Cloud forensics is not just a technical issue but a multi-dimensional one. In this chapter
we will study the three dimensions of cloud forensics: the technical dimension, the
organizational dimension and the legal dimension. We will also discuss the investigation
challenges faced in each dimension.
As the name suggests, the technical dimension consists of the tools and procedures required to
perform a forensic investigation in a cloud computing environment. In this section, we will study
data collection, live forensics, evidence segregation, proactive measures and virtualized
Data Collection: This process includes the following steps: identifying, labeling, recording and
acquiring forensic data. The forensic data includes artifacts from the customer's end that reside
on customer premises and artifacts from the service provider's end that are located in the cloud
service provider's infrastructure. The segregation of duties between service providers and
customers in forensic responsibilities differs between service models, and the interaction among
the multiple tenants sharing the same resources differs between deployment models. The
collection process should preserve the integrity of the data, with clearly defined segregation of
duties between the customer and the service provider. It should also maintain the chain of
custody throughout the investigation process.
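The following added example (not part of this chapter or of any cited tool) shows one way to implement the labeling, recording and integrity steps described above in Python: each artifact is labeled with its origin (customer side or CSP side), hashed at acquisition, and the acquisition records are linked into a hash chain so that a later alteration of a record, or of the evidence itself, is detected at verification time. The artifact names, contents, collector identities, timestamps and the origin labels "customer" and "csp" are constructed placeholders.

```python
import hashlib
import json

# Constructed sample artifacts. Labels and contents are placeholders; in a
# real acquisition these would be the customer-side and provider-side files.
CUSTOMER_ARTIFACTS = {
    "browser-history.db": b"constructed customer-side artifact",
}
CSP_ARTIFACTS = {
    "vm-access.log": b"constructed provider-side artifact: vm access log",
    "ip-flow.log": b"constructed provider-side artifact: ip log",
}
GENESIS = "0" * 64  # previous-digest value used for the first record


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_artifact(label, data, origin, collector, acquired_at):
    """Identify, label, record and acquire one evidence item.
    'origin' records which side the artifact came from, so the segregation
    of duties between customer and CSP stays visible in the record."""
    if origin not in ("customer", "csp"):
        raise ValueError("origin must be 'customer' or 'csp'")
    return {"label": label, "origin": origin, "collector": collector,
            "acquired_at": acquired_at, "size": len(data),
            "sha256": sha256_hex(data)}


def record_digest(entry, prev):
    """Digest over the canonical JSON of one record plus the previous digest."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return sha256_hex((prev + canonical).encode())


def build_custody_chain(entries):
    """Link acquisition records into a hash chain: altering, inserting or
    removing a record breaks every link after it."""
    chain, prev = [], GENESIS
    for entry in entries:
        rec = dict(entry, prev=prev, digest=record_digest(entry, prev))
        chain.append(rec)
        prev = rec["digest"]
    return chain


def verify_custody_chain(chain, evidence):
    """Check the chain and the evidence currently held (label -> bytes).
    Returns (ok, list of problems found)."""
    problems, prev = [], GENESIS
    for rec in chain:
        body = {k: v for k, v in rec.items() if k not in ("prev", "digest")}
        if rec["prev"] != prev:
            problems.append(f"{rec['label']}: chain link broken")
        if record_digest(body, rec["prev"]) != rec["digest"]:
            problems.append(f"{rec['label']}: custody record altered")
        data = evidence.get(rec["label"])
        if data is None:
            problems.append(f"{rec['label']}: evidence missing")
        elif sha256_hex(data) != rec["sha256"]:
            problems.append(f"{rec['label']}: content hash mismatch")
        prev = rec["digest"]
    return (not problems, problems)


def demo():
    """Acquire the constructed artifacts from both sides and verify the chain."""
    entries = [acquire_artifact(n, d, "customer", "analyst-1", "2024-03-10T13:00:00Z")
               for n, d in CUSTOMER_ARTIFACTS.items()]
    entries += [acquire_artifact(n, d, "csp", "csp-liaison", "2024-03-10T13:10:00Z")
                for n, d in CSP_ARTIFACTS.items()]
    chain = build_custody_chain(entries)
    held = {**CUSTOMER_ARTIFACTS, **CSP_ARTIFACTS}
    return verify_custody_chain(chain, held)


if __name__ == "__main__":
    print(demo())
```

A hash chain only detects changes relative to a trusted anchor, so the last digest in the chain should be copied onto the signed custody form at each hand-over; the origin field is what lets the investigator show afterwards which party collected which artifact.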
Challenges: Now we will study the challenges in the data collection process. In every combination
of cloud service model, the cloud customer faces the challenge of decreased access to data.
Access to data varies considerably based on the cloud model that is implemented. This means
cloud customers generally have little or no control over the physical locations of their data. In fact,
they may only be able to specify a location at a high level of abstraction, typically as a container.
Service providers intentionally hide data locations from customers to facilitate data movement
and replication. For example, IP logs, virtual machine access logs and disk images are required in
the data collection process; all of this information is crucial while conducting the investigation,
but it is very difficult to gather it from cloud servers.
Data storage elasticity: It is considered one of the central attributes of cloud computing.
Elasticity plays a major role in cost reduction. Cloud resources can be provisioned and
released quickly on demand. Also, acquiring and releasing resources can be automated to
make sure that the application requiring a resource will have that resource at any given point of
Challenges: There are three main cloud forensic challenges related to this aspect of the technical dimension:
1. Proliferation of endpoints: with the large number of resources connected to the cloud, the impact
of a crime and the workload of an investigation can be massive.
2. Event-time synchronization: Time synchronization of events is complicated because the data
of interest resides on multiple physical machines in multiple geographical regions, or the data
may be in transit. This makes it difficult for the forensics expert to reconstruct the series of
events that took place before the intrusion.
3. Retrieving deleted data: Deleted data is an important source of evidence in traditional digital
forensics. In the cloud, the customer who created a data volume often retains the right to
alter it. When the customer deletes a data item, the removal of the mapping in the domain
begins immediately and is typically completed in seconds. Remote access to the deleted data
is not possible without the mapping.
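As an added example for challenge 2 (not code from this thesis), the Python below normalizes log lines from three constructed sources in different regions to UTC before ordering them: one line carries its own UTC offset, one is local time whose offset must be supplied from the machine's documented configuration, and one is an epoch value. It also subtracts the measured clock skew of each source and sets aside lines whose timestamp cannot be parsed rather than silently dropping them. The source names, offsets, skew values and log contents are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: log lines per source, each in its native format, plus the
# per-source metadata an investigator must establish and document before
# correlating events: the local UTC offset (where the line carries none) and the
# measured clock skew against a reference clock (positive = source runs ahead).
SOURCES = {
    "eu-web-01": {
        "format": "apache",      # timestamp carries its own UTC offset
        "skew_seconds": 4,       # this clock was measured 4 s ahead
        "lines": ['[10/Mar/2024:14:05:07 +0100] "GET /dashboard HTTP/1.1" 200'],
    },
    "us-vm-07": {
        "format": "local",       # local time, no offset in the line
        "utc_offset_hours": -5,  # taken from the VM's configuration (assumed)
        "skew_seconds": 0,
        "lines": ["2024-03-10 08:05:01 sshd: Accepted publickey for deploy"],
    },
    "ap-storage": {
        "format": "epoch",       # seconds since the Unix epoch, always UTC
        "skew_seconds": 0,
        "lines": ["1710075905 bucket=evidence-01 op=GetObject key=dump.img",
                  "malformed entry with no timestamp"],
    },
}


def parse_timestamp(fmt, line, utc_offset_hours=0):
    """Return (aware UTC datetime, remaining message); raise ValueError on bad input."""
    if fmt == "apache":
        end = line.index("]")  # ValueError if the bracketed timestamp is missing
        ts = datetime.strptime(line[1:end], "%d/%b/%Y:%H:%M:%S %z")
        return ts.astimezone(timezone.utc), line[end + 1:].strip()
    if fmt == "local":
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
        return ts.astimezone(timezone.utc), line[19:].strip()
    if fmt == "epoch":
        first, _, rest = line.partition(" ")
        ts = datetime.fromtimestamp(int(first), tz=timezone.utc)  # ValueError if not an int
        return ts, rest
    raise ValueError(f"unknown timestamp format: {fmt}")


def build_timeline(sources):
    """Normalize every line to UTC, remove known clock skew and sort.
    Returns (events, rejected): events as (iso_utc, source, message) tuples,
    rejected as (source, raw_line) for lines that could not be timestamped."""
    events, rejected = [], []
    for name, meta in sources.items():
        for line in meta["lines"]:
            try:
                ts, msg = parse_timestamp(meta["format"], line,
                                          meta.get("utc_offset_hours", 0))
            except ValueError:
                rejected.append((name, line))
                continue
            ts -= timedelta(seconds=meta.get("skew_seconds", 0))
            events.append((ts.strftime("%Y-%m-%dT%H:%M:%SZ"), name, msg))
    events.sort()
    return events, rejected


if __name__ == "__main__":
    timeline, bad = build_timeline(SOURCES)
    for event in timeline:
        print(*event)
    for source, line in bad:
        print(f"REJECTED from {source}: {line}")
```

With the constructed values, the raw web-server reading (13:05:07 UTC) is later than the storage read (13:05:05 UTC), but once the 4 s skew is removed the web request comes first. The order of events changes only because each source's offset and skew were recorded; without that metadata the investigator would reconstruct the wrong sequence.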
Virtualization: The capability of the cloud to provide multi-tenant services at the infrastructure,
platform, or software level is often justified by the ability to provide some form of virtualization
to create economies of scale. Virtualization is a key technology used to implement cloud services.
If Virtual Machine (VM) technology is used in the cloud infrastructure, then we must be concerned
about the compartmentalization and hardening of those virtual machines. Many cloud service
providers use a hypervisor to monitor and run the servers. The hypervisor is used to control and
monitor the virtual cloud servers without actually going to the physical location of the servers.
Challenges: It is always easier to attack the main system than to attack multiple systems of
interest. Attackers apply this logic and usually try to attack the hypervisor. The hypervisor can
be compared to the kernel of a traditional operating system. Due to a lack of policies,
procedures, tools and techniques, it is very difficult for a forensic investigator to investigate a
compromised hypervisor and gather the important information.
Furthermore, data mirroring over multiple machines in different jurisdictions and the lack
of transparent, real-time information about data locations further hinder the investigation.
There is a chance that investigators might unknowingly violate laws and regulations because of a
lack of information about data storage jurisdictions. Additionally, it is very difficult for cloud
service providers to give the exact geographic location of the cloud server holding a given piece
of data. All these factors clearly indicate that it is a very challenging task for a forensic
investigator to retrieve information from the cloud.
A forensic investigation in a cloud computing environment involves three entities: the
consumer, the cloud service provider, and sometimes a third party. A proper organizational
structure is required in order to carry out cloud forensic activities flawlessly and effectively.
The organizational structure includes Service Level Agreements (SLAs) and policies. SLAs
are the terms and conditions signed by two entities involved in one business (i.e. the client
and the CSP should have one SLA between them that contains all the information about the
services provided by the service provider to the client). Policies are the organizational laws; they
are for the internal staff members. The organizational structure will help us in understanding the
set of rules that should be followed inside the organization in order to secure the information (in our case
It is very important for any organization to secure its systems from internal attacks. For
example, if an organization is using physical servers, then it has to secure the server rooms
properly with measures such as physical security, protection from natural calamities, protection
from weather, etc. Similarly, if an organization is using cloud servers, then it has to take security
measures to avoid internal attacks. This is because, most of the time, internal attacks occur due
to the ignorance of internal staff. Also, internal staff, customers and external assistants should be
sufficiently trained to help the forensic investigators. If an organization has experienced forensic
investigators and experienced technicians, then the investigation would be much easier.
However, this is not the case in every organization.
Challenges: There are two major challenges faced in establishing forensic capabilities in the
1. Internal staffing: Many times the organization uses its internal investigation team. The
internal investigation team is either inexperienced or does not have sufficient tools to
investigate properly. Moreover, they use network forensic tools which might not be
sufficient for their investigation. Organizations should either hire an external forensic team
or enhance their in-house forensics labs by acquiring proper tools. Also, the organization should
hire experienced forensic experts for the cloud investigation, because cloud investigation
is one of the most challenging tasks.
2. External dependency chains: We have studied the involvement of third parties in cloud services.
Many times there are more than three cloud service providers involved in providing a service
(depending on the location). This shows that one CSP has dependencies on other CSPs. A
cloud forensic investigation thus requires investigation of each individual link in the
dependency chain. Correlation of activities across CSPs is a major challenge. Lack of
coordination between the CSPs involved can lead to problems. Due to the lack of procedures,
policies and agreements related to cross-provider forensic investigations, it is very difficult
for the forensic team to investigate when multiple CSPs are involved.
The legal dimension of cloud forensics defines the policies and service level agreements that
ensure forensic activities do not breach laws and regulations in the jurisdictions where the
data resides. It should include policies and procedures that are common to and applicable in all
the tenants where the data is accessed and stored. This means that the confidentiality of other
tenants that share the same infrastructure should be preserved.
regarding forensic investigations should be included in SLAs:
The services and techniques supported, and the access provided by the CSP to customers during
Trusted boundaries, roles and responsibilities between service providers and customers
regarding forensic investigations.
The process for conducting investigations in multi-jurisdictional environments without
violating applicable laws, regulations, and customer confidentiality and privacy policies.
All of the above points about rules, regulations and service level agreement details are ideal;
in reality this is not the scenario in cloud computing, and this therefore leads to various legal
challenges in cloud forensic investigation.
Challenges: Legal challenges include identifying and addressing issues of jurisdiction for legal
access to data; the lack of effective channels for international communication and cooperation
during an investigation; multi-tenant jurisdiction; and missing terms in contracts and service level
Service Level Agreement (SLA): Transparency in the SLA creates the biggest challenge for
forensic investigators. Due to unawareness among customers, a lack of transparency between
CSPs and a lack of international laws and regulations, SLAs are not prepared properly by the
CSP, and this creates a loophole in the investigation process.
Multiple jurisdiction and tenancy: Laws and regulations differ from country to country, or even
between parts of a country, and multi-tenancy is one of the biggest characteristics of cloud
computing. Customers can connect to the cloud server from different locations. The absence of a
worldwide regulatory body, or even a federation of national bodies, significantly affects the cloud forensic