Tips for good Cloud Forensics

Cloud computing continues to be an integral part of most businesses. About 90% of companies have a hybrid architecture, meaning that at least part of their IT infrastructure is hosted in the cloud. This adds a lot of convenience but also some complexity, and one area where that complexity shows up is forensic investigations: cloud forensics sits at the intersection of cloud computing and computer forensics.

Why is cloud forensics important?

Just because your infrastructure is in the cloud doesn’t mean you are not responsible for cyber attacks that happen on those machines. Just as you are responsible for the IT infrastructure on your premises, you need to be able to investigate security incidents that occur in the cloud. This matters for proper resolution of the incident at hand, but having this capability is also important for passing audits and meeting regulatory compliance. Also, if you use an MSP, you need to ensure that they will handle the investigation properly and understand which responsibilities lie with you and which are theirs.

Considerations for Cloud Forensics:

1) Isolate the box: You need the means to isolate any cloud machine from the network, since it’s not as simple as unplugging a network cable. You need staff who understand how to do this when needed, and their contact information must be readily available.

2) Know how to make copies: It’s important to understand how to clone an instance for cloud forensics. Typically you never want to do forensic work on the original copy of a machine, so your organization must have the capability to make complete copies of any instance you have in the cloud for forensic work to be done effectively.

3) Jurisdiction: If you’re doing any type of forensic work for a law enforcement agency, you may run into an issue of jurisdiction based on where the server is physically located. Even if the investigation is for, or about, a US company, if the server is not physically located in the US you may run into problems getting authorization to do work on that machine.

4) Analysis: A big issue with cloud infrastructure that may be in another time zone is time synchronization of logs when building an overall timeline of what has happened. This can be tricky because initially the timeline won’t make sense if the machines aren’t in the same time zone, and work must be done to organize everything into one coherent timeline.
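As an added example (not code from the original article), the Python script below shows the normalization step described above: it converts log lines from hosts in different time zones into one UTC-ordered timeline. The host names, log lines and the HOST_ZONES inventory are constructed for illustration; hosts whose logs carry no offset need their zone documented somewhere, which is exactly the piece of work that is easy to forget.

```python
"""Normalise logs written in different local time zones into one UTC timeline."""
import re
from datetime import datetime, timedelta, timezone

# Constructed inventory: local zone for hosts whose logs carry no UTC offset.
# In a real investigation this comes from your asset inventory, not guesswork.
HOST_ZONES = {
    "db-ap-northeast": timezone(timedelta(hours=9)),   # logs stamped in JST
}

# Constructed sample lines. Read in raw order they look nonsensical (09:10,
# 15:14, 14:10, 23:20); only after normalisation do they form one story.
SAMPLE_LOGS = [
    "2024-03-10T09:10:02-05:00 web-us-east sshd: Accepted publickey for deploy",
    "2024-03-10T15:14:30+01:00 web-eu-central sudo: deploy : COMMAND=/bin/bash",
    "2024-03-10T14:10:00Z lb-global alb: new target registered",
    "2024-03-10 23:20:45 db-ap-northeast mysqld: Aborted connection",
]

# date, time, optional offset (Z, +HH:MM or +HHMM), host, free-text message
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})[T ](?P<time>\d{2}:\d{2}:\d{2})"
    r"(?:\s*(?P<tz>Z|[+-]\d{2}:?\d{2}))?\s+(?P<host>\S+)\s+(?P<msg>.*)$"
)


def parse_line(line):
    """Return (utc_datetime, host, message) for one log line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    stamp = f"{m['date']} {m['time']}"
    if m["tz"]:
        # Offset is in the line itself; %z accepts Z, +09:00 and +0900.
        dt = datetime.strptime(f"{stamp} {m['tz']}", "%Y-%m-%d %H:%M:%S %z")
    else:
        # Naive local timestamp: refuse to guess, the zone must be on record.
        zone = HOST_ZONES.get(m["host"])
        if zone is None:
            raise ValueError(f"no time zone on record for host {m['host']}")
        dt = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=zone)
    return dt.astimezone(timezone.utc), m["host"], m["msg"]


def build_timeline(lines):
    """Parse all lines, sort by UTC time, return (utc_iso, host, message) tuples."""
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: e[0])
    return [(dt.strftime("%Y-%m-%dT%H:%M:%SZ"), host, msg) for dt, host, msg in events]


if __name__ == "__main__":
    for utc, host, msg in build_timeline(SAMPLE_LOGS):
        print(utc, host, msg)
```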

5) Vendor contracts: If your company uses a managed service provider (MSP), a company that handles incident response on your behalf for cloud-based incidents, then you need clear statements of work that outline who will be doing which activities (whether it’s your responsibility or theirs), how quickly they will respond and what work will be done. This is to ensure you are happy with the results and the depth of their investigation.

One good place for learning more about cloud forensics is the Cloud Security Alliance (CSA), which is an organization dedicated to helping people secure their cloud infrastructure. They have published a whitepaper on conducting forensic investigations in cloud environments.

How to get more free content

If you like this article and would like to read more of our content for cybersecurity insights, tips and tricks feel free to follow us on our social media. If you’re a struggling business owner who needs help in assessing their business’s cybersecurity posture feel free to take advantage of our free introductory assessment and we’ll help you figure out a game plan for keeping your company safe.