Digital Forensics is not an elephant, it is a process and not just one process, but a group of tasks and processes in investigation. Examiners now perform targeted examinations using forensic tools and databases of known files, selecting specific files and data types for review while ignoring files of irrelevant type and content. Despite the application of sophisticated tools, the forensic process still relies on the examiner's knowledge of the technical aspects of the specimen and understanding of the case and the law - Mark Pollitt.
As has been established in articles by various authors including myself, this re-branded model of computing now called cloud computing proposes benefits that can improve productivity, harness high-speed systems which can manage large data sets as well as systems implementations, and could have a net positive impact on the operational budget (scaling, elasticity) of some small and midsized enterprises.
Of course there is the possibility that a private cloud for a small enterprise may not warrant its cost, in comparison to that of harnessing the benefits of a public cloud offering. For a larger enterprise with say multiple and/or international locations, a private cloud infrastructure can provide an added cost benefit that whilst not as cheap as a public cloud offering, would offset that cost variance in terms of the risk profile of systems being moved into a private cloud e.g. critical databases, transactional and/or processing systems, as well as potential compliance concerns.
If however an enterprise chooses to utilize a public cloud offering there will be the added complications for information security, in terms of procedural and legal standpoints. This leads us to the point that, with a public cloud system; we no longer have the traditional defined security perimeter.
This new cloud security perimeter can now be any place, on any device, where people will access an enterprise provided network, resources, and systems.
With regard to digital forensics and the e-discovery process, this new cloud security perimeter stemming from the trend with which data is now accessed via the internet and housed and consumed on multiple systems and devices internationally, will pose some serious challenges(legally and technically) with the potential to complicate a security investigation. For example defining incident response, access rules, and policies governing access as well as support processes.
Traditional network forensics metrics will not give a complete picture of what can occur within the cloud computing environment; for instance there could be limitations in terms of focus only on data going into and out of systems which an enterprise has access to, and as we know this generally stops at the gateway into the cloud.
In terms of network forensics, packet capture and analysis is important; with the cloud ecosystem there is the real possibility of an increase in the vast amount of data that may need to be processed. This will only increase the workload on the digital investigator who will most likely have more than a plateful of hex patterns, network metadata, and logs to analyze, as is the case with a traditional system analysis.
This increased volume can severely cripple an investigation; more so if a forensic investigator does not completely understand the cloud ecosystem's architecture, its complex linkages that bridge cloud services and an enterprise's systems in addition to how these systems impact an enterprise in terms of potential ingress points that can lead to systems compromise.
The cloud, while a boon to enterprise CapEx/OpEx, is also a gold-mine for crackers who can set up systems for attack with as little as $50—with products like Amazon Web Services (AWS), an Amazon Machine Image (AMI) either Linux or Windows can run a virtual machine which can be set up to do whatever an end-user wants it to do, that is, within the confines of the virtualized world; this environment is owned by the end-user (a cracker in this case) from the operating system up. Of course the IAAS and other hardware systems, IDS/IPS, firewalls, remain under the control of and belong to the cloud service provider.
With regard to say conducting a forensic investigation on a virtualized server, there is that potential loss of data that can be relevant to an investigation once an image is stopped or a virtualized server is shut down, with minimal chance of retrieving a specific image from its virtualized server.
As mentioned there are several merits for the case to adopt a cloud service; however, from a digital forensics point of view an understanding of the inherent limitations of such a system needs to be clearly understood and properly reviewed and scoped by an enterprises IT Security team regarding how such an implementation will adapt to their current security model. These metrics may vary based on the selected cloud provider the enterprise will use.
Gathered data can then assist the enterprise security on how to mitigate the potential for compromise and other risk that can affect the enterprises operations stemming from this added environment. This in turn can potentially alleviate the pains of a digital forensics investigation with cloud computing overtures.
Digital forensic expert Nicole Bebee stated, "No research has been published on how cloud computing environments affect digital artifacts, and legal issues related to cloud computing environments."
Of note is the fact that with the top CSPs (Amazon, Rackspace, Azure) one can find common attributes from which a security manager can tweak the enterprises security policies.
Some things of note that will impact a forensic investigation within the cloud ecosystem are:
- A network forensics investigator is limited to tools on the box rather than the entire network, however if a proper ISO is made of the machine image, then all the standard information in the machine image's ISO should be available as it would with any other server in a data center.
- Lack of access to network routers, load balancers, and other networked components.
- No access to large firewall installations.
- There are challenges in mapping known hops from instance to instance which will remain static across the cloud-routing schema.
- System Administrators can build and tear down virtual machines (VMs) at will. This can influence an enterprise’s security policy and plans as new rules and regulations will have to be implemented as we work with cloud servers and services that are suspected of being compromised.
- An enterprise’s threat environment should be treated with the same mindset for the cloud ecosystem as it would for any exposed service that is offered across the Internet.
- With the cloud ecosystem, an advantage with regard to forensics is the ability for a digital investigator to store very large log files on a storage instance or in a very large database for easy data retrieval and discovery.
- An enterprise has to be open to the fact that there will be a risk of data being damaged, accessed, altered, or denied by the CSP.
- Routing information that is not already on "the box" will be difficult to obtain within this ecosystem.
- For encrypted disks, wouldn't it be theoretically feasible to spin up "n" cloud instances to help crack the encryption? According to Dan Morrill this can be an expensive process.
As those of us who are students and practitioners within the field of digital forensic know, any advances in this area tend to be primarily reactionary in nature and most likely developed to respond to a specific incident or subset of incidents. This can pose a major challenge in the traditional systems; one can only imagine what can occur when faced with a distributed cloud ecosystem.
In terms of digital forensics, any tool that will make an examiner’s job easier, improve results, reduce false positives, and generate data that is relevant, pertinent, and can be admitted in a court of law will be of value.
Special thanks to Mark Pollitt for his valuable insight.
- Politt MM. Six blind men from Indostan. Digital forensics research workshop (DFRWS); 2004.
- Digital Forensics:Defining a Research Agenda -Nance, Hay Bishop 2009;978-0-7695-3450-3/09 IEEE
- Dan Morrill- 10 things to think about with cloud-computing and forensics
Jon Shende is a business executive who started out in the medical arena, then moved into the Oil and Gas environment where he was introduced to SCADA and network technologies 19 years ago. He gained expertise working within several verticals to include marketing, sales, and technical services eventually becoming the youngest VP of an international enterprise. Academically he holds a post graduate certificate in Business Administration, is an Oxford (Advanced Computing) Graduate, and also completed an MSc in IT Security at RHUL with a thesis on Cloud Computing examining Federated Identity Management. Jon is also well versed with virtualization technologies, risk management as well as IT Security to name a few and has used web-services and web-based tools for job related projects over the last few years. He has served as a technical management consultant, technical presenter, and client adviser. Read Jon's blog at http://jonshende.blogspot.com.