Forensics as it relates to data has always been a tricky area for investigators. As technology becomes more and more sophisticated, it has become harder and harder to ensure the availability of information in forensic investigations. The rise of sophisticated web attacks has only made it harder to accurately pinpoint them, and cloud has just thrown another wrench into the whole thing. In fact, forensics for cloud and virtualization environments has become one of those subjects no one wants to address because, frankly, it's not going to be pretty.
A key issue that complicates forensic investigations in virtual or cloud environments is that the data involved can be in any of three main states at any given time: at rest, in motion, or in use. Data at rest is understandably the easiest of the three to access, as by its nature it occupies allocated disk space, which can be examined even after the data has been deleted (provided that the space has not been overwritten or reallocated by some other means).
Data in motion is a little trickier, especially in virtual and cloud environments, which upend the basic rule of data in motion: that when data is transferred from one place to another, it leaves a trail on systems and network devices. Cloud makes this trickier still, since data can be transferred over a much wider area, even globally, often as a result of routine IT activities such as load balancing.
Lastly, if the data is being used by an application, or is an application in some form, it is neither at rest nor in motion; it is being executed. Data in use can only be captured by taking a snapshot of the system state. Snapshots are perhaps the best tool of all for any forensic investigation because they provide a copy of the state of a running machine. This means a snapshot can be taken and used for the investigation while the actual virtual machine keeps running. Unfortunately, taking these snapshots requires access to the infrastructure, which may not be part of the cloud service (as in the SaaS and PaaS models).
But the real hindrance to forensics with the move to cloud models is the involvement of the cloud service provider in the whole process. Bringing cloud providers and cloud infrastructure into the picture in itself means a loss of control on the part of the investigator. Traditionally, investigators were able to reconstruct scenarios and test hypotheses, but in a dynamic environment like the cloud this is no longer possible. There are simply too many variables involved, and many of them arise from the cloud service provider's SLA.
Cloud and virtualization are fairly new models for business (yes, you can argue that virtualization has been around for quite some time, but I'm talking about it in a purely cloud context). Forensic investigators have to rely on the cloud provider to allow them to identify and collect all the relevant data needed to confirm or refute their hypotheses. But very few SLAs outline in detail what security measures are in place in the cloud environment and thus what data is accessible. Are there proper logging controls in place? How long are logs retained, and who can vouch for their integrity? There's a good chance that until security tools for virtualized environments become more sophisticated, there will be gaps in the information available. If a provider says that full visibility and auditing are available, how can a customer even verify this beyond accepting that there is a sentence about it in the SLA?
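To make the integrity question concrete: one technique a provider (or customer) could use to make logs tamper-evident is a hash chain, where each record's digest covers the previous record's digest, so any edit or deletion invalidates everything after it. The sketch below is purely illustrative; the function names are mine, not any provider's actual API, and real deployments would also need signing and secure storage of the chain head.

```python
import hashlib

def chain_logs(entries, seed="genesis"):
    """Build a tamper-evident hash chain: each record's hash
    covers the entry text plus the previous record's hash."""
    chained = []
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for entry in entries:
        digest = hashlib.sha256((prev + entry).encode()).hexdigest()
        chained.append({"entry": entry, "hash": digest})
        prev = digest
    return chained

def verify_chain(chained, seed="genesis"):
    """Recompute the chain; an edited or removed entry
    breaks its own hash and every hash after it."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for record in chained:
        digest = hashlib.sha256((prev + record["entry"]).encode()).hexdigest()
        if digest != record["hash"]:
            return False
        prev = digest
    return True

logs = ["user login: alice", "vm snapshot created", "user logout: alice"]
chain = chain_logs(logs)
print(verify_chain(chain))        # True: chain intact
chain[1]["entry"] = "log wiped"   # simulate after-the-fact tampering
print(verify_chain(chain))        # False: tampering detected
```

A scheme like this doesn't stop a provider from losing logs, but it would give a customer something verifiable to ask for in an SLA beyond a sentence of assurance.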
To sum it up, the real reason that forensics in cloud and virtualized environments is going to be tough for a while is that we just don't have global standards around it. Cloud itself is still in the very early stages of developing standards and controls, and given the complexity of applying best practices without hindering the benefits of cloud, it will take time.