Cloud computing is just one of many recent technologies that have highlighted shortcomings in the development of formal digital forensic processes, which up until now have been focused on a particular group of practitioners, such as law enforcement, and have been too high-level to be of significant practical use, or have been too detailed and specific to accommodate new technology as it emerges. Because the tools and procedures employed by digital forensic practitioners are generally outside the knowledge and understanding of the courts, they need to be described in such a way that they can be understood by the layperson. In addition, they should also conform to some standards of practice and be recognised by other practitioners working in the field (Armstrong, 2003; Kessler, 2010). Unfortunately, as Cohen (2011) points out, the whole field of digital forensics lacks consensus in fundamental aspects of its activities in terms of methodology and procedures. There has been a lot of activity around different aspects of cloud computing, and in Australia this has centered on the protection of personal data (Solomon, 2010). On an international scale, there have been several articles written by lawyers (Gillespie, 2012; Hutz, 2012; Kunick, 2012) discussing other legal considerations of accessing data in the cloud; however, this chapter looks at the issues surrounding digital evidence acquisition and introduces a new high-level process model that can assist digital forensic practitioners when it comes to presenting evidence in court that originated in the cloud.
TopBackground
Given the pervasive nature of information technology the nature of evidence presented in court is less likely to be paper-based and in most instances will be in electronic form (Stanfield, 2009). However, evidence relating to computer crime, regardless of definition, is significantly different from that associated with the more ‘traditional’ crimes for which there are well-established standards and procedures (Smith, Grabosky, & Gregor Urbas, 2004; Stanfield, 2009).
In Australian courts, the admissibility of evidence is governed by both statute and common law. Each state and territory have their own Evidence Act, with some combined to echo the Federal (Commonwealth) Evidence Act. The general principle adopted by these courts for copies of documents presented as evidence is that a copy of a document is recognised as equivalent to the original and that this applies to computer records. As with other types of evidence, the courts make no presumption that such evidence is reliable without some evidence of empirical testing in relation to the theories and techniques associated with the production of the copy (Mason, 2007). Edmond states that “…reliability assessments should focus on the technique and its accuracy (as well as the proficiency of the operator/analyst)” (Edmond, 2010, p. 94). This issue of reliability means that courts pay close attention to the manner in which electronic evidence has been obtained and in particular the process in which the data is captured and stored (Cohen, 2011; Grant v Marshall FCA 1161, 2003; Hargreaves, 2009; Kessler, 2010; Mason, 2007).
Because the tools and procedures employed by digital forensic practitioners are generally outside the knowledge and understanding of the courts and juries they need to be described in such a way that they can be understood by the layperson. In addition, they should also conform to some standards of practice and be recognised by other practitioners working in the field (Armstrong, 2003; Kessler, 2010). Courts may apply methods used for testing scientific evidence to digital evidence presented before them and this is commonly based on American practice (Abdullah, Mahmod, Ghani, Abdullah, & Sultan, 2008; Beebe & Clark, 2004; Palmer, 2001; Peisert, Bishop, & Marzullo, 2008; Stanfield, 2009; Moles, 2007; Stephenson, 2003). In this regard it is the practice of American Courts, when seeking to determine the reliability of scientific evidence, to apply the Daubert Test, named after the Daubert v Merrell Dow Pharmaceuticals case (Supreme Court of the United States, 1993). In this case the US Supreme Court determined that it was the duty of a trial judge to scrutinise evidence, particularly if it is of an ‘innovative or unusual scientific’ nature to ensure that it meets with the requirements of the Federal Rule of Evidence 702. This has been identified as the judge taking on the role of ‘gatekeeper’ (Kessler, 2010).
Based on the Federal Rule of Evidence 702 the process for determining the admissibility of evidence requires that any expert testimony must be derived from “scientific knowledge.” However, “scientific knowledge” itself requires that “sound scientific methodology” has been applied based on the “scientific method” and this led to the court in the Daubert v Merrell Dow Pharmaceuticals case establishing what has become known as the Daubert Test. In practice the Daubert Test is often summarised as four components that provide clarity around determination of ‘sufficient facts or data’ and ‘reliable principles and methods’ (Gosh, 2004a; Stephenson, 2003):
- 1.
Whether the theory or technique in question can be and has been tested.
- 2.
Whether it has been subjected to peer review and publication.
- 3.
Its known potential rate of error along with the existence and maintenance of standards controlling the technique’s operation.
- 4.
The degree of acceptance within the relevant scientific community