NIST details cloud forensic challenges

Now that so much data has migrated to the cloud, digital forensic investigators trying to retrieve evidence of security breaches or cyber crimes face unique challenges associated with technological, legal or organizational processes.

National Institute of Standards and Technology’s Cloud Computing Forensic Science Working Group has begun to describe and categorize those challenges in a new publication, the NIST Cloud Computing Forensic Science Challenges. It targets digital forensic examiners, developers and researchers, cloud security professionals, law enforcement officers and cloud auditors, and it is intended to help the cloud computing community understand the issues facing digital forensics so it can assist in developing technologies and standards to mitigate those challenges.

According to the working group, cloud forensics uses a hybrid approach that taps into devices used to access cloud services – whether remote, virtual, network, live, large-scale, thin-client, thick-client or end-point -- to discover digital artifacts.

While the challenges span technological, legal, or organizational processes, NIST said the majority of the hurdles were technology based. The report identified 65 challenges and grouped them into nine categories:

  1. Architecture: Dealing with diversity, complexity, provenance, multi-tenancy and data segregation.
  2. Data collection: Addressing data integrity, data recovery, data location and imaging.
  3. Analysis: Identifying correlation, reconstruction, time synchronization, logs, metadata and timeline issues.
  4. Anti-forensics: Relating to obfuscation, data hiding and malware designed to prevent or mislead forensic analysis.
  5. Incident first responders: Verifying the trustworthiness of cloud providers, response time and reconstruction.
  6. Role management: Addressing data owners, identity management, users and access controls.
  7. Legal: Referring to jurisdictions, laws, service level agreements, contracts, subpoenas, international cooperation, privacy and ethics
  8. Standards: Describing standard operating procedures, interoperability, testing and validation.
  9. Training: Ensuring forensic investigators and cloud providers have adequate knowledge.

The working group plans to continue its efforts in analyzing and prioritizing forensic cloud challenges, developing a cloud forensics reference architecture, identifying gaps in technology and standards that need to be addressed and developing a roadmap to address those gaps.

About the Author

Connect with the GCN staff on Twitter @GCNtech.


  • automated processes (Nikolay Klimenko/

    How the Army’s DORA bot cuts manual work for contracting professionals

    Thanks to robotic process automation, the time it takes Army contracting professionals to determine whether prospective vendors should receive a contract has been cut from an hour to just five minutes.

  • Russia prying into state, local networks

    A Russian state-sponsored advanced persistent threat actor targeting state, local, territorial and tribal government networks exfiltrated data from at least two victims.

Stay Connected