Cloud Computing: Another Digital Forensic Challenge
Over the past several years, cloud computing has begun to expand in the business community. For those unfamiliar with the terminology, cloud computing is a style of computing that provides scalable and virtualized computer-related resources over the Internet. One of its major advantages is that a business does not need to have any knowledge of, expertise in, or control over the infrastructure. Obviously, this can become a huge cost saving for those businesses that utilize the services inherent in cloud computing. For instance, some services include online business applications that are accessible through any browser from any computer. The actual software and data reside on servers external to the business itself. It is easy to understand how this becomes very attractive to businesses; they would not have to invest huge sums of money in software and hardware. Since they do not own the host infrastructure, they only pay the provider for services and resources they consume (analogous to paying the water utility company for the amount of water used each month). There is probably no limit to the types of services that can be obtained via cloud computing. Some of these include:
- Compute facilities provide computational services so that users can use central processing unit (CPU) cycles without buying computers.
- Storage services provide a way to store data and documents without having to continually grow farms of storage networks and servers.
- SaaS companies offer CRM services through their multi-tenant shared facilities so clients can manage their customers without buying software.
These represent only the beginning of options for delivering all kinds of complex capabilities to both businesses and individuals.1
Cloud computing providers usually offer a variety of services. Some of those providers include VMware, Sun Microsystems, Rackspace US, IBM, Amazon, Google, BMC, Microsoft, Ubuntu, and Yahoo.2
Irrespective of the provider, cloud computing relies on the use of Virtual Machines (VMs) and some combination of Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and/or Software as a Service (SaaS). VMs are software implementations of a computer which can execute programs like a real computer and can be spawned on any computer as needed. There are two types of VMs: the system VM which supports the execution of a complete operating system, and the process VM which is designed to run a single program supporting a single process.3
Security and Forensic Issues Concerning Cloud Computing
Although cloud computing might appear attractive to a business, it is not without its own unique problems and concerns. Accessing a remote server to initiate an application via the Internet presents several obvious security risks. Storage of sensitive corporate data on a remote server raises concerns regarding the privacy and accessibility of that data by an unauthorized second party. The business or customer is not generally aware of the physical location of the data. Likewise, they may not be able to discern what policies/procedures are in place to recover data should a server crash or become compromised. Legal and regulatory requirements and compliance may be lacking in the location(s) where the data is actually stored. The long-term viability of the data itself and its availability could become a major issue should the provider no longer offer the services due to bankruptcy, going out of business, or merging with another company.
As one would expect, cloud computing raises some unique law enforcement concerns regarding the location of potential digital evidence, its preservation, and its subsequent forensic analysis. For instance, if a customer or business becomes the target of a criminal investigation, they could migrate their working environment to a cloud environment. This would provide a means for the business to continue its routine operations while the migrated environment is forensically analyzed.4 However, this is not without risk. The migrated data only represents a “snapshot” of when it was sent to the cloud. Since the data can be stored anywhere in the world, its dispersal could be to a location or country where privacy laws are not readily enforced or are non-existent. Establishing a chain of custody for the data would become difficult or impossible if its integrity and authenticity cannot be fully determined (where was it stored, who had access to view it, was there data leakage, commingling of data, etc.). There are also potential forensic issues when the customer or user exits a cloud application. Items subject to forensic analysis, such as registry entries, temporary files, and other artifacts (which are stored in the virtual environment) are lost, making malicious activity difficult to substantiate:
“…with the huge amount of potential data flowing in and out of a cloud, how do you identify individual users of individual services provided by a transient host image, particularly when they make expert efforts to cover their tracks? And what if the owner of the image decides to engage in malicious behavior, through the host server image, from a third IP address, and then claim someone must have stolen their password or keypair to the image?”5
Further forensic issues concern the potential effect the cloud services could have on the digital data itself and how the forensic examiner can explain, in a credible manner, all these real and potential indiscretions to the court. Many forensic examiners recognize that “there is no foolproof, universal method for extracting evidence in an admissible fashion from cloud-based applications, and in some cases, very little evidence is available to extract. As such, cloud computing represents just one of the fast-paced technological developments that is presenting an ongoing challenge to legislators, law enforcement officials, and computer forensic analysts.”6 Or stated another way, the challenge for forensic examiners and law enforcement is to determine the “who, what, when, where, how, and why” of cloud-based criminal activity.
- http://blog.badera.us/2008/08/computer-forensics-cloud-computing.html.
John J. Barbara owns Digital Forensics Consulting, LLC, providing consulting services for companies and laboratories seeking digital forensics accreditation. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia Forensic Evidence” published by Humana Press.