In NIST SP 800-145, NIST defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. For more than a decade, cloud computing has offered cost savings in both capital and operational expenses, while leveraging leading-edge technologies to meet the information processing needs of users in the public and private sectors. However, the change in technical operations and control dynamics (both ownership and management) of IT resources poses new challenges for digital forensic science.
To address those challenges, NIST sponsors the NIST Cloud Computing Forensic Science project. The long-term goal of this project is to advance technology, standards, and measurements for cloud computing forensics that will aid further innovation, as well as lead to increased adoption in both government and industry. NIST aims to contribute towards improved accuracy, reliability, scientific validity, and usefulness of cloud forensic science.
In support of this project, NIST has established the Cloud Computing Forensic Science Public Working Group to:
Publication: NISTIR 8006
Date Published: August 2020
Authors: Martin Herman (NIST), Michaela Iorga (NIST), Ahsen Michael Salim (American Data Technology), Robert Jackson (SphereCom Enterprises), Mark Hurst (SphereCom Enterprises), Ross Leo (University of Houston-Clear Lake), Richard Lee (Citizens Financial Group), Nancy Landreville (MELE Associates), Anand Kumar Mishra (Malaviya National Institute of Technology), Yien Wang (Auburn University), Rodrigo Sardinas (Auburn University)
This document summarizes the research performed by the members of the NIST Cloud Computing Forensic Science Working Group (NCC FSWG) and aggregates, categorizes, and discusses the forensics challenges faced by experts when responding to incidents that have occurred in a cloud-computing ecosystem. The challenges are presented along with the associated literature that references them. The immediate goal of the document is to begin a dialogue on forensic science concerns in cloud computing ecosystems. The long-term goal of this effort is to gain a deeper understanding of those concerns (challenges) and to identify technologies and standards that can mitigate them.
Keywords: cloud computing forensics; digital forensics; forensic science; forensics; forensics challenges
Publication: SP 800-201
Supplemental material: NIST Cloud Computing Forensic Reference Architecture Data (see below)
Date Published: July 1st, 2024
Authors: Martin Herman (NIST), Michaela Iorga (NIST), Ahsen Michael Salim (American Data Technology), Robert Jackson (SphereCom Enterprises), Mark Hurst (SphereCom Enterprises), Ross Leo (University of Houston-Clear Lake), Anand Kumar Mishra (National Institute of Technology Sikkim), Nancy Landreville (University of Maryland Global Campus), Yien Wang (Auburn University)
This document summarizes research performed by the members of the NIST Cloud Computing Forensic Science Working Group and presents the NIST Cloud Computing Forensic Reference Architecture (CC FRA, also referred to as FRA for the sake of brevity), whose goal is to provide support for a cloud system’s forensic readiness. The CC FRA is meant to help users understand which cloud forensic challenges might exist for an organization’s cloud system. It identifies the challenges that require at least partial mitigation strategies and shows how a forensic investigator would apply that information to a particular forensic investigation. The CC FRA presented here is both a methodology and an initial implementation. Users are encouraged to customize this initial implementation for their specific situations and needs.
Keywords: civil litigation; criminal investigation; cybersecurity; digital forensics; enterprise architecture; enterprise operations; forensic readiness; incident response
This workbook, available for download here, contains a summary of data analyzed by the NIST Cloud Computing Forensic Science Working Group using a designed methodology that leverages NISTIR 8006, NIST Cloud Forensic Science Challenges. The dataset constitutes the foundation of the NIST Cloud Computing Forensic Reference Architecture (FRA) and provides a useful starting point for all cloud forensic stakeholders to analyze the impacts of the cloud forensic challenges previously reported in NISTIR 8006. The FRA dataset can be found under the "Capabilities vs Challenges" tab of the workbook.
The members of the NCC FSWG applied a methodology that identifies the cloud capabilities which could be impacted by a cloud forensic challenge and, in this way, determines the capabilities that need at least partial mitigation strategies to minimize the risk incurred during operations and to eliminate potential negative impact on digital forensic investigations, should the need arise. The data is made available "as is"; all users of the data are encouraged to treat it as an initial implementation of the methodology, to use their own judgment when employing the CC FRA methodology in the context of their cloud system(s), and to modify or customize this initial dataset for their specific situations and needs.
For example, if the existing capabilities are not appropriate for the user’s situation, some or all can be removed, and new ones can be added. Similarly, new challenges appropriate for the user’s situation can be added, or those challenges that have been adequately mitigated can be removed. Our architectural methodology has the advantage of helping to focus on how challenges can be mitigated because it considers each challenge specifically in the context of affected capabilities.
The workbook contains 10 tabs, as follows:
1. Capabilities vs Challenges Data – shows the Cloud Computing Forensic Reference Architecture (CC FRA) Mapping Table (MT) developed by the NIST Cloud Computing Forensic Science Working Group (NCC FSWG) that compares all possible pairings of cloud forensic challenges (62 total challenges) and cloud functional capabilities (347 capabilities). An entry in this MT is YES if the associated challenge affects the associated capability, otherwise the entry is NO. More details about NCC FSWG are available here: https://www.nist.gov/programs-projects/nist-cloud-computing-forensic-science
2. Challenges Data – describes the 62 cloud forensic challenges used in the CC FRA Mapping Table. These challenges are discussed in detail in the following publication: Herman M, Iorga M, Salim AS, Jackson R, Hurst M, Leo R, Lee R, Landreville N, Mishra AK, Wang Y, Sardinas R (2020). NIST Cloud Computing Forensic Science Challenges. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8006. The report is available here: https://doi.org/10.6028/NIST.IR.8006.
3. Flow Chart – shows the flow chart that was followed to achieve the mapping displayed in the CC FRA Mapping Table. The answers to the questions in this flow chart guide the user through a consistent and repeatable logical flow towards the final mapping answers, ensuring a uniform method for determining the applicability of a challenge to a particular capability.
4. BOSS (Business Operation Support Services)
5. ITOS (Information Technology Operation and Support Services)
6. Presentation Services
7. Application Services
8. Information Services
9. Infrastructure Services
10. S&RM (Security and Risk Management)
Tabs 4 through 10 each cover one of the domains of the Cloud Security Alliance’s Enterprise Architecture; these domains contain the functional capabilities used in the CC FRA Mapping Table.
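The following Python is an added example, not NIST's code or the workbook's data: it models the Mapping Table described in tabs 1 to 3 as a YES/NO grid of challenges against capabilities parsed from a CSV export, enforces the only two entry values the table permits, derives the capabilities that need at least partial mitigation, and applies the customization the page describes (dropping mitigated challenges or irrelevant capabilities, adding new challenges). Challenge and capability names are constructed placeholders, not entries from the 62-by-347 workbook.

```python
"""Added example (not NIST's code or data): a minimal model of the CC FRA Mapping
Table (MT) on a tiny constructed grid, not the real 62 x 347 workbook. The
challenge and capability names are illustrative placeholders."""
import csv
import io

# Constructed sample MT: header row = capabilities, each later row = one challenge.
SAMPLE_MT_CSV = """\
challenge,Log Management,Data Retention,Identity Governance,Capacity Planning
Log volatility,YES,YES,NO,NO
Multi-tenancy data mixing,NO,YES,YES,NO
Chain of custody across providers,YES,NO,NO,NO
"""

def parse_mapping_table(text):
    """Parse a CSV MT into {challenge: {capability: bool}}; entries must be YES/NO."""
    rows = list(csv.reader(io.StringIO(text)))
    capabilities = rows[0][1:]
    table = {}
    for row in rows[1:]:
        challenge, entries = row[0], row[1:]
        if len(entries) != len(capabilities):
            raise ValueError(f"row {challenge!r} has {len(entries)} entries")
        mapping = {}
        for cap, entry in zip(capabilities, entries):
            if entry not in ("YES", "NO"):  # the MT permits only YES or NO
                raise ValueError(f"invalid entry {entry!r} at {challenge!r}/{cap!r}")
            mapping[cap] = entry == "YES"
        table[challenge] = mapping
    return table

def capabilities_needing_mitigation(table):
    """Capabilities hit by at least one challenge: those needing at least partial mitigation."""
    return sorted({cap for m in table.values() for cap, hit in m.items() if hit})

def challenges_affecting(table, capability):
    """Challenges mapped YES against one capability."""
    return sorted(ch for ch, m in table.items() if m.get(capability))

def customize(table, drop_challenges=(), drop_capabilities=(), add_challenges=None):
    """New MT with mitigated challenges / irrelevant capabilities removed and
    user-specific challenges added (add_challenges: {name: [affected caps]})."""
    caps = [c for c in next(iter(table.values())) if c not in drop_capabilities]
    new = {ch: {c: m[c] for c in caps} for ch, m in table.items() if ch not in drop_challenges}
    for ch, affected in (add_challenges or {}).items():
        new[ch] = {c: c in affected for c in caps}
    return new
```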
The Cloud Security Alliance’s Enterprise Architecture (CSA’s EA) is both a methodology and a set of tools that enable security architects, enterprise architects, and risk management professionals to leverage a common set of solutions and controls. These solutions and controls fulfill a set of common requirements that risk managers must assess regarding the operational status of internal IT security and cloud provider controls. The controls are expressed in terms of security capabilities and are designed to create a common roadmap for meeting the security needs of businesses.
The CSA’s EA (v1.1 or v2.0) was used in the analysis that resulted in the development of the NIST Cloud Computing Forensic Reference Architecture (FRA) Data.