The emerging field of cloud computing forensics

We’ve all seen those prime-time crime dramas or true-crime documentaries where the crime wasn’t solved by a detective with 20 years of experience, but by a man or woman who did computer forensics. Perhaps the hero hacked into a smartphone to see if someone’s alibi held up or if they were near the crime scene. Or they examined a computer hard drive to find evidence that was used in court to convict a felon.

What happens when all of this moves to the cloud? Cloud forensics, of course.


This career path is popping up more and more often these days. Recruiters ping me to find candidates for many of these jobs that are advertised by state, local, and federal governments. Many may not pay the best, but they may let you wear a badge and become a real law enforcement officer. Instead of a gun you have a laptop and lots of cloud computing knowledge to find evidence of a crime.

Traditional technology forensics examines tools and technology that you can see and own. Cloud computing is a different beast altogether, and many law enforcement agencies are unprepared to investigate crimes that may take place in the cloud. Cloud computing forensics is at least five times more complex than traditional technology forensics.

Here are just a few things folks getting into cloud computing forensics need to figure out:

In traditional computer forensics, the environment is frozen as assets are seized for analysis in the forensic lab. This is usually not possible in the cloud. You are investigating a target platform that is not stable. Thousands of other processes and people use the same hardware that you are trying to analyze.

What if you show up with a warrant to confiscate the server? If you are allowed to do so, the problem is that others also have data on the same server and you may expose yourself to legal liability if that data is breached or if it is regulated data such as HIPAA information.

Also, you must operate within the jurisdiction where this server is physically located. When it comes to another country, the legal minefield can be too daunting to cross. In fact, some criminals have chosen the cloud because they can hide data on cloud servers in countries that don’t allow these types of warrants. Or they target a cloud provider that will challenge warrants in court, which could delay an investigation by months or even years.

That doesn’t mean cloud computing forensics investigators are helpless. Other avenues include tracking the cloud billing data, operational logs, and other records that many cloud providers keep to help their customers understand what’s happening on their cloud platforms.

Those records include which cloud services were used, for what purpose, how long they were used, and how much storage was consumed. Cloud providers may even retain deleted files in case customers need to recover them. This data is becoming the primary tool of cloud forensics professionals, and while investigators are limited to what the cloud provider exposes to them remotely, that record is usually far richer than what a traditional computing device yields.
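To make the point above concrete, here is an added example (not code from the column or from any cloud provider) that treats a provider's exported audit log as evidence: it hashes the export as received, sorts the records into a timeline, reconstructs the history of one stored object (including a provider-side restore of a deleted file), and summarizes activity per principal. The record shape (`eventTime`, `eventName`, `principal`, `resource`, `bytes`) and the sample records are constructed for illustration; real provider log formats differ and would need their own parser.

```python
"""Build a forensic timeline from exported cloud audit-log records.

Added example. The JSON-lines record shape is a constructed, simplified
approximation of a cloud provider audit log; real formats differ.
"""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export: a bucket is created, an object is uploaded,
# deleted by a second principal, then restored by the provider's retention
# feature. Lines are deliberately out of order to show that sorting matters.
SAMPLE_LOG = """\
{"eventTime": "2022-03-01T10:05:00Z", "eventName": "PutObject", "principal": "user-a", "resource": "bucket-x/report.pdf", "bytes": 51200}
{"eventTime": "2022-03-01T10:00:00Z", "eventName": "CreateBucket", "principal": "user-a", "resource": "bucket-x", "bytes": 0}
{"eventTime": "2022-03-01T11:30:00Z", "eventName": "DeleteObject", "principal": "user-b", "resource": "bucket-x/report.pdf", "bytes": 0}
{"eventTime": "2022-03-01T12:00:00Z", "eventName": "RestoreObjectVersion", "principal": "provider-retention", "resource": "bucket-x/report.pdf", "bytes": 51200}
"""


def evidence_digest(raw):
    """SHA-256 of the export exactly as received, recorded before any parsing
    so the analysis can later be shown to rest on an unaltered copy."""
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def parse_records(raw):
    """Parse JSON-lines records and return them ordered by event time."""
    records = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(
            rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def resource_history(records, resource):
    """Chronological (time, principal, action) tuples for one resource."""
    return [
        (r["eventTime"], r["principal"], r["eventName"])
        for r in records
        if r["resource"] == resource
    ]


def activity_by_principal(records):
    """Event count and bytes written per principal (the 'who did how much'
    view that billing and usage records support)."""
    summary = defaultdict(lambda: {"events": 0, "bytes_written": 0})
    for r in records:
        s = summary[r["principal"]]
        s["events"] += 1
        if r["eventName"] in ("PutObject", "RestoreObjectVersion"):
            s["bytes_written"] += r["bytes"]
    return dict(summary)


def activity_window_seconds(records):
    """Span between first and last event in the sorted timeline."""
    return (records[-1]["ts"] - records[0]["ts"]).total_seconds()


if __name__ == "__main__":
    print("evidence sha256:", evidence_digest(SAMPLE_LOG))
    recs = parse_records(SAMPLE_LOG)
    for row in resource_history(recs, "bucket-x/report.pdf"):
        print(*row)
    print(activity_by_principal(recs))
    print("window (s):", activity_window_seconds(recs))
```

The digest is computed on the raw export rather than on the parsed records so that re-running the parser, or a different tool, can be checked against the same fixed value; the restore event shows how a provider's retention feature can put a deleted object back in scope for an investigation.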

I suspect that as cloud computing forensics grows, the number of tools and approaches will increase. Additionally, cloud providers need to provide some assistance to law enforcement, and that includes policies and procedures for dealing with crime in the cloud.

As in any other profession, those who choose a career path in cloud forensics will end up gaining a great deal of experience that will improve their effectiveness in finding evidence that may be needed to support legal cases. If this interests you, I’m sure a recruiter out there would like to speak to you.

Copyright © 2022 IDG Communications, Inc.
