Cloud Forensic Investigation: Dimensions, Challenges & Solutions

MailXaminer | April 15th, 2019 | Forensics

Nowadays, Cloud Computing is one of the most rapidly evolving technological solutions. It can be defined as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be easily managed with minimum effort or cloud service provider interaction. Cloud forensic investigation, by contrast, can be defined as one of the vital methods for the collection, preservation, validation, identification, interpretation, analysis, documentation and presentation of digital evidence in the cloud service environment. In this blog, we are going to discuss the challenges, dimensions, and solutions of Cloud Forensics.

Moreover, Cloud Forensics is a cross-discipline between Digital Forensics and Cloud Computing. To analyze the domain of Cloud Forensics in depth, it is important to understand that it is a multi-dimensional issue. There are 3 major dimensions of Cloud Forensics, which must be known to and understood by Service Providers and Customers: the Technical, Organizational, and Legal Dimensions.

1) Technical Dimension

The Technical Dimension contains the cloud forensics tools required to carry out investigations in the cloud computing environment. Basically, it includes data collection, evidence segregation, live forensics, virtualized environments, and proactive measures. In Data Collection, data is gathered, labeled and recorded in a systematic way. Data stored in the infrastructure at both the provider's end and the customer's end is collected. However, the tools and procedures that are developed may vary according to the cloud deployment and service model being used.

2) Organizational Dimension

In the Organizational Dimension, two parties are involved: the Cloud Service Provider and the Consumer. The scope of the investigation increases when the service provider outsources its services.

To perform the cloud forensic investigation process accurately, the service provider must communicate with third parties. IT professionals who are experts in networks, security, systems, ethical hacking, and cloud security, as well as cloud architects, must be hired to assist investigators at the crime scenes. Incident Handlers respond to data leakage and loss, denial of service attacks, breaches of confidentiality, insider attacks, and malicious code infections. Additionally, the Legal Advisor has to make sure that no laws are violated during the ongoing investigations. The Legal Advisor is also responsible for communicating with external law enforcement agencies during the investigations.

3) Legal Dimension

The development of regulations and agreements is required in the Legal Dimension. This is to ensure that forensic activities do not break the laws and regulations in the jurisdictions where data resides. Moreover, the confidentiality of the other clients using the same infrastructure should not be compromised. The SLA is a Service Level Agreement between the cloud user and the service provider which defines the terms and guidelines. These help in the ongoing forensic investigations in the cloud service environment, and are:

  • During investigations, services, access, and techniques must be provided by CSPs to the customers.
  • Roles, Trust Boundaries and Responsibility between the customer and the CSP must be defined clearly.
  • No customer data should be compromised and no rules should be violated.
  • During the investigation, privacy policies should adhere to a multi-jurisdictional environment.

Let Us Check Out Some Cloud Forensics Challenges

While dealing with the subjects related to cloud forensic investigation, there are a plethora of challenges which occur frequently. Some of the possible challenges may include:

  • Log files cannot be accessed by cloud customers.
  • No agreements exist between the Cloud Service Provider and the customer on the segregation of responsibilities in the event of an investigation.
  • The cloud customer might not have complete access to their data to collect valid data if it is under investigation.
  • In Cloud computing, data is stored on multiple machines in different geographic locations. If the data is deleted, it becomes a challenging task to recover the deleted data, identify its owner and make use of the data for event reconstruction.
  • Fragmented data and artifacts are present whose metadata has been altered.

Issues Related to Conducting Digital Forensic Investigations in the Cloud

In this section, some additional cloud forensics challenges and issues are described, which can affect the quality of the evidence retrieved in the cloud. They can also affect the credibility and admissibility of the recovered artifacts in a court of law.

  • Multi-Tenancy

Multi-tenancy permits various clients to share a physical server and use services offered by the common cloud computing hardware and software simultaneously. In some multi-tenant infrastructures, the sharing of resources is extensive and involves multiple potentially vulnerable interfaces. The cloud service provider is often not willing to give the investigator access to shared memory, as it may contain data belonging to other customers. If such data is released, it could violate confidentiality and privacy agreements.

  • Data Provenance

Data Provenance records the ownership and process history of data objects, which is important for a cloud forensic investigation. The degree to which data provenance can be implemented in a cloud environment depends on the type of cloud model. For example, the ancestry of a data artifact in a SaaS implementation may be difficult to trace, because the service provider would not give the investigator access to application and system log files.
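As an added illustration (not code from the original article), the sketch below shows one common way to keep a provenance record whose integrity can be checked later: each ownership or processing event is hashed together with the hash of the previous record. The field names, the sample events and the use of a SHA-256 hash chain are assumptions made for this example.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first record
FIELDS = ("object_id", "owner", "action", "utc", "prev")


def _digest(record):
    """SHA-256 over the record's fields in a canonical JSON encoding."""
    body = {k: record[k] for k in FIELDS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_record(chain, object_id, owner, action, utc):
    """Append one ownership/processing event, linked to the previous record."""
    record = {"object_id": object_id, "owner": owner, "action": action,
              "utc": utc, "prev": chain[-1]["hash"] if chain else GENESIS}
    record["hash"] = _digest(record)
    chain.append(record)
    return record


def verify_chain(chain):
    """Return the index of the first record that fails verification, or None."""
    prev = GENESIS
    for i, record in enumerate(chain):
        if record["prev"] != prev or record["hash"] != _digest(record):
            return i
        prev = record["hash"]
    return None


def history(chain, object_id):
    """Ownership and process history of one data object, in recorded order."""
    return [(r["utc"], r["owner"], r["action"])
            for r in chain if r["object_id"] == object_id]


def demo():
    """Constructed sample: build a chain, then alter one record in a copy."""
    chain = []
    append_record(chain, "report.pdf", "alice", "created", "2019-04-10T09:00:05Z")
    append_record(chain, "report.pdf", "alice", "shared with bob", "2019-04-10T09:12:40Z")
    append_record(chain, "report.pdf", "bob", "ownership transferred", "2019-04-10T10:01:00Z")
    tampered = copy.deepcopy(chain)
    tampered[1]["owner"] = "mallory"  # edit made after the fact
    return verify_chain(chain), verify_chain(tampered), history(chain, "report.pdf")
```

The chain exposes edits and removals inside the log but not truncation of its tail, so the most recent hash should also be stored somewhere outside the log.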

  • Multi-Jurisdictional Issues

Data stored in a cloud service environment is often distributed over several locations to promote fault tolerance and efficiency of access. However, data distribution raises the issue of jurisdiction, which can present problems in legal proceedings. The situation becomes worse when the data resides in another country. Confidentiality and privacy laws differ from one country to another.

Cloud Forensic Solution

There are many unresolvable problems and challenges in the cloud forensic investigation process. In this section, we are going to discuss some solutions that will help to enhance the forensic investigation.

  • Testing the Forensic Tools

In the current situation, no cloud-specific forensic tool sets are available, so all cloud data acquisition and evaluation studies are based on the existing digital forensic tools. Cloud customers and service providers reside in different zones, which may lead to the creation of different metadata. Proper testing of cloud forensics tools and the use of a method for correlating data will be beneficial and will also help to reduce investigation gaps.
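As an added illustration (not code from the original article), the sketch below shows one way to correlate provider-side and customer-side records, assuming the "different zones" are time zones and that the metadata that differs is the timestamp. The log formats, the sample events, the UTC+05:30 offset and the 5-second matching window are all constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not from a real case): (timestamp, origin, message).
# The provider logs in UTC; the customer endpoint logs naive local time (UTC+05:30).
PROVIDER_LOG = [
    ("2019-04-10T08:59:50+00:00", "provider", "login user=alice"),
    ("2019-04-10T09:00:05+00:00", "provider", "GetObject key=report.pdf"),
    ("2019-04-10T11:30:00+00:00", "provider", "DeleteObject key=report.pdf"),
]
CUSTOMER_LOG = [
    ("2019-04-10 14:30:07", "customer", "file written report.pdf"),
    ("2019-04-10 17:00:02", "customer", "sync client removed report.pdf"),
]
CUSTOMER_TZ = timezone(timedelta(hours=5, minutes=30))  # assumed; must be documented


def to_utc(stamp, assumed_tz=None):
    """Parse an ISO-style timestamp and normalise it to UTC."""
    ts = datetime.fromisoformat(stamp)
    if ts.tzinfo is None:
        if assumed_tz is None:
            # Refuse to guess: an undocumented offset silently shifts the timeline.
            raise ValueError(f"no UTC offset known for {stamp!r}")
        ts = ts.replace(tzinfo=assumed_tz)
    return ts.astimezone(timezone.utc)


def build_timeline(*sources):
    """Merge (records, assumed_tz) sources into one UTC-ordered timeline."""
    events = []
    for records, assumed_tz in sources:
        for stamp, origin, message in records:
            events.append({"utc": to_utc(stamp, assumed_tz), "raw": stamp,
                           "origin": origin, "message": message})
    return sorted(events, key=lambda e: e["utc"])


def correlate(timeline, window=timedelta(seconds=5)):
    """Pair provider and customer events whose UTC times fall within `window`."""
    provider = [e for e in timeline if e["origin"] == "provider"]
    customer = [e for e in timeline if e["origin"] == "customer"]
    return [(p["message"], c["message"], (c["utc"] - p["utc"]).total_seconds())
            for p in provider for c in customer
            if abs(c["utc"] - p["utc"]) <= window]


if __name__ == "__main__":
    for e in build_timeline((PROVIDER_LOG, None), (CUSTOMER_LOG, CUSTOMER_TZ)):
        print(e["utc"].isoformat(), e["origin"], e["message"])
```

Each event keeps its original timestamp string in `raw`, so the normalised timeline can always be traced back to the record as it was collected.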

  • Cloud Service & Data Transparency

Information about the internal working of the cloud service environment is very valuable in the investigation process, but exposing the internal structure may cause a very serious negative impact on the data. To avoid this and protect the cloud data, service providers provide only a little information about the environment.

The purpose of making cloud services more transparent during the cloud forensic investigation is to allow the customer and the provider to check whether the cloud service is running as agreed upon by both parties. When a problem occurs, this also helps to determine which party should be responsible for it.

  • Service Level Agreement

The service level agreement contains the legal implications and precise procedural information about how the investigator should conduct the investigation process. In it, each role is clearly defined so that everyone is aware of their responsibility, capability, and limitations.

  • Forensics as Service Model

In this model, the cloud service provider is responsible for the acquisition of forensic data. The service is implemented by the cloud provider with small changes to the existing infrastructure, which assures that a high-quality forensic investigation can be conducted.

Final Words

The rapid growth in the number of cloud storage users automatically increases the importance of cloud forensic investigation. Several challenges occur while conducting an investigation. These cloud forensics challenges arise from the highly dynamic, distributed, multi-jurisdictional and multi-tenant nature of cloud environments. To deal with these issues, one can opt for solutions such as Cloud Forensic Tools Testing, Transparency of Cloud Services and Data, Service Level Agreement, Forensic-as-a-Service, etc. to enable high-quality forensic investigation in the cloud service environment.