The final version of NIST Special Publication (SP) 800-201, NIST Cloud Computing Forensic Reference Architecture, is now available. This document addresses the need to support a cloud system’s forensic readiness, which is the ability to collect digital forensic evidence quickly and effectively with minimal investigation costs by proactively addressing known challenges that could impact such data collection. Forensic readiness supports incident response processes and procedures, secure internal enterprise operations, and criminal justice and civil litigation system functions.
The document presents a reference architecture to help users understand the forensic challenges that might exist for an organization’s cloud system based on its architectural capabilities. The architecture identifies challenges that require mitigation strategies and how a forensic investigator would apply those strategies to a particular forensic investigation. The reference architecture is both a methodology and an initial implementation that can be used by cloud system architects, cloud engineers, forensic practitioners, and cloud consumers to analyze and review their cloud computing architectures for forensic readiness.