The Changing Face of Digital Forensics
Written by Dr Lamine Aouad   

The IT world is continually evolving. In the last few years, we have witnessed a shift in the device type: mobile devices have overtaken PCs, both in numbers and usage. Cloud-based applications and deployments have been surging in popularity. The latest round of cloud computing forecasts by leading IT companies and market research firms all show how rapidly cloud is, and will be, adopted in coming years. Content is more distributed than ever, and forensics investigations will not only involve a single isolated piece of hardware, as it used to be, but rather a set of logical and physical entities, using a wide range of unceasingly changing technologies and devices. This paper will briefly describe current state-of-the-art, and challenges and issues ahead of digital forensic investigations in coming years.

We live in the information age. User’s data is increasingly large and located everywhere, not only on their computers or mobile systems. Two major trends have risen and will continue to dominate over the next decades: mobility and the clouds. There has been a mobile boom in recent years, along with a dramatic change of the usage pattern of these devices - from predominately serving voice to large data consumption, using highly sophisticated gadgets called smartphones. According to NPD, Android users in the US for instance consume an average 3.3GB of data per month (cellular and WiFi combined). Mobile data traffic is also expected to increase 18-fold over the next five years, approaching an astonishing 11 Exabyte per month according to Cisco systems. Our computers and mobile devices are becoming knowledge collectors, a good chunk of our data is processed and backed-up somewhere else, as most of the services we consume are delivered over the network.

These tremendous technological shifts in data, services, and resources usage and consumption make forensic investigations more complicated than ever. Current software tools and forensics experts are already struggling to acquire evidence and to keep up-to-date with the fast-growing pace and constant updates and changes in these services and products. For instance, the iPhone is less than 6 years old; it is already in its 6th generation and Apple has already shipped more than 300 millions devices worldwide. Android, which accounts for a 70% share of the global smartphone market (Q4 2012), is constantly evolving and customized by manufacturers. Something as basic as the database structure is constantly changing - the file systems, the variety of APIs and protocols, etc. In addition, Android is compliant with over 300 different smartphone models (and this is a constantly growing number!). These obviously are not the only players; Microsoft, Blackberry, Nokia, to name only the big challengers, another wave of emerging manufacturers and software vendors, that include Firefox, Canonical, Tizen, etc. also want a slice of the cake. There is already a huge and urgent need to build knowledge around these technology stacks.

On the cloud side, a large number of services, in terms of hosting, computing, storage, etc. are provided to an increasing number of companies and developers. From start-ups to multinationals, the adoption of the cloud is widely spreading. AWS (Amazon Web Services) case studies for instance show the large number of companies already using their services. The astonishing expected growth (a $100 billion market in 2016 according to IDC research) makes the cloud a very competitive marketplace that moves incredibly fast and therefore lacks any kind of standards. It makes the clouds one of the next big challenges in digital forensics. A large knowledge base about each of the architectures, deployment stacks, delivery models, and the huge range of services and service models, need to be built. The process is particularly challenging in this case because of the very nature of the cloud, i.e. combining a range of logical and physical entities, rather than an isolated physical entity as in traditional digital forensics.

It is clear, however, that the client side, i.e. the mobile device or the computer itself, would still be a primary source of evidence in the case of an investigation. But we believe that any server-side data source can still play an important role in any investigation. While the methods, processes, and procedures are more or less well established in traditional hard-drive based computer forensics, the counterparts for mobile and cloud systems are still in their infancy or inexistent altogether. In the rest of this paper, we will discuss general issues of conducting forensic investigations on mobile devices, and data and services running on the clouds, based on our experience in dealing with mobile systems and different cloud architectures and providers.

What are the challenges?

There are many reasons to this extra complexity in dealing with mobile digital forensics, or conducting forensics investigations in a cloud setup. The main ones have already been mentioned - namely, the large variety in design, dependent on the manufacturer or the service provider, in hardware and software, their type, functionality, underlying technologies, etc. These technologies are also continually evolving, as existing ones progress and new ones are being introduced, with short product cycles, which obviously make it very difficult for investigators to remain up-to-date with current technologies.

It is hugely important for the forensics toolkits developer, as well as the forensics investigator, to develop and update their understanding of the way these new systems and components work, the features they possess, in addition to the appropriate methods and tasks to perform while dealing with them on a forensic basis. This is currently far from being straightforward. Consider the mobile side for instance, hard disks are too large in size, too fragile, and consume too much power to be useful in these systems. These devices use then flash memories, which provide relatively fast read access times and better kinetic shock resistance than hard disks. Now, when it comes to examining evidence, the basic rule is to keep the data held on the storage medium unchanged. For flash memories, this principle is more challenging than it is in hard disks. Techniques used to work around the erase cycles limitations to maximize their lifetime, such as wear leveling, might cause unpredictable data changes. Even switching a phone off and on again has shown to produce some data changes. These devices also use different file systems specifically designed for flash memory features, such as YAFFS or JFFS, among others. The forensic support for these special-purpose file systems is still limited, and more research is needed on this topic. Also, there is no simple way for the data acquisition, data recovery, or the mounting and the analysis of their memory images for instance. Interested reader can find the description of interesting existing tools, as well as interesting research aspects related to mobile digital forensics here.

In a cloud context, and depending on the remote service or the breaches type, it should be possible to obtain data (actual data or logs) to recreate accesses and events. The main technical challenge though is how to identify and find the information source, e.g. that particular virtual instance that was running or supporting that particular service at that particular time. And time is a very important aspect here, if the logging is not properly synchronized between the different sides of the system, it would be difficult to present it as a valid evidence. So next generation forensic acquisition tools must be able to identify all the physical and logical components amongst various use cases, architectures, and implementations of delivery models. In the cloud, there are three basic delivery models, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). They basically differ in terms of access to the provider-side resources.

IaaS is the delivery of virtualized instances and would be the most open of the delivery models, in terms of access to the provider side. It is the only one where the traditional forensic acquisition may apply, via snapshots and machine images for instance. There are, however, still challenges on the way different IaaS offering are presented. Data is not always persistent. In Amazon’s EC2 for instance, a service called EBS (Elastic Block Store) has to be used to allow data persistency independently from the lifetime of an instance. Logs and data might also be fragmented and distributed, which might affect the acquisition. Multi-tenancy aspects and shared resources, and the way the storage space is allocated might also contaminate the imaging and the acquisition. In addition, even though there is a relative accessibility, low-level analysis is still not possible, as well as access to the hardware.

PaaS and SaaS, as their names suggest, provide development and deployment platforms, and access to ready-to-use applications licensed by the provider. These are more closed type of offerings. An investigation would be very dependent on the cloud side access and logging features, in addition to the services implementation and their mapping or deployment, which are obviously very provider-specific and might greatly differ across the board. How to isolate a particular process would be a problem in these cases as well. The emerging trend of multi-cloud deployments makes it even more challenging to trace and analyse applications and data. Many platforms, such as VMware’s Cloud Foundry, and many other libraries, such as libcloud or jclouds, support multi-cloud deployments, where a user can easily deploy interoperable applications between cloud providers.

Another huge challenge for forensic investigators in these setups and environments is to obtain evidence using forensically acceptable methods so the evidence can be admitted according to the law in the trial. The forensics investigator should also be aware that laws might vary across borders (in the case of dealing with the cloud). Evidence admissibility requires a lawful search and the strict adherence to chain of custody rules including evidence collection, preservation, analysis, and reporting. The process of acquiring the data is indeed often more scrutinized than the actual evidence recovered for a criminal investigation. An important part of the preservation of evidence is in securing and isolating components, but this is easier said than done in these environments. Some of the mobile devices for instance can be remotely wiped (such as the iPhone). Keeping the device connected to the carrier’s network or Wi-Fi can also lead to potential updates of the system, incoming signals, messages, etc. which might alter or corrupt the data and potentially affect evidence. Data persistency is also a huge problem to tackle in cloud systems.

We need standards!

Standardization is another big challenge. In the mobile space, there have been attempts to bring together providers and device manufacturers, such as the WAC organization (Wholesale Applications Community), but it is currently more concerned by creating an open and unified platform and API for application developers. A set of standardized technologies, or guidelines, which would be adopted by manufacturers, will lower the cost and speed up the process of recovering data for investigations. It is, however, quite a difficult task to create standards for such a large group of manufacturers who use proprietary circuits, and do not seem to agree on communications. For instance, Apple has already stated they will not join any standards. So, this is not likely to happen anytime soon, and fragmentation issues are more likely to worsen.

The same applies to the cloud. There are, however, many standardization efforts, at various levels in the delivery of services and from different organizations, including OGF (Open Grid Forum) or OASIS (Organization for the Advancement of Structured Information Standards), among many others. Although most of this is centered on removing fragmentation and lowering barriers to adoption of the clouds, there are still difficulties in bringing together the major players of the ecosystem to collaborate and define common approaches, processes, or metrics. Everybody is trying to extend and/or consolidate its reach in the market, and very few of them actually worry about defining standards. The on-going showdown ‘Amazon’ vs. everybody else including OpenStack, Microsoft, Google, etc. shows how this promises to be hard to achieve!


Digital forensics needs to play a central role in the evolving IT space, rather than playing catch-up with industry and new technologies being introduced. It is a fact that current software tools, and also forensics experts, are struggling to keep up-to-date with recent technologies and releases, and to provide efficient and durable forensics methods and techniques. The majority of the existing tools are either not fully developed or do not yet provide full functionality for a large range of systems and devices. The systems we have mentioned in this paper will play an increasingly important role in criminal investigations and law disputes, as well as in information security. Data will be increasingly susceptible to alteration, updates, or deletion. Cloud systems and mobile devices are by nature more prone to incorrect or inappropriate digital forensics processes than separated pieces of hardware. It is becoming essential to take the lead in documenting best practices and measures to be taken to ensure the reliability and accuracy of next generation forensics processes, not only with regard to technical aspects, but also juridical and legal issues.

About the Author

Dr Lamine Aouad is a Research Fellow a the UCD School of Computer Science, University College Dublin.

< Prev   Next >

Item of Interest

The language barrier between English-speaking investigators and Spanish-speaking witnesses is a growing problem. (Updated 28 February 2011)