
2020.08.26

NIST: An overview of forensic science challenges in cloud computing environments

Hello, this is Maruyama Mitsuhiko (丸山満彦).

NIST has published a document that organizes the challenges of digital forensics in cloud computing environments. The draft came out in 2014, so it seems to have taken about six years to be finalized?

It is helpful in the sense that it collects information from a variety of useful references... I haven't read it closely yet, though...


NIST - ITL
・2020.08.25 NISTIR 8006 NIST Cloud Computing Forensic Science Challenges

・ [PDF] NISTIR 8006



Executive Summary

The National Institute of Standards and Technology (NIST) has been designated by the Federal Chief Information Officer (CIO) to accelerate the Federal Government’s secure adoption of cloud computing by leading efforts to develop standards and guidelines in close consultation and collaboration with standards bodies, the private sector, and other stakeholders.

Consistent with NIST’s mission,1 the NIST Cloud Computing Program (NCCP) has developed the NIST Cloud Computing Standards Roadmap [1] as one of many mechanisms in support of the U.S. Government’s (USG’s) secure and effective adoption of cloud computing technology2 to reduce costs and improve services. Standards are critical to ensure cost-effective and easy migration, to ensure that mission-critical requirements can be met, and to reduce the risk that sizable investments may become prematurely technologically obsolete. Standards are key elements required to ensure a level playing field in the global marketplace. The importance of setting standards in close relation with private sector involvement is highlighted in a memorandum from the Office of Management and Budget (OMB), M-12-08 [2], dated January 17, 2012.

With the rapid adoption of cloud computing technology, a need has arisen for the application of digital forensic science to this domain. The validity and reliability of forensic science is crucial in this new context and requires new methodologies for identifying, collecting, preserving, and analyzing evidence in multi-tenant cloud3 environments that offer rapid provisioning, global elasticity, and broad network accessibility. This is necessary to support the U.S. criminal justice and civil litigation systems as well as to provide capabilities for security incident response and internal enterprise operations.

The NIST Cloud Computing Forensic Science Working Group (NCC FSWG) was established to research forensic science challenges in the cloud environment and to develop plans for standards and technology research to mitigate the challenges that cannot be addressed by current technology and methods. The NCC FSWG has surveyed existing literature and defined a set of challenges related to cloud computing forensics. These challenges, along with associated literature, are presented in this document. The document also provides a preliminary analysis of these challenges by including: (1) the relationship between each challenge to the five essential characteristics of cloud computing as defined in the NIST cloud computing model [3], (2) how the challenges correlate to cloud technology, and (3) nine categories to which the challenges belong. In addition, the analysis considers logging data, data in media, and issues associated with time, location, and sensitive data.


1 This effort is consistent with the NIST role per the National Technology Transfer and Advancement Act (NTTAA) of 1995, which became law in March 1996.

2 NIST Definition of Cloud Computing, NIST Special Publication (SP) 800-145 [3]: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

3 The NIST definition of cloud computing [3] requires that "the Provider's computing resources are pooled to serve multiple Consumers using a multi-tenant model…"


[1] Hogan M, Liu F, Sokol A, Tong J (2011) NIST Cloud Computing Standards Roadmap. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 500-291. https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=909024

[2] Executive Office of the President (2012) Principles for Federal Engagement in Standards Activities to Address National Priorities, OMB Memorandum M-12-08, January 17, 2012. https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2012/m-12-08_1.pdf

[3] Mell P, Grance T (2011) The NIST Definition of Cloud Computing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-145.


Table of Contents

EXECUTIVE SUMMARY

1 INTRODUCTION
 1.1 DOCUMENT GOALS
 1.2 AUDIENCE

2 OVERVIEW
 2.1 CLOUD COMPUTING FORENSIC SCIENCE
 2.2 DEFINING WHAT CONSTITUTES A CHALLENGE FOR CLOUD COMPUTING FORENSICS

3 CLOUD FORENSIC CHALLENGES
 3.1 COLLECTION AND AGGREGATION OF FORENSIC SCIENCE CHALLENGES
 3.2 ANALYSIS AND CATEGORIZATION OF THE CHALLENGES
  3.2.1 Relevance of Essential Cloud Characteristics
  3.2.2 Correlation Between Cloud Technology and Forensic Science Challenges
  3.2.3 Categorization of Challenges

4 ADDITIONAL ANALYSIS OF THE CHALLENGES
 4.1 ADDITIONAL OBSERVATIONS

5 CONCLUSIONS

REFERENCES

APPENDIX A: ACRONYMS
APPENDIX B: GLOSSARY

ANNEX A: CLOUD FORENSIC CHALLENGES
ANNEX B: CSA’S ENTERPRISE ARCHITECTURE (TCI V2.0)
ANNEX C: MIND MAPS

Table of Figures

Figure 1: CSA’s Enterprise Architecture
Figure 2: Mind Map – Categories and Subcategories
Figure 3: Mind Map – Primary Categories
Figure 4: Mind Map – Related Categories


1 Introduction

Cloud computing has revolutionized the methods by which digital data is stored, processed, and transmitted. One of the most daunting new challenges is how to perform digital forensics in various types of cloud computing environments. The challenges associated with conducting forensics in different cloud deployment models, which may cross geographic or legal boundaries, have become an issue.

NIST carries out many research activities related to forensic science. The goals of these activities are to improve the accuracy, reliability, and scientific validity of forensic science methods and practices through advances in its measurements and standards infrastructure. As part of these activities, the NIST Cloud Computing Forensic Science Working Group (NCC FSWG) is identifying emerging standards and technologies that would help solve challenges, that is, the most pressing problems fundamental to carrying out forensics in a cloud computing environment to lawfully obtain (e.g., via warrant or subpoena) all relevant artifacts, as well as to provide capabilities for security incident response and internal enterprise operations.

The cloud exacerbates many technological, organizational, and legal challenges already faced by digital forensic examiners. Several of these challenges—such as those associated with data replication, location transparency, and multi-tenancy—are somewhat unique to cloud computing forensics [4], [72]. The NCC FSWG has collected and aggregated a list of cloud forensic challenges (see Annex A) that are introduced and discussed in this document. Future work will involve identifying gaps in technology and standards related to the challenges that need to be addressed and developing possible technological and standards approaches to mitigate these challenges.

1.1 Document Goals

This document is intended to serve as a basis for a dialogue on forensic science concerns in cloud Ecosystems4 and as a starting point for understanding those concerns (challenges) with the intent of allowing the cloud computing community to identify the technologies and standards that can mitigate these challenges.

1.2 Audience

The primary audience for this document includes digital forensic examiners, developers and researchers, cloud security professionals, law enforcement officers, and cloud Auditors. However, given the breadth and depth of this topic, many other stakeholders—such as cloud policy makers, executives, and the general user population of cloud Consumers—may also be interested in certain aspects of this document.


4 The term Ecosystems is capitalized here for consistency with the capitalization of cloud-related terms in other NIST publications. Other terms to be capitalized in this report include cloud Actor, Provider, Consumer, Auditor, Broker and Carrier.



Various process models have been developed for digital forensics, including the following eight distinctive steps and attributes [5]:

  1. Search authority. Legal authority is required to conduct a search and/or seizure of data.

  2. Chain of custody. In legal contexts, chronological documentation of access and handling of evidentiary items is required to avoid allegations of evidence tampering or misconduct.

  3. Imaging/hashing function. When items containing potential digital evidence are found, each should be carefully duplicated and then hashed to validate the integrity of the copy.

  4. Validated tools. When possible, tools used for forensics should be validated to ensure reliability and correctness.

  5. Analysis. Forensic analysis is the execution of investigative and analytical techniques to examine, analyze, and interpret the evidentiary artifacts retrieved.

  6. Repeatability and reproducibility (quality assurance). The procedures and conclusions of forensic analysis should be repeatable and reproducible by the same or other forensic analysts [6].

  7. Reporting. The forensic analyst must document his or her analytical procedure and conclusions for use by others.

  8. Presentation. In most cases, the forensic analyst will present his or her findings and conclusions to a court or other audience.
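Steps 2 and 3 above (chain of custody and imaging/hashing) are the ones that translate most directly into code. The following is an added example, not code from NISTIR 8006 or from NIST: it images a file byte for byte, verifies the copy with three independently computed SHA-256 digests (the original before copying, the bytes as they were copied, and the written image re-read from disk), and appends every acquisition and every later verification to a JSON-lines custody log so that each access to the evidence is recorded. The evidence file, the `custody.jsonl` log name and the examiner identifiers are constructed for the demonstration; in the cloud the "source" would typically be a volume snapshot or an exported object rather than a local file, but the hash-before, hash-during and hash-after discipline is the same.

```python
"""Forensic acquisition of a file: image, hash-verify, and record chain of custody.
Added example; the evidence file, log name and examiner names are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read/write in 1 MiB pieces so large images need no extra memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_file(src, dst):
    """Copy src to dst byte for byte, hashing the bytes as they pass through.
    The returned digest covers exactly what was written, not a later re-read."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            h.update(chunk)
            fout.write(chunk)
    return h.hexdigest()


def append_record(custody_log, **fields):
    """Append one JSON-lines custody entry stamped with UTC time; return the entry."""
    record = {"timestamp_utc": datetime.now(timezone.utc).isoformat(), **fields}
    with open(custody_log, "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def acquire(src, dst, custody_log, examiner):
    """Image src into dst and verify with three independent digests:
    the original before copying, the copied stream, and the written file re-read."""
    before = sha256_file(src)
    stream = image_file(src, dst)
    after = sha256_file(dst)
    return append_record(
        custody_log,
        examiner=examiner,
        action="acquire",
        source=os.path.abspath(src),
        image=os.path.abspath(dst),
        sha256=before,
        verified=(before == stream == after),
    )


def verify_image(dst, custody_log, examiner):
    """Re-hash an image and compare with the digest recorded at acquisition.
    The check itself is logged, pass or fail, so every access leaves a trace."""
    image = os.path.abspath(dst)
    recorded = None
    with open(custody_log) as log:
        for line in log:
            entry = json.loads(line)
            if entry.get("action") == "acquire" and entry.get("image") == image:
                recorded = entry["sha256"]
    current = sha256_file(dst)
    ok = recorded is not None and current == recorded
    append_record(custody_log, examiner=examiner, action="verify",
                  image=image, sha256=current, verified=ok)
    return ok


def demo():
    """Acquire a constructed evidence file, verify it, flip one byte, verify again.
    Returns (acquisition verified, first check, check after tampering)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "evidence.bin")
        dst = os.path.join(work, "evidence.img")
        log = os.path.join(work, "custody.jsonl")
        with open(src, "wb") as f:               # constructed sample evidence
            f.write(os.urandom(3 * CHUNK + 12345))
        acquired = acquire(src, dst, log, "examiner-1")["verified"]
        first = verify_image(dst, log, "examiner-2")
        with open(dst, "r+b") as f:              # simulate a single flipped byte
            f.seek(CHUNK + 7)
            original = f.read(1)
            f.seek(CHUNK + 7)
            f.write(bytes([original[0] ^ 0x01]))
        second = verify_image(dst, log, "examiner-2")
        return acquired, first, second


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Hashing the stream while it is copied, rather than only re-reading the finished image, is what lets the examiner show that the digest belongs to the bytes actually acquired; the re-read afterwards catches a write that silently failed. Recording failed verifications as well as successful ones is deliberate: a custody log that only ever says "ok" is of little use when a mismatch has to be explained later.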


  • Architecture (e.g., diversity, complexity, provenance, multi-tenancy, data segregation).
    Architecture challenges in cloud forensics include:
    • Dealing with variability in cloud architectures between Providers
    • Tenant data compartmentalization and isolation during resource provisioning
    • Proliferation of systems, locations, and endpoints that can store data
    • Accurate and secure provenance for maintaining and preserving chain of custody
  • Data collection (e.g., data integrity, data recovery, data location, imaging).
    Data collection challenges in cloud forensics include:
    • Locating forensic artifacts in large, distributed, and dynamic systems
    • Locating and collecting volatile data
    • Data collection from virtual machines
    • Data integrity in a multi-tenant environment where data is shared among multiple computers in multiple locations and accessible by multiple parties
    • Inability to image all of the forensic artifacts in the cloud
    • Accessing the data of one tenant without breaching the confidentiality of other tenants
    • Recovery of deleted data in a shared and distributed virtual environment
  • Analysis (e.g., correlation, reconstruction, time synchronization, logs, metadata, timelines).
    Analysis challenges in cloud forensics include:
    • Correlation of forensic artifacts across and within cloud Providers
    • Reconstruction of events from virtual images or storage
    • Integrity of metadata
    • Timeline analysis of log data, including synchronization of timestamps
  • Anti-forensics (e.g., obfuscation, data hiding, malware).
    Anti-forensics are a set of techniques used specifically to prevent or mislead forensic analysis. Anti-forensic challenges in cloud forensics include:
    • The use of obfuscation, malware, data hiding, or other techniques to compromise the integrity of evidence
    • Malware may circumvent virtual machine isolation methods
  • Incident first responders (e.g., trustworthiness of cloud Providers, response time, reconstruction).
    Incident first responder challenges in cloud forensics include:
    • Confidence, competence, and trustworthiness of the cloud Providers to act as first responders and perform data collection
    • Difficulty in performing initial triage
    • Processing a large volume of collected forensic artifacts
  • Role management (e.g., data owners, identity management, users, access control).
    Role management challenges in cloud forensics include:
    • Uniquely identifying the owner of an account
    • Decoupling between cloud user credentials and physical users
    • Ease of anonymity and creating fictitious identities online
    • Determining exact ownership of data
    • Authentication and access control
  • Legal (e.g., jurisdictions, laws, service level agreements, contracts, subpoenas, international cooperation, privacy, ethics).
    Legal challenges in cloud forensics include:
    • Identifying and addressing issues of jurisdictions for legal access to data
    • Lack of effective channels for international communication and cooperation during an investigation
    • Data acquisition that relies on the cooperation of cloud Providers, as well as their competence and trustworthiness
    • Missing terms in contracts and service level agreements
    • Issuing subpoenas without knowledge of the physical location of data
  • Standards (e.g., standard operating procedures, interoperability, testing, validation).
    Standards challenges in cloud forensics include:
    • Lack of even minimum/basic SOPs, practices, and tools
    • Lack of interoperability among cloud Providers
    • Lack of test and validation procedures
  • Training (e.g., forensic investigators, cloud Providers, qualification, certification).
    Training challenges in cloud forensics include:
    • Misuse of digital forensic training materials that are not applicable to cloud forensics
    • Lack of cloud forensic training and expertise for both investigators and instructors
    • Limited knowledge by record-keeping personnel in cloud Providers about evidence
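Two of the analysis challenges listed above, correlating artifacts across Providers and timeline analysis with synchronized timestamps, come down to getting every log line onto one clock before anything else is attempted. The following is an added example, not code from NISTIR 8006: it takes log lines from three constructed sources, each with a different timestamp convention (ISO 8601 with `Z`, ISO 8601 with a `+09:00` offset, and classic syslog with no year and no zone), normalizes them to UTC, corrects each source for a measured clock offset, and sorts them into a single timeline. The sample lines, the source names, the clock offsets, and the assumed syslog year and host timezone are all constructed for the demonstration; in practice the offsets would come from comparing each source's clock against a trusted reference at collection time.

```python
"""Merge logs from several cloud sources into one UTC timeline after skew correction.
Added example; sample lines, source names and clock offsets are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines for three sources, each with its own timestamp convention.
SAMPLE_LOGS = {
    "provider-a-api": [
        "2020-08-25T14:03:07.120Z user=alice action=CreateKey result=ok",
        "2020-08-25T14:03:09.455Z user=alice action=PutObject bucket=evidence result=ok",
    ],
    "provider-b-audit": [
        "2020-08-25 23:03:05+09:00 principal=alice op=AssumeRole target=ops-admin",
    ],
    "vm-syslog": [
        "Aug 25 14:02:58 web01 sshd[1123]: Accepted publickey for alice from 203.0.113.5",
        "Aug 25 14:03:11 web01 sudo: alice : COMMAND=/bin/rm -rf /var/log/nginx",
    ],
}

# Assumed clock offset of each source relative to a trusted reference:
# positive means the source clock runs ahead, so true time = observed - offset.
CLOCK_OFFSET = {
    "provider-a-api": timedelta(0),
    "provider-b-audit": timedelta(0),
    "vm-syslog": timedelta(seconds=-4),   # VM clock assumed 4 s behind the reference
}

SYSLOG_YEAR = 2020          # syslog carries no year; assumed from the case context
SYSLOG_TZ = timezone.utc    # assumed timezone of the syslog host

ISO_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))\s+(.*)$"
)
SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(.*)$")


def parse_timestamp(line):
    """Split a log line into (timezone-aware UTC datetime, message)."""
    m = ISO_RE.match(line)
    if m:
        ts = m.group(1).replace("Z", "+00:00")  # fromisoformat() rejects 'Z' before 3.11
        return datetime.fromisoformat(ts).astimezone(timezone.utc), m.group(2)
    m = SYSLOG_RE.match(line)
    if m:
        naive = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        aware = naive.replace(year=SYSLOG_YEAR, tzinfo=SYSLOG_TZ)
        return aware.astimezone(timezone.utc), m.group(2)
    raise ValueError(f"unrecognised timestamp: {line!r}")


def build_timeline(logs, offsets):
    """Normalize every line to UTC, apply the per-source skew correction, and sort.
    Both the corrected and the observed time are kept so the correction is auditable."""
    events = []
    for source, lines in logs.items():
        offset = offsets.get(source, timedelta(0))
        for line in lines:
            observed, message = parse_timestamp(line)
            events.append({
                "time": observed - offset,
                "observed": observed,
                "source": source,
                "message": message,
            })
    events.sort(key=lambda e: (e["time"], e["source"]))
    return events


def render(events):
    """One line per event: corrected UTC time, source, message."""
    return "\n".join(
        f"{e['time'].isoformat()} [{e['source']}] {e['message']}" for e in events
    )


if __name__ == "__main__":
    print(render(build_timeline(SAMPLE_LOGS, CLOCK_OFFSET)))
```

With the constructed offsets the SSH login on the VM, which the raw syslog places before everything else at 14:02:58, moves to 14:03:02 UTC and the `rm -rf` moves to 14:03:15, so the sequence login, role assumption, key creation, object write, log deletion is only visible after the VM's 4-second lag is corrected. Keeping the observed timestamp alongside the corrected one matters for the repeatability requirement: another examiner can reproduce the timeline from the same inputs and the same stated offsets.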
