Cloud Computing Forensics (CLOUD FORENSICS) is a subset of Network Forensics.
Just like conventional computer forensics, it is the practice of identifying, preserving and collecting the original system or data so as to maintain its integrity, detecting and recovering any data or system connected to a crime, and analyzing the digital data so that it is legally admissible.
Even though its sole task is to solve cloud crimes, it includes all aspects of network forensics, since cloud computing is simply the use of hardware and software over the internet. Network forensics deals with both private and public networks, on which cloud computing is based.
So cloud forensics requires advanced technologies, frameworks and tools on top of the techniques used for computer forensics, adapted to the different cloud service and deployment models.
FORENSICS FOR DIFFERENT CLOUD SERVICES
IaaS – Infrastructure as a Service allows customers to rent IT infrastructure on which they can run several virtual machines or pieces of software.
PaaS – Platform as a Service provides an on-demand environment for developing, testing and managing software.
SaaS – Software as a Service provides customers with on-demand software applications over the internet, without them having to worry about the hardware or interaction with the underlying system.
In the case of IaaS, investigators can obtain virtual machines and logs that can be used for forensic tasks. In the case of PaaS and SaaS, however, customers have no control over the hardware, so they depend on the cloud service provider to obtain any information, logs or evidence for the forensic case.
THREE-DIMENSIONAL CLOUD FORENSICS
Cloud forensics addresses three different types of issues when investigating cloud services. Cloud service providers tend to store multiple copies of data at several different locations to provide redundancy for the benefit of their users, which brings different jurisdictions and constraints for the different data storage centers. Because of this, cloud forensics by default takes place in a multi-jurisdictional setting, and hence always needs the involvement of the cloud providers or even customers such as an organization.
TECHNICAL AND LEGAL DIMENSION
The technical dimension involves any technical challenges or obstructions that occur when dealing with cloud forensics. The main areas of difficulty are:
DATA COLLECTION
Collecting data over the internet brings different challenges because of the different types of networks involved, which lead to different types of cloud. In a public cloud, being a shared service, data is stored on the provider's servers, which may be present at more than one location, and the hardware may be shared with several other users; permission therefore has to be obtained from every affected client and from the provider, including the governing bodies, before forensic data can be collected. In a private cloud no multiple tenants are involved, and it is much easier, as most permissions belong to the private client and the rest belong to the provider. Data collected from these servers must be gathered in accordance with the jurisdiction of the area concerned while maintaining full confidentiality.
ELASTIC, STATIC AND LIVE FORENSICS
As cloud computing is highly elastic, resources and space can be added and removed at will, so investigation tools must be able to meet the requirements of different situations; being elastic is therefore a requirement for the tools themselves. Investigations usually require large-scale static and live forensics, such as e-discovery, data examination and analysis tools, and other tools to collect volatile data. As resources in the cloud are shared most of the time, it becomes necessary to use tools and techniques that can distinguish between the different deployment models. Virtualization is the mechanism cloud computing uses to distribute resources among its customers; the only way to do a full forensic investigation is to capture an image and data as for a normal physical machine, but because all memory belongs to the physical hardware on which the hypervisor is installed, it is hard for a VM image to provide complete information about memory.
THE ORGANIZATIONAL DIMENSION
While doing forensics it is important for an organization to provide a defined internal staffing structure and the involvement of any stakeholders.
Investigators are the people responsible for conducting investigations; they need to take the jurisdiction and other rules of every stakeholder, including customers, into consideration.
IT professionals are people working in IT, including any penetration testers, who may contribute to the investigation with their expertise; they are usually responsible for capturing data and maintaining its integrity.
Incident handlers are a group of IT people specifically responsible for handling any security-related issues such as breaches or attacks, data loss or leaks.
The handlers responsible for the incident in question are required to take part in the case.
Legal advisors are people who know all the rules and jurisdictions and help by collaborating with the forensic team to comply with regulations. Their job is to provide written statements of all regulations and procedures in case of a forensic investigation.
Internal advisors are responsible for any legal questions from external advisors.
External assistance is any external person, client or staff member who has information regarding the incident and is willing to help.
RESPONSIBILITY AND USE OF CLOUD FORENSICS
INVESTIGATION
Investigations must be done while following all the rules and restrictions.
Investigating a suspect does not allow breaching their confidentiality until they are proved guilty.
Everything changed or used must be restored to its previous state after the investigation is completed.
It must be done in collaboration with internal resources.
TROUBLESHOOTING
Searching for files or data should not affect other users.
Cloud forensics can be used to troubleshoot operational issues in cloud systems.
Handling any security incident scene.
Finding the root cause of an event.
LOG MONITORING
Collecting and analyzing logs from numerous places and systems.
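As an added example (not part of the original text), the following Python sketch shows the two things log monitoring across several storage locations requires: sealing each raw batch with a hash so later changes are detectable, and merging records stamped in different local time zones into one UTC timeline. The region names, log records and collector name are constructed for the example.

```python
"""Seal and correlate log batches collected from several cloud storage locations.

Assumptions (constructed for this example, not from the article): two regions,
JSON-lines records stamped in each region's local UTC offset, collector "analyst-1".
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample batches: one per storage location, raw lines as collected.
BATCHES = {
    "eu-west": [
        '{"ts": "2024-03-01T09:00:00+01:00", "vm": "web-1", "event": "login_failed"}',
        '{"ts": "2024-03-01T09:00:07+01:00", "vm": "web-1", "event": "login_ok"}',
    ],
    "us-east": [
        '{"ts": "2024-03-01T03:00:03-05:00", "vm": "db-1", "event": "snapshot_created"}',
    ],
}

def sha256_lines(lines):
    """Hash the raw lines exactly as collected so any later edit is detectable."""
    digest = hashlib.sha256()
    for line in lines:
        digest.update(line.encode("utf-8") + b"\n")
    return digest.hexdigest()

def build_manifest(batches, collector):
    """Chain-of-custody manifest: per location, the sealed hash, record count and collector."""
    return {
        region: {"sha256": sha256_lines(lines), "records": len(lines), "collector": collector}
        for region, lines in batches.items()
    }

def verify(batches, manifest):
    """Return the locations whose raw lines no longer match their sealed hash."""
    return [r for r, lines in batches.items() if sha256_lines(lines) != manifest[r]["sha256"]]

def timeline(batches):
    """Merge all locations into one UTC-ordered timeline, keeping the source region."""
    events = []
    for region, lines in batches.items():
        for line in lines:
            rec = json.loads(line)
            utc = datetime.fromisoformat(rec["ts"]).astimezone(timezone.utc)
            events.append({**rec, "ts_utc": utc.isoformat(), "region": region})
    return sorted(events, key=lambda e: e["ts_utc"])
```

Note that the hash is taken over the raw lines, not the normalized records, so the evidence can be re-verified against what was actually collected from each location.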
RECOVERY
Recovering any data that was not deliberately deleted.
Decrypting locked data.
Restoring any data that is misplaced or lost.
ISSUES SURROUNDING CLOUD FORENSICS
ARCHITECTURE
Different cloud providers may have different architectures.
Different modes and ways of transferring and storing data may be present.
Data may be compartmentalized when resources are provisioned.
Some architectures promise data segregation, which limits how far forensics can go.
COLLECTION
Inability to collect all the data.
Collecting and investigating the data of one cloud client while maintaining the integrity of others.
Recovering any deleted data, as the hardware is continuously in use.
Imaging volatile data: as soon as a resource is freed, it is used by someone else. Finding where the data is located.
ANALYSIS
Analyzing the data while maintaining the integrity of the metadata.
Collecting data specific to the suspect.
Reconstructing any volatile or non-volatile data.
RIGHTS AND PEOPLE
It is hard to find the exact owner of the data.
Non-availability of the necessary tools and rights.
Trust in, and integrity of, data provided by internal responders.
Finding the real identity of a person, as some people use fake identities.
RULES AND LAWS
Identifying and complying with jurisdictional laws.
Absence of forensic provisions in service level agreements.