NIST’s 6-Year Project Identifies Forensic Challenges in Cloud Computing


In June 2014, the National Institute of Standards and Technology (NIST) released a draft report on the challenges cloud computing poses for forensic science. After a public comment period and subsequent revision, the agency released the final report this month.

While cloud computing is now a critical part of most businesses, it raises a distinct set of problems for forensic science, where evidence must be collected and preserved in a way that will hold up to scrutiny.

“The validity and reliability of forensic science is crucial in this new context and requires new methodologies for identifying, collecting, preserving, and analyzing evidence in multi-tenant cloud environments that offer rapid provisioning, global elasticity and broad network accessibility,” reads the NIST report.

The NIST Cloud Computing Forensic Science Working Group (NCC FSWG) was established to first identify challenges in the cloud environment and then establish plans for standards and technology research to mitigate said challenges. To do this, they gathered existing literature on the topic, obtained input from a variety of stakeholders in the group, and held small group discussions among participants through phone calls and emails.

Ultimately, NCC FSWG identified 62 challenges (which can be found in Annex A of the report). While the challenges span the spectrum, the majority of the hurdles are technology-based. For ease-of-reading, NIST grouped all the challenges into nine categories:

  1. Architecture: Handling the diversity, complexity, multi-tenancy and segregation of data, as well as accurate and secure provenance for maintaining and preserving chain of custody.
  2. Data collection: Addressing data integrity, data recovery and data location, including finding forensic artifacts in large dynamic systems. This also includes the inability to image all forensic artifacts in the cloud.
  3. Analysis: Verifying correlation, reconstruction, time synchronization and metadata. Analysis problem areas also include timeline analysis of log data, including synchronization of timestamps.
  4. Anti-forensics: Relating to obfuscation, data hiding and malware specifically designed to prevent or mislead forensic analysis. The use of these techniques compromises the integrity of evidence and malware may even circumvent virtual machine isolation methods.
  5. Incident first responders: Questioning the confidence, competence and trustworthiness of cloud providers to act as first responders and perform data collection.
  6. Role management: Addressing data owners, identity management, users and access controls. Ease of anonymity and creating fictitious identities online is of primary concern.
  7. Legal: Addressing jurisdictions, laws, service level agreements, contracts, subpoenas, international cooperation, privacy and ethics. In this case, subpoenas would need to be issued without the knowledge of the physical location of data.
  8. Standards: Lack of basic standard operating procedures, interoperability among cloud providers, and lack of testing and validation procedures.
  9. Training: Lack of cloud forensic training and expertise for both investigators and instructors, and limited knowledge by record-keeping personnel in cloud providers regarding the legal requirements of evidence.

While the challenges and groups are distinct, certain themes recur across them. The variability of cloud providers and their capabilities is of critical concern as the forensic world moves toward the cloud. Logs, in particular, are an important source of forensic evidence, but in the cloud there is an added layer of complexity, because the quantity and quality of log data is configurable by the cloud provider, the consumer, or both.

“To perform forensic analysis using logs with integrity on which all stakeholders can rely, the logs must be trusted,” reads the report. “Differences in log formats, decentralization of logs among different layers, lack of accessibility to logs, the multi-tenancy nature of clouds, and the need to preserve the chain of custody make log analysis challenging in clouds.”
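Two of the log problems the report names, inconsistent formats and timestamps across layers and the need to show that collected logs have not been altered since collection, can be illustrated concretely. The following is an added example written for this article, not code from the NIST report or the working group: it normalizes two constructed log sources (a tenant VM's syslog with a local UTC offset and a provider audit log in JSON) onto one UTC timeline, and records a SHA-256 hash chain over the collected lines so that any later edit is detectable. The log lines, hostnames and IP addresses are constructed for illustration, and the JSON field names are assumptions rather than any particular provider's schema.

```python
"""
Added example (not from the NIST report): build a single UTC timeline from
logs in two different formats, and keep a SHA-256 hash chain over collected
lines so that later alteration is detectable. Sample lines are constructed.
"""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample: a syslog-style line carrying a local-time offset, and a
# JSON audit line (field names are assumed, not a real provider schema) in UTC.
SAMPLE_LOGS = {
    "tenant-vm-syslog": [
        "2020-02-10T08:15:03-05:00 web01 sshd[2211]: Accepted publickey for deploy from 203.0.113.7",
        "2020-02-10T08:15:41-05:00 web01 sudo: deploy : COMMAND=/bin/cat /etc/shadow",
    ],
    "provider-audit-json": [
        '{"eventTime":"2020-02-10T13:14:55Z","eventName":"ConsoleLogin","user":"deploy","sourceIP":"203.0.113.7"}',
        '{"eventTime":"2020-02-10T13:16:02Z","eventName":"StopInstances","user":"deploy","sourceIP":"203.0.113.7"}',
    ],
}

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")


def parse_event(source, line):
    """Return a dict with a timezone-aware UTC 'ts' plus source, message and raw line."""
    if line.lstrip().startswith("{"):
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
        msg = rec.get("eventName", "")
    else:
        m = SYSLOG_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts = datetime.fromisoformat(m.group("ts"))
        msg = m.group("msg")
    # A naive timestamp cannot be placed on a shared timeline; refuse it rather than guess.
    if ts.tzinfo is None:
        raise ValueError(f"timestamp without timezone in {source}: {line!r}")
    return {"ts": ts.astimezone(timezone.utc), "source": source, "msg": msg, "raw": line}


def build_timeline(logs):
    """Merge all sources into one list of events ordered by UTC time."""
    events = [parse_event(src, ln) for src, lines in logs.items() for ln in lines]
    return sorted(events, key=lambda e: e["ts"])


def hash_chain(lines):
    """Chain each line's SHA-256 to the previous digest; returns [(line, hex_digest), ...]."""
    prev = b""
    out = []
    for line in lines:
        digest = hashlib.sha256(prev + line.encode("utf-8")).hexdigest()
        out.append((line, digest))
        prev = digest.encode("ascii")
    return out


def verify_chain(lines, chain):
    """Recompute the chain; return the index of the first mismatch, or None if intact."""
    recomputed = hash_chain(lines)
    for i, (fresh, recorded) in enumerate(zip(recomputed, chain)):
        if fresh[1] != recorded[1]:
            return i
    if len(recomputed) != len(chain):
        return min(len(recomputed), len(chain))
    return None


if __name__ == "__main__":
    for e in build_timeline(SAMPLE_LOGS):
        print(e["ts"].isoformat(), e["source"], e["msg"])
    original = SAMPLE_LOGS["tenant-vm-syslog"]
    chain = hash_chain(original)
    tampered = list(original)
    tampered[1] = tampered[1].replace("/etc/shadow", "/etc/motd")
    print("original intact:", verify_chain(original, chain) is None)
    print("tampered line index:", verify_chain(tampered, chain))
```

The hash chain only proves that the lines have not changed since the chain was recorded; it says nothing about whether the provider or tenant configuration captured the right events in the first place, which is exactly the trust gap the report describes. Note also that the parser refuses timestamps with no timezone rather than assuming one, since a silently wrong offset would reorder the timeline.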

To rectify this problem, NIST suggests the development of standard forensic protocols that can be adopted by major cloud providers. The protocols must adequately address the needs of first responders, law enforcement, and court systems, while ensuring there will be minimal or no disruption to cloud providers.

NIST acknowledged there is still much research to be conducted in the cyber domain. The NCC FSWG will continue its efforts and initiate more dialogue among stakeholders. Next steps include: (1) further analyzing cloud challenges, (2) prioritizing the challenges, (3) developing a Cloud Forensics Reference Architecture, (4) choosing the highest priority challenges and determining the corresponding gaps in technology and standards that need to be addressed, and (5) developing a roadmap to address these gaps.

“This is necessary to support the U.S. criminal justice and civil litigation systems as well as to provide capabilities for security incident response and internal enterprise operations,” reads the report.
