Cloud forensics is a branch of digital forensics that applies investigative techniques to collecting and evaluating critical evidence in cloud computing environments following a security incident. Sources of this forensic evidence include runtime execution data, cloud service provider logs, and artifacts like disk and memory snapshots, and it’s the job of forensic investigators to collect and analyze all this information.
How does cloud forensics make your cloud environments safer?
Cloud forensics serves several essential purposes:
Understanding the scope of cyberattacks and breaches along with their root cause
Implementing effective mitigation and prevention strategies
Aiding in legal proceedings, insurance claims, and criminal investigations
One of the most important things to know about digital forensics in general, and cloud forensics in particular, is that the mechanisms to carry out forensic analysis must be in place before an attack or a breach occurs. The last thing that organizations need in the middle of a security incident is to realize that critical data is not available.
How to Prepare for a Cloud Cyberattack: An Actionable Incident Response Plan Template
A quickstart guide to creating a robust incident response plan – designed specifically for companies with cloud-based deployments
Download Template
Cloud forensics vs. digital forensics: What’s the difference?
Cloud forensics is an offshoot of digital forensics, which has been around since the dawn of cybercrime. (Unfortunately, that means almost back to the dawn of the internet, way back in 1988.)
Digital forensics began with simple, common-sense techniques like collecting activity logs, monitoring network traffic, and scanning physical drives. Several factors have made it difficult for traditional digital forensics tools such as endpoint detection and response (EDR) to accommodate modern cloud infrastructures:
Scope of data: Data is highly distributed in the cloud, stored in unknown locations over which you don’t necessarily have control.
Varied attack surface: Cloud resources and assets can include virtual machines, containers, serverless functions, VPCs, identities, storage, and applications, and each of these resource types requires a different approach for forensic analysis.
Scale of data: Cloud environments can quickly scale far beyond the data storage and analysis limitations of traditional forensic tools.
Ephemerality: With cloud computing, compute instances and storage can be reallocated instantly, meaning that critical data can easily be lost.
In short, all of the benefits of cloud that we enjoy every single day introduce a new set of forensic hurdles.
When data is stored in the cloud, investigators need specially adapted methods to extract and preserve forensic data. In addition, reconstructing timelines—an important element in any forensic analysis—becomes very difficult across multiple and diverse data sources, such as reconciling CSP activity logs with device runtime activity. Data sources are also often separated by multiple time zones if data is distributed worldwide.
Beyond dealing with these challenges, there’s a greater need now than ever for digital and cloud forensics due to increasing cybercrime and the growing sophistication of attacks. Effective digital forensics now demands navigating a diverse range of devices and data sources.
For all these reasons, data collection and analysis methods have to be updated to handle the scale and complexity of cloud forensic investigations.
Cloud forensics investigation process
All cloud forensics solutions follow three essential steps:
1. Data acquisition
During this stage, evidence is gathered that will aid in the investigative process. This should be done as quickly as possible once the security incident has been identified. Data will be aggregated from a wide variety of sources: audit logs like AWS CloudTrail, Azure Activity Logs, or GCP Audit Logs; network traffic from either runtime sensors or VPC Flow logs; memory dumps; and more. Data acquisition must be set up in advance, and the cloud forensics solution you choose must provide suitable storage and handling so that all data collected can be considered valid evidence.
2. Examination
During this stage, designated file system assets are tested for any modifications (add, delete, modify). The solution will be looking to identify tell-tale signs left by an attacker that could lead to future compromise, such as hidden files and malware droppers (a category of Trojan horse). This process can be aided with a file integrity monitoring tool.
All critical environments and storage must be tested to determine the presence of viruses and other malware. Persistence checks are also critical at this stage, identifying processes and accounts (such as secret backdoors) that leave your organization compromised or exposed to future attacks, including changes to system settings or network configurations. In the cloud, identity plays a major role in this analysis, and examination of CSP IAM activity is key to ensuring persistence is eliminated.
3. Analysis and reporting
During this stage, the solution interprets and reports on findings after examining all the relevant data. It will provide as much information as possible to aid in classifying the incident (type, timeline, methods, and scope, meaning what exactly has been compromised). It will also analyze data that could help identify the perpetrator: IP, country, tell-tale indicators of compromise (IoCs), techniques, or tools associated with known threat actors.
Forensic analysis provides insights in five essential categories:
| Category | Examples of relevant data points for forensics |
|---|---|
| Initial access | User ID, IP address, login attempts, login credentials used |
| Lateral movement | Signs of privilege escalation, container escape, suspicious network traffic, other IOCs |
| Persistence | Process creation, startup and/or backdoor scripts, suspicious processes, autorun locations |
| Breach impact | Least privilege IAM violation (e.g., access granted to sensitive resources), evidence of unauthorized access, file properties, encrypted/cleartext storage |
| Future prevention | Accounts used, exposed cloud services, access controls, container privileges, encrypted/cleartext data storage, misconfigurations |
When it comes to reporting, all results must be clear, concise, and actionable. A cloud forensics report should provide recommendations or mitigation strategies wherever possible: vulnerabilities to address, suggestions to remedy misconfigurations, additional controls needed, and other types of weaknesses. It can also provide recovery and restoration steps, where possible.
Reporting the results of cloud forensics techniques provides useful evidence to security investigation or legal teams, arming you to take appropriate next steps.
Real-life example: Cloud forensics in action
In this simulation of an actual attack scenario on a development environment running an Apache Web server on Google Cloud Platform’s (GCP) Kubernetes Engine (GKE), the forensics workflow was triggered by a runtime alert of a possible reverse shell attack taking place on a website-hosting pod. The runtime sensor flagged suspicious behavior that would have essentially handed control over part of the system to the attackers.
Here’s how the cloud forensics solution kicked into action, going through each of the stages mentioned above.
1. Data acquisition in action
The environment has been prepared ahead of time to collect cloud provider audit logs, network flow logs, container orchestration logs, and workload runtime events. When the suspicious activity is detected, previously defined automation playbooks immediately begin gathering image snapshots and other forensic artifacts before ephemeral data is lost.
2. Examination in action
File system, malware, and persistence analysis revealed the attacker’s IP address in the reverse shell command line, indicating that initial access was via the WordPress web interface. Searching for this IP address in the Apache logs indicated that the threat actor’s IP address had accessed the web interface, including an admin login and a file upload request.
The file upload enabled privilege escalation, and the attacker attempted to escape the container to gain direct access to the host. Once this succeeded, the attacker attempted to create a pod. Though this failed, an inspection of Docker images and containers revealed that the attacker had managed to create a privileged container that could execute a backdoor at startup. This attacker had also performed lateral movement and succeeded in exfiltrating privileged user data.
3. Analysis and reporting in action
Using cloud forensics tools, the team was able to derive a great deal of helpful information about this breach:
| Category | Examples of evidence collected |
|---|---|
| Initial access point | Weak WordPress credentials were used to gain access |
| Spread of attack | Lateral movement via container escape, sensitive data accessed |
| Persistence achieved | YES – privileged pod created providing backdoor access |
| Breach impact | SERIOUS – S3 data event logs show a GetObject request from a malicious pod to the client-records bucket, indicating that sensitive client data was successfully exfiltrated |
| Future prevention | Take steps to secure weak WordPress credentials, exposed admin panel, internet-facing service on a privileged container, and sensitive data stored in cleartext in an S3 bucket |
Types of cloud forensics tools and technologies
Following a security breach, rapid identification of the root cause and potential impact (blast radius) is crucial for security and incident response teams. Unless suitable tools are in place, this can be a long, laborious task, heavily reliant on manual labor. In ephemeral cloud environments, this slow process may result in loss of critical data.
Automated cloud forensics capabilities are an essential part of cloud investigation and response automation (CIRA). CIRA is a relatively new approach to the unique challenges of cloud security that automates forensic tasks and uses AI to analyze huge amounts of data in real time, empowering organizations to proactively identify and respond to security threats within their cloud infrastructure. This lets you respond faster to incidents, saving time, money, and your organization’s reputation.
There are several types of tools that you can use to aid in forensic analysis of incidents in your cloud environments:
Cloud provider tools: Management consoles to collect and analyze IAM audit logs, snapshots of virtual machines, and other artifacts for further analysis
Network analysis tools: Capture and analyze network traffic for suspicious activity
Log analysis tools: Parse and analyze cloud platform logs
Memory forensics tools: Acquire and analyze the contents of a cloud instance’s memory
Data carving tools: Extract deleted or fragmented data from cloud storage for additional data
Virtual machine image analysis tools: Analyze virtual machine disks and extract evidence from the guest operating system
Some cloud providers have introduced their own native cloud forensics tools. Amazon has published a comprehensive guide to digital forensics in AWS cloud environments. Google Cloud also offers configuration tips to provide for forensic analysis. However, these tools are generally limited to resources hosted by that cloud provider.
Given the incredible complexity of full cloud forensic analysis, tools and platforms that automate at least some of these steps across cloud platforms are probably your best investment.
Any solution must maintain the number one rule of cloud forensics “Do no harm.” That means preserving evidence integrity—along with a documented chain of custody for all evidence—so that you have an unaltered record for investigation and potential legal proceedings.
How Wiz supports you with full cloud forensics capabilities
Thorough incident reviews and postmortems are essential elements of your security program. They help you create targeted remediation plans, take preventive measures, and speed up compliance efforts, hardening your overall security posture.
Wiz is a CNAPP solution that simplifies your entire security stack, ensuring that nothing falls through the cracks, thanks to its fully automated cloud forensics capabilities:
Faster incident response, preserving evidence for minimal downtime and pinpoint investigation accuracy
Secure chain of custody for efficient work and reliable evidence
Forensics across cloud and container environments from different providers: AWS, Azure, GCP, OCI, Alibaba Cloud, VMware vSphere, Kubernetes, and Red Hat OpenShift
Wiz automates evidence collection to give you the data you need when you need it for immediate investigation, along with a secure chain of custody, maintaining the integrity of raw log data.
And because Wiz is built for the complexities of cloud, you’ll also get automation playbooks to streamline incident response, quickly gather intel, isolate threats, and harden your defenses—all at scale. Wiz empowers your security teams to investigate incidents faster, collaborate more effectively, and minimize business disruptions.
Get a demo now to see how simple it is to partner with Wiz and achieve complete security for your entire cloud environment.
Learn what makes Wiz the platform to enable your cloud security operation
