Below is an abstract of the research I am currently conducting under the supervision of Dr. Stilianos Vidalis.
I believe it to be a topic that will fuel debate and discussion on the premise that Gartner Consulting, in 2008, suggested that investigating inappropriate or illegal activity may be impossible in Cloud Computing.
Abstract
Cloud Computing & The Impact On Digital Forensic Investigations
CLOIDIFIN
Cloud Computing (CC), as a concept and business opportunity, is likely to see many organisations experiencing the ‘credit crunch’ embrace the relatively low-cost option of CC to ensure continued business viability and sustainability. The pay-as-you-go structure of the available CC model is typically suited to SMEs that do not have the resources to completely fulfil their IT requirements. However, as with many opportunities that offer legitimate users enormous benefits, unscrupulous and criminal users will also look to use CC to exploit the many loopholes that may exist within this new concept, design and IT model.
CLOIDIFIN is a research project that will highlight the vulnerabilities of the cloud and the impact it will have on the digital forensic investigation that could ensue following a crime, policy contravention or data compromise episode.
Traditional digital forensic methodologies permit investigators to seize equipment and perform detailed analysis on the media and data recovered. The likelihood, therefore, of the data being removed, overwritten, deleted or destroyed by the perpetrator in this case is low. More closely linked to a CC environment would be businesses that own and maintain their own multi-server type infrastructure, though this would be on a far smaller scale in comparison. However, the scale of the cloud and the rate at which data is overwritten are of concern. Live digital forensics is a technique that is also currently in its infancy, and CLOIDIFIN will test it to establish its suitability. E-discovery and the vendor being subpoenaed to retrieve data of potential evidential value will also be researched and tested for aptness.
Jeff Barr, Amazon's cloud evangelist, questioned in October 2008, was unable to answer probing questions regarding what vendors are doing to enable future investigations to proceed effectively. The initial thought is that CC vendors cannot ensure that data which could be used as evidence will be complete, retrievable or verifiable. Therefore, it is possible that evidential artefacts will be unreliable and incomplete.
CLOIDIFIN will research ways of highlighting this weakness and work closely with law enforcement agencies, independent investigators and vendors to minimise the impact this concept will have on investigations and the success rate for prosecutions.
Gartner Consulting (2008), a firm that provides fact-based consulting services that help clients use and manage IT to enable business performance, comments:
Investigating inappropriate or illegal activity may be impossible in cloud computing, Gartner warns. “Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers. If you cannot get a contractual commitment to support specific forms of investigation—along with evidence that the vendor has already successfully supported such activities—then your only safe assumption is that investigation and discovery requests will be impossible.”
This statement is what CLOIDIFIN will endeavour to clarify: whether or not traditional techniques, methodologies and tools are effective at investigating the cloud, and whether it is impossible to perform such an investigation on this new IT model phenomenon.
Written by Stephen J. Biggs under the supervision of Dr Stilianos Vidalis – 2009.