Cloud Forensics
Forensic Requirements
- ISO/IEC publishes a set of international digital forensics standards:
  - ISO/IEC 27037: guidelines for identifying, collecting, acquiring, and preserving digital evidence
  - ISO/IEC 27041: guidance on assuring the suitability and adequacy of incident investigation methods
  - ISO/IEC 27042: guidelines for the analysis and interpretation of digital evidence
  - ISO/IEC 27043: incident investigation principles and processes
  - ISO/IEC 27050-1: electronic discovery (eDiscovery), part 1: overview and concepts
Cloud Forensic Challenges
- the distributed model of the cloud presents challenges:
  - data location (which region, which physical host, which replicas)
  - collection mechanism (no physical access; must rely on provider APIs, snapshots, or exports)
  - international laws (data may sit in, or transit, multiple jurisdictions)
Collection and Acquisition
- cloud differs from traditional environments
  - resources may have multiple owners, either the customer or the provider
    - which party owns (and can image) a given layer depends on the service model (IaaS/PaaS/SaaS) and deployment model (public/private/community/hybrid)
  - shared underlying infrastructure raises the concern of third-party (other tenants') data
    - can limit forensic collection, e.g. a shared physical disk or hypervisor cannot simply be imaged without exposing other tenants
  - forensic collection may therefore require the involvement of the cloud provider
    - to enable the customer to capture the data sufficiently (snapshots, log exports, host-level artifacts the customer cannot reach)
  - ISO/IEC 27037 and 27042 are excellent guides
Evidence Preservation and Management
- coordinate the chain of custody process with the cloud provider (who collected what, when, how, and every hand-off since)
- best to get counsel from specialized consultants
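The chain-of-custody coordination above is a process, but the customer side of it has a concrete technical core: hash every artifact at the moment it is received from the provider, record who held it and when, and re-verify before analysis or hand-off. The following script is an added example written for these notes, not code from the page or from any provider; it assumes the evidence (a snapshot and a log export) has already been delivered as local files, and the two sample files it creates are constructed for the demo.

```python
"""Minimal chain-of-custody manifest for evidence obtained from a cloud provider.

Added example for these notes. Assumes the provider has already exported the
evidence into local files; the sample files below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream-hash a file so large snapshots do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def custody_event(action: str, actor: str, note: str = "") -> dict:
    """One custody record: UTC timestamp, what happened, who was responsible."""
    return {"time": datetime.now(timezone.utc).isoformat(),
            "action": action, "actor": actor, "note": note}


def build_manifest(paths, case_id: str, collector: str, source: str) -> dict:
    """Hash each evidence file at acquisition and open the custody log."""
    items = [{"file": os.path.basename(p),
              "size": os.path.getsize(p),
              "sha256": sha256_file(p)} for p in sorted(paths)]
    return {"case_id": case_id, "source": source, "items": items,
            "custody": [custody_event("acquired", collector)]}


def transfer(manifest: dict, from_actor: str, to_actor: str, note: str = "") -> dict:
    """Append a hand-off record; the manifest itself is the custody log."""
    manifest["custody"].append(
        custody_event("transferred", f"{from_actor} -> {to_actor}", note))
    return manifest


def verify(manifest: dict, directory: str) -> list:
    """Re-hash every item; return the names of files that no longer match."""
    mismatches = []
    for item in manifest["items"]:
        path = os.path.join(directory, item["file"])
        if not os.path.exists(path) or sha256_file(path) != item["sha256"]:
            mismatches.append(item["file"])
    return mismatches


def demo():
    """Build, hand off, verify, then show that post-collection modification is caught."""
    workdir = tempfile.mkdtemp()
    # Constructed sample evidence: a provider audit-log export and a stand-in disk image.
    samples = {
        "cloudtrail-export.json":
            b'{"eventName":"ConsoleLogin","userIdentity":{"userName":"alice"}}\n',
        "vm-snapshot.img": b"\x00" * 4096 + b"evidence" + b"\x00" * 4096,
    }
    paths = []
    for name, data in samples.items():
        p = os.path.join(workdir, name)
        with open(p, "wb") as f:
            f.write(data)
        paths.append(p)

    manifest = build_manifest(paths, "CASE-EXAMPLE-001",
                              "customer IR team", "provider export")
    transfer(manifest, "customer IR team", "outside counsel",
             "encrypted drive, sealed evidence bag")
    intact = verify(manifest, workdir)          # expected: [] (nothing changed yet)

    # Simulate accidental or malicious modification after collection.
    with open(paths[1], "ab") as f:
        f.write(b"X")
    tampered = verify(manifest, workdir)        # expected: ["vm-snapshot.img"]
    return manifest, intact, tampered


if __name__ == "__main__":
    m, before, after = demo()
    print(json.dumps(m, indent=2))
    print("mismatches before:", before, "after:", after)
```

Store the manifest separately from the evidence (and ideally sign it or record its own hash with counsel), since an attacker who can alter the snapshot can alter a co-located manifest just as easily; the provider's own collection record should carry the same hashes so both sides of the custody chain agree.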
e-Discovery
eDiscovery refers to the process of identifying, collecting, and producing electronically stored information for use in litigation or criminal prosecution.
- locating data in the cloud can be difficult
  - due to the decentralized nature of the cloud (replicas, regions, backups)
  - multitenant environments mean responsive data is co-located with other customers' data
- best to hire an expert consultant
- be familiar with laws, SLAs, and other contractual agreements that may affect the ability to conduct eDiscovery
  - especially across international boundaries, where data protection and blocking statutes may restrict transfer
- some CSPs offer SaaS eDiscovery solutions (legal hold, search, and export built into the platform)