Investigating inappropriate activity in cloud computing
20th July 2009
Traditional digital forensic investigative techniques have had to develop quickly to maintain a level playing field with the perpetrators of cybercrime.
An evidentially sound investigation requires digital data to have been collected using forensically sound methodology if the integrity of any subsequent investigation is to be maintained.
Digital evidence should be complete, accurate, and verifiable.
Cloud computing, however, will undoubtedly test further the resilience and resources of law enforcement agencies responsible for investigating cloud-related criminal activity. This is reiterated by Gartner Consulting, who in 2008 stated:
Investigating inappropriate or illegal activity may be impossible in cloud computing. Cloud services are especially difficult to investigate because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers. If you cannot get a contractual commitment to support specific forms of investigation—along with evidence that the vendor has already successfully supported such activities—then your only safe assumption is that investigation and discovery requests will be impossible.
In the UK, the burden of proof lies with the prosecution, which in criminal trials must prove beyond reasonable doubt that the person standing trial is guilty of the offence with which they are charged.
If, as Gartner suggests, data stored on cloud servers is shared, however, how in the first instance can the prosecution prove beyond reasonable doubt that cross-contamination of evidential data has not occurred?