Overcoming the Cloud Forensic Challenge
Why Conventional Approaches Don't Work in the Cloud
A big challenge examiners face in conducting forensic investigations in the cloud is that they don't have access to the servers. That's just one problem the National Institute of Standards and Technology is addressing.
"Many of the traditional approaches are going to be more difficult to apply, and in some cases they won't work in the cloud," says Martin Herman, senior adviser for forensics and IT at the National Institute of Standards and Technology.
Herman co-chairs NIST's cloud computing forensic science working group, which has identified scores of challenges forensic experts face in applying their craft in the cloud. NIST has taken 65 of the challenges and published a draft report, NIST Interagency Report 8006: NIST Cloud Computing Forensic Science Challenges. The report aggregates, categorizes and discusses the forensics challenges faced by experts when responding to incidents that have occurred in a cloud-computing ecosystem.
The immediate goal of the draft report is to begin a dialogue on forensic science concerns in cloud computing ecosystems. The long-term goal is to gain a deeper understanding of those concerns and to identify technologies and standards that can mitigate them.
The working group broke up the challenges into three groups: legal, organizational and technical. The NIST report focuses primarily on the technical challenges.
Server's Physical Location
A cloud provider's server could be physically located just about anywhere, and that presents a big problem for forensics examiners. "If someone's data was sitting in the European Union, how does U.S. law enforcement get access to it or vice versa?" Herman asks. "They can't just go in and seize the computer as often is done in traditional forensics."
But physical access to hardware is not the only thing that makes cloud forensics difficult. The data under examination could flow among multiple servers run by multiple cloud providers, each with a different information-systems architecture. Just as Windows, Linux and other operating systems differ significantly in how they create and handle events, the report says, virtual machines from different vendors come in different architectures and configurations, each with its own event definitions and logging system.
At this point, NIST and the working group have raised more questions than they have answered about how to conduct forensics in the cloud.
Take, for instance, trying to recover critical data. The data in the cloud could have moved around among multiple devices. "When you do that with multiple users sharing [a cloud server]," Herman asks, "how can you be sure which user owned which data at which point in time?"
Defining the Challenge
Among other questions - and challenges - the report raises: attributing deleted data when a server hosts a large number of users; synchronizing timestamps among multiple machines when each device shows a different time; unifying different log formats; and losing metadata as information flows among machines.
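To make the timestamp and log-format problems concrete, here is an added example; it is not code from the NIST report or from the article. It builds a single timeline from three constructed log lines in different formats (BSD syslog, an ISO-8601-stamped event line, and a JSON audit record), normalises each to UTC and removes each host's measured clock skew. The hosts, lines, skew values and the assumption that syslog lines were written in UTC in 2015 are all invented for illustration; the parsing rules are generic, not any provider's exact format.

```python
"""Unified timeline from logs in different formats, with clock-skew correction.

Added example (not from the NIST report or the article). Hosts, log lines
and skew values are constructed; parsing rules are generic, not any
provider's exact format.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines: three hosts, three formats, one user.
SAMPLE_LINES = [
    "Mar 12 14:03:07 web01 sshd[2113]: Accepted publickey for deploy from 10.0.2.15",
    "2015-03-12T09:03:05-05:00 db02 EventID=4624 Account=deploy LogonType=3",
    '{"eventTime":"2015-03-12T14:03:09Z","host":"api-gw","eventName":"AssumeRole","user":"deploy"}',
]

# Measured skew per host in seconds, as (host clock - reference clock).
# Constructed values; in practice they are recorded at acquisition time
# against a trusted time source, because each device shows a different time.
CLOCK_SKEW_S = {"web01": 120.0, "db02": -45.0, "api-gw": 0.0}

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}
SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d\d):(\d\d):(\d\d) (\S+) (.*)$")
ISO_RE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse_syslog(line, year, tz=timezone.utc):
    """BSD syslog carries neither year nor zone: both are assumptions the
    examiner must supply, which is itself metadata lost on the way."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    mon, day, hh, mm, ss, host, msg = m.groups()
    ts = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss), tzinfo=tz)
    return ts, host, msg


def parse_iso_event(line):
    """ISO-8601 timestamp with explicit offset, then host, then message."""
    m = ISO_RE.match(line)
    if not m:
        raise ValueError("not an ISO event line: %r" % line)
    ts_str, host, msg = m.groups()
    # A trailing 'Z' is only accepted by fromisoformat from Python 3.11.
    return datetime.fromisoformat(ts_str.replace("Z", "+00:00")), host, msg


def parse_cloud_json(line):
    """JSON audit record with an RFC 3339 eventTime (constructed shape)."""
    rec = json.loads(line)
    ts = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
    return ts, rec["host"], "%s user=%s" % (rec["eventName"], rec["user"])


def to_reference_utc(raw_ts, host):
    """Convert to UTC and subtract the host's known clock skew."""
    if raw_ts.tzinfo is None:
        raise ValueError("naive timestamp for %s; zone must be supplied" % host)
    return raw_ts.astimezone(timezone.utc) - timedelta(seconds=CLOCK_SKEW_S.get(host, 0.0))


def build_timeline(lines, year=2015):
    """Parse mixed-format lines and return events sorted by corrected time."""
    events = []
    for line in lines:
        line = line.strip()
        if line.startswith("{"):
            raw, host, msg, fmt = (*parse_cloud_json(line), "cloud-json")
        elif SYSLOG_RE.match(line):
            raw, host, msg, fmt = (*parse_syslog(line, year), "syslog")
        else:
            raw, host, msg, fmt = (*parse_iso_event(line), "iso-event")
        events.append({
            "host": host, "format": fmt, "msg": msg,
            "raw_utc": raw.astimezone(timezone.utc),
            "corrected": to_reference_utc(raw, host),
        })
    return sorted(events, key=lambda e: e["corrected"])


def host_order(events, key):
    """Sequence of hosts when events are ordered by the given time field."""
    return [e["host"] for e in sorted(events, key=lambda e: e[key])]


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_LINES)
    print("raw order:      ", host_order(timeline, "raw_utc"))
    print("corrected order:", host_order(timeline, "corrected"))
    for e in timeline:
        print(e["corrected"].isoformat(), e["host"], e["format"], e["msg"])
```

Sorted by the timestamps as recorded, db02 appears to log the first event; once each host's skew is removed the order becomes web01, then api-gw, then db02, which is a different story about who touched what first. The syslog line also shows the metadata-loss point: it carries no year and no zone, so both are supplied as examiner assumptions, and the resulting timeline is only as trustworthy as those assumptions and the recorded skew, which this example treats as constant over the period of interest.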
One perplexing challenge forensic examiners face in the cloud is detecting a malicious act at all. A typical computer attack proceeds through a sequence of incremental steps, each of which exploits what appears to be a small vulnerability. Investigators in the cloud will not find a single "ah-ha" moment at which an attack is launched and a system compromised. Instead, NIST says, they will likely find a series of small changes, most of them apparently benign, made across dozens of systems and applications, that together enable an attacker to penetrate a cloud.
"We are going to analyze a very small set of the highest priority challenges and look for gaps in technology and standards," Herman says. "And once we identify those gaps, it will give us some kind of roadmap for how to address those challenges."
At that point, NIST could begin to develop standards on cloud forensics if it determines they're necessary. Herman, meanwhile, says it could take years for experts to devise solutions and standards to meet the challenges of cloud computing forensics.