Legal Process and Requirements for Cloud Forensic Investigations

For the emerging field of cloud forensics, the development of validated and repeatable scientific processes for conducting cloud forensic investigations should include requirements that establish evidence collected as legally admissible. There is currently an uncertainty in the legal requirements for cloud forensics. Forensic investigations in the cloud introduce unique issues that must be addressed, and the legal environment of the cloud must be considered. The authors will detail the process in criminal cloud forensic investigations for commanding production from cloud providers including constitutional and statutory limitations, and the civil and criminal admissibility processes. Decisions in court cases rely on the authenticity and reliability of the evidence presented. Ensuring cases involving cloud forensics follow the proper legal process and requirements will be beneficial for validating evidence when presented in court. Further, understanding of legal requirements will aid in the research and development of cloud forensics tools to aid investigations.

Challenges to Digital Forensic Evidence in the Cloud

Digital forensic evidence is subject to a variety of challenges, and these challenges apply in the Cloud as anywhere else. This chapter is an overview of these issues specifically oriented toward the Cloud Computing environments of today.

A Forensic-as-a-Service Delivery Platform for Law Enforcement Agencies

With the global diffusion of cybercrime, the ever-growing market penetration of high-performance and low-cost personal digital devices, and the commercial success of cloud computing, the area of digital forensics is faced with various new challenges that must be taken seriously. In this chapter, the authors describe a novel approach to digital investigations based on the emerging “Forensics as a Service” (FaaS) model. This model attempts to optimize Law Enforcement Agency’s (LEA) forensic procedures, reduce complexity, and save operational costs. Inspired by previous work on distributed computing for forensic analysis, this chapter provides the reader with design guidelines of a FaaS platform for secure service delivery. The proposed FaaS platform should be able to support investigators and practitioners in their daily tasks (e.g. digital evidence examination, analysis, and reporting) once implemented by a cloud forensic provider or internally by a LEA. In this chapter, the authors also present the architecture components, interfaces, communication protocols, functional and non-functional requirements, as well as security specifications of the proposed framework in detail.

Forensics as a Service

Cloud computing as a paradigm shift is transforming how services are being delivered. In this chapter, the authors present a Forensics as a Service (FaaS) model using cloud computing to deliver forensic services. This model leverages the flexibility, elasticity, and dynamics of cloud computing, and is affordable for business, government, or individuals in need, due to its reduced cost. It also addresses the challenge of processing a large volume of forensic data by using MapReduce and distributed computing.

Forensics as a Service

In today’s dynamic information technology system, one area of tremendous focus and recent growth has been that of the cloud-computing model in its various offerings. With this growth, however, come new challenges within the realms of e-discovery and digital forensics, as we traditionally know it. The rapid growth of cloud-computing services and the rate of acceptance and use by consumers are on the rise. Conversely, both legitimate and illegitimate activates can leverage the resources of the cloud to execute their operations. With the challenges growing to combat computer crime that utilizes the cloud ecosystem and the ease of which a criminal activity may be hidden using a cloud service, it is imperative that a cloud provider dedicate time, training, budget, and other resources to provide the facility for forensic investigators as well as law enforcement to combat this threat. The Cloud-Forensics-as-a-Service (FRaaS) model introduced later in this chapter can provide a comprehensive cloud forensics solution for creating a repeatable system. Such a system could be implemented as a standard forensics operational model for deployment within the cloud ecosystem regardless of environments and client service lines.

Data Recovery Strategies for Cloud Environments

Data acquisition and data recovery are essential to any e-discovery or digital forensic process. However, these two aspects seem to be considerably difficult in a cloud-computing environment. The very nature of the Cloud raises a number of technical and organizational challenges, which renders traditional approaches and tools inapplicable. Resource pooling, rapid elasticity, and geographical distribution of data are only a small part of the Cloud’s features that hinder the forensic investigation. At the same time, there is significant absence of forensic readiness in cloud computing policy framework. In this chapter, the authors discuss the challenges pertaining to data acquisition in a cloud environment and discuss possible directions for meeting these challenges by presenting representative cases and sketching acquisition process and scenarios.

Digital Forensic Investigation and Cloud Computing

This chapter aims to be a high-level introduction into the fundamental concepts of both digital forensic investigations and cloud computing for non-experts in one or both areas. Once fundamental concepts are established, this work begins to examine cloud computing security-related questions, specifically how past security challenges are inherited or solved by cloud computing models, as well as new security challenges that are unique to cloud environments. Next, an analysis is given of the challenges and opportunities cloud computing brings to digital forensic investigations. Finally, the Integrated Digital Investigation Process model is used as a guide to illustrate considerations and challenges during an investigation involving cloud environments.

Compliance in the Cloud and the Implications on Electronic Discovery

Cloud Computing will be a disruptive technology that will ultimately change the face of computing with a market approaching $300 billion over the next five years, according to recent study from the Market Intel Group (Mathews, 2010). The unstoppable migration of data to the Cloud is undoubtedly due to numerous financial benefits, particularly for small and medium-sized companies, which historically do not have the same capital budgets as larger enterprises. However, this boundless upside is not without risks from a legal and compliance perspective, making it all that more important for entities to look before they leap. Today, nearly every corporation is required to preserve and produce Electronically Stored Information (ESI), such as emails and other electronic documents, as part of their response to litigation, regulatory inquiries, and subpoenas. When the subject ESI happens to be stored in the Cloud, there are a handful of potential obstacles that serve to complicate the eDiscovery process. For some, this leads to sanctions and increased compliance risks. In order to navigate these potentially treacherous waters, organizations need to be proactive and follow a “measure twice, cut once” approach. This chapter will discuss the basics of eDiscovery and explore ways to minimize potential compliance hurdles when migrating significant data stores to/from the Cloud.

Seizing Electronic Evidence from Cloud Computing Environments

Despite a growing adoption of cloud computing, law enforcement and the judicial system are unprepared to prosecute cloud-based crimes. This chapter illuminates legal problems in the United States for electronic discovery and digital forensics arising from cloud computing and argues that cloud computing challenges the process and product of electronic discovery. The researchers investigate how to obtain forensic evidence from cloud computing using the legal process by surveying the existing statues and recent cases applicable to cloud forensics. A hypothetical case study of child pornography being hosted in the Cloud illustrates the difficulty in acquiring evidence for cloud-related crimes. For the first time, a sample search warrant is presented that could be used in this case study, and which provides sample language for agents and prosecutors who wish to obtain a warrant authorizing the search and seizure of data from cloud computing environments. The chapter concludes by taking a contrasting view and discusses how defense attorneys might be able to challenge cloud-derived evidence in court.

Security Architecture and Forensic Awareness in Virtualized Environments

Just about every technology magazine and article published today mentions virtualization or cloud computing. Technically, the two are different but very much intertwined. When environments use virtualization, there are artifacts an investigator can request that may provide valuable information. The content of this chapter explores the virtualization process, types of virtualized environments, and the part virtualization plays in cloud computing. A section will be included that presents case scenarios to demonstrate the type of evidence gathered in each environment for forensic investigations. A final section will include recommendations for additional areas of research in the area of investigating environments containing virtualization integration with cloud environments.