An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock () or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

# NIST Cloud Computing Forensic Science CCFS

### Overview

NIST has defined cloud computing in NIST SP 800-145 document as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. For more than a decade, cloud computing has offered cost savings both in terms of capital expenses and operational expenses, while leveraging leading-edge technologies to meet the information processing needs of users in the public and private sectors. However, the change in technical operations and control dynamics (both in terms of ownership and management) with respect to IT resources poses new digital forensic science challenges.

To address those challenges, NIST sponsors the NIST Cloud Computing Forensic Science project. The long-term goal of this project is to advance technology, standards, and measurements for cloud computing forensics that will aid further innovation, as well as lead to increased adoption in both government and industry. NIST aims to contribute towards improved accuracy, reliability, scientific validity, and usefulness of cloud forensic science.

In support of this project, NIST has established the Cloud Computing Forensic Science Public Working Group to:

• perform research and identify gaps in technology, standards, and measurements, and
• address the various challenges in cloud forensics.

### Publications and Resources

#### NISTIR 8006, NIST Cloud Forensic Science Challenges

Date Published: August 2020

#### Author(s)

Martin Herman (NIST),  Michaela Iorga (NIST),  Ahsen Michael Salim (American Data Technology),  Robert Jackson (SphereCom Enterprises),  Mark Hurst (SphereCom Enterprises),  Ross Leo (University of Houston-Clear Lake),  Richard Lee (Citizens Financial Group),  Nancy Landreville (MELE Associates),  Anand Kumar Mishra (Malaviya National Institute of Technology),  Yien Wang (Auburn University),  Rodrigo Sardinas (Auburn University)

#### Abstract

This document summarizes the research performed by the members of the NIST Cloud Computing Forensic Science Working Group (NCC FSWG), and aggregates, categorizes, and discusses the forensics challenges faced by experts when responding to incidents that have occurred in a cloud-computing ecosystem. The challenges are presented along with the associated literature that references them. The immediate goal of the document is to begin a dialogue on forensic science concerns in cloud computing ecosystems. The long-term goal of this effort is to gain a deeper understanding of those concerns (challenges) and to identify technologies and standards that can mitigate them.

#### Keywords

cloud computing forensics;  digital forensics;  forensic science;  forensics;  forensics challenges

#### NIST Cloud Computing Forensic Reference Architecture Data

This workbook, available for download here, contains a summary of data analyzed by the NIST Cloud Computing Forensic Science Working Group using a designed methodology that leverages the NISTIR 8006, NIST Cloud Forensic Science Challenges. The dataset constitutes the foundation of the NIST Cloud Computing Forensic Reference Architecture (FRA) and provides a useful starting point for all cloud forensic stakeholders to analyze the impacts of cloud forensic challenges previously reported in NISTIR 8006. The FRA dataset can be found under the "Capabilities vs Challenges" tab of the workbook.

The members of the NCC FSWG employed the methodology of identifying cloud capabilities which could be impacted by a cloud forensic challenge and determining in this way the capabilities that need at least partial mitigation strategies to minimize the risk incurred during operations, and to eliminate potential negative impact on digital forensic investigations if the need arises.  The data is made available as is and all users of the data are encouraged to treat it as an initial implementation of the methodology, but use their own judgment when employing the CC FRA methodology in the context of their cloud system(s) and modify or customize this initial dataset for their specific situations and needs.

For example, if the existing capabilities are not appropriate for the user’s situation, some or all can be removed, and new ones can be added. Similarly, new challenges appropriate for the user’s situation can be added, or those challenges that have been adequately mitigated can be removed. Our architectural methodology has the advantage of helping to focus on how challenges can be mitigated because it considers each challenge specifically in the context of affected capabilities.

The workbook contains 10 tabs, as follows:

1.     Capabilities vs Challenges Data – shows the Cloud Computing Forensic Reference Architecture (CC FRA) Mapping Table (MT) developed by the NIST Cloud Computing Forensic Science Working Group (NCC FSWG) that compares all possible pairings of cloud forensic challenges (62 total challenges) and cloud functional capabilities (347 capabilities). An entry in this MT is YES if the associated challenge affects the associated capability, otherwise the entry is NO. More details about NCC FSWG are available here: https://www.nist.gov/programs-projects/nist-cloud-computing-forensic-science

2.     Challenges Data – describes the 62 cloud forensic challenges used in the CC FRA Mapping Table. These challenges are discussed in detail in the following publication: Herman M, Iorga M, Salim AS, Jackson R, Hurst M, Leo R, Lee R, Landreville N, Mishra AK, Wang Y, Sardinas R (2020). NIST Cloud Computing Forensic Science Challenges. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8006. The report is available here: https://doi.org/10.6028/NIST.IR.8006.

3.     Flow Chart – shows the flow chart that was followed to achieve the mapping displayed in the CC FRA Mapping Table. The answers to the questions in this flow chart guide the user through a consistent and repeatable logical flow towards the final mapping answers, ensuring a uniform method for determining the applicability of a challenge to a particular capability.

4.     BOSS -- Business Operation Support Services – one of the domains covered by the Cloud Security Alliance’s Enterprise Architecture. These domains contain functional capabilities used in the CC FRA Mapping Table.

5.     ITOS -- Information Technology Operation and Support Services – one of the domains covered by the Cloud Security Alliance’s Enterprise Architecture. These domains contain functional capabilities used in the CC FRA Mapping Table.

6.     Presentation Services – one of the domains covered by the Cloud Security Alliance’s Enterprise Architecture. These domains contain functional capabilities used in the CC FRA Mapping Table.

7.     Application Services – one of the domains covered by the Cloud Security Alliance’s Enterprise Architecture. These domains contain functional capabilities used in the CC FRA Mapping Table.

8.     Information Services – one of the domains covered by the Cloud Security Alliance’s Enterprise Architecture. These domains contain functional capabilities used in the CC FRA Mapping Table.

9.     Infrastructure Services – one of the domains covered by the Cloud Security Alliance’s Enterprise Architecture. These domains contain functional capabilities used in the CC FRA Mapping Table.

10.    S&RM -- Security and Risk Management – one of the domains covered by the Cloud Security Alliance’s Enterprise Architecture. These domains contain functional capabilities used in the CC FRA Mapping Table.

#### Cloud Security Alliance's Enterprise Architecture

The Cloud Security Alliance’s Enterprise Architecture (CSA’s EA) is both a methodology and a set of tools that enable security architects, enterprise architects, and risk management professionals to leverage a common set of solutions and controls. These solutions and controls fulfill a set of common requirements that risk managers must assess regarding the operational status of internal IT security and cloud Provider controls. These controls are expressed in terms of security capabilities and designed to create a common roadmap to meet the security needs of businesses.

The CSA's EA (v1.1 or v2.0) is used in the analysis performed which resulted in the development of the NIST Cloud Computing Forensic Reference Architecture (FRA) Data.

### Past Events

#### Contacts

Michaela Iorga
michaela.iorga@nist.gov

Martin Herman (Assoc)
martin.herman@nist.gov

#### Group

Secure Systems and Applications

#### Topics

Technologies: cloud & virtualization

Applications: forensics

#### Related Projects

Created May 31, 2022, Updated July 05, 2022