Sunday, March 6, 2011

Forensics in Cloud Computing

Nowadays a considerable proportion of our day-to-day business operations are conducted via computer; it is likely that you use a range of software, such as a word processor, email client, accounting package, client relationship management tool and countless others. There is usually a purchase cost involved in licensed software, and that extends to further costs and man hours associated with repairing, updating and upgrading the software as and when necessary. 'Cloud computing' addresses this issue by moving away from 'software' applications installed on the client's computer and instead offering access to the applications via the internet. The application is hosted on a central server, which means that updates and maintenance can be carried out by the provider and the costs spread between all the users in the form of a subscription fee; since there could be hundreds, thousands or even millions of subscribers, the application can be offered at a comparatively low cost with no user-end maintenance required. Proponents of the cloud ecosystem tout its "vastness, flexibility and scalability" as advantages for the implementation of cloud services.

However, from a digital forensics point of view the cloud, viewed in terms of its scope and diversity, presents a veritable challenge. Although there is no one-size-fits-all solution for a digital forensic examination, all forensic evidence must follow the forensic process of Collection - Examination - Analysis - Reporting.

Within the cloud computing ecosystem there may be a dilemma in terms of time stamps. A question for cloud vendors would be: with a distributed and "vast" infrastructure, how will they ensure synchronized clocks across all their systems? Synchronized clocks across a distributed global system may not be a possibility, and if this supposition holds true, what other solution will a cloud vendor provide in such an instance? Another challenge is that of reciprocity. Digital forensics within the cloud computing environment can have legal implications across international jurisdictions, which will require cooperation through established relationships with legal entities in foreign countries and/or the establishment of new ones where possible.

As with any live forensic examination, another challenge will be establishing snapshots of the system in operation. But in this case one can question whether this is good enough for such a "vast" and possibly globally distributed ecosystem. Take the instance of malware injected into the kernel space of a system: it may be programmed to modify data or functionality, or both, in a variety of ways upon detecting a probe, or simply set to shut down, obfuscate evidence, or delete pertinent data residues within a set time frame. Can a forensic examiner be notified of this change, or, more pertinently, can a cloud service provider implement protocols, tools or processes to ensure that such an event can be mitigated in real time? Not for now, at least.

However, a solution of sorts to this dilemma can be gleaned from the thesis suggested in a paper by Wolthusen, which states that data may be present or available in a given configuration for a limited time or be staged through different levels of storage hierarchies; it is hence important to place bounds on events in question so as to be able to capture events of interest completely.

In terms of the "vast" distributed environment that can comprise a cloud ecosystem under investigation, we have to be aware that within such an ecosystem any forensic investigation can cause parallel or unrelated services to be interrupted or completely halted, infringe on third-party rights, cross jurisdictional boundaries and, in the case of duplication, require infeasible storage volumes. A key challenge for a digital investigator called to pursue an investigation with cloud resources as a subset will be to establish and map the computational and storage structures that fall within the realm of the investigation. Bear in mind that for any system (cloud or otherwise) security incidents will cross boundaries of responsibility and access.

As increasing numbers of businesses move their operations into the cloud, computer crime investigators are presented not only with new benefits but also with problems. Computer forensic investigations involve the scientific analysis of computer equipment to recover legally admissible evidence. In an instance where the security of a firm's digital data has been compromised, computer forensics experts might be called in to analyse each computer terminal involved for evidence, the first stage of which is to carefully replicate the contents of each drive exactly so that the original evidence cannot be contaminated. This process can be very time consuming, but if the information is all stored within the cloud, then a simple click of the mouse could potentially produce an exact image of the current state of the firm's data, allowing the investigation to progress much more quickly. However, there is also a downside to cloud computing. If an application is accessed via the cloud, registry entries (which record user activity) and other useful artifacts such as temporary files will be stored within the virtual environment and so lost when the user exits, making evidence traditionally stored on the hard drive potentially unrecoverable. In response to this, some commentators have suggested that the information could be provided by the application vendor on request from law enforcement officials, but this too poses problems. The recovery of computer-based evidence in the UK must follow a strict, auditable procedure as laid out by the Association of Chief Police Officers, so information extracted by non-experts could be unintentionally contaminated and thus rendered inadmissible in a court of law. In addition, while the confiscation of physical computer equipment following an arrest is relatively straightforward, the legal process required to gain access to private data held online is more complicated, which could delay investigations where the recovery of evidence is typically time critical.

At present, there is no foolproof, universal method for extracting evidence in an admissible fashion from cloud-based applications, and in some cases very little evidence is available to extract. As such, cloud computing represents just one of the fast-paced technological developments presenting an ongoing challenge to legislators, law enforcement officials and computer forensic analysts. Do you think that cloud computing would add to the complexity of your computer forensics program? The resounding answer is no: by leveraging the inbuilt abilities of cloud computing, computer forensics becomes an "on demand" service. One of the very nice things about cloud computing is that you basically exist in an on-demand system, so if you are served with a preservation letter, or have other legal reasons to preserve an environment, you can easily back up your environment and put it onto the cloud for the investigators to use while the normal course of business continues. This also means that all the data stores or other information that investigators will require can be cryptographically hashed far more easily and quickly using the on-demand resources in the cloud.

The forensics tools can also live in their own offshoot of the environment, allowing very tight control over who has access to those tools and how they will be used. There are definite advantages to having a separate investigation environment for all the resources that are on the same cloud. Costs can be contained by making direct DVD copies from the investigation environment as and when needed, which also makes the process much more portable if information has to be turned over to the legal department or other investigators. This is what makes cloud computing compelling: a near-instant backup of an environment with the ability to expand and contract at will, rather than leaving resources in the data center unused waiting for something that might happen infrequently. This kind of on-demand service also runs at the speed of the cloud, making the process much quicker when doing a bit-by-bit copy. These realizable advantages of cloud computing security as a service will also make the business office happier, because they are only paying for the space they are using and can allocate waiting resources to something else, saving the company money in the longer run.
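As an added example (not code from the original post) of the imaging and hashing steps discussed above: a hypothetical Python helper that hashes an acquired image piecewise, dcfldd-style, so that verifying a bit-by-bit copy later reports not only that it changed but at which block offsets. The sample image bytes are constructed filler, and the block size is shortened for demonstration.

```python
import hashlib
from datetime import datetime, timezone

# Constructed demo block size; real acquisitions use larger blocks (e.g. 1 MiB).
BLOCK_SIZE = 4096

def piecewise_hashes(data: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Build an acquisition manifest: UTC time, total size, whole-image SHA-256
    and one SHA-256 per block. The size is recorded so truncation is detected."""
    whole = hashlib.sha256()
    blocks = []
    for offset in range(0, len(data), block_size):
        chunk = data[offset:offset + block_size]
        whole.update(chunk)
        blocks.append(hashlib.sha256(chunk).hexdigest())
    return {
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "size": len(data),
        "block_size": block_size,
        "sha256": whole.hexdigest(),
        "blocks": blocks,
    }

def verify_image(data: bytes, manifest: dict) -> list:
    """Compare a copy against its manifest. Returns [] when the copy is identical,
    otherwise the byte offset of every block that differs, is missing or is extra."""
    bs = manifest["block_size"]
    current = piecewise_hashes(data, bs)
    if current["sha256"] == manifest["sha256"] and current["size"] == manifest["size"]:
        return []
    bad = []
    for i in range(max(len(current["blocks"]), len(manifest["blocks"]))):
        have = current["blocks"][i] if i < len(current["blocks"]) else None
        want = manifest["blocks"][i] if i < len(manifest["blocks"]) else None
        if have != want:
            bad.append(i * bs)
    return bad

# Constructed sample "image": filler bytes standing in for a disk dump (2.25 blocks).
SAMPLE_IMAGE = b"A" * BLOCK_SIZE + b"B" * BLOCK_SIZE + b"C" * 1000
MANIFEST = piecewise_hashes(SAMPLE_IMAGE)

if __name__ == "__main__":
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[BLOCK_SIZE + 10] ^= 0xFF  # flip bits inside the second block
    print("pristine copy differs at:", verify_image(SAMPLE_IMAGE, MANIFEST))    # []
    print("tampered copy differs at:", verify_image(bytes(tampered), MANIFEST))  # [4096]
```

Keeping the manifest with the copy lets a second investigator re-run the verification independently, and a mismatch narrows re-acquisition to the affected blocks rather than the whole image.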
