Nowadays, Cloud Computing is one of the most rapidly evolving technological solutions. It can be defined as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be easily managed with minimum effort or cloud service provider interaction. Cloud forensic investigation, by contrast, can be defined as one of the vital methods for the collection, preservation, validation, identification, interpretation, analysis, documentation and presentation of digital evidence in the cloud service environment. In this blog, we are going to discuss the Cloud Forensics challenges, dimensions, and solutions.
Moreover, Cloud Forensics is a cross-discipline between Digital Forensics and Cloud Computing. To analyze the domain of Cloud Forensics in depth, it is important to understand that it is a multi-dimensional issue. There are 3 major dimensions of Cloud Forensics, which must be known and understood by Service Providers and Customers: the Technical, Organizational, and Legal Dimensions.
The Technical Dimension contains the cloud forensics tools which are required to carry out investigations in the Computing environment. Basically, it includes data collection, evidence segregation, live forensics, virtualized environments, and proactive measures. In Data Collection, data is gathered, labeled and recorded in a systematic way. Data stored in the infrastructure located at both the provider's end and the customer's end is collected. However, the tools and procedures which are developed may vary according to the cloud deployment and service model being used.
In the Organizational Dimension, two parties are involved: the Cloud Service Provider and the Consumer. The scope of the investigation increases when the service provider outsources its services.
To perform the cloud forensic investigation process accurately, the service provider must communicate with third parties. IT professionals who are experts in networks, security, systems, ethical hacking, cloud security, and cloud architecture must be hired to assist investigators at the crime scenes. Incident Handlers respond to data leakage and loss, denial of service attacks, breaches of confidentiality, insider attacks, and malicious code infections. Additionally, the Legal Advisor has to make sure that no laws are violated during the ongoing investigations. Moreover, the Legal Advisor is also responsible for communicating with external law enforcement agencies during the investigations.
The development of regulations and agreements is required in the Legal Dimension. This is to ensure that the forensic activities do not break the laws and regulations in the jurisdictions where data resides. Moreover, the confidentiality of the other clients using the same infrastructure should not be compromised. The SLA is a Service Level Agreement between the cloud user and the service provider which defines the terms and guidelines. This helps in the ongoing forensic investigations in the cloud service environment, which are:
While dealing with the subjects related to cloud forensic investigation, there are a plethora of challenges which occur frequently. Some of the possible challenges may include:
In this section, some additional cloud forensics challenges and issues are described which can affect the quality of the evidence retrieved in the cloud. Moreover, they can also affect the credibility and admissibility of the recovered artifacts in a court of law.
Multi-tenancy permits various clients to share a physical server and use services offered by the common cloud computing hardware and software simultaneously. In some multi-tenant infrastructures, the sharing of resources is extensive and involves multiple potentially vulnerable interfaces. The cloud service provider is often not willing to give the investigator access to shared memory, as it may contain data belonging to other customers. If such data is released, it could violate confidentiality and privacy agreements.
Data Provenance records the ownership and process history of data objects, which is important for a cloud forensic investigation. The degree to which data provenance can be implemented in a cloud environment depends on the type of cloud model. For example, the ancestry of a data artifact in a SaaS implementation may be difficult to trace. This is because the service provider would not give the investigator access to application and system log files.
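One way to record ownership and process history so that an investigator can later read an object's ancestry and detect altered or removed entries is a hash-linked provenance log. This is an added example, not part of the original article; the field names, object names and events are constructed assumptions, and it presumes a party that is able to record the events.

```python
import hashlib
import json

def _digest(body):
    """SHA-256 over a canonical JSON encoding of one record body."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_record(chain, obj_id, owner, action, when):
    """Append an ownership/processing event linked to the previous record."""
    body = {
        "object": obj_id, "owner": owner, "action": action, "time": when,
        "prev": chain[-1]["hash"] if chain else "0" * 64,
    }
    chain.append({**body, "hash": _digest(body)})
    return chain

def first_broken_link(chain):
    """Return the index of the first altered or re-linked record, or None."""
    prev = "0" * 64
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or _digest(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    return None

def ancestry(chain, obj_id):
    """Ownership and process history of one object, oldest first."""
    return [(r["time"], r["owner"], r["action"])
            for r in chain if r["object"] == obj_id]

def build_sample_chain():
    """Constructed sample events; names and times are illustrative only."""
    chain = []
    append_record(chain, "report.docx", "alice", "created", "2024-03-01T09:00:00Z")
    append_record(chain, "report.docx", "alice", "shared-with:bob", "2024-03-01T09:05:00Z")
    append_record(chain, "notes.txt", "carol", "created", "2024-03-01T09:06:00Z")
    append_record(chain, "report.docx", "bob", "modified", "2024-03-01T09:10:00Z")
    return chain
```
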
Data stored in a cloud service environment is often distributed over several locations to promote fault tolerance and efficiency of access. However, data distribution raises the issue of jurisdiction, which can present problems in legal proceedings. The situation becomes worse when the data resides in another country. Confidentiality and privacy laws differ from one country to another.
Many unresolvable problems and challenges exist in the cloud forensic investigation process. In this section, we discuss some solutions that will help to enhance the forensic investigation.
Currently, no cloud-specific forensic tool sets are available, so all cloud data acquisition and evaluation studies are based on the existing digital forensic tools. The cloud customers and service providers reside in different zones, which may lead to the creation of different metadata. Proper testing of cloud forensics tools and the use of a method for correlating data will be beneficial and will also help to reduce the investigation gaps.
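The correlation step described above, as an added example that is not part of the original article: timestamps from both sides are normalised to UTC before events are paired. The log records, the +05:30 offset, the record layout and the 5-second tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real logs). The provider logs in UTC; the
# customer-side system logs local time with a +05:30 offset.
PROVIDER_LOG = [
    ("2024-03-01T08:59:58+00:00", "obj-17", "GET"),
    ("2024-03-01T09:00:03+00:00", "obj-17", "DELETE"),
    ("2024-03-01T09:45:00+00:00", "obj-22", "PUT"),
]
CUSTOMER_LOG = [
    ("2024-03-01T14:30:01+05:30", "obj-17", "DELETE"),
    ("2024-03-01T15:15:02+05:30", "obj-22", "PUT"),
    ("2024-03-01T16:00:00+05:30", "obj-30", "GET"),
]

def to_utc(stamp):
    """Parse an ISO 8601 timestamp and normalise it to UTC."""
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp without zone offset is ambiguous: {stamp}")
    return parsed.astimezone(timezone.utc)

def correlate(provider, customer, tolerance=timedelta(seconds=5)):
    """Pair customer events with provider events on the same object and action
    whose UTC times differ by at most `tolerance`; return (matched, unmatched)."""
    matched, unmatched = [], []
    used = set()  # provider records already paired with a customer event
    for c_stamp, c_obj, c_act in customer:
        c_time = to_utc(c_stamp)
        best = None
        for i, (p_stamp, p_obj, p_act) in enumerate(provider):
            if i in used or (p_obj, p_act) != (c_obj, c_act):
                continue
            delta = abs(to_utc(p_stamp) - c_time)
            if delta <= tolerance and (best is None or delta < best[1]):
                best = (i, delta)
        if best is None:
            unmatched.append((c_stamp, c_obj, c_act))  # a gap to investigate
        else:
            used.add(best[0])
            matched.append((c_obj, c_act, best[1].total_seconds()))
    return matched, unmatched
```

Records left in the unmatched list are the investigation gaps: events one side saw that the other side's metadata does not account for.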
Information about the internal workings of the cloud service environment is very valuable in the investigation process, but exposure of the internal structure may cause a very serious negative impact on the data. To avoid this and protect the cloud data, the service providers provide only a little information about the environment.
The purpose of making the cloud services more transparent during the cloud forensic investigation is to allow the customer and provider to check whether the cloud service is running as agreed upon by both parties. When a problem occurs, this will also help to determine which party should be responsible for it.
The service level agreement contains the legal implications and precise procedural information about how the investigator should conduct the investigation process. In it, each role is clearly defined so that each party is aware of its responsibilities, capabilities, and limitations.
In this model, the cloud service provider is responsible for the acquisition of forensic data. This service is implemented by a cloud provider with small changes to the existing infrastructure, which ensures that a high-quality forensic investigation can be conducted.
The rapid growth in the number of cloud storage users automatically increases the importance of cloud forensic investigation. Several challenges occur while conducting the investigation. These cloud forensics challenges arise from the highly dynamic, distributed, multi-jurisdictional and multi-tenant nature of cloud environments. To deal with these issues, one can opt for solutions such as cloud forensic Tools Testing, Transparency of Cloud Services and Data, Service Level Agreement, Forensic-as-a-Service, etc. to enable high-quality forensic investigation in the cloud service environment.