How the cloud has changed digital forensics and incident response

We recently published an article about how the cloud changed detection. In this follow-up, we explore how Digital Forensics and Incident Response (DFIR) practitioners can expand the scope of their operations through strategic preparation and the use of functionality that already exists in cloud platforms.

It’s almost a cliché to say, but cloud DFIR is a different ball game compared to its on-premises precursor. The things that forensic investigators and incident responders can achieve are more expansive, as are the variables and dependencies that might prevent their investigations from proceeding at all. In fact, for established responders, learning how to conduct investigations in the cloud can mean absorbing a whole new set of first principles.

Budgets, third-party contracts, relationship management, and the assignment of roles and responsibilities all take on a new importance for investigative work when we shift to the cloud. If these crucial dependencies are not factored into an organization’s understanding of DFIR work, then investigations can be derailed or held up. But if they are accounted for—and if they are used to build a human web of trust—then DFIR professionals can leverage cloud technologies to improve the speed and range of their investigations like never before.

In this article, we cover 2 ways in which SaaS platforms can facilitate DFIR work. First, however, we need to explore the broader strategic considerations upon which successful cloud DFIR work depends.

Strategic considerations

One big change to DFIR in the cloud is that battles can now increasingly be won before engagements take place. Strategic preparation—particularly on the technological front—is more feasible than ever before. At the same time, the cloud has not simplified the challenges of preparing people and processes for an incident. Organizations which do well in this arena therefore tend to have a solid strategic plan encompassing people, process, and technology. There are multiple factors to consider here, but the 3 most important can be summarized as follows:

  1. Roles and responsibilities. These are key to all forensic work in SaaS platforms, and are the kind of topic that organizations should discuss with their DFIR consultants if they are already paying for a readiness service. The right people must be allocated the correct roles in the relevant platforms, and this needs to be done in advance to build that human web of trust on which investigations rely.
  2. Policies. Organizations can, and should, enforce the segregation of duty that an investigation necessitates in the form of clearly defined policies for case members and workflows (while always being aware of the licensing requirements associated with this).
  3. Budgeting. Resource and cost estimation requires strategic forethought. DFIR work relies upon evidence retention and computational power. Most of the CSPs now offer cost forecasting as a standard feature, and it is important for organizations to leverage this so that they can anticipate and manage the costs of doing forensic work.

Once these strategic factors have been considered, investigators and responders can begin to make use of cloud functionality in ways that assist their work.

What the cloud can offer

As anybody who has ever had to run an investigation in an on-premises network can attest, serious bottlenecks can hold up the process of acquiring reliable evidence. Logs have to be collected from multiple sources: laptops, phones, and various discrete environments. Furthermore, it can be hard to determine whether logs even exist. As is true across the infosec space, there has also been a serious skills shortage in this area for some time, and many organizations do not have the in-house knowledge to collect evidence.

As a result, myriad solutions have emerged to offer evidence extraction and analysis in the form of both tooling and services. In practice, however, the tools are usually costly and inaccessible (forensic and eDiscovery solutions are among the worst offenders when it comes to UX, licensing friendliness, and ease of deployment and upkeep). Meanwhile, the service-based offerings tend to have their own problems in the form of activation barriers.

It is in the context of these existing problems that the cloud offers such exciting potential. With clear strategic preparation, investigators can use cloud platforms to collect artifacts in a way that is both easier and more reliable than was ever possible on-premises. Below, we give two examples of how this might happen.

Case study 1: streamlining insider threat investigations

Imagine that a long-time employee becomes a person of interest in an internal investigation at ACME Corporation after suspected insider trading. Ideally, most responder time would be invested in evaluating potential avenues of investigation by collecting and processing staple artifacts like mailbox container files and key office application files. In a perfect world, this information would be used by ACME Corporation to generate relevant supporting data sets like dictionaries that could further assist in the process.

In practice, however, things don’t work like this. Instead, investigators working with on-premises infrastructure spend their time waiting for data to be released, for agents on laptops to come to life, and for other experts to gain (often physical) access to the case information that they need to review.

How could a cloud SaaS solution such as Office 365 change things for the forensic investigators at ACME Corporation?

Email collection. In a fully SaaS environment, two key obstacles are removed. First, the operational responsibility for issuing eDiscovery queries and exporting the results for review can be kept strictly to case-related personnel, which eliminates the need to disclose case metadata to unrelated parties such as messaging and end-user computing teams. Second, the logistics of the search platform, a common source of pain, are externalized to the SaaS provider. Accordingly, the person requesting the investigation need only worry about remaining within compliance and cost boundaries.

Audit and tracing logs. The level of detail provided by audit logging is clearly mapped to license tiers in Office 365. License assignment can therefore be used as an effective means of automatically increasing visibility into individuals of interest.

Native eDiscovery offerings. Traditionally, evidence processing involved exporting large amounts of data into a tool—or even to a third party—to perform eDiscovery work. This is no longer necessary for platforms like Office 365, which include viable eDiscovery platforms. Another key benefit is that Office 365’s native integration of Azure Information Protection tags and policies enables forensic investigators to pinpoint violations of corporate policy in a way that would not be possible using a third-party tool.

Office artifacts. Desktop Office applications offer cloud storage as the default save location, which means that Office documents of interest to the investigation are far more likely to be available, even if platform encryption has been enforced. Moreover, they will be available in the version(s) of interest to investigators. SaaS platforms have also radically simplified the enforcement of evidence retention, for example by enabling legal holds to apply across the entire platform rather than just to email. This is especially relevant when the insiders under investigation are non-technical, as they are less likely to be aware that their documents are subject to enhanced retention in the cloud.

In summary, if an insider is under investigation, a SaaS platform such as O365 can be used both to gather the evidence quickly and to retain it in accordance with legal requirements.

Case study 2: commencing valuable response work faster

Real-time incident response can be very complex, never more so than when it comes to the logistics of data acquisition.

EDR solutions have long been able to acquire artifacts from machines of interest, while enterprise-wide searches or hunts are also slowly becoming commonplace. Unfortunately, however, an agent cannot solve all our problems by itself. Once an artifact has been spotted and acquisition requested from the network, the agent and the chosen storage target must cooperate. In real incident scenarios this can lead to a lot of IT operations and admin work being done just so that responders can begin their investigation.

Cloud environments, by contrast, offer exciting possibilities. The following three points illustrate this.

  1. In cloud compute environments such as Amazon's EC2, both target storage and networking are outsourced to a reliable third party. This means that incident response teams can focus on giving administrators clear requirements for performing data transfers or reaching target hosts for interrogation.
  2. Minimizing time spent doing infrastructure work to enable response. There are now countless open-source tools available for doing response work on machine-friendly data sets, and it is no longer a challenge to parse common formats such as XML and JSON variants. However, making log analysis platforms available at the right scale, capacity, and configuration is a very different story. Tools like Azure Sentinel bring a few crucial components together: log analytics and manipulation; reporting; automation of workflows. This means that a single responder can punctuate their triage by setting up live reports and alerts based on case logic, then establish automation workflows based on repetitive tasks.
  3. Native log formats and tools can be leveraged to accelerate log review. Traditionally, once a log was determined to exist, and the source was not present in a corporate SIEM, there was a lengthy process of transferring, ad-hoc parsing, making the parsed logs available, and dealing with resource bottlenecks. This process had to be repeated time and again, with much time spent adjusting for minor variations in format and file sizes. As fun as this can be, it is no task for the middle of an incident. If, however, an organization utilizes standard log formats as well as provider log analysis infrastructure, it faces only one of these challenges. Once the log source is known to exist, provisioning a log workspace and issuing queries against it can take a matter of minutes.
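The "native log formats" point above, and the audit-log visibility discussed in case study 1, come down to one repeatable step: flattening a provider's export into a per-person timeline. The following is an added example, not code from the article or from Microsoft; it assumes the Unified Audit Log export shape, in which each row carries its detail as a JSON-encoded string in AuditData, and the rows and the acme.example identities are constructed placeholders.

```python
"""Added example: flatten a Unified Audit Log export and build a per-user timeline."""
import json
from collections import Counter
from datetime import datetime

# Constructed sample rows (not real tenant data). Each row carries its detail as a
# JSON-encoded string in "AuditData", the shape the Unified Audit Log export uses.
def _row(time, user, op, workload, obj, ip):
    detail = {"CreationTime": time, "UserId": user, "Operation": op,
              "Workload": workload, "ObjectId": obj, "ClientIP": ip}
    return {"CreationDate": time, "UserIds": user, "Operations": op,
            "AuditData": json.dumps(detail)}

SAMPLE_EXPORT = [
    _row("2021-10-04T08:12:31", "jdoe@acme.example", "FileDownloaded", "OneDrive",
         "https://acme.example/personal/jdoe/Documents/Q3-forecast.xlsx", "203.0.113.10"),
    _row("2021-10-04T07:55:02", "JDoe@acme.example", "MailItemsAccessed", "Exchange",
         "jdoe@acme.example", "203.0.113.10"),
    _row("2021-10-04T09:30:45", "asmith@acme.example", "FileAccessed", "SharePoint",
         "https://acme.example/sites/Finance/board-pack.docx", "198.51.100.7"),
    _row("2021-10-05T18:02:11", "jdoe@acme.example", "FileDownloaded", "SharePoint",
         "https://acme.example/sites/Finance/board-pack.docx", "198.51.100.200"),
    {"CreationDate": "2021-10-05T18:03:00", "AuditData": "{not valid json"},  # truncated row
]

def parse_records(export):
    """Decode the nested AuditData of every row; malformed rows are skipped, not fatal."""
    for row in export:
        try:
            data = json.loads(row.get("AuditData") or "")
        except json.JSONDecodeError:
            continue
        yield {
            "time": datetime.fromisoformat(data["CreationTime"]),
            "user": data.get("UserId", "").lower(),  # UPN case differs across workloads
            "op": data.get("Operation"),
            "workload": data.get("Workload"),
            "object": data.get("ObjectId"),
            "ip": data.get("ClientIP"),
        }

def timeline_for(export, user):
    """Chronological activity of one person of interest across all workloads."""
    events = [r for r in parse_records(export) if r["user"] == user.lower()]
    return sorted(events, key=lambda r: r["time"])

def operation_counts(export, user):
    """Quick triage view: which operations the user performed, and how often."""
    return Counter(r["op"] for r in timeline_for(export, user))
```

The same flattening is what a provider-hosted log workspace does for you on ingestion; doing it locally like this is the fallback when the export is all you have.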

When contracts make everybody unhappy

What we’ve written here is broadly true for SaaS offerings such as Office 365, but there are other SaaS platforms which are likely to cause investigators headaches. The most intractable problems emerge when contracts with third-party service providers frustrate investigative progress. Sometimes, for example, requests for logs and data are not factored into contracts. Other times, licensing models place log retention behind a paywall. Very occasionally, uncooperative vendors will funnel all requests for information through their legal teams.

In the short term, there’s not much that can be done about this until the contract is replaced or renewed. Security teams should factor such blockages into their forensics strategies, and they could consider communicating these to the wider business ahead of potential incidents. Often, however, the most effective long-term strategy available to security teams will be to lobby the wider business for greater access to logs when it comes to choosing providers and signing contracts.

Final thoughts

Cloud platforms can help remove many of the operational logistics associated with DFIR work if investigators and responders start thinking with a new set of first principles. These principles encompass both pre-engagement strategic considerations, and a willingness to make use of the capacities built into SaaS offerings.

If we keep doing DFIR as we did on-premises, we will only frustrate ourselves: advances in DFIR will involve all of us thinking in a cloud-native way.

10/2021
Jorge Lamarca (Cloud Security Researcher) with contributions from Joani Green (Incident Responder)