NIST Cloud Computing Forum and Workshop VIII
July 2015
Cloud Computing Forensic Science
Posted as a courtesy by:
Dave Sweigert
CISA CISSP HCISPP PMP SEC+
1. NIST Cloud Computing Forum and Workshop VIII
Dr. Martin Herman
ITL Senior Advisor for Forensics and IT
Information Technology Laboratory (ITL)
National Institute of Standards & Technology
2. Cloud Computing Forensic Science
• Application of science and technology to investigation and establishment of facts of interest within cloud environments for:
  – Courtroom
    • Criminal investigation and prosecution (e.g., child exploitation, drug dealings, terrorism, cyber attacks, data breaches, insider theft)
    • Civil litigation (e.g., e-discovery in lawsuits, insurance claims)
  – Regulatory compliance (e.g., auditing)
  – Internal business policy violations
    • Within an enterprise (e.g., HR privacy violations, employee computer misuse)
  – Cybersecurity (incident response)
    • Mitigate future cyber attacks, prevent system failure, minimize data loss
3. NIST Activities
• Chair of the Cloud Computing Forensic Science Working Group
• Long-term goals:
  – Determine challenges in cloud forensics
    • Forensics applied to artifacts/evidence found in the cloud (as opposed to using the cloud to perform forensic analysis on data from other sources)
    • Identify, aggregate, analyze challenges
  – Prioritize challenges
  – Determine gaps in technology, standards and measurements to address these challenges
  – Develop a roadmap to address these challenges
4. NIST Cloud Computing Forum and Workshop VIII
1. Confidentiality
2. Root of Trust
3. E-Discovery
4. Deletion in the Cloud
5. Lack of Transparency
6. Timestamp
7. Use of Metadata
8. Geo-location
9. Data Integrity
10. Recovering Overwritten Data
11. Data Chain of Custody
12. Chain of Dependencies
13. Resource Seizure
14. Secure Provenance
15. Chain of Dependencies
16. Locating Evidence
17. Evidence Identification
5. Cloud Computing Forensic Science Challenges
• Challenges related to:
  – Architecture (e.g., segregation of potential evidence in a multi-tenant system)
  – Data collection (e.g., recovery of deleted data in a shared and distributed virtual environment; e.g., E-Discovery)
  – Analysis of forensic data (e.g., evidence correlation across multiple cloud providers)
  – Anti-forensics (e.g., malicious code may circumvent virtual machine isolation methods)
• Challenges related to:
  – Incident first responders (e.g., confidence, competence, and trustworthiness of the cloud providers to act as first responders and perform data collection)
  – Role management (e.g., ease of anonymity and creating false personas online)
  – Legal issues (e.g., ease of anonymity and creating false personas online)
  – Standards (e.g., lack of test and validation procedures)
  – Training (e.g., lack of test and validation procedures)
7. Assessment of Importance
8. Highest Priority Challenges & Scores
Score  Challenge
10     Confidentiality and PII
9      Root of trust
9      E-discovery
8      Deletion in the cloud
8      Lack of transparency
7      Timestamp synchronization
7      Use of metadata
7      Multiple venues and geolocations
7      Data integrity and evidence preservation
6      Recovering overwritten data
6      Cloud confiscation and resource seizure
6      Potential evidence segregation
6      Secure provenance
6      Data chain of custody
6      Chain of dependencies
6      Locating evidence
6      Locating storage media
6      Evidence identification
6      Dynamic storage
6      Live forensics
6      Resource abstraction
6      Ambiguous trust boundaries
6      Cloud training for investigators
From NIST IR 8006: DRAFT NIST Cloud Computing Forensic Science Challenges
http://csrc.nist.gov/publications/PubsNISTIRs.html
9. Use Case Template
Cloud forensic challenge highlighted by this use case:
Title of use case:
Description of use case:
Forensic evidence relevant to use case:
Relevance to the cloud forensic challenge:
The role of each cloud stakeholder in the forensic investigation:
Cloud Service Consumer (Enterprise):
Cloud Service Consumer (Individual):
Cloud Service Provider:
Cloud Broker (Technical):
Cloud Broker (Business):
Cloud Carrier:
Cloud Auditor (Law enforcement):
Cloud Auditor (Government regulators):
Cloud Auditor (Accreditation & certification bodies):
Cloud Auditor (Forensics lab practitioners):
How do the cloud stakeholders work together in the forensic investigation?
The role of client endpoints:
What is the effect of different cloud service/deployment models?
IaaS Public:
IaaS Private:
IaaS Hybrid:
IaaS Community:
PaaS Public:
PaaS Private:
PaaS Hybrid:
PaaS Community:
SaaS Public:
SaaS Private:
SaaS Hybrid:
SaaS Community:
What technical, legal and best practices elements are needed to achieve a successful forensic investigation in this use case?
Technical (technology and technical standards):
Legal:
Best practices:
For the technical elements, what are the gaps in technology and standards?
10. Today's Agenda
• Will focus on several of the top challenges:
  – Cloud E-Discovery
  – Root of trust
  – Deletion in the cloud
  – Timestamp synchronization
  – Data integrity & evidence preservation
• Will also discuss other areas of interest in cloud forensics:
  – Data governance in the cloud
  – Forensics in stealth and dark clouds
  – Cloud forensics architecture