Extracting Legally Defensible Evidence from the Cloud

Cellebrite: delivering mobile expertise. White Paper. Extracting Legally Defensible Evidence from the Cloud: Explaining UFED Cloud Analyzer Extraction and Analysis Processes.

With data privacy a major topic of discussion among consumers and service providers in most countries, investigators need to be able to certify that the processes they used to collect cloud-based evidence are legally defensible and forensically sound. The current process relies on a chain of legal paperwork, including preservation orders, subpoenas and/or search warrants, to secure evidence directly from cloud service providers. However, as the National Institute of Standards and Technology noted in its 2014 "NIST Cloud Computing Forensic Science Challenges" draft report,[1] this is limited for many different reasons. NIST identified thirteen major factors that challenge the identification, collection and preservation of cloud-based media.[2] While some of these issues, such as understanding cloud topology, policies and storage systems, are beyond its scope, Cellebrite developed UFED Cloud Analyzer to help investigators identify the right accounts, forensically preserve private media within the account, and reduce problems associated with media volume. As NIST notes in its report, "The cloud exacerbates many technological, organizational and legal challenges already faced by digital forensics examiners." This paper discusses UFED Cloud Analyzer in the context o
[Screenshot: UFED Cloud Analyzer view of a Facebook activity log post from the test account "Cloudio Brite" (18/05/2015), with an "Include in report" option.]

UFED Cloud Analyzer reduces the risk of missing content and its context and meaning by allowing investigators to view and capture it in that context, and also, in conjunction with UFED Link Analysis, to put it in the context of other data available from a suspect's mobile device(s) or operator's call detail records. This way, investigators gain further insight into how evidence correlates among devices and services.

[38] Annex B, Item 11. [39] Annex B, Item 37.

The ability to normalize and correlate data can show gaps in a timeline that warrant further investigation, whether evidence appears in a victim's account but not a suspect's, or witness statements indicate that evidence should exist in a given device or cloud account. In addition, the normalized dataset offered by UFED Cloud Analyzer, with or without UFED Link Analysis, enhances collaboration by providing an easily visualized dataset, enabling communication about the data and persons of interest. While this doesn't solve all the concerns with international collabor
always have the option of asking service providers to send records and testify about their authenticity. In a similar vein, unless they are engaged in certain types of investigation, most investigators do not need to identify storage media or understand the cloud environment, and UFED Cloud Analyzer is not designed for these purposes. Nor is it designed to help cloud providers proactively address business issues, such as ensuring that customers' illicit activities don't impinge on legitimate uses. Finally, real-time investigation intelligence processes are currently not possible with UFED Cloud Analyzer, which does not set sensors in the real-time environment as NIST suggests. UFED Cloud Analyzer does collect snapshots of evidence as it exists at any given point in time, but it is not possible for another user to log in simultaneously while an extraction is taking place, nor could UFED Cloud Analyzer record streaming media such as a live video.

[53] Annex B, Item 8. [54] Annex B, Item 22. [55] Annex B, Item 30. [56] Annex B, Items 13, 12. [57] Annex B, Item 49. [58] Annex B, Item 50. [60] Annex B, Items 30, 25. [61] Annex B, Item 32. [62] Annex B, Item 35. [63] Annex B, Item 57. [64] Annex B, Item 14.

In spite of the many ongoing and evolving challenges associated with cloud forensic extraction and analysis, UFED Cloud Analyzer offers a unique solution to investigators who are frustrated with cloud service providers' ch
credentials obtained from a user's mobile device means that there is no need to segregate forensic data.[24]

Evidentiary issues: preservation, authentication & validation

The ability to validate, repeat and reproduce a process is foundational to any forensic science, and the primary criterion courts use to determine evidence admissibility. Digital forensics is an evolving discipline, and as NIST pointed out, cloud forensics testability, validation and scientific principles have not been widely addressed. Adding to this, the cloud system is volatile and likely to change following collection. "Therefore, it is impossible for a third party to verify after acquisition that the data collected is correct because the data is no longer the same as at the time of acquisition," NIST's report notes.

[21] Annex B, Item 4. [22] Annex B, Item 20. [23] Annex B, Item 48. [24] Annex B, Item 21. [25] Annex B, Item 62. [26] Annex B, Item 34.

Shipley and Bowker (2014), quoting Merritt (2012), note that not only must online communication be authenticated as to its proponent's claim that it is evidence, the result of investigative efforts must also accurately preserve the original message, including associated metadata. Their assertion: "A hash value must be calculated either during the actual collection of the data or as soon as possible after the data is saved electronically."[28] This is also importan
evidence hijacking and investigator access, the same process used to authenticate cloud-based evidence, comparing it to mobile device evidence, can identify anomalous activity. In other words, content that doesn't read or sound like the device or account user, or that was created during a timeline when the device/account user could not have created it, can indicate unauthorized access.

[Sidebar, continued from "Dealing with fictitious cloud accounts":] becomes more complicated when the user's identity is fictitious. A criminal can trivially obtain credit card numbers and [illegible] media websites to make his [illegible] to have a corresponding equivalent in the real world, NIST [illegible]. A forensic investigator is then faced with the daunting challenge of obtaining data on the criminal identity from multiple online entities, many of which are geographically spread around the world.

Once an investigator has identified evidence, imaging the cloud is, in NIST's word, "impractical," even though it's recommended because of the difficulty providers have in responding to subpoenas.[4] "High volumes of evidence and location issues make it difficult to image an entire cloud server. Furthermore, data may be scattered on several servers, mixed among data pieces belonging to other accounts. This makes the computer forensics concept of imaging a hard drive impractical and probably not applicable for the realm of cloud-stored dat
learn more, visit www.cellebrite.com. For more information, contact sales. © 2015 Cellebrite Mobile Synchronization LTD. All rights reserved.
[Screenshot: UFED Cloud Analyzer timeline for a Google data source, 27/05/2015, with filters for time ranges, content categories and types, parties and properties, and an "Include in report" option.]

That's because UFED Cloud Analyzer relies upon the service provider's API to extract data. If the API allows, an investigator can access deleted or archived data. However, along with identifying data via hash value, the use of account credentials means that UFED Cloud Analyzer does allow data, deleted or live, to be attributed to a specific user. Cellebrite continues to add support for data available with the API method as UFED Cloud Analyzer evolves.

[19] Annex B, Items 2, 1. [20] Annex B, Item 33.

API use also reduces the risk associated with the need to reconstruct virtual images or storage, because provider records obtained with a search warrant can validate API-based evidentiary collections. No additional validation of reconstruction algorithms is required. Finally, API use removes the need to confiscate or seize entire cloud resources to acquire evidence. Because cloud resources often have multiple tenants, API use reduces risks to tenants other than the one(s) under investigation.[23] By the same token, use of
Cloud Analyzer currently cannot align local time to a specific time zone as UFED Physical Analyzer can, use of the API means that most time and date stamps from cloud posts already contain UTC. It also means that provider records will show the same times and dates, and thus validate API-based extractions.

Remaining cloud forensics challenges

To be sure, some challenges remain and will require ongoing discussion. These include:

- Determining the source of an unauthorized change to a user's cloud computing environment.
- Geolocation unknowns and resulting jurisdictional issues that can affect the chain of custody. It's likely that NIST was referring to the number of unknown people who might be involved with preserving and collecting data located on physical hard drives in various locations, so whether this detail is important has yet to be determined, especially in the courts.
- Lack of transparency in the cloud's operational details, provider API use notwithstanding.[46]
- Identifying criminal organizations' cells, which can operate independently and with no way to associate them because of the distributed nature of cloud computing.
- The lack of access to proprietary details of cloud-based software applications used to produce records. For example, in a particular criminal case involving email through cloud providers, NIST noted, the details of how drafts are
a. As NIST states, however, "Partial imaging may have legal implication in the presentation to the court."

[Sidebar, continued:] However, even in cases where the suspect has used a burner phone to further conceal their identity, commonalities will likely exist between device(s) and cloud account(s), such that investigators will be able to tie devices and accounts to an actual person.

[10] Annex B, Item 59. [11] Annex B, Item 60. [12] Annex B, Item 61. [13] Annex B, Item 38. [14] Annex B, Item 48.

[Screenshot: UFED Cloud Analyzer "New extraction" dialog (data sources, credential validation, import account package) listing data sources by type: Dropbox (storage service), Google Drive (storage service), Google Location (location service), Facebook (social network), Twitter (microblogging), Gmail (email service) and KIK (messaging), each with an "Enter Credentials" field. "To continue, select the required data sources to be extracted."]

UFED Cloud Analyzer's account-based approach reduces these risks by focusing on a specific user's data, no matter where it's stored. This selective data acquisition, NIST acknowledges, is a challenge because "prior knowledge about relevant data sources is often difficult to obtain in a cloud environment."[5] With that prior knowledge coming from the account holder's mobile device, an investigator c
an reduce the scope of search. That's because UFED Cloud Analyzer relies upon not only user credentials but also existing artifacts extracted and decoded from the user's mobile device. These help to narrow the field of cloud data, including a relevant time/date range and the specific cloud services involved. By focusing on user accounts and credentials, investigators needn't worry that an unrelated party's data bled over into their suspect's or victim's data, or that key evidence might be found in an unrelated account, and can be assured that the evidence maintains its integrity.

User data stored in the cloud can be encrypted, and encryption is gaining ground among major cloud service providers. Whether providers hold encryption keys as part of their service or follow Apple's and Google's lead by making keys local to users alone, UFED Cloud Analyzer's reliance on user credentials eliminates the loss of ability to decrypt data.

[15] Annex B, Item 39. [16] Vijayan, Jaikumar. "Cloud computing 2014: Moving to a zero-trust security model." ComputerWorld, December 6, 2013. http://www.computerworld.com/article/2487123/data-privacy/cloud-computing-2014-moving-to-a-zero-trust-security-model.html, accessed March 2015. [17] Annex B, Item 40.

Solving forensic cloud storage problems: provider APIs

Headlining Annex B of NIST's report is deleted cloud data. Attributing deleted d
anging policies and creeping pace. Its account-based approach reduces many of the logistical and privacy challenges of cloud forensics, while its reliance upon provider APIs and hashing allows for the necessary authentication and validation of its processes. Finally, its integration with other UFED products empowers investigators to find the data they need when they need it, to collaborate with investigators outside their own agencies, and to build defensible cases more efficiently.

Cellebrite: Delivering Mobile Expertise

Founded in 1999, Cellebrite is a global company known for its technological breakthroughs in the cellular industry, with dedicated operations in the United States, Germany, Singapore and Brazil. A world leader and authority in mobile data technology, Cellebrite established its mobile forensics division in 2007, introducing a new line of products targeted to the law enforcement sector. Using advanced extraction methods and analysis techniques, Cellebrite's Universal Forensic Extraction Device (UFED) is able to extract and analyze data from thousands of mobile devices, including feature phones, smartphones and GPS devices. Cellebrite's UFED is the tool of choice for thousands of forensic specialists in law enforcement, military, intelligence, security, government and private sector organizations in more than 100 countries. Cellebrite is a wholly owned subsidiary of the Sun Corporation, a listed Japanese company (6736). To
ata to a specific user, and Recovering overwritten data, as well as dynamic storage, speak to the need for investigators to serve a provider with a preservation order. Preservation orders mitigate some of the risks of evidence being deleted before an investigator has a chance to secure it. Even when data has been deleted, a preservation order increases the likelihood that the evidence will be extracted rather than overwritten when the nodes pointing to it are deleted.

[Screenshot: UFED Cloud Analyzer Files view (671 files) for the test account "Cloudio Brite", with tabs for Extractions summary, Timeline, Files, Contacts and Map, filters, and the data sources Google Drive, Facebook and Gmail, sorted by post time.]
ation, including the need for timely enough responses, it's an improvement. Finally, NIST's report noted that a lack of interoperability between cloud providers, including a lack of insight or control over providers' proprietary architecture, challenges investigators when they try to correlate activity across platforms. While identifying the similarities and differences in architectures for validation purposes is beyond UFED Cloud Analyzer's scope, the software does seek to provide some consistency by normalizing the data from disparate providers, including log and data source formats.

[40] Annex B, Item 55. [41] Annex B, Item 9. [42] Annex B, Item 3. [43] Annex B, Item 5.

CONSTRUCTING TIMELINES, LOGS AND METADATA

"Timestamp synchronization across physical machines potentially located in different geographies presents a challenge in that timestamps can end up being inconsistent. Therefore, it becomes more difficult for investigators to construct a timeline of events around a crime or other illicit activity." UFED Cloud Analyzer handles dates and times in a similar manner as UFED Physical Analyzer, presenting both local time and Coordinated Universal Time (UTC). The time presented in Cloud Analyzer, including format and time zone, comes from the cloud data provider via API [illegible] to the user. However, UFED Cloud Analyzer normalizes all dates and times into a single chronological order. Although UFED
bile device will enable an investigator to build a case. Data from multiple accounts contextualizes a suspect's or victim's activities and shows an investigator's due diligence in building a case.

[Screenshot: UFED Cloud Analyzer Events view (94 events, March to May 2015) for the test account "Cloudio Brite", with filters for data sources (Dropbox, Google Drive, Google Location History, Facebook, Twitter), time ranges, content categories and types, parties and event properties.]
e exported from UFED Physical Analyzer following a file system or physical extraction of a smartphone's memory.[5] Alternatively, investigators can manually enter usernames and passwords provided by users with documented consent. Then UFED Cloud Analyzer uses the provider's application programming interface (API) to collect snapshots of private cloud-based evidence.[6]

UFED Cloud Analyzer users should adhere to best practices around forensic cloud extraction:

- Serve the provider with a preservation order and, if necessary, a nondisclosure order for the account(s) in question.[7]
- Obtain the level of legal authority to search that is appropriate for the examiner's country and jurisdiction.
- Extract cloud-based evidence to a storage medium specifically designed and prepared for that purpose: a flash drive, an external hard drive, a location on an internal forensic network, or an internal drive or partition within the forensic computer.

[5] Assuming that the account credential data is unencrypted or can be decrypted. [6] This is comparable to a logical mobile device extraction undertaken with UFED Touch or UFED 4PC. [7] In the United States, a preservation order is defined under 18 U.S. Code § 2703(f), also known as the Stored Communications Act.

Solving cloud extraction problems with an account-based approach

Identifying evidence in the cloud is a challenge because of data volume. Too much, and a
f NIST's report, specifically the items outlined in Annex B.[3]

[1] National Institute of Standards and Technology, "NIST Cloud Computing Forensic Science Challenges," June 2014. http://csrc.nist.gov/publications/drafts/nistir-8006/draft_nistir_8006.pdf, accessed March 2015. [2] Outlined in Items 47, 42 in Annex B of the report. [3] Not every data point listed in Annex B of NIST's paper is relevant. These are noted in a sidebar.

Executive Summary

Among the dozens of issues NIST identified were forensic issues around cloud storage, user privacy and logistical concerns. While many of these are grounded in traditional computer forensics concepts and may or may not be applicable to cloud investigations, some foundational forensic principles (validation, authentication, repeatability) are universal to any forensic data collection and analysis. UFED Cloud Analyzer's extraction approach begins with user data, including credentials, found on a subject mobile device and extracted with the proper legal authority. This account-based approach selectively acquires data associated only with a specific user, using data artifacts found on the subject device to narrow the scope of a search to certain date/time frames and content types. This approach effectively preserves the privacy of other tenants collocated on the same server and minimizes issues with evidence being scattered around different storage locations. UFED Cloud Analyzer also promotes fore
nsic best practices around validation and authentication by relying on provider APIs to perform extractions. A Cloud Analyzer extraction hashes each individual artifact and, separately, its associated metadata. Not only does this ensure repeatability, it also allows for proper validation using records obtained directly from the service provider. Finally, UFED Cloud Analyzer normalizes and correlates evidence from multiple accounts and disparate data formats, reducing the risk of missing content and context through the use of timelines and visual tools. In short, UFED Cloud Analyzer helps to mitigate the risks associated with slower-than-desired responses to legal process,[4] whether this is due to demand on service providers, provider reluctance to comply with government requests for private information, or providers residing in jurisdictions that are not part of the MLAT treaty. While it may not negate the need for records requests from providers, it does enable law enforcement to validate what providers offer via the use of hashing and data identifiers, and, on the flip side, for provider data to validate its own extractions.

[4] Annex B, Item 51.

UFED Cloud Analyzer Basics

UFED Cloud Analyzer is extraction and analysis software that can be installed on any Windows-based PC platform. It is designed to import a file that contains account credentials from popular cloud services. This account package can b
[Screenshot: UFED Physical Analyzer extraction summary for a Samsung SCH-R970 Galaxy S4 (Android 4.2.2, file system extraction over cable, not encrypted, rooted), listing device properties and counts of recovered items such as passwords, user accounts, web bookmarks, web history and SMS messages, with an option to open the project in UFED Link Analysis.]

[8] Annex B, Item 32. [9] Annex B, Item 58.

It's difficult for investigators to identify unauthorized third-party data access, whether by persons in a suspect's or victim's life or strangers. Although UFED Cloud Analyzer cannot differentiate between account

DEALING WITH FICTITIOUS CLOUD ACCOUNTS

[illegible] and authenticating
rimes: An Introduction to Solving Crimes in Cyberspace. Syngress, p. 78. [28] Shipley & Bowker, p. 81. [29] Annex B, Item 7. [30] Further information about this process is described in the UFED Cloud Analyzer user guide. [31] Annex B, Item 65.

It should be possible to validate UFED Cloud Analyzer results by downloading content, for example a photo, from a service provider, hashing it, then comparing the manual hash with the software-generated hash. Investigators can also approach the service provider to ask for any given data identifier, then hash it to compare with the hash created at the time of extraction.

[32] Annex B, Item 52.

LEGAL ISSUES WITH CLOUD FORENSICS

UFED Cloud Analyzer can help to mitigate some, but not all, issues associated with legal risks. One of the major challenges: "limitations in international collaboration and cross-nation legislative mechanisms."[2] Existing legal processes such as the MLAT were built with physical evidence in mind. They are lengthy and complex; therefore, they are not suitable for the digital era, where the dynamic nature and fast pace of data, and (at least by some opinion) the less deterministic nature of cloud-based data's physical location, require speedy process responses. This is at least partially solved by UFED Cloud Analyzer's flexibility in allowing investigators in each nation to apply relevant laws. For example, investigator
s in countries that legally view the mobile device as a portal to cloud data need not apply for a new search warrant, while investigators in countries that view device and cloud as separate storage entities require a warrant for each entity.[33] Privacy, of course, continues to be a critical conversational element.[34] Again, UFED Cloud Analyzer seeks to reduce risks to personal, business and government information by limiting investigative searches only to certain timeframes and certain types of data, which ideally should match the content and timeframes specified on the search warrant. The software also logs each user and extraction performed. Finally, investigators concerned about the limitations of their investigative power should work with appropriate counsel to determine the extent of those limitations and how they might affect an investigation, including the use of UFED Cloud Analyzer.

[33] The question of whether an investigator can apply for a domestic search warrant to search the account(s) of a citizen within their own borders, even if the account is with a cloud service provider located in a foreign country, with the potential for data to be stored on a server physically located in a third country, has yet to be determined in a court of law. [34] Annex B, Item 56. [35] Annex B, Item 46.

Normalizing and correlating evidence from multiple accounts

NIST's report notes, "Faults occur either inten
search might be overbroad; too little, and investigators could miss important data. Evidence extraction using UFED Cloud Analyzer starts with existing artifacts extracted and decoded from the user's mobile device. This helps to identify likely sources of evidence, reducing the chance of missing either inculpatory or exculpatory data. Timeline and data type particulars, which should be specified in a search warrant or other legal authority to search, prevent overbroad searches. Assuming the investigator has the mobile device or can quickly identify a suspect, the mobile device can help confirm a suspect's true identity and account ownership.[2] In other words, using a suspect's mobile device to obtain login credentials means that investigators are in a better position to authenticate the evidence.

[Screenshot: UFED Physical Analyzer 4.2.2.25 extraction summary for a Samsung CDMA SCH-R970 Galaxy S4 (Android), showing extraction start and end times on 10/05/2015 and unit version 4.2.0.15.]
t when considering using metadata as an authentication method.[2] UFED Cloud Analyzer's use of suspect credentials does not change metadata to the extent that it would present problems in either civil or criminal trials. While credential verification may generate a signature within the cloud provider (e.g., creating a log on the server side, for example within the Facebook activity log), it also creates two separate hashes for each piece of data it collects.[30] Each artifact (tweet, private message, image, etc.), together with its associated metadata, receives its own separate hash. Files such as images and documents are hashed separately from the posts to which they are connected.

NIST specifically calls out training as an important element of proper cloud forensics. Investigators need training not just on cloud forensics policy and procedure, but also on the foundations of cloud computing technology. "Most digital forensic training materials are outdated and are not applicable in cloud environments. The lack of knowledge about cloud technology may interfere with remote investigations where systems are not physically accessible and there is an absence of proper tools to effectively investigate the cloud computing environment," the report notes. UFED Cloud Analyzer training is and will be available in the form of webinars, a user manual and instructor-led training courses.

[27] Shipley, Todd and Bowker, Art. Investigating Internet C
tionally or accidentally and consist of missed content, contextual information, meaning of content, process elements, relationships, ordering, timing, location, corroborating content, consistencies and inconsistencies in multiple computers in multiple locations under control of multiple parties."[26] Along with multiple points of failure is the risk of a single point of failure, for instance service outages. UFED Cloud Analyzer reduces the risk posed by single points of failure because, even if a platform is experiencing an outage at the time of collection, the examiner can always go back once the problem is resolved. Internal processes, such as notifications to the user when such an issue occurs and retry attempts, are built into the software. When the software identifies that the connection with the service is down, the extraction automatically stops. At this point extractions cannot be resumed, and the user has to start the extraction process over for that particular data source.

[36] Annex B, Item 42. [37] Annex B, Item 10.

Moreover, NIST states, "For all investigators, collection and analysis of data from distributed and disparate sources is challenging because perpetrators can use services from different providers."[38] Indeed, it isn't often that data from just a single social media, filesharing or location-based data account, or mo
turned into deliverable messages were unavailable, leading to the inability to prove whether or not a draft was ever sent and, more obviously, whether it was ever transmitted or received.[48]
- Limited custodian and record keeper knowledge of what logs and records might constitute evidence.
- International cloud services, and how law enforcement can ensure it is obtaining legal access to data, in a way that is not currently clear.
- Lack of standard digital forensic processes and models, including standard procedures and best practices for investigations in the cloud.
- Not knowing where data is stored or who has access to it makes it more difficult to assess whether evidence was leaked or contaminated, and thus whether investigators maintained chain of custody.[52] The credential-based extraction process is a start but not a panacea. Although UFED Cloud Analyzer prevents other logins while an investigator is using the software, this doesn't control for account activity before or after investigative login.

[44] Annex B, Item 16. [45] Annex B, Item 17. [46] Annex B, Item 18. [47] Annex B, Item 19. [48] Annex B, Item 36. [49] Annex B, Item 64. [50] Annex B, Items 53, 54. [51] Annex B, Item 63. [52] Annex B, Items 23, 24.

ISSUES OUTSIDE UFED CLOUD ANALYZER'S SCOPE

UFED Cloud Analyzer's account-based approach renders many issues moot, but others are entirely outside its technological scope. Timeline anal
ysis of logs for Dynamic Host Configuration Protocol (DHCP) address assignments and other related data is not possible, for example, because logs are typically not part of the provider's API. The protection of system boundaries is difficult to define and remains an architectural challenge; likewise the collection of data associated with removed virtual machine (VM) instances. UFED Cloud Analyzer is not designed to detect malicious acts or the use of cloud systems as low-cost command-and-control centers, such as botnets. Port scanning and Transmission Control Protocol/Internet Protocol (TCP/IP) network traffic dumping are also beyond UFED Cloud Analyzer's scope. UFED Cloud Analyzer is not designed to help isolate an entire virtual machine. Further, because UFED Cloud Analyzer does not act as a VM, there is no risk that malicious software will prevent the isolation and imaging of cloud data. In some cases, such as the investigation of a large-scale data breach, the physical location of data may become important. The decreased access and data control, a cloud network's chain of dependencies among cloud providers, and constantly moving data among multiple locations and geographies, including virtual machines, can all affect the evidence available to investigators. Most civil and criminal inquiries, however, rely on the content of evidence rather than its location. UFED Cloud Analyzer users who require deeper insights into data locations
