Impact of on-premise to cloud migration on digital forensics
Cloud computing has been on the rise over the past decade. So much so, that the technology is now an integral part of many operations and infrastructure worldwide, as it offers lower costs and better data management, among other benefits.
Some companies continue to use traditional data storage systems, such as on-premise servers. Across the industry, however, there has been a massive transition from on-premise to cloud infrastructure.
This trend, unfortunately, has its risks as it brings new opportunities for criminal activities. With its rapid evolution, the technology is replete with many unaddressed issues when it comes to digital forensics, particularly those related to the identification, preservation and acquisition of evidence in the cloud.
The quest for adaptability
Low-cost, cloud-based solutions are now easy for organisations to adopt. These applications can usually channel data from both cloud-based and on-premise systems during the transition period. This perk, however, can complicate data preservation and analysis processes.
Traditional application deployment follows a structured release cycle, so organisations can quickly identify any changes or updates in the environment. Cloud application deployment, on the other hand, is far more fluid: the environment constantly evolves and can update at any given time. Data collection and preservation procedures must keep up to avoid impeding future discovery processes.
Such a fluid environment adds further challenges to ongoing processes, not only in IT and business but also within legal teams, where data ownership and custodianship of cloud-based data sources and applications will need to be constantly adapted. Some cloud and hosting platforms allow companies to select the territory where their data is kept. This choice, however, affects the data privacy restrictions and other regulatory considerations that apply.
It is also crucial to evaluate in advance the factors that will affect the analysis solution, such as financial impact, analysis location, data volume, and the availability of tools. Data analysis tools often come bundled with the cloud hosting package, but make sure they are sufficient for your company's standard operating procedures for investigations.
The National Institute of Standards and Technology's Cloud Computing Forensic Science Working Group, in its research on Cloud Computing Forensic Science Challenges, identified 65 issues affecting forensics in cloud computing and mapped them into nine distinct categories.
These nine categories are:
- Architecture, which is related to diversity, complexity, provenance, multi-tenancy and data segregation.
- Data collection, which mainly covers data integrity, data recovery, data location and imaging.
- Analysis, including identifying correlation, reconstruction, time synchronisation, logs, metadata and timeline issues.
- Anti-forensics, all challenges relating to obfuscation, data hiding and malware, especially those designed to prevent or mislead forensic analysis.
- Incident first responders, focusing on verifying the trustworthiness of cloud providers, including response time and reconstruction.
- Role management, which involves data owners, identity management, as well as users and access controls.
- Legal matters, including jurisdictions, relevant laws, service level agreements, contracts, subpoenas, as well as international cooperation, privacy and ethics.
- Standards, including standard operating procedures, interoperability, testing and validation.
- Training, to ensure adequate knowledge among forensic investigators and cloud providers.
Deloitte advises that companies would need to add more skills, especially related to forensics, to help them navigate cloud-based applications and data storage.
Cloud forensics vs traditional forensics
Security and privacy have become prevalent issues when discussing cloud computing. Despite the popularity of cloud usage, some companies still want to prioritise forensic preservation and investigation experience related to the on-premise data sources as they transition to cloud-based data solutions.
Some end up relying more on traditional digital forensics, believing that it will cover every case. Nevertheless, there are stark differences between conventional and cloud forensics. Without proper knowledge of these differences, such organisations remain exposed to attackers while potentially missing the chance to collect the appropriate evidence.
For proper cloud forensics, one must have a blend of skills in digital forensics and cloud computing. In traditional computer forensics, the process is mainly done at the physical crime scene, and the evidence will be brought to be stored or examined under the safekeeping and control of law enforcement, similar to any other criminal case.
In the cloud, however, the location of the data can be vague, and it may lie outside the jurisdiction of your nearest law enforcement. Extracting the evidence and placing it under the custody of the relevant law enforcement agency can be considerably more challenging.
Investigators also need to deal with more computing assets, including virtual and physical servers, networks, storage devices and applications, all while the cloud environment keeps evolving as it does during normal operations. This can compromise data integrity if analysis and investigation are not performed quickly enough, and poorly collected evidence may simply end up inadmissible in court.
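The integrity and custody concerns above can be made concrete with a small preservation record. The following Python is an added example, not code from the article or from any vendor it names; the artifact bytes, the source path and the custodian names are constructed placeholders. It hashes an acquired artifact at collection time, records the hosting region and a UTC timestamp, logs each hand-over, and checks both that the bytes are unchanged and that the custody chain is unbroken and chronologically ordered.

```python
import hashlib
from datetime import datetime, timezone
from typing import Optional

# Constructed sample standing in for an exported cloud log (not real data).
SAMPLE_ARTIFACT = b'{"event":"login","user":"alice","ts":"2023-05-01T10:00:00Z"}\n' * 3


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(data: bytes, source: str, region: str, custodian: str,
            acquired_at: Optional[datetime] = None) -> dict:
    """Build a chain-of-custody record; times are normalised to UTC."""
    acquired_at = acquired_at or datetime.now(timezone.utc)
    return {
        "source": source,          # origin of the artifact (placeholder path)
        "region": region,          # hosting territory, relevant to jurisdiction
        "acquired_by": custodian,
        "custodian": custodian,    # current holder
        "acquired_at_utc": acquired_at.astimezone(timezone.utc).isoformat(),
        "sha256": sha256_hex(data),
        "custody_log": [],         # one entry per hand-over
    }


def transfer(record: dict, new_custodian: str, at: Optional[datetime] = None) -> dict:
    """Record a hand-over of the artifact to another custodian."""
    at = at or datetime.now(timezone.utc)
    entry = {"from": record["custodian"], "to": new_custodian,
             "at_utc": at.astimezone(timezone.utc).isoformat()}
    record["custody_log"].append(entry)
    record["custodian"] = new_custodian
    return record


def integrity_intact(record: dict, data: bytes) -> bool:
    """True if the bytes still match the hash taken at acquisition."""
    return record["sha256"] == sha256_hex(data)


def custody_intact(record: dict) -> bool:
    """True if hand-overs form an unbroken, chronologically ordered chain."""
    holder = record["acquired_by"]
    last = datetime.fromisoformat(record["acquired_at_utc"])
    for entry in record["custody_log"]:
        when = datetime.fromisoformat(entry["at_utc"])
        if entry["from"] != holder or when < last:
            return False
        holder, last = entry["to"], when
    return holder == record["custodian"]
```

A record like this, kept alongside the artifact, lets an investigator show later that what is being examined is what was collected, by whom, and from which territory.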
This is why more tech companies are offering cloud forensic services, with several leading players like Cisco, Digital Detective, Oxygen Forensics, Micro Systemation, OpenText, LogRhythm, Paraben, AccessData, Magnet Forensics, Coalfire, Cellebrite, and FireEye dominating the market. Big companies, like IBM, have also started to venture into the market.
IBM's QRadar promises analysis for both on-premise and cloud-based systems, covering SaaS and IaaS environments such as Office 365, Salesforce.com, Amazon Web Services, Microsoft Azure and Google Cloud.
Another example is Exterro, the industry's first provider of Legal Governance Risk and Compliance (GRC) software. Exterro offers a comprehensive platform so organisations can mitigate risk, manage cost control, and have end-to-end visibility of their GRC processes.
"By focusing on the synergies that exist between privacy, digital forensics, incident response and e-discovery, we were able to generate efficiencies and pave the way for the better utilisation of that data," says CEO & President Bobby Balachandran. "We now unify and automate those workflows across the entire business via one holistic solution, and we're the only company doing that."
Given the current trend, there will doubtless be more cloud forensics service providers entering the market, providing consumers and businesses with an abundance of options. This is progress, even in spite of the multitude of unaddressed problems within cloud forensics itself, where answers remain limited on cross-border jurisdiction, the chain of custody for acquired data, and the differences in legislation across many parts of the world.