Challenges of Computer Forensics in Cloud and Hosted Environments
It seems like just about every week, I get into a conversation with a customer or account executive asking what our abilities are when it comes to computer forensics in the cloud or in a hosted environment. The answer is always the same: “It depends.”
What I mean is, neither cloud service providers nor hosting providers are particularly friendly about doing computer forensics in their environments or even providing us any of the data we would need to do an investigation. More often than not (meaning almost always), they are not very forthcoming with logs or images of servers.
The usual answer is that they cannot provide such information due to the potential of jeopardizing the privacy and confidentiality of other customer(s) in the shared environment. While this is kind of true in some cases, usually logs can be filtered in such a way as to not present a problem. System images are another thing. Unless the physical machine or virtual machine is dedicated to you, we will undoubtedly see someone else’s data.
When pressed, SOMETIMES we are able to get the data we need, but only after signing a stack of release of liability forms and non-disclosure agreements that exonerate the solution provider from any wrong doing, no matter how negligent. Other times they just tell us to pound sand.
After all, nowhere in the contract of most cloud/hosted solutions providers does it give you the right to investigate how your data was compromised, in the event something like that happened. Moreover, solutions providers have a vested interest in you not finding out what happened or how it happened. That would be revealing the man behind the curtain, and what solutions provider wants that?! There are a lot of dirty secrets in there. They don’t want to run the risk of damaging their reputation and what is typically their illusion of security.
The moral of the story is: make sure you have the ability to investigate breaches in your contract. Cloud/hosting solutions providers are much more malleable and amiable to baking this language into agreements before you have signed an agreement and written them a check rather than afterwards.
Another thing that is important to mention is that many of the cases where we have done this type of investigation and have received the evidence necessary to do it, we have discovered that customers were not receiving what they paid for and expected. In nearly every case where a customer was promised dedicated hardware and told they would “have their own physical server,” it was not true. Usually, it was a virtual machine (at best), or their site was just a virtual site on a shared server.
In situations where it was a virtual machine, it is not a big deal for us because the forensic investigation is very similar for physical or virtual. It just became evident that the hosting provider was lying to the customer. In situations where there is a virtual site on a shared server, it makes for a bit of a mess of an investigation. These situations nearly always lead to confidentiality discussions and delays.
When it comes to doing computer forensic discussions in cloud environments, there really are no end to the problems. For starters, where is/was your data when it was compromised? They can’t tell you. Moreover, they almost never have any logs that are of any use at all. And, even if there are logs, they don’t like to give them to you for confidentiality reasons.
Long story short, if you want to be able to investigate what happened in case of a breach, make sure you have an agreement with your hosting provider that they will retain logs of all access to your data as well as application, system, security and network logs for an agreed upon period of time. Moreover, don’t forget to add that they must provide you or your designee forensic images of servers at your request.