Seite 81 - Cloud Migration Version 2012 english

81 
and safeguarding and verifying the integrity of the collected data. During 
analysis, the evidence is carefully analysed and the results objectively 
evaluated; the final conclusions are reviewed. The findings are finalised and 
conclusively documented.
34
Cloud challenges 
Nothing short of the 'data collection' stage constitutes a major Cloud 
challenge for forensic experts. While conventional computer forensics often 
starts with the storage medium in order to construct bit‐by‐bit copies if they 
are lucky, that is nearly impossible to do in the Cloud. For Cloud users, not to 
mention forensics experts, there is usually no way to tell which storage 
media were used to store the data and where they are physically located. 
Forensic data collection in the Cloud calls for alternative, as well as 
qualitative, procedures. The forensic expert must collect the data via logical 
interfaces (e.g. virtual directories, databases). Today, some Cloud providers 
save ‘hashes’ (digital fingerprints) along with each data record, which are 
ready for use in the event of a forensic analysis. Here, however, it is 
important for Cloud users and providers to set down such procedures in 
advance in a Service Level Agreement (SLA). In addition, they also require 
related technical documentation to ensure the credibility of the data. 
A key success factor for computer forensic investigations is the existence of 
sufficient log data. Similar records should also be available for networks, 
systems and applications. The availability of log data to forensic experts and 
the retention period should also be set down in accordance with statute and 
internal agreements. Here, the synchronisation of system times for all 
systems is key. The log data from different systems are often merged for 
analysis purposes. Only with synchronised records can operations be 
reconstructed and the sequence of events understood. 
Cloud providers could even add extra services to their existing Cloud 
services as proactive support for forensic investigations. These service 
packets could offer data versioning, alternative storage of forensic data (e.g. 
copies of emails), automatic hashes, relevant data interfaces as well as 
analysis tools. 
Clouds can span many countries. Forensic investigations can therefore fall 
under different legal systems. This should also be considered, along with 
which measures to take in such cases. Rules for house searches (disclosure 
34
Cf. ‘Computer Forensics: Recognising, detecting and resolving system intrusions’; Alexander 
Geschonneck