Cloud Forensic Services
Digital forensics integrates techniques and methods used to gather and analyze footprints from computer-generated and human activity in a manner that is relevant in a court of law.
The Standard Working Group on Digital Evidence (SWGDE) defines Digital Evidence as “Any information of probative value that is either stored or transmitted in a digital form”.
“Despite the application of sophisticated tools, the forensic process still relies on the examiner's knowledge of the technical aspects of the specimen and understanding of the case and the law.” - Mark Pollitt
Typically in any digital forensics investigation the factors of volume, evidence, and time are of importance as follows:
Volume of potential evidence Potential for evidence to get contaminated (e.g. system rebooting may remove or contaminate critical segments of evidence) Time to identify potential criminal activity (e.g. a crime may be ongoing under the radar for an extended time period) With the cloud computing ecosystem we have to contend with the volume of users proportionally increasing giving an increase in people and processes for investigation Digital evidence must still satisfy the same legal requirements as with conventional system evidence (i.e. it must be Authentic – Reliable – Complete – Believable – Admissible) Within the cloud computing ecosystem we are left with that challenge of traceability and vastness Can Cloud Service Providers (CSP) assure:
The confidentiality of customer sensitive data (i.e. mitigate the risk of accidental or intentional data disclosure, unauthorized access, or leaked data)? Authorized instance deletion with assurance that data will be destroyed according to a defined policy and negate any future discovery risk What processes will be implemented to ensure the integrity of customer data at rest in the event of a subpoena for access to this data for an investigation? Where do we start as investigators? When:
We are dealing with ownership boundaries that are no longer delineated We are faced with limitations on environments where disks, memory, and networks are no longer “walk in and access as needed” We may not be clear where the data is located We may need clarification on who owns the data Making a bit-by-bit copy of evidence will be highly improbable We may face challenges with what tools to use within the cloud Global data centers are impacted by different jurisdictions and possible legal challenges Segregation of duties between the cloud provider and a customer can vary with each service model Interactions between multiple tenants sharing cloud resources vary with each unique deployment models