and safeguarding and verifying the integrity of the collected data. During
analysis, the evidence is carefully analysed and the results objectively
evaluated; the final conclusions are reviewed. The findings are finalised and
conclusively documented. [34]
Cloud challenges
It is the 'data collection' stage itself that constitutes a major Cloud
challenge for forensic experts. While conventional computer forensics often
starts with the storage medium, from which bit‐by‐bit copies can be made if
the experts are lucky, that is nearly impossible to do in the Cloud. For Cloud users, not to
mention forensics experts, there is usually no way to tell which storage
media were used to store the data and where they are physically located.
Forensic data collection in the Cloud calls for alternative, as well as
qualitative, procedures. The forensic expert must collect the data via logical
interfaces (e.g. virtual directories, databases). Today, some Cloud providers
save ‘hashes’ (digital fingerprints) along with each data record, which are
ready for use in the event of a forensic analysis. Here, however, it is
important for Cloud users and providers to set down such procedures in
advance in a Service Level Agreement (SLA). In addition, they also require
related technical documentation to ensure the credibility of the data.
A key success factor for computer forensic investigations is the existence of
sufficient log data. Similar records should also be available for networks,
systems and applications. The availability of log data to forensic experts and
the retention period should also be set down in accordance with statute and
internal agreements. Here, the synchronisation of system times for all
systems is key. The log data from different systems are often merged for
analysis purposes. Only with synchronised records can operations be
reconstructed and the sequence of events understood.
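
The following added example (not part of the original text) shows why merged log data needs synchronised times: three records from different systems are normalised to UTC and corrected for each system's clock error before sorting. The source names, sample records and clock offsets are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records: (source, timestamp as logged, event).
# Each source logs in its own time zone and with its own clock error.
RECORDS = [
    ("vpn-gw",  "2024-03-01T10:00:05+01:00", "login user=alice"),
    ("app-srv", "2024-03-01T09:00:02+00:00", "export started user=alice"),
    ("storage", "2024-03-01T04:00:09-05:00", "object read bucket=reports"),
]

# Assumed clock error per source in seconds (local clock minus reference
# clock), as it would be measured and documented during acquisition.
SKEW_SECONDS = {"vpn-gw": 0.0, "app-srv": -4.0, "storage": 2.0}
NO_CORRECTION = {source: 0.0 for source in SKEW_SECONDS}


def normalise(source, stamp, skew=SKEW_SECONDS):
    """Return the event time in UTC, corrected for the source's clock error."""
    ts = datetime.fromisoformat(stamp)
    if ts.tzinfo is None:
        # Without a UTC offset the record cannot be placed on a shared timeline.
        raise ValueError(f"{source}: timestamp {stamp!r} has no UTC offset")
    if source not in skew:
        raise KeyError(f"{source}: no measured clock offset on record")
    return ts.astimezone(timezone.utc) - timedelta(seconds=skew[source])


def build_timeline(records, skew=SKEW_SECONDS):
    """Merge records into one list sorted by corrected UTC time.

    The timestamp as logged is kept next to the corrected one, so the
    original record stays visible in the merged timeline.
    """
    rows = [(normalise(s, t, skew), s, t, e) for s, t, e in records]
    return sorted(rows, key=lambda row: row[0])


def order(records, skew):
    """Return only the sequence of sources, for comparing two timelines."""
    return [source for _, source, _, _ in build_timeline(records, skew)]


if __name__ == "__main__":
    print("uncorrected order:", order(RECORDS, NO_CORRECTION))
    for utc, source, logged, event in build_timeline(RECORDS):
        print(f"{utc.isoformat()}  {source:8} {event}  (logged {logged})")
```

Without the correction, the export appears to start before the login; with it, the login comes first.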
Cloud providers could even add extra services to their existing Cloud
services as proactive support for forensic investigations. These service
packages could offer data versioning, alternative storage of forensic data (e.g.
copies of emails), automatic hashes, relevant data interfaces as well as
analysis tools.
Clouds can span many countries. Forensic investigations can therefore fall
under different legal systems. This should also be considered, along with
which measures to take in such cases. Rules for house searches (disclosure
[34] Cf. ‘Computer Forensics: Recognising, detecting and resolving system intrusions’; Alexander Geschonneck