White Paper: Digital Investigations in the Cloud

Cloud computing is changing the way business is conducted. Although many see using and sharing software hosted on the Internet as a natural next step in our exploitation of the World Wide Web, it can pose a real challenge to those involved in digital investigations. Reliance by organisations on third-party providers of ‘Software as a Service’ (SaaS), ‘Platform as a Service’ (PaaS) and ‘Infrastructure as a Service’ (IaaS) solutions can significantly hinder the ability of internal or external forensics specialists to conduct digital investigations. Whilst none of the associated problems are insurmountable, effective solutions may require considerable time and cost. This paper examines the practical steps needed to ensure such investigations can progress unhindered. Also discussed are potential issues, suggested solutions and the tools required to investigate security breaches in the Cloud effectively.

Neil Hare-Brown
Chief Executive Officer

Blackthorn © 2013 ‘Digital Investigations in the Cloud’ 1 | Page

Contents

1) Introduction
2) Parting the clouds
3) Corporate investigations in the Cloud
4) Contractual support for investigations
5) Managing disclosure
6) Storm cloud on the horizon?
7) Cloud busting and crime fighting
8) Working towards silver linings
9) The forensic process
10) Conclusion
11) References
12) About Blackthorn
13) The Author

1) Introduction

Cloud computing is a rebadge of services provided by SaaS/PaaS/IaaS companies, and encompasses the even older concept of an Application Service Provider (ASP). These organisations are referred to here as Cloud or Communications Service Providers (CSPs).

At this point it may be important to draw a distinction between true ‘Cloud’ services and ‘managed’ services. ‘Managed’ services are provided by a third party but are accessed by the customer over a private network (physical or virtual). Cloud services are accessed purely via the Internet. However, many of the challenges posed to successful digital investigations apply equally to both.

Many pundits proclaim a new dawn of outsourced services. Of course, many of them have vested interests in proclaiming their significance. However, there is no doubt that thanks to high-speed broadband ‘the Cloud’ is coming of age. Simply by going online, businesses and consumers can access either the services of their own organisation, or one of the many hundreds of thousands of services hosted by third parties – all via the Internet.

For a number of years now, online services such as Amazon and eBay have been household names. Although generally not referred to as Cloud applications, the functionality provided by these and similar services considerably outshines that of many corporate applications. Businesses also use these applications, finding that purchasing via such services can be quick and cost effective.

As these services move into the business space, they introduce security and investigatory issues (more about this later on).

The better-known Cloud/SaaS applications such as Salesforce.com, Microsoft and NetSuite are also widespread within businesses globally. In fact, they are actually not that different in terms of the potential risk that their use introduces and the associated complexities of managing data ownership and security.

Outsourcing computing power to save money and take advantage of other efficiencies has driven the PaaS and IaaS industry. Google Apps and Heroku, now part of Salesforce.com, enable organisations to migrate their applications and databases outside of their corporate networks, while companies such as Rackspace, Amazon EC2 and GoGrid will take care of the hardware and storage components.

As one observer quipped, “so operating in the Cloud is like outsourcing all your IT services, except you don’t know where your data is” – a layman’s observation that is perhaps not altogether inaccurate.

2) Parting the clouds

The way in which Cloud computing impacts on digital investigations varies greatly depending on the type of analysis needed. However, as you will read, most of this impact is procedural as opposed to technical. In the civil and corporate arena it is largely possible to support digital investigations by specifying key requirements within supplier contracts. This is not a simple task, but with the right amount of care and expertise it should be achievable. However, when digital forensics are needed to support criminal investigations, the problems introduced by Cloud computing become more severe.

As experienced digital investigators and forensics specialists, we at Blackthorn have worked with corporate clients, CSPs and law enforcement agencies and officers. Over the past few years, we have noticed that more powerful and functional computing is generating ever greater evidential potential.

However, some of the evidence is held ‘server-side’ within the Cloud. Our established relationships with CSPs enable us to provide a better service to our clients and all the parties involved in an investigation.

3) Corporate investigations in the Cloud

When it comes to the use of digital forensics in corporate investigations, pre-conditions that support successful analysis include the following:

• Well-written supplier contracts that support not only the implementation and verification of adequate security measures, but also allow for investigatory actions.

• A good understanding by the Incident Management/Forensics Team of the technologies delivered by each CSP.

• Good, established (pre-incident) relationships between CSPs and corporate investigators and legal teams.

• Tested and effective incident response plans.

There are a whole host of security mechanisms that CSPs and their customers should consider. These must not only support the day-to-day requirements for confidentiality, integrity and availability of data hosted in the Cloud, and accountability for access to that data – but if implemented effectively will also significantly increase the chance of a successful digital forensic investigation.

Organisations such as the Cloud Security Alliance (CSA), the European Network and Information Security Agency (ENISA) and the International Systems Audit & Control Association (ISACA) have issued guidance in this area, and the international standard for Information Security Management, ISO/IEC 27001, remains a great point of reference for good practice. There may be regulations such as Sarbanes-Oxley or PCI DSS that require the implementation of specific controls to protect data.

Here are a few examples of security, process and design controls that will help digital investigations:

• Logging and data retention/backups
Ensuring that these two important aspects of data management are coherently linked together maximises the information available in a complete chronology.

• Use of virtualisation
Smart use of virtual machines will enable the rapid collection of data for analysis. The virtualisation design should be confirmed as being forensics friendly.

• Documentation
Both summary and in-depth descriptions of code, configuration, interfaces and data flow within Cloud-hosted systems will assist investigators.

• Technical support & senior management
Many investigations struggle because key technical staff and the management personnel needed to make decisions are simply not available. Ensure you know the ‘who, what, when, where and how’.

• Secure remote access
Such a service may often be vital when discovery and data carving activities are needed. Imaging and full acquisition are preferred but not always possible or practical.

As always, the best environment for digital forensics investigations in the Cloud is that which is established through good organisational control. Agreeing Standard Operating Procedures (SOPs) between the CSP and its customers is vital to ensuring investigations go unhindered, and can provide rapid and meaningful results. This is achieved by establishing effective contractual requirements between the CSP and its customers and by putting in place an on-going programme of communications and exercises to ensure contractual adherence.
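As an added illustration of the logging and retention control above (example code, not from the paper or from Blackthorn): constructed records from a firewall, an IDS, a mail filter and an application log, each with its own assumed timestamp format and hostname, are normalised to UTC into a single chronology, and each source's assumed retention period is checked against the incident window so that gaps in the chronology are known before analysis starts. The same check shows why the infrastructure metadata the paper later calls the ‘glue’ of a timeline only helps while it is still retained.

```python
"""Added example (not from the paper): normalise Cloud-side logs from four
sources into one UTC chronology and check each source's retention period
against the incident window. Records, formats, hosts and periods are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Event:
    ts: datetime   # timezone-aware UTC after normalisation
    source: str
    host: str
    message: str


def parse_firewall(line):
    # Assumed format: ISO-8601 timestamp with UTC offset, host, free text.
    ts, host, msg = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, msg


def parse_ids(line):
    # Assumed format: Unix epoch seconds, host, free text.
    ts, host, msg = line.split(" ", 2)
    return datetime.fromtimestamp(int(ts), tz=timezone.utc), host, msg


def parse_mail(line):
    # Assumed format: "dd/Mon/yyyy:HH:MM:SS +zzzz", host, free text.
    ts, tz, host, msg = line.split(" ", 3)
    return datetime.strptime(f"{ts} {tz}", "%d/%b/%Y:%H:%M:%S %z"), host, msg


def parse_app(line):
    # Assumed format: "yyyy-mm-dd HH:MM:SSZ" (always UTC), host, free text.
    day, clock, host, msg = line.split(" ", 3)
    naive = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%SZ")
    return naive.replace(tzinfo=timezone.utc), host, msg


PARSERS = {"firewall": parse_firewall, "ids": parse_ids,
           "mail": parse_mail, "app": parse_app}

# Constructed sample records (private/documentation IP ranges, invented hosts).
SAMPLE_SOURCES = {
    "firewall": [
        "2013-03-04T09:15:02+01:00 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
        "2013-03-04T09:17:40+01:00 fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=443",
    ],
    "ids": ["1362384910 ids01 ALERT sig=ssh-bruteforce src=203.0.113.7"],
    "mail": ["04/Mar/2013:08:16:40 +0000 mx01 QUARANTINE from=ext@example.invalid"],
    "app": [
        "2013-03-04 08:17:05Z app01 LOGIN user=j.doe result=success",
        "2013-03-04 08:18:30Z app01 EXPORT user=j.doe records=4200",
    ],
}
# Constructed retention periods (days) and the dates used for the coverage check.
RETENTION_DAYS = {"firewall": 7, "ids": 30, "mail": 90, "app": 14}
ACQUIRED_AT = datetime(2013, 3, 20, tzinfo=timezone.utc)
INCIDENT_START = datetime(2013, 3, 4, tzinfo=timezone.utc)


def build_chronology(sources):
    """Parse each record with its source's parser, convert to UTC, sort by time."""
    events = []
    for source, lines in sources.items():
        for line in lines:
            ts, host, msg = PARSERS[source](line)
            events.append(Event(ts.astimezone(timezone.utc), source, host, msg))
    return sorted(events, key=lambda e: e.ts)


def retention_gaps(retention_days, acquired_at, incident_start):
    """Per source, how much of the incident window had already been purged when
    the logs were acquired; an empty dict means the chronology is fully covered."""
    gaps = {}
    for source, days in retention_days.items():
        earliest_retained = acquired_at - timedelta(days=days)
        if earliest_retained > incident_start:
            gaps[source] = earliest_retained - incident_start
    return gaps
```

With the constructed data the firewall (7-day) and application (14-day) logs have already lost the first 9 and 2 days of the incident window respectively, which is exactly the information that should drive the retention clause in the CSP contract.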

4) Contractual support for investigations

Unfortunately, this most fundamental requirement for effective investigations is often woefully lacking. CSP contracts hardly ever make reference to, let alone embrace, the potential need for cooperation in support of digital investigations.

This means that when an organisation needs to perform digital forensics as part of an investigation into a growing range of incidents including data theft, loss and other misuse, they have to rely purely on the goodwill and best efforts of the CSP. In many cases this has an adverse effect on the investigation. Damaging security breaches may continue needlessly, guilty parties may abscond or never be identified. Losses may be considerable and often unquantifiable – all for the want of a well-written contract.

We have undertaken many investigations where the Data Centre Manager simply is not ready, willing or able (unless with authority in triplicate from his CEO) to attend to the critical actions needed to support a digital investigation. On far too many occasions this has led to significant time being needlessly added to the investigation. It has also risked evidential artefacts being lost or damaged.

In addition, many CSPs simply do not have enough suitably knowledgeable staff to be able to assist an investigation team.

In many cases, evidence may not only be found in a customer’s systems and data, but may also be identified in the many infrastructural systems that support the customer. These include firewalls, intrusion detection systems, email filters and event logs from a host of supporting systems. This metadata can often provide vital ‘glue’ in putting together a chronological timeline of events, as well as the creation, modification or deletion of evidential artefacts.

CSPs obviously want to provide standard contracts for their customers, be they small, medium or large enterprises. Many of the contracts that our legal specialists have reviewed are, in their opinion, significantly biased in favour of the CSP with regard to liability for both quality of service, and security.

This oversight gives the ethical and truly professional CSPs a chance to shine by offering their clients well-written contracts that embrace the need for security controls, cooperation and collaboration during investigations as an inherent part of their service provision, whilst still protecting their business as a supplier. Customers of Cloud-based services need to ensure that such contractual obligations are both offered and met. Of course, there is an obvious cost implication here which will impact the bottom line of one or both parties. But it is a cost worth bearing.

5) Managing disclosure

So far, we have discussed the relative ease with which corporate investigations should take place – as long as contracts, preparation, planning and communications hurdles are overcome. But there is another complication that sometimes occurs. This is the discovery and handling of forensic artefacts where some kind of disclosure must be made to the relevant authorities.

Examples of such discoveries include those relating to:

• Criminal activity (depending on the possible offences and jurisdiction)

• Incidents that must be disclosed to regulatory authorities, such as breaches of privacy related to the loss of, or unauthorised access to, Personally Identifiable Information (PII)

• Incidents which the organisation is contractually obligated to report to their customers or suppliers, e.g., Payment Card Industry Data Security Standard (PCI DSS) incidents

It is important to understand that if a third party client/partner/supplier (including the CSP) becomes aware of certain types of incident then they may also be duty bound to disclose them without the consent or knowledge of those involved. It would again be good practice to require this disclosure as part of a contractual obligation. Examples of such incidents involve the reporting of suspicious activity relating to money laundering, or the possession of unlawful material.

Before such discoveries are made it is important to know what your duties are with regard to required disclosure of personal or business data held by your CSP. Appropriate SOPs can then be prepared and applied when needed.

6) Storm cloud on the horizon?

When it comes to effective criminal investigation there are numerous barriers to successful Cloud-based digital forensics investigations by law enforcement agencies.

Firstly, consider CSPs who deliver services internationally. The problem areas here are twofold:

• Cross-jurisdictional issues
It is generally not permissible for a law enforcement organisation and its appointed digital forensics specialists to access systems belonging to companies outside that agency’s jurisdiction.

Where cross-jurisdictional and/or international agreements are in place, these generally require the organisation which has jurisdiction to appoint its own law enforcement and digital forensics specialists. These specialists then provide the results to the law enforcement agency which made the original request. Sometimes this data cannot be relied upon fully because of conflicting or non-existent operating standards.

• Timescales
Even when there are mechanisms by which law enforcement agencies may collaborate with regard to investigations requiring digital forensics, the bureaucracy involved to allow such collaboration is usually time consuming. Timescales are so long that the hope of recovering evidential artefacts diminishes substantially. This is exacerbated by the CSPs’ very short data and log retention policies (for operational reasons).

One area where national governments are now focussing is that of Data Retention (DR), although extended timescales here are largely aimed at supporting national law enforcement investigations. This is not particularly helpful when investigating criminal activity affecting Cloud services internationally.

Investigations by law enforcement officers involving international CSPs are not, therefore, straightforward. However, the problems are not insurmountable. This can be seen by those investigations undertaken by leading agencies such as the Serious Organised Crime Agency (SOCA) and the Police Central E-Crime Unit (PCeU) in the UK, as well as the Federal Bureau of Investigation (FBI) in the United States and the Federal Security Service (FSB) in Russia. However, the level of criminality required for such agencies to mobilise is particularly high. As one would expect, the cost of these investigations is prohibitive when compared to the budgets for most digital forensic analysis.

Where investigations have no need to cross jurisdictional boundaries the situation becomes less complex, but here the problems increasingly lie in the following areas:

• Obtaining warrants
Law enforcement agencies must obtain warrants in order to access, seize/image and forensically analyse evidence in data stored at CSPs.

• Time and cost
Significant time and cost is added to the process not only for law enforcement agencies but also for the CSPs (for which they may not be well compensated, if at all).

• Timescales
The timescales for technical investigations will increase due to greater infrastructural complexity.

Considerations associated with the presentation of evidence may also add complexity and increase timescales and cost. Although the likelihood of digital evidence being located in the Cloud is increasing, budgets for digital forensics are constantly being squeezed.

Now is not a good time for digital forensics in law enforcement investigations involving the Cloud because the costs for investigation are high. Ultimately it will be the victims of crime that will suffer – along with public perception of law enforcement effectiveness. The challenges for our international legislators are immense.

7) Cloud busting and crime fighting

For law enforcement agencies, their appointed digital forensics specialists and those that govern the jurisdictions concerned, there are significant hurdles to overcome. And CSPs need to be ready to respond to the increasing number of warrants and court orders granting access to their systems. Ways must be found for law enforcement agencies to serve warrants internationally via their counterparts. This may involve multiple jurisdictions simultaneously. The cost issues here will be significant, although possibly overcome with careful use of technology, such as:

• Remote warrant execution and management through trusted agency counterparts

• Remote analysis tools operated under the supervision of a trusted domicile agency, including full audit trail of the analysts’ actions

• Use of cryptographic digital signatures as well as confidential handling controls for evidential artefacts and the actions undertaken to acquire them

There are already fledgling technologies that may satisfy these points but they require an additional framework within which to function. This would include:

• Agreed international standards for digital forensics investigations.

• An agreed legislative trust for international warrant execution.
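The ‘full audit trail of the analysts’ actions’ and the ‘cryptographic digital signatures ... for evidential artefacts’ listed above can be combined into one tamper-evident record. The following is an added example, not from the paper or from Blackthorn: it hashes constructed stand-in artefacts with SHA-256, chains each recorded action to the previous one, and seals the trail so that the supervising agency can detect any later alteration. The HMAC with a constructed key stands in for the asymmetric signature the paper calls for, since the Python standard library has no signing primitive; the case reference and analyst names are placeholders.

```python
"""Added example (not from the paper): tamper-evident record of evidential
artefacts and analyst actions. SHA-256 for artefacts, a hash chain for the
action log, and an HMAC seal standing in for a digital signature."""
import hashlib
import hmac
import json


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so hashes do not depend on key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def artefact_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AuditTrail:
    GENESIS = "0" * 64   # prev_hash used by the first entry

    def __init__(self, case_ref: str):
        self.case_ref = case_ref
        self.entries = []

    def record(self, timestamp_utc, analyst, action, artefact_sha256):
        """Append an action; its hash covers the previous entry's hash, so
        editing or removing an earlier entry breaks every later link."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "timestamp_utc": timestamp_utc,
                 "analyst": analyst, "action": action,
                 "artefact_sha256": artefact_sha256, "prev_hash": prev}
        entry["entry_hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def seal(self, key: bytes) -> str:
        """HMAC over the whole trail; the key would be held by the agency."""
        return hmac.new(key, canonical(self.entries), hashlib.sha256).hexdigest()


def verify_trail(entries, seal: str, key: bytes) -> bool:
    """Check the seal, then recompute every entry hash and chain link."""
    expected = hmac.new(key, canonical(entries), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, seal):
        return False
    prev = AuditTrail.GENESIS
    for i, entry in enumerate(entries):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if hashlib.sha256(canonical(body)).hexdigest() != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


# Constructed inputs: a demo key and two stand-in artefacts.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"
ARTEFACTS = {
    "vm-disk.img": b"constructed stand-in for an acquired virtual disk image",
    "auth.log": b"constructed stand-in for an exported authentication log",
}


def build_demo_trail() -> AuditTrail:
    trail = AuditTrail("CASE-EXAMPLE-001")   # placeholder case reference
    trail.record("2013-03-04T10:00:00Z", "analyst.a", "acquire vm-disk.img",
                 artefact_hash(ARTEFACTS["vm-disk.img"]))
    trail.record("2013-03-04T10:05:00Z", "analyst.a", "acquire auth.log",
                 artefact_hash(ARTEFACTS["auth.log"]))
    trail.record("2013-03-04T11:30:00Z", "analyst.b", "keyword search auth.log",
                 artefact_hash(ARTEFACTS["auth.log"]))
    return trail


def tampered_trail_verifies() -> bool:
    """Seal a trail, then alter one recorded action: verification must fail."""
    trail = build_demo_trail()
    seal = trail.seal(DEMO_KEY)
    tampered = json.loads(json.dumps(trail.entries))
    tampered[1]["action"] = "acquire auth.log (redacted)"
    return verify_trail(tampered, seal, DEMO_KEY)
```

Re-hashing the acquired artefact and comparing it with the recorded `artefact_sha256` is how a court or counterpart agency confirms that what was analysed is what was acquired.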

8) Working towards silver linings

In order for the corporate and government sectors to use Cloud services successfully, it is essential for contractual agreements to be drawn up properly with CSPs, enabling investigations to take place unhindered and efficiently.

Just as important is that the suitability of contracts is verified and agreed procedures are audited. Response plans for the company-appointed digital forensics investigators and each CSP should also be assessed. This level of governance will come with a price tag which, inexorably, will be built into the overall cost of Cloud computing.

For law enforcement agencies, the use of Cloud services by criminals is looking like the perfect storm.

Interesting developments in the areas of lawful interception and consequent data retention were highlighted in recent challenges against Blackberry manufacturer Research In Motion Ltd (RIM) by the governments of Saudi Arabia and India. Authorities in these two countries feel that access to communications is essential in their fight against international terrorism and organised crime.

The United States government has suggested that organisations processing RIM Blackberry communications must have an office in a US jurisdiction where an interception warrant can then be served and acted upon.

It is certain that most executives of CSPs would reel at the costs of such a regulation being enforced. However, this proposal is undoubtedly an interesting approach to solving some of the problems mentioned earlier.

Understanding how governments and their law enforcement agencies seek to obtain intercepted data will enable mechanisms to be created that allow digital forensics to be performed more easily across jurisdictional boundaries. It is possible that law enforcement agencies such as Interpol will have an important role to play in this area.

9) The forensic process

The impact on traditional digital forensic techniques of conducting a Cloud-based investigation is not as significant as you might think. At Blackthorn, we have been dealing with data centre-based examinations for years. It does come with its own set of interesting challenges, but by and large, these are well understood and relatively straightforward to deal with.

In all investigations, it is critical to be able to rely on every point of contact. If everyone involved carries out their responsibilities in a timely manner, the duration of the investigation may be curtailed and the outcome affected in a positive way.

Ensuring that the Data Centre Manager understands the nature of the investigation, along with ways in which they can help, is paramount. Preferably, this role should be predefined with the client in a three-way agreement long before any investigation is warranted.

A key consideration from a technical perspective is the distribution of data, both inside and outside the data centre itself. The use of clusters and virtual machines can make life harder and easier at the same time. Ideally, preservation of evidence is best achieved by isolating relevant systems. Can this be practically achieved? Moreover, is it planned for? This is where incident response planning can make all the difference – and often there may be a commonality between planning for both investigations and business continuity.

The issue of proportionality is a current focus of civil courts. This means that only data pertinent to the investigation should be captured.

Much of the concern around proportionality stems from data protection issues and the potential electronic discovery requirements which may arise after data capture. Careful planning and understanding of the relevant laws is a prerequisite.

The number of cyber breaches is increasing and it is therefore very important to ensure good incident response readiness and sound investigative process.

10) Conclusion

For those taking advantage of Cloud computing in their business, enabling effective digital forensic investigations is not an impossible task. But it does require care and solid technical and legal support from specialists in the field.

Within law enforcement, the challenges are international both in nature and scale. The solutions may take many years to evolve before they become effective, with at least one high-profile international incident of non-collaboration an absolute certainty. Preparation and planning – whether by international agreement, contract or tested operating procedures – will be critical if digital investigations and forensics in Cloud computing are to be both possible and practical. This will take effort, time and money.

The adoption of the Cloud by those wishing to commit crime and misuse systems and data for their own ends is already a growing trend.

However, with the right tools, professional support and international legislation, law enforcement agencies may eventually prevail.

11) References

Cloud Security Alliance (CSA):
Security Guidance for Critical Areas of Focus in Cloud Computing v2.1
http://www.cloudsecurityalliance.org/csaguide.pdf

European Network and Information Security Agency (ENISA):
Cloud Computing – Benefits, Risks and Recommendations for Information Security
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/at_download/fullReport

International Standards Organisation (ISO):
ISO/IEC 27001 – International Standard for Information Security Management
http://www.iso.org/iso/catalogue_detail?csnumber=42103

Information Security Incident Management: A Methodology
http://shop.bsigroup.com/en/ProductDetail/?pid=000000000030165302

12) About Blackthorn

Blackthorn Technologies is a dedicated team of specialists in Digital Forensics and Cyber Security Investigations. Formerly known as QCC and formed in 1996 by ex-officers of the UK Metropolitan Police Computer Crime Unit (CCU) and Technical Support Unit (TSU), their work has produced many tools and publications to assist the Digital Forensics investigator. We work for law enforcement, government and commercial organisations investigating a range of incidents and cases. We have been accredited by Visa and MasterCard as Qualified Forensics Investigators (QFI) and have designed the Blackthorn governance, risk and compliance system for management of incidents, cases, assessments, audits and any other security activity.

13) The Author

Neil Hare-Brown is CEO of Blackthorn. He has over twenty-five years of experience in information security, risk assessment and digital investigations and in 2007 published a book on Incident Response published by British Standards (BIP: 0064).

Neil has an MSc in Information Security from Royal Holloway, University of London. He is a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP).

He is a proud member of the Cloud Security Alliance and British Computer Society, as well as the City of London Company of Security Professionals.

Blackthorn Technologies Ltd,
Buchanan House, 24-30 Holborn,
London, EC1N 2XL
www.blackthorn.com
[email protected]
+44 (0)20 7353 9000