E-Discovery and Digital Forensics in the Cloud

Uploaded by chirpskulk under Internet and Web Applications, 3 Nov 2013

E-Discovery and Digital Forensics in the Cloud

By Amelia Phillips
Chair, Pure & Applied Science Division
CIS and Computer Science Departments
Highline Community College

Objectives

- Define the Cloud
- Digital Forensics vs. E-Discovery
- How does e-discovery differ from digital forensics?
- Can forensics software be used to teach e-discovery?
- What happens when the "cloud" enters the picture?
- What laws, policies, etc. affect how you approach e-discovery and digital forensics in the cloud?
- AWS: an inexpensive approach
- An E-Discovery / Digital Forensics Curriculum
- Summary

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Basic Framework

- Five Essential Characteristics
- Three Service Models
- Four Deployment Models

The Cloud as Defined by NIST

Definition: Five Essential Characteristics
- On-demand self service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service


Models and Methods

Three Service Models
- SaaS
- PaaS
- IaaS

Four Deployment Models/Methods
- Private
- Public
- Community
- Hybrid

Define Digital Forensics

- The application of forensics techniques to collect and analyze digital information
- May be used for civil, criminal, or administrative investigations
- May be inculpatory or exculpatory

Define E-Discovery

- The process of applying the traditional legal discovery process to electronic evidence
- Discovery is the compulsory disclosure of data, facts and documents in civil and criminal cases.
- Electronic evidence encompasses any electronically stored information (ESI)
- Civil, criminal, bankruptcy cases

Whose Perspective?

Four General Perspectives
- The legal expert, an attorney or a paralegal who understands the law but may or may not have been exposed to e-discovery or digital forensics
- The e-discovery expert who comes from a corporate perspective.
- The digital forensics expert who understands forensic standards and software and the procedures involved.
- The IT expert who knows where things are stored on the OS and NOS but may have no (or very limited) legal knowledge


Digital Forensics Tools

- EnCase
- AccessData's FTK
- ProDiscover
- X-Ways
- SleuthKit / Autopsy
- Variety of others

(Screenshot: AccessData's FTK showing header info)

An Effective Digital Forensics Tool

- Create a forensically sound device image
- File hashing
- Searches (DTSearch)
- Data carving
- Deleted files, file fragments
- Registry information, logs, encryption, metadata
- Activity logging

E-Discovery Tools

- Concordance
- Discovery Assistant by IMAGEMaker
- @LegalDiscovery
- Catalyst CR
- AD Summation iBlaze
- Nextpoint Discovery Cloud
- Sherpa Software Discovery Attender
- And more


An Effective E-Discovery Tool

- Searches (DTSearch)
- De-duping
- Convert data/documents to TIFF or PDF
- OCR for indexing
- Bates numbering for tracking
- Exporting
- Activity logging
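As an added example that is not from the slides or from any of the products listed above, the following Python script implements three of the steps that both tool lists share (file hashing, de-duping and Bates numbering) together with an activity log, run over a constructed set of in-memory documents. The Bates prefix ACME and the document contents are made up for the demonstration.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample collection: (file name, content). memo_copy.txt is a
# byte-for-byte copy of memo.txt, so hash-based de-duping must drop it.
SAMPLE_DOCS = [
    ("memo.txt", b"Q3 forecast: revise the supplier contract."),
    ("memo_copy.txt", b"Q3 forecast: revise the supplier contract."),
    ("board_notes.txt", b"Board notes: litigation hold issued 2013-10-01."),
]

def sha256_hex(data: bytes) -> str:
    """File hashing: the fingerprint used to verify an acquired image and to de-dupe."""
    return hashlib.sha256(data).hexdigest()

@dataclass
class ReviewSet:
    prefix: str              # Bates prefix, e.g. the producing party's abbreviation
    width: int = 6           # zero-padded sequence width (ACME000001, ...)
    seen: dict = field(default_factory=dict)      # sha256 -> Bates number already assigned
    produced: list = field(default_factory=list)  # unique documents in production order
    log: list = field(default_factory=list)       # activity log: (utc timestamp, action, detail)
    counter: int = 0

    def record(self, action: str, detail: str) -> None:
        # Activity logging: every hash, de-dupe decision and numbering step is timestamped.
        self.log.append((datetime.now(timezone.utc).isoformat(), action, detail))

    def ingest(self, name: str, data: bytes):
        digest = sha256_hex(data)
        self.record("hash", f"{name} sha256={digest}")
        if digest in self.seen:
            # De-duping: identical content keeps its first Bates number; the copy is logged and skipped.
            self.record("dedupe", f"{name} duplicate of {self.seen[digest]}")
            return None
        self.counter += 1
        bates = f"{self.prefix}{self.counter:0{self.width}d}"  # Bates numbering for tracking
        self.seen[digest] = bates
        self.produced.append({"bates": bates, "name": name, "sha256": digest})
        self.record("bates", f"{name} -> {bates}")
        return bates

def process(docs, prefix: str = "ACME") -> ReviewSet:
    """Run hashing, de-duping and Bates numbering over a collection and return the review set."""
    rs = ReviewSet(prefix)
    for name, data in docs:
        rs.ingest(name, data)
    return rs
```

Running `process(SAMPLE_DOCS)` yields two produced documents (ACME000001 and ACME000002) and a six-entry log in which the duplicate is recorded against the Bates number of its original.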



(Screenshots: Reverse Funnel Method; Discovery Attender: Finding email, Choose Search Criteria, Search Results, De-Duping)

Comparison

                                     | E-Discovery                 | Digital Forensics
-------------------------------------|-----------------------------|--------------------------------
Types of Cases                       | Civil, Criminal, Bankruptcy | Civil, Criminal, Administrative
What information are you looking for | Probably Know               | May or May not Know
Requires a Forensic image or similar | Rarely                      | Generally
De-Duping                            | Generally                   | Never
Established Policies / Procedures    | Yes                         | No (see explanation)
Warrants and subpoenas               | Depends on Case             | Depends on case
Timeline critical                    | Generally Not               | Generally Yes
Metadata                             | Sometimes                   | Always

Dealing with Multinational Corporations

- Every country must deal with email, mobile business and devices, data, ecommerce, BlackBerrys, and PDAs
- Privacy laws vary from country to country.
- Chain of custody
- Qualifications of examiners
- Process and procedure

Source: HICSS 44

EDRM

- Electronic Discovery Reference Model
- Created by George Socha and Tom Gelbmann (an attorney and a former CIO of two law firms)
- Based on the Sedona Principles
- Participating companies include AccessData, Guidance Software, Deloitte, Avantstar, Chesapeake Energy, IBM, LexisNexis

From http://www.edrm.net

Sedona Principles

- Guidelines for handling electronic documents
- Native format
- Converted to TIFF or PDF
- 14 guidelines

1. Electronically stored information is potentially discoverable under Fed. R. Civ. P. 34 or its state equivalents. Organizations must properly preserve electronically stored information that can reasonably be anticipated to be relevant to litigation.

2. When balancing the cost, burden, and need for electronically stored information, courts and parties should apply the proportionality standard embodied in Fed. R. Civ. P. 26(b)(2)(C) and its state equivalents, which require consideration of the technological feasibility and realistic costs of preserving, retrieving, reviewing, and producing electronically stored information, as well as the nature of the litigation and the amount in controversy.

3. Parties should confer early in discovery regarding the preservation and production of electronically stored information when these matters are at issue in the litigation and seek to agree on the scope of each party's rights and responsibilities.

4. Discovery requests for electronically stored information should be as clear as possible, while responses and objections to discovery should disclose the scope and limits of the production.

Growth of E-Discovery

- A 2009 study by McKinsey & Company: electronic discovery requests were growing by 50% annually.
- Growth in e-discovery spending from $2.7 billion in 2007 to $4.6 billion in 2010, according to a Socha Consulting LLC survey.

Taken from George Lawson, http://searchcloudcomputing.techtarget.com/feature/Cloud-computing-crime-poses-unique-forensics-challenges


Laws in the Cloud

- Laws cannot keep pace with technology
- Common law countries such as the US, UK, South Africa, Namibia use case law
- Civil law countries use statutory law


Objectives

- Digital Forensics
  - Evidence obtained holds up in court
  - The examiner holds up under scrutiny
- Multinational Companies

Privacy Laws

- USA citizens take the expectation of privacy for granted
- Privilege "according to UK common law ... allows a person to refuse to testify on a matter or to withhold information"
  - Includes self incrimination
  - Legal counsel privilege
  - Statements made without prejudice
- China and Japan (and other non-English speaking nations) have laws that are significantly different

Presented at HICSS 44

Privacy in the Cloud

In State vs. Bellar, Oregon Court of Appeals Judge Timothy Sercombe wrote, "Nor are a person's privacy rights in electronically stored personal information lost because that data is retained in a medium owned by another. Again, in a practical sense, our social norms are evolving away from the storage of personal data on computer hard drives to retention of that information in the 'cloud,' on servers owned by Internet service providers. That information can then be generated and accessed by hand-carried personal computing devices. I suspect that most citizens would regard that data as no less confidential or private because it was stored on a server owned by someone else."

http://searchcloudcomputing.techtarget.com/feature/Cloud-computing-crime-poses-unique-forensics-challenges

Whose Laws / Jurisdiction?

- Very little case law exists
- How is jurisdiction determined?
  - Country of accused or responding party
  - Country of accuser or requesting party
  - Where the servers are located?


Multi-tenants in the Cloud

- Unless you specify and pay for no neighbors, you / your company share the hardware with others
- Do you know who they are?
- Implies shared logs, metadata, registry, etc.
- Cloud Service Providers (CSPs) may have to create an infrastructure to address how to efficiently respond to requests



- The U.S. government has also attempted to expand the scope of data that can be lawfully requested without a warrant through a National Security Letter (NSL).
- In August, the Obama administration requested to add "electronic communication transaction records" to the data included in an NSL, requiring providers to include the addresses a user has emailed, the times and dates of transactions, and possibly a user's browser history.
- Providers have to ensure that their infrastructure can deliver on these requests in a timely manner.

Taken from http://searchcloudcomputing.techtarget.com/feature/Cloud-computing-crime-poses-unique-forensics-challenges


E-Discovery / Digital Forensics Curriculum

- Bridging the gap between legal and IT students
- Study of terminology
- Differences in process
- Add a legal class to the curriculum

Using Forensics Software for E-Discovery

- Students must understand the difference
- Privacy issues
- Proprietary information
- Time and cost constraints


Students in the Cloud

- Cloud University
  - Free certification (may change)
  - http://www.rackspace.com/knowledge_center/cloudu/
- Amazon Web Services
  - http://aws.amazon.com/education/
  - Offers a grant of $100 of free time per student registered

Case Study A

- A multi-national company with 70% of their data in the cloud is being sued
- The CSP by happenstance moves the data to their servers in Brazil
- Have the students find the applicable laws for a civil and a criminal case for retrieval of the data


Case Study B

- Create three servers in the academic cloud
- Assign them names to track
- Plant data on each
- Using standard load balancing techniques, have the data move each day
- Assign either a criminal forensics case or civil e-discovery case to the students and have them apply the correct procedure or law based on the country

Summary

- E-discovery is here to stay
- Not a hard transition for curriculum
- Some cost factors
- New frontier