Tim Storer

Calm Before the Storm: The Challenges of Cloud Computing in Digital Forensics

Cloud computing is a rapidly evolving information technology (IT) phenomenon. Rather than procure, deploy and manage a physical IT infrastructure to host their software applications, organizations are increasingly deploying their infrastructure into remote, virtualized environments, often hosted and managed by third parties. This development has significant implications for digital forensic investigators, equipment vendors, law enforcement, as well as corporate compliance and audit departments (among others). Much of digital forensic practice assumes careful control and management of IT assets (particularly data storage) during the conduct of an investigation. This paper summarises the key aspects of cloud computing and analyses how established digital forensic procedures will be invalidated in this new environment. Several new research challenges addressing this changing context are also identified and discussed.

Using Smartphones as a Proxy for Forensic Evidence Contained in Cloud Storage Services

Cloud storage services such as Drop box, Box and Sugar Sync have been embraced by both individuals and organizations. This creates an environment that is potentially conducive to security breaches and malicious activities. The investigation of these cloud environments presents new challenges for the digital forensics community. It is anticipated that smart phone devices will retain data from these storage services. Hence, this research presents a preliminary investigation into the residual artifacts created on an iOS and Android device that has accessed a cloud storage service. The contribution of this paper is twofold. First, it provides an initial assessment on the extent to which cloud storage data is stored on these client-side devices. This view acts as a proxy for data stored in the cloud. Secondly, it provides documentation on the artifacts that could be useful in a digital forensics investigation of cloud services.

A comparison of forensic evidence recovery techniques for a windows mobile smart phone

Acquisition, decoding and presentation of information from mobile devices is complex and challenging. Device memory is usually integrated into the device, making isolation prior to recovery difficult. In addition, manufacturers have adopted a variety of file systems and formats complicating decoding and presentation. A variety of tools and methods have been developed (both commercially and in the open source community) to assist mobile forensics investigators. However, it is unclear to what extent these tools can present a complete view of the information held on a mobile device, or the extent the results produced by different tools are consistent. This paper investigates what information held on a Windows Mobile smart phone can be recovered using several different approaches to acquisition and decoding. The paper demonstrates that no one technique recovers all information of potential forensic interest from a Windows Mobile device; and that in some cases the information recovered is conflicting.

Deriving Information Requirements from Responsibility Models

This paper describes research in understanding the requirements for complex information systems that are constructed from one or more generic COTS systems. We argue that, in these cases, behavioural requirements are largely defined by the underlying system and that the goal of the requirements engineering process is to understand the information requirements of system stakeholders. We discuss this notion of information requirements and propose that an understanding of how a socio-technical system is structured in terms of responsibilities is an effective way of discovering this type of requirement. We introduce the idea of responsibility modelling and show, using an example drawn from the domain of emergency planning, how a responsibility model can be used to derive information requirements for a system that coordinates the multiple agencies dealing with an emergency.

Electronic retention: what does your mobile phone reveal about you?

The global information rich society is increasingly dependent on mobile phone technology for daily activities. A substantial secondary market in mobile phones has developed as a result of a relatively short life-cycle and recent regulatory measures on electronics recycling. These developments are, however, a cause for concern regarding privacy, since it is unclear how much information is retained on a device when it is re-sold. The crucial question is: what, despite your best efforts, does your mobile phone reveal about you?. This research investigates the extent to which personal information continues to reside on mobile phones even when users have attempted to remove the information; hence, passing the information into the secondary market. A total of 49 re-sold mobile devices were acquired from two secondary markets: a local pawn shop and an online auction site. These devices were examined using three industry standard mobile forensic toolkits. Data were extracted from the devices via both physical and logical acquisitions and the resulting information artifacts categorized by type and sensitivity. All mobile devices examined yielded some user information and in total 11,135 artifacts were recovered. The findings confirm that substantial personal information is retained on a typical mobile device when it is re-sold. The results highlight several areas of potential future work necessary to ensure the confidentially of personal data stored on mobile devices.

An empirical comparison of data recovered from mobile forensic toolkits

Mobile devices are increasingly being used as a source of digital evidence in criminal investigations. Mobile forensic toolkit manufacturers have responded to this trend by developing recovery methods capable of recovering evidence from the ever growing range of mobile device models. However, there is a considerable amount of concern as to the reliability of evidence produced from forensic software, with a number of authors documenting difficulties verifying evidence when it is obtained. This paper reports on a comparison of data recovered by a selection of software based methods available in three mobile device forensic toolkits. The results provide the first empirical evidence that there is considerable variation in results between recovery methods in terms of the proportion of data recovered from different devices by different toolkits. In addition, the results suggest that a forensics investigator will face serious challenges verifying the data recovered using one method using the data recovered by another.

Polsterless Remote Electronic Voting

Abstract Remote electronic voting is currently being piloted in the UK as a means of increasing the convenience of casting a ballot, which it is hoped will be reflected in an increased participation in elections. Most proposed electronic voting schemes envisage the use of cryptography in order to model the features of democratic elections, which, informally, include notions such as the secret ballot and a verifiable tallying system. This approach requires the use of a software artifact, or polster, which casts a ballot on the electors behalf. A consequence of this approach requires the elector to trust software supplied by the election authority, as well as limiting the range of devices on which the ballot may be cast. An alternative to the use of cryptography employs a polsterless electronic voting system. Here, a proposed polsterless system for UK elections is considered and the flaws identified. A revised scheme is then proposed that provides verifiability and improved resistance to abuse, without requiring too much additional participation from the elector.

Recovering residual forensic data from smartphone interactions with cloud storage providers.

There is a growing demand for cloud storage services such as Dropbox, Box, Syncplicity, and SugarSync. These public cloud storage services can store gigabytes of corporate and personal data in remote data centers around the world, which can then be synchronized to multiple devices. This creates an environment which is potentially conducive to security incidents, data breaches, and other malicious activities. The forensic investigation of public cloud environments presents a number of new challenges for the digital forensics community. However, it is anticipated that end-devices, such as smartphones, will retain data from these cloud storage services. This research investigates how forensic tools that are currently available to practitioners can be used to provide a practical solution for the problems related to investigating cloud storage environments. The research contribution is threefold. First, the findings from this research support the idea that end-devices which have been used to access cloud storage services can be used to provide a partial view of the evidence stored in the cloud service. Second, the research provides a comparison of the number of files which can be recovered from different versions of cloud storage applications. In doing so, it also supports the idea that amalgamating the files recovered from more than one device can result in the recovery of a more complete dataset. Third, the chapter contributes to the documentation and evidentiary discussion of the artifacts created from specific cloud storage applications and different versions of these applications on iOS and Android smartphones.

OBSERVATIONS OF THE SCOTTISH ELECTIONS 2007

In the recent Scottish elections, an e-counting system was employed to manage the increased complexity of the Scottish electoral system. The elections were also the first to allow members of the public to register as election observers, accredited by the Electoral Commission. This paper discusses some of the issues that arose during observations made by the authors as observers, relating to the use of the new e-counting system.

E-Voting in an Ubicomp World

The advances made in technology have unchained the user from the desktop into interactions where access is anywhere, anytime. In addition, the introduction of ubiquitous computing (ubicomp) will see further changes in how we interact with technology and also socially. Ubicomp evokes a near future in which humans will be surrounded by “always-on,” unobtrusive, interconnected intelligent objects where information is exchanged seamlessly. This seamless exchange of information has vast social implications, in particular the protection and management of personal information. This research project investigates the concepts of trust and privacy issues specifically related to the exchange of e-voting information when using a ubicomp type system.