The Challenges of Cloud Forensics


Computer forensics plays an important role in unearthing evidence to solve cyber crimes, and other crimes where data stored on computers is important to cracking the case. The rise of cloud computing has resulted in the emergence of cloud forensics. Although a sub-branch of computer forensics, cloud forensics is diametrically different from conventional computer forensics.

It is inevitable that criminals would commit crimes using cloud resources. This is where cloud forensics steps in.

Chain of Dependencies

Unlike conventional computer forensics, cloud forensics works on a chain of dependencies. The biggest challenge is that the data resides at a different geographical location from the scene of a possible crime, in many cases across the globe. The success of a forensic investigation in such cases depends entirely on the cooperation of the cloud services provider. Even then, gathering forensic evidence is difficult, and cloud providers may simply not be able to produce the required data or evidence, even if they want to do so.

  • Each cloud service provider has different data retention and management policies and procedures, and many providers actually have no policy.
  • It may be physically impossible to collect hard evidence from shared servers located in a foreign country.
  • There is an entirely different set of legal issues to contend with when servers are at offshore locations.
  • Most communication that involves cloud servers is encrypted. Encryption adds another layer of complexity to an already difficult issue.

As of now, there are no apparent solutions to such issues. The Cloud Forensics Working Group, set up at the National Institute of Standards and Technology (NIST), is working on resolving such issues and developing best practices.


Another big challenge related to cloud forensics is the lack of adequate tools, as cloud forensics is still in a nascent state.

One good tool is the vendor-neutral F-Response, which uses the iSCSI protocol to provide read-only mounting of remote devices, facilitating remote imaging, fast forensic triage, live memory analysis, and more. It offers forensic copies of all data the organization pushes to cloud providers, greatly aiding the process.

As the cloud matures and more tools become available, the present challenges and complexities related to cloud forensics ought to go away.

Author: Nayab Naseer
Date: 28 May 2013