The Technical Dimension in Cloud Computing
The technical dimension refers to the tools and procedures used to perform the forensic process in a cloud computing environment. These procedures and tools address the following measures:
- Forensic data collection: This is the process of identifying, labeling, recording, and extracting data from possible sources of data in the cloud, whether client-side or provider-side artifacts. Because cloud service and deployment models differ, duties vary from one service or deployment model to another, so different tools and procedures must be applied. For example, in public clouds, forensic data might be collected from multiple tenants in the cloud environment. Other considerations regarding data collection in the cloud are prioritizing the collection of highly volatile data and preserving the integrity of data, without breaching any laws and regulations under the jurisdictions where the data are collected.
- Elastic, static and live forensics: Cloud forensics tools must be elastic in order to keep pace with the rapid elasticity of cloud computing. Large-scale static and live forensic tools, such as e-discovery, data recovery, data acquisition, and evidence analysis tools, are required to deal with most cases.
- Evidence segregation: Cloud forensics involves the reverse process of evidence segregation from various shared resources in a multi-tenant environment. However, the underlying cloud infrastructure components, such as CPU caches and graphics processing units (GPUs), were not designed for strong compartmentalization in a multi-tenant architecture. Therefore, it is necessary to develop tools and procedures that can segregate evidence among multiple tenants in different deployment models with different service models in the cloud.
- Investigations in virtualized environments: Tools and procedures need to be developed for investigations in virtualized environments, such as hypervisor investigations and evidence retrieval from the physical locations of data at a given timestamp.
- Pro-active preparations: Pro-active measures can be taken to facilitate the forensic investigation, such as designing forensic-aware cloud applications and tools that pro-actively collect forensic data in the cloud, and conducting regular snapshots to remote storage.
It should be pointed out that the technical dimension encompasses some challenges one might face during an investigation in a case that is associated with a cloud environment. The primary challenge to forensic investigations is the scope and diversity of operations in a cloud computing environment.
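The forensic data collection item above asks for two things at once: collect the most volatile data first, and preserve integrity. The following is an added example, not code from the original text, that orders constructed client-side and provider-side artifacts by an assumed volatility rank and records each in a hash-chained manifest so later changes to the evidence or to the manifest are detectable. The artifact names, ranks and contents are hypothetical.

```python
import hashlib
import json

# Constructed sample artifacts (not from the original text): name, side,
# volatility rank (lower = more volatile, collected first) and raw content.
ARTIFACTS = [
    {"name": "object-storage-access.log", "side": "provider", "volatility": 3, "data": b"GET /bucket/report.pdf 200\n"},
    {"name": "vm-memory.raw", "side": "provider", "volatility": 1, "data": b"\x00\x01constructed-memory-page"},
    {"name": "browser-cache.db", "side": "client", "volatility": 4, "data": b"cached session data (constructed)"},
    {"name": "vm-netconns.txt", "side": "provider", "volatility": 2, "data": b"10.0.0.5:443 ESTABLISHED\n"},
]
GENESIS = "0" * 64  # prev_hash of the first manifest entry


def entry_digest(entry):
    """Hash an entry's fields (excluding its own digest) in canonical JSON form."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def collect(artifacts):
    """Collect most-volatile-first and build a hash-chained manifest."""
    manifest, prev = [], GENESIS
    for seq, art in enumerate(sorted(artifacts, key=lambda a: a["volatility"])):
        entry = {
            "seq": seq,
            "name": art["name"],
            "side": art["side"],
            "sha256": hashlib.sha256(art["data"]).hexdigest(),
            "prev_hash": prev,  # links this entry to the one before it
        }
        entry["entry_hash"] = prev = entry_digest(entry)
        manifest.append(entry)
    return manifest


def verify(manifest, artifacts):
    """Return a list of integrity problems; an empty list means intact."""
    by_name = {a["name"]: a["data"] for a in artifacts}
    problems, prev = [], GENESIS
    for entry in manifest:
        if entry["prev_hash"] != prev or entry_digest(entry) != entry["entry_hash"]:
            problems.append(f"{entry['name']}: manifest chain broken")
        data = by_name.get(entry["name"])
        if data is None or hashlib.sha256(data).hexdigest() != entry["sha256"]:
            problems.append(f"{entry['name']}: content hash mismatch")
        prev = entry["entry_hash"]
    return problems
```

A production manifest would also record collection time, collector identity and jurisdiction for each entry; they are omitted here to keep the output deterministic.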