Investigation of Forensic Evidence on Virtual Machines, Networks, and Cloud Computing.
#CloudComputing #CyberforensicTechnologies #FutureCyberforensics
The purpose of this blog post is to provide insight into five focus/topic areas: 1) to understand the general forensic implications brought on by the use of virtual machines (VM), networks, and cloud computing (CC); 2) to identify the types of cloud computing, global organizations, and the various locations where cloud providers might store data; 3) to provide an analysis of the general technology choices and contracts of a global organization during any legal action or law enforcement investigation; 4) to understand how indirect and third-party risks affect operations, security, and profits as a result of technology choices within a global environment; and 5) to justify the need for forensic technologies to protect an organization during investigations on third-party networks, virtual machines, and cloud computing. By understanding the background of the current environment within these five focus areas, one can achieve greater confidence in, and understanding of, the future conditions and capabilities of digital forensics. This insight will show why an organization would want to have a forensic technologist on staff. Based on this future increase in demand for forensic technologies and the lack of qualified individuals and staff, organizations will want to update their organizational security model. The new model will include a high-level technologist or subject matter expert (SME) who has a broad understanding of forensics as it relates to law, the cloud, cybersecurity, incident management and response, malware analysis, digital forensics, and a whole host of other capabilities and skill sets. Because this individual only has a high-level understanding and capability, detailed work will need to be subcontracted (farmed out) to a specialist when specific skill sets are needed.
In particular, one of the future specializations that will need subcontracting is the gathering and analysis of forensic evidence on virtual machines and networks within the cloud.
The general forensic implications brought on by the use of virtual machines, networks, and cloud computing show that our laws are out of date [3] and that many digital forensic investigators lack the training to keep up with the ever-growing complexity of digital evidence [6]. This increasing complexity raises the likelihood that an investigator will come to the wrong conclusion [9]. The laws these investigators follow vary greatly across state and national jurisdictions, and these legal variances often create ambiguity in the investigator's ability to separate fact from fiction. To improve an investigator's ability to perform forensic analysis of virtualized infrastructure, platforms, and software, developers need to follow best practices that ensure the confidentiality, integrity, and availability of the data or service provided [3]. Investigators will look to improve their capabilities and skill sets through training. However, training is very expensive, with classes in the U.S. easily costing between $10,000 and $20,000 [6]. Unfortunately, the U.S. median salary of an information security analyst was around $95,500, and the median salary of a computer forensic analyst was almost $69,000 [4]. Given the pace of technological change and the cost of keeping up with it, one can easily infer that in the future digital forensics will be performed by a team of specialists, as no one person will be able to keep up with the rate of change. Another reason organizations are increasingly likely to need a cybersecurity SME and a high-level digital forensic technologist is that things often do not go smoothly or as expected. When performing digital forensics, there are few standards in place to ensure the confidentiality, availability, or integrity of data in a VM or CC environment.
There are many types of VM and CC organizations, and most are capable of quickly creating local, restricted, or global footprints. These footprints often include data, either at rest or in motion. In either form, the data falls under the jurisdiction of a nation-state, and the rules, regulations, laws, and rulings applied to technological cases vary greatly between them. As an organization grows, so does its digital footprint, and for the foreseeable future this growth will be concentrated in the cloud [5]. The cloud enables organizational growth because it allows digital expansion to happen rapidly and globally.
In 2019, Gartner completed a survey showing that over 75% of the organizations surveyed have a cloud-first strategy [5]. Because of this strategy, organizations will look to leverage more services and service providers. There are many types of service providers, and every organization will need to determine exactly which services it is looking to obtain. For this blog post, the focus is on cloud computing service providers (CCaaS), most of which offer many things, if not everything, as a service (XaaS); sometimes these services number in the thousands [1]. All of the big cloud service providers are capable of storing data in many locations and regions around the world. Many of these clouds offer options to limit where data is stored and transported. However, this is not a standard service, and such options often carry a higher cost. In all of these environments, data owners and forensic investigators will be required to follow the rules and regulations of the host state where the data resides or is in transit.
Understanding the location and the transmission of the corresponding data is a big challenge for many organizations, and this service is often not available. For those individuals and organizations that need to know the specific location of their data at rest or in motion, and who are willing to pay the cost, general technology choices, and in particular CC options and contracts, are an option [1]. As noted previously, any data owner and any forensic data activity is subject to the laws and regulations of the state(s) to which the data was transported or in which it is stored. Although data location is only the third focus area, in organizations where it is a requirement it is best treated as the first requirement and selection factor when determining future contracts.
The fourth focus area is to understand that moving to and using the cloud does not come without risk. These risks include the indirect and third-party risks to operations, security, profits, and reputation, as well as to organizational and data integrity, that result from technology choices. Once again, understanding where the data is and where it is going is important, especially when working with third parties [2]. One example where this information matters is China. China's Ministry of Public Security (MPS) is tasked with ensuring that everyone and every organization shares their data with the government. If and when requested by the Chinese government, this may include sharing source code. In this case, if a third-party developer was working on any part of the development of the code or other technology, the developer is required by law to notify the government. Upon notification, the MPS performs a national security review, and only when the review is completed is the technology allowed to be released to the originating organization [7]. To address these risks, organizations can take active steps to reduce the likelihood of becoming a victim of, or being adversely impacted by, geocentric risks. First, organizations should conduct an inventory and internal audit of third-party organizations and vendors. Second, an organization should define, document, and standardize the vendor and third-party selection process, thereby ensuring organizational-level requirements are known up front on day one. The third step is to identify all data owners, all individuals with administrative privileges, and the controls to be put in place. Once this information is identified, the fourth step is to work closely with management and with all legal and contract teams assigned to this effort who need to know.
With management and the internal teams engaged, the team can move to the final step in the process and ensure the organization's Board has the information necessary to formulate strategic plans of intent [8].
By understanding the first four focus areas, an organization can then turn to the fifth and final focus area of this blog post: understanding the need for forensic technologies to protect an organization during investigations on third-party networks, virtual machines, and cloud computing. Protecting this data, especially when a third party is involved, requires a great deal of trust. To ensure the third party maintains that trust, the organization needs to know whom it is trusting and whether it can achieve non-repudiation. This can be monitored and measured through service level agreements (SLAs), through log analysis, and through the preservation of data. What is important to understand is that performing a well-researched forensic analysis depends more on following strict processes than on using specific tools. These processes include ensuring chain of custody and imaging of data, as well as defining the process and the technical and physical limitations of the organization. The outcome defines and presents the investigator's ability to identify and prove intent, opportunity, and capability based on the facts in evidence [10].
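Chain of custody and imaging, as described above, come down to two verifiable records: a digest of the acquired image that every custodian re-checks, and a custody log that cannot be quietly edited after the fact. The following Python is an added example written for this post, not code from the original author or from any forensic product; the case id, custodian names and the "disk image" bytes are constructed placeholders, and the hash-chained log design is an illustration of the process, not a description of any specific tool.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed stand-in for an acquired VM snapshot (not real evidence data).
SAMPLE_IMAGE = b"VM-SNAPSHOT-HEADER\x00" + bytes(range(256)) * 4


def image_digest(data: bytes) -> str:
    """SHA-256 of the acquired image; this is the value each custodian re-verifies."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    custodian: str
    action: str           # "acquired", "verified", or "INTEGRITY_MISMATCH"
    digest: str           # digest of the image as this custodian observed it
    timestamp: str
    prev_entry_hash: str  # links to the previous entry so none can be dropped unnoticed
    entry_hash: str = ""


def _entry_hash(entry: CustodyEntry) -> str:
    """Hash of every field except entry_hash itself, serialised deterministically."""
    payload = {k: v for k, v in asdict(entry).items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class ChainOfCustody:
    """Hash-chained custody log for one acquired image (hypothetical design)."""

    def __init__(self, case_id: str, acquired_image: bytes, acquirer: str):
        self.case_id = case_id
        self.reference_digest = image_digest(acquired_image)
        self.entries: list[CustodyEntry] = []
        self._append(acquirer, "acquired", self.reference_digest)

    def _append(self, custodian: str, action: str, digest: str) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else "0" * 64
        entry = CustodyEntry(custodian, action, digest,
                             datetime.now(timezone.utc).isoformat(), prev)
        entry.entry_hash = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def record_handoff(self, custodian: str, image_as_received: bytes) -> bool:
        """Re-hash the image at each handoff; a mismatch is logged, never hidden."""
        observed = image_digest(image_as_received)
        ok = observed == self.reference_digest
        self._append(custodian, "verified" if ok else "INTEGRITY_MISMATCH", observed)
        return ok

    def verify_log(self) -> bool:
        """Recompute the chain; False if any entry was altered, reordered or removed."""
        prev = "0" * 64
        for e in self.entries:
            if e.prev_entry_hash != prev or _entry_hash(e) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def demo() -> tuple:
    """Walk through an intact handoff, a corrupted copy, and a tampered log."""
    coc = ChainOfCustody("CASE-PLACEHOLDER-001", SAMPLE_IMAGE, "acquiring examiner")
    intact = coc.record_handoff("analyst A", SAMPLE_IMAGE)          # True
    corrupted_copy = SAMPLE_IMAGE[:-1] + b"\x00"                    # constructed 1-byte change
    corrupted = coc.record_handoff("analyst B", corrupted_copy)      # False, mismatch logged
    log_ok_before = coc.verify_log()                                 # True
    coc.entries[2].action = "verified"  # someone rewrites the mismatch entry afterwards
    log_ok_after = coc.verify_log()                                  # False: chain broken
    return intact, corrupted, log_ok_before, log_ok_after


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the image digest answers "is this still the data that was acquired?" while the hash chain answers "is this still the log that was written?"; an investigator needs both to present a defensible chain of custody, and neither depends on which imaging tool produced the bytes.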
By understanding the five focus areas above, any organization can achieve greater confidence in, and understanding of, the future conditions and capabilities of digital forensics. This insight shows why an organization would want to have a forensic technologist on staff. Based on this future increase in demand for forensic technologies and the lack of qualified individuals and staff, organizations will want to update their organizational security model. The new model will include a high-level technologist or subject matter expert (SME) who has a broad understanding of forensics as it relates to law, the cloud, cybersecurity, incident management and response, malware analysis, digital forensics, and many other capabilities and skill sets.
Cited Sources:
[1] https://aws.amazon.com/products/
[2] http://www.scirp.org/journal/jcc ; http://dx.doi.org/10.4236/jcc.2016.410007
[4] https://www.forensicscolleges.com/careers/computer-forensics-examiner
[5] https://www.gartner.com/en/information-technology/insights/cloud-strategy
[7] https://www.recordedfuture.com/china-cybersecurity-law/
[9] https://doi-org.proxy1.ncu.edu/10.1109/CCAA.2016.7813819
[10] Simou, S., Kalloniatis, C., Gritzalis, S., & Mouratidis, H. (2016). A survey on cloud forensics challenges and solutions. Security and Communication Networks, 9, 6285–6314. doi:10.1002/sec.1688