The Coming Storm: Forensics in the Cloud
Cloud computing has increased productivity and decreased IT costs. However, there is a black lining to this particular cloud, as the benefits come at the price of giving up control, visibility and the ability to track data provenance.
Computer forensics traditionally relies on having physical access to systems, giving examiners the ability to acquire and interact with hardware such as disks and memory. For example, extracting data from magnetic drives has been a core activity of computer forensics: examiners establish chain of custody, create a forensically sound image of a drive, and interact with it in a non-volatile state. Mobile devices also store the bulk of their data not on the device itself but in the Cloud, making data retrieval difficult without a court order and the involvement of other parties.
In the Cloud, where we do not have access to the physical hardware and resources are shared, traditional computer forensic techniques are not easily implemented. When a file is deleted, the mapping to that file is destroyed instantly, and the space can then be overwritten, which can happen rapidly. If an image itself is shut down, it disappears unless it is put in a suspended mode, for which you are still charged. Backups of data and images can be made, but given these variables we would need snapshots of specific instances at specific points in time.
In many cases, unless we are running a private cloud on dedicated servers we control, we may not even know where our data is stored. Cloud data can be stored across multiple data centers around the country, even around the world. Backtracking a piece of data through its lifecycle can be difficult if not impossible. How do you submit a court order to a Cloud provider for forensically sound data, possibly for a crime that happened weeks or months prior? Does your Cloud provider have services to assist with investigations, or even collect the right data to assist you when things go wrong?
It appears that the industry is still struggling with how to deal with these issues, let alone develop standards. In many respects we have opened Pandora's Box, as the benefits of Cloud computing cannot be ignored. In some cases we may not have a choice but to use the Cloud, as some tools and applications will only be available through it. What can be done to provide more information and control? Most in the industry point to the importance of logging, both on-site within your organization and with service providers, who should offer more tools to log critical changes that may be useful in an investigation and to identify breaches proactively.
Data that should be tracked on-site:
- Technical controls to monitor systems and networks under an organization's control
- Proper collection of log files, including access logs, firewall logs, usage logs, code deployments, content changes (CMS) and others, particularly those that involve passing data to your Cloud instances
Data that should be collected by providers:
- Technical controls to monitor systems allocated to customers, such as logs of transactions, access and others that customers can easily access
- An option for automatic backups of data and images that the client can access and control
- Additional technical controls to monitor all systems and networks that support the cloud services, including firewalls, load balancers, security appliances, access logs and other data that could be useful in an investigation
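The on-site log collection called for above is only useful in an investigation if the examiner can later show that the copies match what was on the systems when they were gathered. The following added example, which is not from the original post, shows one way to do that in Python: it copies log files from a set of directories into an evidence directory, records each file's size, modification time and SHA-256 digest in a JSON manifest, and re-verifies the copies against that manifest on demand. The directory names, the collector identity and the sample log lines are constructed for the example.

```python
"""Added example: a minimal forensically-minded log collector.

Copies log files into an evidence directory, writes a manifest with
size, mtime and SHA-256 per file, and can re-verify the copies later
(a simple chain-of-custody check). All paths, identities and log
content below are constructed for the example.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect_logs(source_dirs, dest_dir, collector):
    """Copy every file under source_dirs into dest_dir and build a manifest.

    Each file is hashed before and after the copy; a mismatch aborts the
    collection rather than silently producing an unreliable copy.
    """
    os.makedirs(dest_dir, exist_ok=True)
    entries = []
    for src in source_dirs:
        label = os.path.basename(src.rstrip(os.sep))
        for root, _dirs, files in os.walk(src):
            for name in sorted(files):
                path = os.path.join(root, name)
                rel = os.path.relpath(path, src)
                dest = os.path.join(dest_dir, label, rel)
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                digest_before = sha256_file(path)
                shutil.copy2(path, dest)          # preserves mtime on the copy
                digest_after = sha256_file(dest)
                if digest_before != digest_after:
                    raise RuntimeError(f"copy of {path} does not match source")
                st = os.stat(path)
                entries.append({
                    "source": path,
                    "copy": os.path.relpath(dest, dest_dir).replace(os.sep, "/"),
                    "size": st.st_size,
                    "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                    "sha256": digest_after,
                })
    manifest = {
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "files": entries,
    }
    with open(os.path.join(dest_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_collection(dest_dir):
    """Re-hash every copied file; return the copies whose digest no longer matches."""
    with open(os.path.join(dest_dir, "manifest.json")) as f:
        manifest = json.load(f)
    changed = []
    for entry in manifest["files"]:
        copy_path = os.path.join(dest_dir, *entry["copy"].split("/"))
        if sha256_file(copy_path) != entry["sha256"]:
            changed.append(entry["copy"])
    return changed


def demo():
    """Run a collection over constructed sample logs, then tamper with one copy."""
    work = tempfile.mkdtemp()
    web = os.path.join(work, "web")
    fw = os.path.join(work, "firewall")
    os.makedirs(web)
    os.makedirs(fw)
    # constructed sample log lines (documentation-range addresses)
    with open(os.path.join(web, "access.log"), "w") as f:
        f.write('203.0.113.7 - - [10/Oct/2011:13:55:36 +0000] "POST /upload HTTP/1.1" 200 512\n')
    with open(os.path.join(fw, "fw.log"), "w") as f:
        f.write("2011-10-10T13:55:40Z DENY TCP 203.0.113.7:4455 -> 198.51.100.2:22\n")
    evidence = os.path.join(work, "evidence")
    manifest = collect_logs([web, fw], evidence, collector="examiner@example.org")
    clean = verify_collection(evidence)           # expect [] right after collection
    with open(os.path.join(evidence, "web", "access.log"), "a") as f:
        f.write("injected line\n")                # simulate post-collection modification
    tampered = verify_collection(evidence)        # expect ["web/access.log"]
    shutil.rmtree(work)
    return len(manifest["files"]), clean, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest is what gets handed over with the evidence; re-running `verify_collection` at any later point shows whether the copies are still the ones that were collected. In a real collection the manifest itself would also be hashed and stored separately, so that it cannot be edited alongside the files it describes.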
Have you had experience collecting forensic data from the Cloud? Tell us your story, tips and tricks in the comments below.
disk image photo courtesy of Jon Crel