Like the use of forensics at a physical crime scene, digital forensics is the use of science to find critical data in an investigation, extract it from a computer and then analyze it for some purpose. But as more IT resources are moved to the cloud, experts tasked with tracing that data are finding it more difficult to connect a file to a user.
The challenges facing digital forensics experts — whether they be law enforcement investigating a cyber crime or corporate security officers pursuing an internal policy violation — led the National Institute for Standards and Technology to create a cloud computing forensic science working group. And that group released a draft report Monday that for the first time explores in detail the difficulties involved in cloud-based forensics.
“The question arises as cloud computing becomes more popular, how do you do forensics for information that’s in the cloud?” working group co-chair Dr. Martin Herman, said. Herman is also a senior adviser for forensics and IT at NIST.
Whereas traditional digital forensics might occur on a desktop, laptop or physical server and can be applied to law enforcement, criminal justice and less-malicious private cybersecurity and data-tracking issues, the cloud intrinsically poses difficulties in tracing information back to its source.
“If a criminal uses a laptop and might have files that implicate him, he deletes those files. There are various forensic tools that could be used to recover those,” Herman said. “But in a cloud situation, because there’s a shared virtual environment, it’s more likely that another user will actually write over those portions of files marked as deleted.”
Herman pointed to a few of the cloud’s main qualities that make it so difficult to keep track of data. Because servers are geographically distributed to form the cloud, there are immediately issues of jurisdiction.
“Instead of having a single computer somewhere, there are servers geographically distributed and they may even be in different jurisdictions and countries,” Herman said. “If I’m using a cloud, and my data reside in Ireland, and I’m in the U.S., how’s law enforcement going to get its hands on it?”
Likewise, to lessen the strain on certain data centers comprising the cloud, Herman said operators will shift data among servers. Therefore, linking data on one of those servers back to a user is becoming increasingly difficult as the information is much more liquid.
“If law enforcement is going in there and trying to figure out where a person’s data was at a certain point in time, that may be difficult to get,” he said.
That brings a forensic scientist to the question of who owns that data? But because the cloud is based on the property of multi-tenancy — many users sharing the same space — deciphering who is responsible for that piece of storage becomes another difficulty in the investigation.
“If there’s certain data, the questions is: Where was it at what time and who owned it at that time?” Herman questioned. “If it’s a law enforcement situation, you have to make sure that data was owned by the suspect.”
The working group also studied a host of additional challenges, such as a user’s ability to delete a virtual network. In total, experts from academia, industry and government helped the group identify 65 difficulties associated with forensics in the cloud. But Herman said this at least “puts some boundaries around the problem.”
“Our goal is to look at some of the higher priority challenges that are particularly related to technical issues and to examine those in detail and see, if we want to overcome the challenges, what are the gaps in technology and standards that need to be filled?” he said.
And while NIST will take a crack at bridging some of those gaps, the problem is too big for just NIST, or any single group, Herman said. “We’re going to give it to the world, and hopefully people will start solving some of these problems,” he said.
NIST is accepting comments on the cloud forensics draft until July 21.
