Skip to the main content.
TRY NOW
TRY NOW

3 min read

Digital Forensics in the Cloud

Picture of Evren Pazoglu Evren Pazoglu : Tue, Nov 22, '22

DFIR Products & Solutions
Featured Image

Cloud computing has become an integral part of our business infrastructure. In this blog, we will talk about the improvements of digital forensics in the cloud.

We use cloud computing primarily for application development, providing and brokering services, and storing business and customer data. Cloud computing has become so embedded in our business systems that we use it unconsciously; almost all services we get from the internet completely or partially use cloud computing. Mail, music, video, social media, web sites all use cloud computing.

Cloud computing has enormous data storage and computing power. Inevitably, the data being stored in the Cloud has become a very attractive target to cyber attackers.

According to Check Point's 2022 Cloud Security Report, 27% of organizations have experienced a security incident in their public cloud infrastructure within the last 12 months. Since every minute is critical in any cyber incident, enterprises need to be prepared to respond immediately to minimize the impact of the incident.

Cloud Computing Threats

digital-forensics-cloud

The main motivations of the attackers are generally money, hacktivism is very rare these days, and state-sponsored espionage, while growing, is still rare.

The attacker's main objectives are usually to seize the data to sell in the black market, encrypting it using ransomware to extort a payment from the data owner, or misusing breached infrastructure to create spam, DDoS attacks, phishing campaigns or crypto mining.

Even though Cloud computing has many advantages, it comes with many security challenges and threats. These threats lead to lots of vulnerabilities in cloud computing systems for Enterprises. The root cause of these threats is generally based on identity and access management misconfigurations, lack of understanding of cloud infrastructure, and lack of cloud strategy and visibility.

Cloud management is designed for easy use and data sharing, which can sometimes cause mistakes. These small mistakes may create vulnerabilities. Since everybody can access public cloud resources by design, attackers can easily access the management console or applications directly by taking advantage of improperly-configured security or compromised credentials.

Although the use of cloud computing seems easy, it is actually very sophisticated. Lack of system knowledge or understanding of cloud security and secure architecture, not creating a proper separation of duties for checks and balances, need to know and least privileges, or providing too many privileges to users can cause vulnerabilities. And attackers can take advantage of them to exfiltrate data or misuse cloud computing infrastructure.

Cloud DFIR

Cloud DFIR is a new branch of Digital Forensics and Incident Response that investigates cloud resources and responds to cloud-related incidents to solves cases faster.

DFIR professionals have been responding to the computer-related incident for more than 40 years, but when we come to the Cloud, some of these legacy tactics and tools that have worked in the past are no longer applicable. A change of perspective towards forensics, available tools and techniques for responding to cyber incidents in the cloud are required.

Cloud Forensics can be broadly divided into the main cloud service models; IaaS, PaaS, and SaaS.

Investigating the virtual machines used in IaaS and PaaS has similarities to traditional physical machines on premise; investigators can use many the same methods and tools. In addition, there is a requirement to easily access and acquire identity access and Netflow logs for cloud forensics.

Cloud computing provides many different data sources for investigation, but most of these data are logs. The logs are essential; however, when we investigate a physical or virtual machine directly, we can access lots of forensically sound data rather than logs. We can acquire lots of forensically sound data from disk, memory, and registry, carve deleted files, and investigate file systems, files, and folders to discover new evidence.

However, when we want to investigate SaaS applications like Office 365, Google Workspace, Slack, Zoom, Teams etc. the methods and tools need to be changed for cloud forensics. To effectively investigate this SaaS applications in the cloud investigators need tools that not only provide full log visibility but also provide the context around log structure, which logs are significant to the investigation and how to analyze them.

Even if cloud forensics methods are not the same as traditional forensics, almost all cloud-related incidents also relate to endpoints or on-premise devices. When the investigators start a case they need to acquire and access forensic data from both Cloud and on-premise devices and consolidate all those data to deepen the case and speed up the investigation process. One platform for all data collection, analysis, presentation, and collaboration can help the investigators save time, simplify the process and shorten the investigation and response process.

Conclusion

The use of cloud computing, the move of enterprises to the Cloud, and expanding existing cloud resources are increasing globally. This increase will lead to a rise in cloud-related incidents and the need for cloud forensics will increase proportionally.

The rise of the Cloud DFIR requirements is inevitable, so the sooner we start to implement the right tools for this, the faster we can adapt to the growing threats.

You can join our Cloud Forensics wait list here.