This white paper explores the issues a company and its forensic examiner may face when company information held in the cloud is breached. If they need to collect information from the cloud to determine what happened, to determine what was lost or compromised, for remediation, for civil litigation, or for some other action, what issues will they face? And how can they collect the data? Although this white paper discusses many legal issues, it is not a legal "how-to" article. The purpose is to provide some insight into cloud forensics.
The use of cloud services has skyrocketed primarily because it is cheaper and more convenient than the alternative. Unfortunately, many companies have entered the cloud without first checking the weather forecast or performing a risk analysis. What happens if the cloud gets stormy, you suffer a breach, and you find yourself in the position of having to conduct digital forensics? What now? Can you collect data yourself? Where is your data? Who else has had access to your data? Is the provider the actual data holder or have they subcontracted? Many of these issues are better addressed before you enter the cloud. Failing that, what can you do?
Challenges of Cloud Forensics
Unlike traditional digital forensics, where the evidence sits on hardware you own and can seize, cloud forensics presents a unique challenge because "the cloud" has no single physical location and the hardware belongs to someone else. Many of these challenges are legal and can be overcome by planning. The National Institute of Standards and Technology (NIST) defines the cloud as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." Okay, in English: the cloud is a service, like online backup, online software, and other computing services, owned by someone else and not physically resident on your computer, similar to renting a car. It can be accessed from anywhere you have an Internet connection.
Many people lump free consumer services such as Gmail, Yahoo, and LinkedIn together with the paid cloud services a business subscribes to. Technically both run on cloud infrastructure, but for this paper the distinction that matters is payment: a paying subscriber has a contract, whereas a user of a free service has only the provider's standard terms. Privacy and legal issues will likely differ for paid and free services, as will the ability to negotiate the terms of service. The absolute necessity of negotiating those terms will be discussed later in this paper.
NIST lists five essential characteristics of cloud computing (on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service). The four that matter most for forensics are: on-demand self-service, rapid elasticity, location independence, and data replication, because each one makes it harder to say where a given piece of data is, how many copies exist, and who controls them.
Why Would You Need to Collect Data from a Cloud Provider?
This white paper explores issues a company or forensic examiner may face when collecting information from the cloud, with a primary focus on civil litigation or other action as opposed to collecting evidence for criminal prosecution. Much overlap exists between the two situations, and some comparisons will be made. Although this paper discusses many legal issues, it is not a legal "how-to" article, as it does not cover every potential issue, tool, technique, etc. The purpose is to provide some insight into cloud forensics. My research on the topic has not yielded a source that provides clear and concise guidance, so I hope this starts the ball rolling. The issues I'll cover include:
Can you collect the data yourself?
Which jurisdiction applies?
Can you compel the disclosure of data?
What tools or techniques are available for compelling information?
Can you prepare for cloud forensics?
Can You Collect the Data Yourself?
Once you suspect an incident has occurred and decide to collect data, you must decide why the data are being collected (e.g., for remediation, court, or some other reason) and, thus, what data need to be collected. If you can easily collect the necessary data in the normal course of business via the company's own access to the cloud (console exports, API downloads, audit logs, snapshots), you should use standard digital forensic techniques, following well-established procedures and ensuring a clean chain of custody: hash everything as it is collected, record who collected what, from where, and when, and document every hand-off.
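The chain-of-custody step above, as an added example that is not part of the original white paper: the exports are hashed into a sealed manifest at collection time, each hand-off is appended as a hash-linked custody event, and a later verification detects altered, missing or unlisted items and any edited custody record. The sample exports, case identifier and names are constructed for illustration; in practice the items would be the files pulled through the company's own tenant access.

```python
"""Added example (not from the original paper): chain-of-custody manifest for
data collected from a cloud tenant. Sample exports below are constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: the kind of objects an examiner exports via normal tenant access.
SAMPLE_EXPORTS = {
    "audit-log-2023-04-01.json": b'{"events":[{"user":"alice","action":"download","object":"q1-plan.xlsx"}]}',
    "mailbox-alice.mbox": b"From alice@example.com\nSubject: Q1 plan\n\nAttached.\n",
    "bucket-listing.txt": b"q1-plan.xlsx 18432 2023-04-01T09:12:00Z\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(obj) -> bytes:
    # Deterministic serialisation so hashes over dicts are reproducible.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(items, case_id, collector, source, collected_at=None):
    """Record size and SHA-256 of every collected object, seal the manifest with
    its own hash, and open the custody chain with an 'acquired' event."""
    if collected_at is None:
        collected_at = datetime.now(timezone.utc).isoformat()
    entries = [{"name": n, "size": len(d), "sha256": sha256_hex(d)}
               for n, d in sorted(items.items())]
    body = {"case_id": case_id, "collector": collector, "source": source,
            "collected_at": collected_at, "items": entries}
    body_hash = sha256_hex(_canonical(body))
    first = {"event": "acquired", "by": collector, "at": collected_at,
             "note": "exported via tenant access", "prev": body_hash}
    first["hash"] = sha256_hex(_canonical(first))
    return {**body, "manifest_sha256": body_hash, "custody": [first]}


def record_transfer(manifest, by, note, at=None):
    """Append a custody event whose 'prev' field links it to the prior event."""
    if at is None:
        at = datetime.now(timezone.utc).isoformat()
    ev = {"event": "transferred", "by": by, "at": at, "note": note,
          "prev": manifest["custody"][-1]["hash"]}
    ev["hash"] = sha256_hex(_canonical(ev))
    manifest["custody"].append(ev)
    return ev["hash"]


def verify_manifest(manifest, items):
    """Return a list of problems; an empty list means evidence and chain are intact."""
    problems = []
    body = {k: manifest[k] for k in ("case_id", "collector", "source", "collected_at", "items")}
    if sha256_hex(_canonical(body)) != manifest["manifest_sha256"]:
        problems.append("manifest body altered")
    for entry in manifest["items"]:
        data = items.get(entry["name"])
        if data is None:
            problems.append(f"missing: {entry['name']}")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append(f"hash mismatch: {entry['name']}")
    for name in sorted(set(items) - {e["name"] for e in manifest["items"]}):
        problems.append(f"unlisted item: {name}")
    expected_prev = manifest["manifest_sha256"]          # chain is rooted at the manifest hash
    for ev in manifest["custody"]:
        unhashed = {k: v for k, v in ev.items() if k != "hash"}
        if ev["prev"] != expected_prev or sha256_hex(_canonical(unhashed)) != ev["hash"]:
            problems.append(f"custody chain broken at event '{ev['event']}' by {ev['by']}")
            break
        expected_prev = ev["hash"]
    return problems


if __name__ == "__main__":
    m = build_manifest(SAMPLE_EXPORTS, case_id="INC-2023-0042", collector="examiner1",
                       source="example-tenant (constructed)",
                       collected_at="2023-04-02T14:00:00+00:00")
    record_transfer(m, by="counsel", note="hand-off for litigation hold",
                    at="2023-04-03T09:00:00+00:00")
    print(json.dumps(m, indent=2))
    print("problems:", verify_manifest(m, SAMPLE_EXPORTS))
```

The manifest is hashed at collection time and each custody event carries the previous hash, so an edit to any export, to the manifest metadata, or to an earlier custody record is detectable later without trusting the person who currently holds the evidence. Store the manifest (and ideally the sealed hash, signed or timestamped) separately from the exports themselves.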
On the other hand, if you have to ask the cloud provider for assistance, you must first identify the provider. That may not be obvious: your company may have changed providers over time, the person who initiated the cloud usage may no longer be with the company, or the provider may itself have subcontracted storage to another party. Once the provider is identified, determine where its headquarters and state of incorporation are located. This is necessary so you can determine the applicable jurisdiction and law, as you may have to send legal documents, preservation letters, litigation holds, or subpoenas in order to preserve the data and compel its collection.