What You Need to Know About Cloud Forensics
Cloud computing has transformed the IT industry because services can now be deployed in a fraction of the time. Scalable computing solutions have spawned large cloud computing companies such as Amazon Web Services (AWS), Google Cloud and Microsoft Azure. By clicking a button, employees can build or reset a whole computer infrastructure in three different cloud-based models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Each of these three models presents unique challenges for conducting cloud forensic investigations.
Service Models
With traditional IT services, the owner is responsible for everything from the networking equipment to the application itself. Cloud computing offers SaaS, PaaS and IaaS solutions to improve the efficiency of computer deployment and management.
Let’s take a closer look at each of these models below.
In IaaS cloud computing environments, the owner is responsible for part of the operating system and for all middleware, runtime, data and applications. The cloud provider, however, manages the deployment of the operating system, virtualisation and all hardware, storage and networking equipment for the customer. This model gives the customer the most control over the underlying computing infrastructure. Examples of IaaS include creating hosts on AWS Elastic Compute Cloud (EC2), DigitalOcean and Rackspace.
Under PaaS, the owner's responsibility for cloud computing resources is less inclusive. The owner is responsible only for data and applications, not for the key cloud infrastructure, including network, servers, operating systems and storage. This service model is used primarily by application or software developers. AWS Elastic Beanstalk, Windows Azure and Apache Stratos are examples of PaaS.
SaaS is an all-inclusive cloud hosting environment in which the application owner provides the application to a cloud provider, and it is hosted and administered completely by the cloud service provider. Google Apps, Dropbox and Slack are examples of SaaS. The cloud service provider (CSP) is in full control of these applications, and users access them largely through a web browser.
Cloud computing and forensics
CSPs are responsible for forensic issues that are unique to cloud computing. Cloud forensics is a subset of digital forensics that is based on a unique approach to investigating the cloud. CSPs have servers hosting client data worldwide. When a cyber incident occurs, jurisdiction and the laws governing the region pose unique challenges. A court order issued in the jurisdiction in which one data center resides is unlikely to apply to a different host in another country. In modern CSP environments, the customer can select the region in which the data is to be located, and that region should be selected carefully.
An investigator’s main concern is to ensure that digital evidence is not manipulated by third parties, so that it can be admitted in a court of law. In the PaaS and SaaS service models, customers depend on the cloud service provider for access to the logs, because they have no control over the hardware. In some cases, CSPs intentionally hide log details from customers. In other cases, CSPs have policies under which they do not provide log collection services.
In a cloud environment, maintaining a chain of custody is very difficult compared to a traditional forensic environment. In traditional forensics, the internal security team can check who performs forensic operations on a machine, while in cloud forensics the security team has no control over the CSP. If those performing the operations are not trained to a forensic standard, the chain of custody cannot be upheld in a court of law.
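One way a customer can make tampering with CSP-supplied logs and with the custody record itself detectable is a hash-chained custody log, sketched below as an added example that is not part of the original article. The function names, field names, handler names and the sample log line are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used by the first custody entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_hash_of(entry: dict) -> str:
    # Hash a canonical JSON form of every field except the stored hash itself.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def record(chain: list, evidence: bytes, handler: str, action: str, when: str) -> dict:
    """Append a custody entry that commits to the evidence and to the prior entry."""
    entry = {
        "seq": len(chain), "when": when,
        "handler": handler, "action": action,
        "evidence_sha256": sha256_hex(evidence),
        "prev_hash": chain[-1]["entry_hash"] if chain else GENESIS,
    }
    entry["entry_hash"] = entry_hash_of(entry)
    chain.append(entry)
    return entry

def verify(chain: list, evidence: bytes) -> list:
    """Return a list of problems; an empty list means evidence and record agree."""
    problems, prev = [], GENESIS
    digest = sha256_hex(evidence)
    for i, e in enumerate(chain):
        if e["seq"] != i or e["prev_hash"] != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if e["entry_hash"] != entry_hash_of(e):
            problems.append(f"entry {i}: custody record altered")
        if e["evidence_sha256"] != digest:
            problems.append(f"entry {i}: evidence does not match recorded hash")
        prev = e["entry_hash"]
    return problems

# Constructed sample: one line of a log export as a provider might hand it over.
SAMPLE_LOG = b"2024-01-01T00:00:00Z user=alice action=login src=198.51.100.7\n"

def demo() -> dict:
    chain = []
    record(chain, SAMPLE_LOG, "csp-support", "exported", "2024-01-02T09:00:00Z")
    record(chain, SAMPLE_LOG, "investigator-1", "received", "2024-01-02T10:30:00Z")
    out = {"intact": verify(chain, SAMPLE_LOG),
           "evidence_edited": verify(chain, SAMPLE_LOG.replace(b"alice", b"bob"))}
    chain[0]["handler"] = "someone-else"  # constructed tampering with the record
    out["record_edited"] = verify(chain, SAMPLE_LOG)
    return out
```

A hash chain only detects edits relative to the final entry hash, so that value has to be recorded somewhere the handlers cannot rewrite.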
There are three service models in cloud computing and at least three cloud forensic challenges. Each level of the cloud computing service model shares part of the responsibility with the provider of cloud services. This relationship presents unique challenges in conducting cloud forensic investigations, since any mistake can prevent evidence from being admissible in a court of law.
Since cloud servers can be hosted in several countries, forensic data may be located in several countries as well. This presents legal jurisdiction challenges. Cloud service providers do not always work in your favour, as you cost them time and money on issues that are less relevant to them. These challenges are unique to the cloud forensics subfield.