Proving the time of a data breach is clearly one of the most critical requirements in any forensics investigation. Without strong proof of what happened, and when, any evidence will be easily dismissed in court. The new EU regulations on data breach reporting require the details of any breach to be reported to regulators within a certain time, which begs the question: how do organizations know when (or even if) an incident occurred and what records were impacted by the breach?
Timestamps alone are inadequate - any hacker worth his salt knows how to manipulate records and timestamps of activity to cover his tracks and attribute his activity to an innocent party, which is why attribution of crimes on the Internet is so hard, whether it is a 16-year-old manipulating school records, a nation-state attack on critical infrastructure or cyber-criminals hacking into eBay's network.
Not surprisingly, time features heavily in the NIST report on Cloud Computing Forensic Science Challenges:
"Time is frequently a critical issue as related to time synchronization and the possible disappearance of evidence if not found quickly. Zimmerman and Glavach point out, “Once the information source is identified, do all involved entities have time synchronized via a consistent time source such as Network Timing Protocol (NTP). If a forensic expert has a difficult time convincing your legal counsel that the time stamps from client side log files match time stamps on provider-side log files, the forensics will be difficult to defend.” Also, if evidence is not found quickly enough, it may be overwritten or lost in some other manner. Some example challenges in Annex B related to time include Challenge #5 (Timestamp synchronization), Challenge #14 (Real-time investigation intelligence processes not possible), Challenge #30 (Data available for a limited time), and Challenge #53 (International cloud services)."
NTP is of course a very reliable mechanism for knowing what the time is at the current instant, but because of the attribution challenges highlighted above it is less useful for proving time: the timestamp itself is just metadata which can easily be deleted or manipulated.
PKI-based cryptographic timestamping is one approach to proving time, but the idea of using PKI to digitally timestamp data in a cloud environment is so horrifically bad that nobody would ever consider it in reality, certainly not at the scale required for cloud computing.
For better or worse (mostly worse), for the last 40 years PKI has been the only tool in the cryptographic toolshed for linking time to digital events.
Another, more subtle problem, and one that brings us to Lorentz, is that it requires a reference timekeeper: a trusted source who can act as a witness in the event of a forensics investigation. However, in the digital world, just as in the physical world, trust doesn't scale - across time or across the number of participants in the system - i.e. the evidence is not portable across organizational boundaries and relies on the ability of the reference timekeeper to ensure the security of the key stores, the time source and the trustworthiness of the administrators who manage all of the infrastructure.
Something that, as we have seen time and time again, is notoriously hard to do.
Time in the KSI system is something very different indeed. It is not based on a trusted reference source but, using the concept of a Hash Calendar, is publicly verifiable and defined using the distributed consensus of all the participants in the system (a public "ledger" of events, if you will).
Distributed consensus is receiving a lot of attention these days, not least due to the popularity of crypto-currencies, which Marc Andreessen claims are the Internet of 2014. Bitcoin uses distributed consensus (among miners) to validate that a coin has not been double-spent. We have a lot to say about crypto-currencies and how to overcome the challenges of scalability, proof of work, settlement time and lack of governance, but this is neither the time nor the place.
In Einstein’s Theory of Relativity two events have causal relationships only if one is in the light cone of the other. In KSI, two hash values are causally related if there is a hash (block) chain from one to another.
It is a fun analogy, but the implications for cloud forensics are profound - by integrating KSI into the fabric of cloud computing, not only the time but the integrity and identity of every piece of data (whether configurations, virtual machines, database entries or system events) can be verified independently using the causal relations of hash chains, providing forensic auditability as a natural part of the data lifecycle.
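To make the "causally related if there is a hash chain from one to another" idea concrete, here is an added toy model in Python; it is not code from this post or from the KSI implementation. One aggregation round hashes event digests into a single root, each event keeps only its sibling hashes (its hash chain), and the root is published in the calendar. An event is provably in that round exactly when its chain recomputes to the published root; a tampered record, or a chain borrowed from another record, cannot. The event strings, round id and simplified aggregation (no per-node level bytes) are assumptions made for the example.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of the given byte strings."""
    return hashlib.sha256(b"".join(parts)).digest()

def aggregate(leaf_hashes):
    """Aggregate one round of leaf hashes into a single root, Merkle-style.
    Returns (root, chains); chains[i] is the hash chain from leaf i to the root,
    a list of (sibling_hash, sibling_on_left) steps. An odd node is promoted as-is.
    (Simplified: real KSI aggregation also hashes in the tree level of each node.)"""
    nodes = [(leaf, [i]) for i, leaf in enumerate(leaf_hashes)]  # (hash, leaves below)
    chains = [[] for _ in leaf_hashes]
    while len(nodes) > 1:
        nxt = []
        for j in range(0, len(nodes) - 1, 2):
            (lh, lm), (rh, rm) = nodes[j], nodes[j + 1]
            for i in lm:
                chains[i].append((rh, False))  # sibling is on the right
            for i in rm:
                chains[i].append((lh, True))   # sibling is on the left
            nxt.append((h(lh, rh), lm + rm))
        if len(nodes) % 2:
            nxt.append(nodes[-1])
        nodes = nxt
    return nodes[0][0], chains

def verify(leaf_hash: bytes, chain, published_root: bytes) -> bool:
    """Walk the chain upward from a leaf; True only if it lands on the published root."""
    acc = leaf_hash
    for sibling, sibling_on_left in chain:
        acc = h(sibling, acc) if sibling_on_left else h(acc, sibling)
    return acc == published_root

# Constructed sample events for one aggregation round (not real log data).
EVENTS = [b"vm-17 config changed", b"db row 4411 updated", b"user alice logged in",
          b"snapshot vol-9 created", b"firewall rule 12 removed"]
ROOT, CHAINS = aggregate([h(e) for e in EVENTS])
# The calendar keeps one root per round; a round's position in it fixes the time.
CALENDAR = {"round-2014-06-01T10:00": ROOT}

def event_in_round(event: bytes, chain, round_id: str) -> bool:
    """Does the event's hash chain reach the calendar root published for that round?"""
    return verify(h(event), chain, CALENDAR[round_id])
```

Note that the proof carries no timestamp field at all: the time comes from where the root sits in the calendar, and the only way to change it is to break the hash chain.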