Forensics as a Service (FaaS) explained

Digital forensics is a methodology that combines elements of law and computer science to gather and analyze data from computer systems, applications, networks, and storage devices in a way to be used as evidence in a court of law.

Traditionally, digital forensics involves two categories: static forensics, which involves the analysis of static data in hard drives obtained from traditional formalized acquisition procedures, and live forensics, which involves the analysis of the system memory and other relevant data while the system being analyzed is running.

The digital forensic process can be broken into four distinct phases: (a) collection of artifacts (both digital evidence and supporting material); (b) preservation of original artifacts in a reliable, complete, accurate, and verifiable way; (c) filtering analysis of artifacts for the removal or inclusion of items that are considered of value; (d) presentation phase where the evidence is presented to support the investigation.

Cloud Forensics

The use of digital forensics in cloud computing environments is known as cloud forensics. The data generated by rapidly evolving digital devices requires enormous computational power to analyze. The idea of a “Forensic Cloud” is put forth to free up an investigator’s time for investigation-specific tasks. Cloud service providers have not yet developed forensic capabilities that would aid in criminal investigations.

Traditional forensics methods, like static and live forensics, can help trace the problem fairly easily, especially in cases where data centers are nearby. However, a cloud model poses unique challenges like the ones listed below:

  • Storage systems are no longer local, and accessing data held in another jurisdiction may conflict with local laws.
  • There are multiple tenants’ files on each cloud server.
  • Even if data belonging to a specific suspect is found, it can be challenging to distinguish it from other tenants’ data.
  • Reconstructing data after it has been deleted. Aside from what the cloud service provider can supply, there is typically no proof connecting a specific data file to a specific suspect: the information is hard to locate, acquisition is difficult if it cannot be located, and analysis cannot take place without acquisition.

Cloud forensic process

1. Identification

Identification is the reporting of misuse of the Cloud or malicious activity such as deleting files, illegal storage of files, and so on. The forensic process begins with identifying the digital evidence. In a cloud, the evidence could be images of virtual machines, files stored on cloud servers, and logs from the cloud service provider (CSP). The identification process consists of two steps: incident identification and evidence identification. Incident identification reports malicious activity from a customer, organization, or CSP. This step requires identifying all the machines and file systems that likely contain the related evidence. The evidence identification step concerns the digital artifacts that should be presented in court. This step requires identifying the evidence in the media, such as cloud servers, mobile devices, and network devices.

2. Collection/Acquisition and Preservation

Data collection and acquisition is a crucial phase of the forensic procedure. Any errors that occur here will affect the whole investigation. The temporary nature of cloud computing and the physical inaccessibility of evidence artifacts make the evidence collection procedure difficult in the cloud environment. In addition, physical seizure of all the servers in cloud computing may be impossible due to the amount of hardware involved, the multi-tenancy, or the data being physically located in another jurisdiction. The data collection phase should also take the preservation phase into account when collecting evidence.

Preservation is the protection of the integrity of the evidence throughout the investigation process. Evidence preservation is a continuous process until the evidence is presented in court. Therefore, the evidence’s integrity should be maintained, ensuring the data’s originality throughout the investigation lifecycle.
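The collection and preservation steps above come down to one verifiable record: what was collected, from where, by whom, and a cryptographic hash of each artifact so that any later change, or loss, is detectable. The following is an added example, not code from the original article; it builds such a manifest over constructed sample artifacts (a made-up CSP access log and a disk-image fragment), appends chain-of-custody events, and re-verifies the evidence directory to show how tampering and a missing artifact are reported. The file names, the `collector`/`source` labels and the JSON layout are assumptions for illustration.

```python
"""Evidence preservation: hash manifest plus chain-of-custody log (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample artifacts that stand in for collected cloud evidence:
# a CSP access log and a fragment of a VM disk image. Not real data.
SAMPLE_ARTIFACTS = {
    "csp_access.log": (
        b"2024-01-01T00:00:00Z tenant=acme user=alice action=GET object=bucket/file1\n"
        b"2024-01-01T00:00:05Z tenant=acme user=alice action=DELETE object=bucket/file1\n"
    ),
    "vm-01.img.part": bytes(range(256)) * 4,
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, collector, source):
    """Record name, size and SHA-256 of every artifact plus the first custody event."""
    now = datetime.now(timezone.utc).isoformat()
    artifacts = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path):
            artifacts.append({"name": name, "size": os.path.getsize(path),
                              "sha256": sha256_file(path)})
    return {
        "source": source,  # assumed label: which CSP export/account the data came from
        "artifacts": artifacts,
        "custody": [{"at": now, "who": collector, "event": "collected"}],
    }


def manifest_digest(manifest):
    """Digest over the artifact list only, so custody entries can be appended
    later without invalidating it. Record this value out-of-band (case notes)."""
    canonical = json.dumps(manifest["artifacts"], sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


def add_custody_event(manifest, who, event):
    """Append a hand-over or processing event to the chain of custody."""
    manifest["custody"].append(
        {"at": datetime.now(timezone.utc).isoformat(), "who": who, "event": event})


def verify_manifest(evidence_dir, manifest):
    """Return a list of problems; an empty list means every artifact is intact."""
    problems = []
    for entry in manifest["artifacts"]:
        path = os.path.join(evidence_dir, entry["name"])
        if not os.path.isfile(path):
            problems.append({"name": entry["name"], "reason": "missing"})
        elif sha256_file(path) != entry["sha256"]:
            problems.append({"name": entry["name"], "reason": "hash mismatch"})
    return problems


def demo():
    """Collect the constructed artifacts, verify, then tamper and verify again."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        for name, data in SAMPLE_ARTIFACTS.items():
            with open(os.path.join(evidence_dir, name), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(evidence_dir, "examiner-1", "constructed-csp-export")
        digest_at_collection = manifest_digest(manifest)
        clean = verify_manifest(evidence_dir, manifest)

        # Simulate what preservation must detect: a log altered after collection
        # and an image fragment that has gone missing.
        with open(os.path.join(evidence_dir, "csp_access.log"), "ab") as fh:
            fh.write(b"2024-01-01T00:00:09Z tenant=acme user=bob action=GET object=bucket/file2\n")
        os.remove(os.path.join(evidence_dir, "vm-01.img.part"))
        add_custody_event(manifest, "examiner-2", "received for analysis")
        tampered = verify_manifest(evidence_dir, manifest)

        return {
            "clean": clean,
            "tampered": tampered,
            # custody appends must not change the artifact digest
            "digest_stable": manifest_digest(manifest) == digest_at_collection,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The artifact digest is kept separate from the custody list on purpose: hand-overs between examiners are expected to be appended for the life of the case, while the hashes of the collected data must never change. Recording `manifest_digest()` in the case notes at collection time lets anyone later confirm that the manifest itself was not rewritten.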

3. Examination/Processing and Analysis

The examination and analysis phase comes after collecting and preserving the digital evidence. Examination is defined as “Forensic tools and techniques appropriate to the collected data types are executed to identify and extract the relevant information from the collected data while protecting its integrity.” If the evidence extracted in the analysis phase turns out to be inadmissible or inadequate in a court of law, the process should return to the first phase, evidence identification, and run through the process again.

4. Results Dissemination

This phase consists of a reporting-findings step and a presenting-findings step. Digital evidence and analytical reports are presented to the court in this phase. NIST defined Reporting as a process that “describes the actions performed, determines what other actions need to be performed, and recommends improvements to policies, guidelines, procedures, tools, and other aspects of the forensic process.” The report should include information on all processes, tools, and applications used.

Cloud forensic opportunities

Cloud forensics has several advantages over traditional digital forensics in terms of large (petabytes) storage for accumulating valuable forensic data and resources for high computation capability. The FaaS model is specifically made to help forensic investigators when they centrally analyze a large volume of data that is either physically inaccessible or at an unidentified physical location. Data are continuously collected by investigators and sent to a centralized system. Investigators can examine a small subset of traces from enormous stacks.

  • Cost Efficiency: As cloud platforms, infrastructure, and services continue to develop and become cheaper, cloud forensics will also become cost-effective when used at scale with more established frameworks and procedures.
  • Data Recovery: Data availability will rise as cloud vendors continue to widen their reach and invest in building more regional data centers. When data is replicated throughout the data center, silos will be less likely to form, and recovery will be simpler.
  • Policies and Frameworks: Due to the ongoing evolution of cloud computing, there are opportunities for digital forensics to set uniform policies, create mature frameworks and standards, and support cybercrime investigations.