The advent of cloud computing has transformed the way electronic data is transmitted and stored. Everyone in IT has come across this statement in one form or another by now, and with reason: the cloud offers on-demand self-service, broad network access, shared (pooled) resources, rapid scaling and usage-based metering, and one of its major attractions is low-cost service delivered with high efficiency.
While for most users these 'super powers' of the cloud are valuable and make life easier, the same is not true for the actors involved in investigations: digital forensics examiners, cloud-security professionals, law-enforcement officers and cloud auditors.
In a traditional computer forensics investigation the investigators usually have complete control over the forensic artifacts, because the evidence is physically accessible and can be seized. Owing to the decentralized and distributed nature of cloud computing, however, an investigator faces several additional challenges when working in a cloud ecosystem. These challenges vary with many factors, one of which is the service model in use (IaaS, PaaS or SaaS).
Take the example of a forensic investigation in the IaaS service model (Cybercrime and Cloud Forensics: Applications for Investigation Processes). In theory, the virtual disk of every instance created in this model is a file that can be acquired as an image. Relying on image acquisition alone, however, may yield incomplete evidence once the elasticity of cloud computing is taken into account. If the user scales the instance to increase or decrease its disk space, deleted data may be left behind in blocks that the acquired image does not cover, or may persist on storage the instance no longer owns. If the disk holding the evidence is part of a pooled resource, its blocks may previously have been used by other tenants, so acquiring them risks exposing other customers' data and violating their privacy. And if the data is held in a public cloud service, it may be geographically dispersed, bringing multiple jurisdictions into the investigation. These are just some of the many issues faced by actors involved in cloud forensic investigations.
Despite the availability of artifacts such as logs and snapshots, and the capability of some existing tools to acquire evidence from the cloud remotely, one of the most difficult tasks facing digital forensic investigators is preserving the chain of custody and performing analysis with an integrity on which all stakeholders can rely.
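The chain-of-custody problem described in the two paragraphs above is usually handled in practice by hashing the acquired image at acquisition time and binding every later custody event to the previous one, so that neither the image nor the record of who handled it can be altered silently. The following is an added example illustrating that technique; it is not code from the original article or from the NIST report. It assumes a custodian-held HMAC key (a stand-in for whatever signing mechanism the examiner's organization uses) and operates on a constructed byte string standing in for an acquired instance disk image.

```python
"""Hash-anchored chain of custody for an acquired cloud disk image (added example)."""
import hashlib
import hmac
import json

# Constructed stand-in for an acquired instance volume; not a real disk image.
SAMPLE_IMAGE = b"\x00" * 512 + b"EVIDENCE: instance volume contents" + b"\xff" * 512

# Hypothetical custodian key; in practice this lives in an HSM or signing service.
CUSTODIAN_KEY = b"custodian-signing-key-example"

GENESIS_TAG = "0" * 64  # previous-tag value for the first record in a chain


def sha256_hex(data: bytes) -> str:
    """Digest of the acquired image; this is the value recorded at acquisition."""
    return hashlib.sha256(data).hexdigest()


def acquisition_event(image: bytes, actor: str, source: str, time: str) -> dict:
    """First custody event: who acquired what, from where, and the image digest."""
    return {"event": "acquire", "actor": actor, "source": source,
            "time": time, "image_sha256": sha256_hex(image)}


def append_event(chain: list, event: dict, key: bytes) -> list:
    """Append an event, binding it to its predecessor via HMAC(key, prev_tag || event)."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    body = json.dumps(event, sort_keys=True)  # canonical serialization
    tag = hmac.new(key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()
    chain.append({"event": event, "prev_tag": prev_tag, "tag": tag})
    return chain


def verify_chain(chain: list, key: bytes, image: bytes) -> bool:
    """Recompute every tag in order and check the image still matches the acquisition digest.

    Fails if any event was edited, reordered or removed, or if the image bytes changed.
    """
    if not chain or chain[0]["event"].get("event") != "acquire":
        return False
    prev_tag = GENESIS_TAG
    for rec in chain:
        body = json.dumps(rec["event"], sort_keys=True)
        expected = hmac.new(key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()
        if rec["prev_tag"] != prev_tag or not hmac.compare_digest(rec["tag"], expected):
            return False
        prev_tag = rec["tag"]
    return chain[0]["event"]["image_sha256"] == sha256_hex(image)


def build_sample_chain(image: bytes, key: bytes) -> list:
    """Acquisition followed by two handoffs; timestamps are constructed values."""
    chain: list = []
    append_event(chain, acquisition_event(image, "examiner-a",
                 "provider-snapshot/vol-example", "2014-08-01T10:00:00Z"), key)
    append_event(chain, {"event": "transfer", "actor": "examiner-a",
                         "to": "evidence-locker", "time": "2014-08-01T11:30:00Z"}, key)
    append_event(chain, {"event": "analyze", "actor": "examiner-b",
                         "time": "2014-08-02T09:15:00Z"}, key)
    return chain


def tamper_demo() -> dict:
    """Show which manipulations the chain detects. Returns verification outcomes."""
    chain = build_sample_chain(SAMPLE_IMAGE, CUSTODIAN_KEY)
    results = {"intact": verify_chain(chain, CUSTODIAN_KEY, SAMPLE_IMAGE)}

    # Rewriting who performed an event breaks that record's tag.
    edited = json.loads(json.dumps(chain))
    edited[1]["event"]["actor"] = "someone-else"
    results["edited_event"] = verify_chain(edited, CUSTODIAN_KEY, SAMPLE_IMAGE)

    # Dropping a middle record breaks the prev_tag linkage of its successor.
    dropped = [chain[0], chain[2]]
    results["dropped_event"] = verify_chain(dropped, CUSTODIAN_KEY, SAMPLE_IMAGE)

    # Any change to the image bytes no longer matches the acquisition digest.
    results["altered_image"] = verify_chain(chain, CUSTODIAN_KEY, SAMPLE_IMAGE + b"\x00")
    return results


if __name__ == "__main__":
    print(json.dumps(tamper_demo(), indent=2))
```

The design point is that the acquisition digest is bound into the first record and every later record is bound to the one before it, so a verifier holding the key can check both the evidence and its handling history from the chain alone. For a real engagement the key would be a signing key held outside the examiner's workstation, and the image would be hashed at the provider's side as well, so that the two digests can be compared independently.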
Working towards the solution
In an attempt to resolve these issues, which are essential to carrying out forensic activities in a cloud ecosystem and obtaining all artifacts lawfully, the NIST Cloud Computing Forensic Science Working Group (NCC FSWG) is working to identify emerging standards and technologies. The working group recently released a 51-page draft report that sets out the daunting challenges forensic examiners face in tracking down and using digital information stored in the cloud. The draft is open for public comment until 25 August, after which the final report will be published.
In this draft report, the National Institute of Standards and Technology (NIST) defines cloud computing forensic science as:
“.. application of scientific principles, technological practices and derived and proven methods to reconstruct past cloud computing events through identification, collection, preservation, examination, interpretation and reporting of digital evidence.”
The draft report examines 65 different challenges related to forensic investigations in the cloud. To express these challenges in a common format, a normalized sentence syntax is used. It contains four variables, enclosed in square brackets in the template below:
For an [actor/stakeholder], [action/operation] applicable to [object of this action] is challenging because [reason]
Each of the 65 challenges is correlated with one or more of the five essential characteristics of the cloud computing model (on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service) and is categorized into one of nine major groups: Architecture, Data Collection, Analysis, Anti-forensics, Incident First Responders, Role Management, Legal, Standards and Training. Within these groups the challenges are further organized into subcategories. In addition, every challenge falls under one of three classifications: timestamp synchronization, location of digital media, or sensitivity of the data. To support a more detailed understanding and analysis of the challenges identified, a mind map is also provided.
The draft report identifies a need for standards and technologies to address these challenges. This might include "development of protocols that adequately address the needs of the first responders and court systems while assuring the cloud providers no disruption or minimal disruption to their service(s)."
The challenges laid out in the draft report are only the initial steps towards standard procedures and frameworks for investigation in the cloud ecosystem, which the actors involved in cloud forensic investigations undoubtedly need at this stage. The working group intends to follow these initial steps with further analysis of the challenges, prioritizing them, selecting the highest-priority ones and determining the gaps in technology, standards and measurements that must be closed to address them, and finally developing a roadmap for closing those gaps.