Cloud Forensics – The Concept

The concept of cloud forensics is easier to explain than to implement. In a traditional setup, all of the data would have to be backed up onto physical media such as DVDs or portable HDDs for use by the people carrying out the forensics. A traditional setup may also have to be taken out of service so that records are not changed while the forensic work is being completed.

For cloud forensics, one can easily replicate the entire environment on backup servers, since clouds are on-demand services. Investigators can use these backup servers to reconstruct the crime and carry out the investigation while normal business continues on the main servers. Some additional expense may be incurred, but that is better than the cost of backing up all the data onto physical media or stopping activities altogether.

Another benefit of using clouds is that forensics personnel have access to a larger amount of data for proper investigations. Cloud computing and cloud storage always involve the creation of logs by both the consumer and the cloud service provider. Thus, cloud forensics offer more data to the investigators who make better use of their skills to determine a crime.

However, cloud forensics are not as easy as they seem; the reason being the ignorance of cloud providers or their attitude toward forensics. Different cloud providers use different approaches and cannot easily identify the information that needs to be provided to the people involved in forensics. They may or may not offer all the required data to the investigators. The following section sheds more light on cloud forensics.

Cloud Forensics – Factors Involved

According to a whitepaper presented by RiskPro, cloud forensics becomes a delicate issue as there are several questions involved, other than the jurisdiction and its acceptance of different material as evidence. Some of the very basic factors are:

  • Data has to be collected without losing its integrity;
  • Preserving the data in custody is critical to its acceptance by different jurisdictions across the world;
  • The conclusions that are derived should be in a reproducible manner. The jurisdictions/courts may want the cloud forensics' team to reproduce the conclusions using different methods.

According to RiskPro, "if we take these factors to a cloud context, many questions immediately come to mind." Some of them are mentioned below:

  • How to identify and procure the data required?
  • What kind of data is logged by the cloud service provider and what is the duration for which they keep it?
  • How to access the data required?
  • Will the cloud provider be involved in interpretation of data or will the investigators have to do it in a self-serve manner?
  • What data would be accepted in courts and what would be a waste of time?

As each cloud provider has their own unique approach for cloud offerings, they tend to create different types of logs that may or may not suit the above factors and questions. Additionally, several cloud operators would not want to get involved, thereby leaving everything to the investigators and the clients. This may make the task very difficult.

Thus, for cloud forensics, the investigators will have to check with the service provider to see the kind of logs they create and keep. They also need to check the availability of these logs for forensic purposes. The cloud provider needs to cooperate fully for a proper cloud forensics analysis.

To deal with such circumstances, Microsoft asks for uniformity across different cloud providers and urges different governments to adopt a uniform method so that cloud computing becomes easier. If this is achieved, cloud forensics will also become easier. For more on Microsoft's perspective on cloud computing, please read the excerpts of Microsoft's whitepaper on the Cloud.

The above discusses cloud forensics in a very brief manner. If you wish to contribute or have any questions, please feel free to use the comments section below.

