Cloud Foreniscs

Cloud computing technology has shown massive game-changing potential akin to the ones exhibited by other significant computing technologies such as mainframes, PCs, minicomputers, and even smartphones. It has the ability to radically alter the way information technology services are created, accessed, and manage.

Definitions of Cloud Forensics

Cloud forensics is the application of digital forensics in cloud computing as a subset of network forensics. Basically, it is a cross-discipline between cloud computing and digital forensics

The Three Dimensions of Cloud Forensics

  1. The Technical Dimension – the technical dimension involves a set of tools and procedures needed to carry out the forensic process in cloud computing environments. This includes forensic data collection, elastic/static/live forensics, evidence segregation, investigations in virtualized environments, and pro-active preparations.
  2. The Organizational Dimension – when it comes to forensic investigations in cloud computing environments, two parties are always involved: the cloud consumer and the CSP. When the CSP outsources services to other parties, there is a tendency for the scope of the investigation to widen. When establishing the capacity of an organization to investigate cloud anomalies, each cloud organization need to create a department, permanent or ad hoc that would be in charged of internal and external matters that fulfills the following roles: investigators, IT professionals, incident handlers, legal advisors, and external assistance.
  3. Chain of Dependencies – Cloud Service Providers and majority of cloud apps tend to have dependencies on other CSPs. These dependencies can be highly dynamic, which means investigation in such a situation will depend on the investigations of each link in the chain, as well as the level of complexity of the dependencies. Problems can arise from interruption or corruption in any of the numerous links in the chain or even due to lack of coordination between all the parties involved. Therefore, tight communication and collaboration between the parties involved must be enforced by organizational policies as well as legally binding SLAs.

The chain of Cloud Service Providers, Cloud Customers, with the chain of dependencies between them taken into account, has to collaborate and coordinate with the following parties in order to achieve effective and efficient forensic activities:

  • Law Enforcement – while cloud organizations need to prioritize the availability of service, law enforcement’s top priorities lie in the prosecution of criminals. Where the two different priorities clash is in situations such as evidence collection. These two organizations need to coordinate better in order to improve mutual understanding and resource confiscation.
  • Third Parties – when it comes to auditing and ensuring compliance regarding cloud forensics, cloud organizations need to work closely with third parties.
  • Academia – in Academia’s case, cloud organizations need to lend their help in order to receive up to date training for their internal forensic staff as well as to contribute to the knowledge of the area.

Cloud Crime

The definition of computer crime will be extended to cloud crime, which is basically any crime that involves cloud computing in the sense that cloud can be the subject, object, or tool related to the crimes.

The cloud is considered the object when the target of the crime is the cloud service provider and is directly affected by the act, such as with Distributed Denial of Service (DDOS) attacks that target sections of the cloud or the cloud itself as a whole.

The cloud can be considered the subject of the crime when the criminal act is committed within the cloud environment, such as cases of identity theft of Cloud users’ accounts.

The cloud is considered the tool when it is used to plan or conduct a crime, such as cases when evidence related to the crime is stored and shared in the cloud or a cloud is used to attack other clouds.

Usage of Cloud Forensics

Cloud Forensics has numerous uses, such as:

1. Investigation

  • On cloud crime and policy violations in multi-tenant and multi-jurisdictional environments
  • On suspect transactions, operations, and systems in the cloud for incident response
  • Event reconstructions in the cloud
  • On the acquisition and provision of admissible evidence to the court
  • On collaborating with law enforcement in resource confiscation.

2. Troubleshooting

  • Finding data and hosts physically and virtually in cloud environments
  • Determining the root cause for both trends and isolated incidents, as well as developing new strategies that will help prevent similar events from happening in the future
  • Tracing and monitoring an event, as well as assessing the current state of said event
  • Resolving functional and operational issues in cloud systems
  • Handling security incidents in the cloud

3. Log Monitoring

  • Collection, analysis, and correlation of log entries across multiple systems hosted in the cloud, including but not limited to: audit assists, due diligence, and regulatory compliance

4. Data and System Recovery

  • Recovery of data in the cloud, whether it’s been accidentally or intentionally modified or deleted
  • Decrypting encrypted data in the cloud if the encryption key is already lost
  • Recovery and repair of systems damaged accidentally or intentionally
  • Acquisition of data from cloud systems that are being redeployed, retired or in need of sanitation

5. Due Diligence/Regulatory Compliance

  • Assist organizations in exercising due diligence as well as in complying with requirements related to the protection of sensitive information, maintenance of certain records needed for audit, and notification of parties concerned when confidential information is exposed or compromised.

Challenges to Cloud Forensics

Currently, the establishing forensic capabilities for cloud organizations in the three dimensions defined earlier in this document will be difficult without hurdling several enormous challenges. For instance, the legal dimension currently has no agreements among cloud organizations when it comes to collaborative investigation, and majority of SLAs have no terms and conditions present when it comes to segregation of responsibilities between the cloud service provider and customer. Policies and Cyber laws from different regions must also do their part in order to resolve conflicts and issues arising from multi-jurisdiction investigations.

Challenges Facing Forensic Data Collection

In all situations that involve cloud service and deployment models, the cloud customer tends to encounter issues with decreased access to forensic data depending on the cloud model. For instance, IaaS users may enjoy straightforward and easy access to all data required for forensic investigation, but SaaS customers may won’t be able to access the pertinent data they need.

Lack of access to forensic data means that the cloud customer will be in the dark as to where their data is physically located, and will only be able to specify the location of their data at a higher level of abstraction, typically as a virtual object or container. This is because cloud service providers normally hide the actual physical location of the data in order to help data movement and replication.

Additionally, there is also a lack of definitive terms for use in the Service Level Agreements in order to encourage general forensic readiness in the cloud. Many providers intentionally avoid providing services or interfaces that will help customers gather forensic data in the cloud. For instance, SaaS providers will not provide IP logs or clients accessing content, while IaaS providers will not provide copies of recent Virtual Machine states and disk images. The cloud as it functions right now doesn’t provide end users with access to all the relevant log files and meta data, and limits their ability to audit the operations of the network used by their provider, not to mention conduct real time monitoring on their own networks.

At CFK we have expertise and knowledge to guide you through the whole process of acquiring forensic sound evidence from cloud sources.

Kindly talk to us through This email address is being protected from spambots. You need JavaScript enabled to view it. for an expert advice

"We deliver on promise"


CFK News Scroller

CFK associates is a pan African consulting firm with its headquarter in Nairobi Kenya. We are leaders in digital risks and investigations in the region. We have strong network of associates specializing in different areas of profession.

Our vision is to be the leader and set pace in digital forensics in Africa

Our mission is to provide our clients with world class experience through service provision.

Our slogan: "We deliver on promise"

What is Digital Forensics?

Digital forensics is the scientific process of capturing (imaging) and analyzing information stored in any electronic format, for the purpose of investigating allegations, to find the truth, with no predisposition as to the outcome. It is a highly technical discipline requiring a combination of unique skills relating to computer technology and software, formal investigative experience (law enforcement), proper evidence handling methods, and judgment. Computer forensics can be the key to:

  • Learning the truth
  • Taking appropriate action based on the facts
  • Winning the case.

At CFK we specialize in the listed services:

  • Digital Forensics (Computers and Mobile devices)
  • CyberSecurity Strategies and Management
  • Inappropriate Data Duplication
  • Private Investigation of Cellphone/Mobile Phone
  • Cyber Fraud and Money Laundering Investigation
  • Documents examination
  • Industrial Espionage
  • Online Brand Protection
  • Internal Corporate Investigation
  • Breach of Contract
  • Computer Break-ins
  • Digital Pornography
  • Inappropriate Internet Usage
  • Internet Abuse
  • Inappropriate Email Usage

Area of operation

We operate in the whole of Africa through our extensive network of associates who represents us in their respective countries