Cloud Forensics: What is it? And Why is it so important?

By -

Cloud Computing has transformed the way IT performs, it has changed the way IT services are created, managed, performed and outsourced. It is a new dimension in computing which is just as amusing to some as it is exciting to so many.



Despite being there for a while it (Cloud Computing) is still perceived as relatively new due to the recent innovations and adoption by many known tech firms which caught people’s attention. The revolution that Cloud Computing is on its way of achieving is nothing short of those in the past such as the Mainframes, Personal Computers and SmartPhones.

Gartner has predicted that, the public Cloud Service market is going to reach $131 billion this year, which is 18.5 percent growth from 2012 ($111 billion). Companies are setting budgets and planning strategies for their services. But among all this, a very important, perhaps the most important part about this technology is being overlooked and maybe, it still doesn’t have the much needed attention and awareness. That part is Cloud Forensic.

When the internet connected people all over the world, many didn’t know that they could be a victim of what is known today as, cyber-crime.  And cloud computing is one technology which cannot be utilized without using Internet. Cloud service is still evolving and it is the perfect time to pay attention to cloud forensics which will help in preventing and fighting the wrongful and illegal activities related to it.

Of course we have pretty competent Forensics department, but does it really have the expertise to deal with the crime committed over the cloud? What makes matters worse is that cloud computing is rising at an unbelievable speed while Cloud Forensics is just beginning, and the cloud security risks are increasing day by day.

Cloud Forensics

Cloud Forensics is cross-discipline between Cloud Computing and Digital Forensics. Cloud Forensics is actually an application within Digital Forensics which oversees the crime committed over the cloud and investigates on it. Cloud computing is based on huge network, which spreads globally. Hence, Cloud Forensics is said to be a subset of Network Forensics. The basic technique still remains as the forensic investigation of network.

The cloud service providers and the customers have yet to define or establish forensic capabilities that will support the investigation in case if any crime is committed. There are 3 main dimensions of Cloud Forensics which need to understood and addressed by the Cloud Service Providers and the Customers. In order to analyze the domain of Cloud Forensics more comprehensively, it is necessary to understand that it is no more only a technical issue, it is a multi-dimensional issue. There are 3 main dimensions involved in Cloud Forensics which are Technical, Organizational and Legal.

Technical Dimension

The Technical Dimension consists of tools that are required to perform forensic investigations in Cloud Computing environment. These include data collection, live forensics, evidence segregation, virtualized environments and proactive measures. Data collections as name suggests is a process of gathering data, labeling it and record it.

The data include the one stored in the infrastructure located at the providers end as well as the one stored at the customers end. They should also be time stamped with the snapshots being taken at regular intervals. The tools and procedures may be developed and may vary as per the cloud deployment and service model being used.

Organizational Dimension

The Organizational Dimension comes into being when two parties are involved: the cloud consumer and the Cloud Service Provider. The investigation widens when the Cloud Service Provider outsources their services.

The Cloud Service Provider must communicate with third-parties for their expertise in the Investigation. They may hire IT professionals who are experts in systems, networks, security, ethical hacking, cloud architects and cloud security who can assist investigators at crime scenes. Incident Handlers, who respond to data leakage and loss, breach of confidentiality, denial of service attacks, insider attacks, and malicious code infections. Legal Advisors will ensure no laws are violated during the ongoing investigations, and that the confidentiality of customers other the one affected is maintained and are also responsible for drafting SLA’s to cover all jurisdictions. Legal Advisors are also responsible for communicating with external law enforcement agencies during the investigations.

Legal Dimension

The Legal Dimension requires development of regulations and agreement to ensure that the forensic activities do not breach laws and regulations in the jurisdictions where the data resides. The confidentiality of other clients using the same infrastructure should also not be compromised.

An SLA (Service Level Agreement) between the cloud user and cloud service provider defines terms and guidelines which helps the ongoing forensic investigations, which are:

  1. Service, Access and Technique’s must be provided by CSP’s to customers during investigations.
  2. Trust boundaries, roles and responsibilities between the customer and the CSP must be defined clearly.
  3. No rules should be violated, no customer data should be compromised, and the privacy policies should be adhered in multi-jurisdictional environments, during the investigation.


As of now, there are no agreements between the Cloud service provider and the customer about the segregation of responsibilities in case of an investigation. For Data Collection, the cloud customer might not have complete access to their data if it is under investigation, however, if it is an IaaS (Infrastructure as a Service) customer, they won’t face such an issue.

The cloud customers do not have access to the log files either. In cloud computing, the data resides in multiple machines in multiple geographic locations. If the data is deleted, it becomes the primary source of evidence in digital forensics. In Cloud Forensics, it becomes a challenge to recover the deleted data, identify its owner, and use the data for event reconstruction.


Cost Effectiveness: Similar to Cloud Computing which is cost-effective and cheaper at larger scale, Cloud Forensics too is cheaper when implemented at larger scale.

Data Abundance: Owing to the fact that the data is replicated and stored over multiple data centers and servers, it is possible that the data might not be completely deleted and may be available for forensics and if case if deleted, might be possible to recover too.

Policies and standards: Cloud Computing is still evolving and hence is at an early stage, which makes this a perfect time for Cloud Forensics to lay foundations for their policies and standards.

Forensics as a Service: FaaS or Forensics as a Service can be developed which can be of huge help in solving crimes related to cloud or help in other various cyber-crime investigations.



Cloud Forensics may not be the need of the hour but it will certainly be in future, based on the pace at which cloud computing in growing and conquering everyone.  The limitations are but small obstacles which can be worked upon since the cloud is still in early stages. Security has always been the most important aspect of computing. There is a lot of work to be done and a lot more information has to be considered before Cloud Forensics is implemented.

This article is based on the research paper: Cloud forensics: An overview.

Photo Credit – David Bolton/Flickr

Subscribe to our Mailing List
We promise to never spam.

Get all the interesting stories delivered straight to Inbox.

Darshik Jariwala is an IT Professional from Canada, with 3+ years of experience and knowledge in various verticals in the IT industry. In his leisure time, he loves writing Blogs, Reading, watching Movies, occasional Photography and most of all having coffee with friends. You can also befriend him on , and .

1 Comment to Cloud Forensics: What is it? And Why is it so important?

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.