
2 May 2011 – WORKSHOP – The Death Of Computer Forensics: Digital Forensics After the Singularity

Workshop participants: Cory Altheide (Google), Carlo Blengino (Lawyer), Francesca Bosco (UNICRI – Project Officer, Emerging Crimes Unit), Elia Florio (Data Protection Authority), Roberto Flor (University of Verona – Faculty of Law), Davide Gabrini (Postal Police), Rodrigo Rodriguez (ATOS Research), Monica Senor (Lawyer). Moderators were: Giuseppe Vaciago (University of Milan – Faculty of Law) and Stefano Zanero (Politecnico di Milano).

Summary of the Workshop (Giuseppe Vaciago)

I. Technical Challenges of Cloud Forensics
II. Legal Challenges of Cloud Forensics
III. Conclusions

***

The lecture by Cory Altheide [1] also served as an opportunity to organize a workshop in which lawyers, computer scientists, policy makers and members of law enforcement met to discuss the future of digital forensics in the cloud and to define the challenges that this technology will face in the coming years.

[1] Cory Altheide has nine years of information security, forensics and incident investigation experience. Cory worked at IBM, Google and the National Nuclear Security Administration (NNSA). At IBM, Mr. Altheide performed emergency computer security response for clients ranging from international banks to defense contractors to Fortune 500 retailers. At Google, he managed the response to numerous incidents, ranging from externally reported cross-site scripting vulnerabilities in Google properties to compromised systems and extortion attempts. Prior to joining Google, Mr. Altheide was the Senior Network Forensics Specialist in the National Nuclear Security Administration's Information Assurance Response Center (NNSA IARC). Mr. Altheide has authored two original research papers for the computer forensics journal "Digital Investigation" and co-authored the "Handbook of Digital Forensics and Investigation" (2009). He holds the SANS GCIH and GCFA certifications.

A number of technical and legal considerations emerged, and these will serve as the basis for a paper that the Polytechnic of Milan and the University of Milan Bicocca are due to draft in the coming months. Below is a brief summary of the matters of interest that emerged during the workshop.

I. Technical Challenges of Cloud Forensics

1. Although it has become clear that computer forensics, the practical analysis of digital data following the acquisition of a bit-stream image of a suspect's hard disk, suffered a setback with the wide adoption of mobile devices and the increasing use of flash memory and encryption systems, it is undoubtedly also the case that it experienced a fundamental change due to the incredible expansion of cloud computing systems.

2. In order to arrive at this "dramatic" conclusion, we need to start with the definition of cloud computing devised by NIST: "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable resources (eg, networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal effort or management service provider interaction." Cloud computing has five essential characteristics, i.e., on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service. It has three service models, i.e., Cloud Software as a Service (SaaS), Cloud Platform as a Service (PaaS) and

Cloud Infrastructure as a Service (IaaS). And it has four deployment models, i.e., private cloud, community cloud, public cloud and hybrid cloud" (Mell and Grance, 2009).

3. The various types of service or deployment models described above pose an initial problem, insofar as they require the use of specialized cloud forensic techniques that are extremely different from one another: depending on the cloud service model involved, the tools and procedures used to collect forensic data also differ (e.g., in public clouds, provider-side artifacts need to be segregated among multiple tenants, whereas in private clouds there is no such need).

4. But this is just the beginning: in digital forensics the key processes and techniques require that the software be tested and checked, and that the operations performed on digital evidence be repeatable and documented. It is possible to divide classic digital forensics into three scenarios:

A. Data at rest (traditional computer forensics, e.g. disk imaging)
B. Data in transit (network forensics)
C. Data in execution (live or memory forensics)

If we transpose this same breakdown to cloud computing, we notice immediately that data at rest does not reside on the device, except for the few traces that can be found in the cache or in temporary files; that data in transit cannot be easily analyzed, because the major cloud providers encrypt all traffic to keep each cloud instance secure from neighboring threats; while this reduces the risk of illegal interception and of tampering, it also makes the work of legitimate investigators more difficult. Finally, any data in execution will be present only in the cloud instance, and it will be equally difficult to exploit this during an investigation.

5. It is clear that the most difficult challenge is posed by the loss of data control: virtualization is one of the key elements in the implementation of cloud services, while in most cases investigators require evidence to be obtained from physical devices. Furthermore, data from the cloud only makes sense when interpreted using the appropriate cloud communication protocols. The investigator who wants to capture the bit-stream data of a given suspect image will be in the same situation as someone who has to complete a jigsaw puzzle whose pieces are scattered randomly across the globe. But that's not all: even if it were possible to reconstruct the image, the investigator would never be able to validate it "beyond a reasonable doubt" in the same way as would be possible with a physical hard drive.

6. Finally, in traditional computer forensics recovered deleted data is an important source of evidence, and so it is in the cloud as well. With cloud providers, the right to alter or delete the original snapshot is explicitly reserved for the user that created the volume. When item and attribute data are deleted within a domain, removal of the mapping within the domain starts immediately, and is also generally complete within seconds. Once the mapping is removed, there is no remote access to the deleted data. It is likely that the storage space will be overwritten by newly stored data. However, some deleted data might still be present in the snapshot after deletion. The challenge is then: how to recover deleted data, identify the ownership of deleted data, and use deleted data as a source of event reconstruction in the cloud? (Keyun Ruan, Prof. Joe Carthy, Prof. Tahar Kechadi, Mark Crosbie, "Cloud forensics: An overview", Digital Forensics, Vol. 7, Springer.)

II. Legal Challenges of Cloud Forensics

1. The "loss of location" of digital evidence in the cloud world creates problems of jurisdiction. Over the last few years, various approaches have been offered to solve this problem. The traditional approach is the territorial principle, by virtue of which the Court of the place where the data is located has jurisdiction (Art. 32, Convention on Cybercrime). This approach essentially prohibits any type of investigation, because even the cloud provider might not know exactly where the data is located. Another approach is the nationality principle, by virtue of which the nationality of the perpetrator is the factor used to establish criminal jurisdiction. This principle imposes certain restrictions, since the perpetrators in a cybercrime case might easily be foreign nationals, given that cybercrime is generally transnational and there is no need for physical proximity. Furthermore, data does not have a nationality, as nationality is an attribute of an individual. A third approach is the "flag principle", which basically states that crimes committed on ships, aircraft and spacecraft are subject to the jurisdiction of the flag state, regardless of their location at the time of the crime (art. 22, Convention on Cybercrime). Since digital data is constantly changing, this principle also seems to be applicable to the cloud world. However, to potentially apply this to the cloud computing scenario, we must remember that clouds might not be the actual place where the crime was committed, and that this principle could motivate cybercriminals to select a cloud computing provider under a "pirate flag".

2. A recent discussion paper, prepared by Jan Spoenle for the Economic Crime Division of the Council of Europe (Directorate General of Human Rights and Legal Affairs) within the framework of the global Project on Cybercrime, suggested the "Power of Disposal Approach". From a practical point of view, a regulation based on the power of disposal approach would make it feasible for law enforcement to access a suspect's data within the cloud. Law enforcement would only have to legally obtain the username and password combination and be able to prove that additional requirements have been met.

This type of approach certainly overcomes any legal issue, but a balance must be struck with the legitimate need for privacy and the rights of the suspect as well. Furthermore, this approach may not be easy to take, because many devices (particularly mobile ones) are protected through the use of DRM, which, in addition to preventing the installation of unauthorized software, provides a level of security that would make access through Trojan horses or other malicious software very complicated.

3. Another extremely sensitive issue in the cloud is data retention, since this is a key factor in the facilitation of investigation activities. The scope of Directive 2006/24/EC, however, is very well defined and, as such, limited. From an objective point of view, it is limited in scope, since it concerns only certain traffic and location data generated through the use of electronic communications. From a subjective point of view, it concerns only providers of publicly available electronic communications services or of a public communications network. This begs the question of who exactly are the providers subject to these obligations, and whether cloud providers are included in this definition.

4. These considerations and recent constitutional court rulings (Bulgaria 2008, Romania 2009, Germany 2010, Czech Republic 2011), which have declared the unconstitutionality of the directive on data retention, force us to rethink the system of data retention and regulation in the cloud and the provision of specific obligations for the different actors, in particular: a standardized data retention period across countries, or mutually agreed recognition principles so that the retention period applied is based on where the user's data is stored; standardized security standards; standardized and high-level data protection standards; and a rule of exceptionality of data retention, where proportionate and intended to protect important and dominant legal interests and in the fight against serious crimes. The choice should be based on agreed criteria, but not just in Europe and between European States.

5. In this scenario, cloud computing is a perfect setting for the activities of cybercriminals. Recent reports confirm that cybercriminals are relying more on cloud computing models to carry out cyberattacks. Cybercriminals will either be manipulating the connection to the cloud, or attacking the data center and the cloud itself. In fact, the cloud gathers traffic at centralized locations, allowing them to achieve critical mass for attacks. Well-organized cybercriminals can also easily harvest botnets via common cloud applications, which are not new but have become more prevalent in recent times, as users continue to let their guard down and network online with increasing speed.

6. Last but not least, we should not forget the difficulties that can be encountered in legal proceedings, where it is not always possible to obtain a clear validation of digital evidence. If, for example, digital evidence has been wiped by the user and the cloud-based system has also overwritten that portion of the hard disk, will the court be able to judge the corresponding digital evidence impartially and effectively (especially in criminal matters)?

III. Conclusions

There are many challenges posed by cloud forensics, and just as many legal issues that will need to be addressed in the coming years.


On the technical side, with regard to Infrastructure as a Service, it can be assumed, without the same guarantees of success, that both traditional digital forensic solutions and cloud forensic tools will need to use the cloud as a discovery engine for rapid and accurate forensic investigations. This means that, although new approaches and systems must be developed, above all a strong working relationship needs to be developed with cloud providers.

On the legal side, the topic of data retention provides examples of the problems associated with jurisdiction. Faced with a total absence of regulations on data retention in the United States, a very different situation prevails at the European level: the latter features very strict regulation, even if this is controversial and not entirely applicable to cloud computing. To this must be added the procedural difficulty of successfully presenting cloud-based evidence in court in a way that is both admissible and reliable. This uncertainty can only encourage cybercrime and, above all, create a climate of distrust towards a technology that offers, apart from obvious cost savings, massive potential. If it is true that the law often lags behind technology, a reassessment of digital forensics is now essential and will need to be carried out, if possible, by lawyers and computer scientists working in collaboration.
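As an added illustration of the deletion behaviour discussed in section I, item 6 (this is not part of the workshop summary and not any provider's actual storage implementation): a toy Python model of a storage domain in which deleting an item removes only its mapping, freed space is reused by later writes, and an earlier snapshot is the only place from which a deleted item, its content and its owner can still be recovered. All tenant names, item names and contents are constructed.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Snapshot:
    """Point-in-time copy of a domain: item->block mapping, owners and raw blocks."""
    mapping: dict
    owner_of: dict
    blocks: list


@dataclass
class Domain:
    """Toy storage domain (constructed model, not a real provider's storage layer)."""
    mapping: dict = field(default_factory=dict)   # item name -> block index
    owner_of: dict = field(default_factory=dict)  # item name -> tenant that wrote it
    blocks: list = field(default_factory=list)    # raw block contents
    freed: list = field(default_factory=list)     # block indices whose mapping was removed

    def put(self, owner, item, data):
        # Freed space is reused first, so deleted content is the first to be overwritten.
        if self.freed:
            idx = self.freed.pop(0)
            self.blocks[idx] = data
        else:
            self.blocks.append(data)
            idx = len(self.blocks) - 1
        self.mapping[item] = idx
        self.owner_of[item] = owner
        return idx

    def delete(self, item):
        # Only the mapping is removed (immediately); the block itself is left untouched,
        # but without the mapping there is no longer any remote access to it.
        self.freed.append(self.mapping.pop(item))
        self.owner_of.pop(item)

    def snapshot(self):
        return Snapshot(dict(self.mapping), dict(self.owner_of), list(self.blocks))


def recover_deleted(snap, live):
    """Items mapped in the snapshot but no longer mapped in the live domain.

    For each one: the owner recorded at snapshot time, the content preserved in the
    snapshot, its SHA-256 (so the recovered content can be validated later), and
    whether the live block still holds that content or has already been overwritten.
    """
    found = {}
    for item, idx in snap.mapping.items():
        if item in live.mapping:
            continue
        data = snap.blocks[idx]
        found[item] = {
            "owner": snap.owner_of[item],
            "data": data,
            "sha256": hashlib.sha256(data).hexdigest(),
            "still_on_live_volume": idx < len(live.blocks) and live.blocks[idx] == data,
        }
    return found


def demo():
    dom = Domain()
    dom.put("tenant-a", "ledger.txt", b"transfer 500 to account X")  # constructed
    dom.put("tenant-b", "notes.txt", b"meeting at 10")                # constructed
    snap = dom.snapshot()         # snapshot taken before any deletion
    dom.delete("ledger.txt")      # mapping removed; block 0 becomes reusable
    dom.put("tenant-b", "photo.jpg", b"\xff\xd8\xff" + b"\x00" * 16)  # reuses block 0
    dom.delete("notes.txt")       # mapping removed, block 1 not yet reused
    return recover_deleted(snap, dom)
```

Had the snapshot been taken after the deletions, `recover_deleted` would find nothing: in this model, recovery and ownership attribution depend entirely on when the snapshot was taken and on whether the freed block has been reused since.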