Forensics is the art of applying scientific techniques or tests to gather data and evidence in order to determine the exact cause and nature of a crime and to detect it, thereby helping law enforcement agencies to mete out justice.
Digital forensics is a discipline that deals with the collection and analysis of system data and evidence after an incident or data breach has occurred in an organization. Because of the manifold increase in sophisticated and organized cyber-attacks on high-profile individuals, corporates and governmental agencies alike, the need for forensic professionals is on the rise and has become a top-priority necessity in the cybersecurity domain.
The advent and rapid adoption of Cloud Computing, spearheaded by the Work from Anywhere environment brought on by the pandemic, has now given rise to Forensics as a Service (FaaS).
Forensics as a Service offers innovative, cost-effective and efficient solutions to enterprises to address the growing challenges faced by the digital forensics community in the industry. Establishing a dedicated, top-of-the-class forensics facility is a capital-intensive, skill-intensive and time-consuming process. Many law enforcement agencies and individuals, and most body corporates, do not have the wherewithal to set up a dedicated space for conducting forensics analysis, and this is where FaaS services bridge the gap. This paper provides an overview of the state of Forensics as a Service (FaaS) solutions, the steps followed in the detection of data thefts and recovery, and a list of the key players dominant in this segment.
Digital forensics analysis is described as the process of collecting digital evidence for performing criminal investigations while protecting and maintaining the confidentiality and integrity of the data. Organizations have to deal with the complexity of AI, Big Data, migration issues, the analysis of the various physical hardware devices in use, and distributed Cloud architectures. Since forensic analysis has to be done sequentially to trace the origin of cybercrimes, one of the most significant challenges of digital forensics is the multitude of software and hardware logs generated by systems. Customers and law enforcement agencies benefit greatly from using Forensics as a Service (FaaS) solutions, mainly because they help in resolving cyber-crime incidents while respecting the data privacy concerns and legal boundaries involved in different cases. Modern cloud providers now provide users with digital forensics tools and data analysis services, so that users need not worry about executing distributed code in the background when running various applications.
Challenges Faced by Cloud and Digital Forensics
Forensics as a Service (FaaS) is a relatively new concept in the cyber security domain, largely because of the lack of cost-effective models available worldwide. FaaS solutions aim to bridge and resolve the complexities associated with distributed Cloud architectures and virtualization when collecting and analysing the multitudes of data being churned out.
The following is a list of the major challenges faced by digital forensics on the Cloud:
- Network Device Accessibility - Most networked devices run in virtualized and compartmentalized environments. Most often, users/forensic teams generally don’t have physical access to them when incidents occur.
- Data Collection - Every cloud vendor has its own data collection method, and it isn’t easy to categorize or generalize information-gathering methods. The data collection methods employed by vendors/service providers also depend on the law of the land from where the service is being provided and the law of the land where the service is being consumed.
- Service Level Agreements (SLAs) – SLAs are legally binding documents that state the terms and conditions of the services to be provided and availed, and the acceptable quality levels, as per the contract agreed upon by the Cloud vendors/service providers and customers. These SLAs must be updated to compulsorily include details of forensics support, the forensics tools used for investigations, and other information related to protecting end users and service providers from multi-jurisdictional and multi-tenant challenges.
- Mapping Network Hops – Hop-by-hop mapping is not easily possible in Cloud routing architectures, since they use multiple hosts.
- Data validity – Even if forensic evidence is collected by isolating data, it is challenging to prove and validate the integrity of the data and the veracity of its source(s) of origin.
- On-demand Scalability Issues – Forensics tools aren’t designed to scale with an organization’s needs, and this is a problem that developers have to address.
- Loss of data – Sudden shutdowns of virtual machines, failure of hardware or physical devices on networks, and prolonged downtime due to operational issues can lead to loss of data. It has often been observed that there are not enough data backup measures in place that act automatically in such cases.
- Anti-forensics techniques – Anti-forensics techniques such as hiding evidence, deleting data, spoofing messages, tampering with evidence, and misleading forensics investigators prove to be a challenge for the forensics community. The social engineering tactics involved in these crimes are difficult to unravel.
Issues with Cloud Forensics
Cloud forensics suffers from multi-tenancy issues and an overdependence on CSPs. For PaaS and SaaS services, customers do not have access to data logs, since their information is hosted on Cloud architectures. Another obstacle that has been observed is the legal jurisdiction and regional laws governing various regulations, which can hinder or prevent in-depth investigations. Customers do not have access to the physical hardware, networks, and servers where their data is hosted. Many Cloud vendors have policies stating that they are not willing to provide file logs merely because a customer has opted for a subscription. Each service model in the Cloud environment has its own unique set of challenges. The relationship between customers and Cloud vendors can also prevent FaaS professionals from doing complete investigations, owing to the data privacy norms and obligations in place.
Additionally, cloud services can host a victim’s data across multiple data centres, countries, and jurisdictions, which further adds to the complexity of the challenges faced by investigators. Cloud vendors are not very cooperative when they are notified of forensics investigations, and forensics experts have a tough time getting them to operate in their favour so that digital evidence can be examined.
The Forensics as a Service Model
The biggest challenge with the FaaS model is failure to comply with ACPO guidelines while performing investigations in Cloud environments. FaaS research primarily deals with analysing log files on computers or using forensics tools with Cloud services; there is no explanation when it comes to the specific architectures used for performing forensics analysis. FaaS services are ideal for examining virtualized components on the Cloud such as networks, hardware drivers, firewalls, and routers.
The difference between Cloud forensics and conventional digital forensics is the amount of computational resources and processing capability possessed by Cloud vendors compared with traditional IT systems, which lets users save critical forensics data for analysis.
A typical FaaS engagement involves the following steps:
- Initial Assessment
The initial assessment is when forensics investigators analyse the extent of damages incurred and the state of cybercrime scenes.
- Digital Evidence Acquisition & Recovery
The investigators document the crime, gather information using various methods such as questionnaires, in-person interviews and system log reviews, and make every effort to collect digital evidence that can be used for forensic analysis. The next step is isolating the evidence, preserving it, and ensuring that its integrity is well maintained so that it becomes tamper-proof. In this phase, forensics experts comb through Cloud environments, corporate networks, and all devices connected to them.
- Forensic Examination and Analysis
Any fragmented pieces of evidence are reconstructed during the examination process. Forensics investigators begin analysing the data they have gathered and review it thoroughly. By this stage, they can determine how the crime took place, what methods were employed, and how to track down the perpetrators based on the digital footprints left behind.
- Forensics Reporting
A record of all the collected, examined, and analysed data and evidence is consolidated and made available, and a report is generated. This is then shared with the hirer, that is, the law enforcement agencies or individuals utilizing the service.
If any individuals or referenced parties were found to be involved in the digital crime, they have to be approached and their consent obtained to testify and provide expert testimony during the legal proceedings. This too has to be documented.
- Criminal or Civil Litigation Support
Once the information reports are ready, forensics investigators present them to the judge or presiding officer. Witnesses join the case and present their findings or experiences as well, to support the claims.
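The acquisition step above requires that collected evidence be preserved in a tamper-evident way. The following is an added example (not from the article or any FaaS vendor) of the usual practice: hash each acquired artifact at collection time, record the digest in a chain-of-custody manifest, and re-verify before examination and reporting. The image bytes and the collector name are constructed placeholders.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample standing in for an acquired disk or VM image.
SAMPLE_IMAGE = b"CONSTRUCTED-IMAGE-DATA " * 64

def hash_bytes(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of an artifact, hashed in chunks as one would a large image."""
    h = hashlib.new(algo)
    view = memoryview(data)
    for i in range(0, len(view), 4096):
        h.update(view[i:i + 4096])
    return h.hexdigest()

def record_acquisition(name: str, data: bytes, collector: str, algo: str = "sha256") -> dict:
    """Build one chain-of-custody manifest entry at the moment of acquisition."""
    return {
        "artifact": name,
        "size_bytes": len(data),
        "algorithm": algo,
        "digest": hash_bytes(data, algo),
        "collected_by": collector,           # constructed placeholder identity
        "collected_at": datetime.now(timezone.utc).isoformat(),
    }

def verify_artifact(entry: dict, data: bytes) -> bool:
    """Re-hash the artifact and compare it with the recorded digest.

    Size is checked first so a truncated copy fails fast; the digest comparison
    uses a constant-time compare so the check itself leaks nothing about the hash.
    """
    if len(data) != entry["size_bytes"]:
        return False
    return hmac.compare_digest(hash_bytes(data, entry["algorithm"]), entry["digest"])

def demo():
    """Record the constructed image, then verify an intact and an altered copy."""
    entry = record_acquisition("vm-disk-constructed.img", SAMPLE_IMAGE, "analyst-1")
    manifest = json.dumps(entry, indent=2)   # this text goes into the custody log
    intact = verify_artifact(entry, SAMPLE_IMAGE)
    altered_copy = bytearray(SAMPLE_IMAGE)
    altered_copy[10] ^= 0x01                 # a single flipped bit
    altered = verify_artifact(entry, bytes(altered_copy))
    return intact, altered, manifest
```

In practice the manifest is stored separately from the evidence itself and is hashed (or signed) in turn, so that neither the artifact nor its custody record can be changed unnoticed.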
Types of Forensics as a Service (FaaS) Solutions
In today’s world, Forensics as a Service (FaaS) solutions have proven invaluable in settling various crimes and civil disputes. The most popular types of FaaS solution are:
Imaging and Erasure Services – Erasure services make data completely unrecoverable, while imaging services trace digital artifacts and reconstruct them bit by bit. Disk imaging is used for secure data backups, and erased media can be reused without revealing previously stored information.
Mobile Forensics – Mobile forensics involves retrieving digital evidence from SMS, phone call logs, contacts, calendars and notes, and MMS messages. Data recovery from compromised mobile devices can be performed using various forensics techniques, including monitoring remote access activity, keyword searches, and usage logs.
Computer Forensics – These deal primarily with static data, though they need not exclude dynamic networks. Memory forensics is a part of computer forensics and involves collecting evidence from RAM, as well as storage media, hardware, and other computer systems.
There is a challenge with Cloud hosting providers since Cloud environments offer limited access controls, which makes conducting forensic investigations difficult. Cloud forensics is superior to regular digital forensics as it has greater computational power and processing capabilities. Doing forensics investigations on Cloud hosting providers is problematic since most provide persistent storage facilities which users take advantage of to create multiple Virtual Machines (VMs). Digital Forensics as a Service can help companies reduce backlogs, free up time, and analyse evidence in efficient ways. More time is spent initially performing administrative tasks since forensics investigators do not have the rights or access to take jurisdiction of their investigative environments. Digital crimes conducted on a broader scale face the problem of collaborating with multiple forensics investigators to solve them. A multi-tier Cloud architecture can provide Forensics as a Service (FaaS) to improve cost efficiency and reduce the amount of time taken to carry out in-depth investigations.
About the Author:
Dr. Lopa Mudraa is a leading cybersecurity revivalist with more than 18 years of experience in the cybersecurity, risk management and governance domains, and is known for her accomplishment in presenting value as a business enabler by transforming Security & Privacy into a business USP. She is responsible for boosting the confidence of various business organizations by providing a safe and secure platform that facilitates several operations and helps explore new avenues of revenue generation to achieve the desired goals. Dr. Lopa Mudraa specializes in various cyber security domains such as Risk-based Audit Lifecycle Management, including Tech-Audit & Standardization & Compliance Program Lifecycle Management, Cyber Defense Program Management, etc., and holds various certifications such as CHFI, C|CISO, CRISC, CISM, QSA, RSA Archer Admin, LA ISO 27001:2013, etc.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.