Cloud providers may soon be asked to adopt protocols to help law enforcement meet the challenges of collecting and analyzing data in the cloud. The National Institute of Standards and Technology (NIST) issued a draft report in June titled “NIST Cloud Computing Forensic Science Challenges,” which identifies 65 challenges posed by cloud computing to forensic examiners.
The report also attempts to begin the process of identifying methods of mitigating those challenges, and technologies, standards and measurements to be used in cloud investigations.
The report was authored by the NIST Cloud Computing Forensic Science Working Group, whose members were drawn from a variety of groups and companies related to cloud computing, information science, and security, including the Department of Defense, Cisco, and Ernst & Young. The NIST has been a part of US Federal Government efforts to broadly address cybersecurity.
The report says that while digital forensic investigations pose technical, legal, and organizational challenges, the cloud exacerbates many of them while introducing new ones. In particular, the NIST identifies advanced hypervisors and geographical independence as potential sources of new challenges.
“…Distinctive features of cloud computing, such as segregation of duties among cloud actors, inability to acquire network logs from the load balancer or routers, multi-tenancy, and rapid elasticity introduce unique scenarios for digital investigations,” the report says.
The 65 challenges identified are broken down into nine categories: architecture; data collection; analysis; anti-forensics (which includes data hiding and malware); incident first responders; role management; legal; standards; and training.
The preliminary analysis section of the report discusses the challenges cloud ecosystems pose to obtaining a useful degree of visibility or control from a fixed outside vantage point. This leads to the suggestion that cloud forensics requires different access to cloud data, as the report says:
“…Forensic protocols need to be developed that can be adopted by the major cloud providers. These protocols must adequately address the needs of the first responders and court systems while assuring the cloud Providers no disruption or minimal disruption to their service(s). On the technology front, an example of a current need is the ability to lawfully perform remote digital forensics collections that will lower the costs of travel. In essence, this will involve moving forensic images electronically from the cloud Provider to a forensics lab. Better yet would be performing the forensics in a scientifically sound manner in the cloud itself.”
Many cloud providers and end-users will oppose both ideas. The NIST and federal government agencies will likely move with caution as they seek to improve cloud forensic practices while rebuilding trust in privacy protections damaged by government surveillance practices.