The difference between traditional computer forensics and cloud forensics could not be starker. The cloud is becoming more widely used by companies across the globe, but few of these companies have included cloud forensics in their cyber-security investments.
Many companies still mistakenly believe that traditional forensics is enough but without investment into cloud forensics, businesses could find themselves unable to prosecute attackers, collect evidence on what actually happened, and or have their case fully presented in court.
What Exactly is the Cloud in 2020?
Before we dive straight into cloud forensics, it’s important that you have a clear understanding of the nature of the cloud. The cloud is essentially a variety of digital services that are accessed over the internet. Cloud users can range from huge multi-nationals to solo individuals, and usage purposes can vary from streaming television to software development, to storing personal photos.
As some of this data can be classified or extremely private, consumers and businesses go to great lengths to make sure their cloud service is stored securely online. As it stands, there are three different types of cloud service, each of which provides a specific type of service over the internet:
SaaS - Software as a Service - SaaS provides on-demand software to users. Data is hosted locally and accessed by users over a client, such as a browser.
IaaS - Infrastructure as a Service - IaaS provides essential computer infrastructure (such as a virtual environment) as a service alongside network functions and storage.
PaaS - Platform as a Service - PaaS provides an entire computer platform over the internet. Capabilities include the ability to develop and deliver entire applications over the internet. Grants access to enormous computing power without having to pay for the actual hardware or hosting.
Cloud types can be further differentiated between private, public, community, and hybrid - each of which determines the level and types of access available. The type of access will depend on the user and the company involved. Many individuals and companies have fallen in love with the ease of cloud use, and it is looking to become increasingly widespread.
What is Cloud Forensics?
Cloud forensics is a blend of digital forensics and cloud computing. It is directly responsible for investigating crimes that are committed using the cloud. Traditional computer forensics is a process by which media is collected at the crime scene, or where the media was obtained; it includes the practice of persevering the data, the validation of said data, and the interpretation, analysis, documentation, and presentation of the results in the courtroom. In short, it is very similar to any other form of forensics.
In most traditional computer forensics, any evidence that has been discovered within the media will be under the control of the relevant law enforcement. This is where the divide between cloud and traditional forensics begins.
In the cloud, the data can potentially exist anywhere on earth, and potentially outside of your law enforcement jurisdiction. This can result in control of the evidence (and the process of validating it) becoming incredibly challenging.
Put simply, cloud forensics combines the realities of cloud computing with digital forensics, which focuses on collecting media from a cloud environment. This requires investigators to work with multiple computing assets, such as virtual and physical servers, networks, storage devices, applications, and much more. For most of these situations, the cloud environment will remain live and capable of change.
Despite this wide array of different assets and jurisdiction challenges, the end result must stay the same: evidence must be presented in a court of law.
While there are many other steps that need to be taken to improve cloud security, this is one area that businesses cannot overlook.
What Is The Cost of Not Implementing Cloud Forensics?
The chief concern for any cloud forensics investigator is the preservation of evidence, especially against tampering by any third parties. This is what allows evidence to be admissible in court. In SaaS and PaaS cloud models, customers are dependent on cloud service providers for access to any usage logs as they do not have access to the physical hardware (let alone control over it).
In some instances, cloud service providers have been known to hide logs from customers or hold policies that state logs cannot be collected. This is a strange business practice, given how concerned most consumers are with control over their data, privacy, and anonymity online, but it is an obstacle faced by consumers nonetheless.
It is because of this that maintaining a clear chain of custody in a cloud infrastructure is extremely difficult. In traditional forensics, investigators would have complete control of the evidence concerned.
In cloud forensics, the investigators may not have full control over who the cloud service provider allows to collect evidence. If the person(s) allowed aren’t properly trained, the chain of custody or evidence may be inadmissible in court.
This could lead to companies or individuals' entire case being thrown out, even if they were an entirely innocent victim of a damaging cloud-based crime.
Conclusion
Due to cloud computing's three different service models and further distinctions between who is allowed access, there are incredibly unique challenges to cloud forensics that cannot be seen in any other field of forensics.
As cloud servers are often located in multiple different counties, the data required by forensic investigators can be as well. This immediately presents the investigators with the obstacle of legal jurisdiction. Cloud services can also be reluctant to help you when it comes to conducting an investigation. After all, what may be an issue for you might not be an issue at all for them, and your investigation could further cost them time and money.
Despite these issues, if businesses take time to properly implement cloud forensics, they will vastly increase their chances of increasing their cybersecurity and see their case in court properly ruled.