c o m p u t e r l a w & s e c u r i t y r e v i e w 2 6 ( 2 0 1 0 ) 3 0 4 e3 0 8

available at www.sciencedirect.com

www.compseconline.com/publications/prodclaw.htm

Digital evidence in cloud computing systems
M. Taylor a, J. Haggerty b, D. Gresty c, R. Hegarty a
a

School of Computing and Mathematical Sciences, Liverpool John Moores University, UK School of Computing, Science and Engineering, University of Salford, UK c Post Graduate Student, Lancaster University, UK
b

abstract
Keyword: Digital evidence cloud computing Cloud computing systems provide a new paradigm to the distributed processing of digital data. Digital forensic investigations involving such systems are likely to involve more complex digital evidence acquisition and analysis. Some public cloud computing systems may involve the storage and processing of digital data in different jurisdictions, and some organisations may choose to encrypt their data before it enters the cloud. Both of these factors in conjunction with cloud architectures may make forensic investigation of such systems more complex and time consuming. There are no established digital forensic guidelines that specifically address the investigation of cloud computing systems. In this paper we examine the legal aspects of digital forensic investigations of cloud computing systems. ª 2010 M. Taylor, J. Haggerty, D. Gresty & R. Hegarty. Published by Elsevier Ltd. All rights reserved.

1.

Introduction

Cloud computing involves the provision of software services and the underlying hardware resources used as a virtualized platform across numerous host computers connected by the Internet or an organisation’s internal network (Treacy, 2009; Buyya et al., 2009). Examples of commercial cloud service providers include Amazon Web Services, Google, and Microsoft Azure Services Platform (Mather et al., 2009) as well as open source cloud systems such as Sun Open Cloud Platform (Sun, 2010) and Eucalyptus (Eucalyptus, 2010). There are three generally accepted cloud service delivery models: Software as a service (where the customer rents the software for use on a subscription or pay-per-use model); Platform as a service (where the customer rents a development environment for application developers); and Infrastructures as a service (where the customer rents the hardware infrastructure on a subscription or pay-per-use model and the service can be scaled depending upon demand) (Viega, 2009). Cloud computing could in some respects be useful for computer forensic investigations, if it was necessary to preserve a computing environment for an investigation. The environment could potentially be backed up and put into the

cloud for the investigators to use, whilst carrying on with the normal course of business. However, the migrated data would only represent a snapshot of when it was sent into the cloud. Since in a public cloud computing system data could be stored anywhere in the world, its dispersal could be to a country where privacy laws are not readily enforced or non-existent. It could therefore potentially be difficult to establish a chain of custody for such data. A chain of custody would be taken to start at the time that the data is preserved for analysis or is seized. The issues in a cloud computing environment concern access to the data prior to it being seized, and the preservation of the data being done correctly, since due to the dynamic nature of the operation of a cloud computer system, it would not be possible to go back to the original state of the data. In addition, cloud resources could be utilised during an investigation to resolve computational load issues associated with large-scale data set searches. For example, distributed resources could search small parts of a much larger data set in tandem to form a virtual supercomputer similar to the approach taken by SETI (SETI, 2010). In this way, scalability could be achieved. Evidence is more ethereal and dynamic in the cloud environment with non- or semi-permanent data. For example, if an

0267-3649/$ e see front matter ª 2010 M. Taylor, J. Haggerty, D. Gresty & R. Hegarty. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2010.03.002

where a private cloud system may load (or off-load) data and processing into a public cloud system depending upon the system requirements and the capacity of the private cloud. 2005) in terms of digital evidence acquisition. It should be noted that this may be a logical structure rather than truly geographic.1. Vella (2009) commented that increased use of cloud computing will undoubtedly result in jurisdictional difficulties where data crucial to a case is stored outside the United Kingdom. imaging data from all the computers (or even a subset of the computers) in the cloud may not be practicable. 2000). For example. For example. an organisation may not know where data it is responsible for is located geographically at any particular time. This ruling provides guidance in the case of traditional computing systems. Thus a hard disk may be seized and removed provided that it contains material which the searching officer at the time of the search has reasonable case to believe might be required in relation to a suspected offence or offences. v. Thus. It queries resources and makes high level scheduling decisions via group manager software that gathers information regarding virtual machine (a software implementation of a computer that executes programs like a physical computer) execution on specific instance managers. Instance manager software controls the execution. and had no reason to suspect such unlawful activity or information. then the principles of the Data Protection Act should be applied during the investigation. Acquisition of digital evidence in cloud computing systems Identifying digital evidence in a cloud computing environment may be very complex. 1998 (DPA. appropriate security measures should be applied to any personal data that had to be examined as part of the investigation.c o m p u t e r l a w & s e c u r i t y r e v i e w 2 6 ( 2 0 1 0 ) 3 0 4 e3 0 8 305 application is accessed via a cloud computing system. IP address and date and time of access. Cloud computing service providers would not be liable for damages or for any other pecuniary remedy or for any criminal sanctions as a result of hosting data or applications under the Electronic Commerce (EC Directive) Regulations 2002 and other associated regulations. 2009). number of log-ins. Thames Magistrates Court (2) C&E Commissioners. There are also hybrid privateepublic clouds. The advice from the UK Information Commissioner’s Office (ICO. the open source Eucalyptus) cloud manager software provides the entry point into the cloud for users and administrators. data traditionally written to the operating system. will reside or be stored within the virtual environment and so lost when the user exits. For example Google records information relating to use of Google Docs such as storage usage. as well as managing the virtual instance network. Personal data accessed as part of the investigation should not be accessed by unauthorised . The European Network and Information Security Agency (ENISA. The manner in which cloud computing services operate means that in practice. 2. data displayed and clicked upon. In a cloud computing system (for example. Such data may be useful for police computer forensic investigations and might be able to be obtained under the UK Regulation of Investigatory Powers Act 2000 (RIPA. the servers that provide many of Yahoo’s country specific information actually reside in the USA but appear to be locally hosted to the user. the legal process to gain access to data held in a public cloud computing system (and one which might utilise computing devices in different jurisdictions) is more complex and could delay investigations where the recovery of evidence is typically time critical. Ex Part(1) Paul Da Costa (A firm) (2) Stewart Collins (2002) it was ruled that a computer hard disk is a single storage entity and fell within the definition of a document because it is something ‘in which information of any kind is recorded’. In addition. regulatory compliance and auditing and their still to be determined solutions. there does not appear to be a universal method for extracting evidence in an admissible fashion from cloud-based applications. inspection and termination of virtual machine instances on the host computer within the cloud where it runs. Personal data accessed during a cloud computing system forensic investigation The UK Data Protection Act. 2010) is that data (in particular personal data) should be encrypted prior to it being transferred to a cloud computing services company. 2010) is currently carrying out a risk assessment of cloud computing with regard to the development of technologies and legislative measures to mitigate risk. A public cloud (Internet based) managed by another organisation that provides cloud computing services is likely to be more difficult to investigate than a private cloud (based upon an organisation’s internal computer network) (Grossman. if an investigation of fraud was undertaken that involved analysis of customers’ personal data. and in some cases there might be little evidence available to extract. nor is it practicable for him to do so. 2009). This makes evidence traditionally stored on hard drives potentially unrecoverable. In R. Some public cloud service providers may record certain information relating to use of their services. Kaufman (2009) commented upon the legal issues arising from cloud computing such as e-discovery. The officer is not required to extract from the hard disk just the information he believes may be required. It may be necessary for governments to make arrangements for the immediate preservation of suspect data following a request from law enforcement agencies in order to ensure that data does not disappear while a court decides whether or not the data can be released to UK law enforcement. however in the case of cloud computing systems. whilst the confiscation of physical computing equipment might be relatively straightforward. such as registry entries or temporary Internet files. 2. 2010). This has recently been used to great effect by criminals based in Asia but registering UK Web sites to sell fake branded goods (Vahl. It would seem that at present. Both of these aspects of cloud computing can potentially be time consuming and problematic for a computer forensic investigation (Allan. Part III of the UK Regulation of Investigatory Powers Act 2000 requires provision of decryption keys for the purpose of preventing or detecting crime. Such data may be retained by Google for short periods even after the user has deleted the files (Google. provided that the cloud computing service provider did not have actual knowledge of unlawful activity or information. 1998) might apply to computer forensic investigations that involve the analysis of personal data stored or processed within a cloud computing system.

even the existence of data will be quite complex to identify as data is pushed further back into the network rather than purely being delivered to the user’s physical computing device and may only exist within tight temporal constraints. R. in the absence of evidence to the contrary. Public cloud computing systems offer publicly accessible remote interfaces for creating and managing data.. and the duration of transmission) and the content of the communication. it will be much more difficult to identify. An important aspect of providing digital evidence in court concerns certifying that the computer(s) in question were working properly at the material time. However. Appropriate internal corporate authorisation would be required to ensure that any investigation of an internal private cloud system did not breach the Act. When digital evidence is required from a public cloud computing system there is also the issue of continuity of service (and level of service) for other users of the cloud services. A public cloud is managed by another organisation that provides cloud services. such as the suspect or system administrators. provides an example case where non-disclosure of cell-site evidence relating to a mobile phone call occurred. then the UK Criminal Procedure and Investigations Act. In addition. Any police computer forensic investigation should keep within the Association of Chief Police Officers’ guidelines for computer-based electronic evidence (ACPO. This is important and potentially challenging in a cloud computing forensic investigation since numerous computing devices possibly located in different countries may have been used during a transaction. As Treacy (2009) comments. 2007). However. 3. Section 3. That is to show a court. due to the nature of cloud computing systems operation. This more dispersed architecture can have serious ramifications for the identification of digital evidence. 2007). 1996) and amendments in the UK Criminal Justice Act. the investigating team may also have access to key personnel identified by the investigation.2 of this Act. 1996 makes a specific requirement on police officers and their agents (such as computer forensic analysts) to provide detailed disclosure. v. 1996 (CPIA. This seamless delivery from distributed sources will make the identification of sources of potential digital evidence. Ideally a computer forensic investigation should not impact upon other cloud service users who are not the target of the investigation. 2003 (Part 5) (CJA. This is achieved through the seamless interaction of a variety of applications being delivered to the user as if they were accessing just a single site or logical location. the courts will presume that a mechanical instrument is in working order at the material time. Procedures used for cloud computing forensic investigations A private cloud computing system is for a single organisation’s internal use and it may be run by the organisation itself or outsourced to a third party. but also material that may undermine the prosecution and support a defence. However. applications. If a cloud computing forensic investigation was to result in a court case. the time and date. Spiby [1991] (CLR. 2003) may be relevant as they cover the legal requirements to provide both evidence in support of a prosecution and evidence to support a reasonable defence. Investigation of a public cloud computing system involving Internet based computing resources would require the cloud computing services provider to provide the police (or other agency) investigation with required digital data. 2000 (RIPA) makes it unlawful to intercept any communication in the course of transmission without the consent of one of the parties or without lawful authority. Hampton and another 2004 EWCA Crim 2139. concerns digital material that came into the prosecutor’s possession in connection with the case for the prosecution. or their agents. and whether such data can be released in a timely manner (before it may be deleted). 1996 does not rule evidence inadmissible. The Criminal Procedure and Investigations Act.2. and data repositories residing within the organisational IT infrastructure. the current version of the Association of Chief Police Officers’ guidelines for computerbased electronic evidence does not specifically address cloud computing investigations but its principles should be maintained. In a cloud computing environment. Primary disclosure by prosecutor. the cloud computing environment aims to be dynamic and customizable. much more complex. if the digital evidence resides within a public cloud. but during the trial the court might be directed to take into account the fact that the defendant may not have been afforded the opportunity to acquire evidence to defend themselves (Taylor et al. such as servers. 2. due to the potentially greater effort required to identify and examine computing devices that had stored or processed digital data of interest to the investigation. 1991) it was held that if an instrument (in this case a computer) was of a kind as to which it was common knowledge that they were more often than not in working order. and would include material provided by police officers. or the digital evidence itself. In the case of R. there might be limited time and resources available to identify digital material of wider relevance than that which specifically concerns the investigation. If a computer forensic investigation involves a private cloud. Failing to comply with the Criminal Procedure and Investigations Act. the digital data will reside within the organisation or within its outsourced supplier. if required that the evidence produced is no more and no less than when it was first taken into the possession of the forensic examiner. This covers not just the disclosure of digital material that supports the prosecution. some of the digital data may not be practicable to obtain. However. v. Monitoring of cloud computing systems during a computer forensic investigation The UK Regulation of Investigatory Powers Act. UK law distinguishes between the interception of communication or traffic data (the sender and recipient.306 c o m p u t e r l a w & s e c u r i t y r e v i e w 2 6 ( 2 0 1 0 ) 3 0 4 e3 0 8 individuals outside the investigation team. Moreover. The key sources of potential evidence will be identifiable. Any computer forensic investigation carried out by a UK police force would be subject to the codes of practice within the . the main consideration regarding personal digital data that may need to be examined during a cloud computing system forensic investigation is that of the different jurisdictions in which the data of interest may be stored or processed within the cloud (especially in non-EU countries without an appropriate level of data protection legislation).

then with regard to user data stored on the user’s personal computer after such a Google document transaction there would be cookies for user login and documents and also Google gears may have created an SQLite database on the users machine to allow the user to work offline. which can again lead to more complexity and delay in obtaining the necessary digital evidence. Good practice guide for computer-based electronic evidence version 4. UK. Venugopal S. However. 1984) (and possibly the UK Serious Organised Crime and Police Act. documents and files will typically have meta data preserved from the original hosting system. uk.ac. In a cloud computing environment actions taken from the moment a fraud is suspected can have a profound impact on both the amount of digital evidence available and the extent to which it will be acceptable in future legal proceedings. This might lead to either legislation requiring cloud computing service providers to keep audit trails (or similar records of user activity). England. Liverpool John Moores University. M. Ireland: The Association of Chief Police Officers. Brandic I. However. 1990). Cloud computing and emerging IT platforms: vision. with regard to unauthorised modification of data or programs (CMA. such delays could potentially result in data being deleted before it can be made available to investigators.3(4): 59e62.C. unless confirmation of the modification was sent to user’s computer.Haggerty@salford. It may potentially be difficult to obtain digital evidence to the same standard as that currently obtained from traditional server-based systems due to the nature of the operation of cloud computing systems. other types of organisations may not use such audit trails in which case it might be difficult to identify digital evidence to prove that updating of accounts (not just attempted fraud or money laundering) took place within the cloud. Lancaster University. However.acpo. hype and . All these artefacts stored on the user’s personal computer could provide potential evidence. meta data embedded within documents that had subsequently entered the cloud storage could provide important clues to how the data has been used and manipulated beforehand (such as change tracking in MS Word documents). even if further digital evidence from computers in the Google cloud could not easily be obtained. Analysis of digital evidence in cloud computing systems When investigating data recovered from traditional media. If investigation of emails is required within a cloud computing environment then typically logs of sent and received emails from the user’s computer could be used as evidence (unless the tampering of emails is being investigated in which case evidence from the computing devices within the cloud could be required). Post Graduate Student. Thus if a defence related to malicious software 5. Science and Engineering. for example data relating to when files were created and modified. School of Computing and Mathematical Sciences.ac. Haggerty (J. there may be little evidence available to extract.ljmu. Brobery J. or that prosecution cases may need to be based upon evidence gained mainly from the user’s computer.uk) School of Computing.c o m p u t e r l a w & s e c u r i t y r e v i e w 2 6 ( 2 0 1 0 ) 3 0 4 e3 0 8 307 Police and Criminal Evidence Act. Wales. Thus for example. if this is possible.taylor@ljmu. If an investigation concerned indecent images or extreme pornography then evidence from the user’s computer of access or downloading or storage of images could typically be obtained. financial services organisations (and some other types of organisations) might typically have audit trails built into their application systems (that can be used to provide digital evidence). Some organisations may encrypt digital data before processing in the cloud. it may be difficult to extract digital evidence in an admissible manner from such applications. 1984 (PACE. computer viruses and worms and Trojan software) within a cloud computing environment may be complex. Yeo C. In terms of fraud or money laundering investigations involving cloud computing systems. 1990) might be investigated in a cloud computing environment then digital evidence may possibly be fairly easy to obtain from the user’s computer. http://www. 2007.j. Hegarty (R. University of Salford. and N. In the case of data stored or processed in different jurisdictions within the cloud. IEEE Security and Privacy 2005. 2005 (SOCPA. 2005). Allan W. & R. or the application. Tracking malware (including spyware. then to prove that unauthorised modification actually took place it might be difficult to identify digital evidence that modification actually took place at the material time on a computing device within the cloud (especially if a public cloud computing system or hybrid cloud computing system is being investigated). If unauthorised access or unauthorised access with intent (CMA. D. 4. systems or network software produced an audit trail. rather than from computing equipment within the cloud.uk) School of Computing and Mathematical Sciences.Hegarty@2006. Public and hybrid cloud-based computing systems might operate across jurisdictions.police. Taylor (m. Attempting to track down the effects of malware upon data or programs stored within the cloud could be very complex. it might be difficult to obtain digital evidence to support such a defence (Haagman and Ghavalas. Buyya R. Liverpool John Moores University. references ACPO. However.ac. Computer forensics. if an investigation involved analysis of a Google document transaction. organisations storing and disseminating such material might possibly use cloud computing services in which case the actual computing devices within the cloud storing such images might need to be determined. Gresty. and in some cases. J. being used within the cloud without the knowledge of the accused.uk) Research Student. This may not be the case in cloud computing systems. UK. Unless a cloud computing application provides an audit trail. 2005)). which might make obtaining such data more complex and more time consuming. Conclusions The acquisition and analysis of digital evidence from cloud computing systems is likely to be more complex than for previous types of computing systems.

eu.opsi. http://setiathome. 2010.308 c o m p u t e r l a w & s e c u r i t y r e v i e w 2 6 ( 2 0 1 0 ) 3 0 4 e3 0 8 reality for delivering computing a 5th utility.gov. Sun Microsystems.opsi. 1991:199. UK Police and Criminal Evidence Act 1984. ENISA. USA: O’Reilly.ico. UK Regulation of Investigatory Powers Act. 1998. http:// www.com/google-d-s/privacy. Kumaraswamy S. Cloud security and privacy: an enterprise perspective on risks and compliance. html. UK: Information Commissioner’s Office. Computer Law and Security Report 2007.enisa. Google Docs.gov.23:562e6.opsi. Serious Organised Crime and Police Act. R. The future of forensic computing. 1984.uk. Fake websites shut down by police. Haggerty J. http://www. Data security in the world of cloud computing. http://www. http:// www.42(8):106e8. 3 Dec 2009. Criminal Law Review. http://www. Search for Extra-Terrestrial Intelligence. Sun. CJA. opsi. The case for cloud computing. http://www. http://www. CMA. Sun open cloud platform. Latif S. Privacy and Data Protection 2009.2(1):23e30. UK Computer Misuse Act 1990.uk/1/hi/uk/8392600.sun. Personal information online code of practice: consultation document.stm.gov.gov. IEEE Security and Privacy 2009. ENISA cloud computing risk assessment. Gresty D. 2009. Treacy B. Ghavalas B. Grossman R.edu.gov. RIPA.gov. UK Criminal Procedure and Investigations Act 1996. gov. gov. CA. European Network and Information Security Agency. IT Professional 2009. com. v. 2003.uk. Cloud computing: data protection concerns unwrapped. http://news. Future Generation Computer Systems 2009.uk. BBC News. Kaufman L. http://www. Spiby.9(3):1e3. SOCPA. IEEE Computer 2009. Eucalyptus systems. Haagman D. Clr.opsi. 2010. UK Criminal Justice Act 2003. http://www. PACE.25:599e616. Vella P.com.opsi.eucalyptus. CPIA.co. http://www. Mather T. 1990. 2010. Sebastopol. 2010. Viega J. 2000. . Trojan defence: a forensic view. Taylor M. http://www.opsi. 1996. 2010. DPA. Eucalyptus. Digital Investigation 2005. Google.uk.33:1e2. Vahl S. 2005.uk. bbc. UK Data Protection Act 1998. http://www. ICO. berkeley.uk.google. 2010.uk. The legal aspects of corporate computer forensic investigations.uk. Criminal Law and Justice Weekly 2009. europa. SETI. Cloud computing and the common man.7(4):61e4. 11(2):23e7.

Sign up to vote on this title
UsefulNot useful