Digital forensics integrates techniques and methods used to gather and analyze footprints from computer-generated and human activity in a manner that is relevant in a court of law.

The Standard Working Group on Digital Evidence (SWGDE) defines Digital Evidence as “Any information of probative value that is either stored or transmitted in a digital form”.

“Despite the application of sophisticated tools, the forensic process still relies on the examiner's knowledge of the technical aspects of the specimen and understanding of the case and the law.” - Mark Pollitt

Typically in any digital forensics investigation the factors of volume, evidence, and time are of importance as follows:

• Volume of potential evidence
• Potential for evidence to get contaminated (e.g. system rebooting may remove or contaminate critical segments of evidence)
• Time to identify potential criminal activity (e.g. a crime may be ongoing under the radar for an extended time period)
• With the cloud computing ecosystem we have to contend with the volume of users proportionally increasing giving an increase in people and processes for investigation
• Digital evidence must still satisfy the same legal requirements as with conventional system evidence (i.e. it must be Authentic – Reliable – Complete – Believable – Admissible)
• Within the cloud computing ecosystem we are left with that challenge of traceability and vastness

Can Cloud Service Providers (CSP) assure:

• The confidentiality of customer sensitive data (i.e. mitigate the risk of accidental or intentional data disclosure, unauthorized access, or leaked data)?
• Authorized instance deletion with assurance that data will be destroyed according to a defined policy and negate any future discovery risk
• What processes will be implemented to ensure the integrity of customer data at rest in the event of a subpoena for access to this data for an investigation?

Where do we start as investigators? When:

• We are dealing with ownership boundaries that are no longer delineated
• We are faced with limitations on environments where disks, memory, and networks are no longer “walk in and access as needed”
• We may not be clear where the data is located
• We may need clarification on who owns the data
• Making a bit-by-bit copy of evidence will be highly improbable
• We may face challenges with what tools to use within the cloud
• Global data centers are impacted by different jurisdictions and possible legal challenges
• Segregation of duties between the cloud provider and a customer can vary with each service model
• Interactions between multiple tenants sharing cloud resources vary with each unique deployment models

A Cloud Forensics as a Service (FRaaS) model can have an impact on forensics and data integrity in the cloud in that:

• The cloud has the potential to ease the facilitation of a forensic examination via the promise of data consolidation.
• We can leverage dedicated cloud storage to mitigate the archival capability challenge, to preserve the integrity of metadata.
• CSPs can dedicate resources for forensic purposes solely.
• Instance snapshots can be taken at an agreed upon time (per an SLA and policies).
• There can also be an agreed upon time period to retain these instances as the volume grows per a Cloud Security Policy requirement (both CSP and customer must be involved).
• A process exists to retain sampling of instance snapshots as the volume of the snapshots grow.
• There must be a policy and a defined process for evaluation of these samples for integrity prior to selection for archiving by CSP (forensic or otherwise).
• The FraaS will include items listed above (an instance collection process, a repository for instances, in addition to those mentioned above) and is demonstrated in the Forensic as a Service (FraaS) model below.

Click for larger image.

Jon RG Shende is an executive with over 20 years of business experience. Maintaining a fine balance between his business skills and technology, Jon integrates his passion as an avid researcher within the fields of IT security, cloud, and digital forensics with practical business goals and objectives. Professionally he is a Fellow and Chartered IT Professional of the BCS Chartered Institute for IT, an HITRUST Certified CSF Practitioner, and holds the CRISC certification. His personal blog is located at http://jonshende.blogspot.com/view/magazine