly reserved for the user that created the volume. When item and attribute data are deleted within a domain, removal of the mapping within the domain starts immediately and is generally complete within seconds. Once the mapping is removed, there is no remote access to the deleted data. It is likely that the storage space will be overwritten by newly stored data. However, some deleted data might still be present in the snapshot after deletion. The challenge is then: how to recover deleted data, identify the ownership of deleted data, and use deleted data as a source of event reconstruction in the cloud? (Keyun Ruan, Prof. Joe Carthy, Prof. Tahar Kechadi, Mark Crosbie, "Cloud forensics: An overview", Digital Forensics, Vol. 7, Springer).

II. Legal Challenges of Cloud Forensics

1. The "loss of location" of digital evidence in the cloud world creates problems of jurisdiction. Over the last few years, various approaches have been offered to solve this problem. The traditional approach is the territorial principle, by virtue of which the court in the place where the data is located has jurisdiction (Art. 32, Convention on Cybercrime). This approach essentially prohibits any type of investigation, because even the cloud provider might not know exactly where the data is located. Another approach is the nationality principle, by virtue of which the nationality of the perpetrator is the factor used to establish criminal jurisdiction. This principle imposes certain restrictions, since the perpetrators in a cybercrime case might easily be foreign nationals, given that cybercrime is generally transnational and there is no need for physical proximity. Furthermore, data does not have a nationality, as nationality is an attribute of an individual. A third approach is the "flag principle", which basically states that crimes committed on ships, aircraft and spacecraft are subject to the jurisdiction of the flag state, regardless of their location at the time of the crime (Art. 22, Convention on Cybercrime). Since digital data is constantly changing, this principle also seems to be applicable to the cloud world. However, to apply this to the cloud computing scenario, we must remember that clouds might not be the actual place where the crime was committed, and that this principle could motivate cybercriminals to select a cloud computing provider under a "pirate flag".

2. A recent discussion paper, prepared by Jan Spoenle for the Economic Crime Division of the Council of Europe (Directorate General of Human Rights and Legal Affairs) within the framework of the global Project on Cybercrime, suggested the "Power of Disposal Approach". From a practical point of view, a regulation based on the power of disposal approach would make it feasible for law enforcement to access a suspect's data within the cloud. Law enforcement would only have to legally obtain the username and password combination and be able to prove that the additional requirements have been met. This type of approach certainly overcomes any legal issue, but a balance must be struck with the legitimate need for privacy and the rights of the suspect as well. Furthermore, this approach may not be easy to take, because many devices (particularly mobile ones) are protected through the use of DRM, which, in addition to preventing the installation of unauthorized software, provides a level of security that would make access through Trojan horses or other malicious software very complicated.

3. Another extremely sensitive issue in the cloud is data retention, since this is a key factor in facilitating investigation activities. The scope of Directive 2006/24/EC, however, is very well defined and, as such, limited. From an objective point of view, it is limited in scope, since it concerns only certain traffic and location data generated through the use of electronic communications. From a subjective point of view, it concerns only providers of publicly available electronic communications services or of a public communications network. This raises the question of who exactly the providers subject to these obligations are, and whether cloud providers are included in this definition.

4. These considerations, and the recent constitutional court rulings (Bulgaria 2008, Romania 2009, Germany 2010, Czech Republic 2011) which have declared the unconstitutionality of the directive on data retention, force us to rethink the system of data retention and regulation in the cloud and the provision of specific obligations for the different actors, in particular: a standardized data retention period across countries, or mutually agreed recognition principles so that the retention period applied is based on where the user's data is stored; standardized security standards; standardized and high-level data protection standards; and a rule of exceptionality of data retention, where proportionate and intended to protect important and dominant legal interests and the fight against serious crimes. The choice should be based on agreed criteria, but not just in Europe and between European States.

5. In this scenario, cloud computing is a perfect setting for the activities of cybercriminals. Recent reports confirm that cybercriminals are relying more on cloud computing models to carry out cyberattacks. Cybercriminals will either manipulate the connection to the cloud or attack the data center and the cloud itself. In fact, the cloud gathers traffic at centralized locations, allowing them to achieve critical mass for attacks. Well-organized cybercriminals can also easily harvest botnets via common cloud applications, which are not new but have become more prevalent in recent times, as users continue to let their guard down and network online with increasing speed.

6. Last but not least, we should not forget the difficulties that can be encountered in legal proceedings, where it is not always possible to obtain a clear validation of digital evidence. If, for example, digital evidence has been wiped by the user and the cloud-based system has also overwritten that portion of the hard disk, will the court be able to judge the corresponding digital evidence impartially and effectively (especially in criminal matters)?

III. Conclusions

There are many challenges posed by cloud forensics and just as many legal issues that will need to be addressed in the coming years.

On the technical side, with regard to Infrastructure as a Service, it can be assumed - without the same guarantees of success - that both traditional digital forensic solutions and cloud forensic tools will need to use the cloud as a discovery engine for rapid and accurate forensic investigations. This means that, although new approaches and systems must be developed, above all a strong working relationship needs to be developed with cloud providers.

On the legal side, the topic of data retention provides examples of the problems associated with jurisdiction. Faced with a total absence of regulations on data retention in the United States, at the European level a very different situation prevails: the latter features very strict regulation, even if this is controversial and not entirely applicable to cloud computing. To this must be added the procedural difficulty of successfully presenting cloud-based evidence in court in a way that is both admissible and reliable. This uncertainty can only encourage cybercrime and, above all, create a climate of distrust towards a technology that offers, apart from obvious cost savings, massive potential. If it is true that the law often lags behind technology, a reassessment of digital forensics is now essential and will need to be carried out, if possible, by lawyers and computer scientists working in collaboration.
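The deleted-data problem raised in Section I, item 6 (together with the tenant-segregation point in item 3) can be made concrete with a small simulation. This is an added example, not material from the workshop or from any of its participants: a toy multi-tenant block store in which deleting an object removes only its mapping, so that carving the raw volume still finds the bytes until the blocks are reused, while attributing a carved fragment to a tenant is only possible from a mapping captured in an earlier snapshot. The tenant names, object names, payloads and the `EVID:` marker are constructed for illustration, and the acquisition record with a SHA-256 digest stands in for the repeatable, documented handling that item 4 calls for.

```python
"""Added example (not from the workshop summary): a toy multi-tenant block
store showing why deleted cloud data is hard to recover and to attribute.
Deleting an object removes only its mapping; the bytes survive in the volume
and in any snapshot until the blocks are reused.  Tenants, object names and
payloads are constructed for illustration."""
import hashlib
import json

BLOCK = 16  # bytes per block; a constructed toy size


class BlockStore:
    """Shared volume plus a (tenant, object) -> blocks mapping, modelled on the
    behaviour the summary describes: unmapping is immediate, overwriting is eventual."""

    def __init__(self, nblocks):
        self.data = bytearray(nblocks * BLOCK)
        self.free = list(range(nblocks))   # allocation order: lowest index first
        self.mapping = {}                  # (tenant, name) -> [block indices]

    def write(self, tenant, name, payload):
        blocks = []
        for off in range(0, len(payload), BLOCK):
            idx = self.free.pop(0)
            chunk = payload[off:off + BLOCK].ljust(BLOCK, b"\0")
            self.data[idx * BLOCK:(idx + 1) * BLOCK] = chunk
            blocks.append(idx)
        self.mapping[(tenant, name)] = blocks

    def delete(self, tenant, name):
        """Remove the mapping only; the freed blocks go to the head of the free
        list, so the next write reuses (overwrites) them."""
        blocks = self.mapping.pop((tenant, name))
        self.free = blocks + self.free

    def snapshot(self):
        """Point-in-time copy of the raw bytes and of the mapping in force."""
        return {"data": bytes(self.data),
                "mapping": {k: list(v) for k, v in self.mapping.items()}}


def carve(data, marker):
    """Offsets of every occurrence of `marker` in the raw bytes, ignoring mappings."""
    hits, pos = [], data.find(marker)
    while pos != -1:
        hits.append(pos)
        pos = data.find(marker, pos + 1)
    return hits


def attribute(offset, mapping):
    """Owner (tenant, name) of the block at `offset` according to a mapping table;
    None when no mapping covers the block, as is the case after deletion."""
    block = offset // BLOCK
    for owner, blocks in mapping.items():
        if block in blocks:
            return owner
    return None


def acquire(snapshot, examiner):
    """Documented acquisition record: hash of the bytes plus the mapping
    inventory, so that a second examiner can repeat and verify the result."""
    digest = hashlib.sha256(snapshot["data"]).hexdigest()
    inventory = sorted(f"{t}/{n}:{b}" for (t, n), b in snapshot["mapping"].items())
    return {"examiner": examiner, "sha256": digest, "inventory": inventory}


def run_scenario():
    store = BlockStore(nblocks=8)
    store.write("tenant-a", "notes", b"EVID:alpha-contract-2011")  # blocks 0, 1
    store.write("tenant-b", "log", b"EVID:bravo-log-entry")        # blocks 2, 3
    before = store.snapshot()            # taken while tenant-a's mapping exists
    store.delete("tenant-a", "notes")    # mapping gone, bytes untouched
    after = store.snapshot()
    store.write("tenant-b", "scratch", b"X" * BLOCK)  # reuses block 0
    reused = store.snapshot()
    rec1, rec2 = acquire(before, "examiner-1"), acquire(before, "examiner-2")
    return {
        "carved_after_delete": carve(after["data"], b"EVID:"),       # [0, 32]
        "owner_after_delete": attribute(0, after["mapping"]),        # None
        "owner_from_prior_snapshot": attribute(0, before["mapping"]),  # tenant-a/notes
        "carved_after_reuse": carve(reused["data"], b"EVID:"),       # [32]
        "acquisition_repeatable": rec1["sha256"] == rec2["sha256"]
                                  and rec1["inventory"] == rec2["inventory"],
    }


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

Running the script shows the two sides of item 6 at once: the carver still finds tenant-a's deleted record in the post-deletion snapshot, but only the earlier snapshot's mapping can say whose it was, and once the block is reused the fragment is gone. The acquisition record is deliberately independent of who runs it, which is what makes the step repeatable and documentable in the sense item 4 requires.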