Brought to you by Magnet Forensics
How police can obtain evidence from the cloud
Investigators face significant hurdles when extracting private cloud data
Cloud computing offers massive storage and processing capabilities to everyday users, and that includes everyday criminals.
You may not appreciate the threat these resources pose to public safety and law enforcement, or how challenging it can be to overcome that threat. The National Institute of Standards and Technology (NIST), an agency of the U.S. Dept. of Commerce, has released a draft report, which is available in full at the end of this article, on the challenges cloud computing offers to forensic science. The report identifies 65 specific problems that investigators already encounter, or will face in the future.
Everybody handles cybercrime
Your first reaction might be, “I don’t handle computer crimes,” but you probably do.
Nearly every bad guy you run into has a smartphone and/or a personal computer, and he uses it for his everyday activities. His contacts (accomplices), calendar (past and future crimes), and personal photos (evidence), among other data, are accessed on those devices.
There is an excellent chance that at least some of that information does not reside solely on that device. Cloud services like iCloud, Google, Microsoft OneDrive, Dropbox, and Amazon back up user files for safeguarding and synchronization between devices.
A skilled offender might keep all his critical (read: incriminating) data in the cloud, so that no devices that can be tied directly to him are tainted.
Conventional investigative methods don’t work
Historically when a data storage device was seized for investigation, the analyst would first “clone” the data on the device onto an empty drive, then disconnect and isolate the original device for safekeeping.
When the data resides in the cloud, you'll never have possession of the original. The data can physically reside anywhere in the world, likely spread over multiple drives. It will be commingled with that of other users, and the host service will never surrender that physical drive.
If the investigator is successful in obtaining a copy of the suspect's data files (often a tall order in itself), it will be difficult to compare timestamps and determine whether the suspect or another user made any changes. There is no universal timestamp convention: some machines write their logs in local time, while others use a standard reference such as Greenwich Mean Time (GMT).
If the suspect’s login information was available to another party, they could alter or even delete data before law enforcement could act to preserve it. Log files, useful in tracing past activity, may reside in multiple locations and in multiple formats, making it difficult to compare copies.
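The timestamp and log-format mismatch described above is a practical problem an analyst has to solve before two copies of a log can be compared at all. The following is an added example, not code from the article or from NIST, that normalizes lines from three differently-configured sources to UTC, merges them into one timeline, and flags events that appear identically in more than one copy. The log lines, source names and the assumed zone for the zone-less source are all constructed for the example.

```python
"""Normalize log timestamps written in different zones and formats to UTC so
that copies of the same activity can be lined up and compared.

Added example; the sample lines, source names and assumed time zone below are
constructed for illustration and are not real evidence."""
from datetime import datetime, timezone, timedelta
import re

# Constructed sample lines. Source A writes local time with an explicit offset,
# source B writes UTC with a trailing 'Z', and source C writes a bare local
# time with no zone information at all.
SOURCE_A = [
    "2013-09-12 14:05:22 -0700 user=alice action=modify file=ledger.xlsx",
    "2013-09-12 14:06:01 -0700 user=alice action=delete file=notes.txt",
]
SOURCE_B = [
    "2013-09-12T21:05:22Z user=alice action=modify file=ledger.xlsx",
    "2013-09-12T21:05:40Z user=bob action=read file=ledger.xlsx",
]
SOURCE_C = [
    "12/09/2013 23:05:22 user=alice action=modify file=ledger.xlsx",
]

# (regex capturing the timestamp text and the rest of the line,
#  strptime format, zone implied by the format or None if the line has none)
_FORMATS = [
    (re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) (.*)$"),
     "%Y-%m-%d %H:%M:%S %z", None),          # offset is in the string itself
    (re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (.*)$"),
     "%Y-%m-%dT%H:%M:%S", timezone.utc),     # trailing Z means UTC
    (re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (.*)$"),
     "%d/%m/%Y %H:%M:%S", None),             # no zone: caller must supply one
]


def parse_line(line, assumed_tz=None):
    """Return (UTC datetime, event text) for one log line.

    assumed_tz is applied only to lines that carry no zone of their own; it is
    an analyst assumption and should be recorded alongside the result."""
    for pattern, fmt, implied_tz in _FORMATS:
        match = pattern.match(line)
        if not match:
            continue
        stamp = datetime.strptime(match.group(1), fmt)
        if stamp.tzinfo is None:
            zone = implied_tz if implied_tz is not None else assumed_tz
            if zone is None:
                raise ValueError(f"no zone information for line and no assumed zone: {line!r}")
            stamp = stamp.replace(tzinfo=zone)
        return stamp.astimezone(timezone.utc), match.group(2)
    raise ValueError(f"unrecognised timestamp format: {line!r}")


def build_timeline(sources):
    """sources maps a source name to (lines, assumed_tz). Returns a list of
    (UTC ISO timestamp, source, event) tuples sorted by time, then source."""
    events = []
    for name, (lines, assumed_tz) in sources.items():
        for line in lines:
            when, event = parse_line(line, assumed_tz)
            events.append((when.isoformat(), name, event))
    events.sort()
    return events


def find_corroborated(timeline):
    """Map (timestamp, event) to the set of sources that recorded it, keeping
    only entries seen in more than one source (i.e. copies that agree)."""
    seen = {}
    for when, source, event in timeline:
        seen.setdefault((when, event), set()).add(source)
    return {key: sources for key, sources in seen.items() if len(sources) > 1}


if __name__ == "__main__":
    sources = {
        "A": (SOURCE_A, None),
        "B": (SOURCE_B, None),
        "C": (SOURCE_C, timezone(timedelta(hours=2))),  # assumed zone for C
    }
    for when, name, event in build_timeline(sources):
        print(when, name, event)
    for (when, event), names in find_corroborated(build_timeline(sources)).items():
        print("corroborated by", sorted(names), ":", when, event)
```

The zone assigned to a zone-less source is itself a finding that needs support (a device's configured time zone, or correlation against a source with a known reference), and a daylight-saving change or a clock that was simply wrong will shift every event from that source by the same amount; checking that the corroborated events line up across sources is the quickest way to catch such an offset.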
Single points of failure
Cloud services vary in their redundancy. An outage at one facility has been known to deny service or result in data loss for multiple users.
It is difficult for the investigator to determine if a cloud service suffered a legitimate system failure, or whether they are simply being evasive about responding to a subpoena. The cloud services are far more concerned with their business reputation for reliability than with a criminal investigation.
The facilities that house this data are typically massive server farms. These are climate-controlled enclosures with row after row of running computers, typically located near power generation facilities like hydroelectric dams. In a disaster situation, the provider wants as little infrastructure as possible between the facility and the electrical power that runs it.
The suspect who is using multiple cloud services is not hampered by a single point of failure. A criminal might store data on Dropbox, use Amazon for large-scale computing tasks, and communicate through Gmail.
Use of multiple services also makes it easier for the offender to cover their tracks. The code that launches an attack on another system may be distributed over several providers, denying the investigator the digital smoking gun.
Some system attacks are detectable only in real time by electronic watchdog sensors placed in advance by investigators. When the code that launches the attack is distributed across multiple systems, the investigator doesn't know where to place the trap.
The various cloud service providers regard their system design and architecture to be proprietary, and will not divulge the necessary information willingly. To aggravate the problem, these designs are under revision constantly, so the method that works today might not work tomorrow. It’s like planning a trip through multiple cities you’ve never seen, without a map, and knowing that all of the streets are always under construction, anyway.
Disappearing virtual machines
A virtual machine is a computer system created within another system, digitally isolated from the host. They are often used to test potentially buggy software or run dissimilar operating systems like Windows and Linux. Cloud computing services can create virtual machines for users that run malicious code, used for criminal enterprises like password cracking or secure system penetration. When the task is done, the virtual machine is dissolved, leaving little trace behind.
NIST recognizes there is little research on recovering the activities of virtual machines, making these an attractive mechanism for malefactors. Couple this with the problem of the virtual machine being distributed across multiple systems, or an array of virtual machines united in an attack on a victim computer, and the forensic task of tracing this activity is even more complex.
A related problem lies within the practice of allocating storage dynamically. A user might accumulate a very large data set, like a batch of credit card numbers collected from multiple victim systems, but need it for only a short time. Once the data is analyzed to identify duplicates and high-credit limit accounts, the excess data is discarded.
Using a personal computer for such a task would require having storage sufficient for the data set, and traces of the data might be left behind and be recoverable. Cloud service providers don't reserve the space used for that data set after the data is gone. They immediately re-allocate that storage for use by another user, overwriting the evidence and making it unrecoverable. Unwittingly, the cloud service helps the criminal dispose of the evidence.
Not law enforcement-friendly
Most cloud services maintain offices and personnel that are dedicated to responding to subpoenas and other requests for assistance from law enforcement. These functions are necessary evils from the perspective of the business, as they are a drain on profit.
If a service acquires a reputation for being quick to respond to police requests, the same reputation negatively impacts their image with some users who don’t want the police involved with their online activities.
Just identifying the point of contact for these offices is often problematic. Help desk personnel often either don't know the contact information or are told not to provide it to users, because the same offices also receive demands from parents, significant others, and other non-police persons to surrender information. The email addresses and phone numbers for these offices often come from investigators at other agencies who share the information informally.
The NIST report is long and highly detailed, at 51 pages and over 16,000 words. This article only touches on some of its findings and detail. The upshot is that the ongoing and expanded use of cloud services will continue to be a challenge for investigators.