NIST details cloud forensic challenges

Now that so much data has migrated to the cloud, digital forensic investigators trying to retrieve evidence of security breaches or cyber crimes face unique challenges associated with technological, legal or organizational processes.

The National Institute of Standards and Technology’s Cloud Computing Forensic Science Working Group has begun to describe and categorize those challenges in a new publication, the NIST Cloud Computing Forensic Science Challenges. It targets digital forensic examiners, developers and researchers, cloud security professionals, law enforcement officers and cloud auditors, and it is intended to help the cloud computing community understand the issues facing digital forensics so it can assist in developing technologies and standards to mitigate those challenges.

According to the working group, cloud forensics uses a hybrid approach that taps into devices used to access cloud services – whether remote, virtual, network, live, large-scale, thin-client, thick-client or end-point – to discover digital artifacts.

While the challenges span technological, legal, or organizational processes, NIST said the majority of the hurdles were technology-based. The report identified 65 challenges and grouped them into nine categories:

  1. Architecture: Dealing with diversity, complexity, provenance, multi-tenancy and data segregation.
  2. Data collection: Addressing data integrity, data recovery, data location and imaging.
  3. Analysis: Identifying correlation, reconstruction, time synchronization, logs, metadata and timeline issues.
  4. Anti-forensics: Relating to obfuscation, data hiding and malware designed to prevent or mislead forensic analysis.
  5. Incident first responders: Verifying the trustworthiness of cloud providers, response time and reconstruction.
  6. Role management: Addressing data owners, identity management, users and access controls.
  7. Legal: Referring to jurisdictions, laws, service level agreements, contracts, subpoenas, international cooperation, privacy and ethics.
  8. Standards: Describing standard operating procedures, interoperability, testing and validation.
  9. Training: Ensuring forensic investigators and cloud providers have adequate knowledge.

The working group plans to continue its efforts in analyzing and prioritizing forensic cloud challenges, developing a cloud forensics reference architecture, identifying gaps in technology and standards that need to be addressed and developing a roadmap to address those gaps.

About the Author

Connect with the GCN staff on Twitter @GCNtech.

