On-Premises vs. Cloud Forensics – SY0-601 CompTIA Security+ : 4.5

Performing forensics in the cloud provides additional challenges to the security professional. In this video, you’ll learn about right-to-audit clauses, regulatory issues, and data breach notification laws.


Up to this point, we have been describing our digital forensics process with devices that would be in our possession. It would be a computer, a laptop, a mobile device of some kind, but we also need to think about how we perform digital forensics on devices that may be in the cloud. Obviously, cloud-based services are not in our immediate possession, and we don’t have physical access to these devices. In fact, we may have very limited access to this particular device because it is located in another facility that is somewhere in the cloud.

It might also be very difficult to associate cloud-based data to one specific user. There are many people accessing this cloud-based service simultaneously, and picking out an individual’s piece of data may add additional complexity to the forensics process. And there might also be legal issues associated with this cloud-based data, especially since the rules and regulations around this data may be different depending on where you are in the world, and where the data may be located.

Before you are put into a position where you would need to access this cloud-based data for forensics purposes, it would be valuable to have already created an agreement on how this data could be accessed. So if you’re working with a cloud provider, or a business partner, it will be useful to qualify how the data should be shared and how the outsourcing agreement would work. We might also have a concern about how safe this data might be at a third-party provider. So it’s not uncommon to work with that provider to create a right-to-audit clause in the agreement. That would give you permission to know where the data is being held, how the data is being accessed over the internet, and what security features may be in place to protect that data.

As the initial contract with the cloud provider is being created, a right-to-audit clause can be added that would specify how you would be able to perform a security audit of that data. Everyone would agree to those terms and conditions and the contract will be signed. This would allow you access to perform security audits and to make sure the data is safe, well before you would run into the situation where a security breach might occur.

The technology behind cloud computing is evolving rapidly, and the legal system is trying to catch up with all of these changes in the technology. This is why it’s going to be important for forensics professionals to work very closely with the legal team, especially if they’re looking at data that may be located in a different location. The regulations regarding the use of and access to data in one location may be very different than the rules in another location. And if we’re describing a cloud-based application, the data may be located in a completely different country.

In that particular case, the physical location of the data center may determine the legal jurisdiction for that data. From a forensics perspective, this could work against you when you’re trying to perform any type of analysis. For example, some countries don’t allow any type of electronic searches if the search is coming from outside of their country. So it may be very important to include your legal team as you’re stepping through the process of digital forensics in these cloud-based locations.

Another concern is the notification laws associated with data breaches and how they would affect you depending on where the data may be located. Many states or countries have laws or regulations that state that, if any consumer data happens to be breached, the consumers must be informed of that situation. And like the legal issues we have regarding where the data is stored, the data breach notification laws may be different depending on where that data would be stored. If you have a cloud-based application, you may be storing information from all countries in a single database, and a breach of that data may have a very broad impact on who gets notified.

You might also find that the notification requirements might be very different depending on the geography. There might be rules and regulations regarding the type of data that is breached, and what type of notification should be made. So if the breach is only someone’s name or email, is that different than if it’s their name, email address, and telephone number? It’s also important to know who needs to be notified if a breach occurs, and how quickly you would need to notify them after a breach has been identified.