“The validity and reliability of forensic science is crucial in this new context and requires new methodologies for identifying, collecting, preserving, and analyzing evidence in multi-tenant cloud environments that offer rapid provisioning, global elasticity and broad network accessibility,” reads the NIST report.
The NIST Cloud Computing Forensic Science Working Group (NCC FSWG) was established to first identify challenges in the cloud environment and then establish plans for standards and technology research to mitigate those challenges. To do this, the group gathered existing literature on the topic, obtained input from a variety of stakeholders in the group, and held small-group discussions among participants through phone calls and emails.
Ultimately, NCC FSWG identified 62 challenges (listed in Annex A of the report). While the challenges span the spectrum, the majority of the hurdles are technology-based. For ease of reading, NIST grouped all the challenges into nine categories:
- Architecture: Handling the diversity, complexity, multi-tenancy and data segregation of data, as well as accurate and secure provenance for maintaining and preserving chain of custody.
- Data collection: Addressing data integrity, data recovery and data location, including finding forensic artifacts in large dynamic systems. This also includes the inability to image all forensic artifacts in the cloud.
- Analysis: Verifying correlation, reconstruction, time synchronization and metadata. Analysis problem areas also include timeline analysis of log data, including synchronization of timestamps.
- Anti-forensics: Relating to obfuscation, data hiding and malware specifically designed to prevent or mislead forensic analysis. The use of these techniques compromises the integrity of evidence and malware may even circumvent virtual machine isolation methods.
- Incident first responders: Questioning the confidence, competence and trustworthiness of cloud providers to act as first responders and perform data collection.
- Role management: Addressing data owners, identity management, users and access controls. The ease of remaining anonymous and creating fictitious identities online is of primary concern.
- Legal: Addressing jurisdictions, laws, service level agreements, contracts, subpoenas, international cooperation, privacy and ethics. In this case, subpoenas would need to be issued without the knowledge of the physical location of data.
- Standards: Lack of basic standard operating procedures, interoperability among cloud providers, and lack of testing and validation procedures.
- Training: Lack of cloud forensic training and expertise for both investigators and instructors, and limited knowledge by record-keeping personnel in cloud providers regarding the legal requirements of evidence.
While the challenges and groups are different, there are certain aspects of each that overlap and feel persistent. The variability of cloud providers and their capabilities is of critical concern as the forensic world moves toward the cloud. Logs, in particular, are an important source of forensic analyses, but in the cloud there is an added layer of complexity, given that the quantity and quality of log data is configurable by cloud providers and/or consumers.
“To perform forensic analysis using logs with integrity on which all stakeholders can rely, the logs must be trusted,” reads the report. “Differences in log formats, decentralization of logs among different layers, lack of accessibility to logs, the multi-tenancy nature of clouds, and the need to preserve the chain of custody make log analysis challenging in clouds.”
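The report's concerns about differing log formats, timestamp synchronization across layers, and preserving the chain of custody (raised under the Analysis category above and in the quoted passage) can be made concrete. The following Python is an added example, not code from the NIST report or from the article: it normalizes two constructed log formats from different cloud layers into a single UTC timeline and links the collected records with a SHA-256 hash chain, so that a later alteration or deletion of any record is detectable. The log lines, field names, the hypothetical guest clock zone and the optional skew correction are all assumptions constructed for the example.

```python
"""
Added example (not from the NIST report or the article): normalise logs from
two cloud layers with different timestamp formats into one UTC timeline and
record a SHA-256 hash chain over the collected records so that any later
tampering or deletion is detectable. All log lines are constructed.
"""
import hashlib
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines from two hypothetical layers: a control-plane audit
# log emitting ISO 8601 with an explicit offset, and a guest-VM syslog with a
# local timestamp carrying no year and no zone. Neither format is a real
# provider's; both are assumptions for the example.
CONTROL_PLANE_LOG = [
    "2024-03-01T09:00:05+02:00 audit tenant=acme actor=alice action=StartInstance vm=vm-7",
    "2024-03-01T09:00:09+02:00 audit tenant=acme actor=alice action=AttachVolume vm=vm-7",
]
GUEST_SYSLOG = [
    "Mar  1 07:00:07 vm-7 sshd[412]: Accepted publickey for admin from 10.0.0.5",
    "Mar  1 07:00:12 vm-7 kernel: EXT4-fs (vdb): mounted filesystem",
]
# Assumed facts from the (constructed) collection notes: the guest clock runs
# in UTC, the capture year is 2024, and the guest clock has no measured skew.
GUEST_TZ = timezone.utc
GUEST_YEAR = 2024
GUEST_SKEW = timedelta(0)

AUDIT_RE = re.compile(r"^(\S+) audit (.*)$")
SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")
GENESIS = "0" * 64  # previous-hash value for the first record in a chain


def parse_control_plane(line):
    """Parse an ISO 8601 audit line; the offset is converted to UTC."""
    m = AUDIT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised audit line: {line!r}")
    ts = datetime.fromisoformat(m.group(1)).astimezone(timezone.utc)
    fields = dict(kv.split("=", 1) for kv in m.group(2).split())
    return {"ts": ts.isoformat(), "layer": "control-plane",
            "host": fields.get("vm"), "msg": m.group(2)}


def parse_guest_syslog(line, year=GUEST_YEAR, tz=GUEST_TZ, skew=GUEST_SKEW):
    """Parse a classic syslog line; the year, zone and clock skew are not in
    the line itself and must come from the collection notes."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    local = datetime.strptime(f"{year} {m.group(1)} {m.group(2)} {m.group(3)}",
                              "%Y %b %d %H:%M:%S")
    ts = (local.replace(tzinfo=tz) - skew).astimezone(timezone.utc)
    return {"ts": ts.isoformat(), "layer": "guest", "host": m.group(4), "msg": m.group(5)}


def _canonical(record):
    # Stable serialisation so the hash does not depend on dict ordering.
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def hash_chain(records):
    """Attach prev/sha256 to each record; each hash covers the record and the
    previous hash, so altering or removing any record breaks every later link."""
    prev, out = GENESIS, []
    for rec in records:
        h = hashlib.sha256((prev + _canonical(rec)).encode()).hexdigest()
        out.append({**rec, "prev": prev, "sha256": h})
        prev = h
    return out


def verify_chain(chained):
    """Recompute every link; returns False on any edit, insertion or deletion."""
    prev = GENESIS
    for entry in chained:
        rec = {k: v for k, v in entry.items() if k not in ("prev", "sha256")}
        expected = hashlib.sha256((prev + _canonical(rec)).encode()).hexdigest()
        if entry["prev"] != prev or entry["sha256"] != expected:
            return False
        prev = entry["sha256"]
    return True


def build_timeline():
    """Normalise both layers to UTC, order them, and seal the result."""
    records = [parse_control_plane(l) for l in CONTROL_PLANE_LOG]
    records += [parse_guest_syslog(l) for l in GUEST_SYSLOG]
    records.sort(key=lambda r: r["ts"])  # all UTC, so string order is time order
    return hash_chain(records)


if __name__ == "__main__":
    for entry in build_timeline():
        print(entry["ts"], entry["layer"], entry["msg"][:40], entry["sha256"][:12])
```

Sorting only becomes meaningful once every record carries a UTC timestamp, which is why the guest parser takes the year, zone and skew as explicit inputs rather than guessing them; in a real collection those values are what the examiner documents alongside the evidence. The hash chain is a minimal integrity record for the collected set, not a substitute for the provider's own signed or write-once logging.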
To rectify this problem, NIST suggests the development of standard forensic protocols that can be adopted by major cloud providers. The protocols must adequately address the needs of first responders, law enforcement, and court systems, while ensuring there will be minimal or no disruption to cloud providers.
NIST acknowledged there is still much research to be conducted in the cyber domain. The NCC FSWG will continue its efforts and initiate more dialogue among stakeholders. Next steps include:
(1) further analyzing cloud challenges,
(2) prioritizing the challenges,
(3) developing a Cloud Forensics Reference Architecture,
(4) choosing the highest priority challenges and determining the corresponding gaps in technology and standards that need to be addressed, and
(5) developing a roadmap to address these gaps.
“This is necessary to support the U.S. criminal justice and civil litigation systems as well as to provide capabilities for security incident response and internal enterprise operations,” reads the report.
Source: NIST’s 6-Year Project Identifies Forensic Challenges in Cloud Computing