NIST Cloud Computing Forensic
Science Working Group
Dr.
Martin Herman
Information Technology Laboratory (ITL)
National Institute of Standards and Technology
NIST Cloud Computing Forensic Science Working Group (NCC-FSWG):
Who We are
• NIST Public Working Group -- Established in November 2012
• Voluntary open membership (international)
• Active participants meet bi-weekly by conference call – Cloud Forensics Practitioners
– Cloud Providers
– Academia
– US Government User Community
– International Participants
• NIST Leadership (Co-chairs Dr. Michaela Iorga and Eric Simmon, and Dr. Martin Herman, NIST Senior Advisor)
• About 190 members in mailing list, with about 10 bi-weekly participants
• Twiki Website: http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/CloudForensics
NCC-FSWG - Goals
• Gather inputs dealing with cloud forensic challenges
• Identify and aggregate published cloud forensic challenges
• Analyze challenges
• Prioritize the challenges
– Based on importance, urgency
– Based on whether solutions involve technology, standards, or measurement methods
• Choose the highest priority challenges and determine gaps in technology, standards and measurements to address these challenges
• Develop a roadmap to address these gaps
NCC-FSWG – Current Status
•
Challenges spreadsheet – aggregation of published
challenges (~65) and analysis
•
White paper describing preliminary analysis of cloud
forensic challenges – progress report
– “NIST Cloud Computing Forensic Science Challenges”
– First draft almost complete and will be released very
shortly for public comments
Contributors to White Paper
• Michaela Iorga • Martin Herman • Eric Simmon • Keyun Ruan • Mike Salim • Josiah Dykstra • Kenneth Zatyko 4/15/2014 11:59 PM 5 • Kristy Westphal • Tony Rutkowski • Fred Cohen • Nancy Landreville • Anil Karmel • Pw Carey • Mark Potter • Ragib Hasan • Bob Jackson • Lon Gowen • Ernesto Rojas • Laura Taylor • Scot Reemelin • Ken Stavinoha • Karla HolmCloud Computing Forensic Science Challenges
• Actor/Stakeholder – identifies the stakeholder(s) who is affected by the challenge
• Action/Operation - identifies the activity that the stakeholder would like to perform
• Object of This Action – identifies the specific item upon which
the action is to be performed
• Reason – identifies the primary challenges that the stakeholder faces in order to perform the specified action on the object
Cloud Computing Forensic Science Challenges
• Each challenge needs to be relevant to the essential
characteristics of the NIST Definition of Cloud Computing*
• Each challenge labeled with one or more relevant characteristic
– OD = On-demand self-service
– BNA = Broad network access
– RP = Resource pooling
– RE = Rapid elasticity
– MS = Measured service
4/15/2014 11:59 PM 7
* Peter Mell, Timothy Grance, “The NIST Definition of Cloud Computing.” NIST SP 800-145, September 2011.
Cloud Computing Forensic Science Challenges
• Patterns of aggregation (or “categories”) emerged
• Challenges related to:
– Architecture
– Data collection
– Analysis of cloud forensic data
– Anti-forensics
– Incident first responders
– Role management
– Legal issues
– Standards
Architecture Challenges
• Issues include diversity, complexity, provenance, multi-tenancy, data segregation, etc.
• Challenge examples
– Dealing with variability in cloud architectures between providers
– Tenant data compartmentalization and isolation during resource provisioning
– Proliferation of system, locations and endpoints that can store data
– Accurate and secure provenance for maintaining and preserving chain of custody
– Infrastructure to support seizure of cloud resources without disrupting other tenants
Data Collection Challenges
• Issues include data integrity, data recovery, data location, imaging, etc.
• Challenge examples
– Locating forensic artifacts in large, distributed and dynamic systems
– Locating and collecting volatile data
– Data collection from virtual machines
– Data integrity in a multi-tenant environment where data are shared among multiple computers in multiple locations and accessible by multiple parties
– Inability to image all the forensic artifacts in the cloud
– Accessing the data of one tenant without breaching the confidentiality of other tenants
– Recovery of deleted data in a shared and distributed virtual environment
Analysis Challenges
•
Issues include correlation, reconstruction, time
synchronization, logs, metadata, timelines, etc.
•
Challenge examples
– Correlation of forensic artifacts across and within cloud providers
– Reconstruction of events from virtual images or storage
– Integrity of metadata
– Timeline analysis of log data including synchronization of
Anti-forensics Challenges
•
Issues include obfuscation, data hiding, malware,
etc.
•
Anti-forensics are a set of techniques used
specifically to prevent or mislead forensic analysis
•
Challenge examples
– The use of obfuscation, malware, data hiding, or other techniques to compromise the integrity of evidence
– Malware may circumvent virtual machine isolation methods
Incident First Responder Challenges
•
Issues include trustworthiness of cloud providers,
response time, reconstruction, etc.
•
Challenge examples
– Confidence, competence, and trustworthiness of the cloud providers to act as first-responders and perform data
collection
– Difficulty in performing initial triage
Role Management Challenges
•
Issues include data owners, identity management,
users, access control, etc.
•
Challenge examples
– Uniquely identifying the owner of an account
– Decoupling between cloud user credentials and physical users
– Ease of anonymity and creating fictitious identities online
– Determining exact ownership of data – Authentication and access control
Legal Challenges
• Issues include jurisdictions, laws, service level agreements,
contracts, subpoenas, international cooperation, privacy, ethics, etc.
• Challenge examples
– Identifying and addressing issues of jurisdictions for legal access to data
– Lack of effective channels for international communication and cooperation during an investigation
– Data acquisition that relies on the cooperation of cloud providers, as well as their competence and trustworthiness
– Missing terms in contracts and service level agreements
– Issuing subpoenas without knowledge of the physical location of data
– Seizure and confiscation of cloud resources may interrupt business continuity of other tenants
Standards Challenges
•
Issues include standard operating procedures,
interoperability, testing, validation, etc.
•
Challenge examples
– Standards challenges in cloud forensics include lack of even minimum/basic SOPs, practices, and tools
– Lack of interoperability among cloud providers
– Lack of test and validation procedures
Training Challenges
•
Issues include forensic investigators, cloud
providers, qualification, certification, etc.
•
Challenge examples
– Misuse of digital forensic training materials that are not applicable to cloud forensics
– Lack of cloud forensic training and expertise for both investigators and instructors
– Limited knowledge by record-keeping personnel in cloud providers about evidence
Cloud Computing Forensic Science Challenges
•
Aggregation led to Mind Map
– Visual representation of – Groups of challenges
– Relationships between challenges
– “Categories” and “sub-categories” of challenges
• E.g., Category: data collection
• Subcategories: Data Integrity and Data Recovery
– “Primary” and “related” categories
• Every challenge could be placed into a “primary” category
• Many challenges could also be placed in “related” categories
Mindmap (RELATED)
Future WG Activity
4/15/2014 11:59 PM 23
• Publish White Paper draft very shortly for public comment
• Further analyze the cloud forensics challenges
• Prioritize the challenges
• Choose the highest priority challenges and determine gaps in
technology, standards and measurements to address these challenges
We welcome new members to the WG!
Send me email if interested.
Dr. Martin Herman
NIST Working Group Twiki web site:
