Cloud computing and forensics
Collin Greenland, Guest Columnist
The emergence and proliferation of cloud computing over the years have resulted in shifts in data processing and data-storage patterns. Though it offers certain advantages, cloud computing also introduces certain vulnerabilities and challenges, not only for companies and individuals, but also for digital investigators charged with the tasks of preventing, investigating or prosecuting data-related crimes committed by perpetrators who gain access to computing infrastructure, platforms and software applications on demand, via 'utility type' services similar to accessing an electricity grid.
Typically, users of cloud computing outsource data management or computer applications to a service provider, with data stored across various servers, often without control or knowledge of the exact location of the data. This remote service, accessed via the Internet, allows information to be stored and processed in a 'cloud' by remote and very-large-scale data centres, with individuals and organisations then able to access resources to suit their own particular business requirements. These days, the examples are innumerable and may include email services such as Gmail and Hotmail, data storage or sharing services such as Dropbox and Megaupload, application services such as Google Docs, and development platforms such as Amazon AWS.
Cloud computing is already an important part of the Internet landscape and the American market and advisory firm International Data Corporation (IDC), which specialises in information technology, telecommunications, and consumer technology, has stated that it has the potential to become one of the most transformative computing technologies, following in the footsteps of mainframes, minicomputers, personal computers, the World Wide Web and smartphones. In fact, Frank Gens from IDC claimed that spending on cloud computing is growing at five times the rate of traditional on-premises information technology and it is radically changing how information technology services are created, delivered, accessed and managed. Forecasts also point to cloud computing services generating approximately one-third of the net new growth within the IT industry. Another of the world's leading information technology research and advisory companies, Gartner Inc., claims that the worldwide cloud services market will reach $150.1 billion this year.
Cloud Forensics
The emergence and proliferation of cloud computing has not only exacerbated the problem of scale for digital forensic investigators, but has also created a brand new front for cyber-crime investigations with the associated challenges. Possibly the world's largest government forensic investigator, the FBI, has pointed out that the size of the average digital forensic case grew at the rate of 35 per cent per year from 83 GB in 2003 to 277 GB in 2007. As a result, IT doyens such as V. Roussev, L. Wang, G. Richard and L. Marziale pointed out that the amount of forensic data that must be processed is outgrowing the ability to process it in a timely manner.
Accordingly, cloud-based entities (cloud service providers (CSPs) and cloud customers), IT practitioners, auditors, forensic accountants and law enforcement personnel must consider the establishment of forensic capabilities that can help reduce cloud security risks through cloud forensics. Best regarded as a cross-discipline of cloud computing and digital forensics, cloud forensics relies heavily on the latter, which is the application of computer science principles to recover electronic evidence for presentation in a court of law or other suitable forum.
The nature of cloud forensics is more multidimensional than merely technical, as the various technical, organisational and legal dimensions provide corresponding challenges to investigators hitherto not experienced in early network digital forensics. Technically, for example, investigators must be equipped with the relevant procedures and tools needed to perform the forensic process in a cloud-computing environment, covering areas such as data collection, live forensics, evidence segregation, virtualised environments and proactive measures.
Since rapid elasticity is one of the essential characteristics of cloud computing, cloud forensics tools must be similarly elastic, capable of being provisioned and deprovisioned on demand, and should include large-scale static and live forensic tools for data acquisition, data recovery, evidence examination and evidence analysis.
Organisationally, a forensic investigation in a cloud-computing environment involves at least two entities: the CSP and the cloud customer, but the scope of the investigation widens when a CSP outsources services to other parties. Many CSPs and most cloud applications often have dependencies on other CSPs. The dependencies in a chain of CSPs/customers can be highly dynamic and in such situations, cloud forensic investigations may depend on investigations of each link in the chain.
Challenges and opportunities
These multidimensional issues (technical, organisational and legal) understandably provide challenges that space prevents elaborating on in this article. These include issues concerning forensic data collection, live forensics, evidence segregation, virtualised environments, internal staffing, external dependency chains, service level agreements and multiple jurisdictions and tenancy. For example, the presence of multiple jurisdictions and multi-tenancy in cloud computing poses significant challenges to forensic investigations, as each jurisdiction imposes different requirements regarding data access and retrieval, evidence recovery without breaching tenant rights, evidence admissibility and chain of custody. The absence of a worldwide regulatory body, or even a federation of national bodies, significantly impacts the effectiveness of cloud forensic investigations.
However, despite these challenges facing cloud forensics, there are several opportunities that can be leveraged to advance forensic investigations.
While cloud computing is widening the horizons of digital forensics, the multidimensional opportunities offered by cloud forensics still exceed the corresponding investigative challenges and allow for significant advances in the efficacy and speed of forensic investigations.
Collin Greenland is a forensic accountant. Email: cgreeny.collin@gmail.com
