Plan ahead to reduce cloud forensics challenges

Cloud forensics with CSPs

Create a list of questions about cloud forensics and data to ask during preliminary CSP research and/or contract negotiations. Among the most important are the following:

• What kind of data can and will the CSP provide, both regularly -- preferred for larger, more mature forensics teams -- and as needed during investigations? These data types may include the following:
  • Web server logs.
  • Application server logs.
  • Database logs.
  • Virtualization hypervisor host access logs.
  • Virtualization management platform logs and SaaS portal logs.
  • Network captures.
  • Billing records.
  • Management portal logs.
  • API access logs.
  • Cloud or network provider perimeter network logs.
  • Logs from DNS servers.
• What types of evidence are available from the CSP and when, specifically within service-level agreements? What logs and other information are available for container runtime systems and serverless hosting platforms?
• What sort of data retention and disposal lifecycle policies and processes are in place for security events and other related information?
• What forensics and response processes have been implemented to accommodate virtual infrastructure and cloud management platforms internally? For example, does the CSP use VM snapshots for evidence acquisition? How are virtual disk files overwritten for traditional IaaS workloads?

Cloud forensics with your organization's cloud infrastructure

The forensics data handled by CSPs is one part of the equation. Security teams must also adapt forensics tools and practices to the cloud infrastructure they are responsible for. This opens additional cloud forensics challenges, including the following:

• Disk imaging is a common forensics process, and disk copies are standard artifacts. While standard VMs -- among them Elastic Compute Cloud instances and Azure VMs -- offer simple snapshot processes, teams need to build new procedures around these steps, document them and ensure disk images are transferred and stored in accordance with chain-of-custody and evidence integrity practices.
• For most modern security teams, memory images are a mainstay of forensics evidence. Acquiring memory images requires access to the OS kernel in most cases, and this might not be available in a wide variety of cloud workload models -- containers and serverless, in particular. Even for traditional VMs, memory snapshots usually require a pre-installed agent to be present, which might not be practical.
• Most on-premises resources were enabled and ran for months or years, enabling organizations to more readily identify and classify them, as well as acquire forensics evidence on an ad hoc basis. Many cloud workloads are largely ephemeral, lasting only minutes or hours -- or days or weeks at best. This means identifying threats and collecting forensics evidence must be highly automated. Building this continuous monitoring and automated collection strategy can be time-consuming and requires more in-depth cloud skills.

Additionally, cloud security teams should set up a dedicated resource with extensive logging and auditing capabilities where evidence is copied and stored. In the case of a legal challenge, security teams need to demonstrate that cloud forensics evidence was obtained properly, copied safely to a secure location and not tampered with afterward. This requires in-depth cloud knowledge, as well as operational time and effort.

Overall, it's possible to overcome cloud forensics challenges, but organizations must plot their strategies carefully.