Jusletter IT

If the appearance of our «Information Society» can be described as distributed networks,¹ data are its substance and computation is its form. Indeed, current technologies allow not only to access huge and pervasive amounts of information, but also to handle «virtualized» computing resources.

The cutting-edge trend in ICT is brought about by «cloud computing».² In it, such «virtualization» can be provided in very different ways,³ yet the most common are known as «Infrastructure as a Service» (IaaS),⁴ «Platform as a Service» (PaaS),⁵ and «Software as a Service» (SaaS).⁶

These technologies are spreading at a very fast pace not only in the legal, but also the illegal economy. Indeed, nowadays cybercrime is scattered in transnational networks capable of sudden attacks with severe damages and often irreversible consequences.

The key issue is that, day by day, it becomes more and more difficult for investigating authorities to collect evidence. The main challenge is that, with such technologies, criminal activities don’t leave any trace on the servers, so prosecutors have neither hard disks to access, nor a network to analyse or a data stream to intercept⁷.

In this paper we address legal and technical issues of «cloud forensics» in order to offer, on the one hand, the theoretical framework in which they are placed and, on the other hand, to detect criteria suitable to contribute to solving practical difficulties. To do so, we focus on three different profiles that can be expressed in the following answers: (1) from a philosophical-epistemical perspective, in which sense an «information» can be considered as «evidence»? (2) in a legal-theorical sense, how «information» can be introduced in legal proceedings? (3) forensically, what requirements should «digital evidence» gathered from a cloud fulfil in order to become affordable? In the next paragraphs, after discussing these issues, we provide an example of a peculiar technology developed according to the identified criteria and then we express some final remarks.

As «information» is not a material entity, many issues arise in contemporary legal thought. Among them, some are afflicting the concept of «proof», which needs to be redefined in order to include, on one hand, the idea of «information» in itself and, on the other hand, evidence collected with digital support⁸.

In order to provide a background explanation for the concept of «information», it is useful to recall the epistemical perspective better known as the «Philosophy of Information»,⁹ which has been taken into consideration in the «Onlife Manifesto»,¹⁰ a document promoted under the auspices of the European Union. In this regard, we focus on three main topics: (1) the ontological status of the «information», (2) the «Level of Abstraction» (LoA) and (3) the Multi-Agent System (MAS).

Starting with the first, we may say that the «Philosophy of Information» shapes a metaphysical perspective from the cybernetic¹¹ vision, identifying three ontological statuses of «information»: (1) «Information as reality», for example the electrical signal, which is transmitted regardless of the message contained, (2) «Information about reality», that is information about natural phenomena, (3) «Information for reality», which conveys instructions or algorithms to one or many recipients. The evolution of the contemporary concept of «information» is represented in the following table¹².

Information theory13	Cybernetics	Philosophy of Information14
Technical information	Technological information	Information as reality
Semantic information	Natural information	Information about reality
Influential information	Cultural information	Information for reality

Table 1: Three ontological statuses of «information»

Considering the second aspect, since the «Philosophy of Information» aims to overtake the traditional distinction between «reality» and «representation», on the one hand, and between «object» and «subject», on the other hand, «information» is conceived within its «Level of Abstraction» (LoA) that represents the perspective adopted by the observer in gathering information. Precisely, a LoA is a formalized model of the observer’s expectations concerning the inputs of the observation.¹⁵

As regards the third profile, since in the «Philosophy of Information» every aspect of reality can be represented and thus formalized in «information», a LoA can contain many observers sharing resources and exchanging data in different ways.

According to such perspective, the concept of legal system in itself can be redefined: political, institutional, economic, legal and also personal interactions can be conceived as MASs¹⁶. Thus, by means of legal rules it is possible to set LOAs in which not only the difference between hardware and software becomes irrelevant, but also between technological protocols and procedural regulations, or even people and machines.¹⁷

We can implement the vision brought by the «Philosophy of Information» into the legal system not only from a comprehensive view, as done in the previous paragraph, but also focusing on the workflows in which law actually is enforced. In such terms, a legal procedure can be generally arranged on a LoA defined as a given set of technological processes – natural and artificial, bureaucratic and technical in a strict sense – managed by a MAS including very heterogeneous figures (judges, lawyers, policemen, parties, witnesses, expert witnesses, court clerks, etc.) each pursuing its own strategy in gathering data and interacting with others.¹⁸

If the structure of a legal proceeding can be shaped in a LoA and if its functions can be modelled in a MAS, then we can develop a vision in which each kind of «information» finds a correspondence in traditional legal concepts: (1) «Information as reality» includes «evidence», (2) «Information about reality» corresponds to procedural rules»; (3) «Information for reality» is represented by the judicial decision¹⁹.

Provided that evidence has to be considered as «information about reality», additional issues arise concerning the «quality of information» collected.²⁰ Indeed, precautions have to be adopted in the process of abstracting information from facts so as to guarantee the affordability of data to be presented as evidence and discussed by parties in the proceedings. Historically, we can say that this is the purpose of all forensic disciplines, which have evolved and developed criteria, methods and standards to allow expert witnesses to contribute with their findings to the debate among non-experts (defendants, prosecutors, judges).²¹

In «digital forensics»,²² two important features need to be identified. Firstly, since «information» becomes the very subject of inquiry, the technological factor needs indeed to be considered, so the continuous and fast evolution of ICTs requires endless forensic methodologies and best practices updates. Secondly, it becomes critical for expert witnesses to be trusted in their findings as well as to have the most widespread technological know-how or to cope with elevated scientific understanding.²³ In this field «information quality» hangs on different factors, the most relevant of which are «data security» (confidentiality of investigative information), «data privacy» (discretion of personal matters) and «data transparency» (reviewability of procedures).²⁴ Best practices, acknowledged by international treaties and implemented by state legislations aim to establish a «chain of custody» of the physical support in order to safeguard the transparency of the operations performed on it.²⁵

Digital forensics, of course, has specialized in a sub-field of inquiry concerning «cloud forensics»²⁶ where «information quality» is even a more challenging task.

The overall approach to this suite of technologies, methods and criteria is qualified as «hybrid» since it involves «technology» (different technologies, such as remote, virtual, network, live, large-scale, thin client, thick client), «organization» (different roles, such as cloud provider, cloud consumer, cloud broker, cloud carrier, cloud auditor) and «legislation» (multijurisdictional and multi-tenant situations). Each aspect presents various challenges, which have been discussed by scholars²⁷ and explored by governments.²⁸ Besides technical details cloud forensics is a very elusive concept, in fact, the contents of the cloud, by their nature, are extremely volatile and thus relevant data can be changed or no longer be available at the time of trial, due to several factors: for example, voluntary deletion, fortuitous event, data obsolescence, damaged infrastructure, database corruption. Furthermore, as said above, the cloud does not keep any trace of such modification²⁹. Given these facts, it is mandatory to acquire evidence that can be considered identical to the source, even if original data is no longer available at the time of the trial, as in other branches of digital forensics (i.e. «forensics images» of hard disks).

Unlike digital forensics, in cloud forensics there are still no specific standards or clear guidelines recognized at an international level. Hence, in this field to guarantee the «quality of information» – precisely: to ensure that the collected data are identical to the original even if those are missing – the only method is to adapt the current procedures (such as ISO/IEC 27037:2012).

We argue that «information quality» in «cloud forensics» can be guaranteed designing an ad hoc clean and transparent virtual «forensics capture environment» fulfilling at least the following four criteria: (1) a secure connection has to be established between said environment (which is used by the forensics operator) and the web server containing relevant data (the information to be acquired), in the absence of devices that could tamper the content of the network traffic; (2) said environment has to be guaranteed to be clean from any kind of malware; (3) the data collector cannot have any kind of control on the platform and its processes; (4) the process has to be transparent and any alteration after the data collection has to be prevented.

Many commercial tools perform some of the previously mentioned criteria without any warranty on the fact that data cannot be subsequently modified or that data has not been altered before reaching the capture environment (intentionally, for incompetence or due to third parties)³⁰.

This guarantee is provided instead by the LegalEYE™ platform (www.legaleye.it), supported by the Departments of Computer Science and of Legal Sciences in the University of Udine.

LegalEYE™’s solution consists in an innovative procedure, based on ISO/IEC 27037:2012³¹ but greatly improved and adapted to an online environment.

The first part of the innovative approach is the change of the acquisition environment, which is now based on a monitored and protected cloud environment with an encrypted «evidence recording» service available for the forensics operator – or user – only. The user has no administration rights on this environment and is not able to alter the evidence collected or the network connection. The acquisition environment is not the user’s device anymore, which can be affected by a virus or a malware that would alter/destroy the evidence and make it useless in front of the court.

Another outcome of this approach is that the network connection between the acquisition environment and the web server containing the relevant data is the one between the target webserver and the LegalEYE™ monitored infrastructure, and not the user’s Internet connection, which can be altered by a network device.

The LegalEYE™ cloud environment relies on virtual machines. Every time a user starts an acquisition, a new virtual machine is powered up using a standard and certified template. The virtual machine template gets the current time and date from NTP servers, captures network traffic, records the video of the browsing activity, takes screenshots of the visited websites, gets data from the Domain Name System and uses other tools/commands such as ipconfig, route, arp, tcpdump, tracert, win32tm, nslookup, whoisCL, etc.³²

Thanks to this innovative approach and to other procedures, the collected evidences cannot be altered with errors, malice, malware or concealed network devices because the user has no way to modify the LegalEYE environment. All the collected evidences are automatically stored in an encrypted container, which is digitally signed using a timestamp and a strong Hash algorithm.

From the user’s perspective, LegalEYE™ is an online tool (rather than a software) accessible via a web-interface. The user logs into the LegalEYE™ website, starts the acquisition and is able to browse the Internet via the LegalEYE™ web interface, collecting evidences that are automatically checked, recorded, hashed, marked, encrypted and directly stored in a secure cloud environment and cannot be altered by any third party (including the user). The LegalEYE™ process of evidence collection is in compliance with the regulations and standards required by the law.

When the user has completed his evidence collection he can download an encrypted archive with all the evidence and a whitepaper that describes the LegalEYE™ environment and outlines the set of technical and legal documents which LegalEYE™ is compliant with³³.

Cloud forensics are very promising tools to be used in tackling the challenges of cybercrime.

In order to be suitable for this aim, not only technological procedures have to be standardized, but also theoretical premises need to be clarified and legal framework has to be enforced accordingly.

Provided that we intend to proceed in the following paths of research: (1) deepen the representation of the legal procedures in terms of LOA, according to the approach developed in the «Philosophy of Information»; (2) define the role of the «information quality» not only in forensic science (information about reality), but also as regards the procedural rules (information as reality) and court decision (information for reality); (3) improve the understanding of cloud forensics; (4) represent in terms of «second-order» systems the strategic behaviour of each agent within a legal procedure.

Association of Chief Officers Policy, Good Practice Guide for Digital Evidence, Version 5, ACPO, 2012.

Attanasio, Antonino/Costabile, Gerardo (eds.), IISFA Memberbook 2012. Digital Forensics. Knowledge sharing among members of the IISFA Chapter, Experta, Forlì 2013.

Attanasio, Antonino/Costabile, Gerardo (eds.), IISFA Memberbook 2013. Digital Forensics. Knowledge sharing among members of the IISFA Chapter, Experta, Forlì 2014.

Barabási, Albert-László, Network science, Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences 2013, Vol. 371, Issue 1987.

Baran, Paul, On Distributed Communications Networks. RAND Corporation papers, RAND 1962.

Bateson, Gregory, Mind and nature: a necessary unity, Dutton, New York 1979.

Birk, Dominik/Panico, Michael (eds.), Mapping the Forensic Standard ISO / IEC 27037 to Cloud Computing CSA (Cloud Security Alliance), 2013.

Borgmann, Albert, Holding on to reality. The nature of information at the turn of the millennium, University of Chicago Press, Chicago 1999.

Council of Europe, Electronic evidence guide – A basic guide for police officers, prosecutors and judges Version 1.0, 2013.

Floridi, Luciano, The Ethics of Information, Oxford University Press, London 2013.

Floridi, Luciano (ed.), The Onlife Manifesto. Being Human in a Hyperconnected Era, Open Access Springer, Berlin-Heidelberg 2015.

Floridi, Luciano, The Philosophy of Information, Oxford University Press, Oxford 2013.

Floridi, Luciano/Illari, Phyllis, The Philosophy of Information Quality, Synthese Library, 358, Springer, Berlin-Heidelberg 2014.

Gettier, Edmund, Is Justified True Belief Knowledge?, Analysis 1963, Vol. 23, Issue 6, pp. 121–123.

Harjinder Singh, Lallie/ Lee, Pimlott, Challenges in applying the principles in ACPO cloud forensic investigations, the Journal of Digital Forensics, Security and Law 2012, Vol. 7, Issue 1, pp. 15–28.

IACIS, Internet Forensics and Investigation Training Program, 2015.

Illari, Phyllis/Allo, PatrickBaumgaertner, Bert/D’Alfonso, Simon/Fresco, Nir/Gobbo, Federico/Grubaugh, Carson/Iliadis, Andrew/Kerr, Eric/Giuseppe, Primiero/Russo, Federica/Schulz, Christoph/Taddeo, Mariarosaria/Turilli, Matteo/Vakarelov, Orlin/Zenil, Hector, The Philosophy of Information – a Simple Introduction. Society for the Philosophy of Information, 2012.

Kohn, M. D./Eloff, M. M./Eloff, J. H. P., Integrated digital forensic process model, Computers & Security 2013, Vol. 38, pp. 103–115.

Luhmann, Niklas, Soziale Systeme. Grundriss einer allgemeinen Theorie, Suhrkamp, Frankfurt am Main 1984.

Maturana, Humberto R./Stafford Beer, Anthony/Varela, Francisco J., Autopoiesis and cognition: the realization of the living, Boston Studies in the Philosophy of Science, 42, D. Reidel Pub. Co., Dordrecht 1972.

Mell, Peter/ Grance, Timothy, The NIST Definition of Cloud Computing, NIST Special Publication 800-145, U.S. Department of Commerce, Gaithersburg 2011.

NIST Cloud Computing Forensic Science Working Group, NIST Cloud Computing Forensic Science Challenges, 2014.

Oliveira, José Antonio Maurilio Milagre/Caiado, Marcelo Beltrão, Cloud Forensics. Best practice and challenges for process efficiency of investigations and digital forensics, Proceedings of the Eight Conference in Computer Science ICOFCS, Brasilia, 2013.

Palmer, Gary, A Road Map for Digital Forensic Research. Report From the First Digital Forensic Research Workshop (DFRWS), New York 2001.

Pichan, Ameer/Lazarescu, Mihai/Soh, Sie Teng, Cloud forensics: Technical challenges, solutions and comparative analysis, Digital Investigation 2015, Vol. 13, pp. 38–57.

Povar, Digambar/Geethakumari, G., A Heuristic Model for Performing Digital Forensics in Cloud Computing Environment. In: Mauri JaimeLloret, Thampi SabuM, Rawat DandaB, Jin Di (eds.), Security in Computing and Communications, Communications in Computer and Information Science, Springer, Berlin-Heidelberg 2014, pp. 341–352.

Ruan, Keyun/Carthy, Joe/Kechadi, Tahar/Baggili, Ibrahim, Cloud forensics definitions and critical criteria for cloud forensic capability: An overview of survey results, Digital Investigation 2013, Vol. 10, Issue 1, pp. 34–43.

Ruan, Keyun/Carthy, Joe/Kechadi, Tahar/Crosbie, Mark, Cloud forensics, Advances in digital forensics VII Springer, Berlin-Heidelberg 2011, pp. 35–46.

Schafer, Burkhard, Information Quality and Evidence Law: A New Role for Social Media, Digital Publishing and Copyright Law? In: Floridi Luciano, Illari Phyllis (eds.), The Philosophy of Information Quality, Synthese Library, 358, Springer, Berlin-Heidelberg 2014, pp. 217–238.

Sharma, Sugan, Evolution of as-a-Service Era in Cloud. https://arxiv.org/abs/1507.00939v1, 2015.

Simon, Judith, Distributed Epistemic Responsibility in a Hyperconnected Era. In: Floridi Luciano (ed.), The Onlife Manifesto, Springer, Berlin-Heidelberg 2015, pp. 145–159.

Simou, Stavros/Kalloniatis, Christos/Kavakli, Evangelia/Gritzalis, Stefanos, Cloud Forensics: Identifying the Major Issues and Challenges. In: Jarke Matthias, Mylopoulos John, Quix Christoph, Rolland Colette, Manolopoulos Yannis, Mouratidis Haralambos, Horkoff Jennifer (eds.), Advanced Information Systems Engineering, Lecture Notes in Computer Science, Springer, Berlin-Heidelberg 2014, pp. 271–284.

van Beek, H. M. A./van Eijk, E. J./van Baar, R. B./Ugen, M./Bodde, J. N. C./Siemelink, A. J., Digital forensics as a service: Game on, Digital Investigation 2015, Vol. 15, pp. 20–38.

Weaver, Warren, The Matemathics of Communication, Scientific American 1949, Vol. 181, Issue 1, pp. 11–15.