Clouds

10 Posts
5 Users
0 Reactions
1,226 Views
(@dndschultz)
Eminent Member
Joined: 15 years ago
Posts: 24
Topic starter  

As clouds become more prevalent people are starting to store and back up their machines. Some suggest home computers will be a thing of the past. How will this affect data acquisition?


   
(@armresl)
Noble Member
Joined: 21 years ago
Posts: 1011
 

Which class is this for?

As clouds become more prevalent people are starting to store and back up their machines. Some suggest home computers will be a thing of the past. How will this affect data acquisition?


   
(@dndschultz)
Eminent Member
Joined: 15 years ago
Posts: 24
Topic starter  

No class. I am just wondering what direction computer forensics is going. There are going to be some major pros and cons in people storing their data on a shared storage space.


   
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

People have been storing information on shared storage space since timesharing was invented. Then NFS came along, and SMB. Now we have the cloud.

We've been collecting email from the cloud for years. Google has an API for pulling information from Google Docs. Facebook has a tool for preserving FB pages, though I think it is for personal use at the moment.

Technology and the legal system will adapt. Providers will likely develop tools to allow us to preserve evidence. Life will move on.

Please forgive me for this somewhat content-free posting. Your question is valid, and this isn't a good answer to it. I'm just a bit tired of all the "oh no, the clouds are here!" hype and it is showing.

-David


   
(@dndschultz)
Eminent Member
Joined: 15 years ago
Posts: 24
Topic starter  

Tell us how you really feel. I'm just starting dialog to learn more about it. No better way to stop the hype than to discuss it.


   
(@jelle)
Trusted Member
Joined: 18 years ago
Posts: 52
 

Tell us how you really feel. I'm just starting dialog to learn more about it. No better way to stop the hype than to discuss it.

Some aspects of data acquisition will be easier (push of a button to create a virtual machine snapshot) - others might be harder (where is that snapshot physically located - can you seize it in that country; to name just an example).

As Dave says, not so much news here. A lot of these challenges have been seen before in other shared environments. It takes time to adapt, both on the investigators' sides and on the service providers' sides.

If being prepared for an investigation is important for you as a customer, you pick a provider who is also prepared. If you want to distinguish yourself as a provider, you show that you thought about security and investigative aspects and that you have adequate processes and tools in place. Customers who think that's not important for them will go to another (probably cheaper) provider, and that will indeed be cheaper for ca. 80% of them. The 20% who thought they didn't need to be prepared but are facing an investigation will regret their decision.

In a couple of years, the forensics labs will probably also be running in cloud-like environments to allow for flexible use of computing resources.


   
(@dndschultz)
Eminent Member
Joined: 15 years ago
Posts: 24
Topic starter  

When someone uses a cloud are they given a logical drive with a specific hash value or will the fact that the data is on a shared computer prevent us from imaging and securing an exact hash value? Forgive me if I sound like a newbie but… I'm a newbie.


   
mgilhespy
(@mgilhespy)
Estimable Member
Joined: 16 years ago
Posts: 102
 

Some aspects of data acquisition will be easier (push of a button to create a virtual machine snapshot)…

Snapshots are great things, but have some very significant limitations when it comes to using them as a means of forensic acquisition. Most notably, every enterprise storage array I have ever come across implements snapshots in the same way - that is that snapshots capture at a point in time, the state of ACTIVE blocks in a filesystem - by which I mean they do not capture "empty" space, deleted files, files which have been (somehow) placed outside of expected logical boundaries, etc.

This (focus on active information) is also exactly how Facebook's single click "download your information" service works and is the reason why the archive you receive from them does not contain your "full history" as is sometimes claimed in marketing literature - in that you don't get back any items that you deleted before clicking. (FB do carefully explain that it is not a recovery utility.)

Assuming you want/need to see files that a suspect may once have stored in his cloud-space but has deleted before you can request a snapshot from the provider, can you get to the physical disk(s) before the data you are so interested in has been overwritten and lost forever? The thing with multi-tenancy solutions is that they gobble up and reuse tombstoned blocks (i.e. overwrite old stuff to maximize space efficiencies) alarmingly frequently.


   
ReplyQuote
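Added example, not part of the original thread: a toy Python model of the behaviour described in the post above, where an active-blocks-only snapshot misses a deleted file that a physical image still holds until another tenant reuses the tombstoned blocks, which also changes the hash of the physical image. The `SharedVolume` class, the 16-byte block size and the file names are constructed for illustration and model no particular storage array.

```python
import hashlib

BLOCK = 16  # bytes per block; tiny so the effect is easy to see (constructed value)

class SharedVolume:
    """Toy multi-tenant block store: raw blocks plus a map of active files."""
    def __init__(self, nblocks):
        self.blocks = [bytes(BLOCK)] * nblocks
        self.files = {}                  # file name -> list of active block numbers
        self.free = list(range(nblocks))

    def write(self, name, data):
        self.files[name] = []
        for i in range(0, len(data), BLOCK):
            n = self.free.pop(0)         # lowest-priority free block is used first
            self.blocks[n] = data[i:i + BLOCK].ljust(BLOCK, b"\0")
            self.files[name].append(n)

    def delete(self, name):
        # Tombstone only: blocks return to the free pool, their content stays on disk.
        self.free = self.files.pop(name) + self.free

    def snapshot(self):
        """Array-style snapshot: copies ACTIVE blocks only, no free or deleted space."""
        return b"".join(self.blocks[n] for blks in self.files.values() for n in blks)

    def physical_image(self):
        """Bit-for-bit copy of every block, allocated or not."""
        return b"".join(self.blocks)

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def demo():
    vol = SharedVolume(8)
    vol.write("suspect/notes.txt", b"meet at pier 9 at midnight")  # constructed sample
    vol.write("suspect/keep.txt", b"grocery list")
    vol.delete("suspect/notes.txt")      # deleted before any acquisition request
    snap = vol.snapshot()
    image_before = vol.physical_image()
    vol.write("tenantB/log", b"X" * 32)  # another tenant reuses the tombstoned blocks
    image_after = vol.physical_image()
    return {
        "deleted_data_in_snapshot": b"pier 9" in snap,
        "deleted_data_in_image_before_reuse": b"pier 9" in image_before,
        "deleted_data_in_image_after_reuse": b"pier 9" in image_after,
        "image_hash_changed_by_other_tenant": sha256(image_before) != sha256(image_after),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```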
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

For ediscovery purposes, those snapshots are sufficient. And the ediscovery market is much larger than the computer forensics market, so we may see solutions that meet ediscovery needs but not CF needs.

-David


   
(@jelle)
Trusted Member
Joined: 18 years ago
Posts: 52
 

[…useful stuff…]

I agree with what you say, but again I think this is where we might see interesting developments on the provider side. For customers that require access to historical/deleted data, I think we will see implementations that offer this access to deleted data.

It will likely not be exactly the same as we currently have when looking at physical disks, but rather at a more logical level - nevertheless it can be equally useful. Is this worse or better than what we currently have? I don't know, but as I think we can be pretty sure that more and more applications/companies will be moving towards these kinds of infrastructure, it's what we'll have to live with. I think that if sufficient logging and snapshots to old data are being kept on a logical level, we could have a more reliable and complete picture than we currently sometimes have when we can only hope a physical disk still holds some traces of a deleted file. Of course, this greatly depends on the kind of application and the way this is implemented, but I'll assume a positive scenario here 😉

BTW the recent Gmail troubles showed that even in a cloud environment, there is always good old backup tape to rely on 😉


   