3

I recently did a university module on digital forensics and learned a lot about the process, and techniques, of digital forensics investigations.

We didn't actually cover the cloud, although I couldn't stop thinking about how it would work. Although we can access the virtual machine image, and all of the files/logs etc. on them afterwards, there are a couple of things we don't have access to.

First of all, the physical disk (both RAM and the physical hard drive the VM was hosted on), and the network logs, are out of bounds to a user from a remote location. But I was wondering what else there might be that I haven't thought of which would be of use to a forensics investigator?

user45195

1 Answer

2

The logs of the cloud service provider themselves would be the most valuable. The cloud service provider is going to keep logs about the state of the system that extend beyond what is available to the user and would provide a lot of insight into an intrusion.

Keep in mind that not all cloud services use virtual machines either. They can be as simple as different users on the same service. You are pretty much at the mercy of the cloud service's logging, but that generally will be better than private industry since cloud services have to focus on up-time for their business, which means finding problems early, which generally means extensive logging.

AJ Henderson