Concept of Cloud Forensics

More articles

CA Mayur Joshi
CA Mayur Joshihttp://www.mayurjoshi.com
CA Mayur Joshi is a Forensic Accounting evangelist in India. He is the co-founder of Indiaforensic and is author of 7 books on forensic accounting, fraud investigations and money laundering.

The term Cloud Computing can be defined as a pay-per-use model for enabling convenient, on-demand network access to a shared pool of configurable and reliable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal consumer management effort or service provider interaction.  A Cloud model generally comprises five key characteristics, three delivery models, and four deployment models.

It is a model or concept where infrastructure, platforms, applications, and services are offered up over the internet like any webpage where data and the modifications that can be done to the aforesaid data, are stored online. Existing examples of such web pages include webmail, online backups, hosted services, etc.

The term ‘cloud computing’ thus covers everything from smart data centers, managed hosting, infrastructure, applications, and services offered over a network with the main storage and processing being completed at the cloud service provider(CSP) end, with cheap, thin clients at the other end accessing the service via a browser.

Five Key and Essential Characteristics of Cloud Computing are mentioned below:

1. On-demand self-service.
2. Broad network access.
3. Resource pooling.
4. Rapid elasticity.
5. Measured Service. (Pay-Per-Use in other terms)

There are further Three Service Models:

  1. Cloud Software as a Service (SaaS): Using provider’s applications over a network
  2. Cloud Platform as a Service (PaaS):  Deploy customer-created applications to a cloud.
  3. Cloud Infrastructure as a Service (IaaS): Rent processing, storage, network capacity, and other fundamental computing resources.

It is important to note that in order to be considered as a tool of “cloud computing” the above must be deployed on top of cloud infrastructure that has the key characteristics.
There are four Cloud deployment models as follows:
·         Public Clouds: These are sold to the public or mega-scale infrastructure companies.
·         Community Cloud: These are shared infrastructures for specific communities.
·         Private Cloud: These are enterprise owned or leased
·         Hybrid Cloud: These are composition of two or more cloud computing systems.

One of the advantages about cloud computing is that you basically exist in an on demand system, so if you are served with a preservation letter, or other legal reasons to preserve an environment, you can easily backup your environment and put it onto the cloud for the investigators to use, while the normal course of business happens. This also means that all the data stores or other information that investigators will need will also be cryptographically hashed much easier and much quicker using the on demand resources in  the cloud.

Amazon web services is a good example of this. Amazon Web Services (AWS) can automatically provide a MD5 of every file that is on the system; so when you do a bit by bit copy of the file, everything is carried over with it. Add to that the Meta data that goes along with every file in Microsoft Office, you have a fairly good unimpeachable record of the file that the courts will need. Email stores and exact backups of a person’s computing system are also available as well using this same kind of process.

The forensics tools can also be in their own off shoot of the environment allowing for very tight control over who has access to those tools and how they will be used. There are definite advantages to having a separate investigation environment for all the resources that are on the same cloud. Costs can be contained by making direct DVD copies from the investigation environment as needed or when needed making the process much more portable as well if information has to be turned over to the legal department or other investigators’ concept of using multiple instances for data mining – kind of essence of cloud computing. That opens a lot of new cool possibilities and potentially not so cool liabilities. It may be very interesting experiment in fact.

If we take out forensic limitations that come out of the cloud environment specifics and slightly modify the acquisition procedure (if needed for the case), before documenting the process to acquire evidence, then it can be explained in the court in a logical way. Will it stand in actuality is something that’s to be tested, but assuming that a logical approach was used to gather it in the first place, one can only hope that it wouldn’t be much of problem.

Finally, before we dive into how “the Cloud” will monkey wrench the modern-day computer investigator mindset, we need to reflect on a few of the basics of investigation and forensics:

  • Data has to be collected in a manner that maximizes its integrity.
  • Preserving chain of custody for the “best evidence” is critical to admissibility in a court of law.
  • Conclusions that are derived from evidence should be reproducible by peers through well-accepted methods, within a controlled and similar environment.

If we take these tenets to a cloud context, many questions immediately come to mind…

  • In the heavily virtualized/abstracted world of cloud computing, how can one identify and obtain the data that one needs?
  • In the distributed cloud model, what collateral data can one identify and collect to help one prove (or) disprove of a hypothesis?
  • What data does my provider log?  How long do they keep it?
  • What data will my provider give to me?
  • What knobs can one turn up to get the data that one needs?
  • Does my provider expect me to do this in a self-serve fashion so they are not involved in the interpretation of data?  Do they expect me to use an API that I can use to gather it?
  • If I need to ask my provider for data, how long will it take them to produce it?
  • How/will they vouch for the integrity of the data?
  • How/will they transfer it to me in a way that preserves integrity?
  • What/where exactly is the “best evidence”?
  • What methods and procedures are accepted?

The answers to these questions are complex and are not based upon “The Cloud” itself. That is so because “The Cloud” by itself is not uniform.  Each provider will have their unique approach to their cloud offerings and each in turn will enable a different form and depth of investigation.

Thus in order to comprehend the pro and con of the Cloud system, let us try and understand each service in detail.

- Featured Certification-spot_img

Latest