CLOUD FORENSICS: IS IT IMPORTANT TO YOUR CYBERSECURITY PLAN?


Perfect security is the outcome every organization and cybersecurity professional aims for. Unfortunately, the headlines keep showing us the opposite. You might wonder whether any of this relates to cloud forensics. To put it in perspective, consider a recent Netrix report: 39% of healthcare organizations suffered ransomware attacks in the cloud in 2020. The report goes on to say that, following a cloud breach, one in four healthcare organizations was fined for non-compliance and one in ten was sued.

Cloud computing is a widely adopted model that provides data centre resources to the user on a pay-per-use basis. A forensic analyst working in this context needs to know where and how data is stored and processed. In a cloud deployment, monitoring user activity is becoming a necessity. Presenting digital forensic evidence in legal proceedings also requires that a cloud forensics framework be implemented in new and existing data centres.

Cloud Computing Fundamentals

Cloud Computing and Forensics

Cloud forensics is a subset of digital forensics that requires a unique approach to investigating cloud environments. Cloud forensic stakeholders include private enterprises, government bodies, law enforcement, and others. Cloud forensic investigators are expected to know the roles and responsibilities of each stakeholder in order to perform an investigation effectively. Knowing the background and role of each stakeholder lets investigators classify reports and allocate tasks on the basis of legal, technical, and organizational considerations. When the service contract is being signed, this classification helps define and manage the forensic tasks that relate to the cloud.

As a cloud forensic investigator, your main challenge is to secure the digital evidence and make sure it is not tampered with by third parties. The evidence must be stored in an admissible manner so that it can be produced in a court of law. In the PaaS (Platform-as-a-Service) and SaaS (Software-as-a-Service) service models, users depend on the cloud service providers (CSPs): because they have no control over the hardware, they do not have direct access to their own logs. Whatever access to log files exists is defined by the service policies. Some CSPs deliberately withhold logs from customers for security reasons, and in a few cases the policies themselves rule out any log access service.

Compared with a traditional forensic environment, maintaining a chain of custody is difficult in the cloud. In a traditional setting the internal security team directs the forensic investigators, but it has no control over investigators hired by the CSP. The risk is that if the CSP-appointed investigator is not trained to forensic standards, the chain of custody may not hold up in a court of law.
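To make the chain-of-custody and tampering concerns above concrete, here is an added illustration (not from the original article or EC-Council's CHFI material): a tamper-evident custody ledger in Python. Each collected artifact's SHA-256 hash and each handover is recorded in a hash-linked entry, so later alteration of either an artifact or the ledger itself is detectable. The artifact content, actor names and timestamps are constructed sample values.

```python
import hashlib
import json

# Constructed sample artifact: one line of a cloud audit log, as an investigator might export it.
SAMPLE_LOG = b"2020-03-01T10:00:00Z user=alice action=download object=patient-records.csv\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLedger:
    """Hash-linked chain-of-custody record for collected artifacts.

    Every entry commits to the artifact hash, who handled it, what they did, when,
    and the hash of the previous entry, so removing or editing any entry breaks the chain.
    """

    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, artifact: str, content: bytes, actor: str, action: str, timestamp: str) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "artifact": artifact,
            "sha256": sha256_hex(content),
            "actor": actor,
            "action": action,
            "timestamp": timestamp,
            "prev_hash": prev,
        }
        # Canonical JSON (sorted keys) so the entry hash is reproducible by a verifier.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify_chain(self) -> bool:
        """Return True only if every entry hashes correctly and links to its predecessor."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def verify_artifact(self, artifact: str, content: bytes) -> bool:
        """Return True only if the artifact is in the ledger and still matches every recorded hash."""
        recorded = [e["sha256"] for e in self.entries if e["artifact"] == artifact]
        return bool(recorded) and all(h == sha256_hex(content) for h in recorded)
```

Every handover (collection, transfer, analysis) is appended as a new entry; a court-facing verifier re-runs `verify_chain` and `verify_artifact` against the presented copy of the evidence.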

Every cloud service model splits responsibility between the customer and the cloud service provider, and each split brings at least one challenge when conducting a cloud forensic investigation. This shared-responsibility relationship creates distinct problems for investigators, since it can complicate evidence collection to the point where the evidence is not admissible in a court of law. CSPs do not always support forensic investigations when their own share of responsibility is negligible. All of these challenges call for a certified and skilled cloud forensic investigator who can perform investigations effectively.

What Happens If Cloud Forensics Is Overlooked?

Tampered evidence is every cloud forensics investigator's biggest nightmare. Imagine spending hours collecting data with utter precision only to have someone else tamper with it in the cloud, leaving the data inadmissible in court. This is a real possibility in most SaaS and PaaS models, where customers depend on the cloud service provider and have no access to the physical hardware.

In a traditional scenario, the forensic investigator would assume complete control of the infrastructure, allowing them to extract all the data they require. In the cloud, however, the absence of a clear chain of custody can leave the investigator facing a cloud service provider that withholds logs from the customer or states that the log data cannot be accessed.

In such cases the cloud service provider might assist by extracting the information itself. Yet again, if the person doing so is not sufficiently trained, the extracted data could prove inadmissible in court.

To avoid this, anyone who handles the extraction of data should be trained in computer forensics.

EC-Council's certification and training program, Computer Hacking Forensic Investigator (CHFI), covers cloud computing as part of the curriculum. The program is vendor-neutral and is designed by practicing computer forensic investigators from the industry. With 14 comprehensive modules and 39 labs, CHFI covers the job-ready skills required to be an accomplished computer forensics investigator.