Cloud Computing Forensics: In The Criminal Mind

By Saron Messembe Obia

Information and communication technology have gone beyond the initial stage of security of the 1980s. Cloud computing system have emerged with new form of securing and storing data. Organizations are increasingly deploying their infrastructure into remote, virtual environments, often hosted and managed by third parties. This evolution has significant implications for digital forensic investigators, equipment vendors, law enforcement, as well as audit departments. Digital forensic investigation focuses on control and management of IT assets (data storage) in order to provide adequate evidence to the criminal justice system. This paper analyses the key aspects of cloud computing and expose limits of digital forensic procedures which invalidate certain criminal trends. The implementation of virtual security by third parties in infrastructures are strategic factor to digital forensic investigators, equipment vendors and law enforcement officers. 

Globalization period changed the dynamics of information and communication technology, with virtual services use for IT infrastructure security, because of the rapidly re-configuration and evolving requirements limiting the request for redundant services (hardware). It’s also worth noting that cloud computing reduces the costs of providing IT services, by eliminating redundant computing power and storage, reducing support requirements, as well as capital commitment reduction. Organizations have a gain 37% cost if the migrate their IT infrastructure from an outsourced data-center to the Amazon Cloud (Khajeh-Hosseini, Greenwood, & Sommerville, 2010). Critical to point out security breach during the past decade have been alarming, with private data sold in the dark market by hackers.

The past decade has recorded several internet crimes; from organizational security breaches, cyber-attacks or policy violations occur, necessary for conducting digital forensic investigation. However, the practice (digital forensic) or principles, frameworks, and tools are limited to off-line investigation. In modern era assumption is critical to criminal investigations, considering that the storage media under investigation might have incriminating data is not usually the case after the investigator screens the gadget. But with investigations related to cloud computing is challenging, for evidence is likely to be ephemeral and stored on media beyond.

Digital Forensics in Cloud Computing

Each year millions of cyber security experts graduate from universities, some work for private and public organizations, while others work for the underworld, thereby raising several challenges in analyses in criminal investigations as well as existing models of digital forensics. The discussion will be focus on Intrusion Detection Systems (DIP) model which provides a comprehensive review of digital forensic process, and structural impact of cloud forensics on this process. It shall explore three different aspects in cloud computing forensic investigation; identification, preservation and collection of data and storage capacity.

Identification

Usually assumed to be simple by law enforcement officers and auxiliary of the criminal justice system, the shift from tradition patterns in the field of IT-specific crimes is challenging. Identification is one of the preliminary aspect for investigators engage in forensics is deduced from complaints made by individuals, anomalies detected by Intrusion Detection Systems (IDS), monitoring and profiling. The identification phase focuses and explore detection of suspicious search in a cloud and the form of cloud services (SaaS, PaaS or IaaS) used. Several researchers have argued on the fascinating result which can be gotten form the deployment of conventional intrusion detection systems in a cloud (Roschke, Cheng, & Meinel, 2009; Vieira, Schulter, Westphall, & Westphall, 2010) such as Infrastructure as a Service (IaaS) clouds (for user), Software as a Service (SaaS) and Platform as a Service (PaaS) clouds (for service provider). Private cloud infrastructure providers can tune IDS for particular suite of services deployed which meets an organization’s needs (G. Grispos, T. Storer, and W.B. Glisson, 2012). Public clouds usually operate with a multi-layered strategy, as users can monitor suspicious events occurring with the services they are using. Providers can monitor the underlying infrastructure used to host the cloud, and therefore detect much larger attacks that could affect a much larger audience.

Collection and Preservation of Data

One of the major aspect for the criminal justice system to render judgement is the acquisition of data (evidence) through scientific patterns. Digital forensic investigator is usually concern with data collection from computer-based systems and other device like android phones which constitute evidence for criminal proceedings. International and regional convention and standard have been put forth for forensic investigation by states, such as the Daubert principles (Marsico, 2004), which prone that forensic evidence must be testable, and the methods used for the acquisition of evidence be repeatable. The most used model for data is the DIP model; it defines activities prior to data collection to ensure the integrity of data throughout the investigation life cycle, which necessitates evidence (data from a computer) to be accurately represented. Though several aspects of the preservation phase are affected by the use of a cloud environment.

Storage Capacity

In conventional investigations, one of the major issue is the preservation of evidence and availability of a secure storage capacity or device for the data gathered to be archived. Billions of devices are connected to the internet and also offline within a particular period, as such data gathered during forensic investigations, is increasingly challenging for investigators to extract evidence (Richard & Roussev, 2006; Roussev, Wang, Richard, & Marziale, 2009; Sommer, 2004). This increase warrants extra finance for investigators with the responsibility to store and curate the data, not ignoring time required to examine it. The use of cloud environments may limit the problem of data storage to an extent. It is usually challenging for some investigators to gather extremely large amount of data placed in a cloud by a user. The use of public cloud o store evidence by investigators can limit some criminals issues, due to the legal and technical challenges involve. Challenges relating to data protection and privacy which limits investigations, and has impact on evidence stored in the cloud. 

Simulating a criminal case; case of Mr. Y

The globalization period has led to the evolution of technology, systems formerly Mac OS, Android and iOS built from Microsoft Windows are being neglected as new computers and laptops switch to Apple systems, and to Android and Apple iOS operating systems for mobile devices. Several legal prescriptions have been endorsed in relation to mobile phone forensics, there are many unknowns related to investigations and even challenging. An example is the San Bernardino case in United States of America. Criminal patterns keep changing as software are develop each minute in the world. Encryption-by-default is another aspect which have redefined sociology of crimes in the digital age, as storing data with an encryption and creating network connections that use secure tunnels can be established by anyone. At this stage the paper will be simulating a criminal pattern in relation to a conventional forensic investigation, in order to establish and maintain a chain of custody for evidence:

Digital Image Acquisition

Cybercriminals think far beyond law enforcement officers, most images used to perpetrate crimes are usually not that of the criminal. In sub Saharan Africa, a lot still need to be done in relation of identification, slow pace of biometric identification, staff dishonesty and double registration are just the aspect of inadequate training of law enforcement officers engaged in the identification process. The narrative exposed by Association of Chief Police Officers & 7Safe, 2007; Palmer, 2001 in relation of an investigator gaining control of the cloud service to obtain accurate copy of data held by a service analysis remains a myth even with the Investigative Process Model (DIP Model) and Association of Chief Police Officers (ACPO) guidelines. 

The investigator usually exploits a storage device by connecting to their own computer via a write blocker as shown. Software such as Access Data’s FTK Imagerv or the open-source tool ddvi are used to extract images from device. In case of multiple copies of the image are taken, digital hashes of each image is been verified whether the source image has been compromised. Extracting evidence from a cloud environment is highly challenging to investigators, due to persistent memory acquisition software and a client computer may provide minimal data. During a field survey in 2018, research probed that most criminals, after operation sell their devices in the black market, thereby re-orientating criminal investigations and even putting the third party (person that purchase a criminal gadget in the dark market) in to problems. It was discovered that most criminals use images, gotten from social networking sites, operate with it and store in cloud and can been retrieved with any other device bought. For example, Google File System (GFS) use to store customer data in the cloud (Ghemawat, Gobioff, & Leung, 2003). The system is a “multi-tenant distributed” file system which store personal or organizational data in several physical locations (Google, 2010). But there are several its inevitable that methods employed allows only a partial recovery of data from any one physical device, which is critical forensic principles and incomplete data can compromise investigation (Carrier & Spafford, 2004).

Cybercriminal investigators should avoid assuming on certain digital material. Each second there is a computer breach in the world, be it financial institutions, security agencies, hospitals and even social networking sites. Such breach is usually related to privacy (stolen data of person or entity), despite data protection legislation. However, an investigator to scan a memory card, hard drive or cached of a user’s computer during interactions with cloud services. He must locate and arrest the individual, take his machine for proper investigation, relaying on digital image used by criminals is not usually quite sustainable, as some after several ‘hits’, damage the hard drive after formatting and sell the parts of the computer in the dark market. 

Deleted Data

Criminals continue to gain momentum with the help of crackers, who help bypass certain security protocols in order to secure and limit gadgets from being traced. Notwithstanding, is necessary to point out that cloud could assist and as well hamper security attempts to recover data that have been deleted by the suspect. In a field survey of some suspects engaged in non-conventional crimes, revealed that most are intellectuals, some have even university degrees in IT and law, as such no material evidence is neglected, as hard drive or USB flash drive, which a suspect has physical access are usually damage after several hits. In conventional investigations, data that a user has attempt to delete is usually crucial for criminal justice system to render judgement. Even in cloud computing, recovery of deleted data challenging, and user privacy is also a priority with certain providers (Google, 2010). For example, Google’s policy regarding deleted data is challenging to the criminal justice system, once a user deletes their data from Google Services, that data is equally deleted from both active and replication servers, making tracing deleted data extremely difficult.

Cross-Organizational Cooperation

A thesis on ‘cyber criminality as an emergent security challenge in Cameroon’ at the pan African institute for development west Africa, revealed three aspects in policing  white collar crimes; cyber warrior team (constitute hackers and criminal profilers vest with cybercriminal patterns and language), cooperation amongst expert, law enforcement through trainings and research and helping victims to properly lay their complaint (some have not gone through formal education and others sometimes threaten by the way an agent talk them). Cross-organizational cooperation in this study simply refer to collaboration amongst the different security units and experts in relation to evidence gathering from cloud environments. Most investigator usually have difficulty in working the ‘experience’ cloud provider’s employees assigned to assist the investigation, particularly if the protocols adopted within the organization are not directly comparable to those of the investigator.

 Most cloud providers use of proprietary technologies in order to facilitate investigation. Most GFS are considered proprietary business information. Investigators may require the cooperation of cloud providers to locate evidence. But reliability and quality of the chain of custody may be insufficient for the investigator’s purposes. It necessary for cloud providers to recruit individuals within their organization, trained and qualified to perform forensic investigations if need arise or in case of any national and international security menace. Investigation will quickly yield result, because most investigators overwhelmed with the range and number of the devices that are connected and need to be investigated. However, this process is challenging for several reasons, the major privacy.

With the numerous challenges in the field of security, Cloud Computing continue to be solicited by some companies because of limited budgets for security resources. However, cloud computing forensics still have loopholes, such as; the loss of control caused by Cloud environments and vendors presents a huge challenge for investigators. First, computer forensic community specialize in digital forensics have to be revised and adapted to modern trends. Law enforcement officers (forensic investigators) must be trained in order to easily reconstitute criminal scenarios and test hypothesizes. Cloud Computing Forensics is not possible anymore following new criminal patterns challenging international, regional and national security organizations.

Reference

Carrier, B., & Spafford, E. H. (2003). Getting physical with the digital investigation process.International Journal of Digital Evidence, 2(2).

Carrier, B., & Spafford, E. H. (2004). An Event-based Digital Forensic Investigation Framework. Paper presented at the Digital Forensic Research Workshop 2004, Baltimore, Maryland.

G. Grispos, T. Storer, and W.B. Glisson (2012). Calm Before the Storm: The Challenges of Cloud Computing in Digital Forensics. International Journal of Digital Crime and Forensics, Volume 4, Issue 2, Pages 28-48

Ghemawat, S., Gobioff, H., & Leung, S. T. (2003). The Google File System. Paper presented at the 19^th ACM Symposium on Operating Systems Principles, Bolton Landing, New York, USA.

Google. (2010). Google Apps Messaging and Collaboration Products. Google Security White paper Retrieved February 2, 2012, from

http://static.googleusercontent.com/external_content/untrusted_dlcp/www.google.com/en//a/help/intl/en-GB/admins/pdf/ds_gsa_apps_whitepaper_0207.pdf

Google. (2011). Message Security for Google Apps: Administration Guide. Google White PaperRetrieved February 2, 2012, from

https://acs9.postini.com/help/admin_msd/administration_msd.pdf

Khajeh-Hosseini, A., Greenwood, D., & Sommerville, I. (2010). Cloud Migration: A Case Study of Migrating an Enterprise IT System to IaaS. Paper presented at the IEEE International Conference on Cloud Computing, CLOUD 2010, Miami, FL, USA.

Roussev, V., Wang, L., Richard, G., & Marziale, L. (2009). A Cloud Computing Platform for Large-ScaleForensic Computing. Paper presented at the Advances in Digital Forensics V, 5th IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA.

Sommer, P. (2004). The Challenges of Large Computer Evidence Cases. Digital Investigation, 1(1), 16-17.

( The Author is the Editor of crimeandmoreworld.com)

• Report Warns,Climate Change Set to Cut Average Income by 19%
• Timor-Leste Seeks Economic Lifeline as Oil Wealth Dwindles
• South Africa Prepares to End Lion Hunting in Captivity
• UN Secretary-General Meets with Working Group on Discrimination Against Women and Girls
• On Both US Coasts,Pro Palestinian Encampment Protesters Hold Ground

Subscribe Our You Tube Channel