
Cloud Forensics - Artifacts?

(@research1)
Estimable Member
Joined: 17 years ago
Posts: 165
Topic starter  

I'm looking for a number of articles relating to cloud forensics (artifacts), and problems people have come across to date.

In addition to this, any good books regarding this subject will not be ignored.

Many Thanks,


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I'm looking for a number of articles relating to cloud forensics (artifacts), and problems people have come across to date.

I'm not clear on what you're looking for…forensics in 'the cloud' can mean a lot of things. For example, are you referring to doing forensics on a server in the cloud? If so, it depends on the implementation…


   
(@research1)
Estimable Member
Joined: 17 years ago
Posts: 165
Topic starter  

Yes, applied to various implementations. And also generalist cloud forensics (what scenarios / challenges analysts have come across in clouds to date).

This is a very open-ended, info-gathering post.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Like I said…depends on the implementation…that, and your contract.


   
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

your contract.

Excellent point Harlan. I've been sticking my nose in social media project governance for this exact reason. If you don't get your access to your data spelt out in advance, it's likely not going to be pretty when the crap has hit the fan.

Like I learned in software engineering in Uni… you can pay for it once on the front end, or 3 times on the back end.


   
CFEx
(@cfex)
Trusted Member
Joined: 16 years ago
Posts: 69
 

research1

This same question has been posted 1 or 2 times already in the Forum.

keydet89 stated the obvious: you agree to terms and conditions with a cloud service provider. As a client you can include the right to audit (and this is always just that: a very vague clause); you can state you are the owner of your data, and that you want it back if the relationship ends. The question is, can you include a clause to do a forensic investigation of your SP?

That clause is not likely to happen. It's not the trend in cloud services agreements.

As a service provider, think about it. Do you want to have each client come and do a forensic investigation? If that may happen, it may be because the SP agrees to engage an independent investigation firm so that the report satisfies more than one client.

Are you looking at this from a client, Service Provider, or Law Enforcement perspective? It may make more sense for a SP to initiate the forensic investigation to satisfy clients. The other possibility I see is that LE engages you to provide cloud forensics expertise. That's the start.

Then the next question is: forensic investigation of what? Platform, Infrastructure, Application, database, O/S? All these have artifacts.

Today, clients are more concerned with security of data in multitenant environments. Compared to how SPs prevent the neighbor next door (hosted on the same database) from peeking at one's data, forensic investigations may not be too much of a concern.

Clients rely on the right clauses and a SLA, because they allow them to have legal redress if something happens/does not happen.

Cloud forensics, as you can see, is very broad and in its infancy, and will evolve over time.

Hope this gives you a perspective.


   
(@research1)
Estimable Member
Joined: 17 years ago
Posts: 165
Topic starter  

Understood. No simple answer.

Has anyone created any advice / documentation / research on how to approach cloud examinations and common artifacts/setups to look out for?


   
sodick
(@sodick)
Active Member
Joined: 17 years ago
Posts: 5
 

LOL… lol …This really cracks me up lol

Shame man… You asked for articles or books relating to Cloud Forensics… and you get… nothing… lol

I'm currently also researching Cloud Forensics… and have found quite a few books, articles and some white papers…

It seems that Google is more help on this topic…


   
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

Understood. No simple answer.

Has anyone created any advice / documentation / research on how to approach cloud examinations and common artifacts/setups to look out for?

You should probably extend that to 'there are no simple questions either'.

Why should there be common artifacts? There may be in storage clouds, or in compute clouds, or in application clouds. Assuming they build on similar platforms. But you don't really expect Dropbox to produce the same artifacts as SkyDrive. Both are cloud storage clients, but that's about all they have in common. At the server end, things may be more similar … on the assumption that both use the same software to implement the service. But they probably don't. So …

You approach cloud forensics much as you approach any digital forensic investigation into an area you don't know anything about, but which circumstances force you to grapple with. If you're faced with imaging and analyzing an IBM Power 795 or a VAX VMS server … or if you deal with those every day, take something like a Ferranti Pegasus … what do you do? Where do you start? Who do you ask? (That makes a rather good job interview question, come to think of it … )

Use your experience to split it into manageable and relevant pieces, and talk to the people who actually use, or have implemented or do manage the things. At first, forensics doesn't enter it: you have to understand how it works, and you mostly have to make up your own questions – so you better have a good base of IT knowledge to start from. Once you know how it works, you can put on your black hat, and start asking all those f-word questions. And then begin the artifact identification and the related research into artifact fixation.

For cloud storage forensics, you may want to look at Quick, Martini & Choo, Cloud Storage Forensics, published not long ago. It looks only at a fairly limited subset of cloud storage client forensics, and seems to avoid a number of important questions that will pop up in any investigation. But it's a start.


   