Digital forensic challenges in a cloud computing environment

Cloud computing creates difficulties for digital forensic investigators.

The benefits of cloud computing are well known: distributed and lean processing, resource and cost sharing, and faster integration of technology. On the other hand, some of the concerns regarding cloud computing include digital forensics, information security, data jurisdiction, privacy and national law. For many, the benefits of migrating to the cloud outweigh these concerns; therefore, the digital forensic community has started to focus on how to adapt current procedures towards cloud computing. This article focuses on the concerns or issues that a cloud computing environment presents to the digital forensic community and businesses.

When data is stored in a cloud computing environment, it is sectioned into single data structures, which in turn are divided into elements. This makes the process of identifying and acquiring data very difficult. Data that lacks preservation and integrity will prove difficult for digital forensic investigators, who need to ensure data is comprehensive, inclusive and verifiable for use in criminal or corporate investigations, assuming the investigators are able to acquire the data in the first place.

The benefits that have made cloud computing so popular are reasons for concern for digital forensic investigators. First, the cloud is scalable, which means at one point or another, data from several businesses can occupy the same sectors within the storage media.  This creates a dilemma during e-discovery, where the investigator could unknowingly acquire residual data from company X when company Y is being investigated.

The accessibility of data in terms of physical location and personnel access is something all organizations need to consider.  If the data is stored in a country that does not recognize data privacy and security laws, or does not enforce existing laws, investigators could have a difficult time accessing the data to conduct their investigations.  Also, not all data is stored in one location; a company could unknowingly be using cloud servers on several different continents. Even if the data is accessible, the jurisdiction of the data could be in question.  Investigators have to ask if they are even allowed to acquire and investigate data that is stored in a different country.  Next, the location of the data, coupled with a lack of logging or use of anonymous authentication, could make it very difficult to establish and maintain an accurate chain of custody.  This lack of integrity in the data will result in a failed investigation. Therefore, organizations have to be mindful of the contracts they sign with cloud providers, or chances are the physical location of their data will not be in the United States.

The digital forensic community is currently working toward creating new approaches for the extraction of digital evidence from cloud providers that will be admissible in court proceedings or corporate dispositions. This is not an easy task, and will take a considerable amount of time to obtain suitable results. Traditional computer forensics is not a feasible option; therefore, researchers are looking at live forensics as a means of examining a cloud environment. The concerns of locating and identifying the data are proving to be quite challenging, and will take time to perfect. These challenges are in addition to the jurisdictional and chain of custody concerns. Researchers are beginning to analyze ways to show ownership of manipulated data, which will help with integrity issues. However, the jurisdictional concerns will be for the legal and governance communities to address.

As with any new technology, the benefits come with concerns, and cloud computing is no different. The cloud has allowed organizations to do more with less, but has created a challenging situation for the digital forensic world. Therefore, organizations need to be very diligent when entering into contracts with cloud service providers.  They need to take the necessary steps to ensure they have access to their data should they encounter an event that needs digital forensics.


About the authors:

Ashley Podhradsky, D. Sc., is an assistant professor in the Computing and Security Program at Drexel University.  Dr. Podhradsky teaches and conducts research in digital forensics and information security. Her research has been recognized in academic conferences and journals within the U.S. and internationally. 

Cindy Casey has an A.A.S. in computer forensics and completed her internship with the Montgomery County District Attorney’s Office’s Computer Crime Unit. Ms. Casey, a student of Dr. Podhradsky, is currently enrolled in the Computing and Security Technology program at Drexel’s Goodwin College of Technology and Professional Studies.
