Cloud forensics: new practice emerges out of necessity

Digital forensics is complicated enough. Now imagine trying to investigate servers and disks that are under someone else's control, and even on the other side of the world.

In the past two years, we have seen an explosion in applications for cloud computing, for both enterprises and individuals seeking additional capabilities and more storage. Add to that the rise of social media, which is a form of cloud computing in itself.

For law enforcement and investigators, this means vital evidence is no longer sitting on the hard drives of corporate or individual computers that can be impounded and dissected. Evidence may be sitting out on a cloud somewhere, perhaps in another land.

To meet this challenge, a new practice is emerging: "cloud forensics." The National Institute of Justice, the research arm of the US Department of Justice, is beginning to focus resources on this area.

As reported by TechTarget's George Lawton, US courts, law enforcement and criminologists are just beginning to grasp the extent of the challenge, as lawsuits and investigations already have become more complex due to digitization of information. Studies are confirming that the costs of electronic investigations and discovery are growing at a clip of close to 50% a year.

Consider some of the challenges in finding and preparing evidence from the cloud, described by Lawton:

"In traditional computer forensics, the evidence contained within the media is within the control of law enforcement from the moment of seizure. Assuming that the cloud in question is within the United States, the forensic challenges raised by cloud computing are related to control of the evidence, including collection, preservation and validation. 'With cloud computing, law enforcement does not have physical control of the media nor the network on which it resides,' said [NIJ physical scientist Martin] Novak. 'Many users will have access to a particular cloud. How does law enforcement seize only that portion of the media where the evidence may exist? How will they know if they have gotten everything that they will need during the analysis, interpretation, documentation and presentation phases?'"

Removal of evidence from foreign jurisdictions -- where many cloud storage sites reside -- adds another tricky dimension to the problem.

A new generation of e-discovery tools may help ease some of the pain associated with cloud forensics. And we're likely to see the rise of a new class of professionals specializing in cloud forensics in the years to come.

Note: Keyun Ruan, a PhD candidate at the Centre for Cyber Crime Investigation in Ireland (quoted in Lawton's article), maintains a blog on the topic of cloud forensics, and also has a PowerPoint presentation that explores the background and challenges.
