Cloud computing technology has shown game-changing potential comparable to that of other significant computing technologies such as mainframes, minicomputers, PCs, and even smartphones. It has the ability to radically alter the way information technology services are created, accessed, and managed.

Definitions of Cloud Forensics

Cloud forensics is the application of digital forensics in cloud computing, as a subset of network forensics. Basically, it is a cross-discipline between cloud computing and digital forensics.

The Three Dimensions of Cloud Forensics

  1. The Technical Dimension – the technical dimension involves a set of tools and procedures needed to carry out the forensic process in cloud computing environments. This includes forensic data collection, elastic/static/live forensics, evidence segregation, investigations in virtualized environments, and pro-active preparations.
  2. The Organizational Dimension – when it comes to forensic investigations in cloud computing environments, two parties are always involved: the cloud consumer and the CSP. When the CSP outsources services to other parties, there is a tendency for the scope of the investigation to widen. When establishing the capacity of an organization to investigate cloud anomalies, each cloud organization needs to create a department, permanent or ad hoc, that would be in charge of internal and external matters and that fulfils the following roles: investigators, IT professionals, incident handlers, legal advisors, and external assistance.
  3. Chain of Dependencies – Cloud Service Providers and the majority of cloud apps tend to have dependencies on other CSPs. These dependencies can be highly dynamic, which means an investigation in such a situation will depend on the investigations of each link in the chain, as well as on the level of complexity of the dependencies. Problems can arise from interruption or corruption in any of the numerous links in the chain, or even from a lack of coordination between all the parties involved. Therefore, tight communication and collaboration between the parties involved must be enforced by organizational policies as well as legally binding SLAs.

The chain of Cloud Service Providers and Cloud Customers, with the dependencies between them taken into account, has to collaborate and coordinate with the following parties in order to achieve effective and efficient forensic activities:

Cloud Crime

The definition of computer crime will be extended to cloud crime, which is basically any crime that involves cloud computing in the sense that cloud can be the subject, object, or tool related to the crimes.

The cloud is considered the object when the target of the crime is the cloud service provider and it is directly affected by the act, such as with Distributed Denial of Service (DDoS) attacks that target sections of the cloud or the cloud as a whole.

The cloud can be considered the subject of the crime when the criminal act is committed within the cloud environment, such as cases of identity theft of Cloud users’ accounts.

The cloud is considered the tool when it is used to plan or conduct a crime, such as cases when evidence related to the crime is stored and shared in the cloud or a cloud is used to attack other clouds.

Usage of Cloud Forensics

Cloud Forensics has numerous uses, such as:

1. Investigation

2. Troubleshooting

3. Log Monitoring

4. Data and System Recovery

5. Due Diligence/Regulatory Compliance

Challenges to Cloud Forensics

Currently, establishing forensic capabilities for cloud organizations in the three dimensions defined earlier in this document will be difficult without overcoming several enormous challenges. For instance, the legal dimension currently has no agreements among cloud organizations when it comes to collaborative investigation, and the majority of SLAs have no terms and conditions covering the segregation of responsibilities between the cloud service provider and the customer. Policies and cyber laws from different regions must also do their part in order to resolve conflicts and issues arising from multi-jurisdiction investigations.

Challenges Facing Forensic Data Collection

In all situations that involve cloud service and deployment models, the cloud customer tends to encounter decreased access to forensic data, with the degree of access depending on the cloud model. For instance, IaaS users may enjoy straightforward and easy access to all data required for a forensic investigation, but SaaS customers may not be able to access the pertinent data they need.

Lack of access to forensic data means that the cloud customer will be in the dark as to where their data is physically located, and will only be able to specify the location of their data at a higher level of abstraction, typically as a virtual object or container. This is because cloud service providers normally hide the actual physical location of the data in order to facilitate data movement and replication.

Additionally, there is a lack of definitive terms for use in Service Level Agreements that would encourage general forensic readiness in the cloud. Many providers intentionally avoid providing services or interfaces that would help customers gather forensic data in the cloud. For instance, SaaS providers will not provide IP logs of clients accessing content, while IaaS providers will not provide copies of recent Virtual Machine states and disk images. The cloud as it functions right now doesn't provide end users with access to all the relevant log files and metadata, and limits their ability to audit the operations of the network used by their provider, not to mention to conduct real-time monitoring on their own networks.
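Two of the technical-dimension activities named above, evidence segregation and forensically sound data collection, can be illustrated with what a cloud customer can do when a provider does expose a shared audit log through an API: keep only the records that belong to the tenant under investigation, and record content hashes plus acquisition metadata so the copy can later be shown to be unaltered. The example below is added here and is not code from the original page or from CFK; the audit records, the tenant names, the field names (tenant_id, principal, action, src_ip) and the source label are all constructed and hypothetical, not any provider's real schema.

```python
"""Added example: tenant-scoped log acquisition with an integrity manifest.

Shows evidence segregation (keeping one tenant's records out of a shared,
multi-tenant log stream) and a forensically sound copy of what was collected
(SHA-256 per record and for the whole set, plus who/when/where-from metadata).
All records and names are constructed for this example; the field names are
hypothetical, not any cloud provider's real log schema.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: a shared audit log as a provider might expose it via an
# API. Only "tenant_id" matters for segregation; the rest is illustrative.
SAMPLE_AUDIT_LOG = [
    {"ts": "2024-03-01T10:00:01Z", "tenant_id": "acme", "principal": "alice",
     "action": "Login", "src_ip": "198.51.100.7"},
    {"ts": "2024-03-01T10:00:05Z", "tenant_id": "globex", "principal": "bob",
     "action": "Login", "src_ip": "203.0.113.9"},
    {"ts": "2024-03-01T10:02:11Z", "tenant_id": "acme", "principal": "alice",
     "action": "DownloadObject", "src_ip": "198.51.100.7"},
    {"ts": "2024-03-01T10:03:40Z", "tenant_id": "acme", "principal": "mallory",
     "action": "ChangePassword", "src_ip": "192.0.2.55"},
    {"ts": "2024-03-01T10:04:00Z", "tenant_id": "globex", "principal": "bob",
     "action": "Logout", "src_ip": "203.0.113.9"},
]


def segregate_tenant(records, tenant_id):
    """Evidence segregation: keep only the records belonging to one tenant.

    Content is left unchanged and in the original order so the copy can be
    compared against the provider's source later; dicts are copied so that
    later handling cannot alias back into the source list.
    """
    return [dict(r) for r in records if r.get("tenant_id") == tenant_id]


def canonical_line(record):
    """Serialise a record deterministically so its hash is reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def build_evidence_bundle(records, tenant_id, source, collected_by, now=None):
    """Return {"records": [...], "manifest": {...}} for one tenant.

    The manifest carries per-record hashes, a hash over the whole ordered
    set, and acquisition metadata. "source" is the abstract location the
    customer actually knows (e.g. a log API endpoint), since the physical
    location is normally hidden by the provider.
    """
    now = now or datetime.now(timezone.utc)
    selected = segregate_tenant(records, tenant_id)
    lines = [canonical_line(r) for r in selected]
    per_record = [hashlib.sha256(line.encode()).hexdigest() for line in lines]
    set_hash = hashlib.sha256("\n".join(lines).encode()).hexdigest()
    manifest = {
        "tenant_id": tenant_id,
        "source": source,
        "collected_by": collected_by,
        "collected_at": now.isoformat(),
        "record_count": len(selected),
        "record_hashes": per_record,
        "set_hash": set_hash,
    }
    return {"records": selected, "manifest": manifest}


def verify_bundle(bundle):
    """Re-hash the records and compare with the manifest.

    True only if the count, every per-record hash and the whole-set hash
    still match; any edit, insertion, deletion or reordering returns False.
    """
    lines = [canonical_line(r) for r in bundle["records"]]
    m = bundle["manifest"]
    if len(lines) != m["record_count"]:
        return False
    if [hashlib.sha256(line.encode()).hexdigest() for line in lines] != m["record_hashes"]:
        return False
    return hashlib.sha256("\n".join(lines).encode()).hexdigest() == m["set_hash"]


if __name__ == "__main__":
    bundle = build_evidence_bundle(SAMPLE_AUDIT_LOG, "acme",
                                   "audit-log-api (constructed)", "examiner-1")
    print(json.dumps(bundle["manifest"], indent=2))
    print("verified:", verify_bundle(bundle))
    # Alter one collected record to show that verification then fails.
    bundle["records"][0]["src_ip"] = "10.0.0.1"
    print("after alteration:", verify_bundle(bundle))
```

The manifest is the part worth keeping alongside the records: it ties the copy to a source, a collector and a time, and lets anyone re-run verify_bundle later without trusting the examiner's word that nothing changed. In practice the manifest itself would also be stored separately from the records (or signed), so that an alteration cannot be hidden by rewriting both.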

At CFK we have the expertise and knowledge to guide you through the whole process of acquiring forensically sound evidence from cloud sources.

Kindly talk to us by email for expert advice.

"We deliver on promise"