As January 2019 comes to an end, it is helpful to look at some of the trends in forensics that will continue to mature as this year unfolds. Twenty nineteen, however, brings two primary areas to the front of discussion for many organizations: Cloud Forensics and Forensics as a Service.

With Cloud computing continuing to be a large area for growth, it is not a surprise it remains as one of the more controversial areas of digital forensics.  Cloud computing can no longer be considered a new technology as it has significantly changed the business and operating models for many industries for many years now. The Cloud has allowed business to become more agile and competitive, and there is no sign of this slowing.  The cloud has made security, privacy and availability requirements at a level that was not easily achievable in the past by many organizations. While these are positive areas for business, they equate to difficult barriers in digital forensics.

Data is moving and we have to keep up with those changes. Digital forensics is not just about a local drive or device anymore.

-Commented Amber Schroader, CEO of Paraben Corporation

In this area of debate, it is always on whether or not cloud computing makes forensics easier or more difficult.   The positive view of cloud computing points out that the data that is managed by cloud service providers offer many advantages, such as distribution across multiple data centers and geographic regions. This means that evidence left by criminals is potentially harder to destroy because it could be synchronized in multiple places, making the collection of artifacts and their analysis more likely.  The negative view of this debate points out that cloud platforms reduce, or in some cases eliminate, the ability of the investigator to have physical control over the data and its location.  Additionally, the lack of standard interfaces and the very real issues of dealing with multiple ownership rights and jurisdictions make the investigation of attacks in cloud environments far more difficult and time-consuming. The legal community has yet to determine how to deal with this border less data and how to standardize the collection of the information.

Many of the digital forensics tools that are tailored to discovering evidence are expected to reside on the suspect’s device but offer limited features for investigating unknown and complex environments, including big data–like sources such as the cloud. Consequently, the majority of forensic software is unsuitable for identifying anomalies in an automatic or unattended way. This is where the gap exists and is being pushed back to the cloud provider for the production of data. The unknown collection process that varies from provider to provider truly creates a cloud gap if what it produces is truly forensic-grade.

The next area is about forensics as a service or FaaS. The unfortunate reality of the DFIR industry is that pursuing cybercrimes often requires complex investigations that frequently span borders, both national and international, and are often subjected to different jurisdictions and legal systems.  This, combined with the huge volume and complexity of information, as well as complex hardware/software systems, raises evolving challenges. Digital forensic investigators must be ready and able to be effective in multiple disciplines that span several fields, including law, computer science, networking, criminal justice, and data mining.

These challenges combined with cloud issues are creating a new opportunity where digital forensics is provided as a utility or forensics as a service (FaaS).   FaaS has a number of potential benefits, including concentrating the necessary forensics software in a single direction at a single area of focus. In addition, this allows the investigators to concentrate on specific areas of expertise while software might be processing the data.  Additionally, FaaS investigations can leverage virtualization and software-defined networking techniques without the need to maintain resource-consuming systems. The adjustment that needs to be done in the industry of DFIR and by the examiners is one of collaboration with multiple examiners pooling skills to be able to offer a FaaS on demand as a team instead of one firm attempting to fill in the gaps of many SME.

As a result of these trends and with cybercrime on a constant rise that is difficult to keep up with, technology and examiners have to evolve and innovate more than ever before.

Greg Kipper, VP of Cyber & Cyber-Futurist