Cloud forensics

Cloud computing is the future. This paradigm offers significant economic benefit to the business entities. Due to this advancement, it has its challenges and threats which can jeopardize the business entity. Cloud computing has become a new battlefield for cyber-crime. To investigate these cases we needed cloud forensics.

Cloud forensics is the application of digital forensics in cloud computing as a subset of network forensics to gather and preserve evidence in a way that is suitable for presentation in a court of law.”

Cloud forensic is the amalgamation of all the different forensics(i.e. digital forensics, network forensics, hardware forensics etc. ). It involves interactions among various cloud actors (i.e. cloud providers, cloud consumer, cloud broker, cloud carrier, cloud auditors) to facilitate both internal and external investigations. Legally it is multi-jurisdictional and multi-tenant situations.

Cloud forensics steps

Cloud forensics Steps

· Identification

Identify the improper act or potentially criminal activities have taken place involving IT-based systems. These activities can be a complaint made by an individual, anomalies detected by IDS, monitoring and profiling because of an audit trail, suspicious events in a cloud will depend on the adoption of deployment model(i.e. Private, Public, Community and Hybrid), the form of cloud services(i.e. SaaS, PaaS and IaaS) used and the geographic region opts for deployment.

· Preservation and Collection

Collecting data through all the source without harming its integrity as per legal and forensic standard. Preserve all the evidence and data without tempering its integrity for further investigation. There could be a possibility that data gathering may require an extremely large volume of data storage.

So investigator must address the rules and regulation regarding data protection and privacy issues and their impact on the evidence stored in the cloud. While gathering data from the cloud vendor side always consider about the other user’s or organization’s data. An accurate image of the cloud service data must be obtained for further investigation. An investigator can attempt to preserve data resident in the cloud by serving a legal order to the cloud service provider.

· Detection

By using multiple ways and algorithms (i.e. Filtering, pattern matching) we can detect the suspicious activity or malicious code.

· Analysis

By using some forensic tools we can analyze and investigate the data and crime. Legal authority may ask the question to the organization or an individual to find some evidence. After analyzing the data we must have to share the testimony with the Law enforcement agencies and the victim organization or an individual.

Challenges in cloud forensics:-

· Jurisdictions

· Invigilating external chain of dependencies over external cloud providers

· Different providers have different approaches to cloud computing.

· Lack of international collaboration and legislative mechanism in cross-nation data access & exchange

· Lack of law/regulation and law advisory

· Decreased access to and control over forensic data at all levels from the customer side

· Sometimes lack of forensics expertise

· Each cloud server contains files from many users. It’s hard to isolate an individual user’s data from the others

· Other than cloud service providers there is usually no evidence that links a given data file to a particular suspect

Cloud Forensics Solution

· Forensic Tool Testing

Currently, there are not any full-fledged cloud-specific forensic tools available in the market. Still, forensic experts are using the existing tools to acquire evidence from the cloud environment.

Forensic experts are using below tools for their investigation

1. Encase Enterprise — To collect data remotely from the guest OS layer of cloud. It is best to analyze IaaS data but not the snapshot of data.

2. Accessdata FTK — To collect data remotely from the guest OS layer of cloud.

3. FORST — Open stack cloud computing platform to acquire Api’s logs, Virtual disk and guest firewall logs.

4. UFED cloud analyzer — To analyze cloud data and metadata.

5. Docker Forensics Toolkit & Docker Explorer — Extracts and interprets forensics artefact from dick images of Docker Host System.

6. Diffy (by Netflix)

· Transparency of cloud services and data

Lack of transparency regarding the internal cloud infrastructure. Cloud service providers can not share the detailed internal implementation of their products because it may introduce a threat to their system.


Service level agreements must include clear and precise procedural information on how a forensic investigation would be handled by the investigator and by the cloud service provider in the event of a criminal incident. It should also mention the roles and responsibilities of each party with the legal implication of their actions.

· Forensics-as-a-service

Cloud service providers should provide a mechanism or services through which investigators can conduct in-depth forensic investigations.

Conclusion, this topic intends to share awareness about Cloud forensics.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Kumar Shivam

Technical Consultant | Passionate about exploring new Technology | Cyber Security Enthusiast | Technical Blogger | Problem Solver