Forensics in the Cloud
Rob Lee of SANS Institute on Unique Challenges, Careers

Getting into digital forensics today requires a jack-of-all-trades who can work with emerging technology, such as the cloud, says Rob Lee of SANS Institute.

"The more that you could focus in on computer science topics, to understand programming, network-based technology and mobile-based technology, the better off you're going to be," Lee says in an interview with's Tom Field [transcript below].

Forensics in the cloud, not necessarily a new field, requires a new skill set and being able to learn on the fly. Analysts also need to be proficient in mobile devices, operating systems, network forensics and the common hacking methodology just to be able to even take a shot at it, says Lee. "It's too much for a single individual to swallow initially."

The main change is that forensics analysts are moving away from hard-disk analysis and static data toward reaching out to different data storage areas, from the cloud to browser-based endpoints such as mobile phones.

Individuals are realizing it is much more difficult than they ever envisioned, and the best way to enter the field is to receive a computer science degree, Lee explains. From there, learning proper analysis techniques will allow individuals to piece together different artifacts to explain what actually happened during an investigation.

In an exclusive interview on digital forensics in the cloud, Lee discusses:

  • Identifying and overcoming key challenges;
  • The new skills required for forensics in the cloud;
  • Advice for those looking to shift their career into forensics.

Lee, curriculum lead for digital forensic training at SANS Institute, has more than 13 years' experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response. Rob graduated from the U.S. Air Force Academy and served in the U.S. Air Force as a founding member of the 609th Information Warfare Squadron, the first U.S. military operational unit focused on Information Operations. Later, he was a member of the Air Force Office of Special Investigations where he conducted computer crime investigations, incident response, and computer forensics.

In past roles, he directly worked with a variety of government agencies in the law enforcement, Dept. of Defense, and intelligence communities where he was the technical lead for a vulnerability discovery and exploit development team, lead for a cyber forensics branch, and led a computer forensic and security software development team. Rob also coauthored the bestselling book, Know Your Enemy, 2nd Edition.

TOM FIELD: Why don't you update us on what your current projects are please?

ROB LEE: I'm actually in the process of re-releasing SANS Institute's investigative forensics toolkit, called SIFT, 2.1. It's a compendium of digital forensics capabilities, open source and freeware tools into a single platform that a lot of individuals have come to rely on almost near as much as EnCase or [indiscernible] from AccessData and Guidance Software. That's about to be released in the next week and I've been doing the final touchups on that. And as a part of that I'm also doing a lot of research and development surrounding timeline analysis, really trying to bring that up to a much easier way to incorporate that into digital forensics investigations for the average investigator.

FIELD: We've spoken a number of times in the past about digital forensics. What do you see as some of the latest trends in the field?

LEE: It's kind of interesting now. In the digital forensics world, especially over the past week, there have been a lot of discussions over what happened at the Casey Anthony trial. Especially considering, there's a small movement in the digital forensics world I don't think a lot of people picked up on. It basically was the analyst's accuracy versus the tool accuracy, the discussion between the CacheBack tool as well as the analysis tool. Basically, it hinged on the fact whether Casey Anthony did a search for chloroform 84 times or whether she only did it once. And the result of that was the defense was correct. There was only one search that was accomplished on chloroform, so there is a lot of back and forth on whether this was an analyst issue. Was this the misinterpretation of the data? Was it the tool's problem? There are a lot of discussions going on in the industry right now regarding tool accuracy versus analyst accuracy, so it's been quite eye-opening.

Forensics in the Cloud

FIELD: The topic we want to talk about today is forensics in the cloud, and it's a new area. What do you see as some of the key challenges here?

LEE: You said it's a new area and I almost pull back there a little bit, especially when it comes to digital forensics. Digital forensics investigators have to a certain extent already been doing cloud forensics for many years now. They probably never even realized they were doing it though. But whenever you're dealing with webmail, or if you're doing investigations against an e-mail server or e-mail-to-e-mail, most investigators are actually already doing to a certain extent cloud forensics. I actually made a joke at the SANS Digital Forensics Summit that occurred this past summer. I said "everyone in here, if you've done an e-mail case on webmail, or an email-to-email server, you could put cloud forensics down on your resume." Because to a certain extent the challenge basically means that you're moving from traditional hard-disk analysis, static, all the information self-contained, to where you're going to need to reach out to these data storage areas and be able to pull the data down locally. On top of that you would potentially need to examine the local data storage on that same hard drive to see how someone accessed remote cloud data. Most of business is browser-based and for a lot of the capabilities that are out there, you're looking for the artifacts that would point you to where these data storage locations potentially might be.

There are some challenges in it but most investigators may not have realized that some of the solutions that they have already put together for doing webmail investigations or remote e-mail servers are very similar to some of the challenges that they're going to find when they start moving toward more data, local data, files, chats and streaming data, to be able to examine that as well locally.

FIELD: You make a good point because investigators certainly have been in the cloud. I think what's different now is you get a lot more information from potential clients and sources that you're investigating that's in the cloud.

LEE: I totally agree with that.

Overcoming Challenges

FIELD: So how do you overcome these challenges? You've got more data there than ever before and you've got the challenges you've outlined. What are the ways that investigators are getting over these hurdles?

LEE: It's a good question. It's a slight mindset shift that needs to occur. For many years, analysts have felt that the only way to perform perfect forensics was to have access to the original hard drive. But in this instance, you're not going to be able to say it's all-encompassing of the data from just that one system because of all the remote locations where the data can be stored. So, I think there's going to be a reduction on the necessity to do the standard tag-and-bag, remove-the-hard-drive approach for cases involving mobile devices and [tablet computers] that have a major connection into the cloud.

My iPad, for example, I have multiple different locations on it, from Dropbox to iDisk to web-based e-mail that it's connected to. Those artifacts, what I'm doing to access those are still potentially being stored on that tablet. But when we start taking a look, how are we going to forensicate that effectively? You're going to need to say, "Okay, we now know that Rob stores data on an iDisk." If you're law enforcement you'd say, "I need to generate a lead to go grab that data." Now if you're not law enforcement you might be able to still locally examine these artifacts to be able to determine that at least I had access to those artifacts remotely, even though you might not get access, which brings up a second point.

If you're the actual owner of the data, remote storage locations, e-mail, disk storage, whatever you're potentially moving out there, and you're working through these cloud providers, what are your terms of service that allow you to access the data? What if you have a situation that has occurred in the past year and other situations where you have email archives and you potentially need to access them quickly? What if the opposite is also true in the security world where you potentially need to worry about offloading that data as quickly as possible? For example, most terms of service agreements fully focus on availability. But what if something catastrophic happens, such as a data breach, and you want to tell the cloud provider "Stop all access to my data now. Take it offline." What is their response time for that? You have both issues there. We have data accessibility so I can get to it for forensics and you also have a security concern. It's like stop the flow of water in case of a flood. How do we potentially cause that to occur at the quickest possible time? It's a fascinating amount of discussions that are currently going on out there in the industry, both on the forensics as well as IT security side.

New Skills Needed

FIELD: Given this landscape, what kinds of new skills do you find that are required of forensics investigators?

LEE: This is a very difficult question. Unlike where you've said you need to analyze a Windows operating system, or you need to understand how mobile device architecture works, to a certain extent you have to be even more of a jack of all trades to understand and stay abreast with all the new technologies that are out there. If you've seen an artifact remotely on a browser on a machine, you need to be able to have enough wherewithal to be able to investigate what specifically does that mean and what is that data storage location. There may be cloud providers that are very, very small that no one knows about that you're going to be the first one to investigate those artifacts. To a certain extent, the skills required are flexibility and a major capacity to learn on the fly. You can't point to a certain area that says "Focus on learning X." It's almost impossible at this point. You almost need to be skilled in mobile devices, operating systems, network forensics, as well as the common hacking methodology in order for you to be able to even take a shot at it. But it's too much for a single individual to swallow initially. So I usually say you need to be flexible, you need to basically be very comfortable learning on the fly, and as a result of that that would probably grant you the greatest latitude in doing these types of investigations.

FIELD: You made a good point up front referencing the Casey Anthony trial because certainly public instances like that make this profession a lot more visible, and so you've got people who are interested in this now that might not have been. What advice would you offer to someone who is looking to start or maybe shift their career into digital forensics today?

LEE: I think the technology has become so complex, and the science surrounding it, that it's no longer something that someone can just easily pick up. I think that the amount of training and education that is necessitating proper analysis is needed and the more that you could focus in on computer science topics, to understand programming, network-based technology and mobile-based technology, the better off you're going to be. I think we're shifting away from anyone with a little bit of training can do forensics, moving into, "Wow, this is hard." There is major room for error here and in order to do this accurately and so we're not having issues as a profession or industry with people not trusting us, I think we need a lot of individuals focusing in on the science behind it and proper analysis in order to do that.

I'm not saying that we're in a transition right now where I think a lot of individuals were realizing this is much more difficult than they ever envisioned, just based on the discussions I'm seeing go back and forth on a lot of the groups right now in the computer forensics world. So to a certain extent, if you're just breaking into it, if you're law enforcement and don't have much of a computer background, I'd say really consider going to get your computer science degree would greatly help out. If you already have a comp. science degree and you're looking at getting into the field, I would say you need to learn proper analysis techniques, the gumshoe-type things, the lead analysis, and be able to piece together different pieces of artifacts to tell the effective story of what actually happened based in fact on the machine.
