Josiah Dykstra, a doctoral candidate about to graduate from the University of Maryland, Baltimore County, who has made cloud forensics a focus of his study, spoke on the panel about what he's finding out in his research.
"Big providers can't keep pace with the number of cases they get," Dykstra said. There's little that's "built in" today to help cloud providers in a multi-tenant environment through processes such as obtaining firewall logs to deliver to law enforcement or attorneys asking for them. "Cloud providers want law enforcement to do it themselves," said Dykstra, noting Amazon, for instance, has no incentive to expand cloud forensics capabilities unless it's possible to make money from it.
Eric Hibbard, chief technology officer, security and privacy, at Hitachi Data Systems, agreed that cloud providers "really don't want to get into this" and a deep level of cloud forensics remains somewhat unusual. He acknowledged cloud providers would rather hide behind explanations such as "we don't keep that, we don't do that."
If a judge orders that certain evidence be obtained, and it happens to reside in a cloud service, the court may hold a hearing with witnesses from both sides arguing how easy it is to obtain, Hibbard pointed out. And if a virtual-machine image is provided, it may lead to more questions, such as whether the email trail is missing.
And if there is some suspicion that a cloud provider was hacked, perhaps through some vulnerability, obtaining digital forensic evidence from the provider is probably going to be difficult.
"It's a 'best effort' and all that," said Day, noting that "individual cloud VMs get popped all the time." There have been known exploits in which a compromised VM allowed the attacker to reach the underlying hypervisor. There's a lot of concern about memory and traffic, but "you may not know how the intruder got in" and the forensics on it can be "dodgy," he acknowledged. Terremark can, however, preserve VMs through network storage. Some customers -- mostly government agencies -- are very concerned about what data might remain on drives and put specifications in contracts requiring that they be informed when drives are securely destroyed.
When asked if a criminal who knows a subpoena is coming might in theory be able to completely wipe his own traces, Day said, "Not directly." But what cloud-service providers do to try and preserve digital evidence varies widely across the industry, according to Dykstra. In the end, some take drives and shred them and some may throw them away in dumpsters.
Encryption plays a dual role in a cloud service. It can make data more secure for the customer, but harder for law enforcement to obtain if the cloud service provider doesn't require the customer to hand over the encryption key. Sometimes law enforcement will attempt to brute-force the decryption, and other times law enforcement has been smart enough to ask for the data residing in memory, said Day.