Digital Forensics in a Virtualized World, Research Paper Example
The emerging subject of digital forensics is important to consider due to the implications that the developing field has on those who utilize the services of computer technology. The fast-paced and dynamic changes occurring in the current circumstances of the online community present difficulty for those that are attempting to investigate potential issues regarding data and technology. Furthermore, it affects their ability to both provide the necessary services for their customers and accurately convey the results of their investigation. These issues grow in concern as society becomes increasingly dependent upon services such as cloud storage. This emerging technology presents a major obstacle for those who work in digital forensics to overcome, due to the difficulty in analysis of the information as well as in establishing protocols for the effective management and application of policies to the issues at hand. In order to establish more effective methods for investigation, analysis of the short history and present circumstances of the field of digital forensics should be carried out to determine a more viable solution.
One of the major challenges facing the implementation of cloud technologies is the susceptibility that they have to attacks. This is primarily due to the underlying nature of the technology itself. “Cloud infrastructure offers an attractive prize for hackers, with exceptional bandwidth, storage, and computing power, and a consolidated repository of data” (Dykstra 157). In this sense, in developing methods of implementing solutions to these issues, investigators must overcome various challenges. “The very attributes that make cloud computing attractive can be at odds with forensic and legal goals” (Dykstra 157). These challenges are legal, technical, and managerial in nature. Not only do investigators run into challenges regarding what specific department, organization, or agency has jurisdictional authority over the investigation, but also in the methods utilized in order to ensure that any evidence that is able to be recovered is done so in a way that preserves its state without changing the information in any way. Jurisdiction and preservation of evidence are two major challenges that are faced (Dykstra 157). These challenges are in direct contrast, however, to the underlying open nature that lies at the heart of cloud technologies.
While there is a need to establish safe and effective protocols for the consumption of cloud-based storage data, it is also important to consider the need to safeguard the open nature of this technology for the end user. It is, obviously, important to implement safety protocols. “Cloud computing, however, is concerned with providing customers with raw remote computing resources such as computation or data storage, and the ability to provision those resources themselves” (Dykstra 158). This presents the major challenge to implementing strategies for ensuring the effective application of policies regarding this new technology. Furthermore, the broad nature of cloud storage and its applications should be understood in regards to the implications that these factors have on the investigations of the technology. There are, for instance, a variety of formats in which the forensics can take place. “Digital forensics is an umbrella term for any digital data that encompass sub-disciplines such as computer forensics, network forensics, database forensics, mobile device forensics, and video forensics” (Dykstra 159). This presents a need to understand the implications and impact of specific policies and their methods for providing investigators with the necessary tools to carry out their jobs.
For this reason, it is also important to understand the variety of interests that are involved in the question of digital forensics due to their use of cloud storage technologies. As the use of these technologies grows, the need for better tools to prevent data breaches will become more evident. “There are many stakeholders involved in cloud forensics activities, including members of government, industry, and academia” (NIST 3). For this reason, it is important to have clearly established protocols for the implementation of investigative strategies into potential criminal behavior involving the information that is contained within the digital storage technologies in question. Who is responsible and who is potentially affected by policies is important to consider due to the fact that, when under investigation, “stakeholders start making assertions about ownership and responsibilities” (NIST 3). For this reason, policies should be clear and concise in demonstrating who and what is under investigation.
One of the major advantages of cloud storage is its ability to reduce costs to companies, individuals, and government agencies that implement the technology. The efficiency cost reductions provide important incentives for switching to the use of cloud-based storage services. “Virtualized services provide greater flexibility over an in-house physical IT infrastructure, because services can be rapidly re-configured or scaled to meet new and evolving requirements without the need to acquire new and potentially redundant hardware” (Grispos 2). The rapid implementation of these services has left a gap in the capabilities of digital investigators to implement effective measures in mitigating the costs and damages related to the storage of data or information. The major challenge is, therefore, that “existing digital forensic principles, frameworks, practices and tools are largely intended for off-line investigation” (Grispos 2). The major issue with these traditional approaches is that they do not take the locality of the storage into account.
The software, platform, and infrastructure must be accounted for in developing strategies for conducting these investigations. For this reason, proper identification of criminal use of data, preservation and collection of evidence regarding that crime, established protocols for the chain of processes that went into the investigation, and cooperation among various organizations should be considered priorities. One of the most important priorities, however, should be the development of a methodology for acquiring the data in the most secure and legal means possible. This is evident in the fact that “an acquisition methodology needs to be developed such that forensic ‘images’ can be acquired from the virtual machines” (Grispos 18). By doing so, a snapshot of the data at the point of investigation can be taken. There are, however, various ways in both ensuring the quality of the images and utilizing the best methods in order to analyze the data within.
There are various issues that should be considered when implementing these policies. These issues are framed regarding the various problems that will be faced when developing protocols for cloud computing technology safety. One of the major factors that should be considered is the variety of ways in which data can be transferred over the internet. This is true in regards to both the way that people are connected, through mobile data, cable connections, fiber optics, and phone lines, as well as in how they connect, through web-browsers, apps, and other media portals. For this reason, “the effectiveness of the data transmission encryption may depend on a number of variables and the actual cryptographic algorithms and protocols may not meet the Federal Information Processing Standards (FIPS) encryption requirements” (FBI 2). For this reason, a more effective standard for the implementation of policies should be developed by experts in the field.
Storage of data is also an issue that must be considered. This is mainly due to the physicality of the information and how it is stored. In traditional methods, data is stored locally, and the source of its collection can be easily maintained. However, as cloud storage methods become more popular, the physical and political boundaries that would have once limited the nature and ability of transmission have dissolved, and these limitations have disappeared as well. Furthermore, the need for storage services to move their storage facilities or transfer data presents challenges for determining the authenticity of data in some circumstances. This can potentially cause a rise in the chance of data corruption or leakage across these boundaries “either by intentional manipulation of the shared infrastructure by a malicious actor, or unintentional spillage due to administrator error in system configuration or data manipulation operations” (FBI 3). These issues should be mitigated by the methods employed in order to investigate these criminal activities.
Through promoting methods that increase the rate of retention and backups that are made by storage providers, ensuring locality of storage centers, and providing means of access to storage or for recovery in disasters or other emergency situations, these issues can be alleviated. Furthermore, by developing better means of cryptographic security and identification, more effective capabilities in both limiting and investigating potential criminal behavior can be established. The nature of shared infrastructures determines the need to promote these basic considerations. For this reason, the effective development and application of managerial control over basic protocols should be ensured. “The most effective risk reduction mechanism regarding cryptographic keys or digital certificate management is to generate, distribute, maintain, and revoke all keys and certificates using organizationally controlled key management systems” (FBI 13). This demonstrates the importance of providing effective security protocols at the level of management in cloud-based systems.
For this reason, the various challenges facing investigators should be understood in regards to the underlying conditions that they will face when developing more effective methods for implementing these strategies. Issues such as the quantity of data, the ease of contamination of data, the potential time period of determining that a crime has been committed, and the increasingly large number of potential suspects in the online community are all a concern (Reilly 29). Furthermore, having authentic, reliable, complete, believable, and admissible evidence is also an important factor, which demonstrates the barriers that must be overcome in implementing digital forensics. In this sense, investigations into cloud-based criminal behaviors are difficult due to the need to causally link various pieces of evidence throughout various time-periods, and from various formats, in order to establish a case.
Investigators have, therefore, developed process models in order to create a more structured approach in dealing with these issues. “The process models specify generalized steps that are used to conduct a complete investigation” (Reilly 29). In outlining these steps, a more effective system for the framework of investigation can be created. It is, therefore, important to understand the basic process that takes place when implementing these models. This process includes identification and preservation of associated data, its collection, examination, and analysis, and, finally, the information is organized so that it can be presented in a “clear, concise, and objective manner” (Reilly 30). This demonstrates the importance of outlining clear and effective methods in determining the best strategy for digital forensics in regards to the emerging technology of cloud storage.
Furthermore, there are various principles and guidelines that should be followed in order to establish effective methods for data collection, analysis, and presentation. Investigators should, of course, not change any of the data in any way. Having clear guidelines for accessing storage devices should also be an established rule. A way to provide a step-by-step report on what was done during the investigation should also be developed. Finally, those in positions of management or authority over others’ actions should take into account the moral and ethical considerations of their methods (Reilly 30). This can help to effectively mitigate the circumstances under which the information under question might become corrupted or obsolete under the investigation.
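The two principles above (acquired data must not change, and every step of the investigation must be reportable) can be checked mechanically. The following is an added example, not taken from any of the cited sources: it hashes an acquired virtual machine image and keeps a hash-chained custody log, so that a later change to either the image or the log is detected. All function names, actors, timestamps, and the snapshot bytes are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # 'prev' value used by the first log entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _entry_digest(entry: dict) -> str:
    # Hash every field except the stored digest itself, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def record(log: list, ts: str, actor: str, action: str, image: bytes) -> dict:
    """Append one custody step, chained to the previous entry's hash."""
    entry = {
        "seq": len(log), "ts": ts, "actor": actor, "action": action,
        "image_sha256": sha256_hex(image),
        "prev": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _entry_digest(entry)
    log.append(entry)
    return entry

def first_bad_entry(log: list):
    """Index of the first edited, reordered or removed entry, else None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if (entry["seq"] != i or entry["prev"] != prev
                or _entry_digest(entry) != entry["entry_hash"]):
            return i
        prev = entry["entry_hash"]
    return None

def image_unchanged(log: list, image: bytes) -> bool:
    """True if the log is intact and the image matches its acquisition hash."""
    return (bool(log) and first_bad_entry(log) is None
            and log[0]["image_sha256"] == sha256_hex(image))

def demo():
    snapshot = b"constructed VM snapshot bytes"  # stand-in for a real image
    log = []
    record(log, "2024-01-01T10:00:00Z", "examiner-a", "acquired snapshot", snapshot)
    working_copy = bytes(snapshot)  # analysis is done on a copy
    record(log, "2024-01-01T10:30:00Z", "examiner-b", "examined working copy", working_copy)
    return log, snapshot

if __name__ == "__main__":
    log, snapshot = demo()
    print(image_unchanged(log, snapshot), first_bad_entry(log))
```

A hash chain only shows that earlier entries were not edited in isolation; to stop the whole log being rewritten, the most recent entry hash has to be signed or stored somewhere the examiners cannot alter.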
One method that presents an important point of departure is to create a controlled environment for the investigation through the isolation of a specific instance of the cloud storage under investigation. “The controlled environment will aid in protecting the instance from contamination and tampering” (Delport 3). This is important in developing strategies that provide the necessary level of precaution in regards to the data or information in question. Instance relocation, server farming, failover, sandboxing, and address relocation are all argued to be effective methods of doing so. However, none of these techniques are perfect and applicable to the wide range of circumstances that might be faced. “The techniques may be combined to provide a feasible method to isolate a cloud instance” (Delport 7). By doing so, investigations that are ethical, just, and fair can be established.
The major challenge to digital investigators regarding cloud storage is in the implementation of effective strategies to accurately and concretely assess the various risks that are being placed as well as to provide solutions for how to determine the underlying failures in security that had resulted in the criminal breach of the information. These challenges are made more difficult by the underlying nature of cloud architecture, which necessitates a level of flexibility regarding the locale and the accessibility of the information itself. The difficulty in developing strategies in relation to the location of potential risks due to the geographic and spatial distribution of storage devices lies in the challenge faced when having to account for the various forms of authority that might have a stake in the investigation as well as the underlying issues that occur out of the need to transfer or move information from one facility to another. This presents issues regarding not only the legitimacy and accuracy of data, but also in the ability to track the time period in which the data was implemented. In providing solutions to these challenges, those developing policies regarding the criminal liability of specific actions should, furthermore, be provided the underlying authority to implement investigations that can lead to the application of the legal structures to the problem. This is, however, made more difficult by the dissolution of boundaries regarding where the information is stored. This can present challenges in how the investigations are carried out due to questions of jurisdiction and ownership. For this reason, the implementation of policies that provide more concrete structures for the methods involved in cloud storage investigations should be prioritized.
Casey, E. (2011). Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet. Academic Press. 840.
Delport, W., Olivier, M.S., Kohn, M. (2005). Isolating a Cloud Instance for a Digital Forensic Investigation. University of Pretoria. 7.
Dykstra, J. (2013). Seizing Electronic Evidence from Cloud Computing Environments. IGI Global. 156-185.
Grispos, G., Storer, T., and Glisson, W.B. (2012). Calm Before the Storm: The Challenges of Cloud Computing in Digital Forensics. International Journal of Digital Crime and Forensics. Volume 4, Issue 2, 28-48.
Nelson, B., Phillips, A., Steuart, C. (2015). Guide to Computer Forensics and Investigations. Cengage. 752.
“NIST Cloud Computing Forensic Science Challenges”. (2014). NIST. 51.
Reilly, D. (2011). Cloud Computing: Pros and Cons for Computer Forensic Investigations. International Journal Multimedia and Image Processing (IJMIP), Volume 1, Issue 1, 26-34.
“Recommendations for Implementation of Cloud Computing Solutions”. (2012). Federal Bureau of Investigation. 69.