Digital Forensics in the Cloud: 5 Hot Skills

When it comes to collecting forensic evidence from cloud providers and determining whether a data breach has occurred, what used to take two weeks now takes a month for Greg Thompson, vice president of enterprise security services at Scotia Bank.

“Often we find it is a challenge to get sufficient forensic data from the cloud to prove the event or action did occur,” says Thompson, who oversees the forensics team at Scotia Bank, the third largest bank in Canada.

Specifically, he finds that acquiring evidence from cloud services is more challenging for forensic practitioners than the traditional methods of evidence acquisition used in an investigation. In a cloud environment, practitioners lack access to the full suite of forensic data, including net flows, log files and hard drive images, and they now also depend heavily on a third party whose system settings and administration may differ from their own. “This often stretches the time-frame needed to make conclusions on a case, as we have to deal with legal implications and inconsistencies in how data is overall collected and maintained.”

Cloud providers often offer their services without fully understanding how their client’s infrastructure operates or what their data collection or access needs are. This lack of understanding makes it imperative for forensics to be involved in managing the front-end relationship with the cloud provider, so that the agreement appropriately covers IT security, data segregation, privacy and access issues.

Because of such changes and challenges – and with a corresponding increase in risks from cybercrimes – information security leaders have a growing demand for forensic practitioners with cloud experience.

“Forensics in the cloud is not necessarily a new field, but requires a new skill set and being able to learn on the fly,” says Rob Lee, curriculum lead for digital forensic training at SANS Institute. “Their strength will be in assuring that they get that information and data out in a manner that is sufficient for their forensic need.”

The 5 Essential Skills

Forensics professionals who want to advance their careers need the following essential skills to succeed:

  • Upstream Intelligence: This refers to information gathered by network service providers to help forensics professionals paint a full defense picture of incidents such as data breaches. In the past, practitioners relied extensively on hard-disk images or pieces of equipment to analyze and dive deeper in investigating an incident. With cloud services, however, experts such as Thompson put emphasis on the practitioner’s knowledge of upstream intelligence, so that they understand better what information service providers can offer for deeper investigative analysis.
  • Legal Skills: The cloud environment is pushing forensics professionals to play a more proactive legal role in understanding the uncertainty and remoteness of data that is available for investigative purposes only through third-party service providers. “More and more they need to understand the legality around what information or data can be requested,” Lee says. For instance, forensics practitioners need to work with their legal teams to understand how the cloud provider will identify, locate, preserve and provide access to required and deleted information when the need arises.
  • Technical Background: Forensics practitioners need greater technical skills going into the future, Lee says. “The more they focus on understanding programming, network, operating systems and mobile-based technology, the better they will be,” he adds. Just recently, the Casey Anthony murder trial illustrated the need for a strong technical background, as both the defense and prosecution discussed and analyzed the digital forensics evidence discovered in specific technical search terms. “There needs to be a mind-shift from hard-disk analysis and static data to browser-based endpoints such as mobile phones,” Lee adds. This will help professionals understand the different types of data and what is most critical to capture.
  • Soft Skills: As forensic practitioners deal with cloud service providers, they need to develop soft skills such as collaboration, communication and negotiation “to convince external parties that they need to do things to help us,” Thompson says. For instance, in the event of an incident the forensics professional can negotiate the turn-around time for requested information with the provider by challenging the provider’s claims of how difficult it is to access the information. In addition, Thompson says that in his experience leadership aptitude and the ability to maintain an external network of contacts have proven invaluable for progress in investigations, compared with pursuing only the legal channel to get access to data, which often can be cumbersome and time consuming.
  • Collaborative Skills: Forensics practitioners must take a collaborative approach to identifying the needs of IT, information security and legal, and to understanding contractually what risks and challenges they may encounter in accessing data controlled by a third-party service provider. Practitioners need to be aware of their business needs and of the security controls practiced by the provider, so that they understand the protocol in the event there is a forensic need or a non-forensic data collection need that requires access to information. “The most critical component for forensics is in determining what level and type of information will be needed by organizations and the turn-around time from the time of request for data,” says Cynthia Bateman, director of forensic technology services at KPMG. “They need to plan for such scenarios up-front prior to having a litigation or forensics need.” She further adds that professionals need to address and clarify service level issues upfront with the cloud provider, including, for example, the level of information required, and whether the service provider will capture all file-level metadata and provide access to deleted files that are collected within the environment. “Forensics has to know what its organization’s data collection needs are and will be in the future to address these points.”

Salary & Career Scope

Leading security organizations have a good mix of forensics professionals on their teams, with diverse backgrounds such as law enforcement, network operations, legal, IT security and IT audit. They recommend that practitioners get traditional forensics training and education at academic institutions that offer hands-on programs focused on understanding chain of custody and how an investigation is conducted using appropriate tools and analysis techniques.

Thompson recently hired two professionals from community colleges in Canada who were specifically trained in applying forensic investigative techniques and skills to various data types.

The average salary for forensic professionals is around $81,000 in the U.S., according to the salary research and data website PayScale, but specialization in mobile architecture, devices and cloud services could lead to six-figure salaries, experts say.

To date, there has been very little research done on the current state of forensic tools, processes and methodologies needed to obtain legally defensible digital evidence in the cloud.

“The future forensics professional therefore has to rely heavily on gathering intelligence, developing a niche expertise and conducting true technical analysis to succeed,” Lee says.

Source: www.govinfosecurity.com

This entry was written by Zac, posted on Saturday February 18 2012 at 07:02 pm, filed under Cloud, Digital Forensics, Education & Training.

2 Responses to “Digital Forensics in the Cloud: 5 Hot Skills”

  • H. Carvey says:

    To date, there has been very little research done on the current state of forensic tools, processes and methodologies needed to obtain legally defensible digital evidence in the cloud.

    This is largely due to the fact that infrastructures vary, in construction, size, etc.

    What needs to happen is that an organization must understand its DFIR requirements before consulting a cloud provider, and then get those requirements in place in the contract, from the beginning.

  • Adam says:

    Thank you H. Carvey. That is certainly the angle which I have been perusing this from. Identifying that organisations need to understand what they need, want and expect from a Cloud Service Provider and not just assume it’s there when they need it. Most importantly, ensuring they have their requirements agreed in writing and of course, should an incident occur, ensuring the CSP has the resources and experience to detect, notify, respond and recover from an incident.

    Perhaps you would like to contribute to my recent RFC regarding IaaS Forensics? – http://www.forhacsec.com/2012/12/26/rfc-digital-forensics-within-iaas-environments/

    Regards,
