
Digital forensics principles and applications

Last reviewed: April 12, 2013
Abstract

This essay examines the most important development in digital forensics. The cloud is chosen as the most important aspect of this field today. The essay examines the important aspects of the cloud and how they relate to the problem of forensics. Literature is used to support this claim, and the essay concludes with recommendations on how to make this technology more practical.

Cloud Computing Digital Forensics

The pace at which technology develops in today's world makes inventions and discoveries very temporary and short-lived. Digital forensics is an area of technological development that has grown significantly in the past few years. Although this system of analysis has changed over its history, today's world presents it with a very important challenge that will widen the interests of many people, complicating and confusing a situation that is still in its infancy.

Cloud computing is a relatively new technology that has raised serious questions about the way in which digital forensics is now being handled. The purpose of this essay is to explain how cloud computing is the most important new technology that has been introduced into digital forensics in the last five years. This essay will explain how the cloud and cloud computing have literally opened up a new world of problems for those wishing to utilize digital forensics to simplify matters or to just explain them.

The Cloud

Over the past several years, cloud computing has begun to expand in the business community. Cloud computing is a style of computing that provides virtualized computer-related resources over the Internet. One of its major advantages is that a user does not need to have any knowledge, expertise, or control of the infrastructure. This can become a huge cost savings for those businesses that utilize the services inherent in cloud computing. For instance, some services include online business applications that are accessible through any browser from any computer. The actual software and data reside on servers external to the business itself. As a result, businesses would not have to invest huge sums of money in software and hardware. Since they do not own the host infrastructure, they only pay the provider for the services and resources they consume. There is probably no limit to the types of services that can be obtained via cloud computing.

Regardless of the provider, cloud computing relies on the use of virtual machines (VMs) and some combination of Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and/or Software as a Service (SaaS). VMs are software implementations of a computer which can execute programs like a real computer and can be spawned on any computer as needed. There are two types of VMs: the system VM, which supports the execution of a complete operating system, and the process VM, which is designed to run a single program supporting a single process.

Although cloud computing may appear to some as attractive to a business, it is not without its own unique problems and concerns. Accessing a remote server to commence an application on the Internet presents several obvious security risks. Customers also may not be able to distinguish what policies and procedures are in place to recover data should a server crash or become compromised.

Digital Forensics and the Cloud

Storage of this information presents new problems for digital forensics. Keeping sensitive corporate data on a remote server raises concerns regarding the privacy and accessibility of that data by unlawful second parties. In this model the business or customer is not completely aware of the physical location of the data. Legal and regulatory requirements and laws may be lacking in the location where the data is actually stored. The long-term feasibility of the data itself and its availability could become a major issue should the provider no longer offer the services due to some unforeseen event such as bankruptcy, going out of business, or merging with another company.

Birk (2011) explained that on the cloud, data is always in motion, which presents these types of problems. He suggested that "especially in the SaaS model, the customer does not obtain any control of the underlying operating infrastructure such as network, servers, operating systems etc. or even the application that is used. This means that no deeper view into the system and its underlying infrastructure is provided to the customer." The constant flow of information makes compiling a forensics report on any given item very difficult.

Legal issues may also hamper digital forensics in dealing with cloud issues. Cloud computing raises some unique law enforcement concerns regarding the location of potential digital evidence and its subsequent forensic analysis. When a savvy and knowledgeable customer or business becomes the target of a criminal investigation, they could migrate their working environment to a cloud environment. This would provide a means for the business to continue its routine operations while the migrated environment is forensically analyzed. The migrated data only represents a temporary snapshot of when it was sent to the cloud. Since the data can be stored anywhere in the world, its scattering could be to a location or country where privacy laws are not readily enforced or non-existent. Establishing a chain of custody for the data would become difficult or impossible if its integrity and authenticity cannot be fully determined.

Ward (2011) agreed when he claimed "if you're investigating a case, you have a responsibility to collect all relevant information, without exception. Cloud computing means that data universe can be larger, more scattered and unstructured, as opposed to being 'controlled' within an organization; as a result, you need to collect from increasing and new cloud data sources and the retrieval process can be more of a challenge."
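The chain-of-custody problem described above can be made concrete with a tamper-evident custody log. The following is an added example, not part of the original essay: each entry records the SHA-256 digest of the collected data, who handled it and where, and the hash of the previous entry, so a later edit to any record or to the evidence itself is detectable. The function names, handler labels, locations and timestamps are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used by the first log entry


def entry_hash(entry):
    """SHA-256 over the canonical JSON form of an entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(log, evidence, handler, action, location, when):
    """Record one custody event and link it to the previous entry."""
    entry = {
        "evidence_sha256": hashlib.sha256(evidence).hexdigest(),
        "handler": handler,
        "action": action,
        "location": location,  # where the copy was held when handled
        "timestamp": when,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_hash(entry)
    log.append(entry)
    return entry


def verify_log(log, evidence):
    """Return a list of problems; an empty list means the chain is intact."""
    problems = []
    digest = hashlib.sha256(evidence).hexdigest()
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if entry_hash(entry) != entry["entry_hash"]:
            problems.append(f"entry {i}: record altered after it was written")
        if entry["evidence_sha256"] != digest:
            problems.append(f"entry {i}: evidence digest mismatch")
        prev = entry["entry_hash"]
    return problems


# Constructed sample: bytes standing in for an exported snapshot image.
SNAPSHOT = b"constructed snapshot image bytes"


def demo():
    log = []
    append_entry(log, SNAPSHOT, "analyst-a", "acquired", "region-1", "2013-04-12T10:00:00Z")
    append_entry(log, SNAPSHOT, "analyst-b", "received", "lab", "2013-04-12T15:30:00Z")
    return log
```

A log like this only shows that records were not changed after the fact; someone able to rewrite every entry can rebuild the chain, so the latest entry hash has to be held by an independent party.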

There are also many troubling potential forensic issues when the customer or user exits a cloud application. Items subject to forensic analysis, such as registry entries, temporary files, and other artifacts are lost, making malicious activity difficult to validate. With the huge amount of potential data flowing in and out of a cloud, how do you identify individual users of individual services provided by a transient host image, particularly when they make expert efforts to cover their tracks? What if the owner of the image decides to engage in malicious behavior, through the host server image, from a third IP address, and then claim someone must have stolen their password to the image?

References
  • Birk, D. (2011). Technical Challenges of Forensic Investigations in Cloud Computing Environments. Advances in Digital Forensics, Jan 11. 2011. Retrieved from http://www.zurich.ibm.com/~cca/csc2011/submissions/birk.pdf
  • Riley, D. et al (2011). Cloud Computing: Pros and Cons for Computer Forensic Investigations. International Journal Multimedia and Image Processing, 1,1, March 2011. Retrieved from http://infonomics-society.org/IJMIP/Cloud%20Computing_Pros%20and%20Cons%20for%20Computer%20Forensic%20Investigations.pdf
  • Siddha, V. (2011). Cloud Computing: Challenges and possible solutions for digital forensics. Nimbula, 3 Nov 2011. Retrieved from http://blog.nimbula.com/corporate/2011/11/cloud-computing-challenges-and-possible-solutions-for-digital-forensics/
  • Ward, C. (2011). Digital Forensics: the cloud challenge. Business Cloud News, 1 Nov 2011. Retrieved from http://www.businesscloudnews.com/security/635-digital-forensics-the-cloud-challenge.html
Cite This Paper
PaperDue. (2013). Digital forensics principles and applications. PaperDue. https://www.paperdue.com/essay/cloud-computing-digital-forensics-the-101528
