Will cloud forensics be effective in managing boundaries of responsibility and access?
Proponents of the cloud ecosystem touts its "vastness, flexibility and scalability as advantages for the implementation of cloud services. However, from a digital point of view this can be a veritable forensic challenge as we view the cloud in terms of its scope and diversity.
According to Dr. Stephen Wolthusen[1] "Digital forensics (also referred to at times as computer forensics) encompasses approaches and techniques for gathering and analyzing traces of human and computer-generated activity in such a way that it is suitable in a court of law."
A key challenge to a digital investigator called to pursue an investigation with cloud resources as a subset will be to establish and map computational and storage structures that will fall within the realm of the investigation. Bear in mind that for any system (cloud or otherwise) security incidents will cross boundaries of responsibility and access.[2]
Within the digital forensic process where there is a no one-size-fits-all solution for a digital forensic examination, all forensic evidence must follow the Forensic process of :
Collection - Examination - Analysis - Reporting. Also no matter its environment, forensic evidence must:
•Be relevant to the issue at hand
•Be authentic
•Not be unfairly prejudicial not be hearsay or if hearsay, able to meet the requirements for an exception
•Be the original or duplicate of the evidence or able to meet an exception to that rule.
Within the cloud computing ecosystem I believe there may be a dilemma in terms of time stamps. A question for cloud vendors would be, with a distributed and "vast" infrastructure how will they ensure synchronized clocks across all their systems? Synchronized clocks across a distributed global system may not be a possibility, and if this supposition holds true, then what other solution will a cloud vendor provide in such an instance?
Another challenge can be with that of reciprocity. Digital forensics within the cloud computing environment can have legal implications within an international jurisdiction which will require corporation from established relationships with legal entities in foreign countries and/or the establishment of new ones if possible.
As with any live forensic examination another challenge will be the establishing of snapshots of the system in operation. But in this case one can question if this is good enough for such a "vast" and possibly globally distributed ecosystem.
Take the instance of malware injected into the kernel space of a system; it is possible that it may be programmed to modify data or functionality...or both, in a variety of ways upon detection of a probe, or simply set to shut-down,obfuscate evidence, or delete pertinent data residues within a set time frame. Can a forensic examiner be notified of this change, or more pertinent can a cloud service provider implement protocols, tools or processes to ensure that such an event can be mitigated in real time? Most likely not, at least for now.
However a solution of sorts to this dilemma can be gleaned from thesis suggested in a paper by Wolthusen [1] which states: Data may be present or available in a given configuration for a limited time or be staged through different levels of storage hierarchies; it is hence important to place bounds on events in question so as to be able to capture events of interest completely.
In terms of the "vast" distributed environment that can comprise a cloud ecosystem under investigation; we have to be aware of the fact that within such an ecosystem, any forensic investigation can cause: parallel or unrelated services to be interrupted to completed halted, infringe on third party rights and cross jurisdictional boundaries and in the case of duplication require infeasible storage volumes. [1]
Aspects of Control within Cloud Computing Service Models:
SaaS: Here the cloud user, dependent on their contracted services with the cloud vendor will only control certain configuration parameters, whilst the cloud vendor maintain control over application\s and underlying infrastructure.
PaaS: Here the cloud vendor controls the cloud infrastructure and runtime environments when the cloud user controls the application.
IaaS: Although a cloud user will have control over their servers with the installed Operating Systems and applications with this cloud offering the cloud vendor will still controls the virtualization infrastructure and at least parts of the network infrastructure.
These aspects will affect how a digital forensic examination is conducted as, every cloud computing environment will have variations. Therefore the degrees of methods/tools protocols etc. implemented in identifying relevant events that support the detection and analysis of attacks have to be crafted accordingly.
Four Forensic Challenges within the Cloud Ecosystem
Grobauer and Schreck [2] identified the following forensic challenges within the cloud computing environment:
1.Separation of customer's data sources during evidence collection
2.Adapting forensic analysis methods to the cloud
3.Improving live analysis techniques
4.Improving log generation & analysis techniques
Another major challenge is a need to establish a complete understanding of processes, their dependencies and distribution across different systems within the cloud ecosystem. [1]
Wolthusen[1] also states that, "if semantic dependencies must be captured, this must not only capture the immediate data required to reconstruct a view or document or to recreate and reconstruct a process, but also sufficient information to ascertain the semantics of the event at the point in time of the event."
However would not the establishment of such a process potentially impact customers not involved in an investigation that are sharing the cloud-space that is part of a cloud forensic examination?
Despite the semantics and challenges of the Cloud Computing Environment it is my opinion that:
Cloud Computing users must open dialogue with their vendor regarding processes and protocols for successfully handling/managing incidents. These need to be clearly established within the requirements portion, when drafting their service level agreement (SLA).
Proponents of the cloud ecosystem touts its "vastness, flexibility and scalability as advantages for the implementation of cloud services. However, from a digital point of view this can be a veritable forensic challenge as we view the cloud in terms of its scope and diversity.
According to Dr. Stephen Wolthusen[1] "Digital forensics (also referred to at times as computer forensics) encompasses approaches and techniques for gathering and analyzing traces of human and computer-generated activity in such a way that it is suitable in a court of law."
A key challenge to a digital investigator called to pursue an investigation with cloud resources as a subset will be to establish and map computational and storage structures that will fall within the realm of the investigation. Bear in mind that for any system (cloud or otherwise) security incidents will cross boundaries of responsibility and access.[2]
Within the digital forensic process where there is a no one-size-fits-all solution for a digital forensic examination, all forensic evidence must follow the Forensic process of :
Collection - Examination - Analysis - Reporting. Also no matter its environment, forensic evidence must:
•Be relevant to the issue at hand
•Be authentic
•Not be unfairly prejudicial not be hearsay or if hearsay, able to meet the requirements for an exception
•Be the original or duplicate of the evidence or able to meet an exception to that rule.
Within the cloud computing ecosystem I believe there may be a dilemma in terms of time stamps. A question for cloud vendors would be, with a distributed and "vast" infrastructure how will they ensure synchronized clocks across all their systems? Synchronized clocks across a distributed global system may not be a possibility, and if this supposition holds true, then what other solution will a cloud vendor provide in such an instance?
Another challenge can be with that of reciprocity. Digital forensics within the cloud computing environment can have legal implications within an international jurisdiction which will require corporation from established relationships with legal entities in foreign countries and/or the establishment of new ones if possible.
As with any live forensic examination another challenge will be the establishing of snapshots of the system in operation. But in this case one can question if this is good enough for such a "vast" and possibly globally distributed ecosystem.
Take the instance of malware injected into the kernel space of a system; it is possible that it may be programmed to modify data or functionality...or both, in a variety of ways upon detection of a probe, or simply set to shut-down,obfuscate evidence, or delete pertinent data residues within a set time frame. Can a forensic examiner be notified of this change, or more pertinent can a cloud service provider implement protocols, tools or processes to ensure that such an event can be mitigated in real time? Most likely not, at least for now.
However a solution of sorts to this dilemma can be gleaned from thesis suggested in a paper by Wolthusen [1] which states: Data may be present or available in a given configuration for a limited time or be staged through different levels of storage hierarchies; it is hence important to place bounds on events in question so as to be able to capture events of interest completely.
In terms of the "vast" distributed environment that can comprise a cloud ecosystem under investigation; we have to be aware of the fact that within such an ecosystem, any forensic investigation can cause: parallel or unrelated services to be interrupted to completed halted, infringe on third party rights and cross jurisdictional boundaries and in the case of duplication require infeasible storage volumes. [1]
Aspects of Control within Cloud Computing Service Models:
SaaS: Here the cloud user, dependent on their contracted services with the cloud vendor will only control certain configuration parameters, whilst the cloud vendor maintain control over application\s and underlying infrastructure.
PaaS: Here the cloud vendor controls the cloud infrastructure and runtime environments when the cloud user controls the application.
IaaS: Although a cloud user will have control over their servers with the installed Operating Systems and applications with this cloud offering the cloud vendor will still controls the virtualization infrastructure and at least parts of the network infrastructure.
These aspects will affect how a digital forensic examination is conducted as, every cloud computing environment will have variations. Therefore the degrees of methods/tools protocols etc. implemented in identifying relevant events that support the detection and analysis of attacks have to be crafted accordingly.
Four Forensic Challenges within the Cloud Ecosystem
Grobauer and Schreck [2] identified the following forensic challenges within the cloud computing environment:
1.Separation of customer's data sources during evidence collection
2.Adapting forensic analysis methods to the cloud
3.Improving live analysis techniques
4.Improving log generation & analysis techniques
Another major challenge is a need to establish a complete understanding of processes, their dependencies and distribution across different systems within the cloud ecosystem. [1]
Wolthusen[1] also states that, "if semantic dependencies must be captured, this must not only capture the immediate data required to reconstruct a view or document or to recreate and reconstruct a process, but also sufficient information to ascertain the semantics of the event at the point in time of the event."
However would not the establishment of such a process potentially impact customers not involved in an investigation that are sharing the cloud-space that is part of a cloud forensic examination?
Despite the semantics and challenges of the Cloud Computing Environment it is my opinion that:
Cloud Computing users must open dialogue with their vendor regarding processes and protocols for successfully handling/managing incidents. These need to be clearly established within the requirements portion, when drafting their service level agreement (SLA).
No comments:
Post a Comment