Forensic Readiness for users of SaaS and Cloud Services

For many years we have spent much of our time examining digital systems that have been the subject of compromise. In the early 2000s we were among the first in the UK to promote the phrase “Forensic Readiness” as a measure of an organisation’s capability to preserve, collect, protect and analyse digital evidence to the level of rigour and correctness necessary for it to be presented and used in legal matters, ranging from internal security processes to criminal trials in a court of law.

While the terminology was new, the underlying requirements had first been identified, and then enshrined in Australian Government mandatory compliance statements for (new) IT systems, many years before. We cannot say how effectively those requirements have been implemented over time, but we wish that others had followed Australia’s lead earlier.

Typically, at that time, the scope and interfaces of most IT systems could be readily identified and mapped, and the ownership of the relevant domains and associated policies confirmed; as a result it was relatively straightforward to define how the forensic readiness requirements would be complied with.

The environment in which we operate today is clearly very different. Cloud computing, and in particular the provision of Software as a Service, is ubiquitous, and the practice of digital forensic analysis now has to span a wide variety of elements: at one extreme, physical devices such as laptops and mobile phones, dedicated servers and networking equipment; at the other, virtualised elements owned and operated by third parties that might, at worst, disappear while an investigation is pending. It is rare now for a commercial client of a cloud services provider to be able to mandate their own forensic readiness requirements; typically, at best, they get to choose from a variety of levels of audit data that the provider can make available.

So what do these changes mean for us? In our white paper we explore how Forensic Readiness levels have, in our opinion, generally been eroded, in some cases to the point where a company is unable to properly investigate and remediate security compromises; and how we should regain the initiative by defining good practice for SaaS and Cloud providers and their clients.