Cloud Forensics Demystified: Decoding cloud investigation complexities for digital forensic professionals
Ebook, 849 pages (5 hours)

Language: English
Publisher: Packt Publishing
Release date: Feb 22, 2024
ISBN: 9781800560833

    Book preview

    Cloud Forensics Demystified - Ganesh Ramakrishnan


    Cloud Forensics Demystified

    Copyright © 2024 Packt Publishing

    All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

    Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

    Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

    Group Product Manager: Pavan Ramchandani

    Publishing Product Manager: Prachi Sawant

    Book Project Manager: Ashwini Gowda

    Senior Editor: Romy Dias

    Technical Editor: Nithik Cheruvakodan

    Copy Editor: Safis Editing

    Proofreader: Safis Editing

    Indexer: Rekha Nair

    Production Designer: Vijay Kamble

    Senior DevRel Marketing Coordinator: Marylou Dmello

    First published: February 2024

    Production reference: 1250124

    Published by Packt Publishing Ltd.

    Grosvenor House

    11 St Paul’s Square

    Birmingham

    B3 1RB, UK

    ISBN 978-1-80056-441-1

    www.packtpub.com

    To my parents and my lovely wife, Priya – thank you for your relentless support and love.

    – Ganesh Ramakrishnan

    I would like to thank my loving family for their continued support, patience, and encouragement throughout the long process of writing this book.

    – Mansoor Haqanee

    Contributors

    About the authors

    Ganesh Ramakrishnan is a senior manager at KPMG Canada’s Incident Response team, with over 12 years of incident response experience. He leads a dynamic team focused on responding to and managing incidents for organizations across various industry sectors, working with KPMG’s incident response teams globally. He has led numerous incident response cases, including high-profile ones, and collaborated with law enforcement agencies worldwide. Apart from assisting organizations during crises, Ganesh also helps them prepare for incidents and educates them on handling them.

    Ganesh has a master’s in computer application and an MSc in network and information security. He also holds CISSP, SANS GCFA, and SANS GNFA certifications.

    My deepest gratitude to my parents for always being there to motivate me and help me overcome any obstacles. Thank you for your unwavering belief in me. To my incredible wife, Priya – thank you for being my constant source of strength and inspiration. Your unwavering support, patience, and encouragement have been remarkable. I cannot thank you enough. Lastly, to my son, Hridhaan – you are why I wake up every day with renewed purpose and enthusiasm. Thank you for reminding me of the joys of life and for being my greatest motivation.

    To the two special people who believed in me from the start and supported the idea of writing this book, Hartaj and Alex – thank you for your relentless support.

    Finally, I want to thank the Packt team for allowing Mansoor and me to bring this book to life.

    Mansoor Haqanee is a manager with KPMG Canada’s Forensic Technology team, with over six years of experience in software development, computer forensics, and incident response. Mansoor has a background in electrical engineering with a bachelor of engineering from Toronto Metropolitan University (formerly Ryerson University). Combining his education with both software development and computer forensic experience, he is equipped to provide organizations with insights into the security of their assets. Mansoor has provided technology consulting services to a wide range of industries in the education, financial services, healthcare, telecommunications, manufacturing, and government sectors, to name a few.

    This book is dedicated to my parents, who have always been the roots that keep me grounded and the wings that let me fly. Your sacrifices, love, and wisdom have shaped me in more ways than I can count. To my siblings – thank you for the laughter, the fights, my cute nephews, and your unwavering support. To my partner, Nabila – your love makes every challenge worthwhile. And to my dog, Ace – thank you for the countless walks that cleared my mind. Each of you holds a special place in this journey and my heart.

    To Alex, Ganesh, and Chris – your collective wisdom has not only shaped my professional path but has also left an unforgettable mark on my personal growth. Thank you for your generous sharing of knowledge. This book, a milestone in my career, is a testament to the invaluable lessons I’ve learned from each of you.

    About the reviewers

    Aby Rao, Deputy Chief Information Security Officer (CISO) at a leading financial technology company, oversees multiple security teams with decades of experience in consulting. Specializing in cloud security, IAM, and GRC, Aby actively explores the intersection of cybersecurity with emerging technologies, such as machine learning and artificial intelligence. His diverse skill set and interest in cutting-edge innovations showcase a forward-thinking approach. Aby holds certifications such as CCSK, AWS CCP, CISSP, CISM, CISA, OneTrust Fellow of Privacy Technology, and CDPSE, demonstrating his commitment to staying current in the ever-evolving cybersecurity landscape.

    Recognizing the vital role of digital forensics and incident response, I’m committed to contributing in every possible way. I extend heartfelt appreciation to my wife, daughter, and parents for their unwavering support, enabling my modest contribution as a technical reviewer. Special thanks to the authors and the dedicated Packt team – Pavan, Dhruvil, and Ashwini – for their patience and collaborative efforts amid my busy schedule.

    Alexander Rau is a partner at one of the big four consulting firms in Canada, focusing on cybersecurity and cyber incident response. Alexander is responsible for leading the firm’s cyber response practice, providing cybersecurity services to support and enable clients to better respond to cyber incidents before, during, and after a cyber breach. With 20+ years of experience in cybersecurity, IT, and privacy, Alexander has provided leadership to a number of multinational organizations, leading and delivering incident response and strategic cybersecurity engagements, practice leadership, and business development. His roles have included cybersecurity evangelism, conducting media interviews, keynote speaking, and panelist engagements.

    Table of Contents

    Preface

    Part 1: Cloud Fundamentals

    Chapter 1, Introduction to the Cloud

    Advantages and disadvantages of cloud computing

    An overview of cloud services

    Cloud deployment models

    Cloud adoption success stories

    Impact of the cloud and other technologies

    Summary

    Further reading

    Chapter 2, Trends in Cyber and Privacy Laws and Their Impact on DFIR

    The role of a breach counselor (breach coach)

    General legal considerations for cloud adoption

    eDiscovery considerations and legal guidance

    Digital forensics challenges

    Legal frameworks for private data

    Contractual private data

    Regulated private data

    Jurisdictional requirements in relation to private data

    Legal implications for data retention and deletion

    Responsibilities and liabilities of the cloud and their implications for incident response

    Jurisdiction and cross-border data transfers

    Summary

    Further reading

    Chapter 3, Exploring the Major Cloud Providers

    Amazon Web Services (AWS)

    Amazon Elastic Compute Cloud (EC2)

    Amazon Virtual Private Cloud (VPC)

    Amazon Simple Storage Service (S3)

    AWS Identity and Access Management (IAM)

    Amazon Relational Database Service (RDS)

    Microsoft Azure

    Microsoft Azure virtual machines

    Microsoft Azure Virtual Network

    Microsoft Azure Blob Storage

    Microsoft Azure Active Directory (Azure AD)

    Microsoft Azure SQL Database

    Google Cloud Platform (GCP)

    Google Compute Engine (GCE)

    Google Virtual Private Cloud (VPC)

    Google Cloud Storage (GCS)

    Google Cloud SQL

    Other cloud service providers

    Summary

    Further reading

    Chapter 4, DFIR Investigations – Logs in AWS

    VPC flow logs

    VPC basics

    Sample VPC flow log

    DFIR use cases for VPC flow logging

    S3 access logs

    Logging options

    DFIR use cases for S3 monitoring

    AWS CloudTrail

    Creating a trail

    Event data stores

    Investigating CloudTrail events

    DFIR use cases for CloudTrail logging

    AWS CloudWatch

    CloudWatch versus CloudTrail

    Setting up CloudWatch logging

    Querying CloudWatch logs on the AWS console

    DFIR use cases for CloudWatch

    Amazon GuardDuty

    Amazon Detective

    Summary

    Further reading

    Part 2: Forensic Readiness: Tools, Techniques, and Preparation for Cloud Forensics

    Chapter 5, DFIR Investigations – Logs in Azure

    Azure Log Analytics

    Azure Virtual Networks

    NSG flow logs

    Azure Storage

    Azure Monitor

    Azure Virtual Machines log analysis

    Microsoft Defender for Cloud

    NSG flow logs

    Microsoft Sentinel

    Summary

    Further reading

    Chapter 6, DFIR Investigations – Logs in GCP

    GCP core services

    GCP IAM

    GCP’s IAM roles and identities

    Policy Analyzer

    DFIR use cases for Policy Analyzer

    GCP Logs Explorer

    Overview of log buckets

    DFIR use cases for using Logs Explorer

    Familiarizing with Logs Explorer

    VPC Flow Logs

    Enabling VPC Flow Logs

    Hunting VPC Flow Logs for malicious activities

    Packet Mirroring

    Compute Engine logs

    GCP’s logging platform

    GCP’s default logging

    Logging Dataflow pipelines

    GCP storage logs

    Storage permissions

    Storage object logging

    Investigating GCP Cloud storage logs

    Cloud Security Command Center (Cloud SCC)

    IAM roles

    Threats and Findings dashboards

    GCP Cloud Shell

    Summary

    Further reading

    Chapter 7, Cloud Productivity Suites

    Overview of Microsoft 365 and Google Workspace core services

    Microsoft 365

    Google Workspace

    IAM in Microsoft 365 and Google Workspace

    Microsoft 365

    Google Workspace

    Auditing and compliance features in Microsoft 365 and Google Workspace

    Microsoft 365’s Security and Compliance Center (Microsoft Purview)

    Google Workspace Admin console and security features

    Summary

    Further reading

    Part 3: Cloud Forensic Analysis – Responding to an Incident in the Cloud

    Chapter 8, The Digital Forensics and Incident Response Process

    The basics of the incident response process

    Tools and techniques for digital forensic investigations

    Prerequisites

    Cloud host forensics

    Memory forensics

    Live forensic analysis and threat hunting

    EDR-based threat hunting

    Hunting for malware

    Common persistence mechanisms

    Network forensics

    Basic networking concepts

    Cloud network forensics – log sources and tools

    Network investigation tools

    Malware investigations

    Setting up your malware analysis lab

    Working with packed malware

    Binary comparison

    Traditional forensics versus cloud forensics

    Summary

    Further reading

    Chapter 9, Common Attack Vectors and TTPs

    MITRE ATT&CK framework

    Forensic triage collections

    Host-based forensics

    Evidence of intrusion

    Prefetch analysis

    AmCache analysis

    ShimCache analysis

    Windows Event Logs

    Analyzing memory dumps

    Misconfigured virtual machine instances

    Unnecessary ports left open

    Default credentials left unchanged

    Outdated or unpatched software

    Publicly exposed sensitive data (or metadata)

    Misconfigured storage buckets

    Public permissions

    Exposed API keys or credentials

    Improper use of IAM policies

    Cloud administrator portal breach

    Summary

    Further reading

    Chapter 10, Cloud Evidence Acquisition

    Forensic acquisition of AWS instance

    Step 1 – creating EC2 volume snapshots

    Step 2 – acquiring OS memory images

    Step 3 – creating a forensic collector instance

    Step 4 – creating and attaching infected volume from snapshots

    Step 5 – exporting collected images to AWS S3 for offline processing

    Forensic acquisition of Microsoft Azure Instances

    Step 1 – creating an Azure VM Snapshot

    Step 2 – exporting an Azure VM snapshot directly

    Step 3 – connecting to an Azure VM for memory imaging

    Forensic acquisition of GCP instances

    Step 1 – creating a snapshot of the compute engine instance

    Step 2 – attaching a snapshot disk for forensic acquisition

    Step 3 – connecting to the GCP compute engine instance for memory acquisition

    Summary

    Further reading

    Chapter 11, Analyzing Compromised Containers

    What are containers?

    Docker versus Kubernetes

    Types of containers and their use cases

    Detecting and analyzing compromised containers

    About the Kubernetes orchestration platform

    Acquiring forensic data and container logs for analysis

    Summary

    Further reading

    Chapter 12, Analyzing Compromised Cloud Productivity Suites

    Business email compromise explained

    BEC attack phases

    Common types of BECs

    Initial scoping and response

    Remediation steps

    Microsoft 365 incident response

    Tooling

    Analysis

    Google Workspace incident response

    Tooling

    Analysis

    Summary

    Further reading

    Index

    Other Books You May Enjoy

    Preface

    The cloud has become a crucial platform to store, process, and manage data in the fast-paced world of digital technology. However, it also poses several complex challenges in the domain of digital forensics. Cloud Forensics Demystified is a comprehensive guide that aims to unravel these complexities and provide clarity and insight into the world of cloud forensics.

    This book is aimed at professionals and enthusiasts alike, regardless of their prior experience in the field of digital forensics. It starts by establishing a foundational understanding of cloud computing, including its architecture, service models, and deployment types. This background is essential to understanding the unique challenges and opportunities that the cloud presents when it comes to forensic investigations.

    The book then shifts focus to the core of cloud forensics, exploring the methodologies and best practices to conduct effective forensic investigations in cloud environments. This includes a detailed examination of data acquisition techniques, artifact analysis, and the legal considerations unique to the cloud. Throughout the book, the balance between technical efficiency and legal compliance is emphasized, reflecting the multifaceted nature of cloud forensics.

    One of the unique features of this book is its emphasis on real-world applications. Through case studies and practical scenarios, you are shown how the principles and techniques discussed can be applied in actual forensic investigations. These examples provide a practical context to the theoretical concepts and prepare you for the unpredictable nature of forensic challenges in the cloud.

    To ensure that the content remains relevant and up to date, Cloud Forensics Demystified also addresses the latest trends and advancements in cloud technology. This forward-looking perspective equips you with the knowledge needed to anticipate and adapt to the dynamic nature of cloud computing.

    The book’s goal is not only to demystify cloud forensics but also to inspire a new generation of forensic experts who are well versed in the nuances of cloud-based investigations. Whether you are a cybersecurity professional, a legal practitioner, an academic, or simply a technology enthusiast, Cloud Forensics Demystified offers a blend of theoretical depth and practical insight, paving your path toward mastering this fascinating field.

    As you embark on this journey, you will be equipped with the knowledge and skills necessary to navigate the complexities of digital forensics in the cloud era. Get ready to explore a world where the cloud, once intangible, becomes a tangible source of forensic evidence.

    Who this book is for

    Cloud Forensics Demystified is a book that is primarily designed for digital forensics practitioners who are looking to broaden their knowledge of cloud-based forensics investigations. However, this book is also suitable for a range of professionals and enthusiasts with varying levels of experience in digital forensics and cloud computing. It is particularly helpful for those who want to learn more about the subject:

    Digital Forensics and Incident Response (DFIR) practitioners seeking cloud expertise: This book is aimed at professionals who are already skilled in digital forensics and incident response but want to extend their abilities to work in cloud environments. It covers advanced techniques and strategies to manage cloud-specific challenges and is an essential resource for DFIR experts who want to adapt to the cloud.

    Cybersecurity professionals: Those working in cybersecurity can gain valuable insights into conducting forensic investigations in cloud settings, due to the increasing dependence on cloud services.

    Digital forensic investigators: This book provides forensic investigators with detailed methodologies to acquire and analyze data in cloud environments.

    Legal practitioners: Legal professionals handling digital evidence from cloud sources will gain knowledge about the legal complexities of cloud forensics.

    IT and cloud computing professionals: IT and cloud computing professionals can deepen their understanding of the forensic implications of managing cloud services; this is essential for compliance and investigation preparedness.

    Academics and students: Educators and students in the fields of cybersecurity, digital forensics, IT, and law will find this book a comprehensive academic resource.

    Technology enthusiasts: For those interested in the convergence of technology, law, and security, the book offers an engaging and informative exploration of cloud forensics.

    Corporate compliance and risk management professionals: Professionals must understand cloud forensics to effectively mitigate cloud data risks.

    What this book covers

    Chapter 1, Introduction to the Cloud, presents a fundamental overview of cloud computing, including its architecture, service models (IaaS, PaaS, and SaaS), and deployment types (public, private, and hybrid). Its goal is to refresh or establish basic cloud knowledge, which is essential to comprehend subsequent forensic discussions.

    Chapter 2, Trends in Cyber and Privacy Laws and Their Impact on DFIR, provides an in-depth understanding of the legal complexities that arise in cloud-based environments. These complexities include data privacy laws, compliance requirements, and jurisdictional issues. It is crucial to understand the legal framework that governs cloud data and its implications for forensic investigations.

    Chapter 3, Exploring the Major Cloud Providers, provides an overview of the major cloud service providers, such as AWS, Azure, and GCP. It explains their unique architectures and services, giving context for how each affects forensic investigations.

    Chapter 4, DFIR Investigations – Logs in AWS, provides a detailed guide on conducting DFIR in AWS environments, including accessing, interpreting, and analyzing logs to trace activities and identify security incidents.

    Chapter 5, DFIR Investigations – Logs in Azure, focuses on leveraging Azure-specific logging mechanisms for forensic investigations.

    Chapter 6, DFIR Investigations – Logs in GCP, is devoted to forensic investigations in GCP, with an emphasis on retrieving and analyzing GCP logs, which are a critical component of investigating incidents in GCP environments.

    Chapter 7, Cloud Productivity Suites, discusses the challenges of forensic investigations in cloud-based productivity suites, such as Microsoft 365 and Google Workspace, and explores ways to access and analyze data from these widely used business tools.

    Chapter 8, The Digital Forensics and Incident Response Process, provides a comprehensive guide to the DFIR process in cloud environments, including the identification, preservation, analysis, and reporting of digital evidence.

    Chapter 9, Common Attack Vectors and TTPs, examines common attack vectors and the tactics, techniques, and procedures (TTPs) used in cloud environments to help anticipate and identify potential security incidents.

    Chapter 10, Cloud Evidence Acquisition, discusses the challenges of acquiring digital evidence from cloud environments such as AWS, GCP, and Microsoft Azure, emphasizing the best practices to ensure evidence integrity and legal admissibility.

    Chapter 11, Analyzing Compromised Containers, is dedicated to the forensic analysis of compromised containers and Kubernetes platforms in cloud environments. This chapter covers how to identify, collect, and analyze evidence from containers that are increasingly used for cloud-based applications.

    Chapter 12, Analyzing Compromised Cloud Productivity Suites, discusses forensic strategies to analyze breaches in cloud-based productivity suites.

    Each chapter of Cloud Forensics Demystified builds upon the previous one, creating a comprehensive guide that covers both the theoretical and practical aspects of cloud forensics, tailored to a variety of professional needs and interests.

    To get the most out of this book

    To get the most out of this book, consider the following approaches:

    If you are new to cloud computing, Chapter 1 will provide you with a foundational understanding of basic cloud concepts. This will facilitate your comprehension of the complex topics discussed in later chapters.

    Understanding the legal context: It is important to understand the legal context before conducting any forensic work in the cloud. Chapter 2 provides fundamental knowledge on laws and regulations that must be followed in investigations.

    Studying specific cloud providers: Gain insights into different cloud service providers by focusing on Chapters 3, 4, 5, and 6. Tailor your learning to the cloud service providers (CSPs) you encounter most in your work or are most interested in.

    Hands-on practice: It is recommended to apply the concepts and techniques discussed in the book in a practical setting. This can be done through simulations, training environments, or during actual forensic investigations if you already work in the field.

    Focusing on DFIR processes: Chapters 7 and 8 are crucial to understanding the nuances of incident response and investigation in cloud environments. Pay close attention to these if that is your primary interest.

    Staying updated on attack vectors: Review Chapter 9 to stay ahead of evolving security threats and keep your knowledge current with the latest attack methods.

    Mastering evidence acquisition: Chapters 10 to 12 cover evidence acquisition and analysis, crucial for developing practical skills in real-world forensic cases.

    Engaging with case studies: Take the time to thoroughly understand practical examples and case studies, as they provide context to theoretical knowledge and valuable understanding of real-world applications.

    Participating in community discussions and workshops: Engage with the cybersecurity and digital forensics community. Discussions, workshops, and conferences can provide additional insights and practical perspectives.

    Reflecting and applying: After each chapter, take a moment to reflect on how the information applies to your current knowledge, experience, and professional scenarios. Consider writing down key takeaways or how you might implement new strategies in your work.

    Approach Cloud Forensics Demystified with a structured mindset to enhance your skills and understanding of cloud forensics.

    Conventions used

    There are a number of text conventions used throughout this book.

    Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: Commands such as sort by and limit control the order and the number of records in the output.

    A block of code is set as follows:

    AzureNetworkAnalytics_CL
    | where SubType_s == 'FlowLog'
    | extend FlowDirection = iff(FlowDirection_s == 'O', 'Outbound', 'Inbound')
    | extend AllowedOrDenied = iff(FlowStatus_s == 'A', 'Allowed', 'Denied')

    When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

    StorageBlobLogs
    | where TimeGenerated > ago(7d)
    | project TimeGenerated, OperationName, AuthenticationType, Uri, _ResourceId, CallerIpAddress

    Any command-line input or output is written as follows:

    $ gsutil iam get gs://test_cf1_test1

    Bold: Indicates a new term, an important word, or words that you see on screen. For instance, words in menus or dialog boxes appear in bold. Here is an example: All virtual networks can be accessed directly from the Virtual networks service on Azure’s Home page.

    Tips or important notes

    Appear like this.

    Get in touch

    Feedback from our readers is always welcome.

    General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

    Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

    Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

    If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

    Share Your Thoughts

    Once you’ve read Cloud Forensics Demystified, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

    Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

    Download a free PDF copy of this book

    Thanks for purchasing this book!

    Do you like to read on the go but are unable to carry your print books everywhere?

    Is your eBook purchase not compatible with the device of your choice?

    Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

    Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

    The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily

    Follow these simple steps to get the benefits:

    Scan the QR code or visit the link below

    https://packt.link/free-ebook/9781800564411

    Submit your proof of purchase

    That’s it! We’ll send your free PDF and other benefits to your email directly

    Part 1: Cloud Fundamentals

    In this part, we will look at the fundamental aspects of the cloud. This part is specifically useful for familiarizing yourself with the basics of the cloud and legal challenges regarding cloud technologies, especially when it comes to cross-border investigations and complex cloud infrastructure. We will also introduce some prominent cloud service providers, offering various cloud resources.

    This part has the following chapters:

    Chapter 1, Introduction to the Cloud

    Chapter 2, Trends in Cyber and Privacy Laws and Their Impact on DFIR

    Chapter 3, Exploring the Major Cloud Providers

    Chapter 1: Introduction to the Cloud

    Cloud computing has been around for years – the concept of computing resources being offered to users or customers over the internet. While the concept is not new, it has been offered in various forms and can be deployed in various ways. The benefit of the cloud is that it natively offers scalability, flexibility of resources (meaning you can choose how powerful the resources you need are, depending on your computational requirements), and cost-effectiveness, making it easier for organizations to plan for cloud adoption. As a result, organizations are now migrating their critical data and business applications to the cloud, creating new challenges for incident responders when investigating security incidents and data breaches. According to Gartner’s report, 80% of enterprises will be moving to a cloud-only strategy by 2025 and moving away from traditional data centers. Meanwhile, the IDG 2020 Cloud Computing survey indicates that at least 92% of companies use one or more cloud services (for example, Microsoft 365 for email) for their business operations.

    Incident responders need to understand how the cloud works to effectively investigate security incidents. An incident responder is a person or team primarily responsible for handling a security incident involving an Information Technology (IT) system. Incident responders typically analyze, investigate, contain, and resolve security incidents. They have a deep understanding of IT computing concepts and of investigative procedures, including digital forensics.

    This chapter on the cloud will provide you with a quick refresher on cloud computing, covering important topics such as the history of cloud computing; the advantages and disadvantages of cloud computing; cloud services and deployment models; and the impact cloud adoption has had on several key industries.

    Cloud evolution goes as far back as the 1960s when the Defense Advanced Research Projects Agency (DARPA) tasked MIT with developing a computing environment that could be used by two or more people. In 1969, American psychologist and computer scientist J.C.R. Licklider, as part of his research in the Advanced Research Project Agency Network (ARPANET), worked on systems that would allow users to connect and share information from anywhere in the world.

    Fast-forward to the 1990s, during the mainframe age, when computing resources were provided centrally. The dot-com boom paved the way for web services to be offered over the internet to consumers (Software as a Service (SaaS)). As cloud computing has become more complex and distributed, so have the challenges of managing security incidents and conducting forensic investigations. The ability to collect and analyze data across different cloud environments and deployment models is essential for organizations to respond quickly and effectively to security incidents. The following diagram illustrates the evolution of the cloud from a centralized mainframe model to serverless computing and really highlights the importance of continuously developing your forensic methods when responding to cloud-based security incidents.

    Figure 1.1 – Cloud evolution timeline


    Advantages and disadvantages of cloud computing

    Every technology comes with its own set of complexities and challenges, and there is always a good and a bad side to every technological evolution. Here are some of the advantages and disadvantages of cloud computing.

    Advantages:

    Modernization and innovation: The cloud promotes innovation. Cloud service providers’ investment in advanced infrastructure allows researchers and enthusiasts to develop new solutions in areas such as Artificial Intelligence (AI), Machine Learning (ML), robotics, and so on.

    Scalability: Clearly, a huge advantage of adopting the cloud for organizations is easier scalability of resources. Storage and computational power can be scaled up or down to suit the needs of the organization, applications, or user demands, and all this without any significant hardware or software investments. Cloud scalability is particularly useful for deploying endpoint detection and response (EDR) tools, which can help investigators identify and contain threats and conduct forensics on compromised systems. EDR tools can be resource-intensive, requiring significant computing power and storage capacity to run effectively. With cloud scalability, investigators can quickly allocate additional resources to run EDR (and other forensic) tools on the systems under investigation, allowing them to detect and respond to threats more quickly and efficiently and minimizing business disruption.

    Flexibility and reach: You can turn your cloud computing resources on or off; cloud computing offers the flexibility to enable or disable any services based on user demands. Furthermore, you can make your cloud services available through any device with just an internet connection, increasing your application outreach to remote users.
