CLOUD FORENSICS AND ITS CHALLENGES


Emerging cloud computing technology is appealing to organizations and individuals, who are shifting their business to it because of its significant features, including processing speed, storage, near-infinite elasticity, and most prominently mobility, which allows users to access it from anywhere and at any time. All these features push users to adopt this emerging technology. In contrast, cybercriminals have always searched for loopholes in order to exploit the technology for their own ends. Digital forensics is a traditional approach that has long been used to find evidence of these exploitations through preservation, collection, analysis, and examination, and to present that evidence in a court of law in order to identify the culprits. The traditional technology and forensic approach do not fit the cloud environment because of the distributed nature of its structure, where the Cloud Service Provider (CSP) is a key player. The investigator has to depend upon the CSP to carry out forensic activities. It is helpful to understand what digital forensics is before turning to cloud forensics.

Digital Forensics

Digital forensics is the method of discovering digital evidence on digital devices without compromising its integrity. Put differently, digital forensics is defined as a “Branch of forensics science encompassing the recovery and investigation of material or artifacts found in digital device often conducted as a response to computer crime.”

The digital devices may be computers, laptops, smartphones, smart watches and wearables, digital cameras, and storage media. The digital device is central to the creation of digital evidence because it plays one of three roles in a cybercrime. First, the device itself may be the object or proceeds of the crime. Unlike a physical crime scene, it is not merely an item found at the scene; it is often the crime scene itself and can contain an assortment of remnants that help an investigation. Second, the device contains data (information/artifacts) that is evidence of a crime. Third, the device may have been used to facilitate a crime. Thus, “the digital evidence can be determined as the valued information for the investigation perspectives which is received, kept on, and transmitted by the digital devices”.

Digital forensics can be classified into computer forensics, mobile forensics, memory forensics, and network forensics. To carry out the forensic activity, digital forensics proceeds through the following phases: Collection, Examination, Analysis, and Reporting.

Cloud Computing

The term cloud computing refers to the sharing or distribution of computing resources among various clients. NIST defines “cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”.

The National Institute of Standards and Technology defines the cloud’s five characteristics: on-demand self-service, ubiquitous network access, resource pooling, rapid elasticity, and metered service. There are three service models. In Infrastructure as a Service (IaaS), clients are provided hardware resources such as processing, storage, and network capacity on a rental basis. Platform as a Service (PaaS) allows the client to deploy its own applications in the cloud. In Software as a Service (SaaS), clients use the cloud service provider’s applications over a network. There are four deployment models in the cloud: Public, Private, Hybrid, and Community cloud. In the Public cloud, the resources are shared among multiple tenants; the infrastructure is located on the premises of the CSP, and users have no control over its location. In a Private cloud, the resources, including hardware, storage, and networks, are dedicated to a single client or company, which offers better security. Public and private clouds jointly form the Hybrid cloud, which allows data and application.

Cloud Threats and Attacks

In contrast to the cloud’s benefits, cybercriminals can abuse it for malicious activities. The cloud can be involved as a subject, an object, or a tool. The cloud is an object when Cloud Service Providers are directly targeted, for example by distributed denial of service (DDoS) attacks. The cloud is a subject when criminal activity takes place within the cloud; identity theft of cloud users is an example. The cloud is a tool when a crime is committed by using it.

The Cloud Security Alliance (CSA) issued a report on the top 11 threats to the cloud. The following are the threats listed by the CSA:

1. Insufficient identity, credential, access, and key management
2. Insecure interfaces and APIs
3. Misconfiguration and inadequate change control
4. Lack of cloud security architecture and strategy
5. Insecure software development
6. Unsecure third-party resources
7. System vulnerabilities
8. Accidental cloud data disclosure
9. Misconfiguration and exploitation of serverless and container workloads
10. Organized crime/hackers/APT
11. Cloud storage data exfiltration

Cloud Forensics

Cloud forensics is a subset of network forensics. The National Institute of Standards and Technology defines it as the “Application of scientific principles, technological practices and derived and proven methods to reconstruct past cloud computing events through identification, collection, preservation, examination, and reporting of digital evidence”.

Three different dimensions of cloud forensics have been identified: Technical, Organizational, and Legal. The technical dimension covers all the procedures and tools required to perform forensic activities within a cloud environment; it comprises data collection, live forensics, virtual environments, evidence segregation, and proactive measures. The organizational dimension covers the interaction between the cloud actors (CSP, customer, and legal advisor) needed to carry out the forensic investigation. The legal dimension covers the development of rules, regulations, and agreements to ensure that forensic activity is conducted according to the law.

Challenges in Cloud Forensics

Unlike traditional digital forensics, where the investigator has full access to the machine and can run the investigative process as required, in the cloud both the machine and the process are beyond the investigator’s direct reach. Distributed architecture, difficulty in handling big data, and the lack of forensic tools and services are the main challenges of the cloud.

In a cloud environment, the investigator has to depend upon the CSP in order to carry out forensic activity. The major problem arises when virtual evidence, in the form of virtual machine snapshots, needs to be acquired and investigated.

Challenges in Each Forensic Phase

Identification

Unknown physical location
Decentralized data
Data Duplication
Jurisdiction
Dependency Chain
Encryption
Dependence on CSP

Preservation

Chain of custody
Evidence segregation
Distributed storage
Data volatility
Data Integrity

Collection

Inaccessibility
Dependence on CSP
Trust
Multi-Tenancy
Jurisdiction
Deleted Data
Lack of Cloud Forensic Tools

Examination and Analysis

Lack of log framework
Evidence timelining
Encrypted data
Evidence data integration
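As an added example (not from the original article), the preservation-phase concerns of chain of custody and data integrity can be made concrete: the snippet below hashes an acquired VM snapshot (a constructed sample byte string standing in for a real image) and keeps a hash-chained custody ledger, so that any later change to the evidence bytes or to the custody record is detected by verify(). The names CustodyLedger and acquire are the example's own, not part of any standard.

```python
import hashlib
import json
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Hash used both for the evidence image and for each custody entry."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyLedger:
    """Chain-of-custody record for one evidence item (e.g. a VM snapshot).
    Each entry commits to the previous entry's hash (the evidence hash for the
    first entry), so editing, removing or reordering entries breaks the chain."""
    evidence_id: str
    evidence_hash: str
    entries: list = field(default_factory=list)

    def record(self, actor: str, action: str, timestamp: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.evidence_hash
        entry = {"actor": actor, "action": action,
                 "timestamp": timestamp, "prev_hash": prev}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> bool:
        """True only if the evidence bytes and every custody entry are intact."""
        if sha256_hex(evidence) != self.evidence_hash:
            return False  # evidence altered since acquisition
        prev = self.evidence_hash
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev:
                return False  # entry removed or reordered
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False  # entry contents edited
            prev = e["entry_hash"]
        return True


def acquire(evidence_id: str, evidence: bytes, actor: str, timestamp: str) -> CustodyLedger:
    """Hash the evidence at acquisition time and open its custody ledger."""
    ledger = CustodyLedger(evidence_id, sha256_hex(evidence))
    ledger.record(actor, "acquired snapshot from CSP", timestamp)
    return ledger


# Constructed sample standing in for an exported VM snapshot image.
SNAPSHOT = b"vm-snapshot-bytes: constructed sample, not a real disk image"
```

Each custody transfer is appended with record(); verify() is run whenever the evidence changes hands or before analysis results are reported.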

The rise of the Internet of Things (IoT), the large-scale migration to the cloud, and increasing cyber threats all heighten the significance of cloud forensics. Researchers are doing their best to advance cloud forensics, but the pace of technology and the proliferation of IoT devices remain great challenges for investigators to date.
