
IR & Forensics in the Cloud

Gerard Kerrigan 10 Jan 2020

More and more organisations are moving their business to the cloud. This makes securing data and being able to respond effectively to incidents in cloud environments an important topic.

Having the skills on hand to properly collect digital forensics data in response to a legal dispute, or during a cyber-attack or data breach incident, is key to effective defence. So, what are the key factors to understand?

Understand your Cloud Architecture

There are three prominent service delivery models provided by a number of cloud service providers:

  • Infrastructure as a Service (IaaS) which provides basic computer infrastructure such as virtual machines, storage and network functions.
  • Platform as a Service (PaaS) which delivers an entire computing platform and solution stack as a service, for example delivering web applications and services, and deploying applications without the cost and complexity of managing the underlying hardware and software yourself.
  • Software as a Service (SaaS) which may be considered “on-demand software” where software and associated data may be accessed by users via a web browser.

Where is your Cloud Data?

There are four basic cloud types. Understanding how each type affects the level of data you can access to support a forensic investigation will assist in planning for incident response or cloud-based forensic investigations:

  • Public Cloud: This is the most common type of cloud offering and is pretty much dominated by the likes of Microsoft (M365), Amazon Web Services (AWS) and Google Cloud Platform (GCP). Generally, you will be sharing resources with other businesses in this type of cloud.
  • Private Cloud: This is infrastructure operated by and solely for a single organisation. It may be locally managed or managed as a service by a third party.
  • Community Cloud: This is a cloud infrastructure shared by several organisations, usually with a specific community purpose.
  • Hybrid Cloud: This option combines two or more clouds (private, community, or public) that remain unique entities but are bound together to enable data and application portability, for example load-balancing.

Where is Forensic Data Commonly Found in the Cloud?

The first step to understanding this is to know exactly where your data is, and how much direct access you have to it. Which cloud type you are working with will influence this. For example, the lower down the cloud technology stack your provider sits, the more control you will have over the available data. Some examples:

  • In a private cloud, you are more likely to have direct access to your hardware infrastructure.
  • If using a SaaS model over a public cloud, direct evidence collection will be limited to whatever your provider allows access to in the way of logs or other audit reports.

If it is not clear what level of potentially useful forensics data your cloud service provider can make available in the event of an incident, you should approach them and find out. Also, ensure that you know where your data is physically stored. Legal, compliance and regulatory matters may differ depending on where your information is stored.

Incident response and digital forensics in the cloud can be complex. It necessarily demands a greater level of experience than on-premises investigations. You may be surprised by the lack of experienced professionals readily available on the market, so do your research and be prepared. Knowledge is power, and never more so than when faced with a cyber-attack or data breach.

By default, the amount of forensic data on cloud platforms is limited, often only to high-level logs with a short history. Enabling forensic auditing functions can significantly increase the amount and quality of forensic data retained by the system. In the real-world scenarios we encounter, cloud platforms are often misconfigured and forensic log information is limited to a short period (approx. 30 days in most instances), meaning that the period of interest is often missing or incomplete.

Due to the fragmentation, it can be hard to give direction to a particular customer, let alone generically. However … :

How forensic auditing is enabled can vary from platform to platform and even from version to version; however, there is a growing trend to expand and publicise these functions through the management dashboard. Many platforms now come with security setting auditing, which scores the platform based on the current configuration and in some instances allows changes to be made in order to secure the system (including enabling forensic auditing). Common to all platforms is the log retention period, which should be set as high as the current platform license allows.
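To make the retention point above concrete, the following added example (not part of the original post) works out how much of a period of interest each log source can still cover, given its retention setting and the date auditing was enabled. The source names, retention values and dates are constructed assumptions, not settings of any particular platform.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class LogSource:
    name: str                          # hypothetical log source name
    retention_days: int                # how far back the platform keeps this log
    enabled_on: Optional[date] = None  # date auditing was switched on; None = always on


def coverage(src: LogSource, start: date, end: date, today: date):
    """Return (covered_days, missing_days) for the inclusive period [start, end]."""
    oldest = today - timedelta(days=src.retention_days)
    if src.enabled_on and src.enabled_on > oldest:
        oldest = src.enabled_on        # nothing was recorded before auditing was on
    total = (end - start).days + 1
    first = max(start, oldest)
    last = min(end, today)
    covered = max(0, (last - first).days + 1)
    return covered, total - covered


def gap_report(sources, start: date, end: date, today: date):
    """List (name, covered_days, missing_days), worst gap first."""
    rows = [(s.name, *coverage(s, start, end, today)) for s in sources]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed inventory and dates, for illustration only.
SOURCES = [
    LogSource("sign-in log", retention_days=30),
    LogSource("admin audit log", retention_days=90),
    LogSource("mailbox audit log", retention_days=365, enabled_on=date(2019, 12, 1)),
]
TODAY = date(2020, 1, 10)         # day the investigation starts
PERIOD_START = date(2019, 11, 1)  # earliest suspected activity
PERIOD_END = date(2020, 1, 5)     # day the incident was detected

if __name__ == "__main__":
    for name, covered, missing in gap_report(SOURCES, PERIOD_START, PERIOD_END, TODAY):
        print(f"{name:20} covered={covered:3}d missing={missing:3}d")
```

Note that the long-retention source still has a gap, because auditing was only enabled part-way through the period of interest.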