2. Internal Investigations and the Cloud
• What is cloud computing?
• Why is it a problem for investigators?
• What’s the solution?
• The problem with the consumer cloud
• The consumer cloud – personal accounts
• Good resources
Internal Investigations and the Cloud
3. What is cloud computing?
• Model for delivery of computing services
• Services outsourced and accessed through the internet, on demand, at desired scale
• Data resides on servers owned by third parties, often with the data of others and often in one or more foreign countries
• Consumer services differ from enterprise services
4. What is cloud computing?
• It is related to a “data portability” phenomenon
• “We’ve got work information on personal devices and personal information on work devices”
• Add to that, multiple companies on physical servers
• This creates ambiguity that can be dealt with by contract (and I assume by technology) – i.e. we need to replace physical control with legal control
5. Why is it a problem for investigators?
• It threatens timely access to reliable evidence
• Providers default to low cost rather than service
• Investigations and e-discovery are afterthoughts
• Specialized forensic data capture services are rare
• Logs and other forensic data can be intermingled
• Proprietary software can make interpretation hard
• Access restrictions create a chain of custody issue
• Law of other jurisdictions may be restrictive
6. Why is it a problem for investigators?
• Discussion
• Do your employers or clients use cloud-based services for business?
• Has this affected your investigations?
• How?
7. What’s the solution?
• The solution is simple (in theory)
• Outsourcing process requirements definition, vendor selection, due diligence and contracting and administration
• You need to insert yourself in all aspects of this process to communicate your requirements and see that they are met
• But… be prepared to compromise because the cloud is the cloud and physical control is supreme
8. What’s the solution?
• The solution is simple (in theory)
• Understand the system and the data it generates
• Develop investigation scenarios
• Develop investigation requirements
• Prioritize requirements
• Discuss requirements
• Ensure requirements can be met
• Service level agreement is key, but is not everything
9. What’s the solution?
• Assume your employer or a client is moving its accounting system to the cloud. As a fraud investigator, what are your key needs?
10. What’s the solution?
• Key questions (among others)
• In what jurisdiction(s) will data reside?
• How is data stored at application & system levels?
• Can our data be extracted independently from others’ data?
• What forensic data do we want? Will you make it available to us? How? To others? How will that affect us?
11. What’s the solution?
• Key questions (among others)
• Will your employee give evidence to establish the chain of custody?
• How fast will you make all this happen?
12. The problem with the consumer cloud
• It is a data security risk – business information is leaching into personal accounts and home computers
• Example – employee sends work home via a web-based personal e-mail account
• Example – business unit starts using Google Docs to collaborate though the company has no enterprise services relationship with Google
13. The consumer cloud - personal accounts
• The Calgary Police Service case (April 2012)
• Internal sexual misconduct investigation
• E-mail review… search for “password”
• Found login credentials for personal e-mail account
• Accessed on “data leakage” theory
• Found (unanticipated) evidence of sexual misconduct
• Alberta OIPC finds a violation of privacy legislation
14. The consumer cloud - personal accounts
• Why unauthorized access is a bad idea
• Except in extraordinary circumstances it is likely to be a criminal offence – Criminal Code s. 342.1
• A labour arbitrator may exclude evidence
• Though not ideal, there is a work-around
15. The consumer cloud - personal accounts
• The work-around
• Finish the covert investigation
• Confront the employee
• Make a preservation demand
• Make a reasonable inspection demand
• Be prepared to manage a refusal through an insubordination charge and an adverse inference
16. The consumer cloud - personal accounts
• “Friending” targets is risky
• “Friending” as yourself may not be that helpful
• Impersonation is a criminal offence (s. 403)
• Do your professional rules prohibit the use of fake profiles to gain information?
17. Related Resources
• J. Cheng, “IBM’s Siri ban highlights companies’ privacy, trade secret challenges”
• Digital Forensics Laboratories, “Digital investigations in the Cloud”
• T. Harbert, “E-discovery in the Cloud? Not so easy.”
• W. Manning, “Investigating in the Clouds”
• K. Ruan et al, “Cloud forensics: An overview”
• A. Savvas, “Cloud providers cave into more flexible contracts.”
• T. Trappler, “In the Cloud, Your Data Can Get Caught Up in Legal Actions”
• K. Zetter, “FBI Uses ‘Sledgehammer’ to Seize E-Mail Server in Search for Bomb Threat Evidence”
Dan Michaluk
Hicks Morley
We work for management
Support internal investigation work
Argue cases that flow from internal investigation work
Worked with organizations on outsourcings to cloud
Not an IT pro
Not a forensics pro
…About how cloud computing will affect your job as an internal investigator and what to do about it
Important topic for investigators because the success of your work depends on access to information
Business use of the cloud is a threat, but it can be managed
In a more obvious way social media use is a potential source of evidence… talk about one issue that’s come up recently… access to personal accounts

Let’s cover the basics
Anyone volunteer to describe what cloud computing is?
Key features that create a problem
-third-party owned
-cost effectiveness supersedes control
-distributed
-server provision is “virtualized” (some degree of intermingling problem)
Great trend
-tell story about education sector pitch
Developing distinction between consumer cloud (“public”) and enterprise (“private”) cloud
-very important distinction for business
-if business has any control, it must have the primary agreement with the cloud provider

Bigger problem for business is data portability
Too easy to move data between systems now
Tell story about Crown’s pitch
A bunch of information that should be under the organization’s control is now “out there”
Evidence trails will lead you to data sources that you can’t access through routine and authorized means
What do we do about that?
There will be some compromise to your investigation
You’ll have to live with that
Question is how do we manage the risk when corporate security is not ideal

Summarizes the cloud problem
Low cost – comment on cloud provider bias
-Computer World UK article from Friday… cloud providers will compete on flexibility
Investigations and e-discovery afterthought
-Barry Murphy, eDJ Group Inc. survey
-Anecdotally, investigation rights focused on data breach investigation rights
-Forensic issues
-Meaning from information
-e.g. time stamps… beg more questions about how they are generated

Facilitated discussion
Let’s draw from your current experience

This is a business problem not an investigation problem
You need to get identified as a stakeholder and make your needs known
Ultimately there will be compromise
There will be risks
It’s a less than ideal computing model for your needs
Be open to that
The cost savings will compel some level of adoption

Here’s the process I foresee
Very tailored approach
There will be great resistance to this type of analysis from most vendors
But if you’re going in blind you should at least know that

Facilitated discussion
Let’s brainstorm about potential requirements

Here’s what you must know
-must know the jurisdiction
  -less willing to disclose than you think
  -will affect access to data
  -good due diligence will entail a local opinion on access to PI
-how is data stored
  -data map/model
-intermingling key
  -stories about law enforcement seizing whole servers
  -how are you protected from that
-last bullet are the “money” questions
  -can only ask them if you have a good data map

-more questions
-might have to prove authenticity of exports or images
  -cooperation essential
  -what’s arrangement?
  -what’s the protocol?
  -think ahead
-how fast
  -speed of investigation is critical
  -delay increases exposure to risk of financial harm
  -increase cost of paying employees on leave
  -increase risk of employment damages claims

New topic
Information beyond your control
Investigations lead to personal devices, computers and accounts