NIST details cloud forensic challenges

Now that so much data has migrated to the cloud, digital forensic investigators trying to retrieve evidence of security breaches or cyber crimes face unique challenges associated with technological, legal or organizational processes.

The National Institute of Standards and Technology's Cloud Computing Forensic Science Working Group has begun to describe and categorize those challenges in a new publication, the NIST Cloud Computing Forensic Science Challenges. It targets digital forensic examiners, developers and researchers, cloud security professionals, law enforcement officers and cloud auditors, and it is intended to help the cloud computing community understand the issues facing digital forensics so it can assist in developing technologies and standards to mitigate those challenges.

According to the working group, cloud forensics uses a hybrid approach that taps into devices used to access cloud services – whether remote, virtual, network, live, large-scale, thin-client, thick-client or end-point – to discover digital artifacts.

While the challenges span technological, legal or organizational processes, NIST said the majority of the hurdles were technology-based. The report identified 65 challenges and grouped them into nine categories:

  1. Architecture: Dealing with diversity, complexity, provenance, multi-tenancy and data segregation.
  2. Data collection: Addressing data integrity, data recovery, data location and imaging.
  3. Analysis: Identifying correlation, reconstruction, time synchronization, logs, metadata and timeline issues.
  4. Anti-forensics: Relating to obfuscation, data hiding and malware designed to prevent or mislead forensic analysis.
  5. Incident first responders: Verifying the trustworthiness of cloud providers, response time and reconstruction.
  6. Role management: Addressing data owners, identity management, users and access controls.
  7. Legal: Referring to jurisdictions, laws, service level agreements, contracts, subpoenas, international cooperation, privacy and ethics.
  8. Standards: Describing standard operating procedures, interoperability, testing and validation.
  9. Training: Ensuring forensic investigators and cloud providers have adequate knowledge.

The working group plans to continue its efforts in analyzing and prioritizing forensic cloud challenges, developing a cloud forensics reference architecture, identifying gaps in technology and standards that need to be addressed and developing a roadmap to address those gaps.

About the Author

Connect with the GCN staff on Twitter @GCNtech.
