Many companies are using cloud-based applications and storage, and this presents a new set of challenges for information security and for forensic computer investigations. For more information, visit http://www.cclgroupltd.com/digital-forensics/corporate/computer-investigations
Computer forensics outside the corporate network – the cloud
More and more companies are outsourcing their IT infrastructure into cloud-based
services. An example of this is Office 365, which removes the need for organisations to
purchase and maintain IT hardware to run their email system. This can be a quick and
cost-effective way of satisfying the organisation’s IT requirements.
An on-site computer forensics exercise can investigate, down to the finest digital detail,
how a computer has been used (or misused), including which files have been created,
accessed or copied, along with web and email history and details of which
devices have been plugged into the computer and what they were used for.
However, there are new challenges when computer forensics techniques are applied to
the Cloud, such as multi-tenant hosting, synchronization issues, and also methods for
separating log data.
In traditional computer forensics, the evidence contained within the media is within the
control of local authorities from the moment of seizure. Assuming that the cloud in
question may be within the United States or elsewhere, the forensic challenges raised by
cloud computing are related to control of the evidence, including collection, preservation
and validation.
With cloud computing, the investigator has physical control of neither the media nor
the network on which it resides. Many users will have access to a particular cloud. How
does the investigator obtain only that portion of the media where the evidence may
exist?
RISKS:
When dealing with a cloud-based environment, it is important to appreciate that the data
may not be under your full control. Firstly, it is worth exploring exactly where your data
is being held. If it is on non-EU-based servers, there may be data protection and data
privacy issues. Also, you should be aware that it will not be possible to ‘turn off’ the
device to ensure preservation. There is a risk that the data could be remotely accessed
and tampered with.
TIPS:
Have a response plan in place so that your IT team is able to respond to incidents
quickly.
It is important that information about who has access to what is readily available and
that a procedure to revoke access is in place to allow an immediate response, should
it be required.
It can be difficult to acquire data from cloud storage in a forensic manner. However,
there are tools and expertise available out there which can assist. Simply copying
this information in the traditional way may not be sufficient.
For more information on computer forensics, please call us on 01789 261200 or email
contact@cclgroupltd.com, or check out
http://www.cclgroupltd.com/digital-forensics/corporate/computer-investigations.
Nathan is a digital forensics specialist at CCL Group - the UK’s leading supplier of digital
forensics, including: computer forensics corporate network, mobile phone forensics
and cell site analysis services.