NIST Calls for Standards to Improve Forensic Capabilities in the Cloud  

A new report from the National Institute of Standards and Technology catalogs how use of the cloud hampers the ability of law enforcement and auditors to conduct investigations and notes how providers of the technology benefit from a lack of standard operating procedures.

“Unlike a traditional computing environment to which the forensic examiner might have access to perform experiments, in the cloud, the details of what logs are produced, what other records are produced and/or kept, and where they might be found are opaque except through the testimony of representatives of the Provider,” the report reads. “In many cases, these individuals are custodians of the records but do not have detailed knowledge of technologies or actual records that might be found if sought after. Indeed, companies benefit from not keeping such records or having custodians with only limited knowledge.”

The report released this week was produced under the agency’s remit from the federal chief information officer to help advance the adoption of secure cloud technology by working with industry to develop standards and guidelines for their operation. Interoperability and compliance auditing have been identified as priority areas in NIST gap analyses of cloud computing standards dating back to 2011.

“If cloud providers were to keep better records that might be sought after as evidence and had more knowledgeable custodians, they might be on the hook for finding and processing the extra records that are found,” Martin Herman, senior adviser for forensics and information technology at NIST and an author of the report, told Nextgov. “This would require that the provider use more resources, not only in personnel but also for computational activities such as correlating potential evidence.”

Accessibility and reliability of logs was a major issue discussed in the document which more broadly notes a “lack of even minimum/basic SOPs, practices, and tools” to facilitate interoperability, testing and validation. 

“If there were more standards, including interoperability standards, then the cloud providers wouldn’t be asked to do as much work during forensic investigations. It would be easier for outside forensic investigators to do the work instead,” Herman said.

But there are other issues. The document notes that “data that is not stored in storage media cannot be seized; it can only be collected in real-time by placing sensors into the real-time environment.”

And cloud providers are generally hesitant to share the kind of information that would guide such efforts to success.

“In most cloud environments, such intelligence is hard to come by, and most providers do not want to reveal the specifics of their operations,” the report reads. “A cloud infrastructure may be composed of leased time on hundreds of systems around the globe, owned and operated by scores of different providers. With records spread across such an infrastructure, even knowing where to look to place sensors is enormously problematic.”

In all, the report listed 62 challenges for forensics in cloud environments, many of which it said will need technological, organizational and legal fixes. 

Service level agreements, for example, may not spell out requirements that the cloud provider maintain and/or produce pertinent evidence within specified time constraints.

And in multitenant cloud environments, there are technical concerns around pursuing warrants and accessing the data of one customer without breaching the confidentiality of their neighbors.

The interoperability piece is important not just from cloud provider to cloud provider, but also among other actors in the ecosystem–cloud carriers, consumers, brokers and auditors—whose duties are currently segregated, the report said.

The NIST document said standard methods of collecting and preserving evidence are “necessary to support the U.S. criminal justice and civil litigation systems as well as to provide capabilities for security incident response and internal enterprise operations.” It notes that with sources of evidence dispersed across various devices, servers, switches and routers in a networked environment that crosses political borders, digital forensics standards are needed “now more than ever.”