Digital Forensics: A Billion-Dollar Market in the Making
Not too long from now, detectives will build cases against criminals not by following them on foot or by car but by trailing them digitally. By mining location data from a suspect's smart car and extracting files from her cloud accounts and communications from her smartphones, law enforcement personnel will break many, many cases. Defense lawyers will have to become data experts as well, knowing how to dig into clients' smart devices to verify their alibis.
Dr. Ragib Hasan, researcher and director of the University of Alabama at Birmingham's Secure and Trustworthy computing lab, has dedicated the past five years to cloud forensics, computer security, data waste, and data provenance (the study of who, what, where, and when of digital files). Last year, the U.S. Department of Homeland Security awarded him more than half a million dollars to develop software and a mobile app for location provenance, which helps people securely record and then prove their physical location history on any given day. The app, which will launch this summer, can be used for alibis in a court of law for defendants to either prove or disprove they were at a certain place at a certain time.
Hasan spoke with Inc. about why digital forensics as an industry will expand in the near future, its challenges, opportunities, and promise.
Why is the digital forensics industry poised to be the next billion-dollar market?
The industry is going to expand dramatically over the next few years because we are entering a new age of computing shaped by the Internet of Things. In the coming years, everything will be smart, including our cars, thermostats, and refrigerators. But this means we will generate and leave a visible trail at every place we visit, on everything we touch, and with everything we do. Therefore, in the next few years, we will be in a position in which every activity, including any law enforcement investigation, will have a digital forensics component. If you want to track a suspect, you're not going to do it the old-fashioned way with DNA forensics. You will be doing digital forensics to see what the suspect was doing in the cloud, where the person's mobile device was located at what time and what he or she was doing, where the person's car had been. All these new applications of digital forensics will be pieces of evidence and will make the industry much bigger, more important, and more valuable in the next few years.
What are some main challenges in the field?
The cloud. In the past, if you had a suspect for terrorism or child pornography charges, you could just go in and grab the person's computers with a warrant, take an image of the disk, and then do all your forensics, and the court would accept it as evidence. But now, the cloud has changed this whole picture: Now, law enforcement can arrest a suspect, but on the person's laptop, phone, tablet, there's nothing. All the data and files are stored in the cloud. The cloud is like a black box; you don't get to see what's inside, and you aren't told where data is stored or who has acess to it. It's a new challenge for law enforcement.
Another challenge, with the proliferating amount of data being produced, is how to prevent leakage from your computers and smart devices. Even junk data or files you delete can reveal sensitive information and be recovered. Also, new challenges are going to arise every time a new smart device is released. We will have to figure out how to gather information from the Internet of Things with forensics.
How can digital forensics deal with the cloud?
Right now, there are no features in the cloud that provide proof that a particular user uploaded a particular file. The cloud is like a motel, where anyone can come in and pay for a room and stay there. A lot of bad guys are inside the cloud already; they can just pay and be close to tons of data, without violating a single law. The same disk is being used for thousands of people [and there are ways to manipulate user logs and plant a file in someone's storage].
But if law enforcement claims you do have this particular illegal file, how do you prove it's not yours? In my research, I have created a few solutions for cloud provenance [for which he earned a Career Award from the National Science Foundation]. We have an algorithm that can prove that you are the person who stored a particular file, say last month, but deleted it since then. I can prove that you have uploaded any file that you uploaded. We have also created solutions for secure log access. How do you securely provide law enforcement access to the logs they collect from the cloud? We created a way for law enforcement to collect logs about users and their activity in the cloud and at the same time maintain a secure chain of custody for the evidence.
Is the law keeping pace with digital forensics?
The law is behind the technology by a decade or more. Only in 2006, the government amended the rules of discovery so that both parties in civil lawsuits can access the other's email, text messages, and data if they are relevant to the case. The judge can give an order and all your records can be subpoenaed. But the law is still vague about how the information can be collected. The judge can pass an order to preserve digital records in their "original form," but it does not define what original form means. What do you preserve? The actual emails? The data from the phone companies?
In terms of the cloud, there are no laws specific to it. We need clear and specific laws that handle who is accountable for lost data in the cloud and make sure clients can access their data if they need to. If a company's servers are not located in the U.S., do we have jurisdiction? What kind of information can clients access about a company's storage details? How do we handle jurisdiction issues? All of these issues need specific laws.
What are other uses for digital forensics?
Location provenance has many applications. It can be used to verify your own location history, but it can also be used for national security and clearance in secured areas. An example for national security is when only certain trusted people and devices are allowed in secured areas, past military checkpoints, and inside certain wings of buildings. Systems will be created that will show you if someone or some device has gone through a checkpoint. This same technology can be used in the food and medicine industries to track supply chains. Maybe you are only willing to buy food or medicine that has come from trustworthy suppliers. How do you know something you're buying came through a well-known supply chain and not a counterfeit one? By the end of this summer, our set of logarithms will be ready to create trustworthy location proofs.