As the computing paradigm shifts from the traditional on-premise model, where enterprises own and control their own infrastructure, to an outsourced cloud model, where compute, storage and networking are all shared resources, the need to rethink forensics becomes ever more apparent: traditional forensics technologies are struggling to keep up with technological progress. Indeed, it feels as if digital forensics hasn’t advanced much since the 1980s. The status quo is still for an investigator to use imaging tools and try to figure out what happened after the fact.
An example of this thinking is the following passage from NIST’s excellent report on Cloud Computing Forensic Science Challenges (step three in the forensics process):
“Imaging/hashing function. When digital evidence is found, it should be carefully duplicated and then hashed to validate the integrity of the copy.”
To quote another 1980s phenomenon: “You CANNOT be serious!” This thinking, which is perfectly in line with today’s mindset, is the reason why cloud forensics will face enormous headwinds. Because electronic data is volatile, any hacker worth his salt knows how to manipulate information to cover his tracks and attribute his activity to an innocent party, which is why attribution of crimes on the Internet is so hard, whether it is a 16-year-old manipulating school records, a nation-state attack on critical infrastructure or cybercriminals hacking into eBay’s network.
We will have a lot to say about the NIST report soon. In fact, we will have a lot to say about all 66 challenges it raises. Every one of them is impacted by KSI.
Readers who are already familiar with KSI technology will instantly recognize its impact on the following steps that NIST introduces as part of the forensics process:
"Chain of custody. In legal contexts, chronological documentation of evidence handling is required to avoid allegations of evidence tampering or misconduct.
Imaging/hashing function. When digital evidence is found, it should be carefully duplicated and then hashed to validate the integrity of the copy.
Validated tools. When possible, tools used for forensics should be validated to ensure reliability and correctness.
Repeatability and reproducibility (quality assurance). The procedures and conclusions of forensic analysis should be repeatable and reproducible by the same or other forensic analysts.
Reporting. The forensic analyst must document his or her analytical procedure and conclusions for use by others.
Possible presentation. In some cases, the forensic analyst will present his or her findings and conclusions to a court or other audience."
A Change in Mindset: From Ex Post Facto to In Situ
We recently had the opportunity to attend OSCON 2014 in Portland, Oregon. One of the best talks was by Neal Ford on “Functional Thinking”. We even lined up to get a (free) signed copy of his book (thanks, Neal).
In his talk he described the change in mindset that programmers need in order to move from imperative to functional thinking. He used the analogy of lumberjacks. Traditional programmers (forensics analysts) have axes (imaging tools). Then someone invents a chainsaw. What do the lumberjacks do? They treat the chainsaw as an axe and start hacking at trees with their new “axe”. Needless to say, the results are inadequate (chainsaws are lousy axes) and they revert to their traditional tools.
KSI is the chainsaw for forensics
By integrating KSI into the fabric of cloud computing, everything that happens automatically comes with independent verification, chain of custody and portability of evidence across organizational and service-provider boundaries, baking mathematically provable and legally admissible evidence into the system itself.
It’s a change in mindset from “ex post facto”, i.e. forensics done after the incident, to “in situ”, i.e. “in place”: forensic auditability is intrinsic to the system.
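To make the ex post facto versus in situ distinction concrete, here is an added illustration that is not from the original post and is not Guardtime’s KSI protocol. It contrasts the NIST “image, then hash” step with a simplified hash-chained log whose head hash is handed to an independent party at commit time. The student record, the actors and the anchor handling are all constructed for the example.

```python
import hashlib
import json

# Constructed sample data: a school record before and after tampering.
ORIGINAL_RECORD = b"student=alice;grade=C"
TAMPERED_RECORD = b"student=alice;grade=A"
GENESIS = "0" * 64  # chain starts from an all-zero previous hash


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_and_hash(evidence: bytes) -> tuple[bytes, str]:
    """Ex post facto step: duplicate the evidence, then hash the duplicate.
    The digest only proves the copy matches what was found at imaging time."""
    copy = bytes(evidence)
    return copy, sha256_hex(copy)


def verify_image(copy: bytes, digest: str) -> bool:
    return sha256_hex(copy) == digest


def record_hash(body: dict) -> str:
    # Canonical JSON so the hash does not depend on key ordering.
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class HashChainedLog:
    """In situ model (simplified illustration, not KSI): every handling event
    is committed to an append-only chain at the moment it happens."""

    def __init__(self):
        self.records = []

    def append(self, actor: str, action: str, content: bytes) -> str:
        prev = self.records[-1]["record_hash"] if self.records else GENESIS
        body = {"seq": len(self.records), "actor": actor, "action": action,
                "content_hash": sha256_hex(content), "prev_hash": prev}
        entry = dict(body, record_hash=record_hash(body))
        self.records.append(entry)
        return entry["record_hash"]

    def head(self) -> str:
        return self.records[-1]["record_hash"] if self.records else GENESIS

    def verify(self, anchor: str) -> tuple[bool, int]:
        """Check every link and per-record hash, then compare the head with an
        anchor held outside the system. Returns (ok, index reached)."""
        prev = GENESIS
        for i, entry in enumerate(self.records):
            body = {k: v for k, v in entry.items() if k != "record_hash"}
            if body["seq"] != i or body["prev_hash"] != prev:
                return False, i
            if record_hash(body) != entry["record_hash"]:
                return False, i
            prev = entry["record_hash"]
        return prev == anchor, len(self.records)


def ex_post_facto_scenario() -> bool:
    """Tamper first, image later: the hash happily validates the tampered copy."""
    copy, digest = image_and_hash(TAMPERED_RECORD)
    return verify_image(copy, digest)  # True, and nothing flags the change


def in_situ_scenario() -> dict:
    """The same tampering against a log that committed the record when written."""
    log = HashChainedLog()
    log.append("registrar", "create", ORIGINAL_RECORD)
    log.append("registrar", "read", ORIGINAL_RECORD)
    anchor = log.head()  # published to an independent party at commit time
    honest_ok, _ = log.verify(anchor)

    # Tampering 1: edit the committed record in place.
    log.records[0]["content_hash"] = sha256_hex(TAMPERED_RECORD)
    edit_ok, broke_at = log.verify(anchor)

    # Tampering 2: rebuild an internally consistent chain with the false history.
    forged = HashChainedLog()
    forged.append("registrar", "create", TAMPERED_RECORD)
    forged.append("registrar", "read", TAMPERED_RECORD)
    forged_ok, _ = forged.verify(anchor)  # links are fine, head != anchor

    return {"honest": honest_ok, "in_place_edit": edit_ok,
            "broke_at": broke_at, "rebuilt_chain": forged_ok}


if __name__ == "__main__":
    print("ex post facto hash validates tampered copy:", ex_post_facto_scenario())
    print("in situ chain:", in_situ_scenario())
```

The point of the two scenarios is the anchor: the in-place edit is caught by the per-record hash, and even a rebuilt, self-consistent chain fails because its head no longer matches the value that left the system when the record was created. Imaging and hashing afterwards has no such reference point.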
The new mindset will have a profound impact on not just forensics but the world of audit, governance and regulatory compliance.
In a series of blog posts we will discuss the NIST '66', Network Function Virtualization, Legal Intercept, Portability of Evidence and much more.