As a cross between cloud computing and digital forensics, the term "cloud forensics" refers to the gathering of digital forensic data from a cloud infrastructure. Incident response and digital forensics have long been critical components of computer crimes investigations, yet with the rapid evolution of cloud computing, these tasks have become quite a bit more challenging.
Maintaining constant, open communications and a good relationship with a cloud provider is mandatory in order to obtain the information necessary for successful auditing and analysis of the collected data.
In a local environment, forensic evidence includes information gathered from log files, data stored on a disk, network traffic and intrusion markers, to name a few. The basic difference between analyzing a local environment versus analyzing a cloud service is that with the local computer, information can be gathered by simply entering the system and analyzing it. When the cloud is involved, however, the machine cannot be accessed physically, only some parts of the computer are available through the cloud application interface.
In this tip, we'll begin with a brief explanation of the cloud, followed by an exploration of why cloud forensics is becoming more critical than ever, and the challenges with obtaining information from different cloud services and deployment models. Finally we'll discuss best practices for establishing a good rapport with cloud providers to ensure cloud forensics success.
Let's start by exploring the different deployment and service models of the cloud. In cloud computing, there are five different deployment models:
- Private cloud -- In this deployment, the organization runs its own private cloud to which it has complete access. The cloud is situated behind a firewall and the organization provides access to users as it sees fit while preserving the privacy of the data stored in the cloud.
- Public cloud -- In a public cloud, services are provided to the public via the Internet. Examples of the public cloud include Amazon Web Services, Google Computer Engine and Microsoft Azure. In a public cloud, a virtualized environment is commonly used.
- Community cloud -- The services of a community cloud are accessible by several organizations, lowering the costs as compared to a private cloud. Community clouds are either on-premise or off-premise and can be managed by the organizations as a group or by a third-party provider.
- Hybrid cloud -- In a hybrid cloud, services are mixed between private, in-house deployments and public cloud services. This approach helps organizations enjoy the cost-benefits of the cloud without relying completely on a third-party provider.
- Distributed cloud -- The services of a distributed cloud are dispersed across several machines at different locations but are connected to the same network.
There are three main public cloud computing service models commonly used by enterprises today. These include:
- Infrastructure as a Service (IaaS), which provides the entire infrastructure (e.g., physical/virtual machines, firewalls, load balancers and hypervisors)
- Platform as a Service (PaaS), which provides a platform (e.g., an operating system, database and Web server)
- Software as a Service (SaaS), which provides an organization access to a service, while the service provider manages it
The importance of cloud network forensics
The importance of cloud network forensics cannot be denied. Forensics help not only detect when attackers are attempting to hack into cloud services, but also enable organizations to block and prevent such attacks.
When network forensics is involved, an attack has already occurred and the organization needs to gather evidence from a pile of data to determine who the hacker was, how the hacker attacked the service and what information the attacker obtained. Network forensic investigators must scrutinize the collected data -- such as filesystems, processes, registry and network traffic -- to come to these conclusions.
The basic difference in cloud forensic process is limitation to the data the network forensics examiner has. The biggest handicap is working with limited data, since the investigator must most often work with virtual images rather than physical machines. A large part of data acquisition must also be provided by the cloud provider, which may or may not offer the required data. Easing the process somewhat is that cloud forensics rely on the same kinds of tools as the traditional forensics process. In the last few years, cloud forensics has skyrocketed, so new tools specifically built for cloud forensics will probably be written in the years to come.
Collecting data from the cloud
-- Digital Forensics in the Cloud, Shams Zawoad, University of Alabama at Birmingham, Ragib Hasan, University of Alabama at Birmingham.
-- Pentest Magazine, Vol.1, No.4, Issue 04/2011(04) August, Aaron Bryson, Great Pen Test Coverage: Too Close For Missiles, Switching to Bullets.
Different types of information can be collected depending on which cloud service model an enterprise uses. The table to the right shows which information organizations can get their hands on when using SaaS, PaaS, IaaS or a local private network.
Clearly, when conducting a cloud network forensics analysis, organizations do not have access to the same information in cloud environments as they do when performing forensics analysis on a local computer.
Cloud data collection: Working with service providers
To bridge the gap, enterprises must contact their cloud providers to obtain information for analysis, including application logs, database logs or network logs. Maintaining constant, open communications and a good relationship with a cloud provider is mandatory in order to obtain the information necessary for successful auditing and analysis of the collected data.
See Infosec Institute’s overview of cloud forensics
Unfortunately, many cloud providers aren't worried about their clients' investigations and won't always be overly cooperative. Either that or they don't have a knowledgeable and/or responsive security team in place to assist with the gathering of data needed by forensics investigators. In some cases, cloud providers might even deliver incorrect information that can't be used in a court of law. It may seem far-fetched, but it can be extremely difficult for cloud providers to locate and supply the right information; the complexity in an enterprise environment pales in comparison to cloud provider environments. Oftentimes, an organization's data is located in multiple data centers across the world and nobody really knows where it is. And, not to mention, that data is not stored separately from the data of other organizations, making it difficult for the provider to determine which logs belong to which enterprise.
It is critical to be extremely careful when choosing a cloud provider. Depending on the competence of a cloud provider, the cloud network investigation of an enterprise could be a huge success or a complete failure.
When evaluating cloud providers, organizations cannot just blindly believe anything they say. If providers say they are secure, enterprises should ask them about what and how they tested in their infrastructure. Organizations should also ask where the data is located and who has access to it. An important criterion is also the cooperation with the IT department when a security breach occurs. We know that a forensic examiner must work closely with the cloud provider in order to get the required information regarding the breach -- it's a great advantage if the provider has their own security team.
As the adoption rates of the cloud and cloud services accelerate, the importance of cloud network forensics will only continue to grow. It is critical that organizations carefully read any agreements before creating contracts and adopting cloud services to ensure that if or when the day comes that a cloud forensics investigation must be performed, their service providers are not a roadblock to its efficiency and success.
About the author:
Dejan Lukan has an extensive knowledge of Linux/BSD system maintenance as well as security-related concepts: system administration, network administration, security auditing, penetration testing, reverse engineering, malware analysis, fuzzing, debugging and antivirus evasion. He is also fluent in more than a dozen programming languages and constantly writes security-related articles at his own website at www.proteansec.com.
Lukan is also a security researcher for the InfoSec Institute, an IT training company that’s been in business since 1998. Over the years Infosec Institute has helped more than 18,000 individuals with their professional development needs, providing hands-on training in virtually every area of information security.