I Replay, Therefore I Am
Event-driven software architectures (enabled by serverless code services like Amazon’s Lambda) pose an interesting question for forensic IT. Does data generated by replaying events constitute evidence of the last time the events were played? Philosophically, the answer seems to run into the induction problem. If all I’ve seen is white swans, does that mean that only white swans exist? There are, of course, currently unknown, unknowable and uncertain elements to the world we are experiencing and observing. The same could be said of IT infrastructure.
Interestingly, an affirmative answer to the forensic IT question offers a potential answer to cause and effect being more than custom. Hume posits there is no rationale other than custom to infer a causal relationship between two phenomena observed sequentially, such as one billiard ball hitting another and causing it to move. Establishing fact, in this case scientific fact, stems from an underlying assumption that consistently observed phenomena can be peeled back into smaller sets of events (“laws of nature”) which operate on a stable, unchanging infrastructure. The data which comes into existence from replaying the events constitutes actual evidence. It can be considered fact.
However, uncertainty exists. The infrastructure, as it were, is not unchanging. We can, of course, make reasonable assumptions about the sources of uncertainty/instability in a controlled IT environment. And plugging those holes is likely the foundation for a solid argument for the evidentiary value of data derived from replaying events. But quantum mechanics and, importantly, the ever-changing, highly disruptible landscape of business and battlespaces demonstrate the existence of uncertainty in many facets of our lives.
The idea of event-driven architecture and the challenge it poses to forensic IT provides an opportunity to probe uncertainty and leverage it. Recognizing that replaying the same events may not always yield the same facts is a valuable skill for leveraging uncertainty. Further, there is value in understanding that new events, or combinations of events, played on the same ‘infrastructure’ can yield the same results as previous events replayed, such as higher market share or strategic dominance of a battlespace. This is because there are as yet unknown or even unknowable elements to the infrastructure. It can pay to test the infrastructure and probe for the unknown.
[Incidentally, Netflix’s Simian Army does just that in a completely non-philosophical way. It tests the infrastructure. It would be interesting and potentially valuable to study how specific designs of Netflix’s infrastructure, and designs of the Simian Army agents, interact to produce/uncover previous unknowns.]