The National Institute of Standards and Technology has identified 65 forensic science challenges in the cloud, and is working to build a roadmap to overcoming them.
Cloud technology can simplify many computing tasks, but solving a digital crime is not one of them. That's why the National Institute of Standards and Technology (NIST) recently issued a draft report that identifies 65 forensic science challenges in the cloud, with the aim of building a roadmap to overcoming them.
The report, NIST Cloud Computing Forensic Science Challenges, collects and aggregates the problems and is the result of research from NIST's Cloud Computing Forensic Science Working Group.
The 65 challenges reveal the magnitude of the problem that cloud computing presents, though it's not an exhaustive list, said Martin Herman, senior adviser for forensics and IT at the National Institute of Standards and Technology. "It shows that there is a lot of work that needs to be done to overcome these challenges," said Herman, who co-chairs the working group.
The cloud environment is unique in that computing resources are separate from users and are pooled using a multi-tenant model, with data flowing among servers, service providers and even countries, according to NIST.
"Here (in the cloud) you have data that you may not even be sure where it is at any point in time," Herman said.
Cloud technology's popularity has grown thanks to its rapid provisioning, elasticity and on-demand nature. But these characteristics make cloud environments particularly challenging for forensic investigators who must find and analyze specific information for the U.S. criminal justice and civil litigation systems, and for private operational needs.
Historically, digital forensics has dealt with one computer feeding into a server in a datacenter, where investigators have full control over the forensic artifacts, including hardware and logs that point to the location of data, according to NIST. That has changed with the distributed nature of cloud technology and the diminished control that comes with it.
"One of the big differences is that, in the traditional forensics, law enforcement will go in and physically seize that hardware and be able to have full control over it. In the cloud, that's just not the case. Everything is remote," Herman said.
The working group that unearthed the 65 challenges is an international body representing government, industry and academia. Group members who volunteered for the effort organized what they found into three categories -- technological, organizational and legal. The majority of the 65 challenges, though, are technological, which falls in line with NIST's own area of expertise.
Some challenges would vex any complex system but are made more challenging by cloud technology, while others can be explained as byproducts of cloud computing, according to NIST.
For instance, rapid elasticity, or quickly scaling resources up or down, is unique to the cloud and results in computing and storage resources that are distributed, Herman said. "That's one of the big advantages of the cloud system -- the user pays for what's needed and the resources are out there provided by a cloud provider," he said.
The challenge comes as service providers move data among these resources -- sometimes located in other cities and countries -- to meet demand, which makes it difficult for investigators to specify locations in subpoenas, and to collect evidence as data changes, moves or disappears, Herman said.
In fact, in a shared environment, there is a greater likelihood that deleted data is erased as it's overwritten by someone else's data, he said.
Data location is further complicated by data replication, or storing the same data on multiple storage devices, which makes it difficult to track the movement of data and isolate it during forensic investigations.
And when evidence is found and needs extracting, a multi-tenant environment requires law enforcement to carefully examine the data so as not to violate the privacy of others sharing that resource, Herman said.
Additional challenges associated with forensics and cloud computing include: the variability in cloud architectures among providers, the correlation of data across cloud providers and the trustworthiness of cloud providers to act as first-responders to perform data collection.
While the group will now issue a final document with feedback from a two-month comment period, ending Aug. 25, its work has just begun. The goal is to understand the most challenging of the 65 issues so that NIST and others can tackle them. After the final report is released, the group will analyze the challenges, prioritize them and find the gaps in technology and standards.
"The gaps is what we're really after," Herman said. "Once we get the gaps that in itself represents some kind of a roadmap for what needs to be done and what kinds of research and technology and standards need to be done in order to overcome challenges in cloud forensics."
To prioritize the challenges, the group will look at the urgency of overcoming each challenge and what overcoming the challenge would mean for stakeholders like consumers, law enforcement and government regulators, Herman said.
It's a multi-step process for the group, which started meeting in late 2012. But the end result is worth it -- NIST says the validity and reliability of forensic science in the cloud context is crucial and that it requires new ways for identifying and analyzing evidence.