June 30, 2013
Abstract
As information technology continues
to evolve, a growing number of software and hardware devices now have the
ability to store digital evidence. From
personal computers and smart phones to virtual machines and cloud computing,
these technologies are becoming commonplace for individuals and organizations
alike. Just as these tools are
ubiquitous in the modern era, they have also become invaluable sources of
evidence for digital investigators. With
any innovative technology though, come new challenges for forensic
examiners. The following paper presents
four sources of digital information (RAM, smart phones, cloud computing and
virtual machines) and outlines their usefulness to investigators in obtaining
forensic evidence from network intrusion, malware installation, and insider-based
attacks.
Introduction
Digital
media and the devices that use them have become increasingly commonplace in the
modern world. From transportation and
banking to personal smart phones and laptops, virtually every sector in the
developed world has integrated some aspect of information technology. For the legal system, these tools provide an
effective means of reconstructing past events and, accordingly, have led to an
increase in their inclusion as evidence in court proceedings. This in turn has led to a rise in the demand
for digital forensic analysis. As
computing advances, the techniques and methodologies to collect evidence from
these devices must also evolve.
RAM
Arguably, the
development of information technology has had one of the biggest impacts in the
modern era. From personal computers to
automobiles and TVs, an increasing number of devices rely on this functionality
in one form or another. While comprised
of a myriad of technologies, a critical component for any modern computer
system is random access memory (RAM).
RAM speeds up data retrieval by allowing direct access to information,
versus the more traditional process used for hard drives, CDs, and DVDs. Unlike persistent storage however, RAM is
considered volatile storage. Any
information written to this media will be lost once power is disconnected. This feature presents a number of challenges
for forensic investigators.
Collecting RAM from a
system involves a “live acquisition” of the data. This process is contrary to the approach digital
investigators historically practice. The
traditional approach to digital media collection is a static method which
involves first powering down the system.
Once disconnected from electricity, the analyst then makes a
forensically sound image of the storage media (Hay & Nance, 2009). Once powered down though, any information
stored in RAM is lost. Types of data
that can be collected from this area include currently running processes and
files located in temporary storage.
Acquiring this information gives a more complete picture of the computer
and its users. This provides an accurate
depiction of an information system’s active state by enabling the collection of
“information not likely written to disk, such as open ports, active network
connections, running programs, temporary data, user interaction, encryption
keys, decrypted content, data pages pinned to RAM, and memory resident malware”
(Hay & Nance, 2009, p. 31). The
other major challenge to investigators when collecting volatile media is the repeatability
of the process. Data presented as legal
evidence must be collected using forensically sound practices. As defined by the Daubert principle, this
means that a forensic process should have the capability to be replicated
(Welch, 2006). This allows for an
independent analysis of collected evidence by third parties. With the live acquisition of evidence from
RAM however, any action the investigator takes changes the state of the
computer system and therefore cannot be repeated (Hay & Nance, 2009). So although this process provides a more
complete picture of a system’s history, it may not always be admissible in
court without additional corroborating evidence.
As it pertains to
identifying network intrusions, malware installation and file deletion by
insiders, collecting volatile data such as RAM is crucial to investigators in
all three areas. During a static
collection, an investigator traditionally shuts down the system either through
the OS-provided shutdown process or by disconnecting the power directly from
the system. This has the potential to
destroy relevant evidence that is stored in data logs, temporary files or
cached data. Additionally, paranoid or
clever suspects may enable scripted cleanup or wiping applications to run
during a shutdown process. In either
instance, valuable digital evidence may be lost to investigators if a live
acquisition of RAM is not utilized.
Acquiring active media images prior to a shutdown has the potential to
identify malware installation and network intrusions. Collecting an “attacker’s post-compromise
interaction with the system” requires capturing a complete picture of a system
to include volatile data (Hay & Nance, 2009, p. 31). Identifying the user’s interaction with the
target system has the potential to recreate the steps taken by a hacker
penetrating a system. Similarly,
collecting the temporary data written to RAM gives forensic analysts important
clues to what types of data were accessed by trusted insiders as well as files
that may have been altered or deleted.
Virtual Machines
Like many technologies,
the concept of virtualization has revolutionized the information technology
field. First appearing in the 1960s,
virtual machines (VM) perform the same function as traditional computers, but
offer advantages in the areas of server consolidation, testing, and cost
(Khangar & Dharaskar, 2012).
Organizations and individuals are no longer limited by physical hardware
requirements, allowing data and applications to be processed in a logical realm. Although VMs operate in ways similar to that
of traditional systems, there are still some challenges digital investigators
must address when collecting evidence from them.
According to Nelson,
Phillips, & Steuart (2010), digital investigations involving VMs do not
differ significantly from those focusing on traditional systems. One of the biggest challenges in collecting
data from this technology however is a lack of understanding. For investigators analyzing any new
technology, it is crucial to recognize how the device interacts or compares to
traditional technologies. In the case of
virtualization, comprehending the interaction between the VM software and the
host system is vital to collecting evidentiary data. Because virtual systems operate in much the
same way as their hardware-based counterparts, digital investigators should
acquire a forensic image of the target computer and then process the data using
a traditional methodology. This includes
auditing the user logs for both the host system and the virtual machine running
on it (Sungsu, Byeongyeong, Jungheum, Keunduck, & Sangjin, 2011). Understanding the structure and organization
specific to VMs is also a critical step in the investigatory process. For instance, recognizing where data is
located under VMware’s Virtual Machine File System (VMFS) can aid analysts in
locating critical data in an efficient fashion (Khangar & Dharaskar,
2012). Additional nuances with
collecting data from virtual systems in general include ensuring information is
not altered during acquisition, gathering volatile data prior to powering down
the system, and overcoming the legal challenges of presenting forensically
sound evidence from a new technology.
Because VMs operate in an active state, collecting volatile data from
these systems is as important as it is with traditional computers. As virtualization becomes more commonplace,
the forensic capabilities for analyzing these platforms also increase. This equates to more effective techniques for
collecting virtual data as well as wide-spread acceptance of digital forensics
throughout the legal process (Khangar & Dharaskar, 2012).
Investigators targeting
a virtual machine for analysis have the potential to find evidence similar in
amount and scope as they would on a traditional system. This includes evidentiary data related to
network intrusions, malware installation and insider file deletions. Although virtual systems operate in a logical
environment, collecting data from this platform can be accomplished by mounting
the VM and then assessing the contents of the digital image. Just as suspects leave evidence behind on a
traditional computer system, activities conducted on a VM also create a set of
files which are written to the host computer (Khangar & Dharaskar,
2012). Obtaining a forensic image of the
host computer can provide investigators with network logs pertaining to both
the host and the virtual system (Nelson et al., 2010). One of the most common versions of
virtualized software, VMware, “…as the default generates each
virtual machine image, memory dump, log and configuration file” (Sungsu et al., 2011, p. 151). Similar to files found on a traditional
computer system, these data repositories may contain evidence related to
network intrusions, malware installations and the deletion of files by trusted
users.
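As an added example (not from the paper or any of the works it cites), the script below inventories the files VMware writes for a guest on an acquired host image (the .vmx configuration, .vmdk disk, .vmem memory file and vmware.log) and records a SHA-256 for each, which is what lets an independent examiner re-verify the acquisition later, the repeatability concern raised in the RAM section. The directory layout and file contents are constructed stand-ins.

```python
import hashlib
import os
import tempfile

# Extension -> artifact class, following VMware's own file naming.
VMWARE_ARTIFACTS = {
    ".vmx": "configuration",
    ".vmdk": "virtual disk image",
    ".vmem": "memory dump",
    ".vmss": "suspended state",
    ".log": "log",
}

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large .vmdk/.vmem files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def inventory(root):
    """Return (relative path, artifact class, size, sha256) for each VMware artifact under root."""
    records = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            kind = VMWARE_ARTIFACTS.get(os.path.splitext(name)[1].lower())
            if kind is None:
                continue  # not a VMware artifact (e.g. user notes)
            path = os.path.join(dirpath, name)
            records.append((os.path.relpath(path, root), kind,
                            os.path.getsize(path), sha256_file(path)))
    return records

def verify(root, records):
    """Re-hash the tree; return artifacts whose digest changed or that are missing."""
    current = {rel: digest for rel, _, _, digest in inventory(root)}
    return [rel for rel, _, _, digest in records if current.get(rel) != digest]

def build_sample_guest(root):
    """Constructed stand-in for a guest directory found on a host image."""
    guest = os.path.join(root, "Evidence-VM")
    os.makedirs(guest)
    sample = {
        "Evidence-VM.vmx": b'config.version = "8"\ndisplayName = "Evidence-VM"\n',
        "Evidence-VM.vmdk": b"KDMV" + b"\x00" * 64,   # fake disk header + padding
        "Evidence-VM.vmem": b"\x00" * 128,            # fake memory file
        "vmware.log": b"2013-06-30T10:00:00 vmx| Guest powered on\n",
        "notes.txt": b"not a VMware artifact\n",
    }
    for name, data in sample.items():
        with open(os.path.join(guest, name), "wb") as handle:
            handle.write(data)
    return guest

def demo():
    """Inventory the constructed guest, then tamper with its log and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        guest = build_sample_guest(tmp)
        records = inventory(tmp)
        clean = verify(tmp, records)
        with open(os.path.join(guest, "vmware.log"), "ab") as handle:
            handle.write(b"2013-06-30T10:05:00 vmx| appended after acquisition\n")
        tampered = verify(tmp, records)
    return {"records": records, "clean": clean, "tampered": tampered}

if __name__ == "__main__":
    for rel, kind, size, digest in demo()["records"]:
        print(f"{digest[:16]}...  {size:>6}  {kind:<20} {rel}")
```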
Smart Phones
One of the most
ubiquitous and innovative advancements within the information technology arena
has been the invention of the smart phone.
The sheer computing power these devices possess combined with the
portability of this technology has made them an invaluable tool. Just as businesses and individuals have
leveraged the growth of communication technology, so have a variety of criminal
entities. Aside from the intrinsic value
these devices represent, modern smart phones possess the computing power to
rival traditional computer systems. Many
cybercrimes that were historically facilitated with laptops or desktops can now
be carried out with a smaller, more concealable smart phone. As a result of this development, smart
phones have become an important repository for evidence for law enforcement
agencies throughout the world (Casey & Turnbull, 2011). Because smart phones are both computers and
digital communication devices, collecting data from these sources presents a
number of challenges for investigators.
The single biggest issue
to address in collecting evidence from any mobile device is staying current
with the technology. Every year,
companies release a multitude of smart phones to the public. Many of these models contain proprietary
software and hardware features that forensic investigators must stay abreast
of. This involves not only a
continuous cycle of education but also a significant financial commitment for forensic
laboratories to purchase test models and software. Although the sheer number of potential phones
available may be daunting, there are a number of commercial tools made
specifically for digital investigators.
Companies like MicroSystemation, Logicube, and Cellebrite manufacture
products that are specially designed to acquire data from mobile devices (Casey
& Turnbull, 2011). Many of these
companies also issue updates for software versions and hardware connectors,
providing forensic analysts the ability to stay current with emerging
technologies.
Additional forensic
challenges associated with collecting data from smart phones deal with those
features inherent to mobile communication devices. Modern smart phones integrate a multitude of
communication paths to include cellular, Wi-Fi and Bluetooth. This means there are numerous ways for data
on these devices to be overwritten or remotely destroyed. Many smart phones have the capability to
allow remote wiping of stored data on the device. Although this was designed to protect user
data in the event of theft, it also has the unintended consequence of providing
criminals the ability to destroy evidence before law enforcement can obtain
it. The ability to alter or destroy data
wirelessly means investigators must take added precautions when seizing smart
phones. Options to prevent these devices
from receiving or sending signals include turning off the phone or removing the
battery. Although this eliminates the
possibility of outside sources altering data on the phone, it may also activate
security features such as encryption or lock codes (Casey & Turnbull,
2011). Smart phones like RIM’s line of
BlackBerrys include 256-bit encryption and an ECC public key, and later versions
of the phone’s firmware do not allow mobile password resetting. This means that turning off the device will most
likely render data recovery virtually impossible (Martin, 2008). To avoid this situation and isolate the
device from unintended signals, investigators can instead place the item in an
RF shielded container such as a Faraday bag.
Although smart phones
and other mobile communication devices pose a number of challenges for
forensic investigators, they also represent valuable sources of digital
evidence. This is in no small part due
to the type of storage media that many smart phones possess: flash memory. Although criminals have a number of potential
methods to destroy or alter data on a mobile device, the use of flash memory
chips means information can often be successfully recovered. Due to proprietary algorithms on many smart
phones, data is written and erased on flash memory in such a way that deleted
information is not immediately wiped.
Flash memory “can only be erased block-by-block, and mobile devices
generally wait until a block is full before erasing data” (Casey & Turnbull,
2011, p. 3). In addition, this form of
data storage is also generally more durable against extreme conditions such as
temperature, pressure, or impact, making physical destruction of the chips more
difficult. As a result of these
features, investigators have the potential to recover data pertaining to
malware installation and network intrusion.
Malware loaded onto mobile devices and later erased by perpetrators may
still leave digital clues. Similarly,
network intrusions using or directed at smart phones may also leave a trail of
evidence for investigators to find (Casey & Turnbull, 2011). The deletion of files by an insider however
may be more difficult to ascertain on a smart phone. Although these devices often belong to a
single individual, so that ownership should be relatively straightforward to assign,
anyone can use the phone if sufficient defense mechanisms such as lock codes are not activated. Even
though data is deleted from a smart phone or the device is used to destroy
information on a network, actually identifying the culprit may require more
evidence than a digital investigator can obtain.
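The block-erase behaviour quoted above, modelled as an added example (not from the paper or from Casey & Turnbull): a toy flash controller that writes page by page, erases only whole blocks, and reclaims a block only when it is full and holds no live page. It omits wear levelling and TRIM, so real devices differ in timing, but the carve pass shows why deleted records remain readable until the block is reclaimed.

```python
PAGES_PER_BLOCK = 4

class SimpleFlash:
    """Toy flash chip: pages are written once, erased only a whole block at a time."""

    def __init__(self, blocks):
        self.pages = [[None] * PAGES_PER_BLOCK for _ in range(blocks)]
        self.live = [[False] * PAGES_PER_BLOCK for _ in range(blocks)]
        self.directory = {}   # logical record name -> (block, page)
        self.erase_count = 0

    def _free_page(self):
        for b, block in enumerate(self.pages):
            for p, content in enumerate(block):
                if content is None:
                    return b, p
        return None

    def write(self, name, data):
        """Out-of-place write: an updated record leaves its old copy on the chip."""
        if name in self.directory:
            self.delete(name)
        slot = self._free_page()
        if slot is None:
            self._reclaim_blocks()
            slot = self._free_page()
        if slot is None:
            raise RuntimeError("flash full")
        b, p = slot
        self.pages[b][p] = data
        self.live[b][p] = True
        self.directory[name] = (b, p)

    def delete(self, name):
        """Deleting only drops the directory entry; the page bytes stay put."""
        b, p = self.directory.pop(name)
        self.live[b][p] = False

    def _reclaim_blocks(self):
        """Erase only blocks that are completely full and hold no live page."""
        for b, block in enumerate(self.pages):
            if all(c is not None for c in block) and not any(self.live[b]):
                self.pages[b] = [None] * PAGES_PER_BLOCK
                self.erase_count += 1

    def carve(self):
        """What a raw chip read still exposes: pages with data but no live mapping."""
        return [c for b, block in enumerate(self.pages)
                for p, c in enumerate(block)
                if c is not None and not self.live[b][p]]

def demo():
    """Two blocks of four pages; deleted messages survive until their block is reclaimed."""
    flash = SimpleFlash(blocks=2)
    for i, text in enumerate([b"meet at 9", b"bring the drive", b"done", b"delete this"]):
        flash.write(f"sms_{i}", text)          # constructed sample records
    flash.delete("sms_0")
    after_delete = flash.carve()                # the deleted text is still on the chip
    for i in range(1, 4):
        flash.delete(f"sms_{i}")                # block 0 now full of dead pages, not yet erased
    before_pressure = flash.carve()
    for i in range(4, 9):                       # block 1 fills, then block 0 gets reclaimed
        flash.write(f"sms_{i}", b"new")
    after_reclaim = flash.carve()
    return {"after_delete": after_delete, "before_pressure": before_pressure,
            "after_reclaim": after_reclaim, "erases": flash.erase_count}
```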
Cloud Computing
IT experts estimate
that cloud computing has the potential to transform information technology as
significantly as personal computers, the World Wide Web, and smart phones have
(Ruan, Carthy, Kechadi & Crosbie, 2011).
This model encompasses a host of IT concepts that generally describe
distributed computing over a network, which fundamentally changes the historic
model of IT services. Large data centers
have replaced individual workstations to create a virtual environment for
organizations and individuals alike.
Cloud computing employs VMs and a “combination of Infrastructure as a
Service (IaaS), Platform as a Service (PaaS), and/or Software as a Service
(SaaS)” (Barbara, 2009). Individuals are
able to utilize programs in a manner similar to that of traditional hardware-based
computers, but at a fraction of the cost.
As a result of these savings, an increasing number of companies have
incorporated cloud computing into their traditional approach to data
processing. According to Gartner, cloud
computing was forecast to grow 19.6% in 2012 to an estimated $109 billion
worldwide (Gartner, 2012). This
represents a growth rate five times faster than that of on-premises IT
equipment (Ruan et al., 2011). Although
cloud computing has revolutionized technology on a number of fronts, this
concept is not without its own unique challenges for both customers and
forensic investigators alike.
Storing and accessing
data on remote servers represents a number of potential concerns for
clients. Utilizing Internet applications
to retrieve sensitive data is inherently risky for organizations. In addition, cloud users often do not know
physically where their data resides or who else the provider may maintain as a
client. This commingling of information
and users has the potential for malicious or unintentional data loss if
adequate security features are not in place (Barbara, 2009). It is these same considerations that also
represent a variety of unique concerns for digital investigators.
Locating, preserving,
and analyzing digital information becomes a challenge when the data is stored
in the cloud. A forensic issue of
concern is the loss of valuable pieces of digital evidence. Items historically acquired by investigators
such as registry entries, temporary files, and other similar artifacts may be
lost when a user exits a cloud application.
In addition, cloud customers and investigators often have limited access
to log files and auditing information (Ruan et al., 2011). The use of cloud computing also provides
suspects with an additional layer of anonymity when carrying out malicious
activity. These factors call into
question the issue of evidence validity in a court of law. Establishing a chain of custody for evidence
and credibly explaining this process to a jury is problematic for
investigators. Determining where
information is stored, who had access to it, and whether other entities could have
altered the information are all serious considerations for law enforcement
agencies (Barbara, 2009). As a result,
the emergence of cloud computing has forced the creation of an entirely new
focus in digital forensics called cloud forensics (Ruan et al., 2011). While data acquisition from computers
includes a number of traditional methodologies, retrieving data from cloud-based
systems also incorporates a number of other technologies and challenges.
Currently, many
forensic examiners admit that "there is no foolproof, universal method for
extracting evidence in an admissible fashion from cloud-based
applications" (Barbara, 2009). This
consideration along with chain of custody issues means cloud computing is one
of the least reliable technologies for investigators seeking information about
network intrusions, malware installations, or the deletion of files by
insiders. Technical dimensions that make
this technology difficult to forensically analyze include live forensics,
evidence segregation and virtualization.
Many of the same considerations for live acquisition of RAM also exist
for investigators collecting evidence from cloud-based systems. Complex configurations with multiple
connected resources significantly increase the forensic workload. Recreating a timeline of events that occurred
solely within the cloud requires precise time synchronization; a feat made more
difficult by disparate locations of users and cloud-based data
repositories. Cloud computing is
designed to provide a pool of resources to multiple users. This aspect presents a challenge for forensic
investigators not from a data acquisition standpoint, but rather protecting the
confidentiality of other clients. Cloud
providers achieve data segregation using software-based
compartmentalization. This configuration
presents a challenge for investigators when attempting to collect data from one
individual that happens to be sharing resources with numerous other users. Finally, the last challenge for investigators
is the concept of virtualization.
Although virtualization on traditional systems is relatively straightforward, on
cloud-based systems, this concept takes on a completely new dimension. Data mirroring over systems located in
different states or even countries introduces a number of jurisdictional
concerns for law enforcement agencies (Ruan et al., 2011).
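The time-synchronization problem described above, as an added example (not from the paper or from Ruan et al.): three constructed log sources with different timestamp formats, one of them with a measured clock skew, are merged into a single UTC-ordered timeline. Source names, log lines and the 95-second skew are all assumed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample logs. Each source keeps its native timestamp format and a
# measured clock skew: how many seconds its clock ran ahead of a reference clock.
SOURCES = {
    "provider-audit": {            # provider API audit log, stamped in UTC
        "skew_seconds": 0,
        "lines": [
            "2013-06-30T13:02:10Z StorageRead bucket=evidence obj=report.docx user=jdoe",
            "2013-06-30T13:05:41Z StorageDelete bucket=evidence obj=report.docx user=jdoe",
        ],
    },
    "workstation": {               # customer laptop, local time with offset, clock 95 s fast
        "skew_seconds": 95,
        "lines": [
            "2013-06-30T09:02:50-04:00 login user=jdoe",
            "2013-06-30T09:07:20-04:00 logout user=jdoe",
        ],
    },
    "app-server": {                # application log using epoch seconds (UTC)
        "skew_seconds": 0,
        "lines": ["1372597421 api_call op=list_objects user=jdoe"],
    },
}

def parse_timestamp(token):
    """Normalise the three stamp formats above to a timezone-aware UTC datetime."""
    if token.isdigit():                       # epoch seconds
        return datetime.fromtimestamp(int(token), tz=timezone.utc)
    if token.endswith("Z"):                   # ISO 8601 with Zulu suffix
        return datetime.strptime(token, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(token).astimezone(timezone.utc)   # ISO 8601 with offset

def build_timeline(sources=SOURCES, correct_skew=True):
    """Merge every source into one UTC-ordered list of (time, source, message)."""
    events = []
    for name, src in sources.items():
        skew = timedelta(seconds=src["skew_seconds"] if correct_skew else 0)
        for line in src["lines"]:
            stamp, message = line.split(" ", 1)
            events.append((parse_timestamp(stamp) - skew, name, message))
    events.sort(key=lambda event: event[0])
    return events

def render(events):
    """One line per event, all stamps rewritten in UTC."""
    return [f"{when:%Y-%m-%dT%H:%M:%SZ}  {name:<15}  {message}"
            for when, name, message in events]

if __name__ == "__main__":
    print("\n".join(render(build_timeline())))
    print("--- without skew correction ---")
    print("\n".join(render(build_timeline(correct_skew=False))))
```

Without the skew correction the workstation login appears to follow the storage read it actually preceded, which is exactly the kind of ordering error that undermines a cloud timeline in court.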
Conclusion
The continued evolution
of information technology represents a host of potential benefits for
mankind. From personal computers to
cloud computing, each new development has advanced our lives in various ways. For digital investigators however, the
emergence of new technologies signifies both advantages and challenges. New devices mean additional sources of data
for investigators to leverage in the course of their analysis. Conversely, each new scientific advancement
represents a myriad of new technologies that investigators must master in order
to collect the evidence those technologies hold.
Public and private organizations seeking to stay current in this field
must commit to a continuing investment in both money and education.
References
Barbara, J. J. (2009). Cloud computing: Another digital forensic challenge. Forensic Magazine. Retrieved from http://www.forensicmag.com/articles/2009/10/cloud-computing-another-digital-forensic-challenge#.UcmPejvVDkU
Casey, E., & Turnbull, B. (2011). Digital evidence and computer crime (3rd ed.), 1-44. Waltham, MA: Elsevier. Retrieved from http://www.elsevierdirect.com/companions/9780123742681/Chapter_20_Final.pdf
Gartner. (2012). Gartner says worldwide cloud services market to surpass $109 billion in 2012. Retrieved from http://www.gartner.com/newsroom/id/2163616
Hay, B., & Nance, K. (2009). Live analysis: Progress and challenges. IEEE Computer and Reliability Studies, 30-37. Retrieved from http://nob.cs.ucdavis.edu/bishop/papers/2009-ieeesp-2/liveanal.pdf
Khangar, S. V., & Dharaskar, R. V. (2012). Digital forensic investigation for virtual machines. International Journal of Modeling and Optimization, 2(6), 663-666. Retrieved from http://www.ijmo.org/papers/205-S4038.pdf
Martin, A. (2008). Mobile device forensics. SANS. Retrieved from http://www.sans.org/reading_room/whitepapers/forensics/mobile-device-forensics_32888
Nelson, B., Phillips, A., & Steuart, C. (2010). Guide to computer forensics and investigations. Boston, MA: Course Technology.
Ruan, K., Carthy, J., Kechadi, T., & Crosbie, M. (2011). Cloud forensics. Advances in Digital Forensics VII, 15-26. Retrieved from http://cloudforensicsresearch.org/publication/Cloud_Forensics_An_Overview_7th_IFIP.pdf
Sungsu, L., Byeongyeong, Y., Jungheum, O., Keunduck, B., & Sangjin, L. (2011). A research on the investigation method of digital forensics for a VMware workstation’s virtual machine. Mathematical and Computer Modelling, 55, 151-160. Retrieved from http://www.sciencedirect.com.ezproxy.umuc.edu/science/article/pii/S0895717711001014
Welch, C. H. (2006). Flexible standards, deferential review: Daubert’s legacy of confusion. Harvard Journal of Law & Public Policy, 29(3), 1085-1105. Retrieved from http://www.harvard-jlpp.com/archive/#293