Digital evidence in cloud computing systems

Cloud computing systems provide a new paradigm to the distributed processing of digital data. Digital forensic investigations involving such systems are likely to involve more complex digital evidence acquisition and analysis. Some public cloud computing systems may involve the storage and processing of digital data in different jurisdictions, and some organisations may choose to encrypt their data before it enters the cloud. Both of these factors in conjunction with cloud architectures may make forensic investigation of such systems more complex and time consuming. There are no established digital forensic guidelines that specifically address the investigation of cloud computing systems. In this paper we examine the legal aspects of digital forensic investigations of cloud computing systems.     

Digital evidence and ‘cloud’ computing

The term ‘cloud computing’ has begun to enter the lexicon of the legal world. The term is not new, but the implications for obtaining and retaining evidence in electronic format for the resolution of civil disputes and the prosecution of alleged criminal activities might be significantly affected in the future by ‘cloud’ computing. This article is an exploratory essay in assessing the effect that ‘cloud’ computing might have on evidence in digital format in criminal proceedings in the jurisdiction of England & Wales.     

Distributed filesystem forensics: XtreemFS as a case study

Distributed filesystems provide a cost-effective means of storing high-volume, velocity and variety information in cloud computing, big data and other contemporary systems. These technologies have the potential to be exploited for illegal purposes, which highlights the need for digital forensic investigations. However, there have been few papers published in the area of distributed filesystem forensics. In this paper, we aim to address this gap in knowledge. Using our previously published cloud forensic framework as the underlying basis, we conduct an in-depth forensic experiment on XtreemFS, a Contrail EU-funded project, as a case study for distributed filesystem forensics. We discuss the technical and process issues regarding collection of evidential data from distributed filesystems, particularly when used in cloud computing environments. A number of digital forensic artefacts are also discussed. We then propose a process for the collection of evidential data from distributed filesystems.     

日本《信托法》的修改及其借鉴意义

2006年12月日本对施行84年之久的《信托法》进行了重大修改。此次修改的主要内容表现在受托人的义务、受益人的权利以及信托利用的形态等三个方面。修改后的日本《信托法》确立了民事信托、商事信托与公益信托的共同规则;扩大了信托当事人的意思自治空间,增加了大量任意性规范;增强了法律用语的科学性和制度的可操作性。我国《信托法》宜借鉴日本《信托法》的此次修改,在立法观念上加以更新,并对法律规范进行修改和增补。     

中国信托业陷入低迷的法律分析——写在《信托法》实施以后

我国信托业虽然与银行业、保险业、证券业一并号称为现代金融体系的四大支柱,但信托业无疑是最弱的一支。《信托法》的出台并没有带来信托业的繁荣,在真正回归了＂受人之托,代人理财＂的核心主业以后,信托业却长期陷入了低迷。分析表明,在我国信托法中,双重所有权的法系冲突问题悬而未决,受托人容易沦为委托人的代理人,委托人和受益人容易出现对峙僵局,瑕疵承继制度矫枉过正,信托财产公示制度有名无实,没有合理的市场退出机制。这些立法缺陷是中国信托业陷入低迷状态的重要原因,也是信托制度在我国没有顺利实现本土化的突出表现。可以断言,中国的信托业已进入瓶颈阶段,信托法能否实现本土化是我国信托业能否走出低迷的关键。     

Trust in the information society

Trust is an important feature for all users of the Internet who rely on the safety and security of network technologies and systems for their daily lives. Trust, or the lack of it, has also been identified by the European Commission’s Digital Agenda as a major barrier to further development of the information society in Europe. One of the areas in which concerns have been raised is in relation to children’s safety online. As a result, substantial efforts have been made by policymakers and by the industry to build greater trust and confidence in online digital safety. This paper examines what trust means in the context of children’s use of the Internet. Should policy on trust enhancement, for instance, include children’s own trust in the technologies or services they use or is it sufficient to seek to reinforce parental and adult confidence that children can be adequately protected? What is required to build that trust from either perspective? Does it need, or should it include a relationship of trust between parents and children? To tease out these questions further, the paper examines current European Union policy frameworks on digital safety, particularly industry responses to the call for a more trusted Internet environment for children, and argues that technical solutions to be effective need to carefully balance a number of competing objectives and to be sufficiently grounded in evidence of parental and child experience of the Internet.     

Protecting digital identity in the cloud: Regulating cross border data disclosure

Widespread use of cloud computing and other off-shore hosting and processing arrangements make regulation of cross border data one of the most significant issues for regulators around the world. Cloud computing has made data storage and access cost effective but it has changed the nature of cross border data. Now data does not have to be stored or processed in another country or transferred across a national border in the traditional sense, to be what we consider to be cross border data. Nevertheless, the notion of physical borders and transfers still pervades thinking on this subject. The European Commission (“EC”) is proposing a new global standard for data transfer to ensure a level of protection for data transferred out of the EU similar to that within the EU. This paper examines the two major international schemes regulating cross-border data, the EU approach and the US approach, and the new EC and US proposals for a global standard. These approaches which are all based on data transfer are contrasted with the new Australian approach which regulates disclosure. The relative merits of the EU, US and Australian approaches are examined in the context of digital identity, rather than just data privacy which is the usual focus, because of the growing significance of digital identity, especially to an individual's ability to be recognized and to transact. The set of information required for transactions which invariably consists of full name, date of birth, gender and a piece of what is referred to as identifying information, has specific functions which transform it from mere information. As is explained in this article, as a set, it literally enables the system to transact. For this reason, it is the most important, and most vulnerable, part of digital identity. Yet while it is deserving of most protection, its significance has been largely under-appreciated. This article considers the issues posed by cross border data regulation in the context of cloud computing, with a focus on transaction identity and the other personal information which make up an individual's digital identity. The author argues that the growing commercial and legal importance of digital identity and its inherent vulnerabilities mandate the need for its more effective protection which is provided by regulation of disclosure, not just transfer.     

Trust in the clouds

The “cloud” is not new, and its roots go back to the original plans for computing from the 1950s. Now that computing is moving back to the original cloud-based models that were envisioned more than 60 years ago, with it, consumers are realizing the increases in security and safety that accompany the move to centralized servers. Yet the perception of “trust” in this context is often still formed by views that people have from their use of computers over the past two decades, which is localized in nature (“if I can see it, I can control it”). This view is based on perception more than fact. Our paper discusses different views of trust in other contexts (such as banking and travel) and concludes that users of cloud computing should recast their view of trust in a similar way that consumers of banking and travel have changed their perceptions of trust in the last 100 years.     

Automated event and social network extraction from digital evidence sources with ontological mapping

The sharp rise in consumer computing, electronic and mobile devices and data volumes has resulted in increased workloads for digital forensic investigators and analysts. The number of crimes involving electronic devices is increasing, as is the amount of data for each job. This is becoming unscaleable and alternate methods to reduce the time trained analysts spend on each job are necessary.This work leverages standardised knowledge representations techniques and automated rule-based systems to encapsulate expert knowledge for forensic data. The implementation of this research can provide high-level analysis based on low-level digital artefacts in a way that allows an understanding of what decisions support the facts. Analysts can quickly make determinations as to which artefacts warrant further investigation and create high level case data without manually creating it from the low-level artefacts. Extraction and understanding of users and social networks and translating the state of file systems to sequences of events are the first uses for this work.A major goal of this work is to automatically derive ‘events’ from the base forensic artefacts. Events may be system events, representing logins, start-ups, shutdowns, or user events, such as web browsing, sending email. The same information fusion and homogenisation techniques are used to reconstruct social networks. There can be numerous social network data sources on a single computer; internet cache can locate Facebook, LinkedIn, Google Plus caches; email has address books and copies of emails sent and received; instant messenger has friend lists and call histories. Fusing these into a single graph allows a more complete, less fractured view for an investigator.Both event creation and social network creation are expected to assist investigator-led triage and other fast forensic analysis situations.     

Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and evaluating tools,trust, and techniques

We expose and explore technical and trust issues that arise in acquiring forensic evidence from infrastructure-as-a-service cloud computing and analyze some strategies for addressing these challenges. First, we create a model to show the layers of trust required in the cloud. Second, we present the overarching context for a cloud forensic exam and analyze choices available to an examiner. Third, we provide for the first time an evaluation of popular forensic acquisition tools including Guidance EnCase and AccesData Forensic Toolkit, and show that they can successfully return volatile and non-volatile data from the cloud. We explain, however, that with those techniques judge and jury must accept a great deal of trust in the authenticity and integrity of the data from many layers of the cloud model. In addition, we explore four other solutions for acquisition—Trusted Platform Modules, the management plane, forensics-as-a-service, and legal solutions, which assume less trust but require more cooperation from the cloud service provider. Our work lays a foundation for future development of new acquisition methods for the cloud that will be trustworthy and forensically sound. Our work also helps forensic examiners, law enforcement, and the court evaluate confidence in evidence from the cloud.     

Triaging digital device content at-scene:- Formalising the decision-making process

The prominence of technology usage in society has inevitably led to increasing numbers of digital devices being seized, where digital evidence often features in criminal investigations. Such demand has led to well documented backlogs placing pressure on digital forensic labs, where in an effort to combat this issue, the ‘at-scene triage’ of devices has been touted as a solution. Yet such triage approaches are not straightforward to implement with multiple technical and procedural issues existing, including determining when it is actually appropriate to triage the contents of a device at-scene. This work remains focused on this point due to the complexities associated with it, and to support first responders a nine-stage triage decision model is offered which is designed to promote consistent and transparent practice when determining if a device should be triaged.     

Design and implementation of FROST: Digital forensic tools for the OpenStack cloud computing platform

We describe the design, implementation, and evaluation of FROST—three new forensic tools for the OpenStack cloud platform. Our implementation for the OpenStack cloud platform supports an Infrastructure-as-a-Service (IaaS) cloud and provides trustworthy forensic acquisition of virtual disks, API logs, and guest firewall logs. Unlike traditional acquisition tools, FROST works at the cloud management plane rather than interacting with the operating system inside the guest virtual machines, thereby requiring no trust in the guest machine. We assume trust in the cloud provider, but FROST overcomes non-trivial challenges of remote evidence integrity by storing log data in hash trees and returning evidence with cryptographic hashes. Our tools are user-driven, allowing customers, forensic examiners, and law enforcement to conduct investigations without necessitating interaction with the cloud provider. We demonstrate how FROST's new features enable forensic investigators to obtain forensically-sound data from OpenStack clouds independent of provider interaction. Our preliminary evaluation indicates the ability of our approach to scale in a dynamic cloud environment. The design supports an extensible set of forensic objectives, including the future addition of other data preservation, discovery, real-time monitoring, metrics, auditing, and acquisition capabilities.     

Security-oriented cloud computing platform for critical infrastructures

The rise of virtualisation and cloud computing is one of the most significant features of computing in the last 10 years. However, despite its popularity, there are still a number of technical barriers that prevent it from becoming the truly ubiquitous service it has the potential to be. Central to this are the issues of data security and the lack of trust that users have in relying on cloud services to provide the foundation of their IT infrastructure. This is a highly complex issue, which covers multiple inter-related factors such as platform integrity, robust service guarantees, data and network security, and many others that have yet to be overcome in a meaningful way. This paper presents a concept for an innovative integrated platform to reinforce the integrity and security of cloud services and we apply this in the context of Critical Infrastructures to identify the core requirements, components and features of this infrastructure.     

Copyright in the blockchain era: Promises and challenges

The paper focuses on various legal-related aspects of the application of blockchain technologies in the copyright sphere. Specifically, it outlines the existing challenges for distribution of copyrighted works in the digital environment, how they can be solved with blockchain, and what associated issues need to be addressed in this regard. It is argued that blockchain can introduce long-awaited transparency in matters of copyright ownership chain; substantially mitigate risks of online piracy by enabling control over digital copy and creating a civilized market for “used” digital content. It also allows to combine the simplicity of application of creative commons/open source type of licenses with revenue streams, and thus facilitate fair compensation of authors by means of cryptocurrency payments and Smart contracts. However, these benefits do not come without a price: many new issues will need to be resolved to enable the potential of blockchain technologies. Among them are: where to store copyrighted content (on blockchain or “off-chain”) and the associated need to adjust the legal status of online intermediaries; how to find a right balance between immutable nature of blockchain records and the necessity to adjust them due to the very nature of copyright law, which assigns ownership based on a set of informal facts, not visible to the public. Blockchain as a kind of time stamping service cannot itself ensure the trustworthiness of facts, which originate “off-chain”. More work needs to be done on the legal side: special provisions aimed at facilitating user's trust in blockchain records and their good faith usage of copyrighted works based on them need to be introduced and transactions with cryptocurrencies have to be legalized as well as the status of Smart contracts and their legal consequences. Finally, the economics of blockchain copyright management systems need to be carefully considered in order to ensure that they will have necessary network effects. If those issues are resolved in a satisfactory way, blockchain has the potential to rewrite how the copyright industry functions and digital content is distributed.     

Setting aside a trust on the ground of mistake--In the Matter of the DSL Remuneration Trust: DSL Remuneration Trust [2007] JRC 251

This case concerned a remuneration trust which had been establishedby a company called DSL in April 2000. The beneficiaries ofthe Trust were named as the past, present and future employeesof DSL and their families. The shares in DSL were owned by acouple, Mr and Mrs L, who were also the two directors of DSL.The Trust assets comprised the proceeds of sale of the businessof DSL and its interest in two retail shops, and representedthe bulk of the assets of Mr and Mrs L and their family. The terms of the Trust prevented any outright distribution orpayments being made or any benefits     

How much privacy do clouds provide? An Australian perspective

Cloud computing is becoming the standard operating process, communications system and underlying infrastructure of the Internet. This is of paradigm-shifting significance to the law. Multinationals, such as Google, Amazon, Apple, Facebook, and Microsoft, own and operate the cloud computing infrastructure of the Internet as well as influencing its culture. They have been called the Four Horsemen of Technology and consider Microsoft their inspiration.¹ Business can now be transacted at the speed of thought. The digital nervous system that Bill Gates envisioned is blossoming as cloud computing. However, sovereign nations can no longer effectively regulate the telecommunications systems within their borders without the tacit compliance of these cloud operating multinationals. The aim of this paper is to determine whether or not cloud computing infrastructure can support privacy regulation yet remain practical.     

数字证据、电子证据、科学证据、电子记录概念比较分析

与数字证据相关的概念很多,但它们的内涵和外延存在一定差异,从提出概念的出发点、载体、表现形式、研究范围等角度分析数字证据、电子证据、科学证据、电子记录等概念的差异,并进一步提出对数字证据进行专门研究的科学性和必要性。     

Protecting the privacy and security of sensitive customer data in the cloud

The global ubiquity of cloud computing may expose consumers' sensitive personal data to significant privacy and security threats. A critical challenge for the cloud computing industry is to earn consumers' trust by ensuring adequate privacy and security for sensitive consumer data. Regulating consumer privacy and security also challenges government enforcement of data protection laws that were designed with national borders in mind. From an information privacy perspective, this article analyses how well the regulatory frameworks in place in Europe and the United States help protect the privacy and security of sensitive consumer data in the cloud. It makes suggestions for regulatory reform to protect sensitive information in cloud computing environments and to remove regulatory constraints that limit the growth of this vibrant new industry.     

Digital evidence strategies for digital forensic science examinations

Given the size and complexity of many digital forensic science device examinations, there is a need for practitioners to formally and strategically determine a course of conduct which allows them to undertake the most robust and efficient examination possible. This work outlines both the need for practitioners to have a digital evidence strategy (DES) when tackling any given examination scenario, how to construct one and the concerns which exist when no formal DES is in place. Approaches to DES development are examined and the context to which they should be deployed are analysed, with focus being on the use of DESs at the examination/processing stage of the investigative workflow. Finally, a ‘DES skeleton’ is offered to guide practitioners as they seek to create their own DES.