Challenges of Computer Forensics in Cloud and Hosted Environments

February 03, 2015

It seems like just about every week, I get into a conversation with a customer or account executive asking what our abilities are when it comes to computer forensics in the cloud or in a hosted environment. The answer is always the same: “It depends.”

What I mean is, neither cloud service providers nor hosting providers are particularly friendly about doing computer forensics in their environments or even providing us any of the data we would need to do an investigation. More often than not (meaning almost always), they are not very forthcoming with logs or images of servers.

The usual answer is that they cannot provide such information due to the potential of jeopardizing the privacy and confidentiality of other customer(s) in the shared environment. While this is kind of true in some cases, usually logs can be filtered in such a way as to not present a problem. System images are another thing. Unless the physical machine or virtual machine is dedicated to you, we will undoubtedly see someone else’s data.

When pressed, SOMETIMES we are able to get the data we need, but only after signing a stack of release-of-liability forms and non-disclosure agreements that exonerate the solution provider from any wrongdoing, no matter how negligent. Other times they just tell us to pound sand.

After all, nowhere in the contract of most cloud/hosted solutions providers does it give you the right to investigate how your data was compromised, in the event something like that happened. Moreover, solutions providers have a vested interest in you not finding out what happened or how it happened. That would be revealing the man behind the curtain, and what solutions provider wants that?! There are a lot of dirty secrets in there. They don’t want to run the risk of damaging their reputation and what is typically their illusion of security.

The moral of the story is: make sure your contract gives you the ability to investigate breaches. Cloud/hosting solutions providers are much more malleable and amenable to baking this language into agreements before you have signed an agreement and written them a check than afterwards.

Another thing that is important to mention is that many of the cases where we have done this type of investigation and have received the evidence necessary to do it, we have discovered that customers were not receiving what they paid for and expected. In nearly every case where a customer was promised dedicated hardware and told they would “have their own physical server,” it was not true. Usually, it was a virtual machine (at best), or their site was just a virtual site on a shared server.

In situations where it was a virtual machine, it is not a big deal for us because the forensic investigation is very similar for physical or virtual. It just became evident that the hosting provider was lying to the customer. In situations where there is a virtual site on a shared server, it makes for a bit of a mess of an investigation. These situations nearly always lead to confidentiality discussions and delays.

When it comes to doing computer forensic investigations in cloud environments, there really is no end to the problems. For starters, where is/was your data when it was compromised? They can’t tell you. Moreover, they almost never have any logs that are of any use at all. And, even if there are logs, they don’t like to give them to you for confidentiality reasons.

Long story short, if you want to be able to investigate what happened in case of a breach, make sure you have an agreement with your hosting provider that they will retain logs of all access to your data, as well as application, system, security and network logs, for an agreed-upon period of time. Moreover, don’t forget to add that they must provide you or your designee with forensic images of servers at your request.