Cloud Forensics

Saying that computer forensics investigations are necessary in the cloud – or maybe especially in the cloud – to assess risk correctly and arm yourself against attacks effectively might seem like stating the obvious. However, the scientific community has ignored the issue of forensics in cloud environments thus far. Interestingly, some authors pointed out as early as 2009 a lack of publications on the cloud security problem and on corresponding legal issues [1]. This paucity of information was confirmed by other publications [2] [3]. Despite this, the topic is still largely overlooked and a huge amount of work remains for scientists, especially in the field of incident handling in cloud environments [4].

At the same time, many companies are investing heavily in new cloud environments and then migrating services to the cloud. Although debate on security and data protection problems is increasing, the apparent advantages for users seem to take priority.

Problems in Cloud Forensics

One classic problem in forensics is the fact that the evidence is generally characterized by its fragility and volatility. When you are collecting new evidence in particular, you must be careful not to falsify or even destroy the evidence. This problem is not restricted to the digital world but applies equally to, say, forensic medicine. The advantage of collecting digital evidence has always been that the investigator can create a one-to-one copy of the data medium in many scenarios before starting to analyze the evidence. This approach is effective in preventing the destruction of potential evidence by the analysis process, but, in a cloud environment, is typically not so easy to do.

Depending on the service model (SaaS, PaaS, or IaaS [5]) and the extent to which the Cloud Service Provider (CSP) cooperates, users may be able to access potential sources of evidence that are absolutely necessary for an investigation. However, the volume of this evidence is typically very limited, which prevents a complete resolution of the facts of the case.

The context in which the evidence exists is another issue. External forensics investigators might not, at first glance, be able to see how the existing pieces of evidence from the various components of the cloud system correlate. This is also true of legacy IT systems, but the cloud, with its international and cross-national structures, is all the more difficult to analyze and evaluate.

Securing the chain of custody for the evidence is also difficult. The CSP hands over the potential evidence to the user – but how can the user be sure that the evidence is genuine and has not been injected by a malicious third party? In this context, the term data provenance [6] becomes extremely meaningful: It covers the origins of a piece of data and how it might have been modified, that is, who has viewed or modified the piece of data at a particular point in time.
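As an added illustration of the two points above (hashing the acquired copy before analysis, and a custody record that shows who handled the evidence and when), here is a small hash-chained custody log. It is example code written for this article, not a method the CSPs or references describe; the evidence bytes, actor names and timestamps are constructed, and the log format (JSON entries linked by SHA-256) is an assumption.

```python
import hashlib
import json

# Constructed sample "evidence" handed over by the provider (stands in for a disk image or log export).
EVIDENCE = b"constructed sample: /var/log/auth.log excerpt handed over by the CSP\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def append_entry(log, actor, action, evidence_hash, when):
    """Append a custody entry. Its hash covers the previous entry's hash, so a later
    modification of any entry, or an entry injected into the middle, breaks the chain."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    body = {"actor": actor, "action": action, "evidence_sha256": evidence_hash,
            "timestamp": when, "prev_hash": prev}
    body["entry_hash"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
    log.append(body)
    return body


def verify_chain(log, evidence):
    """Return (ok, reason). Checks every entry hash, the linkage between entries, and that
    the evidence we hold still matches the hash recorded at acquisition (entry 0)."""
    prev = "0" * 64
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["entry_hash"] != sha256_hex(json.dumps(body, sort_keys=True).encode()):
            return False, f"entry {i} modified"
        if e["prev_hash"] != prev:
            return False, f"entry {i} not linked to previous entry"
        prev = e["entry_hash"]
    if not log or log[0]["evidence_sha256"] != sha256_hex(evidence):
        return False, "evidence does not match acquisition hash"
    return True, "chain intact"


def build_sample_log():
    """Constructed custody history: provider acquires, hands over, customer IR team receives."""
    log = []
    h = sha256_hex(EVIDENCE)
    append_entry(log, "csp-ops", "acquired copy", h, "2024-01-01T10:00:00Z")
    append_entry(log, "csp-ops", "handed over to customer", h, "2024-01-01T11:30:00Z")
    append_entry(log, "customer-ir", "received", h, "2024-01-01T11:45:00Z")
    return log


if __name__ == "__main__":
    print(verify_chain(build_sample_log(), EVIDENCE))
```

The verifier catches three failure modes the text worries about: an altered entry, an entry inserted between genuine ones, and evidence that no longer matches what was acquired.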

Additionally, using automated forensic tools in today’s cloud environment is difficult or even impossible. Because of the lack of standards, you need to view and process each case individually. And even if standards did exist, you would not be able to rely on the CSP to implement all of them: the risk of jeopardizing its own position in the market would be too great.

Forensics in SaaS Applications

Software-as-a-service (SaaS) applications are becoming increasingly popular. Offerings from Google and Salesforce, for example, show how efficiently and easily applications can be migrated out into the cloud. In terms of application security, CSPs increasingly understand that users set much store by the secure implementation and authentication [7]. Paradoxically, very few CSPs take a proactive approach to incident handling. You can expect the current assurances of cloud security to be followed by a phase in which users learn through painful experience that their cloud-based data wasn’t totally secure after all.

In other words, today’s crop of SaaS applications offers virtually no opportunity to perform forensic investigations. To demonstrate this, we will look at an example that may be fictitious but is nonetheless not far removed from today’s practical SaaS applications.
