The emerging field of cloud computing forensics

Don’t look now, but criminals are using public cloud services. 'Cloud cop' could be a real opportunity for those interested in both law enforcement and cloud.

We’ve all watched those prime-time crime dramas or true crime documentaries where the crime was not solved by the detective with 20 years of experience, but the man or woman who did computer forensics. Maybe the hero cracked into a smartphone to determine if someone’s alibi held up or if they were near the crime scene. Or they examined a computer hard drive to find evidence that was used in court to convict a felon.

What happens when all this moves to the cloud? Cloud forensics, of course.

This career path keeps popping up more often these days. Recruiters are pinging me for candidate leads for many of these jobs being posted by state, local, and federal governments. Many may not pay the best, but they may let you carry a badge and become a true law enforcement agent. Instead of a gun, you have a laptop and a great deal of cloud computing knowledge to find evidence of a crime.

Traditional technology forensics investigates tools and technologies that you can see and hold. Cloud computing is another beast entirely, and many law enforcement agencies are not prepared to investigate crimes that may be occurring in the cloud. At the very least, cloud computing forensics is about five times more complex than traditional technology forensics.

Here are just a few things people moving into cloud computing forensics need to figure out:

In traditional computing forensics, the environment is frozen as assets are confiscated for analysis back in the forensics lab. In the cloud, that typically can’t be done. You’re examining a target platform that’s not stable. Thousands of other processes and people are using the same hardware that you’re attempting to analyze.

What about showing up with a warrant to confiscate the server? If you’re allowed to, there is the issue that others also own data on the same server, and you may be exposing yourself to legal liability if that data is breached or if it’s regulated data, such as HIPAA information.

Also, you’ll have to work within the jurisdiction where that server is physically located. If it’s in another country, the legal minefield may be too daunting to cross. Indeed, some criminals have chosen the cloud because they can hide data on cloud servers in countries where these types of warrants are not allowed. Or they target a cloud provider that will fight warrants in court, which could delay an investigation by months, even years.

This does not mean that cloud computing forensics is helpless. Other means include tracking the cloud billing data, operations logs, and other assets that many cloud providers keep to help their customers understand what happens on their cloud platforms.

Records include the cloud services used, their purpose, time on services, and storage used. Cloud providers may even hold on to deleted files in case customers need to recover them. This data becomes the primary tool of cloud forensics experts, and although it is limited to what the cloud provider chooses to expose, there is typically far more of it than a traditional computing device yields.
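As an added illustration that is not part of the column, the script below shows how an investigator might reconstruct "time on services" and "storage used" from the kind of provider-retained operations log described above, and fix a digest over the export so the collected copy can be verified later. The JSON record format and the sample entries are constructed assumptions, not any real provider's export.

```python
import hashlib
import json
from datetime import datetime

# Constructed sample records (not from any real provider): operations-log entries
# of the kind a provider retains for one customer account.
OPS_LOG = [
    '{"ts":"2022-03-01T08:00:00Z","service":"compute","action":"start","resource":"vm-7"}',
    '{"ts":"2022-03-01T08:05:00Z","service":"storage","action":"put","resource":"bucket-a/dump.bin","bytes":524288000}',
    '{"ts":"2022-03-01T09:30:00Z","service":"storage","action":"delete","resource":"bucket-a/dump.bin"}',
    '{"ts":"2022-03-01T10:00:00Z","service":"compute","action":"stop","resource":"vm-7"}',
]

def parse_records(lines):
    """Parse JSON log lines and order them by UTC timestamp."""
    recs = []
    for line in lines:
        r = json.loads(line)
        r["when"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
        recs.append(r)
    return sorted(recs, key=lambda r: r["when"])

def time_on_service(records):
    """Seconds each compute resource ran, from paired start/stop events."""
    started, totals = {}, {}
    for r in (x for x in records if x["service"] == "compute"):
        if r["action"] == "start":
            started[r["resource"]] = r["when"]
        elif r["action"] == "stop" and r["resource"] in started:
            secs = (r["when"] - started.pop(r["resource"])).total_seconds()
            totals[r["resource"]] = totals.get(r["resource"], 0) + int(secs)
    return totals

def storage_summary(records):
    """Bytes written, and objects later deleted that a recovery request could target."""
    written, deleted = 0, []
    for r in records:
        if r["service"] == "storage" and r["action"] == "put":
            written += r.get("bytes", 0)
        elif r["service"] == "storage" and r["action"] == "delete":
            deleted.append(r["resource"])
    return {"bytes_written": written, "deleted_objects": deleted}

def evidence_digest(lines):
    """SHA-256 over the raw export, in order, so the collected copy can be verified later."""
    h = hashlib.sha256()
    for line in lines:
        h.update(line.encode("utf-8") + b"\n")
    return h.hexdigest()
```

Because the live platform keeps changing, the digest is taken over the exported records as received, not over the running environment.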

I suspect that as cloud computing forensics grows, the number of tools and approaches will increase. Moreover, the cloud providers are going to have to provide some assistance to law enforcement, and this will include policies and procedures for dealing with crime in the cloud.

As in any other profession, those who choose a cloud forensics career path will end up with a great deal of experience that will improve their effectiveness at finding evidence that may be needed to support legal cases. If that interests you, I’m sure a recruiter out there wants to speak with you.

Copyright © 2022 IDG Communications, Inc.