Lecture 20 Cloud Forensics and IoT Forensics

Cloud Forensics

  • Scope: The lecture discusses the challenges of cloud forensics and IoT forensics.
  • Focus: Cloud forensics addresses data storage off-premises and shared obligations. IoT forensics centers on passive data collection and privacy threats.

IT Paradigm Shift

  • Evolution: From custom-made, locally managed IT to standardized, centralized cloud services.
  • Progression: On-premise IT → Shared Service Centers → Hosting → Outsourcing → Cloud Computing.

Cloud Model Characteristics

  • Resource Pooling: Shared resources among multiple customers (multi-tenancy).
  • Rapid Elasticity: Scalable services based on demand.
  • On-Demand Self-Service: Instant access to cloud services.
  • Measured Service: Pay-as-you-go model.
  • Broad Network Access: Accessible via various devices through the Internet.

Cloud Service Models

  • IaaS: Provider manages servers, storage, virtualization, and networking; customer manages OS, middleware, runtime, applications, and data.
  • PaaS: Provider manages servers, storage, virtualization, OS, middleware, runtime, and networking; customer manages applications and data.
  • SaaS: Provider manages all layers; customer manages data.

Cloud Computing & Digital Forensics Challenges

  • Assumption: Traditional forensics assumes control and management of IT assets.
  • Challenge: This assumption is not always valid in cloud computing.

Evidence Source Identification & Preservation

  • Traditional Approach: Physical device seizure and a byte-by-byte copy.
  • Cloud Reality: Remote access to logical data representation.
  • Issue: Data may be stored in multiple locations.

Issues in the Cloud

  • Infeasibility: Obtaining the physical device is impractical.
  • Chain of Custody: Lack of investigator control over evidence audit trail.
  • Encryption: Customer-held decryption keys complicate data access.
  • Privacy: RAM contents may include data that is not relevant to the case.
  • Jurisdiction: Hardware location may be outside the request's jurisdiction.

Deleted Data

  • Conventional Forensics: Deleted data is often a valuable evidence source.
  • Cloud Challenges: Volatility and elasticity make recovery difficult.
  • Provider Policies: Some providers physically remove deleted data.

Data Retention

  • Directive: Data Retention Directive (2006) may not cover cloud providers.
  • GDPR: The EU Cloud Code of Conduct is relevant.

Cross-Organizational Cooperation

  • ACPO Principle: Only forensically competent individuals should access digital evidence.
  • Challenge: Proprietary technologies require provider involvement.

Additional Issues

  • Jurisdiction: Cloud provider may be in a different jurisdiction.
  • Time Zones: Establishing correct time is essential.
  • Validation of Tools: Cloud providers use a single hashing tool without external validation.
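The two technical points above (establishing correct time across regions, and not relying on a single hashing tool) are illustrated by this added example; it is not part of the lecture. The log lines, region names and offsets are constructed for the demonstration.

```python
# Added example: normalise cloud log timestamps to UTC before ordering events,
# and verify an acquired logical export with two independent hash algorithms.
import hashlib
from datetime import datetime, timezone

# Constructed sample lines from three hypothetical regions, each logged in its
# own local offset. Format: "<ISO-8601 timestamp with offset> <region> <event>"
SAMPLE_LOGS = [
    "2024-03-10T09:15:00+01:00 eu-west delete object=report.pdf",
    "2024-03-10T03:14:30-05:00 us-east download object=report.pdf",
    "2024-03-10T17:13:00+09:00 ap-north upload object=report.pdf",
]

def parse_log_line(line):
    """Split one line and convert its local timestamp to UTC."""
    ts, region, event = line.split(" ", 2)
    local = datetime.fromisoformat(ts)          # offset-aware datetime
    return {"utc": local.astimezone(timezone.utc), "region": region,
            "event": event, "raw": ts}

def normalize_timeline(lines):
    """Order events by UTC so regions with different offsets compare correctly."""
    return sorted((parse_log_line(l) for l in lines), key=lambda e: e["utc"])

def local_clock_order(lines):
    """Order by wall-clock time with the offset ignored: the mistake the
    correct timeline above avoids. Returns the region names only."""
    naive = [(datetime.fromisoformat(l.split(" ", 1)[0]).replace(tzinfo=None),
              l.split(" ")[1]) for l in lines]
    return [region for _, region in sorted(naive)]

def dual_hash(data):
    """Digest the same bytes with two independent algorithms so the
    acquisition is not validated by a single tool's output alone."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def verify_export(data, expected):
    """Accept the export only if every recorded digest matches."""
    actual = dual_hash(data)
    return all(actual.get(alg) == digest for alg, digest in expected.items())

if __name__ == "__main__":
    for e in normalize_timeline(SAMPLE_LOGS):
        print(e["utc"].isoformat(), e["region"], e["event"], "(logged as", e["raw"] + ")")
    print("local-clock order:", local_clock_order(SAMPLE_LOGS))
```

Read by local clock the upload appears last; read in UTC it is the first event, which is the ordering a timeline must be built on.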

Evidence Presentation

  • Report: Summarize findings for court submission.
  • Jury Assessment: The jury assesses the reliability of the methods and techniques used.
  • Challenge: Lack of standard evaluation methods in cloud forensics.

Conclusion: Cloud Forensics

  • Importance: Cloud forensics is vital in modern digital investigations.
  • Challenges: These must be addressed jointly by forensics research, legislation, cloud providers, and practitioners.

IoT Forensics

  • Smart Homes: Integration of smart devices (thermostats, meters, etc.) managed through home area networks.
  • Smart Cities: Use of sensors for monitoring (streetlights, air quality, etc.).
  • Smart Wearables & Implanted Things: Medical Body Area Networks (BAN) for health monitoring and treatment.

Increase of Connected Devices

  • Exponential Growth: Significant rise in IoT devices.

IoT-Related Crimes

  • Potential Crimes: Tampering with smart devices (medicine dispensers, pacemakers, utility meters), DoS attacks, and botnets.

Sources of Evidence

  • Household Appliances: Dishwashers, kettles, baby monitors.
  • Wearable Devices: Insulin monitors and pacemakers.
  • City Appliances: Traffic lights and road temperature monitors.

Challenges for Digital Forensics

  • Disparity: The wide variety of devices requires tools that can acquire and analyse data in many different formats.
  • Number of Devices: Increased number of items to be seized or investigated.
  • Volume of Data: Large volumes for analysis, leading to backlogs.
  • Expertise: Need for specialized tools and up-to-date training.

Location of Evidence

  • Cloud Storage: IoT data is stored in the cloud, which adds to the jurisdictional issues.
  • Complexity: Devices used across different jurisdictions raise prosecution challenges.

Network Complexity

  • Blurring Lines: Devices move between networks (BAN, PAN, HAN, NAN, MAN), leaving evidence across multiple locations.

Complexity of Investigations

  • Evidence Location: Identifying where to look for evidence is challenging.
  • Data Availability: Sources of evidence can become unavailable.
  • Number of People Involved: Establishing the number of people communicating through devices is difficult.

Legal Aspect

  • Legal Frameworks: Frameworks are needed that allow investigators to access homes containing compromised smart appliances.
  • Homeowner Rights: Balancing investigation needs with homeowner rights.

IoT Forensics: Moving Forward

  • IoT-Aware Triage Procedures: Develop specific triage processes for IoT devices.
  • Automation: Automate acquisition and investigation processes.
  • Legislation Updates: Update laws to address novel crimes.
  • Standardization: Standardize data formats, protocols, and interfaces.
  • Adapted Methods: Develop new investigative methods and processes.