No Jitter is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

CSI for the Cloud

Cloud computing is a service you cannot ignore. Gartner predicts that cloud service revenue will be about $150 billion in 2013. With all of this comes the growing amount of data that will be accumulated, and the implications of the use of the cloud for situations that require forensic analysis. The amount of data that needs to be analyzed can be tens to hundreds of gigabytes in a single investigation.

The forensic professional's goal is to obtain information that can be used in court, and cloud computing expands the scale of digital forensic activities. It also creates new cybercrime investigations with new challenges.

Cloud forensics means new experts with new tools. Cloud forensics is a combination of digital forensics and cloud computing. Cloud computing, by definition, means sharing resources such as networks, storage, servers, applications, and other services. The sharing is performed by the cloud service and it involves multiple enterprises using common solutions.

A major value of cloud computing is its ability to reconfigure resources quickly. This means that resources can change almost instantly, which in turn means that virtualization compounds the forensic data location problem.

XaaS Models and Forensics
The Infrastructure as a Service (IaaS) model produces the fewest obstacles for the forensic expert. It is basically providing a physical data center outside the enterprise, but with all of the enterprise's work performed by enterprise staff. The management of the operating system may be shared.

Platform as a Service (PaaS) adds the management of the runtime and middleware by the service provider. This adds to the complexity faced by the forensic professional.

Software as a Service (SaaS) effectively outsources the entire IT operation. The enterprise becomes a subscriber to the service. SaaS is the most difficult environment for the forensic professional to operate within because most of the control of the applications and data is with the SaaS service provider.

The structure of your cloud provider's business will depend on the business model they are working under. A SaaS provider can easily be running its service on an IaaS or PaaS cloud, therefore you will be really working with two providers, not one for forensic purposes. A third-party reseller may be the face of the cloud service, adding another layer to the arrangement.

Next page: Elements of cloud forensics

Three Elements to Cloud Forensics
The first element of cloud forensics is, as expected, technical. This includes the tool set that is used for forensics discovery. There are also procedures that need to be followed. The technical element includes collecting the data, the data examination, analysis, and reporting as evidence.

The second element deals with the organization where the customer and the cloud service provider (CSP) are the principals in the investigation. If the CSP uses another service to complete their offering, then the scope of the investigation widens. The enterprise should establish one or more persons on staff to represent the enterprise during investigations. Outside experts may also become part of the enterprise's team.

The third element can be called the chain of dependencies. If as is true of many SaaS providers, the physical data center is an IaaS or PaaS, then CSPs are dependent on other CSPs. This will force close communications and collaboration among the parties to ensure that SLAs are enforced and the chain of evidence data is not compromised.

Challenges for Cloud Forensic Investigations
Cloud forensics will be developed by expanding the tools and procedures already in place for digital forensics. Additional challenges will be encountered when the cloud is involved, including:

* Forensic data collection--Ready access to data decreases as the enterprise moves from an IaaS to PaaS to a SaaS environment

* Elastic, static, and live forensics--The number of devices involved in the cloud service, including the endpoints, compounds the discovery and collation of data. Time synchronization (time stamps) and reporting formats can be barriers to data analysis.

* Evidence segregation--This relates to the problem of virtualization. How does the investigator know what is where and when things occurred?

* The expertise of the cloud and enterprise staffs--The skills and knowledge for conducting cloud forensic operations are relatively hard to locate and hire.

* External chain of dependency--There is a need to formulate and standardize how to work with CSPs who in turn work with other CSPs.

* Service level agreements--Transparency may be limited by the CSP if they are not making the enterprise fully aware of the details of the service performance that is being offered.

* Multiple legal jurisdictions--The rules and regulations will vary sometimes by state and certainly by country. Who is the primary authority may be hard to determine. It is also possible that more than one jurisdiction will expect to be the primary legal authority.

The cloud will grow rapidly. The enterprise has little long-term experience with cloud services; there will be a learning curve. Many forms of services, especially for SaaS, will create a wide range of issues to be faced by forensic investigators. If there are a number of legal issues that arise soon, these may dampen the enthusiasm by enterprises for cloud services, and slow its growth.