Digital Forensics on Cloud Computing

Cloud computing raises some unique law enforcement concerns regarding the location of potential digital evidence, its preservation, and its subsequent forensic analysis. Since the data can be stored anywhere in the world, it could be dispersed to a location or country where privacy laws are not readily enforced or are non-existent. Establishing a chain of custody for the data becomes difficult or impossible if its integrity and authenticity cannot be fully determined (where was it stored, who had access to view it, was there data leakage, commingling of data, etc.). Items subject to forensic analysis, such as registry entries, temporary files, and other artifacts (which are stored in the virtual environment), are lost, making malicious activity difficult to substantiate. There is a need to answer questions such as:

“…with the huge amount of potential data flowing in and out of a cloud, how do we identify individual users of individual services provided by a transient host image, particularly when they make expert efforts to cover their tracks? And what if the owner of the image decides to engage in malicious behaviour, through the host server image, from a third IP address, and then claim someone must have stolen their password or keypair to the image?”

Further forensic issues concern the potential effect the cloud services could have on the digital data itself and how the forensic examiner can explain, in a credible manner, all these real and potential indiscretions to the court. Many forensic examiners recognize that “there is no foolproof, universal method for extracting evidence in an admissible fashion from cloud-based applications, and in some cases, very little evidence is available to extract.” Stated another way, the challenge for forensic examiners and law enforcement is to determine the “who, what, when, where, how, and why” of cloud-based criminal activity. A brief specification on “Mapping the Forensic Standard ISO/IEC 27037 to Cloud Computing” is provided by the Cloud Security Alliance (CSA).