Welcome!

Weblogic Authors: Yeshim Deniz, Elizabeth White, Michael Meiner, Michael Bushong, Avi Rosenthal

Related Topics: @CloudExpo, Microservices Expo

@CloudExpo: Article

Digital Forensic Challenges within Cloud Computing

Will cloud forensics be effective in managing boundaries of responsibility and access?

Proponents of the cloud ecosystem touts its "vastness, flexibility and scalability as advantages for the implementation of cloud services. However, from a digital point of view this can be a veritable forensic challenge as we view the cloud in terms of its scope and diversity.

According to Dr. Stephen Wolthusen[1] "Digital forensics (also referred to at times as computer forensics) encompasses approaches and techniques for gathering and analyzing traces of human and computer-generated activity in such a way that it is suitable in a court of law."

A key challenge to a digital investigator called to pursue an investigation with cloud resources as a subset will be to establish and map computational and storage structures that will fall within the realm of the investigation. Bear in mind that for any system (cloud or otherwise) security incidents will cross boundaries of responsibility and access.[2]

Within the digital forensic process where there is a no one-size-fits-all solution for a digital forensic examination, all forensic evidence must follow the Forensic process of :

Collection - Examination - Analysis - Reporting. Also no matter its environment, forensic evidence must:

  • Be relevant to the issue at hand
  • Be authentic
  • Not be unfairly prejudicial not be hearsay or if hearsay, able to meet the requirements for an exception
  • Be the original or duplicate of the evidence or able to meet an exception to that rule.

Within the cloud computing ecosystem I believe there may be a dilemma in terms of time stamps. A question for cloud vendors would be, with a distributed and "vast" infrastructure how will they ensure synchronized clocks across all their systems? Synchronized clocks across a distributed global system may not be a possibility, and if this supposition holds true, then what other solution will a cloud vendor provide in such an instance?

Another challenge can be with that of reciprocity. Digital forensics within the cloud computing environment can have legal implications within an international jurisdiction which will require corporation from established relationships with legal entities in foreign countries and/or the establishment of new ones if possible.

As with any live forensic examination another challenge will be the establishing of snapshots of the system in operation. But in this case one can question if this is good enough for such a "vast" and possibly globally distributed ecosystem.

Take the instance of malware injected into the kernel space of a system; it is possible that it may be programmed to modify data or functionality...or both, in a variety of ways upon detection of a probe, or simply set to shut-down,obfuscate evidence, or delete pertinent data residues within a set time frame. Can a forensic examiner be notified of this change, or more pertinent can a cloud service provider implement protocols, tools or processes to ensure that such an event can be mitigated in real time? Most likely not, at least for now.

However a solution of sorts to this dilemma can be gleaned from thesis suggested in a paper by Wolthusen [1] which states: Data may be present or available in a given configuration for a limited time or be staged through different levels of storage hierarchies; it is hence important to place bounds on events in question so as to be able to capture events of interest completely.

In terms of the "vast" distributed environment that can comprise a cloud ecosystem under investigation; we have to be aware of the fact that within such an ecosystem, any forensic investigation can cause: parallel or unrelated services to be interrupted to completed halted, infringe on third party rights and cross jurisdictional boundaries and in the case of duplication require infeasible storage volumes. [1]

Aspects of Control within Cloud Computing Service Models:

SaaS: Here the cloud user, dependent on their contracted services with the cloud vendor will only control certain configuration parameters, whilst the cloud vendor maintain control over application\s and underlying infrastructure.

PaaS: Here the cloud vendor controls the cloud infrastructure and runtime environments when the cloud user controls the application.

IaaS: Although a cloud user will have control over their servers with the installed Operating Systems and applications with this cloud offering the cloud vendor will still controls the virtualization infrastructure and at least parts of the network infrastructure.

These aspects will affect how a digital forensic examination is conducted as, every cloud computing environment will have variations. Therefore the degrees of methods/tools protocols etc. implemented in identifying relevant events that support the detection and analysis of attacks have to be crafted accordingly.

Four Forensic Challenges within the Cloud Ecosystem
Grobauer and Schreck [2] identified the following forensic challenges within the cloud computing environment:

  1. Separation of customer's data sources during evidence collection
  2. Adapting forensic analysis methods to the cloud
  3. Improving live analysis techniques
  4. Improving log generation & analysis techniques

Another major challenge is a need to establish a complete understanding of processes, their dependencies and distribution across different systems within the cloud ecosystem. [1]

Wolthusen[1] also states that, "if semantic dependencies must be captured, this must not only capture the immediate data required to reconstruct a view or document or to recreate and reconstruct a process, but also sufficient information to ascertain the semantics of the event at the point in time of the event."

However would not the establishment of such a process potentially impact customers not involved in an investigation that are sharing the cloud-space that is part of a cloud forensic examination?

Despite the semantics and challenges of the Cloud Computing Environment it is my opinion that:

Cloud Computing users must open dialogue with their vendor regarding processes and protocols for successfully handling/managing incidents. These need to be clearly established within the requirements portion, when drafting their service level agreement (SLA).

References

  1. Overcast: Forensic Discovery in Cloud Environments -Stephen D. Wolthusen
  2. Towards Incident Handling in the Cloud:Challenges and Approaches -Bernd Grobauer,Thomas Schreck

More Stories By Jon Shende

Jon RG Shende is an executive with over 18 years of industry experience. He commenced his career, in the medical arena, then moved into the Oil and Gas environment where he was introduced to SCADA and network technologies,also becoming certified in Industrial Pump and Valve repairs. Jon gained global experience over his career working within several verticals to include pharma, medical sales and marketing services as well as within the technology services environment, eventually becoming the youngest VP of an international enterprise. He is a graduate of the University of Oxford, holds a Masters certificate in Business Administration, as well as an MSc in IT Security, specializing in Computer Crime and Forensics with a thesis on security in the Cloud. Jon, well versed with the technology startup and mid sized venture ecosystems, has contributed at the C and Senior Director level for former clients. As an IT Security Executive, Jon has experience with Virtualization,Strategy, Governance,Risk Management, Continuity and Compliance. He was an early adopter of web-services, web-based tools and successfully beta tested a remote assistance and support software for a major telecom. Within the realm of sales, marketing and business development, Jon earned commendations for turnaround strategies within the services and pharma industry. For one pharma contract he was responsibe for bringing low performing districts up to number 1 rankings for consecutive quarters; as well as outperforming quotas from 125% up to 314%. Part of this was achieved by working closely with sales and marketing teams to ensure message and product placement were on point. Professionally he is a Fellow of the BCS Chartered Institute for IT, an HITRUST Certified CSF Practitioner and holds the CITP and CRISC certifications.Jon Shende currently works as a Senior Director for a CSP. A recognised thought Leader, Jon has been invited to speak for the SANs Institute, has spoken at Cloud Expo in New York as well as sat on a panel at Cloud Expo Santa Clara, and has been an Ernst and Young CPE conference speaker. His personal blog is located at http://jonshende.blogspot.com/view/magazine "We are what we repeatedly do. Excellence, therefore, is not an act, but a habit."

IoT & Smart Cities Stories
CloudEXPO | DevOpsSUMMIT | DXWorldEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
DXWorldEXPO LLC announced today that Big Data Federation to Exhibit at the 22nd International CloudEXPO, colocated with DevOpsSUMMIT and DXWorldEXPO, November 12-13, 2018 in New York City. Big Data Federation, Inc. develops and applies artificial intelligence to predict financial and economic events that matter. The company uncovers patterns and precise drivers of performance and outcomes with the aid of machine-learning algorithms, big data, and fundamental analysis. Their products are deployed...
All in Mobile is a place where we continually maximize their impact by fostering understanding, empathy, insights, creativity and joy. They believe that a truly useful and desirable mobile app doesn't need the brightest idea or the most advanced technology. A great product begins with understanding people. It's easy to think that customers will love your app, but can you justify it? They make sure your final app is something that users truly want and need. The only way to do this is by ...
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busine...
The challenges of aggregating data from consumer-oriented devices, such as wearable technologies and smart thermostats, are fairly well-understood. However, there are a new set of challenges for IoT devices that generate megabytes or gigabytes of data per second. Certainly, the infrastructure will have to change, as those volumes of data will likely overwhelm the available bandwidth for aggregating the data into a central repository. Ochandarena discusses a whole new way to think about your next...
Cell networks have the advantage of long-range communications, reaching an estimated 90% of the world. But cell networks such as 2G, 3G and LTE consume lots of power and were designed for connecting people. They are not optimized for low- or battery-powered devices or for IoT applications with infrequently transmitted data. Cell IoT modules that support narrow-band IoT and 4G cell networks will enable cell connectivity, device management, and app enablement for low-power wide-area network IoT. B...
The hierarchical architecture that distributes "compute" within the network specially at the edge can enable new services by harnessing emerging technologies. But Edge-Compute comes at increased cost that needs to be managed and potentially augmented by creative architecture solutions as there will always a catching-up with the capacity demands. Processing power in smartphones has enhanced YoY and there is increasingly spare compute capacity that can be potentially pooled. Uber has successfully ...
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buye...
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things'). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing. IoT is not about the devices, its about the data consumed and generated. The devices are tools, mechanisms, conduits. This paper discusses the considerations when dealing with the...