XXX-X-XXXX-XXXX-X/XX/$XX.00 ©20XX IEEE

Next-Generation Digital Forensics: Challenges and Future Paradigms

Reza Montasari Department of Computing and Engineering

The University of Huddersfield

Huddersfield, U.K. [email protected]

Richard Hill Department of Computing and Engineering

The University of Huddersfield

Huddersfield, U.K. [email protected]

Abstract— In recent years, Information and Communications

Technology (ICT) has rapidly advanced, bringing numerous benefits to the lives of many individuals and organisations. Technologies such as Internet of Things (IoT) solutions, Cloud-Based Services (CBSs), Cyber-Physical Systems (CPSs) and mobile devices have brought many benefits to technologically-advanced societies. As a result, commercial transactions and governmental services have rapidly grown, revolutionising the life styles of many individuals living in these societies. While technological advancements undoubtedly present many advantages, at the same time they pose new security threats. As a result, the number of cases that necessitate Digital Forensic Investigations (DFIs) are on the rise, culminating in the creation of a backlog of cases for law enforcement agencies (LEAs) worldwide. Therefore, it is of paramount importance that new research approaches be adopted to deal with these security threats. To this end, this paper evaluates the existing set of circumstances surrounding the field of Digital Forensics (DF). Our research study makes two important contributions to the field of DF. First, it analyses the most difficult technical challenges that need to be considered by both LEAs and Digital Forensic Experts (DFEs). Second, it proposes important specific future research directions, the undertaking of which can assist both LEAs and DFEs in adopting a new approach to combating cyber- attacks.

Keywords—digital forensics, IoT forensics, cloud forensics,

cybersecurity, digital investigation, encryption, anti-forensics

I. INTRODUCTION In recent years, we have witnessed rapid advancements in

Information and Communication Technology (ICT) features. Technologies such as communication networks, mobile devices, Internet of Things (IoT) solutions, Cloud-Based Services (CBSs), Cyber-Physical Systems (CPSs) have brought many benefits to technologically-advanced societies [1, 2, 3]. As a result, commercial transactions and governmental services have rapidly grown, revolutionising the life styles of many individuals living in these societies. While technological advancements undoubtedly present many advantages, at the same time they pose new cybersecurity threats which have

significant impacts on a variety of domains such as government systems, enterprises, ecommerce, online banking, and critical infrastructure. According to an official survey conducted by The Office for National Statistics [4], there were an estimated 3.6 million cases of fraud and two million computer misuse offences in a year. Although there is a variety of reasons for conducting cybercrimes, the motivation is often for financial gain. The fundamental issue associated with cybercrime consists of damage to reputation, monetary loss, in addition to impacts on the confidentiality, integrity and availability of data.

By exploiting technology, cybercriminals, for instance, will be able to turn IoT nodes into zombies (using malicious software), carry out distributed denial of service (DDoS) attacks (engineered through botnets), and create and distribute malware aimed at specific appliances (such as those affecting VoIP devices and smart vehicles) [1, 2], [5, 6, 7, 8, 9]. Other challenges resulting from such technological advancements include, but are not limited to: high volume of data, heterogeneous nature of digital devices, advanced hardware and software technologies, anti-forensic techniques, video and rich media, whole drive encryption, wireless, virtualisation, live response, distributed evidence, borderless cybercrime and dark web tools, lack of standardised tools and methods, usability and visualisation. The deployment of IP anonymity and the ease with which individuals can sign up for a cloud service with minimum information can also pose significant challenges in relation to identifying a perpetrator [2], [5], [8], [9, 10].

As a result, the number of cases that necessitate DFIs are on the rise, culminating in the creation of a backlog of cases for LEAs worldwide [11, 12]. Therefore, given the discussion above, it is of paramount importance that new research approaches be created to deal with the aforementioned security challenges. To this end, we evaluate the existing set of circumstances surrounding the field of DF. Our research study makes two important contributions to the field of DF. First, it analyses the most difficult mid and long-term challenges that need to be considered by both LEAs and DFEs. Second, it

Authorized licensed use limited to: University of the Cumberlands. Downloaded on November 24,2022 at 15:10:21 UTC from IEEE Xplore. Restrictions apply.

proposes important specific future research directions, the undertaking of which can assist both LEAs and DFEs in adopting a new approach to combating cyber-attacks.

II. CHALLENEGES As the field of DF continues to evolve, its development is

severely challenged by the growing popularity of digital devices and the heterogeneous hardware and software platforms being utilised [2], [13, 14]. For instance, the increasing variety of file formats and OSs hampers the development of standardised DF tools and processes [15]. Furthermore, the emergence of smartphones that increasingly utilise encryption renders the acquisition of digital evidence an intricate task. Additionally, advancements in cybercrime have culminated in the substantial challenge of business models, such as Crime as a Service (CaaS), which provides the attackers with easy access to the tools, programming frameworks, and services needed to conduct cyberattacks [2]. The following sub-sections analyse the key issues that pose significant challenges to the field of DF.

A. Cloud Forensics

The cloud computing paradigm presents many benefits both to the organisations and individuals. One of such advantages relates to the manner in which data is managed by the cloud infrastructure. For instance, data is spread between various data centres to improve performance and facilitate load-balancing, scalability, and deduplication features. Because of this, data requires an efficient indexing so that retrieval and optimisation performance can take place to evade duplication that often contributes to the expansion of storage needs. As a result, evidence left by adversaries is more difficult to eliminate since it can be copied in various locations, rendering the acquisition of evidence and its examination easier to perform.

However, despite its many benefits, cloud computing poses significant challenges to the LEAs and DFEs from a forensic perspective. These include, but are not limited to, problems associated with the absence of standardisation amongst different CSPs, varying levels of data security and their Service Level Agreements [5], [16, 17], multiple ownerships, tenancies, and jurisdictions. Moreover, the distributed nature of cloud computing services presents a variety of challenges to LEAs as data often resides in a number of different jurisdictions. In contrast with traditional DF in which data is held on a single device, within cloud environments data is often spread over multiple different nodes. As a result, LEAs need to rely on local laws to be able to conduct digital evidence acquisition [1], [7], [18]. Therefore, the discrepancy in the legal systems of different jurisdictions combined with the lack of cooperation between CSPs also poses significant challenges from a DF perspective.

In addition, existing DF models, frameworks, methodologies and tools are mainly intended for off-line investigations, designed on the premise that data storage under investigation is within the LEAs’ control [19]. However, performing DFIs within a cloud environment is increasingly challenging as digital evidence is often short-lived and stored on media beyond the control of DFEs [1]. Anonymising tools and distributed data storage in cloud services also enable criminals to cover their malicious activities more easily. Furthermore, the use of features

such as IP anonymity and the ease with which one can sign up for a cloud service with minimal information make it almost impossible to identify criminals in cloud environments [1], [7, 8]. Another challenge for DF is the availability of different models for delivering cloud services (CSs). Specifically, investigating the data of an infrastructure-as-a-service (IaaS) user can be done without too many restrictions, but in the case of customers using software-as-a-service (SaaS) resources, access to information might be minimal or entirely absent.

Last, but not least, accessing a software application through a cloud computing system often leaves traces of evidence in various places on the OS, such as registry entries or temporary Internet files. However, evidence is lost once the user has exited the virtual environment as virtualisation sanitises traces of leftover artefacts. As a result, virtualisation limits the traditional examination of the leftover artefacts, rendering digital evidence traditionally stored on hard drives potentially unrecoverable [20, 21]. Therefore, cloud-based forensic investigations pose significant challenges related to the identification and extraction of evidential artefacts.

B. Network Forensics

A Network Forensic Investigation (NFI) pertains to the acquisition, storage and examination of network traffic (encapsulated in network packets) generated by a host, an intermediate node, or the whole portion of a network in order to establish the source of a security attack. Network traffic objects that require analysis consist of protocols used, IP addresses, port numbers, timestamps, malicious packets, transferred files, user- agents, application server versions, and operating system versions, etc. This data can be acquired from different types of traffic.

Similar to any other sub-fields of DF, NF poses various challenges to DFEs and LEAs. One of the challenges concerns traffic data sniffing. Contingent on the network set up and security measures where the sniffer is installed, the tool is likely not to capture all intended traffic data. However, this challenge can be addressed by utilising a span port on network devices in various places in the network. Another challenge for NF is that an attacker might be able to encrypt the traffic by utilising a SSL VPN connection. In this case, although the address and port will still be visible to DFEs, data stream will not be available. Therefore, additional analysis will need to be carried out so as to establish penetrated data.

Another challenge is determining the source of an attack since an attacker may use a zombie machine, an intermediate host to perform an attack, or simply use a remote proxy server. The deployment of such methods by an attacker makes it very difficult for DFEs to determine the source of the attack. However, this can be remedied by examining each packet only in a basic manner in memory and storing only certain data for future examination. Notwithstanding that this approach necessitates less amounts of storage, it often requires a faster processor to be able to manage the incoming traffic. To capture and analyse evidential network data, DFEs need to use a number of commercial and open-source security applications such as tcpdump and windump. Additionally, ensuring the privacy of legitimate end users is another challenging factor in NF as all

Authorized licensed use limited to: University of the Cumberlands. Downloaded on November 24,2022 at 15:10:21 UTC from IEEE Xplore. Restrictions apply.

packet data including that of the end user is captured during an investigation.

C. Internet of Things (IoT) Forensics

The Internet of Things (IoT) which is supported by the cloud, big data and mobile computing often connects anything and everything ‘online’. The IoT represents the interconnection of uniquely identifiable embedded computing devices within the current Internet infrastructure. Some IoT devices are ordinary items with built-in Internet connectivity, whereas some are sensing devices developed specifically with IoT in mind. The IoT covers technologies, such as: unmanned aerial vehicles (UAVs), smart swarms, the smart grid, smart buildings and home appliances, autonomous cyber-physical and cyber- biological systems, wearables, embedded digital items, machine to machine communications, RFID sensors, and context-aware computing, etc. Each of these technologies has become a specific domain on their own merit. With the new types of devices constantly emerging, the IoT has almost reached its uttermost evolution. With an estimated number of 50 billion devices that will be networked by 2020 [20, 21], it is estimated that there will be 10 connected IoT devices for every person worldwide [22].

IoT-connected devices offer many benefits both individually and collectively. For instance, connected sensors can help farmers to monitor their crops and cattle so as to improve production, efficiency and track the health of their herds. Intelligent health-connected devices can save or significantly improve patients’ lives through wearable devices. For instance, the wearable device developed by Intel can track symptoms of Parkinson's disease patients by passively collecting 300 observations per second from each wearer, tracking various activities and symptoms [23, 24].

However, despite its many benefits, IoT-connected devices pose significant privacy and security challenges as these devices and systems collect significant personal data about individuals. As an example of privacy challenge, employers can use their employees’ security access cards to track where they are in the building to determine how much time the employees spend in their office or in the kitchen. Another example relates to smart meters that can determine when one is home and what electronics they use. This data is shared with other devices and stored in databases by companies. In relation to the security challenges, due to the constant emergence of new and diverse devices with varied OSs as well as the different networks and related protocols, IoT produces a wider security attack surface than that created by cloud computing. Examples of cyberattacks that can be carried out on IoT devices include: intercepting and hacking into cardiac devices such as pacemakers and patient monitoring systems, launching DDoS attacks using compromised IoT devices, hacking or intercepting In-Vehicle Infotainment (IVI) systems, and hacking various CCTV and IP cameras. Therefore, security is of paramount importance for the secure and reliable operation of IoT-connected devices.

Although IoT uses the same monitoring requirements similar to those utilised by cloud computing, it poses more security challenges resulting from issues such volume, variety and velocity. Furthermore, DFIs of IoT devices can be even more

difficult than those of cloud-based investigations as more complex procedures are needed for investigation of these devices.

IoT Forensics must involve identification and extraction of evidential artefacts from smart devices and sensors, hardware and software which facilitate a communication between smart devices and the external world (such as computers, mobile, IPS, IDS and firewalls), and also hardware and software which are outside of the network being investigated (such as cloud, social networks, ISPs and mobile network providers, virtual online identities and the Internet). However, extracting evidential artefacts from IoT devices in a forensically-sound manner and then analysing them tend to be a complex process, if not impossible, from a DF perspective. This is due to a variety of reasons, including: the different proprietary hardware and software, data formats, protocols and physical interfaces, spread of data across multiple devices and platforms, change, modification, loss and overwriting of data, and jurisdiction and SLA (when data is stored in a cloud). Thus, determining where data resides and how to acquire data can pose many challenges to DFEs.

For instance, the DF analysis of IoT devices used in a business or home environment can be challenging in relation to establishing whom data belongs to since digital artefacts might be shared or transmitted across multiple devices. In addition, due to the fact that IoT devices utilise proprietary formats for data and communication protocols, understanding the links between artifacts in both time and space can be very complex. Another challenge related to the DFI of IoT devices concerns the chain of custody. In civil or criminal trial, collecting evidence in a forensically sound manner and preserving chain of custody are of paramount importance. However, ownership and preservation of evidence in an IoT setting could be difficult and can have a negative effect on a court’s understanding that the evidence acquired is reliable.

Furthermore, existing DF tools and methods used to investigate IoT devices are designed mainly for traditional DF examining conventional computing devices such as PCs, laptops and other storage media and their networks. For instance, the current methods utilised to extract data from IoT devices include: obtaining a flash memory image, acquiring a memory dump through Linux dd command or netcat, and extracting firmware data via JTAG and UART techniques. Moreover, protocols such as Telnet, SSH, Bluetooth and Wi-Fi are deployed to access and interact with IoT devices. Likewise, tools such as FTK, EnCase, Cellebrite, X-Ways Forensic and WinHex, etc. and internal utilities such as Linux dd command (for IoT devices with OSs such as embedded Linux) are used to extract and analyse data from IoT devices. However, the forensic investigation of IoT devices necessitates specialised handling procedures, techniques, and understanding of various OSs and file systems. Additionally, by using conventional Computer Forensic tools to conduct IoT Forensics, it would be highly unlikely to maintain a chain of custody, the adherence to which is required by the Association of Chief Police Officers [25], concerning the collection of digital evidence.

Therefore, to deal with the aforementioned challenges posed by IoT-connected devices, cloud cybersecurity will need to be

Authorized licensed use limited to: University of the Cumberlands. Downloaded on November 24,2022 at 15:10:21 UTC from IEEE Xplore. Restrictions apply.

reviewed since each IoT device produces data that is stored in the cloud. Cloud cybersecurity policies must be blended with IoT infrastructure so as to provide timely responses for suspicious activities [20]. They must be reviewed in relation to evidence identification, data integrity, preservation, and accessibility. CSPs will need to ensure the integrity of the digital evidence acquired from cloud computing components in order to facilitate an unbiased investigation process in establishing the root cause of the cyberattack in IoT. Therefore, as the IoT paradigm is further developed, it becomes necessary to develop adaptive processes, accredited tools and dynamic solutions tailored to the IoT model.

D. Big Data and Backlog of Digital Forensic Cases

Another key challenge that the field of DF is currently facing pertains to the substantial and continuing increase in the amount of data, i.e. big data – both structured and unstructured – acquired, stored and presented for forensic examination. This data is collected from a variety of sources such as digital devices, networks, cloud, IoT devices, social media, sensors or machine- to-machine data, etc. In particular, this challenge is relevant to live network analysis since DFEs are unlikely to acquire and store all the essential network traffic [2], [10]. This growth in data volume is the consequence of the ongoing advancement of storage technology such as growing storage capacity in devices and cloud storage services, and an increase in the number of devices seized per case. Consequently, this has resulted in an increase in the backlog of DF cases that are awaiting (often many months or years in some cases) investigations. The backlog of DF cases necessitating investigation has had a seriously adverse impact on the timeliness of criminal investigations and the legal process. The delays of up to 4 years in performing DFIs on seized digital devices have been reported to have significant effect on the timeliness of criminal investigations [5], [11], [26]. Due to such delays, some prosecutions have even been discharged in courts. This backlog of DF cases is predicted to increase due to the modern sources of evidence such as those of IoT devices and CBSs.

To address the aforementioned issues, i.e. the 3Vs of the big data, including: volume, variety and velocity, researchers have, in recent years, proposed various solutions ranging from data mining [27, 28, 29], data reduction and deduplication [27], [30, 31], triage [12], [32, 33, 34], increased processing power, distributed processing [35, 36], cross-drive analysis [31], artificial intelligence, and other advanced methods [30]. Despite the usefulness of these solutions, additional research studies are required to address the real-world relevance of the proposed methods to deal with the data volume that gravely challenges the field of DF. Therefore, it is of paramount importance to implement several practical infrastructural enhancements to the existing DF process. These augmentations should cover elements such as automation of device collection and examination, hardware-facilitated heterogeneous evidence processing, data visualisation, multi-device evidence and timeline resolution, data deduplication for storage and acquisition purposes, parallel or distributed investigations and process optimisation of existing techniques. Such enhancements should be integrated to assist both law enforcement and third- party providers of DF service to speed up the existing DF

process. The implementation of the stated elements can significantly assist both new and augmented forensic processes.

E. Encryption

According to a survey conducted by the Forensic Focus [37], data encryption in addition to Cloud Forensics (discussed previously) are the most difficult challenges encountered by DFEs. Encryption is the fastest method used to prevent access to data held on a device. There exist numerous encryption methods that can be implemented on a system or its peripherals. Increase in storage devices has resulted in the creation of tools capable of encrypting the entire volume of a hard drive. Encryption can also be performed on an application, a folder, a cloud service, mobile devices, and data stored in a database or transmitted through email, etc. Concerning network-based data hiding, this can be facilitated through methods such as Virtual Private Network (VPN) tunnelling and the utilisation of proxy servers and terminal emulators. Regardless of data being stored in an unknown server in the cloud or on the perpetrator’s computer’s encrypted hard drive, encryption often makes it impossible for DFEs to acquire data essential for a DFI. Although such technologies are not unbeatable, they often necessitate large amount of time and luck to be bypassed [32], [38, 39].

Since many of the encryption schemes are implemented to resist brute-force attacks, it is, therefore, of paramount importance that researchers be able to design certain workarounds and exploits in order to be able to overcome encryption and acquire evidence from encrypted devices. Depending on the type of digital device involved, forensic challenges of encrypted devices differ. There are currently several exploits that DFEs can leverage to overcome encryption in DFIs. For instance, DFEs can decrypt a BitLocker volume by determining the correct Microsoft Account password. This can be achieved by recovering the matching escrow key directly from Microsoft Account. There are various tools and methods (the discussion of which is outside the scope of this paper) for retrieving the password. Another method of exploit used by the researchers is to conduct RAM Forensics (imaging the RAM) using a tool such as Belkasoft Live RAM Capturer and then draw out a binary decryption key from that RAM image. Using this method enables DFEs to bypass encryption and identify malware that is not placed in persistent storage. For instance, full-disk encryption on Windows desktop computers (BitLocker) can be attacked by imaging the RAM through a kernel-mode tool while the volume is mounted and examining that memory image to acquire the binary decryption key. This facilitates mounting BitLocker volumes in a short period of time.

However, the development of RAM Forensic tools as noted by Garfinkel [32] is more challenging than the creation of disk tools. Data stored in disks is persistent and intended to be read back in the future. However, data written to RAM can only be read by the running program. Garfinkel [32] argues that as a result there is less desire “for programmers to document data structures from one version of a program to another”. Therefore, issues as such can complicate the tasks of tool developers.

Authorized licensed use limited to: University of the Cumberlands. Downloaded on November 24,2022 at 15:10:21 UTC from IEEE Xplore. Restrictions apply.

F. Limitations in DF Tools and Lack of Standardisation

Existing DF tools and techniques are also limited in their functionality and are poorly appropriate to the task of identifying data which is “out-of-the-ordinary, out-of-place, or subtly modified” [32], [40]. Traditional DF tools, techniques and methods often lag behind new emerging technologies lacking adequate capabilities to address the resultant challenges presented by these technologies. Although current DF tools might be able to handle a case containing several terabytes of data, they are incapable of putting together terabytes of data into a succinct report. Furthermore, it is challenging to employ DF tools to recreate a unified timeline of past events or the activities of a culprit. Event and timeline reconstructions are often conducted manually during a given DFI. DF tools are also often slow to conduct data analysis. Furthermore, the task of creating digital documents which can be presented in courts has had an adverse effect on the production of DF methods that could process data that is not easily available [32], [41].

With regards to the lack of standardisation in DF, although researchers in the field have made some attempts to agree on formats, schema, and ontologies on DF artefacts, very little progress have been made, if any [15], [42, 43, 44]. This is while analysis of advanced cyber-attacks often necessitates concerted efforts to deal with the processing of complex data. In most cases such cooperation does not exist amongst DFEs and DF researchers alike. As a result, the diversity problem arising from the absence of standardised methods and guidelines to detect, acquire, store, examine, analyse and present digital evidence also pose significant challenges for DFIs [45, 46]. The lack of formal and generic Digital Forensic Investigation Process Models (DFIPMs) also contribute to the intricacy of acquiring and analysing digital evidence in a forensically sound manner [42]. Therefore, it is essential that DF community engage in more collaborations to create effective standard formats and abstractions.

III. RESEARCH DIRECTIONS

A. IoT Forensics

The Identification, Acquisition and Analysis (main phases of a conventional DFI) of digital evidence in IoT environments pose significant challenges to LEAs and DFEs. In relation to the identification of a particular user’s data, it would be difficult for investigators to determine how to conduct search and seizure when the location and provenance of data (representing potential digital evidence) cannot be determined. One of the ways to address this challenge is to integrate the IoT device data into Building Information Modelling. Thus, the research community can consider this as a research opportunity to be explored.

With regards to the problems of extracting a specific user’s data in IoT devices, the volatility of evidence in these devices is more complex than the evidence volatility in traditional devices. In IoT environments, data might be held locally by an IoT device. In this case, the lifespan of the data is very short before it is overwritten or compressed. Furthermore, digital evidence (data) from an IoT device might be shifted and used by another IoT device (or a local network of IoT-connected devices), or it might be moved to the cloud for aggregation and processing. As

a result, the transmission and aggregation of evidence poses significant challenges for maintaining the chain of evidence. To deal with this challenge, we propose the development of new investigation methods that can track and filter the transfer of data across IoT-connected devices as supported by (Hegarty et al., 2014). Such methods can then pave the way for the acquisition of data that have been altered or deleted. Therefore, the creation of such techniques should be considered as a new research opportunity for further exploration

In terms of the challenges of the analysis process, IoT devices produce large amounts of data which are stored in large- scale distributed cloud environments. If this data requires Digital Forensic analysis, first it needs to be imaged in order to adhere to the principles of ‘forensically-sound investigations’. However, from a technical point of view, the imaging of such data (representing potential digital evidence) using the existing conventional DFI procedures is not a feasible acquisition process. This is due to the scale, distribution and remote nature of such data, generated by IoT and stored in the cloud. As a result, new

Related Tags