The Basics of Cloud Forensics

This article is a summary of the research paper “Cloud forensics: An overview“.

Cloud computing is said to be one of the game-changing technologies in the recent history of computing. Unfortunately, due to its young age, cloud providers do not yet have any established procedure for investigating incidents in the cloud. In the absence of such procedures, they have no means of ensuring the robustness and suitability of cloud services when it comes to supporting investigations of criminal activity.

Cloud computing technology has shown massive game-changing potential, akin to that of other significant computing technologies such as mainframes, minicomputers, PCs, and even smartphones. It has the ability to radically alter the way information technology services are created, accessed, and managed.

The 2009 F5 cloud computing survey revealed that 66% of IT managers in their sample have dedicated budgets for the cloud, with 71% expecting cloud computing budgets to grow over the next two years. On the other hand, the number of crimes related to computers and the Internet has grown over the last decade, which in turn resulted in an equal increase in companies that want to assist law enforcement by using digital evidence to determine the perpetrators, methods, victims, and timing of computer crime. This led digital forensics to evolve enough to ensure the proper representation of cyber crime evidence in court. However, with storage capacity outpacing improvements in network bandwidth and latency, forensic data is starting to grow exponentially, to the point that it becomes hard to process in a timely manner.

With the rise of cloud computing, the scale problem of digital forensics has been exacerbated, and what is worse, the cloud has also created a new avenue for cybercrime investigation with its own challenges. Digital forensic practitioners must therefore adapt and extend their skills and tools to cloud computing environments, help cloud organizations and cloud consumers establish and develop forensic capability, and reduce cloud security risks. Failing to do so will make it very difficult to investigate critical incidents that happen in the cloud, including criminal intrusions and policy violations.

Definitions of Cloud Forensics

Cloud forensics is the application of digital forensics in cloud computing, and can be seen as a subset of network forensics. Basically, it is a cross-discipline between cloud computing and digital forensics. As per the official definition of NIST:

“Digital Forensics is the application of science to the identification, examination, collection, and analysis of data while preserving the information and maintaining a strict chain of custody for the data.”

Cloud forensics can also be considered a subset of network forensics, since network forensics deals with forensic investigations in any kind of network, be it private or public. Cloud computing, in turn, is based on broad network access, and thus cloud forensics follows the main principles of the network forensic process, with some techniques custom-tailored to the cloud computing environment.

The Three Dimensions of Cloud Forensics

  1. The Technical Dimension – the technical dimension involves the set of tools and procedures needed to carry out the forensic process in cloud computing environments. This includes forensic data collection, elastic/static/live forensics, evidence segregation, investigations in virtualized environments, and pro-active preparations.
  2. The Organizational Dimension – when it comes to forensic investigations in cloud computing environments, two parties are always involved: the cloud consumer and the CSP. When the CSP outsources services to other parties, the scope of the investigation tends to widen. When establishing the capacity of an organization to investigate cloud anomalies, each cloud organization needs to create a department, permanent or ad hoc, that is in charge of internal and external matters and fulfills the following roles: investigators, IT professionals, incident handlers, legal advisors, and external assistance.
  3. Chain of Dependencies – Cloud Service Providers and the majority of cloud applications tend to have dependencies on other CSPs. These dependencies can be highly dynamic, which means an investigation in such a situation will depend on the investigation of each link in the chain, as well as on the complexity of the dependencies. Problems can arise from interruption or corruption in any of the numerous links in the chain, or simply from a lack of coordination between the parties involved. Therefore, tight communication and collaboration between the parties involved must be enforced by organizational policies as well as legally binding SLAs.

Cloud Service Providers and Cloud Customers, with the chain of dependencies between them taken into account, have to collaborate and coordinate with the following parties in order to achieve effective and efficient forensic activities:

  • Law Enforcement – while cloud organizations need to prioritize the availability of service, law enforcement's top priority is the prosecution of criminals. These two priorities clash in situations such as evidence collection. The two sides need to coordinate better in order to improve mutual understanding and resource confiscation.
  • Third Parties – when it comes to auditing and ensuring compliance regarding cloud forensics, cloud organizations need to work closely with third parties.
  • Academia – cloud organizations need to work with academia in order to receive up-to-date training for their internal forensic staff, as well as to contribute to the knowledge of the area.

The Legal Dimension

The legal dimension has several aspects. First are the multi-jurisdiction and multi-tenancy challenges, which are considered top-level concerns among digital forensic experts and are both amplified by the Cloud. Regulations and agreements must be secured in the legal dimension of cloud forensics in order to ensure that investigations do not violate any laws or regulations in the area where the data is physically stored. Measures must also be taken to ensure that the privacy of other individuals or organizations sharing the infrastructure is not compromised or violated during the forensic activity.

Another aspect of the legal dimension is the Service Level Agreement or SLA, which defines the terms of use between the cloud customer and the cloud service provider. The following terms need to be amended to existing SLAs in order to help make forensic investigations smoother:

  1. The CSP must provide the customer with the services, access, and techniques needed for forensic investigation.
  2. Trust boundaries, responsibilities, and roles between the customer and the CSP must be defined clearly during forensic investigation.
  3. Legal regulations, confidentiality of customer data, and privacy issues must be addressed during a multi-jurisdictional forensic investigation, as well as in a multi-tenant environment.

Cloud Crime

The definition of computer crime will be extended to cloud crime, which is basically any crime that involves cloud computing in the sense that cloud can be the subject, object, or tool related to the crimes.

The cloud is considered the object when the target of the crime is the cloud service provider and it is directly affected by the act, such as with Distributed Denial of Service (DDoS) attacks that target sections of the cloud or the cloud as a whole.

The cloud can be considered the subject of the crime when the criminal act is committed within the cloud environment, such as cases of identity theft of Cloud users’ accounts.

The cloud is considered the tool when it is used to plan or conduct a crime, such as cases when evidence related to the crime is stored and shared in the cloud or a cloud is used to attack other clouds.

Usage of Cloud Forensics

Cloud Forensics has numerous uses, such as:

1. Investigation

  • On cloud crime and policy violations in multi-tenant and multi-jurisdictional environments
  • On suspect transactions, operations, and systems in the cloud for incident response
  • Event reconstructions in the cloud
  • On the acquisition and provision of admissible evidence to the court
  • On collaborating with law enforcement in resource confiscation.

2. Troubleshooting

  • Finding data and hosts physically and virtually in cloud environments
  • Determining the root cause for both trends and isolated incidents, as well as developing new strategies that will help prevent similar events from happening in the future
  • Tracing and monitoring an event, as well as assessing the current state of said event
  • Resolving functional and operational issues in cloud systems
  • Handling security incidents in the cloud

3. Log Monitoring

  • Collection, analysis, and correlation of log entries across multiple systems hosted in the cloud, for purposes including but not limited to audit assistance, due diligence, and regulatory compliance

4. Data and System Recovery

  • Recovery of data in the cloud, whether it’s been accidentally or intentionally modified or deleted
  • Decrypting encrypted data in the cloud when the encryption key has been lost
  • Recovery and repair of systems damaged accidentally or intentionally
  • Acquisition of data from cloud systems that are being redeployed, retired, or in need of sanitization

5. Due Diligence/Regulatory Compliance

  • Assist organizations in exercising due diligence as well as in complying with requirements related to the protection of sensitive information, maintenance of certain records needed for audit, and notification of parties concerned when confidential information is exposed or compromised.

Challenges Facing Forensic Data Collection

In all cloud service and deployment models, the cloud customer encounters decreased access to forensic data, with the degree of access depending on the model. For instance, IaaS users may enjoy straightforward access to all the data required for a forensic investigation, while SaaS customers may not be able to access the pertinent data at all.

Lack of access to forensic data means that the cloud customer is in the dark as to where their data is physically located, and can only specify the location of their data at a higher level of abstraction, typically as a virtual object or container. This is because cloud service providers normally hide the actual physical location of the data in order to facilitate data movement and replication.

Additionally, there is a lack of definitive terms in Service Level Agreements that would encourage general forensic readiness in the cloud. Many providers intentionally avoid providing services or interfaces that would help customers gather forensic data in the cloud. For instance, SaaS providers will not provide IP logs of clients accessing content, while IaaS providers will not provide copies of recent virtual machine states and disk images. The cloud as it functions right now does not give end users access to all the relevant log files and metadata, limits their ability to audit the operations of their provider's network, and does not let them conduct real-time monitoring of their own networks.

Challenges Faced by Elastic, Static, and Live Forensics

The sheer number of endpoints, particularly mobile ones, is one of the biggest challenges for data discovery and evidence collation. The sheer number of resources connected to the cloud also tends to increase both the impact of crimes and the workload of investigations. Time synchronization is vital when audit logs are used as a source of evidence in investigations. Accurate time synchronization is already one of the major issues in network forensics, and it is exacerbated in a cloud environment, which must produce consistent timestamps across devices located in different time zones, across equipment, and across remote web clients that include numerous endpoints.

Like time synchronization, the consolidation of log formats is a traditional issue in network forensics that is once again made worse by the scale of the cloud: the massive number of resources makes it even more difficult to consolidate log formats or make them cross-compatible. What is even more troubling is that some providers intentionally create proprietary log formats, which introduces major roadblocks in joint investigations.
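The two problems above, inconsistent clocks and incompatible log formats, are what an investigator has to solve before any cross-source event reconstruction can begin. The following Python routine is an added illustration, not code from the paper: it normalizes records from three constructed sources (different formats, clocks set to different zones, one line with no zone at all) onto a single UTC timeline and sets aside lines it cannot parse instead of silently dropping them. The source names, formats and log lines are all constructed for the example.

```python
import json
import re
from datetime import datetime, timezone, timedelta

# Constructed per-source configuration (hypothetical sources, not a real provider's
# formats): the clock offset to assume for records without an explicit zone, and the format.
SOURCES = {
    "edge-fra":  {"offset_h": 1,  "fmt": "iso"},       # ISO 8601, offset optional
    "app-nyc":   {"offset_h": -5, "fmt": "json"},      # JSON with a naive local "ts"
    "store-sfo": {"offset_h": -8, "fmt": "epoch_ms"},  # epoch-milliseconds prefix
}
# Constructed sample records: one login flow as seen from three sources.
SAMPLE_LOGS = [
    ("app-nyc", '{"ts": "2024-03-01 03:15:09", "event": "token_issued", "user": "alice"}'),
    ("edge-fra", "2024-03-01T09:15:07+01:00 client=10.0.0.5 action=login user=alice"),
    ("store-sfo", "1709280904000 GET /bucket/report.pdf user=alice"),
    ("edge-fra", "2024-03-01 09:15:08 client=10.0.0.5 action=mfa_ok user=alice"),  # no zone
    ("app-nyc", "not json at all"),  # malformed: must be reported, not silently dropped
]
ISO_RE = re.compile(r"(\d{4}-\d\d-\d\d[T ]\d\d:\d\d:\d\d(?:[+-]\d\d:\d\d)?) (.*)")
EPOCH_RE = re.compile(r"(\d{13}) (.*)")

def to_utc(ts, offset_h):
    """Attach the source's configured offset to a naive timestamp, then convert to UTC."""
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone(timedelta(hours=offset_h)))
    return ts.astimezone(timezone.utc)

def parse_record(source, line):
    """Return (utc_datetime, message) for one record, or None if it cannot be parsed."""
    cfg = SOURCES[source]
    try:
        if cfg["fmt"] == "iso":
            raw, msg = ISO_RE.match(line).groups()
            ts = datetime.fromisoformat(raw)
        elif cfg["fmt"] == "json":
            obj = json.loads(line)
            ts = datetime.fromisoformat(obj["ts"])
            msg = " ".join(f"{k}={v}" for k, v in obj.items() if k != "ts")
        elif cfg["fmt"] == "epoch_ms":
            raw, msg = EPOCH_RE.match(line).groups()
            ts = datetime.fromtimestamp(int(raw) / 1000, tz=timezone.utc)
        else:
            return None
    except (ValueError, KeyError, AttributeError, TypeError):  # bad JSON, no regex match
        return None
    return to_utc(ts, cfg["offset_h"]), msg

def build_timeline(records):
    """Normalise all records to UTC and order them; keep rejects for the case notes."""
    timeline, rejected = [], []
    for source, line in records:
        parsed = parse_record(source, line)
        if parsed is None:
            rejected.append((source, line))
        else:
            timeline.append({"utc": parsed[0], "source": source, "msg": parsed[1]})
    timeline.sort(key=lambda r: (r["utc"], r["source"]))
    return timeline, rejected
```

Note that the ordering only holds if the per-source offsets are known to be correct; an undocumented clock skew on any one source silently shifts its events relative to the others, which is why the paper treats synchronization as an evidentiary issue rather than a convenience.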

As in other areas of digital forensics, deleted data in the cloud is considered a vital piece of evidence. However, the cloud presents problems in this respect. For instance, Amazon's AWS gives the right to change the original snapshot only to the AWS account that created the volume. Once the AWS account owner deletes data within the domain, removal of the mapping starts immediately and is completed within seconds. After that, there is no longer any way to access the deleted data remotely; the storage space once occupied by that data is made available for future write operations and is very likely to be overwritten by newly stored data. While some deleted data may still be recoverable from a snapshot even after deletion, the challenge lies in recovering it, identifying its ownership, and using the information to reconstruct what happened in the cloud.

Challenges in Evidence Segregation

In a cloud environment, the various virtual machine instances running on the same physical machine are completely isolated from each other by the hypervisor. The instances are treated as if they were on separate physical hosts, and as such have no access to each other despite being hosted on the same machine. Improvements are needed in cloud provisioning and deprovisioning technology so that providers and law enforcement agencies can maintain this segregation without breaching the confidentiality of other tenants sharing the same physical hardware, while also ensuring the admissibility of the evidence.

Challenges in Virtualized Environments

Cloud computing, in essence, provides redundancy of data and computing power by replicating and distributing resources. Many CSPs do this by running different instances of a cloud computing environment within a virtualized environment, with each instance running as a standalone virtual machine that is monitored and maintained by a hypervisor. This means attackers can target the hypervisor, and doing so successfully gives them free rein over all the machines it manages. For cloud investigators and law enforcement agencies, there is a serious lack of policies, techniques, and procedures at the hypervisor level that would facilitate investigation.

Challenges in Internal Staffing

At the moment, most cloud organizations handle investigations using conventional network forensic tools and staffing, or worse – they simply neglect the issue. The major challenge in establishing an organizational structure for cloud forensics is finding the right amount of technical expertise and relevant legal experience within the available manpower.

Challenges in External Chain of Dependency

As mentioned earlier in this document, CSPs and most cloud-related applications have dependencies on other CSPs. This means an investigation across the chain of dependencies between CSPs relies on the investigation of each link in the chain, so any corruption, interruption, or even ineptness on the part of any of the parties involved can lead to big problems for the entire investigation. There are currently no tools, policies, procedures, or agreements that address cross-provider investigations.

Challenges with the Service Level Agreements

Due to a lack of customer awareness, and a general lack of CSP transparency and international regulations, most cloud customers end up not being aware of what has happened in the cloud in cases where their data is lost or compromised due to criminal activity.

Challenges with Multi-Jurisdiction and Multi-Tenancy

This challenge is rooted in the fact that legislation differs vastly across the countries and states in which the cloud and its customers reside, which means investigations can be hampered by these differences in law and jurisdiction.

Opportunities in Cloud Forensics

1. Cost Effectiveness – much like the cloud technology, which makes things less expensive when implemented on a larger scale, cloud forensic services and security will be more cost effective when implemented on a global scale.

2. Data Abundance – due to providers’ practice of keeping redundant copies of data to ensure robustness, cloud investigators will be able to take advantage of the abundance of data, especially since the redundancy makes it harder to completely delete data and improves the likelihood of recovering deleted data.

3. Setting of Standards and Policies – when it comes to technology, forensics is usually treated as an afterthought and a band-aid solution, created only after the technology has matured; with cloud computing, there is an opportunity to lay the foundation for policies and standards while the technology is still in its infancy.

4. Forensics as a Service – the concept of FaaS is slowly emerging in cloud computing and showing the advantages of a cloud platform for large-scale digital forensics. The emerging models include established information security vendors adapting their methods to include services delivered via the cloud, and start-up information security companies acting as pure CSPs that provide security only as a cloud service instead of conventional client/server security suites for networks, applications, and hosts. Forensics as a Cloud Service can be developed in the same way, providing the massive computing power needed to facilitate investigations of cyber crime at all levels.

Conclusion and Future Work

The rapid advancement and increasing popularity of cloud technology is certainly pushing digital forensics to a whole new level. Many existing challenges may be exacerbated by cloud technology, such as jurisdictional issues and the lack of international coordination, but the environment also brings unique opportunities for foundational policies and standards. The cloud is both a new battlefield for cybercrime and a new breeding ground for novel investigative approaches. Much like any new technology and area of research, there is much to be done, and the information in this document merely points in the right direction.

This article is a summary of the research paper “Cloud forensics: An overview“, by Keyun Ruan, Prof. Joe Carthy, Prof. Tahar Kechadi and Mark Crosbie.