Computer Forensics outside the Corporate Network – the Cloudby Jason Hare Executive
Many companies are using cloud-based applications and storage, and
this presents a new set of challenges for information security and for
forensic computer investigations.
More and more companies are outsourcing their IT infrastructure into cloud-based services. An example of this is Office 365, which removes the need for organisations to purchase and maintain IT hardware to run their email system. This can be a quick and cost-effective way of satisfying the organisation’s IT requirements.
An on-site computer forensics exercise can investigate down to the finest digital detail, how a computer has been used (or misused) including which files have been created, accessed or copied – along with investigating web and email history and details of which devices have been plugged into the computer and what they were used for.
However, there are new challenges when computer forensics techniques are applied to the Cloud, such as multi-tenant hosting, synchronization issues, and also methods for separating log data.
In traditional computer forensics, the evidence contained within the media is within the control of local authorities from the moment of seizure. Assuming that the cloud in question may be within the United States or elsewhere, the forensic challenges raised by cloud computing are related to control of the evidence, including collection, preservation and validation.
With cloud computing, the investigator does not have physical control of the media nor the network on which it resides. Many users will have access to a particular cloud. How does the investigator obtain only that portion of the media where the evidence may exist?
When dealing with a cloud-based environment it is important to appreciate that the data may not be under your full control. Firstly, it is worth exploring exactly where their data are being held. If it is on non-EU based servers, there may be data protection and data privacy issues. Also, you should be aware that it will not be possible to ‘turn off’ the device to ensure preservation. There is a risk that the data could be remotely accessed and tampered with.
• Have a response plan in place so that their IT team is able to respond to incidents quickly.
• It is important that information about who has access to what is readily available and that a procedure to revoke access is in place to allow an immediate response, should it be required.
• It can be difficult to acquire data from cloud storage in a forensic manner. However, there are tools and expertise available out there which can assist. Simply copying this information in the traditional way may not be sufficient.
For more information on computer forensics, please call us on 01789 261200 or email email@example.com, or check out http://www.cclgroupltd.com/digital-forensics/corporate/computer-investigations.
Nathan is a digital forensics specialist at CCL Group - the UK’s leading supplier of digital forensics, including: computer forensics corporate network, mobile phone forensics and cell site analysis services, for more information visit www.cclgroupltd.com
Created on Dec 31st 1969 18:00. Viewed 0 times.