Organizations are increasingly storing data and applications on virtual servers around the world via "cloud computing" providers. The implications for fraud examinations could be enormous.
John had just begun his new position as an internal investigator with ABC Company in Los Angeles. In one of his first cases, he received information indicating the possibility that a company employee in the purchasing department was receiving kickbacks in return for awarding contracts to specific vendors. John scheduled a meeting with Marsha, who was ABC's director of information technology (IT). He explained that he needed copies of all digital documents related to the employee he was investigating and also access to the employee's email account.
Marsha said that the company had outsourced all the documentation and project management data to a "cloud computing" provider, and she was not even sure where the provider's servers and data storage were located. Also, she said that ABC had outsourced its email service to a different cloud provider. She offered to contact the providers and give the relevant information to John. Several days later, Marsha explained to John that the first provider had created a "virtual server" on one of its physical network servers located in Mexico to host the purchasing applications, but it had subcontracted with yet another cloud computing provider in Shanghai, China, to store all the purchasing data. She explained that a virtual server is really software that emulates, or "pretends" to be, a physical computer, and described the virtual machine as a "computer within a computer." On top of that, ABC stored its emails on another cloud provider's server in Lahore, Pakistan.
John explained that the company needed to preserve the related data for his investigation; Marsha said that this issue had never come up before, and they might need to contact the company's general counsel to determine how to proceed.
During a meeting the following week with the company's general counsel, he said that the contracts with each of the cloud-computing providers would need to be reviewed to determine the contractual obligations of the providers and the access ABC might have to their data. The general counsel also said his team would need to review the laws of each cloud provider location to make sure they addressed any privacy issues prior to preserving the data for the investigation.
Six weeks later, John traveled to Mexico to meet with the cloud-computing provider that managed the purchasing applications for ABC. He obtained a digital "snapshot" of the virtual server used by the vendor, but now he needed special software and an outside consultant before he would be able to review and interpret any of the application transactions.
The cloud provider did not maintain detailed logs of individual transactions on the system, so any useful information related to John's investigation might be limited. The cloud provider had made backup tapes but they also contained data from other clients, so the provider refused to release copies of those tapes to John.
In addition, the provider had overwritten many of the tapes that contained information that John needed for his investigation. ABC's executive management refused to approve John's travel request for either China or Pakistan, but he finally received copies of the email archives and purchasing data from the cloud providers in those two countries. However, John did not know how the data was extracted and preserved, and he was not able to obtain detailed documentation from either cloud vendor. His investigation was incomplete at best, useless at worst.
This fictitious case presents some of the excruciatingly real problems that could arise in an investigation involving cloud computing.
Imagine you are forced to take an airplane trip. You don't know where you are going or when you will get there. The plane flies through clouds during the entire trip, so you never know your altitude or the countries over which you are flying. This is similar to the trials of investigating a case when your relevant data is stored by a cloud-computing provider.
This article is not intended to address the specific technical details of cloud computing nor potential data security issues. I will focus on the problems this technology might be causing fraud examiners and law enforcement investigators.
WHAT IS CLOUD COMPUTING?
IT engineers began drawing the Internet as a "cloud" in their network diagrams because they did not necessarily need to document for laypersons the exact paths their data took across it. Most people only needed to know that they were somehow connected to the web, and that their data was moving (most of the time) from point A to point B.
If you use Gmail, Hotmail, Google Docs, Dropbox or an off-site backup company, you are already "in the cloud." These services store emails or files in large servers. More sophisticated providers include Amazon Simple Storage Service and Microsoft Windows Azure. Increasingly, organizations are using cloud vendors to manage their IT needs.
Cloud environments can differ from the traditional IT structure in any combination of the following ways:
- Cloud services can be sold on demand, typically by the minute or hour, or by volume.
- The customer benefits by being charged for only the amount of service needed, rather than having to make a huge investment in hardware and/or software.
- Cloud providers can manage services completely, however many are required, so clients need only small IT staffs.
Small IT staffs, no messy databases and great cost savings — a no-brainer, right? Not necessarily. Organizations have to strongly consider the impact of cloud computing on investigations, litigation holds and the control and security of their data. Cloud computing can make your jobs as fraud examiners very difficult, if not, at times, impossible.
WHERE IS YOUR POTENTIAL EVIDENCE LOCATED?
In the past, the security — and perhaps even more importantly, the control — of any important asset was first based on defining an outer perimeter around that asset and then using obvious security measures such as walls, guards, fences, locks or alarms. However, the days of an organization securing and controlling all of its data in a central location might be over.
Let us say your organization signs a contract with a cloud-computing provider to host its accounting application and data. The provider then subcontracts with another cloud provider to actually store the data. The subcontractor company happens to be located in India. Now imagine your potential problems in navigating the internal bureaucracies within your organization and the legal and privacy issues in India to preserve this data. Then you have to deal with not one, but two or more cloud providers, to access and preserve the data and any related historical archives.
Laws have been geographically based for centuries. These geographical limitations also establish legal jurisdictions, which issue court orders, subpoenas and search warrants. Of course, a municipal law enforcement agency would find it difficult to obtain a search warrant that could be served in another country. Courts from one country usually have no jurisdiction in another country.
How can we resolve the differences between law based on political boundaries and the global digital network in the cloud where potential digital evidence might be located anywhere in the world? Right now, there are few answers, but here are several possible suggestions that might help:
- Make sure that any cloud-computing provider you select stores applications and data in a legal jurisdiction that will not hinder an investigation.
- Because it is very unlikely that there will ever be coherent international law to address the jurisdictional issues, I would foresee the development of cloud-computing providers who have the internal expertise to address forensic and e-discovery issues and offer specialized services for both investigatory and e-discovery situations.
- It is also probable that the legal and forensics communities will need to alter their positions on what constitutes "best evidence," in that physical access to cloud servers might no longer be possible.
SERVER VIRTUALIZATION
Most people think of a network server as a single physical piece of computer equipment dedicated to one application, such as email, or to one department, such as accounting or finance. However, dedicating hardware that way does not make efficient use of modern servers. We now use "server virtualization."
Virtualization software (a hypervisor) creates isolated compartments on one physical server, and each compartment acts like a completely separate computer. These compartments are virtual machines: each runs its own operating system and applications, possibly different from those of its neighbors, and all of them run at the same time. The virtual machines share the hardware resources of the physical server, which lets those resources be used far more fully.
Cloud-computing providers extensively use server virtualization so they can manage virtual servers, all belonging to different clients, operating simultaneously on the same physical computer. So, much of the time you not only do not know where your crucial data resides, it is often lumped together with other confidential data belonging to other companies. On top of that, you might need special software and expertise just to get into the virtual machines to access your data.
FORENSICS/E-DISCOVERY ISSUES
Examiners in either digital forensics investigations or e-discovery situations, in which data must be preserved for litigation, normally have three primary goals:
- The integrity of the data must be protected, and the process must be documented.
- The chain of custody of the preserved evidence must be maintained to satisfy "best evidence" requirements if it will be introduced during litigation.
- Any analysis or conclusions must be reproducible and capable of validation by accepted methods.
During a traditional investigation, a digital forensics examiner wants to search an organization's server and its individual user computers to capture and protect various important "artifacts" that could provide critical evidence. These artifacts might include deleted files, operating system registry entries that document user activity, temporary files, and fragmentary data from space on the digital media that is not currently allocated to files (called "unallocated space" by the forensic community).
However, in the cloud environment, none of these valuable evidentiary artifacts might exist. Data on virtual servers change constantly, and the provider might not be adequately backing up your organization's data. Depending on the type of virtual server and how it is configured, artifacts might be automatically deleted when a user exits the system (for example, a non-persistent virtual machine that is discarded and rebuilt from a clean template at every session). Furthermore, cloud providers likely would not agree to take any of their servers offline to allow a forensic image of the disk storage arrays and/or virtual servers containing potential evidence. A forensic image of a cloud provider's server(s) would almost certainly contain data from other customers, which would not only raise confidentiality issues but would probably violate its contracts with these customers as well.
Even if you could obtain a complete forensic image of the cloud provider's storage media, it would be difficult to interpret relevant data from the system. If you want to extract any useful information, you might have to obtain detailed knowledge of the software used to create the virtual machine, the operating system, the application(s) and the operation of the user logging system. Network logs and system logs from individual user computers might no longer provide valuable evidence, and system and user activity logs from the cloud provider might not even exist. Unless your company demanded very detailed and granular logging in its initial contract, the provider probably will not keep detailed logs, because it does not want to absorb the costs.
Even if the provider might have maintained all applications and data, you still might not be able to substantiate the evidentiary chain of custody and validate the evidence. Digital forensics examiners traditionally can only establish historical provenance of evidence via physical computers or storage media. They normally acquire evidence from a dedicated server, store it on external media — such as a hard drive or optical media — and create a chain of custody form for that media. Every person who handles or accesses that information for any reason must document that activity on the form.
Cloud computing has complicated this chain-of-custody process. We don't know:
- How the data was processed and by whom.
- Who had access to the data and when it was accessed.
- If the data was commingled with other clients' data.
- Who acquired the data submitted for analysis — a trained digital forensics examiner or an employee of the cloud-computing provider.
- How the data was preserved and by whom.
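The three goals above (integrity, chain of custody, reproducibility) and the five unknowns in the list just given can be narrowed, though not eliminated, by fixing a cryptographic hash of whatever the provider hands over at the moment of receipt and logging every subsequent handling against that hash. The following Python sketch is an added example, not code from the article or from any cloud vendor; the export bytes, the case identifier and the actor names are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone


@dataclass
class CustodyEvent:
    """One handling of the evidence: who did what, when, and the hash they observed."""
    timestamp: str
    actor: str
    action: str
    sha256: str
    note: str = ""


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    sha256: str  # fixed at receipt; every later event is compared against it
    size: int
    events: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _stamp(when=None) -> str:
    return (when or datetime.now(timezone.utc)).isoformat()


def receive(item_id, description, data, actor, note="", when=None):
    """Fix the identity of the data the moment it arrives from the provider."""
    digest = sha256_hex(data)
    item = EvidenceItem(item_id, description, digest, len(data))
    item.events.append(CustodyEvent(_stamp(when), actor, "received", digest, note))
    return item


def record_event(item, actor, action, data, note="", when=None):
    """Log a handling event, re-hashing the bytes the handler actually holds."""
    event = CustodyEvent(_stamp(when), actor, action, sha256_hex(data), note)
    item.events.append(event)
    return event


def verify(item, data) -> bool:
    """True only if the bytes now in hand are exactly what was received."""
    return sha256_hex(data) == item.sha256


def chain_breaks(item) -> list:
    """Events whose observed hash differs from the receipt hash: integrity was lost there."""
    return [e for e in item.events if e.sha256 != item.sha256]


def custody_report(item) -> str:
    """Serializable custody record to attach to the evidence and hand to an opposing expert."""
    return json.dumps(asdict(item), indent=2)


# Constructed sample export; not data from any real provider.
EXPORT = b"po_number,vendor,amount\n1001,Vendor A,25000\n1002,Vendor B,9800\n"
TAMPERED = EXPORT.replace(b"25000", b"2500")

if __name__ == "__main__":
    item = receive("ABC-PUR-001", "purchasing export (constructed)", EXPORT,
                   "provider contact (hypothetical)", note="delivered as encrypted archive")
    record_event(item, "J. Examiner (hypothetical)", "copied to evidence share", EXPORT)
    print("verified at analysis:", verify(item, EXPORT))
    record_event(item, "outside consultant (hypothetical)", "loaded into analysis VM", TAMPERED)
    print("events with integrity loss:", len(chain_breaks(item)))
    print(custody_report(item))
```

The hash answers "was the data changed after I got it?" and the event log answers "who touched it and when" from receipt onward. It cannot answer how the provider extracted the data or who at the provider handled it before delivery; for that, the contract should require the provider to compute and sign its own hash at export time and to document its extraction method, so that the two hashes can be compared and the gap before receipt is at least described.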
The third goal — ensuring that the data can be accurately reproduced and analyzed by an independent expert using accepted and validated methods — might be the most problematic. Current digital forensics tools are not designed to operate within the cloud environment. Also, it might not even be possible to forensically capture a snapshot of the data for preservation within many cloud-computing environments. And if the provider can provide a snapshot, it might not satisfy the best-evidence requirements for use in litigation. During discovery, the courts require immediate preservation of both active data and historical archives.
REVAMP PROCEDURES NOW
The growing complexities of the cloud-computing infrastructure and the cross-border legal issues it raises increasingly impede fraud examinations.
Overhead costs will rise as companies have to hire highly specialized digital forensics examiners to analyze cloud-computing environments so they can identify and forensically preserve data that might provide evidence.
Companies that use cloud-computing providers must include clauses in the service-level agreements that address investigative and e-discovery data preservation and detailed descriptions outlining both responsibility and liability.
The legal, digital forensics and e-discovery communities must revamp their mindsets, tools and training programs to address the new challenges presented by cloud computing. Fraud examiners must begin to think about these issues now and develop procedures and policies. Our cases, organizations and livelihoods depend on it.
Sidebar: Heed the Warnings of These Cloud-Computing Cases
In a 2009 investigation, the FBI was granted a search warrant to seize servers owned by a cloud-computing provider, Liquid Motors. The company provided specialized services to national auto dealers including stock and inventory management and some Internet marketing. Liquid's clients had sent it valuable, sensitive information. The warrant was based on probable cause that a criminal enterprise had been using Liquid's servers to conduct criminal activity. The company was not the subject of the investigation, nor was it charged with any wrongdoing. However, the FBI seized all of its servers and backup tapes. The FBI even confiscated and examined servers owned by Liquid's clients.
As a result of the disruption caused by the FBI seizure, Liquid Motors was forced to purchase: 1) hard drives to give to the FBI so the FBI could obtain copies of Liquid's client data, and 2) new servers so Liquid could reconstruct its entire network. According to one article, the seizure disrupted business for 50 clients of Liquid Motors.
Source: Kim Zetter, Wired.com: Threat Level Blog, Conde Nast Digital, April 8, 2009
A local law enforcement agency in the U.K. executed a search warrant targeting a business within its jurisdiction. It discovered that the business' customer management database, which was the primary source of its potential evidence, was located on a U.S. server. The business decided not to deal with the convoluted, international legal issues and the costs of preserving the data in the U.S. Instead, it asked company employees to bring in their laptops to remotely access the database. Forensic professionals asked questions about the integrity and chain of custody of evidence extracted from the database.
Source: ForensicFocus.com: Digital Forensics Forums – General Discussion, posted Feb. 3-4
Walt Manning, CFE, EnCE, is managing director of Techno-Crime Institute in Green Cove Springs, Fla., and a longtime ACFE faculty member.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.