Forensic Investigations in the Cloud


If you’re a forensics expert specializing in the digital world, you probably already know that the challenges you’re up against grow just about by the day. While digital solutions are continuously developed to help investigators like yourself, certain challenges can throw unique hurdles in your way. One example of this has been the cloud.

A Recent Report

Over the summer, the National Institute of Standards and Technology (NIST) released a draft report to the public for review and comment that summarizes 65 unique challenges forensics experts now face due to the cloud. These challenges mean that everything from gathering to examining to interpreting digital evidence can now be tougher than ever, or even just about impossible. Although the report identifies over 60 issues, they all fall under nine main categories, including:

  • Data Collection
  • Data Analysis
  • Architecture
  • Training
  • Standards
  • Anti-Forensics Methods (e.g. Malware and Data Hiding)

For the most part, these challenges also represent legal and organizational hurdles forensics experts will have to learn how to negotiate.

The goal of the report is to gather further information from both the public and private sectors regarding the challenges it highlights. By doing so, the NIST hopes that a consensus can be formed regarding which problems are most prevalent and important to address. Then, the idea is that both sectors can work on actionable solutions for confronting them.

The Main Issue

While the cloud has certainly been an overall benefit to just about anyone who uses a digital device, it has also produced one overriding issue for forensics experts: namely that information is no longer localized like it once was.

Prior to the cloud, if you found a laptop or tablet at a crime scene, you could be reasonably sure that it could be mined for all kinds of data in relation to the incident. Likewise, if it had nothing to offer, you would know for sure after doing a comprehensive study of it.

Now, however, the cloud has changed everything. Information that may have been viewed or otherwise accessed through a device can leave little to no trail because it’s stored elsewhere via the cloud. This means it’s kept under lock and key by a third party that owns the servers and not the person who owns the device in question. It also means investigators have to deal with a number of different computing resources aside from servers, like applications and other digital repositories.

Traditionally, an investigator just had to have physical control over a network or they could rely on a piece of code they’d install into the device they wanted to access. More and more, though, these types of solutions aren’t able to cut it. Without accessing the cloud, a notebook laptop confiscated from a criminal is about as much use as an actual, blank notebook.

The Double-Edged Sword

Compounding this issue is that the cloud clearly isn’t going away. It provides too many benefits to the end-user, whether we’re talking about a business or an individual. These include things like:

  • Convenience
  • Affordability
  • Flexibility

Employing information technology has arguably never been easier thanks to the cloud. So even though it can be used for criminal reasons, it will only increase in importance, influence and scope.

While the challenges facing forensics experts from the cloud are certainly intimidating, they aren’t necessarily insurmountable. Thanks to the efforts of the NIST, experts still have a very good chance of conquering these many issues, if they can first work together on understanding them. The NIST Cloud Computing Forensic Science Challenges report is an inspiring step in the right direction.