The use of cloud services has skyrocketed primarily because it is cheaper and more convenient than the alternative. Unfortunately, many companies have entered the cloud without first checking the weather forecast or performing a risk analysis. What happens if the cloud gets stormy, you suffer a breach, and you find yourself in the position of having to conduct digital forensics? What now? Can you collect data yourself? Where is your data? Who else has had access to your data? Is the provider the actual data holder or have they subcontracted? Many of these issues are better addressed before you enter the cloud. Failing that, what can you do?
Challenges of Cloud Forensics
Unlike traditional digital forensics, cloud forensics presents a unique challenge due to the omnipresent nature of “the cloud.” Many of these challenges are legal and can be overcome by planning. NIST[1] defines the cloud as, “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”[2] Okay, in English, the cloud is a service, like online backup, online software, and other computing services, owned by someone else and not physically resident on your computer, similar to renting a car. It can be accessed from anywhere you have an Internet connection.
Many people mistakenly assume that services such as Gmail, Yahoo, LinkedIn, etc., are cloud services. The primary difference is that those services are free, whereas cloud services require payment by subscribers. This distinction is important, because it provides a clearer description of the cloud. Privacy and legal issues will likely differ for paid and free services, as will the ability to negotiate the terms of service. The absolute necessity to negotiate the terms will be discussed later in this paper.
The four defining characteristics of the cloud are: on-demand self-service,[3] rapid elasticity,[4] location independence,[5] and data replication.[6]
Why You Would Need to Collect Data from a Cloud Provider?
This series explores issues a company or forensic examiner may face when collecting information from the cloud with a primary focus on civil litigation or other action as opposed to collecting evidence for criminal prosecution. Much overlap exists between the situations, and some comparisons will be made.
Although this paper discusses many legal issues, this is not a legal “how-to” article, as it does not discuss any and every potential issue, tool, technique, etc. The purpose is to provide some insight into cloud forensics. My research on the topic has not yielded a source that provides clear and concise guidance, so I hope this starts the ball rolling. The issues I’ll cover include:
- Can you collect the data yourself?
- Which jurisdiction applies?
- Can you compel the disclosure of data?
- What tools or techniques are available for compelling information?
Can you prepare for cloud forensics?
[1] NIST is the acronym for National Institute of Standards and Technology.
[1] Mell, P., & Grance, T., Definition of Cloud Computing: NIST Special Publication 800–1, (2011) at http://csrc.nist.gov/publications/nistpubs/800–145/SP800-145.pdf. Hereinafter NIST.
[1] On-demand self-service in the cloud context refers to the customer being able to add and delete services as he/she sees fit, quickly and easily. Techopedia at https://www.techopedia.com/definition/27915/on-demand-self-service.
[1] Rapid elasticity is the ability to scale or add and remove resources both up and down as needed. Cloud Computing Glossary at http://cloudglossary.com/home/id.Rapid-Elasticity/i.html.
[1]Location independence, just as the name conveys, allows the customer to be anywhere in the world where he/she has access to an Internet connection and access his or her cloud services, e.g., office, storage, etc. ReliScore.com at http://reliscore.com/blog/cloud-computing-the-very-basics/.
[1] Data replication involves sharing information to ensure consistency between redundant resources, such as software or hardware components, to improve reliability, fault-tolerance, or accessibility. Wikipedia at https://en.wikipedia.org/wiki/Data_replication. See NIST at Note 3.
Reproduced from Global Knowledge White Paper: Legal Issues of Cloud Forensics
Legal Issues of Cloud Forensics Series
- Legal Issues of Cloud Forensics — Part 1