Why Cloud Computing and Hosted Environments Can Make Forensic Investigations Challenging

Daniel Tobok
E: daniel@cytelligence.com

Posted on: January 9, 2019

While there are similarities between cloud computing and hosted environments, there are also some key differences. Both platforms are vulnerable to breaches, and there are significant challenges both in applying forensic investigation techniques to find out what happened in the event of a breach and in establishing a plan to prevent one from happening again.

Cloud computing services provide on-demand IT resources, such as computer power, storage, database access, or applications, accessed through the internet. Cloud computing allows businesses to access computer services without making an upfront hardware investment and scale services as their business needs change.

In a hosted environment, dedicated servers are hosted offsite. Your connection may be through the internet or a direct connection, but the hardware is not shared. In a cloud computing environment, storage and server space are often shared with other businesses to lower costs through economies of scale.

Cyber Attack Vulnerability

Cloud-based services, whether true cloud computing or in a hosted environment, are attractive to hackers, with major breaches even occurring at large tech companies. Yahoo! had 3 billion accounts compromised, while Oracle had a cloud-based breach in August 2016 that attacked its retail payment terminals, compromising customer credit card data. To protect your data, it’s critical you work with companies that take cyber security seriously and can provide expert forensic investigations in the event of a breach.

The Challenges of Forensic Investigation Techniques

Once a breach happens, cloud-based and cloud-hosted service providers aren’t generally welcoming of investigations into their environments. In many cases, some will drag their feet on providing data, such as images of servers or server logs.

In cloud computing, hosting companies don’t want to compromise the confidentiality of other clients on shared servers. While logs may be filtered to protect data, unless a server is dedicated to you, system images will likely show data from other clients. Cloud companies are also often reluctant to release any data, because it may display information they simply don’t want you to know. For example, you might think your data is being hosted on a dedicated cloud server, but instead it’s ended up on a virtual site on a shared server.

Forensic Data As Evidence

Even if you can follow the trail and uncover where and how a data breach occurred (and ultimately who did it), the evidence must meet strict compliance guidelines to be used in any criminal proceeding or court case. The forensic team must identify and maintain the integrity of the data. In a cloud environment, data may be stored across machines that aren’t readily accessible by investigators, since there isn’t physical access to any hardware.

Because servers are shared in cloud computing, making sure the data is specific to the target company is critical. With mixed data, it may be difficult to isolate the needed data. It may also be difficult to pinpoint exactly where in the cloud a breach has occurred.

Make Sure You’ve Done the Work Necessary to Protect Yourself

If you want to be able to investigate a breach, especially if your data is stored in a cloud environment, you need to make sure you have an agreement with your service provider that stipulates they will retain data logs.

This includes application, system, security and network logs for a determined period of time. It’s also suggested that you ensure you are granted access to your data in the event of a breach. Make sure these stipulations are in writing or you risk not having access to your data in the event of a breach.