Cloud computing has transformed the IT industry, as services can now be deployed in a fraction of the time that it used to take. Scalable computing solutions have spawned large cloud computing companies such as Amazon Web Services (AWS), Google Cloud and Microsoft Azure. With a click of a button, personnel can create or reset entire infrastructure for a computing resource in three different cloud computer service models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). These models present three unique challenges to conducting cloud forensic investigations.
Cloud Computing Service Models
With traditional IT services, the owner is responsible for all services from networking equipment to the application itself. Cloud computing offers these SaaS, PaaS and IaaS solutions to make deployment and management of computing resources more efficiently. Let’s examine each of these models in more detail below.
IaaS
The owner is partially responsible for the operating system and all of the middleware, runtime, data and applications in cloud computing IaaS environments. However, the deployment of the operating system, the virtualization and all hardware, storage and networking equipment are managed for the customer by the cloud provider. This model gives the most control over the underlying infrastructure of computing resources to the customer. Examples of IaaS are creating hosts with AWS Elastic Computing Cloud (EC2), Digital Ocean and Rackspace.
PaaS
PaaS is less inclusive in the responsibility of the cloud computing resources. It’s where the owner is only responsible for the data and applications but not the essential cloud infrastructure including network, servers, operating systems or storage. This service model is primarily used by developers creating applications or software. Examples of PaaS are AWS Elastic Beanstalk, Windows Azure and Apache Stratos.
SaaS
SaaS is an all-inclusive cloud computing hosting environment where the application owner provides the application to the cloud provider, and it is hosted and managed entirely by the cloud services provider. Examples of SaaS are Google Apps, Dropbox and Slack. These applications are entirely managed by the Cloud Service Provider (CSP), and the users use the applications largely through a web browser.
Cloud Computing and Forensics
Forensic issues that are unique to cloud computing are jurisdiction, multi-tenancy and dependency on CSPs. Cloud forensics is a subset of digital forensics based on the unique approach to investigating cloud environments. CSPs have servers around the world to host customer data. When a cyber incident happens, legal jurisdiction and the laws that govern the region present unique challenges. A court order issued in a jurisdiction where a data center resides will likely not be applicable to the jurisdiction for a different host in another country. In modern CSP environments, the customer can choose the region in which the data will reside, and this should be chosen carefully. A main concern for an investigator is to ensure that the digital evidence has not been tampered with by third parties so it can be admissible in a court of law. In PaaS and SaaS service models, customers must depend on the cloud service providers for access to the logs as they do not have control over the hardware. In some cases, CSPs will sometimes intentionally hide the details of the logs from customers. In other cases, CSPs have policies that they will not offer services to collect logs. Maintaining a chain of custody is very challenging in a cloud environment versus a traditional forensics’ environment. In traditional forensics environment, the internal security team has control over who is conducting forensics operations on a machine, whereas in cloud forensics, the security team has no control over who the CSP chooses to gather evidence. If they are not trained according to a forensic standard, the chain of custody may not hold in a court of law.
Summary
In cloud computing, there are three service models and at least three challenges unique to cloud forensics. Each service model level for cloud computing shares partial responsibility with the cloud services provider. This relationship causes unique challenges when conducting cloud forensics investigations, as any mishap can prevent evidence from being admissible in a court of law. Since cloud servers can be hosted in several countries, forensic data can be, too. This presents challenges of legal jurisdiction. Cloud services providers do not always operate in your favor when it comes to conducting forensics investigations, as you are costing them time and money for issues that are less concerning to them. These challenges are unique to the subset of the forensics field, cloud forensics.
About the author: Tyler Wall is a Principal Cyber Security Engineer and passionate cybersecurity researcher and IoT hobbyist. He has seven years of security operations experience and has led three security monitoring programs into higher levels of maturity. He is pursuant of a Master of Science in Cybersecurity Management and will be complete January 2020. He also holds current Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and Certified Forensic Security Responder (CFSR) certifications. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
