Title :
Inferring relevance and presence of evidence in service-oriented and SaaS architectures
Author :
Sameera Almulla;Youssef Iraqi;Stephen D. Wolthusen
Author_Institution :
Khalifa University of Science, Technology, and Research, Sharjah, United Arab Emirates
Date :
7/1/2015 12:00:00 AM
Abstract :
Gathering forensic evidence in distributed or cloud environments poses a number of legal, administrative, and technical challenges even at relatively coarse levels of granularity. For Software-as-a-Service (SaaS) and related Service-Oriented Architectures (SOA), however, the addition of loose binding, which lends such architectures their important flexibility and adaptability, renders even identifying possible loci of evidence problematic. Moreover, even where the existence of evidence is known, its relevance for a given hypothesis may vary. We describe an approach to identify the existence of potential evidence based on a causality model of control flow, and seek to prioritise relevance based on a probabilistic graph model. This allows not only the explicit formulation of hypotheses and derivation of criteria for locating and retrieving evidence to be evaluated by Bayesian belief networks (BBN), but also the minimisation of the otherwise highly problematic complexity of maximum a posteriori (MAP) hypotheses based on service orchestration and choreography semantics.
Keywords :
"Forensics","Semantics","Bayes methods","Conferences","Security","Service-oriented architecture"
Conference_Title :
Computers and Communication (ISCC), 2015 IEEE Symposium on
DOI :
10.1109/ISCC.2015.7405509