Sleuthing the Cloud: The Challenges of Forensics in Cloud Environments

Robert Meekins, Director, Forensics, Coalfire

More and more companies are embracing cloud computing for the practicality, efficiency, and economy of outsourcing the housing, maintenance, and monitoring of applications and their associated infrastructure to a third-party provider. As the cloud becomes more the norm than the exception, there is no lack of choices: providers such as Amazon (AWS), Microsoft, IBM, and countless others offer a variety of solutions, from e-commerce sites that process payments and credit cards to development networks used to test and configure operational assets. While the cloud is highly enabling for today's enterprise, it poses real challenges for forensics examiners working to analyze security incidents involving cloud infrastructure. Examiners continue to find new ways to gather the data needed for analysis, since the need for cloud forensics will only continue to grow.

Forensic examiners are trained to capture evidence and examine it in a forensically sound manner, always maintaining the integrity of the evidence. Cloud computing, however, introduces several new obstacles to obtaining a forensically sound image. Cloud workloads run as virtual machines (VMs), and their data can be spread across multiple hosting centers. One obstacle is that the cloud provider may prohibit the client from downloading a copy of a VM unless the client created it and uploaded it in the first place. Further, some cloud hosting solutions use VM disk formats that are not immediately compatible with forensic processing software and may need to be converted to a more open format (for example, converting a VHD or VMDK to a raw image with a tool such as qemu-img). Because conversion changes the bytes, the examiner should record the hash of the original file and of the converted image and document the conversion step, so the chain of custody survives the format change.

Cloud forensics is really a combination of traditional digital forensics and cloud computing. Even with the savings and convenience of cloud infrastructure, many clients find that some cloud providers do not provide detailed information about the underlying infrastructure or the security controls in place to protect cloud assets. Many clients have found that, once an incident has occurred, obtaining network logs, firewall logs, and similar records from the provider is difficult and not always comprehensive, which is why the client's own logging matters so much. A review of the various cloud providers' policies shows vast differences in how VMs are handled.

In the AWS environment, a client has full control over a VM image that they created and uploaded (imported) themselves. In that case, if an incident occurs, the client can export the VM and use it however they see fit, including storing it in a location of their choosing and granting their investigators access to it. If the VM was launched from an AWS-provided image, the client is not permitted to export it as a VM image for investigative purposes; AWS's VM Export feature is limited to instances that were originally imported with VM Import. In that case the client must investigate the VM while it resides in the cloud, typically by snapshotting its EBS volumes and examining those snapshots from a forensic workstation inside AWS. This is where Coalfire's approach has its advantages.

Coalfire has established a forensics platform in the AWS environment and can work with images there without downloading them first, which avoids violating the cloud service provider's (CSP's) terms of service. We can access a client's S3 bucket and acquire the image for analysis by the forensics software suites we deploy. In the event a client suffers an incident in their AWS environment, Coalfire can conduct the analysis of the system entirely within AWS. This is also a far more efficient way to deliver data for examination, because it avoids lengthy transfers and the shipment of physical storage devices, saving both time and money. Coalfire works closely with many clients who maintain cloud environments to help secure their networks and maintain configurations that provide the most useful logging (in AWS, for example, CloudTrail for API activity and VPC Flow Logs for network traffic). Documenting system and network activity through logging provides great insight into the security posture of a cloud environment and yields valuable artifacts in the event of a security incident.
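The in-cloud acquisition described above, worked through as an added example that is not Coalfire's platform or code: snapshot every EBS volume attached to a suspect instance, tag the snapshots with the case identifier, share them with a separate forensics account, and hash whatever device the examiner later attaches. It relies only on documented boto3 EC2 client calls (describe_instances, create_snapshot, get_waiter, modify_snapshot_attribute); the FakeEC2 class, the case identifier, and every instance, volume and account ID are constructed so the script runs offline.

```python
"""In-cloud acquisition of an EC2 instance's EBS disks.  Added example, not
Coalfire's code.  It assumes only the documented boto3 EC2 client calls
describe_instances, create_snapshot, get_waiter and modify_snapshot_attribute;
FakeEC2 is a constructed stand-in so the workflow runs offline (pass
boto3.client("ec2") to run it for real).  Every ID in this file is made up."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def acquire_instance_volumes(ec2, instance_id, case_id, forensics_account_id):
    """Snapshot each EBS volume on the instance and share the snapshot with a
    separate forensics account.  The instance keeps running, so snapshots are
    crash-consistent and memory is not captured.  Returns custody records."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    instances = [i for r in resp["Reservations"] for i in r["Instances"]]
    if len(instances) != 1:
        raise ValueError(f"expected exactly one instance for {instance_id}")
    records = []
    for mapping in instances[0].get("BlockDeviceMappings", []):
        ebs = mapping.get("Ebs")
        if not ebs:
            continue  # instance-store devices have no EBS volume to snapshot
        snap = ec2.create_snapshot(
            VolumeId=ebs["VolumeId"],
            Description=f"{case_id} {instance_id} {mapping['DeviceName']}",
            TagSpecifications=[{"ResourceType": "snapshot",
                                "Tags": [{"Key": "case", "Value": case_id}]}])
        snapshot_id = snap["SnapshotId"]
        # Sharing a pending snapshot fails, so block until it completes.
        ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snapshot_id])
        ec2.modify_snapshot_attribute(SnapshotId=snapshot_id, Attribute="createVolumePermission",
                                      OperationType="add", UserIds=[forensics_account_id])
        records.append({"case": case_id, "instance": instance_id, "device": mapping["DeviceName"],
                        "volume": ebs["VolumeId"], "snapshot": snapshot_id,
                        "shared_with": forensics_account_id,
                        "acquired_utc": datetime.now(timezone.utc).isoformat()})
    return records


def sha256_of_device(path, chunk_size=1 << 20):
    """Stream-hash a block device (e.g. /dev/xvdf after the examiner creates a
    volume from the shared snapshot and attaches it) or an image file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sha256_of_sample_image(data):
    """Spool constructed bytes to a temp file and hash it exactly as a real
    attached device would be hashed; used only for the offline demonstration."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
    try:
        return sha256_of_device(f.name)
    finally:
        os.unlink(f.name)


class FakeEC2:
    """Constructed stand-in for boto3.client('ec2'): returns the minimal
    response shapes the real API uses and records which snapshots were shared."""
    def __init__(self, instance_id, volume_ids):
        self.instance_id = instance_id
        self.volume_ids = list(volume_ids)
        self.shared = {}  # snapshot_id -> set of account IDs granted access
        self._count = 0

    def describe_instances(self, InstanceIds):
        assert InstanceIds == [self.instance_id]
        mappings = [{"DeviceName": f"/dev/sd{chr(ord('a') + i)}", "Ebs": {"VolumeId": v}}
                    for i, v in enumerate(self.volume_ids)]
        return {"Reservations": [{"Instances": [
            {"InstanceId": self.instance_id, "BlockDeviceMappings": mappings}]}]}

    def create_snapshot(self, VolumeId, Description, TagSpecifications):
        self._count += 1
        snapshot_id = f"snap-{self._count:017x}"
        self.shared[snapshot_id] = set()
        return {"SnapshotId": snapshot_id, "VolumeId": VolumeId}

    def get_waiter(self, name):
        assert name == "snapshot_completed"
        return type("Waiter", (), {"wait": lambda self, **kw: None})()

    def modify_snapshot_attribute(self, SnapshotId, Attribute, OperationType, UserIds):
        assert Attribute == "createVolumePermission" and OperationType == "add"
        self.shared[SnapshotId].update(UserIds)
        return {}


if __name__ == "__main__":
    ec2 = FakeEC2("i-0123456789abcdef0", ["vol-0aaa", "vol-0bbb"])
    print(acquire_instance_volumes(ec2, "i-0123456789abcdef0", "CASE-001", "111111111111"))
    print(sha256_of_sample_image(b"constructed disk bytes"))
```

Two caveats a practitioner should keep in mind. First, the snapshot and the volume built from it stay inside AWS, so nothing in this flow downloads a VM; the examiner creates a volume from the shared snapshot in the forensics account, attaches it to a workstation there, and runs sha256_of_device on the raw device before mounting it read-only, then again when the examination ends. Second, a snapshot encrypted with the account's default AWS-managed key cannot be shared with another account; the volume must be unencrypted or encrypted with a customer-managed key whose policy grants the forensics account access, which is a decision to make before the incident, not during it.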

Microsoft Azure's setup is quite different: the client has full control over the VM in all cases and can either download the VM disk directly or provide a link from which it can be downloaded. Microsoft has even created an application, Microsoft Azure Storage Explorer, to facilitate downloading images. It presents a GUI with a view similar to Windows Explorer and allows a third-party investigator to download the image as long as the client has provided the appropriate credentials. As with any downloaded image, the examiner should record its hash immediately after the transfer completes, before any conversion or analysis begins.

With IBM / SoftLayer, clients likewise have full control and can download the image or share it with others. SoftLayer supports snapshots of both bare-metal servers and virtual server instances (VSIs), stores them securely, and makes them accessible via remote access. This eliminates most of the complexity for traditional forensics service providers.

Rackspace advises that, in the event of an incident, the client should contact their Account Manager to determine how they can obtain an image of the VM. In all cases, regardless of provider, the client is responsible for establishing appropriate security controls and logging for the systems deployed in the cloud environment.

Coalfire provides forensic services to clients with various types of systems in many kinds of environments. Cloud computing environments pose additional obstacles that can hinder forensics, but we work with our clients to prepare them, before an incident, to deal with the aftermath of a security incident involving cloud systems. That preparation makes it possible to answer the important post-incident questions: who was responsible for the attack, how the system was compromised, and what data may have been exposed. The answers in turn provide the roadmap for improving defenses against future attacks.
