Master Thesis - Diva-portal.org
Master Thesis
Network Forensics, 60 credits

AUTOMATED CROSS-BORDER MUTUAL LEGAL ASSISTANCE IN DIGITAL FORENSIC (AUTOMLA)
A global realized Enterprise Architecture

Digital Forensics, 15 credits
Auckland, New Zealand, 2021-06-02
Jonas Henriksson
HALMSTAD UNIVERSITY
AUTOMATED CROSS-BORDER MUTUAL LEGAL ASSISTANCE IN DIGITAL FORENSIC (AUTOMLA)
A global realized Enterprise Architecture

Abstract

Organized cybercrime has no borders in cyberspace. This paper suggests a state-of-the-art architected solution for a global automated cross-border mutual legal assistance system within digital forensics (AUTOMLA). The enterprise framework with a technical viewpoint enables international collaboration between the Fusion Centers of sovereign countries. The evaluation concludes on a user interface built in React and the Apollo middleware with schema support, linked to the graph database Neo4j. GraphQL is the preferred application protocol over REST. Fusion Center APIs are deployed as federated gateways, and business functions are implemented as serverless PaaS services. Modeling forensics intuitively in graphs and semantic networks enables causality and inference. All suggested elements of AUTOMLA form an internationally agreed collaborative platform: the solution for fast cross-border crime investigations. AUTOMLA deployed on the Internet is subject to threats; risks are mitigated in the design, guided by security frameworks. The recommended development method is agile, distributed between autonomous teams.

Jonas Henriksson
mob.jonhen@gmail.com
Halmstad University
Course: Master program Network Forensics 2020-2021
Assignment: Master thesis
Author: Jonas Henriksson
Date: 2021-06-02
Version: 0.6
Reviewed by: Eric Järpe
Review date: 2021-05-11
Keywords: Digital Forensic, Mutual Legal Assistance, Enterprise Architecture, System of Systems, Incident Command System, Fusion Center, Semantic Network, GraphQL, React, Cloud, Graph Database, Apollo, REST, Security

The frontpage border is a traditional Polynesian tattoo pattern made from the standard elements turtle shell, enata and spearhead. The design tells the story of the tattoo owner. Some tattoos form a more prominent image like a manta or tiki, but the essential elements are always the same. There are similarities between architecture descriptions and Polynesian tattoos: the tattoo owner is the stakeholder, and the tattoo artist is the architect and language expert. Symbols in a context form an ancient, traditional, standardized language, defined differently in many human cultures.

This master thesis is dedicated to all kinds of explorers.
Jonas Henriksson | Great Barrier Island, New Zealand | March 2021

Version history
Version  Date        Who               Description
0.1      2021-03-31  Jonas Henriksson  Created
0.2      2021-04-16  Jonas Henriksson  Updated after Review #1 Mark Dougherty
0.3      2021-05-02  Jonas Henriksson  Updated after Review #2 Mark Dougherty
0.4      2021-05-07  Jonas Henriksson  Layout, Figure references, submitted version
0.5      2021-05-13  Jonas Henriksson  Removed Figure 5, 6, 7, 8, 9, 10, 19 and Table 3 after Review #3 Eric Järpe
0.6      2021-06-02  Jonas Henriksson  Minor changes like clarifying some Figures, added Method overview in section Method, added Climate change in section Further work. Replaced personal address with work, project, assignment.

JONAS HENRIKSSON 1
Table of contents

AUTOMLA ... 4
1 Introduction ... 4
1.1 Problem ... 5
1.2 Purpose ... 6
1.3 Audience ... 6
1.4 Limits ... 6
1.5 Method ... 6
1.6 Plan ... 8
1.7 Risk analysis ... 13
1.8 System quality attribute evaluation ... 13
2 Related work ... 15
2.1 Legal systems and transborder treaties ... 15
2.2 The powers of the Cloud ... 16
2.3 Metadata and provenance ... 18
2.4 Cloud Forensics ... 18
2.5 System-of-systems (SoS) ... 20
2.6 Incident Command System ... 20
2.7 Enterprise Architecture Modeling Language ... 21
2.8 Ontology overview ... 22
3 AUTOMLA ... 23
3.1 Architecture ... 26
3.2 Motivation AUTOMLA ... 27
3.3 Collaboration AUTOMLA ... 30
3.4 Service Level Agreement ... 31
3.5 Business functions AUTOMLA ... 32
3.6 Business entities AUTOMLA ... 34
3.7 Semantic network AUTOMLA ... 35
3.8 Technical viewpoint AUTOMLA ... 36
3.9 Risk and security AUTOMLA ... 38
4 Evaluation ... 41
4.1 Willingness evaluation ... 42
4.2 Enterprise Modeling evaluation ... 43
4.3 Technical evaluation ... 44
4.4 Method evaluation ... 47
4.5 Evaluation summary ... 48
5 Conclusion ... 49
6 Further work ... 50
References ... 51
AUTOMLA

1 Introduction

Organized cybercrime has no borders in cyberspace. Imagine a virtually connected system-of-systems (SoS) scenario where organizations or individuals create digital instances of virtual superpowers with a single credit card. Those temporary platforms for fraud and invasion of privacy can rapidly come into existence and vanish within hours. All computing assets like powerful GPUs[1], storage, RAM, network and applications can be defined with standardized code templates in the service-oriented architecture at Cloud Service Providers (CSP). This enables powerful collaborating SoS that execute all over the planet. There are no physical disks to investigate; they probably only existed for some hours before being erased. With these powers, criminals can decrypt sensitive governmental information assets like documents, images or videos and use that compromising material in a racketeering[2] scheme. In this racket, the criminal organization enables corruption in society. Investigating teams within an Incident Command System (ICS) have a challenging task acquiring time-lined evidence over several computing artifacts. Transborder criminal activity can span several CSPs in different societies and legal systems. The scenario in which a cloud DevOps[3] function within a criminal organization deploys software-coded rackets is not unlikely: a connected criminal SoS, coded and illegally purposed, from infrastructure to applications.

[1] A graphics processing unit can perform parallel operations on multiple sets of data such as video or machine learning.
[2] A racket is an organized criminal act; conducting a racket is racketeering.
[3] DevOps is a set of practices that combines software development (Dev) and IT operations (Ops).
Transborder law enforcement authorities (LEA) need emergent capabilities when criminals use the concept of a virtual SoS. This kind of criminal can raise temporary global superpowers in hours. The continuous, globally connected interpolicing process of an ICS needs fast, regulated, cooperative access to all CSPs' computing assets. Obtaining evidence in those situations requires immediate automated cross-border mutual legal assistance, the AUTOMLA. The suggested contribution in the short Forensic project assignment was the contours of the system AUTOMLA (Henriksson, 2020). This automated capability will connect legal systems and societies worldwide to enable local subpoenas or warrants to acquire and restore evidence. An AUTOMLA system can be added to and join an ICS. This paper engineers the previous contours of a solution into an architected SoS as an agile, state-of-the-art, collaborating open-source platform.

1.1 Problem

Acquiring cross-border permission for digital forensic evidence is mandatory because countries are sovereign entities of jurisdiction. Asking for permission can be a complex procedure when jurisdictions and agreements differ between countries. This rule-based process is a good candidate for automation based on a generic, attributed set of rules.

• What architecture is the current state-of-the-art for transborder collaboration?
• Can a global collaboration solution be designed?
  o What kind of requirements are there for a collaborating system?
• Which relevant alternate solutions should be compared with AUTOMLA?
  o Jack Reacher suggested in a movie from 2012: "I like to have at least one alternate theory"[4]
• Who are the stakeholders?
• What is inside the environment of AUTOMLA and what is outside?
• How do you choose among alternatives that all fulfill the requirement?
• How willing are sovereign countries to collaborate?
  o How to compare the willingness of collaboration between countries?
• What are the attributes and rules for AUTOMLA?
• How to define an evaluation model from system quality attributes?
• What are the risks and how to mitigate those hazards?
  o Where is the highest risk, in a system with low or high interaction?
• Is performance a concern for AUTOMLA?
• How to implement a modern version of the "crazy wall"[5]?
• Why are agile iterations the preferred working methodology?
  o Why is "failing fast" a good approach?
• How to enable interoperability?
• What is the definition of architecture?

[4] https://www.imdb.com/title/tt0790724/
[5] Crazy wall = evidence board

1.2 Purpose

The purpose of the master thesis is to architect and engineer AUTOMLA. The solution will show the emergent capabilities that enable transborder law enforcement teams to work efficiently when seeking direct access to evidence in other countries.

1.3 Audience

This paper is a mix of conceptual and technical content but tries to use technology-neutral language as much as possible. The architecture language in this paper follows industry standards. There are references to architecting literature if the reader gets inspired by this powerful tool.

1.4 Limits

• No external stakeholders except Halmstad University
• No implementation details; this is a paper about architecture
  o No load testing
  o No detailed volumes

1.5 Method

Method overview:
• V-Model
• Agile
  o Iterative
  o Fail-Fast
• Work Breakdown Structure
• System viewpoints
• System-of-systems
• Two alternative theories and solutions
The overall working process is a V-model (GeeksforGeeks, 2020), suggesting an agile, iterative process with gradient verification and validation steps (Babar, Brown, Mistrik, & Mistrik, 2013), see Figure 1. A project should try failing fast to detect design problems and learn from them for the next iteration (McGrath, 2020). This work presents the activities in a Gantt-charted waterfall model; working agile is not like that. There is a significant risk in working in a feed-forward loop, because many hidden problems will be pushed forward and exposed at the end. It is cheaper to change the overall design early than to re-design a delivered project that was not responsive and missed the goal.

Figure 1 - Agile, iterative V-model development

1. Project plan with clear purpose and goal
   1.1. Risk analysis and mitigation of the plan
2. Foundation is the architectural viewpoints and views; iterate design and validation of the architecture. Create measures of the system qualities.
3. Dynamic modeling of the architecture for simulation of system dynamics and agents
   3.1. Feature selection for experiment data collection
4. Experiment
   4.1. Collect and aggregate data from the simulation
5. Report finalizing by
   5.1. Creating a draft for peer review
   5.2. Finalizing the paper
Figure 2 - Report foundation (stacked layers, top to bottom: Report, Experiment, Dynamics, Architecture)

1.6 Plan

1. Work breakdown structure
2. Plan
   2.1. Activities
   2.2. Communication plan
3. Risk analysis
1.6.1 Work Breakdown Structure

Hierarchical view of products to deliver in the project (Norman, Brotherton, & Fried, 2011).

Thesis
  1. Plan: 1.1 Purpose & Goal, 1.2 Detailed plan, 1.3 Risk analysis, 1.4 Peer review
  2. Research: 2.1 Read, 2.2 Notes
  3. Architecture definition: 3.1 Viewpoints, 3.2 Validation, 3.3 Peer review
  4. Dynamic modeling: 4.1 System, 4.1 Agent, 4.2 Peer review
  5. Experiment & Iterate: 5.1 Tool, 5.2 Measures, 5.3 Peer review, 5.4 Run experiment, 5.5 Collect & aggregate, 5.6 Evaluate
  6. Report: 6.1 Draft, 6.2 Peer review, 6.3 Final version

Figure 3 - Thesis Work Breakdown Structure (WBS)
1.6.2 Aggregated activities

Aggregated areas of activities are presented as a stack in Figure 4. The aggregate day count is 163, and the most significant project area is the experiment. The activity-stack day count is derived from the tasklist in the next section. The tasks are worked from the bottom, starting with task area 1 and finishing with activity area 6. The first agile loop is task areas 1-3, the second agile loop is areas 3 and 4, the third loop is area 5 and the last loop is area 6.

Area          Start       End         Days
6.Report      2021-04-30  2021-05-29  29
5.Experiment  2021-03-24  2021-04-30  37
4.Dynamic     2021-03-07  2021-03-24  17
3.Architect   2021-02-10  2021-03-07  25
2.Research    2021-01-14  2021-02-10  27
1.Plan        2020-11-09  2020-12-07  28

Figure 4 - Aggregated plan of activities (stacked day count per area, 163 days in total)
1.6.3 Tasklist

The tasklist in Table 1 is derived and detailed from the WBS in Figure 3.

Column    Description
Category  Activity, Goal, Milestone
Who       Person {Writer, Reviewer}
Progress  Percent done of activity: 0% - Not started, 50% - Started, 90% - Almost done, 100% - Done
Start     Start date (stop date is derived from Days)
Days      Calendar days, not the same as working hours
Task                          Category   Who       Progress  Start       Days
1.Plan
1.1 Purpose & Goal            Low risk   Jonas     100%      2020-11-09  1
1.2 Detailed plan             Low risk   Jonas     100%      2020-11-15  3
1.3 Risk analysis             Low risk   Jonas     100%      2020-12-01  1
1.4 Plan delivery             Goal       Jonas     100%      2020-12-07  1
1.5 Peer review               High risk  Reviewer  100%      2020-12-14  1
2.Research
2.1 Read                      Low risk   Jonas     100%      2021-01-14  14
2.2 Notes                     Low risk   Jonas     100%      2021-01-28  10
2.3 Review                    Low risk   Jonas     100%      2021-02-07  3
2.4 Plan update               Low risk   Jonas     100%      2021-02-10  1
3.Architecture
3.1 Viewpoints                Mid risk   Jonas     100%      2021-02-11  3
3.2 Views                     Mid risk   Jonas     100%      2021-02-14  10
3.3 Validation                Mid risk   Jonas     100%      2021-02-24  2
3.4 Review                    Mid risk   Jonas     100%      2021-02-26  3
3.5 Peer Review               High risk  Reviewer  100%      2021-03-01  1
3.6 Plan update               Low risk   Jonas     100%      2021-03-05  1
3.7 Architecture delivery     Goal       Jonas     100%      2021-03-06  1
4.Dynamic modeling
4.1 System dynamics           High risk  Jonas     0%        2021-03-07  4
4.2 Agent dynamics            High risk  Jonas     0%        2021-03-11  4
4.3 Validation                High risk  Jonas     0%        2021-03-15  3
4.4 Review                    High risk  Jonas     0%        2021-03-18  3
4.5 Plan update               Low risk   Jonas     0%        2021-03-21  3
4.6 Dynamic delivery          Goal       Jonas     0%        2021-03-24  1
5.Experiment
5.1 Tool                      High risk  Jonas     100%      2021-03-25  5
5.2 Measures                  High risk  Jonas     100%      2021-03-30  3
5.3 Peer review               High risk  Reviewer  100%      2021-04-02  1
5.4 Run Experiment            High risk  Jonas     100%      2021-04-03  5
5.5 Collect data              Mid risk   Jonas     100%      2021-04-08  5
5.6 Aggregate data            Mid risk   Jonas     100%      2021-04-13  5
5.7 Evaluate                  Mid risk   Jonas     100%      2021-04-18  3
5.8 Review                    Low risk   Jonas     100%      2021-04-23  3
5.9 Plan update               Low risk   Jonas     100%      2021-04-26  3
5.10 Experiment delivery      Goal       Jonas     100%      2021-04-29  1
6.Report
6.1 Write Draft               High risk  Jonas     100%      2021-04-30  7
6.2 Review Draft              Low risk   Jonas     100%      2021-05-07  3
6.3 Peer review Draft         High risk  Reviewer  100%      2021-05-10  1
6.4 Write Final report        Mid risk   Jonas     100%      2021-05-11  14
6.5 Review Final report       Low risk   Jonas     100%      2021-05-25  3
6.6 Peer Review Final         High risk  Reviewer  100%      2021-05-28  1
6.6 Master Thesis delivery    Goal       Jonas     100%      2021-05-29  1

Table 1 - Detailed plan of activities

1.6.4 Communication plan

• The project will send the current material or report several days in advance, before each supervisor review
• The project will prepare a presentation for each peer review
• Each peer review will be booked in advance
• Each review will be a Zoom meeting no longer than 1 hour
• All feedback and issues will be noted with actions

1.7 Risk analysis

Identified risks are also opportunities; it is essential to identify the hazards and plan mitigations for them, as in Table 2. A project can assess the risks in architectural models using a framework (Rasmussen, 2020). That is out of scope for this work.

Task: Plan
  Risk: No plan, missing tasks, long sprints (Mid)
  Consequence: Can't deliver a report on time, fail too late
  Mitigation: Peer review of plan, detailed planning, focused purpose and goal, timeboxed activities, short sprints

Task: Workflow
  Risk: Waterfall workflow (High)
  Consequence: Engineered solution fails in the end
  Mitigation: Agile work process, Fail Fast, demo and feedback, skeleton solution, peer review

Task: Peer review
  Risk: Not enough review of paper (Med)
  Consequence: Low-quality report
  Mitigation: Plan and commit reviewer(s) milestones in advance

Task: Modeling
  Risk: Viewpoints, views, dynamics (High)
  Consequence: Experiment data of low quality
  Mitigation: Test and validate models iteratively

Task: Experiments
  Risk: Measures, model, tools (High)
  Consequence: Experiment data of low quality
  Mitigation: Test and validate experiments iteratively

Task: New tools and subjects
  Risk: More work than planned (High)
  Consequence: Engineered solution fails, missed deadlines
  Mitigation: Learn about new areas as soon as identified

Table 2 - Risk analysis

1.8 System quality attribute evaluation

How does a project choose among alternatives that all fulfill the requirement? Compare their values on relevant system quality attributes and correlate their rating on a simple scale: 0 (Low) to 3 (High). System quality attributes can be found in standards (Mistrik, Bahsoon, Eeles, Roshandel, & Stal, 2014). This project chose some of the suggested attributes and also added some qualities.
There are more standardized evaluation methods, e.g. Attribute Driven Design (ADD) presented by (Mistrik, Bahsoon, Eeles, Roshandel, & Stal, 2014). Those are out of the scope of this paper. There is also a risk that an extensive evaluation method hinders organic and agile evolution. In this assignment, a simpler process and scale than ADD are used. This project set the scores from experience as an expert. That creates prepared and concrete input for discussions with stakeholders: more engaging and less abstract. One can always scale up the research and data collection using the more formal ADD. The suggested simplified and engaging method can be used by experienced teams and is more agile than a heavier, theoretical waterfall investigation that risks missing its goal in the end. The most crucial suggestion is to find efficient means with structured methods.

List of relevant qualities for AUTOMLA:
• Interoperability
  o Collaboration
• Willingness
• Autonomy
• Security
  o Confidentiality
  o Integrity
  o Availability
  o Vulnerability
• Serviceability
• Agility
• Simplicity
• Operability
• Conceptual
• Technical
2 Related work

This master thesis is a continuation of the short project Automated cross-border mutual legal assistance system (AUTOMLA). That paper's related work was drawn from published articles and trusted web services like Elsevier or IEEE Xplore. This section explains concepts such as:

• Legal systems
• Cloud architecture
• Metadata and provenance
• Cloud forensics
• System-of-systems (SoS)
• Incident Command System
  o Fusion center
• Enterprise Architecture Modeling Language
• Ontology overview

2.1 Legal systems and transborder treaties

Cloud service providers exist on all continents in distributed datacenters running all sorts of software. Datacenters execute in different kinds of political and legal systems around the planet: decentralized political systems like the US federated states or the European Union (EU), or centralized societies like China or Russia. One way to differentiate those societies is to compare their legal systems. The US follows the system of common[6] law, where the lawyer does the heavy lifting. In a centralized state like China, the judge decides in most cases. That also enables automated Internet courts (China Government, 2020). US data centers are regulated by local federal state laws, not controlled by a common data protection law like the EU's GDPR[7]. China has no clear direction, like GDPR, that protects its citizens' data and privacy (Roberts, et al., 2020). Laws and regulations constrain how to get access to the digital assets, of various information classifications, in the cloud data center.

[6] Common law is the body of law derived from judicial decisions of courts.
[7] The General Data Protection Regulation is guidelined restrictions on collecting and processing personal information in the EU.
An investigator needs a search warrant to recover suspected criminal data in computers or electronic media in the US. It is most probably not like that in China (Roberts, et al., 2020). To do transborder investigations, you need international treaties between countries like the Budapest Convention[8]. The US has signed the Convention on Cybercrime[9] but China has not. Both have Interpol offices, however, which is another option for law enforcement's transborder cooperation (Interpol, 2020). In the EU, there is ENISA[10] for partnership between national-level agencies and investigations. International openness can be further expanded by following standards that enable technical and legal interoperability, such as the European Interoperability Framework[11] or the NATO Interoperability Standards and Profiles[12]. IEEE defines interoperability as "…the ability to exchange data and to make use of these data within the receiving system." It is not enough to exchange information to fulfill interoperability; there must be action on the data as well.

2.2 The powers of the Cloud

This section describes the generic recognized definitions of the Cloud environment. (NIST, 2020) defines "cloud computing as a model for enabling ubiquitous[13], convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or [Cloud] service Provider interaction." (p. 3). The rapid provision and release are the emergent capabilities of the Cloud. A business can deploy and remove systems with as little as a valid credit card.

Service models presented by (Almulla, Iraqi, & Jones, 2014):
• Software as a service (SaaS), e.g. Microsoft Office 365
• Platform as a service (PaaS), the development platform is provided as a service, e.g. Microsoft Azure

[8] (European Union, 2020)
[9] The Convention on Cybercrime and the Budapest Convention [Treaty 185] are the same, and are about enabling transborder cooperation between nations.
[10] https://www.enisa.europa.eu/
[11] https://ec.europa.eu/isa2/home_en
[12] https://nhqc3s.hq.nato.int/Apps/Architecture/NISP/
[13] Ubiquitous computing is the concept of computing that can appear anytime and everywhere.
• Infrastructure as a service (IaaS), storage and hardware are delivered as a service, e.g. Amazon Simple Storage (S3)

Deployment models:
• Public, owned by the CSP
• Private, owned by the user
• Community, shared between organizations
• Hybrid, a combination of public and private Cloud

Each deployment model of cloud services can be provided as SaaS, PaaS or IaaS (pp. 8-9). The cloud environment is built on top of a distributed system of data[14] that can span the whole planet across the continents. The data center is, in the end, one of the forensic targets and challenges for law enforcement.

2.2.1 Software-defined datacenter

A software-defined data center (SDDC) abstracts computing, storage and network. This means an added abstraction layer that presents hardware as software; the data center and infrastructure can be coded and controlled for fast, repeatable deployment and removal. "In general software-defined systems are characterized by properties such as being agile, programmable, manageable, configurable, interoperable, adaptable and protectable…assume a large network of hardware and software elements that have Internet-based communication framework…" (Thames & Schaefer, 2016). There is an isolation between hardware and software: the data plane is separated from the control plane. Hosts, networks and storage reside in the lower data plane, and the management of the data plane resides in the upper-level control plane (Thames & Schaefer, 2016). "Now we have the foundations to create the agile Industry 4.0 application, which is community-driven by Social Product Development (SPD)" (p. 14). This fast-paced SoS, "provisioned and released with minimal management effort" as stated by (NIST, 2020), is both a blessing and a curse for the cybercrime investigator. It includes an agile process and an adaptable software-defined platform, versioned and handled by code, that communities can develop and deploy with different goals.

[14] A system of data includes backup systems and distributed filesystems.
2.3 Metadata and provenance

Metadata enables unique tagging by URI[15] of all CSP assets, including metadata about data origin and complete history. (Haque, 2018) defines that "Provenance refers to the [metadata] record describing the origin and other historical information about a piece of data." (p. 47). (Miller, 1998) explains that "[Resource Definition Framework] RDF defines a resource as an object that is uniquely identifiable by a Uniform Resource Identifier (URI)…" (p. 16). The RDF system's standardized record format of metadata can be used in evidence acquisition by the cybercrime investigator. This standard can uniquely mark all assets in all physical or logical datacenter architectural layers, regardless of the CSP service model used, e.g. SaaS. The RDF system will be accessible through a query language used in investigations or other external audits (Haque, 2018). The need for standardized metadata is one of the core requirements for tagging a unique digital asset in the CSP. With that, everything within the data center or region can be uniquely logged and traceable. The cybercrime investigator must have this metadata, which shows how records were produced in a timeline of events. Metadata should be added in all sorts of processes, also in the temporal[16] handling of data, which is one of the more challenging data-handling areas. An example implementation using metadata is Google Structured[17] Data.

2.4 Cloud Forensics

Cloud forensics is about recovering and securing digital evidence from datacenters and devices connected as subscribers[18] to services within CSPs. (Ruan, Carthy, Kechadi, & Crosbie, 2011) defines "Cloud forensics is a cross-discipline of cloud computing and digital forensics." (p. 36). (NIST, 2020) explains the forensic system as "Cloud computing forensic science is the application of scientific principles, technological practices and derived and proven methods to reconstruct past cloud computing events [emphasis added] through the identification, acquisition, preservation, examination, interpretation and reporting of potential digital evidence." (p. 3).

[15] A URI is a string of characters that unambiguously identifies a particular resource.
[16] Temporal data represents a state in time of a dataset. Records in a database are never deleted.
[17] https://developers.google.com/search/docs/guides/sd-policies
[18] A subscriber has entered an agreement with the CSP, e.g. a Service Level Agreement (SLA).
(NIST, 2020) continues, "Technically, it consists of a hybrid forensic approach (e.g., remote, virtual, network, live, large-scale, thin-client, thick-client, including endpoint devices used to access cloud services) to the discovery of digital evidence. Organizationally, it involves interactions among cloud Actors (i.e., Provider, Consumer, Broker, Carrier, Auditor) to facilitate internal and external investigations. Legally, it often implies multi-jurisdictional[19] and multitenant[20] situations." (p. 3)

Here we see the challenge between cross-border sovereign societies: laws must protect an individual's human right to privacy in all carriers of data, while cybercrime investigations require teams to have fast, direct access to the suspected cloud subscriber's information. There is a need for AUTOMLA.

The forensic cloud process:
• Evidence integrity by hashing artifacts
• Live acquisition: data-in-transit and data-in-execution
• Timestamped evidence
• Storage: data-at-rest

Maintaining data integrity for data-in-transit and data-in-execution is challenging compared to data-at-rest. There will also be differences in logging formats, e.g. some logs are binary and others text.

(Svantesson & Zwieten, 2016) defines several constraints that must be considered when seeking access to evidence via direct contact with cloud providers. "… (1) the Country of the investigating LEA, (2) the state of incorporation of the cloud provider, (3) the existence of subsidiaries in the land of the investigating LEA, (4) the nationality (or habitual Residence) of the person to whom the data relates (to the extent ascertainable), (5) how access is sought (i.e. voluntarily or through the legal process) and (6) the location of the data (to the extent ascertainable), (7) the nationality of the suspect(s), (8) the nationality of the victim(s), (9) the location(s) of the suspect(s) at the time of the crime, (10) the location(s) of the victim(s) at the time of the crime, (11) the habitual residence of the suspect(s), (12) the habitual residence of the victim(s) and (13) the availability of alternative means of gaining access to the data, such as via MLA or through direct access by the investigating LEA. Furthermore, in some situations we also need to consider (14) the habitual residence of the witness(es) as well as (15) the location of the witness(es) whose data is sought." (pp. 674-675)

• The constraints can be used as rules in the system engineering of AUTOMLA
• There are many moving parts within the cross-border process and access to evidence in the Cloud

[19] Multi-jurisdictional is the cross-border transaction between different legal systems.
[20] Multi-tenant is when one or many software applications operate in a shared environment.
2.5 System-of-systems (SoS)

A system-of-systems (SoS) is composed of connected constituent systems. The SoS serves a higher goal than the individual system. Autonomous systems have independent management and system ownership. A well-designed constituent element can join or leave an SoS without breaking changes. The system can be technical or organizational (Boardman & Sauser, 2006). (Boardman & Sauser, 2006) further defines: "… an SoS is much more because its parts, acting as autonomous systems, forming their own connections and rejoicing in their diversity, lead to enhanced emergence…" (p. 121)

Typical applications of SoS and collaboration (Maier, 1998) are network-centric warfare, global online companies like Airbnb, or the Fusion center discussed in this paper. Those examples have constituent systems collaborating in an SoS, which serves a higher purpose and common goal.

2.6 Incident Command System

Incident Command System is defined as "ICS specifies an organizational structure for incident management that integrates and coordinates a combination of procedures, personnel, equipment, facilities and communications" (FEMA, 2020, pp. 10-14). FEMA further suggests an organization with an Incident Commander as overall responsible for the incident, supported by the departments Operations, Planning, Logistics and Finance. Operations directs all resources, Planning develops action plans, Logistics provides resources and Finance monitors costs.

2.6.1 Fusion center

The Fusion center is an ICS and a governmental multi-stakeholder SoS with strategic, tactical and operational capabilities. Its powers are enabled by information sharing between governmental agencies within e-government (Sangki, 2018). Law enforcement can be one of those agencies as an element of the country-wide Fusion-center SoS. (Department of Homeland Security, 2020) defines "Fusion Centers are state-owned and operated centers that serve as focal points in states and major urban areas for the receipt, analysis, gathering and sharing of threat-related information between State, Local, Tribal and Territorial (SLTT), federal and private sector partners."

The US has a network of fusion centers; New Zealand has one. New Zealand is also part of the intelligence alliance Five Eyes[21] and the surveillance program ECHELON[22]. It is a treaty for cooperation in signals intelligence and operations between Australia, United Kingdom, Canada, United States and New Zealand. (New Zealand Customs, 2020) describes, "Within [Fusion] centers like ITOC, staff from several agencies are located together for quick, easy cooperation between agencies for joint purposes. Staff can access their own agency's information systems and share information in accordance with the existing law to coordinate multi-agency operations." (p. 36)

A Fusion center must have security systems that restrict data access, log all activities and audit center activities. Creating user roles with correct credentials can be tricky if one person has several organizational hats. In a scenario where one key person gets sick, the credentials need to be transferred from one person to another in a controlled manner, with regulated processes and traceable routines. A center must have interfaces for governmental audits.

2.7 Enterprise Architecture Modeling Language

Architecture is defined in standard ISO-42010: "…⟨system⟩ fundamental concepts or properties of a system in its environment embodied in its elements, relationships and in the principles of its design and evolution". (Lankhorst, 2017) explains that stakeholders related to an architecture have interests and concerns about the impact of the architecture. An architect needs to:
• be aware of concerns and discuss them with stakeholders
• explain the architecture to all kinds of stakeholders (Lankhorst, 2017)

I have used the ArchiMate® Enterprise Architecture Modeling Language as a standardized description. (The Open Group, 2021) states: "The ArchiMate® Specification, a standard of The Open Group, is an open and independent modeling language for Enterprise Architecture that is supported by different tool vendors and consulting firms. The ArchiMate Specification provides instruments to enable Enterprise Architects to describe, analyze and visualize the relationships among business domains in an unambiguous way."

A standardized language enables interoperability. The purpose of modeling is to communicate ideas; it is tough to reach a perfect and valid model. This also aligns with an agile approach, "just enough, just in time" (Hosiaisluoma, 2021). His cookbook guides how to model "who, why, what, where and how" from abstract motivating ideas to technical viewpoints and products. The holistic enterprise approach described in his book is built on the concept of "everything as a service".

[21] https://en.wikipedia.org/wiki/Five_Eyes
[22] https://en.wikipedia.org/wiki/ECHELON
2.8 Ontology overview

Interpol defines ontology in their review paper about digital evidence as "Ontologies refer to a shared understanding of a domain of interest and use as a unifying framework in solving problems." (Reedy, 2020). Ontology enables information sharing and reuse, so system developers only have to create the specialized knowledge and reasoners that solve specific tasks. This also makes building complex systems cheaper (Neches, et al., 1991). Standardized terminology is needed in Enterprise modeling for global interoperability. A vocabulary for Digital Forensics can be developed (Karie & Kebande, 2016). The meaning and semantics of a specific domain like Digital Forensics can be expressed in semantic networks. Semantic networks enable interoperable reasoning in a logic-based representation (Nichols, 2019).
3 AUTOMLA

AUTOMLA is an SoS that interacts with sovereign Fusion centers through a gateway. Access rules are harmonized from agreed-upon international treaties. ICS capabilities can differ, but they must follow the AUTOMLA API standard contract, the proposed emergent property. As shown in Figure 5, a sample country like China can add strong powers like an integrated Fusion AI that coordinates incident response events. China's legal system enables easier AI[23] development and deployment (Roberts, et al., 2020). A small country like Sweden, by contrast, is not suggested to have a Fusion AI because of the stronger privacy regulations within the EU (STOA - European Parliament, 2020).

Figure 5 – Example environment China with AUTOMLA and Fusion AI

[23] Suggested read on AI: "Artificial Intelligence: A Modern Approach" (Russell & Norvig, 2009)
Definitions for Figure 5

System: Description

AUTOMLA: The internationally agreed system with a federated API for automated cross-border mutual legal assistance procedures. AUTOMLA request attributes: residence of the suspect(s), residence of the victim(s), country of investigating LEA, country of AUTOMLA cloud provider, location of the crime, residence and location of witness(es), information classification, location of data, type of MLA sought.

Gateway: A gateway acts as an information router in AUTOMLA between governmental systems within and between countries.

Fusion AI: AI can automatically coordinate and target government goals through pattern recognition, classification and audit. AI can assist multi-stakeholder Fusion teams[24] on a strategic, tactical and operational level. AI processes the information accessed and managed by Fusion centers, e.g. databases, surveillance {video, images, mobile logs, system logs}, etc.

Governmental systems: Ministry of Justice or Business, Police, Serious Fraud Office (SFO), National Cyber Security Center, etc.

Public: Voluntary private organizations that monitor privacy issues, e.g. NetSafe cyberbullying. Citizens and corporations are not an element of the governmental Fusion center. They can be monitored, e.g. by customs, but are not the primary target.

Criminal: The Fusion center targets criminal activities; the criminal is not an element of the governmental Fusion center SoS.

Table 3 - Definitions environment AUTOMLA

[24] Suggested read about strategic, tactical and operational: What Is Threat Intelligence? (Recorded Future, 2020)
Sample investigation scenario

Step: Description

Case Start: Cybercrime event occurred.

Discovery of facts: Information seeking.

Preliminary report: A preliminary report finds that data is in the Cloud; a warrant is needed to enter CSP resources. The investigator seeks permission for AUTOMLA.

Request for AUTOMLA: Permission granted and the investigator enters the given ID, the victim's and suspect's residence, location[25] of the crime, home and crime location of witnesses, information class, type of warrant sought, Cloud provider and case description. The investigator sends a request for an investigation cloud service provider (RFICSP[26]).

Gateway: AUTOMLA connects through a gateway to the other country's Fusion center.

Fusion center grants or revokes request: The Fusion center in the transborder country grants or revokes requests for RFICSP. The handling of the request depends on the level of classified information and the type of crime. Some requests are fully automated.

Fusion center grants RFICSP: The Fusion center grants permission for RFICSP. Investigators can now start the Digital Forensic Process (Årnes, 2018).

Investigator writes the final report and the case is finished: Investigators have found crucial evidence and documented a timelined chain of custody. The verdict can be made by the court (west) or judge (east). The case is closed: documents, evidence artifacts, etc. are archived automatically. A request to close the investigation is sent from a court of law to the local Fusion center. All involved Fusion centers revoke granted permissions.

Case End: Information about the case is released to Fusion AI.

Table 4 - Sample investigation scenario

[25] The problem of "where" is a complex issue in cyberspace (Yar & Steinmetz, 2019)
[26] This is structured data used in AUTOMLA
3.1 Architecture

The architecture of AUTOMLA visualizes Who, Why, What and Where:
• Who: Stakeholders
• Why: Driver, Goal
• What: Requirement, Capabilities, Business Service, Application Service, Resources
• Where: Location, Deployment

Sections in the suggested architecture are visualized as components in Figure 6:
• Motivation[27]
• Collaboration
  o Service Level Agreement
• Business functions and entities
• Semantic network
• Technical viewpoint
• Security

Figure 6 – Components of AUTOMLA

[27] Motivation is a driver, not a component
3.2 Motivation AUTOMLA

The overall stakeholder of mutual legal assistance is the government, and the highly motivated actor is homeland security. As shown in Figure 7, Homeland security has a mission in securing threats, or the immediate push-back of those hazards (Department Homeland Security, 2021). An Incident Command Center's responsible role is the Incident Response Commander, who is in charge of Planning, Operations, Finance and Jurisdiction. The fusion center needs critical capabilities: being situation-aware, investigations using digital forensics, and mutual legal assistance from cooperating countries. There is a cost associated with incidents, investigations and operations. The finance department is vital to follow up on economic impact and budgets. All sorts of priorities are affected by economics. The Jurisdiction department has all expertise regarding legal agreements with foreign fusion centers.

The main driver for AUTOMLA is willingness to cooperate. Suggested measures for a country's willingness are participation in the Budapest Convention on Cybercrime, Interpol, overall government spending, and cyber risk (NordVPN, 2020). It is not likely that a country with a small budget spends all its money on units for cybercrime. Spending on cybercrime is probably a hidden cost. If you cannot reach agreements, there is no cooperation, and without the willingness to cooperate, there is no incentive for mutual legal agreements. The AUTOMLA API has rich interaction between AUTOMLA service providers and service consumers at a high level of willingness. At the lowest degree of willingness, there is no API interaction or contract at all. Where is the highest risk, in a system with low or with high interaction? There is a need for standardization and certification to mitigate that risk.

The value of AUTOMLA is trust in cybercrime cooperation where data is of high quality, with stored errands as a system of record (Inmon, Linstedt, & Levins, 2019). The system must have a high degree of confidentiality, integrity and availability as an interlinked service resource. To lower the overall cost of operations, the degree of automation needs to be high. The system elements should be independently integrated, so agile development teams can evolve the system in increments and not as a monolith with risky "big bang" deployments (Erder & Pureur, 2015).
Figure 7 – Motivation AUTOMLA

Fundamental constraints AUTOMLA (Svantesson & Zwieten, 2016)
• Fusion centers have to comply with appropriate legal processes, resulting in an obligation to comply with or endure legitimate law enforcement measures.
• Fusion centers have to respect the human rights (such as privacy) of their customers, including the protection of personal data.
• Different rules are needed for different types of data, as the degree of data privacy sensitivity varies.
• A distinction between access to stored (historical) data and live data is necessary.
• Digital evidence stored on foreign servers is frequently relevant even for purely domestic crimes.
• Fusion centers must be transparent about how many requests for access they get, from where those requests originate, what those requests relate to, how many requests result in access being granted, etc.
• Fusion centers need to be transparent in their terms of use regarding how they interact with LEAs, including how they treat the information they receive as part of data requests.
• Fusion centers need to be transparent in informing the affected user where data is communicated to LEAs, unless there are strong reasons not to notify the user.
• The urgency of data access will vary from case to case.
• Individuals have a general interest in crimes being detected, investigated and prevented, and in criminal justice being served.
• Victims of crime have a particular interest in crimes being detected, investigated and prevented, and in criminal justice being served.
• States have to be good world citizens and help legitimate law enforcement actions in other countries.
• States have to act against criminal activities within their jurisdiction to prevent those illegal activities from affecting other States or their citizens.
• In the context of cloud computing, data is frequently distributed over more than one server, either as duplicates or simply because it is broken into small parts.
• Appropriate procedural safeguards ensuring the legitimacy of data requests must be established.

Non-fundamental constraints (Svantesson & Zwieten, 2016)
• Budapest convention
• Consensus between similar legal systems
• Separation from intelligence services
• Limits on the type of crime, to limit the number of requests and address privacy concerns
• Cost of handing over information
• How information is handed over, evidence in court
3.3 Collaboration AUTOMLA

The federated network of collaborating countries consists of nodes that are managed and operated independently. An alternative to a collaborative SoS is a directed and centrally managed global network (Maier, 1998). All interoperating systems that take part in AUTOMLA need to be prepared by agreements, technical API and gateway before they are ready as an active part of the SoS. There are also preparation procedures when a country leaves as an active part of the SoS. Country-to-country agreements and willingness regulate cooperation between sovereign nodes. Technical contracts are exposed as an API through a gateway. There is an API owned by each party (country) behind the gateway, with supporting automated business functions for mutual legal agreements. The diagram in Figure 8 is an example of three collaborating countries forming part of an SoS that can expand into a giant universe with additional collaborating nodes.

Figure 8 - SoS Collaboration for managerial and sovereign operational independence

The value of collaboration increases as incident response nodes are added to the universal AUTOMLA network, according to Metcalfe's law[28]. This is also a strong incentive to be an active part of the SoS.

[28] https://en.wikipedia.org/wiki/Metcalfe%27s_law
Fusion centers within a country are connected to government functions using the same open-sourced technology and gateway connections as in the global network. Links within a country are not exposed globally. The cross-country agreements are only revealed through the federated AUTOMLA gateway API, as the diagram in Figure 9 suggests.

Figure 9 – Example SoS Fusion center for Incident Response and Collaboration

Metcalfe's law and the added value for each node can also be applied within a country's collaborating services.

3.4 Service Level Agreement

Service Level Agreements (SLA) and sanctions are the glue that stops a party in AUTOMLA from being opportunistic and only collaborating when it serves its selfish interests. Suggested overview for an SLA by (Verma, 2004):
• Definition of parties
• Descriptions of service
• Obligations in performance
• Procedure for reporting problems (incident response)
• The time frame for problem resolution
• Consequences for the service provider not meeting its obligations
• Escape clauses
3.5 Business functions AUTOMLA

As shown in Figure 10, the main business functions that handle AUTOMLA are Request, Review, Update, Recall and Query.

1. The request for cross-border MLA suggests standardized information (RFICSP):
• incident details
• contact details
• country of investigating LEA
• cloud provider
• subscriber account to whom data relates
• nationality of subscriber
• source and destination IP- and MAC-address
• location of data
• nationality of suspects
• nationality of victims
• location of the suspect at the time of the crime
• location of the victim at the time of the crime
• residence of suspect
• residence of victim
• alternate means of gaining access to data
• home of the witness
2. Review of the MLA
• Impact of the case
• Estimated cost of investigation
• Set case status: approve, decline, or decline - request for information
  i. If approved, then alter the authentication status in the AUTOMLA API Contract to "investigate"
  ii. If "decline", then archive the request
  iii. If "request for information", important information is missing in the errand
3. Update MLA request, e.g. with missing information
4. Recall MLA request aborts and archives the errand
5. Query MLA request returns information for the errand
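The five business functions above as an added example that is not part of the thesis: one errand moves through Request, Review (approve, decline or request for information), Update, Recall and Query, with every step logged for audit. The RFICSP field names are taken from the list in this section; the status names, the audit log structure and the rule that an errand is only updatable while information is outstanding are assumptions of the example.

```javascript
// Added example, not code from the thesis: a minimal model of the five AUTOMLA
// business functions (Request, Review, Update, Recall, Query) acting on one MLA
// errand. Field names follow section 3.5; status names, the audit log and the
// "update only while information is requested" rule are this example's assumptions.
const RFICSP_FIELDS = [
  "incidentDetails", "contactDetails", "countryOfInvestigatingLEA", "cloudProvider",
  "subscriberAccount", "nationalityOfSubscriber", "sourceAndDestinationAddresses",
  "locationOfData", "nationalityOfSuspects", "nationalityOfVictims",
  "locationOfSuspectAtCrime", "locationOfVictimAtCrime", "residenceOfSuspect",
  "residenceOfVictim", "alternateMeansOfAccess", "homeOfWitness",
];
// Fields an errand still lacks; a non-empty list drives "request for information".
function missingFields(rficsp) {
  return RFICSP_FIELDS.filter((f) => rficsp[f] === undefined || rficsp[f] === "");
}

class AutomlaErrands {
  // errands by id; every business function is appended to the audit log
  constructor() { this.errands = new Map(); this.audit = []; this.nextId = 1; }
  get(id) {
    const e = this.errands.get(id);
    if (!e || e.archived) throw new Error(`errand ${id} unknown or archived`);
    return e;
  }
  // 1. Request: the investigating LEA submits an RFICSP record.
  request(rficsp, investigator) {
    const id = `MLA-${this.nextId++}`;
    this.errands.set(id, { id, rficsp: { ...rficsp }, status: "submitted",
      contractAuth: "none", archived: false });
    this.audit.push({ id, action: "request", who: investigator });
    return id;
  }
  // 2. Review: the Fusion center records impact and cost estimate and decides.
  // Approval needs a complete errand and switches the API contract to "investigate".
  review(id, reviewer, decision, assessment) {
    const e = this.get(id);
    if (e.status !== "submitted") throw new Error(`errand ${id} is not awaiting review`);
    const missing = missingFields(e.rficsp);
    if (decision === "approve") {
      if (missing.length) throw new Error(`cannot approve ${id}, missing: ${missing.join(", ")}`);
      Object.assign(e, { status: "investigating", contractAuth: "investigate" });
    } else if (decision === "decline") {
      Object.assign(e, { status: "declined", archived: true });
    } else if (decision === "request for information") {
      Object.assign(e, { status: decision, missing });
    } else throw new Error(`unknown decision ${decision}`);
    this.audit.push({ id, action: "review", who: reviewer, decision, assessment, missing });
    return e.status;
  }
  // 3. Update: supply the missing information; the errand goes back to review.
  update(id, investigator, patch) {
    const e = this.get(id);
    if (e.status !== "request for information") throw new Error(`errand ${id} not open for update`);
    Object.assign(e.rficsp, patch);
    Object.assign(e, { status: "submitted", missing: [] });
    this.audit.push({ id, action: "update", who: investigator, fields: Object.keys(patch) });
    return missingFields(e.rficsp);
  }
  // 4. Recall: abort the errand, revoke the API authorization and archive it.
  recall(id, who) {
    const e = this.get(id);
    Object.assign(e, { status: "recalled", contractAuth: "none", archived: true });
    this.audit.push({ id, action: "recall", who });
    return e.status;
  }
  // 5. Query: a read-only copy of the errand, archived ones included.
  query(id) {
    if (!this.errands.has(id)) throw new Error(`unknown errand ${id}`);
    return JSON.parse(JSON.stringify(this.errands.get(id)));
  }
}
// Constructed sample request with every field present (a few realistic values).
function sampleRficsp() {
  const r = Object.fromEntries(RFICSP_FIELDS.map((f) => [f, `constructed-${f}`]));
  return { ...r, countryOfInvestigatingLEA: "SE", cloudProvider: "example-csp", locationOfData: "NZ" };
}
```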