As cloud computing becomes more widespread, its use in criminal activity will likely grow. Authorities will need better forensic tools if they're going to extract evidence from cloud-based environments.
Cloud services are relatively new, insofar as use by the general public for storage is concerned, said Martin Novak, physical scientist at the National Institute of Justice (NIJ). Over time, it's expected that clouds will contain more and more evidence of criminal activity. To help extract that evidence, the Department of Justice's research arm, the NIJ, recently revealed plans to fund research into improved electronic forensics in several areas, including the cloud.
There is a paucity of case law specific to forensics as applied to cloud computing.
Martin Novak, physical scientist at the National Institute of Justice (NIJ)
Over time, the use of digital evidence in criminal and civil matters will continue to expand. Cloud providers and customers need to set up their infrastructures to meet these lawful requests or face fines and other legal repercussions. Furthermore, they need to do so without violating local privacy laws or accidentally giving away competitive secrets.
Swamped by justice
The demands of cloud forensics could prove costly as lawsuits and investigations become more complex. A 2009 study by McKinsey & Company found that electronic discovery requests were growing by 50% annually. This is mirrored by a growth in e-discovery spending from $2.7 billion in 2007 to $4.6 billion in 2010, according to a Socha Consulting LLC survey.
In the U.S., courts are becoming insistent on the need for systems to gather and preserve digital evidence. In early 2010, Judge Shira Scheindlin imposed sanctions on 13 parties that neglected to meet discovery obligations. She wrote, "Courts cannot and do not expect that any party can meet a standard of perfection. Nonetheless, the courts have a right to expect that litigants and counsel will take the necessary steps to ensure that relevant records are preserved when litigation is reasonably anticipated and that such records are collected, reviewed and produced to the opposing party."
The U.S. government has also attempted to expand the scope of data that can be lawfully requested without a warrant through a National Security Letter (NSL). In August, the Obama administration requested to add "electronic communication transaction records" to the data included in an NSL, which would require providers to include the addresses a user has emailed, the times and dates of transactions, and possibly a user's browser history. This will create a need to ensure that the provider's infrastructure can deliver on these requests in a timely manner.
The trouble with cloud forensics
"Cloud forensics is difficult because there are challenges with multi-tenant hosting, synchronization problems and techniques for segregating the data in the logs," said Keyun Ruan, a PhD candidate at the Centre for Cyber Crime Investigation in Ireland. "Right now, most of the cloud service providers are not open to talking about this because they don't know the issue ."
Traditional computer forensics must address the following steps: Collection of media at the crime scene or location where the media was seized; preservation of that media; and validation, analysis, interpretation, documentation and courtroom presentation of the results of the examination. In traditional computer forensics, the evidence contained within the media is within the control of law enforcement from the moment of seizure. Assuming that the cloud in question is within the United States, the forensic challenges raised by cloud computing are related to control of the evidence, including collection, preservation and validation.
"With cloud computing, law enforcement does not have physical control of the media nor the network on which it resides," Novak said. "Many users will have access to a particular cloud. How does law enforcement seize only that portion of the media where the evidence may exist? How will they know if they have gotten everything that they will need during the analysis, interpretation, documentation and presentation phases?"
Another challenge comes from the massive databases used in customer relationship management systems and social graphs that current forensics cannot address.
At the moment, investigators rely on traditional evidence-gathering methods while documenting the steps taken by law enforcement during the seizure and examination phases. "While this approach might suffice in some cases," Novak said, "there is a paucity of case law specific to forensics as applied to cloud computing ."
The non-localized nature of cloud computing will also usher in a debate about jurisdiction. As Novak noted, "One of the long-term issues related to cloud computing are those clouds that physically exist on a foreign server. What legal jurisdiction does law enforcement have in these cases? Do they have jurisdiction at all? Will the country in question be cooperative in terms of obtaining evidence?"
Developing a cloud forensics strategy
Organizations face numerous federal and state laws relating to the preservation of information related to taxes, securities and employment regulation. At the same time, they need to maintain compliance with other laws relating to the destruction of information that is no longer needed.
Cloud computing also raises new questions about who owns the data and the customer's expectations of privacy. Laws vary on the legal protections regarding data in the cloud from country to country. "We need to make a list of comparisons about privacy and how to deal with confidential data," Ruan said.
Most of the cloud service providers are not open to talking about [cloud forensics] because they don't know the issue.
Keyun Ruan, PhD candidate at the Centre for Cyber Crime Investigation in Ireland
The case law around expectations of cloud privacy is still in its early stages. But in the recent case of State vs. Bellar, Oregon Court of Appeals Judge Timothy Sercombe wrote, "Nor are a person's privacy rights in electronically stored personal information lost because that data is retained in a medium owned by another. Again, in a practical sense, our social norms are evolving away from the storage of personal data on computer hard drives to retention of that information in the 'cloud,' on servers owned by Internet service providers. That information can then be generated and accessed by hand-carried personal computing devices. I suspect that most citizens would regard that data as no less confidential or private because it was stored on a server owned by someone else."
In the long run, new cloud-based electronic discovery tools might help to keep these costs down. Companies including Orange, Autonomy, Clearwell and Kazeon have launched hosted services for collecting, preserving and analyzing digital evidence. Gartner research director Debra Logan said she expects that many corporations will start investing in e-discovery infrastructure and that, by 2012, companies without this infrastructure will spend 33% more to meet these requests.
The complex nature of cloud computing may lead to specialization. Bill Jeitner, CEO of BK Forensics, said, "Cloud forensics will be closer to a medical field analogy where you will have a general forensics practitioner and there will be different areas of cloud computing."
But like any tool, investigators want to get the most benefit at the least cost.
"You have to think in conjunction with other tools," Jeitner explained. "You are not going to do an analysis for thousands of dollars when you can get that same information easier. You don't go into everything 100%; you look at what you need to solve the crime."
GEORGE LAWTON'S BIO:
George Lawton is a journalist based near San Francisco, Calif. Over the last 15 years he has written over 2,000 stories for publications about computers, communications, knowledge management, business, health and other areas which interest him. Find out more at glawton.com.
This was first published in January 2011