Forensics in the Cloud

Rob Lee of SANS Institute on Unique Challenges, Careers

Getting into digital forensics today requires a jack-of-all-trades to be able to work with emerging technology, such as the cloud, says Rob Lee of SANS Institute.

"The more that you could focus in on computer science topics, to understand programming, network-based technology and mobile-based technology, the better off you're going to be," Lee says in an interview with Tom Field [transcript below].

Forensics in the cloud, not necessarily a new field, requires a new skill set and being able to learn on the fly. Analysts also need to be proficient in mobile devices, operating systems, network forensics and the common hacking methodology just to be able to even take a shot at it, says Lee. "It's too much for a single individual to swallow initially."

The main change is that forensics analysts are moving away from hard-disk analysis of static data and toward different data storage areas, from the cloud to browser-based endpoints such as mobile phones.

Individuals are realizing it is much more difficult than they ever envisioned, and the best way to enter the field is to receive a computer science degree, Lee explains. From there, learning proper analysis techniques will allow individuals to piece together different artifacts to explain what actually happened during an investigation.

In an exclusive interview on digital forensics in the cloud, Lee discusses:

  • Identifying and overcoming key challenges;
  • The new skills required for forensics in the cloud;
  • Advice for those looking to shift their career into forensics.

Lee, curriculum lead for digital forensic training at SANS Institute, has more than 13 years' experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response. Rob graduated from the U.S. Air Force Academy and served in the U.S. Air Force as a founding member of the 609th Information Warfare Squadron, the first U.S. military operational unit focused on Information Operations. Later, he was a member of the Air Force Office of Special Investigations, where he conducted computer crime investigations, incident response, and computer forensics.

In past roles, he directly worked with a variety of government agencies in the law enforcement, Dept. of Defense, and intelligence communities where he was the technical lead for a vulnerability discovery and exploit development team, lead for a cyber forensics branch, and led a computer forensic and security software development team. Rob also coauthored the bestselling book, Know Your Enemy, 2nd Edition.

TOM FIELD: Why don't you update us on what your current projects are please?

ROB LEE: I'm actually in the process of re-releasing SANS Institute's investigative forensics toolkit, called SIFT, 2.1. It's a compendium of digital forensics capabilities, open source and freeware tools in a single platform that a lot of individuals have come to rely on almost near as much as EnCase or [indiscernible] from AccessData and Guidance Software. That's about to be released in the next week, and I've been doing the final touchups on that. And as a part of that I'm also doing a lot of research and development surrounding timeline analysis, really trying to bring that up to a much easier way to incorporate that into digital forensics investigations for the average investigator.

FIELD: We've spoken a number of times in the past about digital forensics. What do you see as some of the latest trends in the field?
