The Malta Digital Innovation Authority (MDIA) has recently published a guideline relating to the Forensic Node, an essential mechanism of an Innovative Technology Arrangement (ITA) which keeps track of the ITA’s behaviour. The main objective of this document is to specify the requirements necessary for this Forensic Node which is an intrinsic element of the certification process of ITAs by the MDIA.

The guidelines are a means of guiding ITA certification applicants as to what the minimal guarantees in their Forensic Node should be, as well as serving as a point of reference for Systems Auditors. For the latter, the document specifies the tools needed for an evaluation of the adequacy of the infrastructure proposed in an ITA’s blueprint.

Purpose of the Forensic Node

The Forensic Node stores all relevant information on the run time behaviour of the ITA in real-time including, but not limited to, transactions carried on the DLT components of the ITA. Parts of an ITA may include an Off-DLT Application Layer. Therefore, any relevant information or events relating, and accessible, to the ITA on this layer are also to be stored on the Forensic Node. Such information and events may include relevant interactions with the front-end, as well as information stored on an off-chain database core to the ongoing ITA functionality.

It is important to note that, due to the comprehensive and possibly sensitive nature of the information stored on the Forensic Node, there is no requirement for such an apparatus to be a DLT node or to reside on a DLT.

For an ITA certification applicant to achieve the purpose of the Forensic Node, such a mechanism must be an integral part of the infrastructure to ensure an audit trail of all relevant ITA and related events, as well as any related data. This should be carried out in a manner which ensures that:

  1. All relevant events and data are recorded faithfully in real-time on the Forensic Node, without the risk of omission or corruption;
  2. Information is written in a manner which guarantees access to the information stored in a tamper-proof and accurate manner. In turn, this is to be faithful to the originally recorded information and should go on to ensure that no data or information may be delegated or changed;
  3. Processes are in place to ensure timely access to this information by the Technical Administrator in a manner that can be demonstrated to be faithful to the original events, as well as any data recorded on the Forensic Node.

In cases where the creation and upkeep of a Forensic Node is not feasible in technical terms, technical reasons why this requirement cannot be met must be provided to the MDIA. The Applicant in turn must find an alternate technical arrangement that is deemed acceptable to the MDIA wherein all necessary ITA information is stored and synchronized in Malta in real-time and in a tamperproof manner.

Requirements of the Forensic Node

The functionality of ITAs, as a general fact, varies widely. Given that the sort of transactions and data handled, amongst other factors, vary from one ITA to another, the Forensic Node’s infrastructural requirements would also vary. However, the purpose of the Forensic Node is the same in every case.

With this in mind, the manner in which the ITA will satisfy the requirements and purposes of the Forensic Node will vary depending on the ITA functionality. Nonetheless, there are standard practical requirements which such a mechanism must meet under all circumstances:

  • the Forensic Node must be wholly based in Malta in a tier 3 or above data centre and must be accessible to the Technical Administrator of the ITA at all times;
  • documented procedures detailing how the Technical Administrator has access to the data sorted on the Forensic Node should be available. These should include access to the keys due to the possibility of encrypted data being stored on the Forensic Node, and the method in which access shall be granted by the Technical Administrator to the relevant authorities or law enforcement agencies upon request.

These guidelines are also particularly relevant in light of the recent consultation document issued by the MFSA which stated that the live replication server required of all VFA Service Providers must be setup in adherence to the MDIA’s Forensic Node Guidelines and that it will be within scope of the audits carried out by Systems Auditors as approved by the MDIA.