Cloud Computing Forensics: Summary of a NIST Update

Ron McFarland PhD
11 min read · Feb 8, 2023


The NIST Cloud Computing Forensic Science Working Group recently released changes embodied in the NIST IR 8006, NIST Cloud Computing Forensic Science Challenges, resulting from a joint effort between the public and private sectors. NIST highlighted the digital forensic challenges arising from public cloud computing services’ characteristics and business models. To examine digital forensics in the cloud, the first step was to comprehend cloud computing technology and to identify and explain its essential and exclusive qualities, which have a substantial effect on three areas of operation: regular operations, adverse operations when cloud computing resources are under attack, and operations during criminal exploitation. The second phase of this approach focused on closely assessing the challenges specified in the previous NIST report. This evaluation included analyzing the Cloud Security Alliance’s (CSA’s) Enterprise Architecture, its various functional capabilities and processes, and the potential effect of each challenge on performing a forensic investigation if a specific functional capability or approach was used in an attack or breach or was exploited criminally.

This work examines the weaknesses, vulnerabilities, and exposures of cloud technology that criminal activity could exploit, and how each can be addressed through forensic analysis. The CSA Enterprise Architecture (EA) is composed of distinct functional capabilities, which makes it possible to analyze the impact of each challenge on the forensic process capability by capability. The work clarified how forensics in the cloud could gain the same acceptance as forensics in traditional computing models. In line with the White House Executive Order of May 12, 2021, this document, the associated research, and NIST IR 8006 have proactively addressed the importance of forensic-ready information systems, including cloud systems, to improve the Nation’s cybersecurity.

Digital forensics is a scientific and technological field that investigates and analyzes digital artifacts found in information systems and networks. It is used mainly for legal and regulatory compliance but can also be used for other purposes. As computer and information science evolve, digital forensics has to adapt to these changes, increasing the number of scenarios that require its application and the complexity of the architecture.

Digital forensics is commonly used to investigate criminal activities in greater detail. Computers give criminals a powerful tool for both ‘traditional’ crimes, such as violent, property, and drug-related crime, and online activities such as data breaches, ransomware attacks, cyber-terrorism, illicit cryptocurrency mining, and child pornography. Forensic procedures involve locating and analyzing digital evidence to help solve the crime and support incident response. Forensic methods are also used in civil cases, for example, divorce proceedings, asset discovery, and insurance claims, to determine the presence, absence, and movement of data and money.

The use of forensic techniques could be essential for everyday business operations. For instance, forensic methods may be used to restore data that seemingly has been lost or destroyed on computer hard drives. When responding to an incident, the other aims of utilizing forensic methods may include thwarting potential cyberattacks, avoiding system collapses, or minimizing data loss.

Forensics in incident response can be invaluable in a commercial context, determining the root cause of an outage event. This could encompass anything from component failure to corrupted software or even intentional sabotage. Additionally, forensic methods can provide insights into system configurations, employee data storage and activities, and compliance matters that may not be otherwise accessible.

Several essential authoritative sources guide the design of information systems and therefore also shape the forensic investigation of those systems. These frameworks include:

1. The NIST Risk Management Framework (RMF): The NIST Risk Management Framework (RMF) is a comprehensive set of guidelines developed by the National Institute of Standards and Technology (NIST) to help organizations identify, assess, and manage cybersecurity-related risks. It provides an organized approach to security risk management by applying six steps: Categorize, Select, Implement, Assess, Authorize, and Monitor. The framework can be used to assess an organization’s security posture and develop effective measures for mitigating any identified risks.

2. The ISO 27000 series: The ISO 27000 series is an international set of standards that guide best practices for information security management. It outlines principles and processes to ensure the confidentiality, integrity, and availability of data within an organization. The series covers risk assessment, asset management, incident response, and access control. The ISO 27000 series include the following security topics:

a. ISO/IEC 27001: ISO/IEC 27001 is an international standard that outlines best practices for implementing an Information Security Management System (ISMS). It provides organizations with a framework to create, implement, monitor, and improve security measures to protect their information assets. The standard covers risk management, access control, system security, physical security, business continuity, and compliance.

b. ISO/IEC 27002: ISO/IEC 27002 is an international standard that provides best-practice recommendations on information security management. It is designed to help organizations ensure their information’s confidentiality, integrity, and availability by outlining specific control objectives and controls to be implemented. The standards cover various topics, including access control, network security, incident management, business continuity planning, and more.

c. ISO/IEC 27018: ISO/IEC 27018 is an international security standard that protects personally identifiable information (PII) in public cloud services. It specifies requirements for processing PII by cloud service providers, including measures to protect PII from unauthorized disclosure, ensuring appropriate data retention and disposal policies, and providing customers with clear information about the services offered.

d. ISO/IEC 27035: ISO/IEC 27035 is an international security standard for responding to security incidents. It outlines the processes, procedures, and best practices for detecting, investigating, and responding to cyber-attacks and other security incidents. The standard provides an end-to-end framework for incident management from initial detection through post-incident activities such as recovery, containment, eradication, and lessons learned.

e. ISO/IEC 27037: ISO/IEC 27037 is an international security standard that provides guidance and best practices for organizations to handle digital forensics during a security incident. It outlines procedures such as proper evidence handling, the chain of custody, and data acquisition.

3. The IT Infrastructure Library (ITIL): ITIL is an international collection of best practices for information technology service management. It provides a framework for organizations to create, deliver, and manage IT services to improve customer satisfaction and effectiveness. ITIL includes processes, procedures, and guidance for designing, transitioning, providing, and enhancing the delivery of IT services.

4. Sherwood Applied Business Security Architecture (SABSA): SABSA is a security architecture and framework that provides an effective and comprehensive approach to business risk management. It uses a layered and structured process that combines elements of the Risk Management Framework, Business Impact Analysis, Security Architecture, and Risk Treatment Plan. It helps organizations understand the threats their business faces and the steps they need to take to protect themselves.

5. Open Group Architecture Framework (TOGAF): The Open Group Architecture Framework (TOGAF) is a globally recognized enterprise architecture standard developed by The Open Group. It provides a comprehensive approach to enterprise IT architecture’s design, planning, implementation, and governance. TOGAF includes an extensive set of best practices, guidelines, and processes for designing, developing, and managing an organization’s IT architecture. It also helps organizations identify their current state of IT architecture to define future objectives and strategies for achieving them.

6. Cloud Security Alliance STAR program: The Cloud Security Alliance STAR program is a security standard that provides transparency and assurance around cloud products and services. It enables organizations to assess the security of cloud solutions, compare offerings from different cloud providers, and verify compliance with industry best practices and regulatory requirements. The program consists of self-assessment questionnaires and an attestation process that helps organizations evaluate their existing cloud solutions.

Cloud forensics applies digital forensic techniques to cloud services and is focused largely on analyzing virtual machines to investigate incidents or determine the cause of a security breach. It must account for the fact that the machines under examination are not dedicated physical hosts: the provider creates processing resources on shared hardware and runs multiplexed workloads on it, functionally multiplying those resources across many tenants.

Cloud computing offers many benefits to legitimate consumers, such as faster business continuity and disaster recovery, more efficient incident response, improved access to, management of, and archiving of information, and easier collaboration among individuals and groups in different locations.

The Cloud Forensics Reference Architecture

Nine categories identified in the Cloud Forensics Reference Architecture are essential. These include:

1. Architecture: Architecture challenges in cloud forensics involve navigating the diversity, complexity, provenance, multi-tenancy, and data segregation of cloud architectures. Specifically, these challenges include dealing with variability between cloud providers, tenant data compartmentalization and isolation during resource provisioning, managing the proliferation of systems and endpoints that store data, and maintaining accurate and secure provenance for the chain of custody.

2. Data Collection: The major challenges of data collection in cloud forensics include finding forensic evidence in large, distributed, and ever-changing systems; obtaining volatile data; retrieving data from virtual machines; and ensuring the integrity of data shared among multiple computers, locations, and users. Also, imaging all forensic artifacts in the cloud, accessing the data of one tenant without compromising the privacy of other tenants, and recovering deleted data in a shared and distributed virtual environment is daunting.

3. Analysis: The analysis is a key component of cloud forensics, which involves correlating forensic artifacts from multiple cloud providers, reconstructing events from virtual images or storage, verifying metadata integrity, and creating timelines from log data with synchronized timestamps. These activities pose challenges for investigators that must be addressed to carry out their investigations effectively.

4. Anti-forensics: Anti-forensics techniques are employed to hinder or deceive forensic investigations. Cloud forensics faces anti-forensic challenges such as obfuscation, malware deployment, data concealment, and other techniques that can compromise the validity of evidence. Moreover, the use of malware may bypass virtual machine isolation methods.

5. Incident first responders: The challenges faced by first responders in cloud forensics include having confidence in the competence and trustworthiness of cloud providers to act as first responders, difficulty conducting initial triage, and dealing with a large volume of data that must be collected and processed.

6. Role Management: The cloud forensics challenges related to role management are: 1) uniquely identifying the account owner; 2) separating cloud user credentials from physical users; 3) the ease of anonymity and of creating false identities online; 4) determining precise data ownership; and 5) authenticating and controlling access.

7. Legal: Cloud forensics legal challenges can be complicated due to issues such as determining the jurisdiction for gaining legal access to data, difficulties in international communication and cooperation during an investigation, relying on cloud providers’ cooperation, competence, and trustworthiness for data acquisition, missing terms in contracts and service-level agreements, and the difficulty of issuing subpoenas without knowledge of where the data is physically located.

8. Standards: The challenges posed to cloud forensics by standards include the absence of minimum/basic Standard Operating Procedures and tools, a lack of interoperability between cloud providers, and a lack of test and validation procedures.

9. Training: The major training challenges in cloud forensics are the use of traditional digital forensic training materials that are not suited to cloud forensics, the scarcity of cloud forensic training and expertise for both investigators and instructors, and the limited knowledge about evidence among record-keeping personnel working for cloud providers.
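The Analysis and Data Collection challenges above turn on two concrete tasks: building a timeline from log data whose timestamps are synchronized across providers, and preserving the integrity of collected records for the chain of custody. The following Python is an added illustration of both and is not code from the NIST report or from this post. The two log formats, the provider names, the tenant, actor and IP values are all constructed assumptions; real providers use their own schemas.

```python
"""Added example: normalize log records from two hypothetical cloud providers
into one UTC timeline and hash each raw record so its integrity can be
re-verified later (chain of custody). Formats and values are constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample records. "Provider A" emits JSON with UTC timestamps;
# "Provider B" emits pipe-delimited text with a local UTC offset. Both are
# assumptions for this example, not any real provider's format.
PROVIDER_A_LOGS = [
    '{"eventTime":"2023-02-08T14:03:11Z","eventName":"ConsoleLogin",'
    '"user":"alice","srcIp":"203.0.113.5"}',
    '{"eventTime":"2023-02-08T14:05:42Z","eventName":"GetObject",'
    '"user":"alice","srcIp":"203.0.113.5"}',
]
PROVIDER_B_LOGS = [
    "2023-02-08 09:04:30 -05:00 | tenant=acme | op=snapshot.create | actor=svc-backup",
    "2023-02-08 09:02:58 -05:00 | tenant=acme | op=role.assume | actor=alice",
]


def evidence_hash(raw: str) -> str:
    """SHA-256 of the raw record as collected; stored alongside the parsed event."""
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def parse_provider_a(line: str) -> dict:
    """Parse a JSON record whose eventTime is already UTC ('Z' suffix)."""
    rec = json.loads(line)
    ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    ts = ts.replace(tzinfo=timezone.utc)  # make the naive value explicitly UTC
    return {"ts": ts, "source": "provider_a", "actor": rec["user"],
            "action": rec["eventName"], "raw": line}


def parse_provider_b(line: str) -> dict:
    """Parse a pipe-delimited record carrying a local offset; convert to UTC."""
    ts_part, *fields = [p.strip() for p in line.split("|")]
    ts = datetime.strptime(ts_part, "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": ts, "source": "provider_b", "actor": kv["actor"],
            "action": kv["op"], "raw": line}


def build_timeline(a_lines, b_lines) -> list:
    """Merge both sources, stamp each event with its evidence hash, sort by UTC time."""
    events = [parse_provider_a(l) for l in a_lines] + [parse_provider_b(l) for l in b_lines]
    for e in events:
        e["sha256"] = evidence_hash(e["raw"])
    return sorted(events, key=lambda e: e["ts"])


def verify_timeline(timeline) -> list:
    """Return the indices of entries whose raw record no longer matches its hash."""
    return [i for i, e in enumerate(timeline) if evidence_hash(e["raw"]) != e["sha256"]]


def render(timeline) -> str:
    """Human-readable timeline with the first 12 hex chars of each hash."""
    return "\n".join(
        f'{e["ts"].isoformat()} {e["source"]:<10} {e["actor"]:<11} '
        f'{e["action"]:<16} {e["sha256"][:12]}'
        for e in timeline
    )


if __name__ == "__main__":
    tl = build_timeline(PROVIDER_A_LOGS, PROVIDER_B_LOGS)
    print(render(tl))
    print("integrity failures:", verify_timeline(tl))
```

Two design points matter for evidence handling. Every timestamp is converted to an aware UTC `datetime` before sorting, so a record stamped 09:02:58 at UTC-05:00 correctly lands before one stamped 14:03:11Z rather than after it. And the hash is taken over the raw record as collected, not over the parsed fields, so any later edit to the original text, even a change in a single actor name, is detected by `verify_timeline`.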

Overview of the Cloud Security Alliance’s Enterprise Architecture

The Cloud Security Alliance’s Enterprise Architecture provides a unified methodology and tools for security architects, enterprise architects, and risk management professionals to identify the specific solutions and controls they need. The following domains are identified in NIST SP 800-201:

1. Business Operation Support Services (BOSS): BOSS is a cloud IT service that provides functional capabilities to support an organization’s business needs. It enables the business to achieve its objectives by providing compliance, data governance, operational risk management, human resources security, security monitoring, internal investigations, and legal services.

2. Information Technology Operation and Support (ITOS): ITOS capabilities cover IT operation, service delivery, and service support, which are associated with managing the cloud IT services of an organization.

3. Security and Risk Management (S&RM): The cloud IT Security & Risk Management (S&RM) capabilities encompass identity and access management, governance, risk management and compliance (GRC), policies and standards, threat and vulnerability management, as well as infrastructure and data protection, all of which are aimed at protecting cloud IT assets and identifying, assessing, and monitoring cloud IT risks.

4. Presentation Services: The end user interacting with a cloud IT solution can utilize various presentation modalities and platforms, such as endpoints, handwriting, and speech recognition.

5. Application Services: The development and use of cloud applications provided by an organization are associated with these functional capabilities: programming interfaces, security knowledge life cycle, development processes, integration middleware, connectivity, delivery, and abstraction.

6. Information Services: The storage and use of cloud information and data are associated with various functional capabilities, including service delivery, service support, reporting services, IT operations, and support, business operations and support, data governance, user directory services, risk management, and security monitoring.

7. Infrastructure Services: The core functions of cloud IT infrastructure are supported by these functional capabilities, which encompass facilities, hardware, networks, and virtual environments.

Summary

In summary, the NIST Cloud Computing Forensic Reference Architecture (CCFRA) is focused on the following:

1. A methodology for analyzing the functional capabilities of the Cloud Security Alliance’s Enterprise Architecture against a set of cloud forensic challenges, such as those identified in NIST IR 8006.

2. Aggregating the results of applying that methodology to the CSA’s Enterprise Architecture (EA) and the NIST Interagency Report 8006 set of cloud forensic challenges into a single dataset.

The proposed changes to the CCFRA are essential to the Digital Forensics investigator, whether working on a case or supporting an organization’s cybersecurity posture.

References

· Cloud Security Alliance Enterprise Architecture. Available at https://ea.cloudsecurityalliance.org/

· International Organization for Standardization, ISO 27000 Standards. Available at https://www.27000.org/index.htm

· ISO/IEC 27001, Information Technology — Security Techniques — Information Security Management Systems — Requirements, 2013. Available at https://www.iso.org/standard/54534.html

· ISO/IEC 27002, Information Security, Cybersecurity and Privacy Protection — Information Security Controls, 2022. Available at https://www.iso.org/standard/75652.html

· ISO/IEC 27018, Information Technology — Security Techniques — Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors, 2019. Available at https://www.iso.org/standard/76559.html

· ISO/IEC 27035-2, Information Technology — Security Techniques — Information Security Incident Management — Part 2: Guidelines to Plan and Prepare for Incident Response, 2016. Available at https://www.iso.org/standard/62071.html

· ISO/IEC 27037, Information Technology — Security Techniques — Guidelines for Identification, Collection, Acquisition, and Preservation of Digital Evidence, 2012. Available at https://www.iso.org/standard/44381.html

· IT Infrastructure Library (ITIL). Available at https://www.ibm.com/cloud/learn/it-infrastructure-library

· The SABSA Institute, SABSA Enterprise Security Architecture. Available at https://sabsa.org/

· The Open Group, The TOGAF Standard, Version 9.2. Available at https://www.opengroup.org/togaf

· Cloud Security Alliance — Security, Trust, Assurance and Risk (STAR). Available at https://cloudsecurityalliance.org/star

· NIST Cloud Computing Security Reference Architecture (Draft). (National Institute of Standards and Technology, Gaithersburg, MD). NIST Special Publication (SP) 500-299/800-200. Available at https://github.com/usnistgov/CloudSecurityArchitectureTool-CSAT-v0.1/blob/master/Documents/NIST%20SP%20800-200-

About the Author

Ron McFarland, Ph.D., CISSP is a Senior Cybersecurity Consultant at CMTC (California Manufacturing Technology Consulting) in Torrance, CA. He received his doctorate from NSU’s School of Engineering and Computer Science, an MSc in Computer Science from Arizona State University, and a Post-Doc graduate research program in Cyber Security Technologies from the University of Maryland. He taught Cisco CCNA (Cisco Certified Network Associate), CCNP (Cisco Certified Network Professional), CCDA (Design), CCNA-Security, and other Cisco courses. He was honored with the Cisco Academy Instructor (CAI) Excellence Award in 2010, 2011, and 2012 for excellence in teaching. He also holds multiple security certifications, including the prestigious Certified Information Systems Security Professional (CISSP) certification and several Cisco certifications.

CONTACT Dr. Ron McFarland, Ph.D., MSc, CDNA, CISSP

· CMTC Email: rmcfarland@cmtc.com

· Email: highervista@gmail.com

· LinkedIn: https://www.linkedin.com/in/highervista/

· Website: https://www.highervista.com

· YouTube Channel: https://www.youtube.com/@RonMcFarland/featured


Ron McFarland PhD

Cybersecurity Consultant, Educator, State-Certified Digital Forensics and Expert Witness (California, Arizona, New Mexico)