Association for Information Systems
AIS Electronic Library (AISeL)
AMCIS 2021 Proceedings
Information Security and Privacy (SIG SEC)
Aug 9th, 12:00 AM
Legal Challenges in Cloud Forensics
Kaitlin Marshall, Western Michigan University, kaitlin.m.marshall@wmich.edu
Alan Rea, Western Michigan University, alan.rea@wmich.edu
Follow this and additional works at: https://aisel.aisnet.org/amcis2021
Recommended Citation
Marshall, Kaitlin and Rea, Alan, "Legal Challenges in Cloud Forensics" (2021). AMCIS 2021 Proceedings. 6.
https://aisel.aisnet.org/amcis2021/info_security/info_security/6
This material is brought to you by the Americas Conference on Information Systems (AMCIS) at AIS Electronic
Library (AISeL). It has been accepted for inclusion in AMCIS 2021 Proceedings by an authorized administrator of
AIS Electronic Library (AISeL). For more information, please contact elibrary@aisnet.org.
Legal Issues in Cloud Forensics
Twenty-Seventh Americas Conference on Information Systems, Montreal, 2021
Legal Challenges in Cloud Forensics
Completed Research
Kate Marshall
Western Michigan University
kaitlin.m.marshall@wmich.edu
Alan Rea
Western Michigan University
alan.rea@wmich.edu
Abstract
As the cloud landscape and its number of users continue to grow, so does the amount of criminal activity
and evidence on and in the cloud. The need for capable cloud forensic investigations is increasing; however,
owing to the slow pace of legal systems compared with the inherent rapidity of technological change, the
field of Cloud Forensics is faced with many legal issues and challenges, including blurred jurisdictional
boundaries; lack of physical access to media; admissibility of evidence; data ownership uncertainties; and
weak chain of custody proofs. The bulk of the research focuses not on technical challenges, but on cloud
computing and its associated legal challenges. It sheds light on these legal issues by exploring and
identifying legal challenges and the lack of standards for cloud forensic investigations. To alleviate
difficulties faced in cloud forensic investigations, multiple recommendations are offered.
Keywords
Cloud forensics, digital forensic investigations, legal challenges, cloud service providers
Introduction
The exponential growth of cloud computing users directly correlates with an ever-increasing number of
cloud connected devices. In turn, forensic investigators are experiencing an upturn in cloud computing
encounters (Dees 2018). An associated rise in computer crime is expected, including fraud, theft, storage
and hiding of incriminating materials, and copyright distribution; inevitably, evidence of such crimes
increasingly will be stored on the cloud (Arford and Chow 2016; Choo et al. 2017). Rising numbers of
cybercrime associated with cloud usage, the cloud’s attractiveness for wrongdoing, and insufficient
forensic standards and practices in traditional digital forensics lead to the need for efficient and effective
cloud forensics (Mazurczyk et al. 2017).
Investigations concerning evidence stored in the cloud bring forth several legal and technical issues for
investigators. Inherently, the cloud transcends traditional boundary lines, and due to its “geographically
dispersed nature,” data virtually stored by a person in the United States may be physically stored on servers
located across the world (Choo 2014; Svantesson 2015). The slow, methodical pace of legal systems, coupled
with both the speed of technology adoption and the increasingly connected, ubiquitous nature of the cloud,
has led to a plethora of legal issues surrounding cloud forensic investigations: blurred jurisdictional
boundaries; lack of physical access to storage media; necessary reliance on cloud service providers (CSPs)
for data acquisition; questions regarding evidence admissibility; uncertainties surrounding data ownership;
and weak chain of custody proofs (Nasreldin et al. 2015; Willson 2013). The following research aims to
explore these legal issues by addressing the present gap in literature regarding both the identification and
implementation of standards for cloud forensic investigations and the ongoing lack of digital forensic
readiness as noted by Alenezi et al. (2019). To alleviate difficulties faced in cloud forensic investigations,
multiple recommendations are offered, including creation of potential standards and establishment of best
practices.
Literature Review
Literature exploring issues associated with cloud forensics is expanding in number and scope, but still
leaves one wanting for greater clarification of, and research into, potential solutions and creation of
standards for glaring legal issues. The review methodology was open and used simple search parameters.
Searches for “cloud forensics,” “cloud computing,” and “digital forensics” were performed within top
Information Systems journals and Information Security journals. Legal databases, such as Cornell’s Legal
Information Institute and JUSTIA, were searched for “digital,” “digital forensics,” and “cloud forensics.”
Cloud Computing
Cloud computing is considered an “evolving paradigm” that NIST defines as “a model for enabling
ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources”
(Mell and Grance 2011). Grance and Mell (2011) also define four main deployment methods: public, private,
hybrid, and community along with three service models: Software-as-a-Service (SaaS); Infrastructure-as-a-Service
(IaaS); and Platform-as-a-Service (PaaS). Arford and Chow (2016) explain that cloud computing
allows organizations or individuals to rent services, storage capacity, systems, etc., in order to avoid
potentially immense costs associated with maintaining their own infrastructure (Svantesson 2015).
Digital vs. Cloud Forensics
The field of digital forensics is concerned with crimes involving data stored on digital devices; this evidence
must be located, identified, preserved, and analyzed before being presented for litigation or in a court of
law (Choo 2014). In relation to digital forensics, computer forensics is defined by US-CERT (2008) as “the
discipline that combines elements of law and computer science to collect and analyze data from computer
systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in
a court of law” (p.1). In an interview with Conduitt, Gail-Joon Ahn, director of the Center for Cybersecurity
and Digital Forensics at Arizona State University, laid out the four rules of evidence in computer forensics
as follows: admissibility, accuracy, timeline, and compliance (Conduitt 2016).
Rapid growth and adoption of cloud technologies has necessitated a form of forensics capable of handling
the dynamic nature of the cloud. Cloud forensics is described as a subset of digital forensics and largely
focuses on the ability to gather evidence regarding an incident that involves cloud servers in addition to
user devices accessing the cloud (Choo et al. 2017). Alenezi et al. (2019) note that many studies focus on
and investigate digital forensic readiness but fail to address forensic readiness in cloud environments. One
glaring difference between digital forensic and cloud forensic investigations is the lack of access to physical
devices and media containing evidence. In cloud forensics, investigators generally do not have the physical
device in hand and therefore must rely on CSPs for data extraction and acquisition (Choo 2014; Dees 2018).
Even in cases where the physical device is present, data and applications stored on the cloud are generally
owned and controlled by the customer or user; however, the customer’s access to this data is largely
dependent upon service level agreements (SLAs) (Dykstra 2015). Jahankhani and Hosseinian-Far (2017)
outline challenges that exist in cloud forensics based on the four major accepted phases of digital
investigations (identification, preservation, examination and presentation) while Choo et al. (2017) further
identifies a clear lack of affordable, reliable, and verifiable tools for cloud forensic investigations.
Legal Challenges
Owing to technology’s inherent nature of rapid change and similar rapidity of changing digital forensic
methods, many case rulings that initially set precedent are later overturned when modern cases are ruled
differently, thus creating new precedent; this cycle then continues. In many instances, case law has yet to
determine precedent for legal matters in digital or cloud forensic investigations. In cases where precedent
does exist, it follows precedent set decades prior, which does not adequately account for technological
changes. Stare decisis is the “valued judicial practice of extracting the underlying principle from precedent,”
or, in other words, the “doctrine of precedent” (Harper n.d.; LII n.d.). Because the U.S.A. (with Louisiana
as the only exception) is a common law system, stare decisis is the underpinning principle that allows
decisions to be based on previous rulings (LII n.d.). Governments are seeking ways to expand technical
capability and implement laws concerning legal issues in cloud forensic investigations but have made little
progress. Presently, states are attempting to put laws in place and make procedural amendments to strike
a balance between cloud usage and forensic ability. The NIST Cloud Computing Forensic Science Working
Group (2014) identified eight primary legal challenges: “jurisdictions, laws, service level agreements,
contracts, subpoenas, international cooperation, privacy, and ethics” (p. 466).
The Electronic Communications Privacy Act of 1986 (ECPA) details occurrences in access of data and
outlines rules for both voluntary and involuntary information disclosure, while the Fourth Amendment
largely deals with general individual rights to privacy (Electronic Communications Privacy Act of 1986 1986).
The Stored Communications Act (SCA), Title II of the ECPA, added provisions to explicitly prohibit
access to stored electronic communications (LII 1986). Despite being written prior to sometimes indefinite
storage of communications on servers, the SCA remains one of the primary precedents for privacy matters
related to electronic communications (Robinson 2010).
Related Legal Cases
There is no shortage of cases involving the Fourth Amendment, SCA, or ECPA, but while some of these
cases build upon precedent set by prior rulings, others are more muddied. As digital forensic investigations
become more prominent and the transition to necessary cloud forensic investigations continues increasing,
there is a significant lack of legal precedent to follow. For example, both Guest v. Leis and U.S. v. Forrester
(see Table 1) uphold a reasonable expectation of privacy for a home computer, but they fail
to consider reasonable expectation of privacy for mobile devices. The State of Florida v. Casey Marie
Anthony exemplifies the importance of secure, reliable acquisition methods. Ultimately, she was acquitted
due to evidence gathered with a tool later found to be flawed. After the case’s final verdict, it was revealed
that the tools used for investigation into search history only gathered data from Internet Explorer, rather
than Firefox, leaving out approximately 98% of her search history, most notably overlooking a search for
"foolproof suffocation." This underscores the importance of quality for both investigation tools and
personnel (Goodison et al. n.d.; Harper n.d.). The ever-present lag between the legal and digital realms
creates space for new precedent to be established, overturned, and then reestablished. Without the ability
to adequately keep up with advancements in technology, the U.S. legal system will remain in a continuous
state of trying to stay up to date with legal challenges in digital and cloud forensic investigations.
| Case | Year | Implications to U.S. Precedent |
| --- | --- | --- |
| Olmstead v. U.S. | 1928 | Ruled that the Fourth Amendment is only violated when a physical search and seizure takes place; at the time, prior to the ECPA, the court ruled that wiretapping Olmstead’s telephone did not constitute a violation of the Fourth Amendment (Olmstead v. U.S. 1928). |
| Katz v. U.S. | 1967 | Overturned Olmstead v. U.S. and set a new precedent for access to private communications: an individual has a subjective expectation of privacy recognized as reasonable; any searches “conducted outside the judicial process” are unreasonable (Harper n.d.; Katz v. U.S. 1967). |
| Daubert v. Merrell Dow Pharmaceuticals, Inc. | 1993 | Concluded that the trial judge is responsible for ensuring reliability of expert witness testimony with regard only to principles and methodology rather than conclusions (Daubert v. Merrell Pharmaceuticals 1997; Testimony by Expert Witnesses 2011). Became known as the “Daubert standard” that requires methodologies to be falsifiable, repeatable, peer reviewed, and have a known rate of error (Brown et al. 2018). |
| Guest v. Leis | 2001 | In keeping with the Fourth Amendment and earlier precedent set by Katz v. U.S., it was ruled that individuals have a reasonable expectation of privacy in regard to data stored on home computers (Guest v. Leis 2001). |
| U.S. v. Riccardi | 2005 | When a second warrant was issued for search and seizure of the entirety of Riccardi’s computer, investigators noted the generality of the warrant and were reassured that it would stand (United States v. Riccardi 2005). |
| Silong v. U.S. | 2006 | Related to the Daubert standard and Federal Rule of Evidence 702, it was ruled that all data must have proof of integrity assurance and tool reliability in evidence acquisition (Silong v. U.S. 2006). |
| U.S. v. Triumph Capital Group, Inc. | 2008 | Ruled that when a warrant both states the crime under investigation and addresses which file types to be searched, both are enforceable (Brown et al. 2018; U.S. v. Triumph Capital Group, Inc., 2008 2008). |
| State of Florida v. Casey Marie Anthony | 2011 | Ruled not guilty beyond a reasonable doubt; digital evidence used by prosecutors was shown to have been acquired through a flawed tool, ultimately resulting in forensic validity doubts (Goodison et al. n.d.). |
| U.S. v. Jones | 2012 | Ruling called into question the changing Fourth Amendment protection granted with advancements in technology. Found warrantless use of GPS data served as a violation to the Constitution (U.S. v. Jones 2012). |
| Riley v. California | 2014 | Ruled by the Supreme Court that information on cell phones is not immune from searches, but that warrants are required to perform searches, even if the cell phone is seized at the time of arrest (Riley v. California 2014). |
| U.S. v. Ganias | 2016 | In what may have been the first case to set precedent regarding the length of time in which the government can possess digital records, it was ruled that records may not be “possessed indefinitely” (U.S. v. Ganias 2016). |
| U.S. v. Microsoft Corp | 2018 | Microsoft claimed they were unable to comply because the data requested resided on a server in Ireland. The passage of the CLOUD Act in 2018 forced compliance (“U.S. v. Microsoft Corp., 584 U.S.” 2018). |

Table 1. Relevant Court Cases and Subsequent Precedent Implications
Analysis of Legal Challenges
For an adequate discussion of legal issues in cloud forensics to occur, an important distinction must be
made. Forensics on the cloud refers to criminal activity taking place on the cloud while forensics in the
cloud refers to evidence of criminal activity being stored within the cloud (Martini and Choo 2014). For the
purposes of this research, focus is forensics in the cloud.
Jurisdictional Cooperation
Jurisdiction is defined as (1) the power of a court to make judgment on cases and issue orders and (2) the
territory within which a court or government agency may exercise its power (LII n.d.). The court’s power
over an area or territory has historically been defined by geographical boundaries, but the rise of cloud
computing has led to virtual connections that cross geographical borders and data that may be virtually
accessible in any location despite being physically stored around the world (Brown 2015; Cho 2017). For
example, assume a client residing in Texas utilizes Microsoft’s Azure cloud platform; the client is in Texas,
Microsoft is headquartered in Washington, and the physical server is located in Ireland (Microsoft 2018,
n.d.). Wall (2019) points out that in current CSP environments, users can select where they want their data
to reside; malicious actors may take advantage of this ability and exploit jurisdictional challenges.
According to Dykstra (2015), “law, rooted in the physical world, is interested in where property is,” but as
“property” (i.e. data) may now be scattered across multiple domestic and/or international boundaries, laws
need to adapt more quickly than present doctrine allows for.
Location Determination
When seeking evidence, access requires reliance upon cloud providers and a warrant with respect to
location, but determining location may be difficult. Al Sadi (2015) describes the process of determining the
location of data through its “chain of dependencies.” Tracing through this chain requires mapping the flow
of data through its travel across various jurisdictions; along the way, investigators must be mindful of the
laws governing the different jurisdictions (Taylor et al. 2011). Difficulties determining evidence location
often lead investigators to default to the headquarters of the company for jurisdictional purposes, but
sometimes companies contain a chain of dependencies, and the correct cloud provider must be identified
(Willson 2013). Dropbox, for example, states that the files stored via Dropbox utilize Amazon Web Services
(AWS) servers across the United States for storage (Dropbox 2012). In this case, it would likely be necessary
for investigators to contact both Dropbox and Amazon for evidence disclosure; however, due to Amazon’s
dispersion of servers across the U.S., multiple jurisdictions would likely exist (Dykstra 2015; Willson 2013).
International Data Seizure
Different countries have different laws in place governing the security of data when a warrant is present,
and nations where physical datacenters are held may have drastically different laws and regulations
concerning data seizure, privacy, security, and litigation processes (Arford and Chow 2016; Bagby 2013;
Choo 2014). For instance, Rule 2703 regarding requirements for disclosure of customer electronic
communications means that CSPs in the United States may be compelled to provide client data, but the rule
is only applicable domestically, leaving the waters muddy when CSP server locations are located abroad
(“18 U.S. Code § 2703” 1986; Arford and Chow 2016). Rule 41 streamlines the process of seizing data outside
of the issuing judge’s jurisdiction by allowing seizure with a single warrant. However, copying of all
information could potentially deter victims or those with evidence from reporting suspicious online activity
due to “concerns that their personal information would become part of the investigation” (Conduitt 2016).
In this same vein, the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which clarifies rules in the SCA,
has worked to eliminate some gray areas surrounding data seizure from foreign jurisdictions. Under the
CLOUD Act, a valid warrant would require U.S. companies to provide requested data even if servers are
located in a foreign jurisdiction (Clarifying Lawful Overseas Use of Data Act (CLOUD Act) 2018).
Ownership and Control
While the CLOUD Act more directly affects jurisdiction, it also highlights the importance of understanding
ownership and control of data. Legal questions surrounding ownership and control concern who actually
owns data and how that compares with broad user expectations of privacy (Lawton 2011). The multi-tenancy
property of the cloud, meaning many users’ data and information is co-mingled in the same space,
adds a layer of complexity to determining who is responsible for and who owns data on the cloud.
Ownership and control can be difficult to prove because the data resides in a pool of many others (Mitchell
2014). In determining ownership, data is broken into two pieces: content and metadata. Content consists
of data and applications owned by the client, while metadata (data about client data) is owned by the CSP
(Willson 2013). Rule 16 of the Federal Rules of Criminal Procedure (FRCrP) allows for requesting data “in
the defendant’s possession, custody, or control” (Dykstra 2015). To understand where the request for data
should be sent during discovery, differences in ownership must be understood. Some data will fall in
ownership of the CSP and the client may have no legal custody over it, while some data will remain the
user’s and the CSP may have no legal power over it.
Service Level Agreements
Generally speaking, when a user puts data on the cloud, it is considered content and the user has ownership
of that data, but this is dependent upon SLAs and terms of service laid out by the CSP (Willson 2013). In
both PaaS and SaaS service models, customers rely on CSPs for access to logs because they do not physically
control the hardware. It is therefore plausible that instances may arise where CSPs intentionally hide log
details from users or have a policy in place stating services to collect logs will not be offered (Wall 2019).
Issues such as these regarding ownership should be clarified in SLAs; for example, Microsoft makes it
known that user content stored via their services remains in the ownership of the users. On its website,
Microsoft Azure’s SLA states: “You are solely responsible for the content of all Customer Data… Microsoft
does not and will not assume any obligations with respect to Customer Data or to your use of the Product
other than as expressly set forth in this Agreement or as required by applicable law” (Microsoft 2014).
Additionally, as pointed out by Cauthen (2014), SLAs often hold encryption guarantees designed to prevent
anyone other than the user from accessing his or her data, which implies that the information and content
stored with the CSP is indeed under the user’s ownership rights.
Admissibility and Acquisition
Evidence acquisition and admissibility are tied tightly together because admissibility is largely dependent
upon the success and integrity of acquisition. As traditional forensic acquisition techniques generally do not
work with cloud forensic investigations, existing techniques and tools may not provide forensically sound
evidence (Choo 2014). For instance, according to Nasreldin et al. (2015), static acquisitions were once
considered best practice for physical imaging while live acquisitions were usually required for cloud forensic
investigations; however, contrasting views currently exist regarding whether static or live acquisitions are
best. Additionally, evidence acquisition in the cloud presents many challenges, including dynamic content
stored within the cloud, multiple sources, and spanning locations (Brown et al. 2018).
Cloud Evidence Acquisition
When data is stored in the cloud, investigators will rarely have possession of the original physical media
device; instead, data may physically reside on large, sometimes inaccessible servers anywhere in the world
and be dispersed across multiple locations. As stated earlier, due to the cloud’s multi-tenancy characteristic,
it may also be mixed with other user data. As a result, it is unlikely that CSPs will ever give investigators full
access to the complete physical drive or server (Dees 2018). Additionally, evidence acquisition is
complicated by the cloud’s inherent architecture. Data in the cloud resides in three places: data-at-rest on
client devices; data-in-transit; and data-at-rest on CSP servers (Choo et al. 2017). These three described
states of data in the cloud are often in a constant state of flux, and this, combined with data storage
fragmentation, makes acquisition of data incredibly difficult (Bagby 2013). As privacy concerns become
more central to the industry, sophisticated encryption of both data-at-rest and data-in-transit will add to
acquisition’s complexity (Choo 2014). To combat potential admissibility issues, Rule 902 of the Federal
Rules of Evidence was amended in 2017 to account for “evidence that is self-authenticating”; it recommends
use of hash values to authenticate proper data acquisition, but also allows for other generally accepted
methods, resulting in an ongoing gray area (“Rule 902. Evidence That Is Self-Authenticating” 2017).
Admissibility of Evidence
Data ownership plays into admissibility of evidence because in order for a piece of evidence to hold, it must
be traceable or have proven association with the suspect user; oftentimes, due to the cloud’s characteristics,
tracing files back to users and “deciphering who is responsible” for information stored on the cloud becomes
difficult (Mitchell 2014). Perhaps more importantly, evidence admissibility is largely dependent upon
forensically sound practices for its retrieval. When evidence is stored on the cloud, it, in most cases, shares
its location with other users. As a result, physical imaging or cloning of the device is generally prohibited by
CSPs and CSPs themselves must retrieve the data (Brown 2015). The current state of reliance on CSP
technicians or administrators for access to evidence, its extraction, and acquisition will likely result in
questions surrounding the validity and quality of procured data (Arford and Chow 2016; Choo 2014). In an
attempt to alleviate some of this reliance, the national commission released a document outlining its views
and support of NIST’s ability to “fairly and impartially evaluate the merit of the science underlying forensic
procedures and practice” (National Commission on Forensic Science 2016). Another barrier of admissibility
is in the difficulty of arguing to the court or a jury why acquired evidence should be admissible. Cloud
computing concepts are highly technical and explaining terms such as hypervisors and virtual machines to
nontechnical users can be difficult. If the forensic soundness of evidence must be argued, admissibility
could be in jeopardy out of sheer misunderstanding of the implications of acquired data or terminology.
Chain of Custody
Closely tied to evidence admissibility is the legal concept of chain of custody. Chain of custody is a process
that must be followed for evidence to be considered acceptable in a court of law and contains three main
pieces: evidence is properly identified by the collector; evidence must be collected by a neutral party with
no interest in results; after collection, evidence should be secured and tamper proof (U.S. Legal n.d.).
Unique challenges are presented in cloud forensics because of reliance on CSPs for data acquisition. As a
result, if the investigator chosen by the CSP is not adequately trained to forensic standards, the chain of
custody may fail to stand up in court (Wall 2019). One glaring chain of custody issue comes from differences
in time synchronization (Al Sadi 2015). Dees (2018) points out that there is no universal system for
timestamps, which makes them difficult to compare; where some systems create logs based on the system’s
local time, others may use GMT or UTC-based timestamps. Another issue stems from the inability to meet
standards of required isolation and security of evidence during an investigation; in order to maintain a
proper chain of custody, evidence needs to be isolated so as to not be tampered with, but the inherent multi-tenancy
of the cloud makes this difficult (Martini et al. 2016). The suspect user, if able, could access his or
her data from another device before its potential extraction and isolation, at which point evidence may be
altered or deleted before ever entering into the chain of custody (Dees 2018). This creates a situation where
it becomes beneficial, or perhaps necessary, to not alert any person(s) under investigation.
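The two mechanisms discussed above, hash values for authenticating an acquisition (Rule 902) and comparable timestamps in the chain of custody, combined in one sketch. This is an added example, not part of the original paper; SHA-256, the JSON entry layout, the source names, the declared offsets and the sample events are all assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample events: one acquisition as logged by three sources that
# stamp time differently (naive local time, explicit offset, UTC "Z").
SAMPLE_EVENTS = [
    {"source": "examiner-ws", "ts": "2021-03-14 03:00:30", "action": "image-received"},
    {"source": "csp-storage", "ts": "2021-03-14T02:00:05-05:00", "action": "object-read"},
    {"source": "csp-api", "ts": "2021-03-14T06:59:58Z", "action": "export-requested"},
]
SAMPLE_EVIDENCE = b"constructed evidence object contents"
# Assumption: the offset of any source that logs naive local time is documented.
DECLARED_OFFSETS = {"examiner-ws": timedelta(hours=-4)}
GENESIS = "0" * 64


def to_utc(ts, source):
    """Return (aware UTC datetime, basis); basis records how the zone was known."""
    parsed = datetime.fromisoformat(ts.strip().replace("Z", "+00:00"))
    if parsed.tzinfo is not None:
        return parsed.astimezone(timezone.utc), "explicit"
    if source not in DECLARED_OFFSETS:
        # Guessing a zone would silently reorder events, so refuse instead.
        raise ValueError(f"naive timestamp from {source!r} has no declared offset")
    aware = parsed.replace(tzinfo=timezone(DECLARED_OFFSETS[source]))
    return aware.astimezone(timezone.utc), "declared-offset"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry):
    """Hash every field except the stored digest, in a canonical key order."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))


def append_entry(log, event, evidence, custodian):
    when, basis = to_utc(event["ts"], event["source"])
    entry = {
        "seq": len(log),
        "utc": when.isoformat(),
        "original_ts": event["ts"],  # keep the raw value for the record
        "tz_basis": basis,
        "source": event["source"],
        "action": event["action"],
        "custodian": custodian,
        "evidence_sha256": sha256_hex(evidence),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry


def build_log(events, evidence, custodian="examiner-01"):
    """Order events by normalized UTC time, then chain them."""
    log = []
    for event in sorted(events, key=lambda e: to_utc(e["ts"], e["source"])[0]):
        append_entry(log, event, evidence, custodian)
    return log


def verify_log(log, evidence):
    """Return a list of problems; an empty list means log and evidence agree."""
    problems, prev, last_utc = [], GENESIS, None
    expected = sha256_hex(evidence)
    for entry in log:
        seq = entry["seq"]
        if entry["prev_hash"] != prev:
            problems.append(f"seq {seq}: broken link to previous entry")
        if entry_digest(entry) != entry["entry_hash"]:
            problems.append(f"seq {seq}: entry contents altered")
        if entry["evidence_sha256"] != expected:
            problems.append(f"seq {seq}: evidence hash mismatch")
        utc = datetime.fromisoformat(entry["utc"])
        if last_utc is not None and utc < last_utc:
            problems.append(f"seq {seq}: timestamp earlier than previous entry")
        prev, last_utc = entry["entry_hash"], utc
    return problems


if __name__ == "__main__":
    custody_log = build_log(SAMPLE_EVENTS, SAMPLE_EVIDENCE)
    for item in custody_log:
        print(item["seq"], item["utc"], item["source"], item["tz_basis"])
    print("problems:", verify_log(custody_log, SAMPLE_EVIDENCE))
```

Sorting the raw timestamp strings puts these three events in the reverse of their true order, which is the comparison problem the paragraph describes. The chain makes later edits evident only if the latest entry_hash is also recorded somewhere the log's custodian cannot rewrite.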
Other Issues
As mentioned previously, the four explored topics concerning legal issues in cloud forensics are by no means
exhaustive. For example, CSP hindrance generally results from an unwillingness to work with law
enforcement for various reasons. Oftentimes, CSPs are more concerned with their reputation for user
privacy and reliability than with outwardly complying to requests for evidential data. Additionally, cloud
providers are often reluctant to openly share their ability to locate and extract both data and metadata. As
a result, speculation may be made about what types of data are available but not about the CSP’s ability to
locate and retrieve it (Dykstra 2015). Privacy laws, such as the European Union’s General Data Protection
Regulation (GDPR), will inevitably add to the already-complex legal issues surrounding the field. While its
effects remain to be seen, it is often considered only the latest development, implying the likelihood of
similar laws to follow (Moore 2019). It makes sense that as cybercrime, threats, and malware become more
sophisticated, so do the methods for covering up these crimes; this process is referred to as anti-forensics
and will continue adding to challenges in cloud forensics (Mazurczyk et al. 2017). To meet public requests
for privacy and data protection, more CSPs offer encryption, sometimes end-to-end, of data stored or
transmitted through their service(s).
Recommendations
Confronting issues explored in this research requires changes that can be broken down into five main areas:
jurisdiction, SLAs, CSP coordination, CSP framework, and legal processes.
Jurisdictional Cooperation
A simple, somewhat immediate resolution to the jurisdiction issue could come from the use of well-trained
third-party consultants. Data stored remotely is often subject to international, rather than domestic, laws
(Martini et al. 2016). It is therefore advisable that cloud forensic investigations crossing jurisdictional lines
have legal and/or policy scholars either on staff or available for consultation when undertaking cloud
forensic investigations. A more long-term resolution lies with the establishment of best practices for cloud
forensic practices and procedures, especially for admissibility purposes. They need to be developed in a way
that counters jurisdiction issues resulting from the inherent global reach of cloud computing. Rule 41 is a
step in the right direction but lacks consideration of user privacy. Therefore, international cooperation is
recommended for the establishment of a baseline for best practices (“Rule 41. Search and Seizure” n.d.).
This could mirror the ideology of international cooperation in long-standing, traditional maritime law.
Once the baseline is established, individual nations can instate further best practices on
top of the baseline, but at least there will be a standard to follow when evidence spans geographical
boundaries. Development of standardized, cost-effective, and verified tools could help further reinforce the
established baseline and make best practices more attainable.
SLAs Regulation
Current SLAs between the CSP and clients often leave the provider with physical access to the data but
lacking the ability to recover it because it is encrypted with the client’s key (Cauthen 2014). Additional SLA
clauses stating that encryption keys may be requested in the case of federal-level subpoenas for information could
alleviate this issue, but users will most likely be unwilling to cooperate, and such clauses may lead
to further questions regarding privacy. If this practice is not possible, regulations governing CSPs and their
cooperation could ease pressure on investigators working with unwilling CSPs. Regulations could include
requiring CSPs to maintain all logs and metadata for a certain number of days and provide location
information about the flow and resting point of data on and between servers. Compliance with these
regulations could help in evidence recovery and location determination.
Improve CSP Coordination
If regulation required the CSP to maintain its own UTC timestamp system for file modification, doubts
regarding time synchronization could be alleviated. As blockchain technology continues to grow both in
capability and reliability, implementation of private blockchains could prove beneficial in alleviating chain
of custody issues; however, the “newness” of blockchain technology adoption calls into question its
security, implying that implementation should come only when data confidentiality, integrity, and
availability are more certain. Issues regarding evidence acquisition, admissibility and chain of custody often
result from reliance on CSPs for evidence extraction. Establishing trust between CSPs and forensic
investigators may not always be possible and would likely vary between cultures due to differing
expectations and ideologies surrounding trust; however, if education were provided to CSP administrators
or technicians responsible for data extraction, it may be possible to train them on how to acquire forensically
sound evidence that could be verified and admissible in court. A similar solution lies in CSP employment of
a digital cloud forensic specialist aware of and able to move around the specific cloud provider’s system.
Likewise, having someone who understands the architecture and can quickly sift through massive amounts
of multiple users’ data and is also forensically trained would alleviate pressures on evidence admissibility.
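The UTC timestamping and chain-of-custody ideas in this subsection can be made concrete with a hash-chained custody log, which is the integrity core a private blockchain would build on (without consensus or signatures). This is an added example, not from the paper; the function names, field names, actors and sample evidence are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # constructed predecessor value for the first entry


def entry_digest(entry):
    """SHA-256 over a canonical JSON form of every field except entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


def append_event(ledger, actor, action, evidence, when=None):
    """Record who did what to the evidence, in UTC, linked to the prior entry."""
    when = when or datetime.now(timezone.utc)
    if when.tzinfo is None:
        raise ValueError("timestamp must carry a time zone to be normalized to UTC")
    entry = {
        "seq": len(ledger),
        "utc": when.astimezone(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "evidence_sha256": hashlib.sha256(evidence).hexdigest(),
        "prev_hash": ledger[-1]["entry_hash"] if ledger else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    ledger.append(entry)
    return entry


def verify(ledger, evidence=None):
    """Return a list of problems; an empty list means the custody record is intact."""
    problems = []
    prev_hash, prev_time = GENESIS, None
    for i, e in enumerate(ledger):
        if e["seq"] != i or e["prev_hash"] != prev_hash:
            problems.append(f"entry {i}: broken link to previous entry")
        if entry_digest(e) != e["entry_hash"]:
            problems.append(f"entry {i}: content altered after recording")
        t = datetime.fromisoformat(e["utc"])
        if prev_time is not None and t < prev_time:
            problems.append(f"entry {i}: timestamp earlier than previous entry")
        prev_hash, prev_time = e["entry_hash"], t
    if evidence is not None and ledger:
        if hashlib.sha256(evidence).hexdigest() != ledger[-1]["evidence_sha256"]:
            problems.append("evidence does not match the last recorded hash")
    return problems


def sample_ledger():
    """Constructed two-step hand-off: CSP technician acquires, investigator receives."""
    image = b"constructed evidence image"
    local = timezone(timedelta(hours=-4))  # technician's local zone, normalized to UTC
    t0 = datetime(2021, 8, 9, 8, 0, tzinfo=local)
    ledger = []
    append_event(ledger, "csp-technician", "acquired", image, t0)
    append_event(ledger, "investigator", "received", image, t0 + timedelta(minutes=30))
    return ledger, image


if __name__ == "__main__":
    ledger, image = sample_ledger()
    print(verify(ledger, image))
```

Editing an earlier entry is detected even if its own hash is recomputed, because the next entry still commits to the old hash; the log alone does not prove who wrote an entry, which is where signatures or a distributed ledger would come in.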
Improve CSP Framework
Technical changes could also be made to ease the process of cloud forensics. Martini and Choo (2014)
propose a forensic-ready system where implementation of forensic capabilities occurs prior to any need for
evidence gathering. Lawton (2011) makes a similar recommendation when he discusses the need for CSPs
to set up their infrastructure in a way that allows for evidence requests to be met in a timely fashion. Both
of these proposals, however, bring forth many questions and concerns regarding privacy and monitoring.
For instance, having systems or infrastructure preemptively ready for investigation implies that there is
either logging of personal data happening regularly or a hardcoded key or backdoor for entry; therefore,
such recommendations should be undertaken only if privacy and security concerns can be assuaged.
Improve Legal Processes
Common law practices often require precedent to be set through the interpretation of laws, but as
technology continues to evolve, a greater number of unique challenges may arise. Because of this, further
research must be done into both difficulties currently faced and potential future issues in the field.
Implementation of legislative or regulatory norms is a slow legal process that will likely continue to lag
behind technological advancements. As the rapidity of cloud adoption continues increasing, it will be
difficult to set precedent for current issues and technologies because previous precedent will have been set
for now-obsolete technologies. This necessitates a dynamic political framework allowing for quick changes
to laws without sacrificing constitutional values. Research into possible future developments in cloud
computing, criminal evidence stored on the cloud, and ways to combat potential future issues could
proactively work to shed light where legal precedent or stare decisis may be lacking before incidents occur.
Limitations
As stated earlier, examining legal issues associated with cloud forensic investigations is a complex process.
While this research focuses on issues involving jurisdiction, ownership and control, evidence acquisition
and admissibility, and chain of custody procedures, it is by no means exhaustive in its exploration of
challenges or its analysis of chosen issues. The same is true for its identification of cases defining legal
precedent. Furthermore, it does not address more technical aspects associated with cloud forensic
investigation challenges, such as cryptography and anti-forensic capabilities. Tools available for
investigations are mentioned only briefly. Finally, it does not analyze or provide recommendations
on how to perform acquisitions; instead, it focuses on legal challenges surrounding data acquisitions.
Conclusion and Future Directions
Recognizing that the various legal issues in cloud forensics are not mutually exclusive is crucial to making
strides in alleviating legal hurdles. Problems facing jurisdiction feed into issues with acquisition and
admissibility, which tie into chain of custody and ownership. Essentially, all of the identified issues are
linked together; they are deeply intertwined in both the legal and cloud computing realms. It is critical,
therefore, to understand that changing or altering the legal state of one category will inevitably affect the
others, but it is equally important to recognize that changing nothing will leave cloud forensics in its current
muddied, gray-area state. The current legal system does not have the capability, on its own, to keep pace
with technologies, but the cloud environment is a growing storehouse of criminal evidence and activity.
Research shows that current cloud forensic practices are palpably insufficient; steps must be taken toward
clarity of legal issues and establishment of best practices to combat this deficiency.
While there is a great deal of research that outlines difficulties and challenges in cloud forensics, a limited
few actively work to provide solutions for overcoming challenges. This, in conjunction with a lack of
in-depth analysis devoted to challenge identification, creates space for expanding and enhancing this research
in either direction (identification of solutions or deeper analysis of specific challenges). Doing so may
provide direction toward establishing better standards for acquisition and serve as a stepping stone toward
framework development of best practices for organizations both using and providing cloud services.
REFERENCES
“18 U.S. Code § 2703 - Required Disclosure of Customer Communications or Records.” 1986. LII / Legal Information Institute. (https://www.law.cornell.edu/uscode/text/18/2703).
Alenezi, A., Atlam, H. F., and Wills, G. B. 2019. “Experts Reviews of a Cloud Forensic Readiness Framework for Organizations,” Journal of Cloud Computing (8:1), Journal of Cloud Computing. (https://doi.org/10.1186/s13677-019-0133-z).
Arford, E., and Chow, M. 2016. “Holes in the Cloud [White Paper].” (http://www.cs.tufts.edu/comp/116/archive/fall2016/earford.pdf).
Bagby, J. W. 2013. “On Resolving the Cloud Forensics Conundrum by The Cloud Conundrum [Abstract],” in ADFSL Conference on Digital Forensics, Security and Law, Pennsylvania: The Pennsylvania State University.
Brown, A. J., Glisson, W. B., Andel, T. R., and Choo, K. K. R. 2018. “Cloud Forecasting: Legal Visibility Issues in Saturated Environments,” Computer Law and Security Review (34:6), Elsevier Ltd, pp. 1278–1290. (https://doi.org/10.1016/j.clsr.2018.05.031).
Brown, C. S. D. 2015. “Investigating and Prosecuting Cyber Crime: Forensic Dependencies and Barriers to Justice,” International Journal of Cyber Criminology (9:1), pp. 55–119. (https://doi.org/10.5281/zenodo.22387).
Cauthen, J. M. 2014. “Executing Search Warrants in the Cloud — LEB,” Law Enforcement Bulletin. (https://leb.fbi.gov/articles/featured-articles/executing-search-warrants-in-the-cloud).
Cho, B. 2017. “Cloud Computing Across International Borders—Challenges to Traditional Jurisdiction,” Cornell International Law Journal Online. (http://cornellilj.org/cloud-computing-across-international-borders-challenges-to-traditional-jurisdiction/).
Choo, K. K. R. 2014. “Legal Issues in the Cloud,” IEEE Cloud Computing (1:1), Published by the IEEE Computer Society, pp. 94–96. (https://doi.org/10.1109/MCC.2014.14).
Choo, K. K. R., Esposito, C., and Castiglione, A. 2017. “Evidence and Forensics in the Cloud: Challenges and Future Research Directions,” IEEE Cloud Computing (4:3), pp. 14–19. (https://doi.org/10.1109/MCC.2017.39).
Clarifying Lawful Overseas Use of Data Act (CLOUD Act). 2018.
Conduitt, J. 2016. “How an Obscure Rule Lets Law Enforcement Search Any Computer | Engadget,” Engadget. (https://www.engadget.com/2016-12-01-rule-41-fbi-doj-hacking-power-expand-search-seizure.html).
Daubert v. Merrell Pharmaceuticals. 1997. pp. 1–8.
Dees, T. 2018. “How to Obtain Evidence from the Cloud for a Police Investigation,” Police1.Com. (https://www.police1.com/police-products/investigation/computer-digital-forensics/articles/how-police-can-obtain-evidence-from-the-cloud-X2bX137fJVI5NefK/).
Dropbox. 2012. “Where Does Dropbox Store Everyone’s Data?”
Dykstra, J. 2015. Seizing Electronic Evidence from Cloud Computing Environments. Cloud Technology: Concepts, Methodologies, Tools, and Applications. (https://doi.org/10.4018/978-1-4666-2662-1.ch007).
Electronic Communications Privacy Act of 1986. 1986.
Goodison, S. E., Davis, R. C., and Jackson, B. A. (n.d.). “Digital Evidence and the U.S. Criminal Justice System: Identifying Technology and Other Needs to More Effectively Acquire and Utilize Digital Evidence.”
Guest v. Leis. 2001.
Harper, J. (n.d.). “Fourth Amendment in the Digital Age - National Constitution Center. A,” National Constitution Center. (https://constitutioncenter.org/digital-privacy/The-Fourth-Amendment-in-the-Digital-Age, accessed February 28, 2021).
Jahankhani, H., and Hosseinian-Far, A. 2017. “Challenges of Cloud Forensics,” Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (10131 LNCS), pp. 1–18. (https://doi.org/10.1007/978-3-319-54380-2_1).
Katz v. U.S. 1967. pp. 354–359.
Lawton, G. 2011. “Cloud Computing Crime Poses Unique Forensics Challenges,” SearchCloudComputing. (https://searchcloudcomputing.techtarget.com/feature/Cloud-computing-crime-poses-unique-forensics-challenges).
LII. 1986. “18 U.S. Code § 2701 - Unlawful Access to Stored Communications.” (https://www.law.cornell.edu/uscode/text/18/2701).
LII. (n.d.). “Jurisdiction.” (https://www.law.cornell.edu/wex/jurisdiction).
Martini, B., and Choo, K. K. R. 2014. “Cloud Forensic Technical Challenges and Solutions: A Snapshot,” IEEE Cloud Computing (1:4), pp. 20–25. (https://doi.org/10.1109/MCC.2014.69).
Martini, B., Do, Q., and Choo, K. K. R. 2016. “Digital Forensics in the Cloud Era: The Decline of Passwords and the Need for Legal Reform,” Trends & Issues in Crime and Criminal Justice (512).
Mazurczyk, W., Caviglione, L., and Wendzel, S. 2017. “Recent Advancements in Digital Forensics,” IEEE Security and Privacy (15:6), pp. 10–11. (https://doi.org/10.1109/MSP.2017.4251106).
Mell, P. M., and Grance, T. 2011. “The NIST Definition of Cloud Computing,” Gaithersburg, MD. (https://doi.org/10.6028/NIST.SP.800-145).
Microsoft. 2014. “Microsoft Azure Legal Information | Microsoft Azure,” Microsoft Azure Agreement. (https://azure.microsoft.com/en-us/support/legal/).
Microsoft. 2018. “Facts About Microsoft - Stories.” (https://news.microsoft.com/facts-about-microsoft/).
Microsoft. (n.d.). “Data Residency in Azure | Microsoft Azure,” Azure Locations. (https://azure.microsoft.com/en-us/global-infrastructure/data-residency/).
Mitchell, B. 2014. “NIST Investigates Forensic Challenges in the Cloud - FedScoop,” FedScoop. (https://www.fedscoop.com/nist-investigates-challenges-in-cloud-forensics/).
Moore, T. 2019. “Best Practices for Strengthening the Cybersecurity of Legal Information across Law Firms and Jurisdictions,” Journal of Internet Law (June).
Nasreldin, M. M., El-Hennawy, M., Aslan, H. K., and El-Hennawy, A. 2015. “Digital Forensics Evidence Acquisition and Chain of Custody in Cloud Computing,” IJCSI International Journal of Computer Science Issues (12:1), pp. 153–160.
National Commission on Forensic Science. 2016. “Views of the Commission, Validation of Forensic Science Methodology.” (https://www.justice.gov/archives/ncfs/page/file/831546/download).
National Institute of Standards and Technology (NIST). 2014. NIST Cloud Computing Forensic Science Challenges. (http://safegov.org/media/72648/nist_digital_forensics_draft_8006.pdf).
Olmstead v. U.S. 1928.
Riley v. California. 2014. (Vol. No. 13–132).
Robinson, W. 2010. “Free at What Cost: Cloud Computing Privacy under the Stored Communications Act,” Georgetown Law Journal, p. 1195. (https://heinonline.org/HOL/LandingPage?handle=hein.journals/glj98&div=36&id=&page=).
“Rule 41. Search and Seizure.” (n.d.). LII / Legal Information Institute. (https://www.law.cornell.edu/rules/frcrmp/rule_41).
“Rule 902. Evidence That Is Self-Authenticating.” 2017. LII / Legal Information Institute. (https://www.law.cornell.edu/rules/fre/rule_902#rule_902_1_A).
Al Sadi, G. 2015. “Cloud Computing Architecture and Forensic Investigation Challenges,” International Journal of Computer Applications (124:7), pp. 20–25. (https://doi.org/10.5120/ijca2015905521).
Silong v. U.S. 2006.
Svantesson, D. 2015. “A New Legal Framework for the Age of Cloud Computing.” (https://theconversation.com/a-new-legal-framework-for-the-age-of-cloud-computing-37055).
Taylor, M., Haggerty, J., Gresty, D., and Lamb, D. 2011. “Forensic Investigation of Cloud Computing Systems,” Network Security (2011:3), Elsevier Ltd, pp. 4–10. (https://doi.org/10.1016/S1353-4858(11)70024-1).
Testimony by Expert Witnesses. 2011. “Rule 702. Testimony by Expert Witnesses | Federal Rules of Evidence.” (https://www.law.cornell.edu/rules/fre/rule_702).
U.S. Legal. (n.d.). “Chain of Custody Law and Legal Definition.” (https://definitions.uslegal.com/c/chain-of-custody/).
U.S. v. Ganias. 2016. (Vol. 755 F.3d 1).
U.S. v. Jones. 2012. (Vol. 615 F. 3d).
“U.S. v. Microsoft Corp., 584 U.S.” 2018. (https://www.supremecourt.gov/opinions/17pdf/17-2_1824.pdf).
U.S. v. Triumph Capital Group, Inc., 2008. 2008. (Vol. 544 F.3d 1).
United States v. Riccardi. 2005. (Vol. 246), pp. 0–8.
US-CERT. 2008. Computer Forensics.
Wall, T. 2019. “Forensics in the Cloud: What You Need to Know,” Tripwire. (https://www.tripwire.com/state-of-security/security-data-protection/cloud/forensics-cloud-need-to-know/).
Willson, D. 2013. Expert Reference Series of White Papers: Legal Issues of Cloud Forensics, Global Knowledge, pp. 1–8.