Computer Forensics outside the Corporate Network – the Cloud
by Jason Hare
Many companies are using cloud-based applications and storage, and
this presents a new set of challenges for information security and for
forensic computer investigations.
More and more companies are
outsourcing their IT infrastructure into cloud-based services. An
example of this is Office 365, which removes the need for organisations
to purchase and maintain IT hardware to run their email system. This can
be a quick and cost-effective way of satisfying the organisation’s IT
requirements.
An on-site computer forensics exercise can
investigate, down to the finest digital detail, how a computer has been
used (or misused), including which files have been created, accessed or
copied, along with web and email history and details of
which devices have been plugged into the computer and what they were
used for.
However, there are new challenges when computer
forensics techniques are applied to the Cloud, such as multi-tenant
hosting, synchronization issues, and methods for separating log
data.
In traditional computer forensics, the evidence contained
within the media is within the control of local authorities from the
moment of seizure. Assuming that the cloud in question may be within the
United States or elsewhere, the forensic challenges raised by cloud
computing are related to control of the evidence, including collection,
preservation and validation.
With cloud computing, the
investigator does not have physical control of either the media or the network
on which it resides. Many users will have access to a particular cloud.
How does the investigator obtain only that portion of the media where
the evidence may exist?
RISKS:
When dealing with a cloud-based
environment it is important to appreciate that the data may not be
under your full control. Firstly, it is worth exploring exactly where
your data are being held. If they are on non-EU-based servers, there may
be data protection and data privacy issues. Also, you should be aware
that it will not be possible to ‘turn off’ the device to ensure
preservation. There is a risk that the data could be remotely accessed
and tampered with.
TIPS:
• Have a response plan in place so that your IT team is able to respond to incidents quickly.
• It is important that information about who has access to what is
readily available and that a procedure to revoke access is in place to
allow an immediate response, should it be required.
• It can be
difficult to acquire data from cloud storage in a forensic manner.
However, there are tools and expertise available which can
assist. Simply copying this information in the traditional way may not
be sufficient.
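To illustrate the last tip and the earlier point about collection, preservation and validation, the following added example (not code from the original article or from CCL Group) records a sealed SHA-256 manifest when a cloud export is acquired and later checks the copy against it. The file names, tenant label and examiner name are constructed placeholders, and obtaining the export from the provider is outside this example.

```python
import hashlib, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):  # stream large exports
            h.update(block)
    return h.hexdigest()

def hash_tree(export_dir):
    """Map each exported file's relative path to its SHA-256."""
    return {p.relative_to(export_dir).as_posix(): sha256_file(p)
            for p in Path(export_dir).rglob("*") if p.is_file()}

def seal_of(manifest):
    # Hash of the canonical manifest; record it separately (e.g. in case notes).
    return hashlib.sha256(json.dumps(manifest, sort_keys=True).encode()).hexdigest()

def build_manifest(export_dir, source, examiner):
    """Record what was acquired, from where, by whom and when."""
    return {"source": source, "examiner": examiner,
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            "files": hash_tree(export_dir)}

def verify(export_dir, manifest, seal):
    """Return discrepancies; an empty list means the copy still validates."""
    problems = [] if seal_of(manifest) == seal else ["manifest altered"]
    recorded, current = manifest["files"], hash_tree(export_dir)
    for rel in sorted(set(recorded) | set(current)):
        if rel not in current:
            problems.append(f"missing file: {rel}")
        elif rel not in recorded:
            problems.append(f"unexpected file: {rel}")
        elif recorded[rel] != current[rel]:
            problems.append(f"hash mismatch: {rel}")
    return problems

def demo():
    """Constructed sample: two stand-in export files, one changed after acquisition."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "mailbox.pst").write_bytes(b"constructed mailbox data")
        Path(d, "audit.csv").write_bytes(b"constructed audit log")
        manifest = build_manifest(d, "example-tenant (placeholder)", "examiner-1")
        seal = seal_of(manifest)
        clean = verify(d, manifest, seal)
        Path(d, "audit.csv").write_bytes(b"edited after acquisition")
        return clean, verify(d, manifest, seal)
```

Calling `demo()` returns the verification result before and after the simulated change, so the second list names the file whose hash no longer matches the manifest.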
For more information on computer forensics, please
call us on 01789 261200 or email contact@cclgroupltd.com, or check out
http://www.cclgroupltd.com/digital-forensics/corporate/computer-investigations.
Author:
Nathan is a digital forensics specialist at CCL Group, the UK’s leading supplier of digital forensics, including computer forensics corporate network, mobile phone forensics and cell site analysis services. For more information, visit www.cclgroupltd.com