Network & Cloud Forensics

Network Forensics Fundamentals

Network Forensics

Network Forensics is the process of collecting, preserving, and analyzing network-related evidence to investigate cyber incidents. It focuses on examining network traffic, packet captures (PCAPs), firewall logs, IDS/IPS alerts, and flow data to reconstruct what happened on the network.
The primary goal is to identify intrusion methods, attacker behavior, data exfiltration, and timelines while maintaining evidentiary integrity. Network forensics is typically conducted after or during an incident and plays a critical role in incident response, legal investigations, and compliance.

 

Network Security

Network Security focuses on protecting networks from unauthorized access, attacks, and misuse. It involves deploying and managing firewalls, intrusion detection and prevention systems, access controls, monitoring tools, and security policies to prevent threats.
The objective of network security is to detect, block, and mitigate attacks in real time, reducing risk and maintaining availability, confidentiality, and integrity of network resources. Network security is proactive and continuous, forming the first line of defense against cyber threats.

 

Difference Between Network Forensics and Network Security

Aspect         | Network Forensics                      | Network Security
---------------|----------------------------------------|--------------------------------------
Core Objective | Investigation and evidence analysis    | Protection and threat prevention
Approach       | Reactive and analytical                | Proactive and defensive
Time Focus     | Post-incident or during incident       | Real-time and continuous
Data Used      | PCAPs, logs, historical traffic        | Live traffic, alerts, security events
Outcome        | Timelines, findings, forensic reports  | Blocked threats, secured network
Legal Role     | High (court-admissible evidence)       | Limited

Types of network evidence

Network evidence consists of data generated during network communication that can be collected and analyzed to investigate cyber incidents. These evidence types help reconstruct attacker behavior, identify compromised systems, and establish timelines.

 

1. Packet Capture (PCAP) Data

Packet captures record actual network packets transmitted over a network. PCAPs allow investigators to analyze protocols, payloads, session behavior, and timing. This evidence is crucial for identifying malware communication, data exfiltration, and command-and-control activity.

 

2. Network Flow Data (NetFlow, sFlow, IPFIX)

Flow data summarizes network communication without capturing payload content. It provides details such as source and destination IPs, ports, protocols, timestamps, and data volume. Flow data is useful for identifying traffic patterns, lateral movement, and suspicious connections.

 

3. Firewall Logs

Firewall logs record allowed and blocked network connections. These logs help determine which traffic passed through the network perimeter, identify unauthorized access attempts, and correlate external and internal communications during an incident.

 

4. IDS/IPS Logs and Alerts

Intrusion Detection and Prevention Systems generate alerts for known attack signatures and anomalous behavior. These logs provide indicators of exploitation attempts, malware activity, and policy violations.

 

5. DNS Logs

DNS logs record domain name resolution requests and responses. They are critical for detecting malicious domains, phishing infrastructure, DNS tunneling, and command-and-control communication.

 

6. Proxy and Web Gateway Logs

Proxy logs capture user web activity, including URLs accessed, download events, and upload activity. These logs are valuable for investigating phishing, malware delivery, insider misuse, and data exfiltration.

 

7. Router and Switch Logs

Network devices generate logs related to routing events, interface activity, and access control. These logs assist in identifying network path changes, internal scanning, and lateral movement.

 

8. VPN Logs

VPN logs provide details of remote connections, including user authentication, session duration, and assigned IP addresses. They are essential for investigating unauthorized remote access and credential compromise.

 

9. Wireless Network Evidence

Wireless logs include association records, authentication attempts, and access point logs. This evidence helps identify rogue devices, unauthorized access, and Wi-Fi-based attacks.

 

10. Cloud Network Logs

Cloud platforms generate network-related evidence such as VPC Flow Logs, cloud firewall logs, and load balancer logs. These logs are crucial for investigating cloud-based attacks and data movement.
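An added worked example (not from the original notes) of reading the cloud network evidence named in item 10: it parses AWS VPC Flow Log records in the default version 2 field order, skips NODATA/SKIPDATA records that carry no traffic counts, and summarises accepted egress per internal host and rejected inbound attempts per external source. The account ID, interface ID and all traffic are constructed, and the egress threshold is an assumed tuning value.

```python
"""Parse AWS VPC Flow Log records (default version 2 field order) and
summarise outbound data volume and rejected inbound connections.

All records below are constructed for illustration (placeholder account
and interface IDs); the egress threshold is an assumed tuning value.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Field order of the default (version 2) VPC Flow Log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Treat RFC 1918 space as "inside the VPC"; anything else is external.
# ipaddress.is_private is deliberately not used: it also classifies the
# documentation ranges used in the sample data (203.0.113.0/24 etc.) as private.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    bytes: int
    start: int
    end: int
    action: str


def parse_record(line):
    """Return a FlowRecord, or None for NODATA/SKIPDATA records (no traffic counts)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(rec["srcaddr"], rec["dstaddr"], int(rec["srcport"]),
                      int(rec["dstport"]), int(rec["protocol"]), int(rec["packets"]),
                      int(rec["bytes"]), int(rec["start"]), int(rec["end"]), rec["action"])


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def summarise_flows(lines, egress_threshold_bytes):
    """Accepted egress bytes per internal source, REJECTed inbound attempts per
    external source, and the internal hosts whose egress exceeds the threshold."""
    egress = defaultdict(int)
    rejected_inbound = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            continue
        src_in, dst_in = is_internal(rec.srcaddr), is_internal(rec.dstaddr)
        if src_in and not dst_in and rec.action == "ACCEPT":
            egress[rec.srcaddr] += rec.bytes
        elif dst_in and not src_in and rec.action == "REJECT":
            rejected_inbound[rec.srcaddr] += 1
    flagged = sorted(src for src, total in egress.items() if total >= egress_threshold_bytes)
    return dict(egress), dict(rejected_inbound), flagged


# Constructed sample: two hosts talking out, one external source being rejected
# on SSH/RDP, internal SMB traffic (both ends internal, so ignored) and a NODATA record.
SAMPLE_LOG = """\
2 111111111111 eni-0example01 10.0.1.15 203.0.113.7 49152 443 6 1200 950000 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0example01 10.0.1.15 203.0.113.7 49153 443 6 1300 1100000 1700000060 1700000120 ACCEPT OK
2 111111111111 eni-0example01 10.0.1.22 198.51.100.5 51000 443 6 10 4200 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0example01 198.51.100.99 10.0.1.22 40000 22 6 1 60 1700000000 1700000060 REJECT OK
2 111111111111 eni-0example01 198.51.100.99 10.0.1.22 40001 3389 6 1 60 1700000000 1700000060 REJECT OK
2 111111111111 eni-0example01 10.0.1.15 10.0.2.8 55000 445 6 50 8000 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0example01 - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    egress, rejected, flagged = summarise_flows(SAMPLE_LOG.splitlines(), egress_threshold_bytes=1_000_000)
    print("egress bytes per internal host:", egress)
    print("rejected inbound attempts per external source:", rejected)
    print("hosts above egress threshold:", flagged)
```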

Live vs post-incident network analysis

Live Network Analysis

Live network analysis is performed while a cyber incident is ongoing or when suspicious activity is actively occurring on the network. It focuses on monitoring real-time network traffic, alerts, and logs to detect, contain, and understand malicious behavior as it happens.
The primary goal is immediate visibility and response, such as identifying command-and-control traffic, stopping data exfiltration, and preventing further damage. Because evidence is volatile, live analysis must be conducted carefully to avoid altering or losing critical data.

 

Post-Incident Network Analysis

Post-incident network analysis is conducted after the incident has been contained or completed. It relies on historical data, including PCAPs, firewall logs, IDS/IPS alerts, DNS records, and flow data collected during or before the incident.
The objective is to reconstruct the full attack timeline, identify root cause, determine impact, and produce forensically sound evidence for reporting, legal action, or compliance requirements.

 

Difference Between Live and Post-Incident Network Analysis

Aspect              | Live Network Analysis        | Post-Incident Network Analysis
--------------------|------------------------------|--------------------------------
Timing              | During an active incident    | After the incident
Focus               | Detection and containment    | Investigation and reconstruction
Data Used           | Real-time traffic and alerts | Stored PCAPs and logs
Evidence Volatility | Very high                    | Lower
Impact Risk         | Higher (may affect systems)  | Minimal
Legal Use           | Limited                      | High (court-admissible)

 

Network attack lifecycle

The Network Attack Lifecycle describes the stages an attacker typically follows to compromise a network, maintain access, and achieve their objective. Understanding this lifecycle helps investigators detect, analyze, and reconstruct cyber attacks using network evidence.

 

1. Reconnaissance

In this stage, the attacker gathers information about the target network. This includes identifying IP ranges, open ports, services, domains, and employee information.
Network Evidence: Scanning traffic, DNS queries, repeated connection attempts, OS fingerprinting patterns.

 

2. Initial Access

The attacker gains entry into the network using techniques such as phishing, exploiting vulnerabilities, stolen credentials, or misconfigured services.
Network Evidence: Suspicious inbound connections, malicious URLs, exploit traffic, abnormal authentication attempts.

 

3. Establishing Persistence

Once inside, the attacker establishes mechanisms to maintain access even after reboots or credential changes.
Network Evidence: Repeated outbound connections, beaconing traffic, unauthorized VPN or remote access activity.

 

4. Privilege Escalation

The attacker attempts to gain higher-level access to control more systems and sensitive data.
Network Evidence: Internal authentication anomalies, access to admin services, unusual SMB or LDAP traffic.

 

5. Lateral Movement

The attacker moves within the network to access additional systems, servers, or data repositories.
Network Evidence: Internal scanning, SMB/RDP connections between hosts, abnormal east-west traffic.

 

6. Command and Control (C2)

The compromised systems communicate with attacker-controlled servers to receive commands or send data.
Network Evidence: Periodic outbound connections, DNS tunneling, encrypted traffic to suspicious IPs, JA3/JA4 fingerprints.

 

7. Data Exfiltration

Sensitive data is transferred out of the network using various methods such as HTTPS, FTP, DNS, or cloud services.
Network Evidence: Large outbound data transfers, unusual upload activity, encrypted outbound traffic patterns.

 

8. Covering Tracks

The attacker attempts to hide evidence by deleting logs, disabling security controls, or using encrypted channels.
Network Evidence: Missing logs, sudden log gaps, traffic obfuscation, anonymization services (Tor/VPN).

 

 

Legal considerations in network investigations

Network investigations must be conducted within legal and regulatory boundaries to ensure that collected evidence is admissible, defensible, and does not violate privacy or statutory requirements. Failure to follow legal procedures can result in evidence being rejected or legal liability for the investigator or organization.

 

1. Authorization and Scope

Before initiating a network investigation, proper authorization must be obtained from management, system owners, or legal authorities. The scope of the investigation should be clearly defined, including which systems, users, and data can be monitored or collected. Unauthorized monitoring may constitute illegal surveillance.

 

2. Privacy and Data Protection

Network traffic often contains personal, confidential, or sensitive information. Investigators must comply with applicable data protection laws and organizational policies, ensuring that only relevant data is collected and accessed. Excessive or indiscriminate monitoring can violate privacy rights.

 

3. Evidence Collection and Preservation

Network evidence is highly volatile, making proper collection and preservation critical. Investigators must ensure integrity by using validated tools, maintaining original data, and applying hashing where applicable. Any alteration or loss of evidence can compromise admissibility.

 

4. Chain of Custody

A documented chain of custody must be maintained for all network evidence, including logs, PCAPs, and exports. This record should detail who collected the evidence, when, how, and where it was stored. An unbroken chain is essential for legal acceptance.
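An added illustration (not part of the original notes) of the preservation and chain-of-custody practice described in points 3 and 4: the evidence file is hashed at collection, every handover is appended to the record with who, when and where, a handover that does not start from the current holder is refused as a break in the chain, and the hash is re-checked later. The evidence file, people, tool name and locations are constructed placeholders.

```python
"""Chain-of-custody record for a collected network evidence file: hash at
collection, log each handover, re-verify the hash later. Added illustration;
the evidence file, names and locations are constructed placeholders."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte PCAPs never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def create_record(evidence_path, collector, tool, location):
    """Who collected what, when, with which tool, and where it is stored."""
    path = Path(evidence_path)
    return {
        "evidence": path.name,
        "size_bytes": path.stat().st_size,
        "sha256": sha256_file(path),
        "collected_by": collector,
        "collected_at": _now(),
        "tool": tool,
        "custody": [{"holder": collector, "location": location,
                     "action": "collected", "time": _now()}],
    }


def transfer_custody(record, from_holder, to_holder, location, purpose):
    """Append a handover; refuse one that does not start from the current holder."""
    current = record["custody"][-1]["holder"]
    if current != from_holder:
        raise ValueError(f"chain break: current holder is {current!r}, not {from_holder!r}")
    record["custody"].append({"holder": to_holder, "location": location,
                              "action": f"received from {from_holder}: {purpose}",
                              "time": _now()})
    return record


def verify_integrity(record, evidence_path):
    """True only if the file still hashes to the value recorded at collection."""
    return sha256_file(evidence_path) == record["sha256"]


def demo():
    """Constructed walk-through: collect, hand over, verify, then detect an altered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        pcap = Path(tmp) / "capture-constructed.pcap"
        # pcap magic number followed by filler bytes; not a real capture
        pcap.write_bytes(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20 + b"constructed capture bytes")
        record = create_record(pcap, "A. Analyst", "tcpdump (assumed tool name)", "evidence locker 1")
        transfer_custody(record, "A. Analyst", "B. Examiner", "forensics lab", "protocol analysis")
        intact = verify_integrity(record, pcap)
        pcap.write_bytes(pcap.read_bytes() + b"!")   # a one-byte change must be caught
        altered_detected = not verify_integrity(record, pcap)
        return json.dumps(record, indent=2), intact, altered_detected


if __name__ == "__main__":
    report, intact, detected = demo()
    print(report)
    print("intact after handover:", intact, "| alteration detected:", detected)
```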

 

5. Use of Monitoring and Interception Tools

The use of packet capture, interception, or monitoring tools must comply with local laws and regulations. In some jurisdictions, intercepting communications without consent or legal authority is prohibited, even during internal investigations.

 

6. Cross-Border and Cloud Jurisdiction

Network and cloud data may be stored or routed through multiple countries, raising jurisdictional issues. Investigators must consider data residency laws and may require legal processes to access cloud or foreign-hosted data.

 

7. Documentation and Reporting

All investigative actions must be accurately documented, including tools used, methods applied, and findings observed. Reports should be clear, factual, and unbiased, suitable for review by legal teams or courts.

Network Protocol Analysis

TCP/IP, UDP, ICMP, ARP analysis

 

TCP/IP Analysis

TCP analysis focuses on connection-oriented communications, making it critical for reconstructing attacker activity. Investigators analyze the three-way handshake (SYN, SYN-ACK, ACK), session duration, retransmissions, resets (RST), and abnormal flag combinations.
TCP artifacts help identify command-and-control traffic, data exfiltration, brute-force attempts, and session hijacking. Sequence numbers, ports, and timing patterns allow forensic analysts to rebuild timelines and prove unauthorized access.

Key Indicators

  • Repeated SYN packets → Port scanning
  • Unexpected RST flags → Session disruption or evasion
  • Long-lived connections → Backdoors or C2 channels

 

UDP Analysis

UDP is connectionless and fast, making it attractive for malware and data exfiltration. Forensic analysis focuses on packet frequency, payload size, and destination behavior, rather than session establishment.
Attackers often misuse UDP for DNS tunneling, DDoS attacks, VoIP abuse, and malware beaconing. Because UDP lacks acknowledgments, investigators rely on pattern analysis and correlation with logs.

Key Indicators

  • High-volume UDP floods → DDoS
  • Unusual DNS payload size → DNS tunneling
  • Repeated outbound UDP to same IP → Malware beaconing

 

ICMP Analysis

ICMP analysis helps detect network reconnaissance and covert communication. Attackers commonly use ICMP for ping sweeps, network mapping, and data tunneling.
Forensic investigators examine ICMP types and codes, frequency, and payload anomalies to distinguish normal diagnostics from malicious use.

Key Indicators

  • ICMP Echo floods → DoS attacks
  • Sequential ICMP requests → Network scanning
  • Non-empty ICMP payloads → ICMP tunneling

 

ARP Analysis

ARP analysis is critical for detecting local network attacks, especially Man-in-the-Middle (MITM) activity. Investigators analyze ARP request/reply patterns, MAC-IP mappings, and unsolicited ARP responses.
Abnormal ARP behavior often indicates ARP spoofing/poisoning, enabling traffic interception or credential theft.

Key Indicators

  • Multiple IPs mapped to one MAC → ARP spoofing
  • Frequent ARP replies without requests → ARP poisoning
  • Gateway MAC changes → MITM attack
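An added example (not from the original notes) that checks the TCP, ICMP and ARP key indicators above against a constructed capture summary: SYN-only segments fanning out over many ports, echo requests sweeping many hosts or carrying oversized payloads, and ARP replies that map one MAC to several IPs, change the gateway's MAC, or answer a request nobody made. Packets are dicts of the fields a capture tool would summarise; all addresses and thresholds are constructed or assumed.

```python
"""Check constructed packet summaries against the TCP, ICMP and ARP
indicators listed above (SYN scanning, ping sweeps and oversized ICMP
payloads, ARP spoofing). Each packet is a dict of the fields a capture
tool would summarise; no real capture is used. Thresholds are assumed."""
from collections import defaultdict


def detect_syn_scan(packets, min_ports=10):
    """Sources sending SYN-only segments to many distinct (host, port) targets."""
    targets = defaultdict(set)
    for p in packets:
        if p["proto"] == "TCP" and p["flags"] == "S":
            targets[p["src"]].add((p["dst"], p["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_ports}


def detect_icmp_anomalies(packets, min_hosts=8, max_payload=64):
    """Echo requests fanning out across many hosts (sweep) or carrying
    payloads larger than a normal ping (possible tunnelling)."""
    hosts = defaultdict(set)
    oversized = []
    for p in packets:
        if p["proto"] == "ICMP" and p["type"] == 8:      # type 8 = echo request
            hosts[p["src"]].add(p["dst"])
            if p["payload_len"] > max_payload:
                oversized.append((p["src"], p["dst"], p["payload_len"]))
    sweeps = {src: len(d) for src, d in hosts.items() if len(d) >= min_hosts}
    return sweeps, oversized


def detect_arp_spoofing(packets, gateway_ip):
    """MACs claiming more than one IP, gateway MAC changes, and unsolicited replies."""
    ips_by_mac = defaultdict(set)
    gateway_macs = []     # each distinct MAC the gateway IP was announced with, in order
    pending = set()       # IPs asked for by a request and not yet answered
    unsolicited = 0
    for p in packets:
        if p["proto"] != "ARP":
            continue
        if p["op"] == "request":
            pending.add(p["target_ip"])
            continue
        if p["sender_ip"] in pending:
            pending.discard(p["sender_ip"])
        else:
            unsolicited += 1
        ips_by_mac[p["sender_mac"]].add(p["sender_ip"])
        if p["sender_ip"] == gateway_ip and (not gateway_macs or gateway_macs[-1] != p["sender_mac"]):
            gateway_macs.append(p["sender_mac"])
    multi_ip = {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}
    return multi_ip, gateway_macs, unsolicited


def _tcp(src, dst, dport, flags):
    return {"proto": "TCP", "src": src, "dst": dst, "dport": dport, "flags": flags}


def _icmp_echo(src, dst, payload_len):
    return {"proto": "ICMP", "type": 8, "src": src, "dst": dst, "payload_len": payload_len}


def _arp(op, sender_mac, sender_ip, target_ip):
    return {"proto": "ARP", "op": op, "sender_mac": sender_mac,
            "sender_ip": sender_ip, "target_ip": target_ip}


# Constructed capture summary (private sample addresses only).
SAMPLE_PACKETS = (
    [_tcp("10.0.0.5", "10.0.0.20", port, "S") for port in range(20, 32)]     # 12 SYN probes
    + [_tcp("10.0.0.8", "10.0.0.20", 443, "S"),                               # normal handshake
       _tcp("10.0.0.20", "10.0.0.8", 51000, "SA"),
       _tcp("10.0.0.8", "10.0.0.20", 443, "A")]
    + [_icmp_echo("10.0.0.5", f"10.0.0.{h}", 56) for h in range(1, 11)]      # sweep of 10 hosts
    + [_icmp_echo("10.0.0.9", "10.0.0.1", 1400)]                              # oversized echo payload
    + [_arp("request", "aa:aa:aa:aa:aa:08", "10.0.0.8", "10.0.0.1"),         # legitimate lookup
       _arp("reply", "aa:aa:aa:aa:aa:01", "10.0.0.1", "10.0.0.8"),           # real gateway answers
       _arp("reply", "aa:aa:aa:aa:aa:05", "10.0.0.1", "10.0.0.8"),           # spoofed gateway reply
       _arp("reply", "aa:aa:aa:aa:aa:05", "10.0.0.5", "10.0.0.8")]           # same MAC, its own IP
)

if __name__ == "__main__":
    print("SYN scan:", detect_syn_scan(SAMPLE_PACKETS))
    print("ICMP sweep / oversized:", detect_icmp_anomalies(SAMPLE_PACKETS))
    print("ARP spoofing:", detect_arp_spoofing(SAMPLE_PACKETS, gateway_ip="10.0.0.1"))
```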

DNS, HTTP/HTTPS forensic artifacts

DNS Forensic Artifacts

DNS artifacts are critical for identifying where a system attempted to communicate. Investigators analyze DNS query logs, response records, cache entries, and passive DNS data to trace malicious infrastructure. DNS evidence often reveals command-and-control servers, phishing domains, malware download sources, and data exfiltration paths.

Key DNS Artifacts

  • Queried domain names and timestamps
  • Source IP and hostname of requesting device
  • DNS record types (A, AAAA, MX, TXT)
  • NXDOMAIN responses (failed lookups)
  • Abnormally long or encoded domain names

 

HTTP Forensic Artifacts

HTTP artifacts provide clear visibility into user and malware web activity because content is unencrypted. Investigators examine URLs, request methods, headers, user-agents, cookies, and response codes.
HTTP evidence helps prove website access, file downloads, exploit kit usage, and credential submission.

Key HTTP Artifacts

  • URLs and query strings
  • GET / POST requests
  • User-Agent strings
  • Cookies and session IDs
  • Downloaded file names and paths

 

HTTPS Forensic Artifacts

Although HTTPS encrypts content, investigators can still extract valuable metadata. Analysis focuses on TLS handshakes, certificates, Server Name Indication (SNI), JA3/JA4 fingerprints, IP addresses, and traffic patterns.
HTTPS artifacts help identify malware C2 traffic, phishing servers, and encrypted data exfiltration.

Key HTTPS Artifacts

  • TLS version and cipher suites
  • Certificate details (issuer, validity)
  • SNI domain names
  • JA3/JA4 TLS fingerprints
  • Session duration and data volume

 

Why DNS & HTTP/HTTPS Artifacts Matter Together

When correlated, DNS and web artifacts allow investigators to:

  • Trace full communication paths
  • Identify malware infrastructure
  • Prove user or system web activity
  • Reconstruct attack timelines

Email protocols (SMTP, POP3, IMAP)

SMTP (Simple Mail Transfer Protocol)

SMTP is used to send and relay emails between mail servers and from clients to servers. In forensic investigations, SMTP analysis focuses on email headers, relay paths, timestamps, and originating IP addresses.
SMTP artifacts help investigators trace phishing emails, spoofed messages, malware delivery, and insider data leakage.

Key SMTP Artifacts

  • Message-ID
  • Sender and recipient addresses
  • “Received” header chain (mail hops)
  • Sending IP and mail server hostnames
  • Timestamp inconsistencies
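An added example (not from the original notes) that works through the SMTP artifacts above on a constructed message: it unfolds the Received header chain, orders the hops from origin to final delivery, extracts the connecting IP each server recorded, and flags consecutive hops whose timestamps run backwards beyond a tolerated clock skew. Hostnames, addresses, IDs and the skew tolerance are placeholders or assumed values.

```python
"""Reconstruct the relay path of an email from its Received headers and flag
hops whose timestamps run backwards. The message is constructed for
illustration; hostnames, IPs and IDs are placeholders."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# "from <helo> (<comment>) by <server>": the comment normally carries the
# connecting IP as observed by the receiving server, which is what counts.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received_chain(raw_message):
    """Return hops in delivery order (originating hop first)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(value)
        if not m or ";" not in value:
            continue
        ip = IP_RE.search(m.group("comment") or "")
        hops.append({
            "helo": m.group("helo"),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "time": parsedate_to_datetime(value.rsplit(";", 1)[1].strip()),
        })
    hops.reverse()   # each server prepends its header, so the last one is the first hop
    return hops


def find_time_anomalies(hops, max_skew_seconds=300):
    """Consecutive hops where the later server stamped an earlier time than tolerated."""
    anomalies = []
    for earlier, later in zip(hops, hops[1:]):
        delta = (later["time"] - earlier["time"]).total_seconds()
        if delta < -max_skew_seconds:
            anomalies.append((earlier["by"], later["by"], delta))
    return anomalies


def originating_ip(hops):
    """IP recorded by the first server in the chain: where the message entered."""
    return hops[0]["ip"] if hops else None


# Constructed message: the originating hop's timestamp is 46 minutes ahead of
# the next server's, the kind of inconsistency that needs a closer look.
SAMPLE_MESSAGE = """\
Received: from mx.example-corp.test (mx.example-corp.test [192.0.2.10])
\tby mail.example-corp.test with ESMTP id abc123;
\tMon, 4 Mar 2024 10:15:42 +0000
Received: from relay.example-isp.test (relay.example-isp.test [198.51.100.20])
\tby mx.example-corp.test with ESMTPS id def456;
\tMon, 4 Mar 2024 10:15:40 +0000
Received: from [10.7.7.7] (unknown [203.0.113.45])
\tby relay.example-isp.test with ESMTPA id ghi789;
\tMon, 4 Mar 2024 11:02:05 +0000
Message-ID: <20240304101500.1234@example-isp.test>
From: "Accounts" <accounts@example-corp.test>
To: user@example-corp.test
Subject: Invoice attached
Date: Mon, 4 Mar 2024 10:15:00 +0000

Please see attached.
"""

if __name__ == "__main__":
    chain = parse_received_chain(SAMPLE_MESSAGE)
    for hop in chain:
        print(f"{hop['time'].isoformat()}  {hop['ip']!s:15}  {hop['helo']} -> {hop['by']}")
    print("originating IP:", originating_ip(chain))
    print("timestamp anomalies:", find_time_anomalies(chain))
```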

POP3 (Post Office Protocol v3)

POP3 is used by clients to download emails from a server to a local device. Emails are often removed from the server after download.
Forensic analysis focuses on authentication logs, download timestamps, and client IP addresses to determine when and where emails were accessed.

Key POP3 Artifacts

  • Login (USER / PASS) logs
  • Email download timestamps
  • Client IP address
  • Deletion events

IMAP (Internet Message Access Protocol)

IMAP allows emails to remain on the server and be synchronized across multiple devices. Investigators analyze access logs, folder actions, message flags, and IP addresses.
IMAP artifacts are valuable in cases involving account compromise, unauthorized access, or multi-device usage.

Key IMAP Artifacts

  • Login and logout logs
  • Folder actions (read, move, delete)
  • Message flags (seen, unseen)
  • Access IPs and device identifiers

SMTP vs POP3 vs IMAP (Forensic Comparison)

Feature          | SMTP                    | POP3                    | IMAP
-----------------|-------------------------|-------------------------|--------------------------
Primary Function | Send emails             | Download emails         | Sync emails
Data Location    | Servers                 | Local device            | Server
Forensic Use     | Trace origin & delivery | Prove access & deletion | Track multi-device access
Common Abuse     | Phishing, spoofing      | Credential misuse       | Account compromise

VPN & proxy traffic analysis

VPN Traffic Analysis

VPN traffic analysis focuses on identifying encrypted tunnels used to mask a user’s real IP address and activity. Although VPN payloads are encrypted, investigators analyze connection metadata, tunnel protocols, endpoints, timing patterns, and data volumes. VPN artifacts are critical in cases involving data exfiltration, insider threats, malware command-and-control, and policy bypassing.

Key VPN Artifacts

  • VPN protocol type (IPsec, OpenVPN, WireGuard, L2TP)
  • Tunnel endpoints (source/destination IPs)
  • Authentication logs and session duration
  • Data transfer volume and timing patterns
  • Repeated reconnects or long-lived sessions

Proxy Traffic Analysis

Proxy analysis examines traffic routed through intermediate servers to hide origin or bypass controls. Investigators analyze proxy logs, HTTP headers, X-Forwarded-For fields, and access timestamps.
Proxies are frequently used in phishing, malware distribution, policy violations, and anonymous browsing.

Key Proxy Artifacts

  • Client IP vs proxy IP
  • Requested URLs and timestamps
  • User-Agent strings
  • Authentication credentials (if used)
  • Proxy server response codes

VPN vs Proxy

Aspect              | VPN                  | Proxy
--------------------|----------------------|--------------------------
Traffic Coverage    | All network traffic  | Application-specific
Encryption          | Yes                  | Usually No
Forensic Visibility | Metadata-based       | Header and log-based
Common Misuse       | Data exfiltration, C2 | Web anonymization, bypass

Encrypted traffic challenges

Encrypted traffic significantly limits visibility into network communications, making forensic analysis more complex. While encryption protects confidentiality, it also allows attackers to hide malicious activity, command-and-control traffic, and data exfiltration within legitimate-looking encrypted channels such as HTTPS, VPNs, and TLS-based protocols.

 

1. Lack of Payload Visibility

Investigators cannot directly view packet contents in encrypted traffic, restricting analysis to metadata only. This makes it difficult to identify stolen data, malicious commands, or exploit payloads.

Impact: Cannot prove exact data content without decryption.

 

2. Increasing Use of HTTPS and TLS

Most web traffic is now encrypted by default, including malicious downloads and phishing sites. Attackers exploit trusted protocols to blend in with normal traffic.

Impact: Malicious HTTPS traffic appears similar to legitimate browsing.

 

3. Encrypted Malware Communication (C2)

Modern malware uses TLS, HTTPS, VPNs, or Tor for command-and-control communications. This hides attacker infrastructure and instructions.

Impact: Difficult to distinguish malware traffic from normal encrypted sessions.

 

4. Certificate and Trust Abuse

Attackers use free or stolen TLS certificates, making malicious servers appear legitimate. Self-signed certificates may also be used internally.

Impact: Certificate presence alone is no longer a reliable trust indicator.

 

5. Limited Decryption Capabilities

Decrypting traffic requires private keys, SSL inspection devices, or endpoint access, which may not be available during investigations.

Impact: Investigations rely heavily on indirect evidence.

 

6. Privacy and Legal Restrictions

Decrypting user traffic can violate privacy laws and organizational policies, especially without proper authorization.

Impact: Legal constraints may prevent deep inspection.

 
How Investigators Overcome Encrypted Traffic Challenges

Investigators rely on metadata and behavioral analysis, including:

  • TLS handshake details (versions, cipher suites)
  • Certificate analysis and anomalies
  • SNI, JA3/JA4 fingerprints
  • Session duration and data volume
  • DNS correlations and timing patterns

 

Why This Matters in Network & Cloud Forensics

Understanding encrypted traffic challenges helps investigators:

  • Apply behavior-based detection
  • Correlate network, endpoint, and cloud logs
  • Avoid false assumptions
  • Maintain legal and forensic soundness

Network Log & Traffic Analysis

Firewall, IDS/IPS, router, and switch logs

Firewall Logs

Firewall logs record allowed, denied, and blocked network traffic based on security rules. In forensic investigations, they help determine what traffic entered or left the network, including source/destination IPs, ports, protocols, and action taken.
Firewall artifacts are critical for identifying unauthorized access attempts, data exfiltration, policy violations, and attacker entry points.

Key Firewall Artifacts

  • Source and destination IP addresses
  • Ports and protocols
  • Allow / deny / drop actions
  • Rule IDs and timestamps
  • NAT translations

 

IDS/IPS Logs

IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) logs capture suspicious or malicious activity detected through signatures or behavior analysis.
IDS logs are used for alerting and investigation, while IPS logs show blocked or prevented attacks.

Key IDS/IPS Artifacts

  • Alert signatures and severity
  • Source and destination IPs
  • Attack type (SQLi, exploit, malware)
  • Packet payload snippets (if available)
  • Detection timestamps

 

Router Logs

Router logs document network routing activity, connections, and access control events. They help trace traffic paths, unauthorized connections, and routing anomalies.
Routers also log authentication attempts, configuration changes, and interface status, which are vital in insider or infrastructure compromise cases.

Key Router Artifacts

  • Connection and flow records
  • Access control list (ACL) hits
  • Login and configuration changes
  • Interface up/down events

 

Switch Logs

Switch logs provide visibility into internal network activity, especially east-west traffic. They are essential for investigating lateral movement, ARP spoofing, and unauthorized device connections.
Switches also log MAC address tables, port status, and VLAN activity.

Key Switch Artifacts

  • MAC address to port mappings
  • Port up/down events
  • VLAN assignments
  • ARP and CAM table changes

 

Log Correlation Value in Network Forensics

By correlating logs from firewalls, IDS/IPS, routers, and switches, investigators can:

  • Reconstruct complete attack paths
  • Identify patient zero
  • Validate alerts and anomalies
  • Produce legally defensible timelines

Proxy server logs

Proxy server logs record web traffic passing through an intermediary server between users and the internet. In network investigations, these logs are crucial for uncovering user web activity, policy violations, malware communication, and data leakage—even when users attempt to hide their identity or bypass controls.

 

Key Proxy Log Artifacts

Proxy logs typically contain:

  • Client (internal) IP address
  • Proxy IP and destination server IP
  • Requested URL and domain name
  • HTTP method (GET, POST, CONNECT)
  • Timestamp and session duration
  • User authentication details (username)
  • HTTP response codes and data size
  • User-Agent strings

 

Packet capture (PCAP) analysis

PCAP analysis involves examining raw network packets captured from a network to reconstruct communication between systems. In network forensics, PCAPs are considered primary evidence because they provide the most detailed view of network activity, including protocols, sessions, timing, and in some cases, payload content.

 

What Investigators Analyze in PCAPs

1. Traffic Flow & Sessions

Investigators identify who communicated with whom, over which protocol and ports. TCP streams, UDP flows, and session durations help reconstruct attack timelines.

 

2. Protocol Behavior

Analysis of protocols such as TCP, UDP, DNS, HTTP, ICMP, ARP, SMTP helps detect abnormal or malicious behavior like scanning, spoofing, tunneling, or malware C2 communication.

 

3. Payload & Content (When Unencrypted)

For unencrypted traffic, PCAPs may reveal:

  • User credentials
  • Malware payloads
  • Downloaded files
  • Exploit traffic

This evidence is highly valuable for legal attribution.

 

4. Encrypted Traffic Metadata

Even when encrypted, PCAPs provide:

  • TLS handshake details
  • Certificates and SNI
  • JA3/JA4 fingerprints
  • Packet size and timing patterns

 

Session reconstruction

Session reconstruction is the process of reassembling individual network sessions from packet-level data to understand who communicated with whom, when, how, and what occurred during a network interaction. It transforms raw packets into human-readable conversations, making it one of the most powerful techniques in network investigations.

 

What Session Reconstruction Reveals

1. User and System Activity

Reconstructed sessions show source and destination IPs, ports, protocols, timestamps, and duration, helping investigators attribute activity to specific systems or users.

 

2. Application-Level Behavior

By rebuilding HTTP, FTP, SMTP, DNS, and other protocol streams, investigators can view visited URLs, commands issued, files transferred, and email transactions.

 

3. Malicious Actions

Session reconstruction exposes malware downloads, exploit attempts, credential theft, lateral movement, and command-and-control communications, especially in unencrypted traffic.

 

Session Reconstruction in Encrypted Traffic

Although payloads are encrypted, session reconstruction still provides:

  • TLS handshake sequences
  • Certificate and SNI details
  • Session timing and frequency
  • Beaconing patterns

These indicators help identify covert malware activity and data exfiltration.
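An added example (not from the original notes) of the packet-to-conversation step that session reconstruction depends on: one direction of a TCP stream is reassembled by sequence number from segments that arrive out of order and include a retransmission, missing ranges are recorded as gaps instead of silently closed, and the rebuilt bytes are then read as the HTTP request they carry. The segments are constructed; the starting sequence number is chosen near 2^32 so the wrap-around case is exercised.

```python
"""Reassemble one direction of a TCP stream from out-of-order and
retransmitted segments by sequence number, then read the application
request out of the rebuilt bytes. Segments are constructed; the first
sequence number sits near 2^32 so the wrap-around case is exercised."""

SEQ_MASK = 0xFFFFFFFF


def reassemble_stream(segments, first_seq):
    """segments: iterable of (seq, payload) for one direction.
    first_seq: sequence number of the first data byte (ISN + 1 after the SYN).
    Returns (data, gaps, retransmitted_bytes); gaps are zero-filled byte ranges."""
    ordered = sorted(((seq - first_seq) & SEQ_MASK, payload)
                     for seq, payload in segments if payload)
    data, gaps, retransmitted = bytearray(), [], 0
    for offset, payload in ordered:
        end = offset + len(payload)
        if offset > len(data):                  # missing segment(s): record and zero-fill
            gaps.append((len(data), offset))
            data.extend(b"\x00" * (offset - len(data)))
        if end <= len(data):                    # pure retransmission, nothing new
            retransmitted += len(payload)
            continue
        overlap = len(data) - offset            # partial overlap with bytes already seen
        retransmitted += overlap
        data.extend(payload[overlap:])
    return bytes(data), gaps, retransmitted


def parse_http_request(data):
    """Split a rebuilt HTTP/1.x request into request line, headers and body."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


FIRST_SEQ = 0xFFFFFFF0
REQUEST_PARTS = [                               # constructed upload request, one segment per part
    b"POST /upload HTTP/1.1\r\n",
    b"Host: files.example.test\r\n",
    b"User-Agent: curl/8.0\r\n",
    b"Content-Length: 11\r\n\r\n",
    b"secret-data",
]


def build_sample_segments(drop_host=False):
    """Constructed capture: segments delivered out of order with the Host segment
    retransmitted (or, with drop_host=True, never captured at all)."""
    segs, seq = [], FIRST_SEQ
    for part in REQUEST_PARTS:
        segs.append((seq & SEQ_MASK, part))
        seq += len(part)
    if drop_host:
        return [segs[2], segs[0], segs[3], segs[4]]
    return [segs[2], segs[0], segs[3], segs[1], segs[4], segs[1]]


if __name__ == "__main__":
    data, gaps, retrans = reassemble_stream(build_sample_segments(), FIRST_SEQ)
    print(parse_http_request(data), "gaps:", gaps, "retransmitted bytes:", retrans)
    _, gaps, _ = reassemble_stream(build_sample_segments(drop_host=True), FIRST_SEQ)
    print("missing byte ranges when the Host segment was lost:", gaps)
```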

 

Identifying data exfiltration

Data exfiltration is the unauthorized transfer of sensitive data from an internal network to an external destination. In network forensics, identifying exfiltration involves analyzing traffic patterns, logs, and metadata to detect abnormal outbound behavior that indicates data theft.

 

Common Data Exfiltration Methods

  • HTTPS uploads to attacker-controlled servers
  • DNS tunneling using encoded queries
  • FTP/SFTP transfers
  • Cloud storage abuse (Drive, Dropbox, OneDrive)
  • Email attachments or SMTP abuse
  • VPN or proxy-based exfiltration

 

Key Indicators of Data Exfiltration

1. Abnormal Outbound Traffic

Large or continuous outbound data transfers, especially outside business hours or to unknown destinations.

 

2. Unusual Protocol Usage

Unexpected use of FTP, SCP, DNS, or ICMP for data transfer.

 

3. Repeated Beaconing Patterns

Regular, timed connections with consistent packet sizes indicating automated data leakage.

 

4. Suspicious Destinations

Connections to newly registered domains, unknown IP ranges, or anonymization services.

 

5. Encrypted Exfiltration

Encrypted traffic with unusual volume, duration, or frequency inconsistent with normal behavior.
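An added example (not from the original notes) that scores constructed flow and DNS records against the indicators above, and also against the DNS artifact of abnormally long or encoded domain names from the DNS section: it measures the regularity of connection timing to catch beaconing, totals outbound bytes per destination, and counts long high-entropy leftmost DNS labels per parent domain. All sample data is constructed and the thresholds are assumed tuning values.

```python
"""Score constructed outbound flow and DNS query records against the
exfiltration indicators above, plus the DNS artifact of abnormally long or
encoded domain names: regular beaconing, abnormal outbound volume, and
long high-entropy DNS labels. Sample data is constructed; thresholds are
assumed tuning values."""
import math
import statistics
from collections import defaultdict


def beaconing_score(timestamps, min_connections=6):
    """Coefficient of variation of inter-arrival times; values near 0 mean
    machine-regular timing. None if there are too few connections to judge."""
    ts = sorted(timestamps)
    if len(ts) < min_connections:
        return None
    intervals = [later - earlier for earlier, later in zip(ts, ts[1:])]
    mean = statistics.mean(intervals)
    return None if mean == 0 else statistics.pstdev(intervals) / mean


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dns_tunnel_suspects(queries, min_label_len=30, min_entropy=3.5, min_queries=5):
    """(source, parent domain) pairs with repeated long, high-entropy leftmost labels."""
    hits = defaultdict(int)
    for src, qname in queries:
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue
        leftmost, parent = labels[0], ".".join(labels[-2:])
        if len(leftmost) >= min_label_len and label_entropy(leftmost) >= min_entropy:
            hits[(src, parent)] += 1
    return {k: v for k, v in hits.items() if v >= min_queries}


def flag_exfiltration(flows, queries, volume_threshold=50_000_000, max_cv=0.1):
    """flows: (unix_time, src, dst, bytes_out); queries: (src, qname)."""
    times, volume = defaultdict(list), defaultdict(int)
    for ts, src, dst, nbytes in flows:
        times[(src, dst)].append(ts)
        volume[(src, dst)] += nbytes
    beaconing = {}
    for pair, ts in times.items():
        cv = beaconing_score(ts)
        if cv is not None and cv <= max_cv:
            beaconing[pair] = round(cv, 3)
    return {
        "beaconing": beaconing,
        "high_volume": {pair: n for pair, n in volume.items() if n >= volume_threshold},
        "dns_tunnel": dns_tunnel_suspects(queries),
    }


# Constructed sample data ----------------------------------------------------
BASE = 1_700_000_000
# a host connecting every 60 s (with about 1 s of jitter) to one external address
SAMPLE_FLOWS = [(BASE + 60 * i + (i % 3) - 1, "10.0.0.5", "203.0.113.7", 1500) for i in range(20)]
# one large upload, plus irregular browsing-like connections from the same host
SAMPLE_FLOWS += [(BASE + 300, "10.0.0.9", "198.51.100.44", 80_000_000)]
SAMPLE_FLOWS += [(BASE + t, "10.0.0.9", "198.51.100.2", 20_000) for t in (5, 9, 200, 260, 900, 1500, 1510)]

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def _encoded_label(i, length=40):
    """Deterministic stand-in for a base36-encoded data chunk (each symbol used at most twice)."""
    return "".join(ALPHABET[(i * 7 + j) % len(ALPHABET)] for j in range(length))


SAMPLE_QUERIES = [("10.0.0.5", f"{_encoded_label(i)}.t.example-tunnel.test") for i in range(8)]
SAMPLE_QUERIES += [("10.0.0.9", q) for q in ("www.example.test", "cdn.example.test", "mail.example-corp.test")]

if __name__ == "__main__":
    for kind, findings in flag_exfiltration(SAMPLE_FLOWS, SAMPLE_QUERIES).items():
        print(kind, findings)
```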

 

Cloud Forensics

Cloud forensics challenges & evidence volatility

Cloud environments introduce unique forensic challenges due to shared infrastructure, abstraction layers, and dynamic resource allocation. Evidence in the cloud is often highly volatile, making timely and legally sound collection critical.

 

Key Cloud Forensics Challenges

1. Evidence Volatility

Cloud resources such as virtual machines, containers, and serverless functions can be terminated or auto-scaled within seconds, causing logs, memory, and temporary storage to be lost.

Impact: Critical evidence may disappear before acquisition.

 

2. Limited Physical Access

Investigators do not have physical control over cloud hardware, relying entirely on cloud service provider (CSP) logs and APIs.

Impact: Evidence scope is limited to what the CSP exposes.

 

3. Shared Responsibility Model

Security and logging responsibilities are divided between the customer and CSP, leading to gaps if logging is not pre-enabled.

Impact: Missing or incomplete evidence.

 

4. Multi-Tenancy & Data Isolation

Cloud infrastructure is shared among multiple customers, restricting access to low-level network and hardware artifacts.

Impact: No direct access to hypervisor or physical network logs.

 

5. Jurisdiction & Legal Constraints

Cloud data may be stored in multiple geographic regions, raising legal and compliance issues.

Impact: Delays or restrictions in evidence acquisition.

 

6. Time Synchronization Issues

Different cloud services may log events in different time zones or formats.

Impact: Timeline reconstruction becomes complex.

 

Evidence Volatility in Cloud Environments

Highly volatile cloud evidence includes:

  • VM memory (RAM)
  • Temporary storage and cache
  • Ephemeral IP addresses
  • Short-lived containers
  • Serverless execution logs

Persistent evidence includes:

  • Cloud audit logs (e.g., AWS CloudTrail)
  • Object storage access logs
  • Identity and access logs
  • Load balancer logs

 

Shared responsibility model

The Shared Responsibility Model defines how security, compliance, and forensic responsibilities are divided between a Cloud Service Provider (CSP) and the customer. Understanding this model is critical in cloud forensics because it determines who owns which logs, evidence, and investigative actions during a security incident.

 

Cloud Service Provider (CSP) Responsibilities

The CSP is responsible for security of the cloud, which includes:

  • Physical data centers and hardware
  • Network infrastructure and virtualization layer
  • Host operating systems and hypervisors
  • Availability and resilience of cloud services

Forensic Impact: Investigators cannot access physical devices or hypervisor logs and must rely on CSP-provided evidence.

 

Customer Responsibilities

The customer is responsible for security in the cloud, which includes:

  • Guest operating systems
  • Applications and workloads
  • Identity and access management (IAM)
  • Data protection and encryption
  • Enabling and retaining logs

Forensic Impact: Failure to enable logging (CloudTrail, VPC Flow Logs, etc.) may result in no forensic evidence.

 

Shared Responsibility by Service Model

Service Model | CSP Responsibility         | Customer Responsibility
--------------|----------------------------|-------------------------
IaaS          | Physical infra, hypervisor | OS, apps, network configs
PaaS          | Infra + OS                 | Applications, data
SaaS          | Entire platform            | User access & data usage

SaaS, PaaS, IaaS investigation approach

IaaS (Infrastructure as a Service)

In IaaS environments, investigators have the highest level of control and visibility compared to other cloud models. The focus is on virtual machines, network configurations, and storage.

Evidence Sources

  • VM disk snapshots and images
  • Memory (if captured in time)
  • VPC / Virtual Network Flow Logs
  • Firewall and security group logs
  • IAM activity logs (e.g., CloudTrail)
  • Load balancer logs

Investigation Approach

  • Isolate affected VM
  • Take disk snapshots (read-only)
  • Collect network and access logs
  • Correlate VM artifacts with cloud audit logs

Forensic Challenge: Volatile memory and ephemeral IPs.

 

PaaS (Platform as a Service)

In PaaS, the CSP manages the OS and platform, limiting forensic access. Investigations focus on application behavior, access control, and platform logs.

Evidence Sources

  • Application logs
  • API access logs
  • Authentication and IAM logs
  • Database access logs
  • Platform audit logs

Investigation Approach

  • Identify compromised application or service
  • Collect platform and application logs
  • Review API usage and authentication patterns
  • Correlate logs with external access

Forensic Challenge: No access to OS or filesystem.

 

SaaS (Software as a Service)

SaaS investigations rely almost entirely on provider-generated logs and metadata. The focus is on user activity and data access.

Evidence Sources

  • User login and activity logs
  • File access, sharing, and deletion logs
  • Email or collaboration logs
  • Admin actions and configuration changes

Investigation Approach

  • Identify compromised accounts
  • Review user activity timelines
  • Detect data access or exfiltration
  • Work with CSP for extended evidence

Forensic Challenge: Limited evidence control and retention.

 

Comparison: SaaS vs PaaS vs IaaS

Aspect               | IaaS             | PaaS           | SaaS
Investigator Control | High             | Medium         | Low
OS Access            | Yes              | No             | No
Primary Evidence     | VM, network logs | App & API logs | User activity logs
Evidence Volatility  | High             | Medium         | Depends on CSP
CSP Dependency       | Medium           | High           | Very High

Evidence acquisition from cloud environments

Evidence acquisition in cloud environments involves collecting digital artifacts from cloud platforms while preserving integrity, legality, and chain of custody. Unlike traditional forensics, cloud evidence is mostly log-driven, API-based, and highly volatile, requiring speed and planning.

 

Primary Cloud Evidence Sources

1. Cloud Audit & Activity Logs

These logs record who did what, when, and from where.

  • IAM / Identity logs
  • Admin and API call logs
  • Configuration change logs

Examples: AWS CloudTrail, Azure Activity Logs, GCP Audit Logs
Forensic Value: User attribution, timeline reconstruction

 

2. Network Evidence

Cloud network logs show traffic flow and communication paths.

  • VPC / Virtual Network Flow Logs
  • Load balancer access logs
  • Firewall and security group logs

Forensic Value: Detect C2 traffic, lateral movement, data exfiltration

 

3. Compute Evidence (IaaS)

Applicable mainly in IaaS investigations.

  • VM disk snapshots (read-only)
  • Boot volumes and attached storage
  • Memory (only if captured quickly)

Forensic Value: Malware, persistence, OS artifacts
Challenge: Memory and ephemeral disks are highly volatile

 

4. Application & Platform Logs (PaaS)

Focuses on application behavior and abuse.

  • Application logs
  • API request logs
  • Database access logs

Forensic Value: Web attacks, API misuse, data tampering

 

5. SaaS Evidence

Relies entirely on provider-generated logs.

  • User login and access logs
  • File access, sharing, deletion logs
  • Email and collaboration logs

Forensic Value: Account compromise, insider threats

 

 

Cloud Evidence Acquisition Process
  1. Preserve First
    • Enable log retention
    • Prevent deletion or rotation
  2. Acquire via APIs
    • Export logs in native formats
    • Maintain timestamps and metadata
  3. Snapshot Resources
    • Take VM and storage snapshots (IaaS)
  4. Hash & Secure
    • Hash exported data where applicable
    • Store evidence in write-protected storage
  5. Document Chain of Custody
    • Who collected, how, when, and from where
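Steps 4 and 5 of the process above (hash, write-protect, document custody) as a worked example. This is added code, not part of the original notes: it hashes every file in a directory of exported logs, clears the write bits, writes a manifest recording who collected what and when, and can later re-verify the files. The two export files, the collector name and the account id in demo() are constructed placeholders.

```python
"""Hash exported cloud evidence, write-protect it and record a chain-of-custody manifest.

Added example, not part of the original notes. Operates on a local directory
of exported files; the two export files and the collector/source names in
demo() are constructed placeholders.
"""
import hashlib
import json
import os
import stat
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so multi-GB log exports need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def make_read_only(path: str) -> None:
    """Clear all write bits so later accidental edits to the evidence are refused."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


def build_manifest(evidence_dir: str, collector: str, source: str) -> dict:
    """Hash every exported file, write-protect it, and record who/when/from where."""
    entries = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path):
            continue
        entries.append({"file": name, "size_bytes": os.path.getsize(path),
                        "sha256": sha256_file(path)})
        make_read_only(path)
    return {
        "collected_by": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "files": entries,
    }


def verify_manifest(evidence_dir: str, manifest: dict) -> list:
    """Re-hash the listed files; return the names whose hash no longer matches."""
    return [e["file"] for e in manifest["files"]
            if sha256_file(os.path.join(evidence_dir, e["file"])) != e["sha256"]]


def demo() -> dict:
    """Constructed run: two fake exports, manifest built, then one file is altered."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "cloudtrail-export.json"), "w") as fh:
        fh.write('{"Records": []}\n')                       # constructed placeholder
    with open(os.path.join(d, "vpc-flow.log"), "w") as fh:  # constructed placeholder
        fh.write("2 123456789012 eni-0a1b2c3d 10.0.0.5 203.0.113.7 443 51234 6 10 840 "
                 "1709287200 1709287260 ACCEPT OK\n")
    manifest = build_manifest(d, "analyst (constructed)", "aws:123456789012 (constructed)")
    with open(os.path.join(d, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    clean = verify_manifest(d, manifest)          # [] : nothing changed yet
    tampered = os.path.join(d, "vpc-flow.log")    # simulate a post-acquisition edit
    os.chmod(tampered, 0o600)
    with open(tampered, "a") as fh:
        fh.write("extra line\n")
    return {"before": clean, "after": verify_manifest(d, manifest), "dir": d}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest itself should be stored separately from the evidence (and ideally signed or hashed into the case notes), since a manifest sitting beside writable files proves nothing on its own; local permission bits are a convenience, and the write-protected storage the process calls for (for example a bucket with object locking) is what actually enforces immutability.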

 

Cloud Platform Artifacts

AWS logs (CloudTrail, VPC Flow Logs, S3 access logs)

 
AWS CloudTrail

AWS CloudTrail records API activity and account actions across AWS services. It answers the critical forensic questions: who did what, when, from where, and using which credentials.

What CloudTrail Captures

  • IAM actions (login, role assumption)
  • API calls (Create, Delete, Modify resources)
  • Source IP address and user agent
  • Timestamps and AWS region
  • Success and failure events

 

AWS VPC Flow Logs

VPC Flow Logs capture metadata about the network traffic flowing to and from network interfaces within a VPC. They do not capture packet payloads, only flow-level data.

What VPC Flow Logs Capture

  • Source and destination IP addresses
  • Source and destination ports
  • Protocol (TCP/UDP/ICMP)
  • Traffic action (ACCEPT / REJECT)
  • Bytes transferred and timestamps

 

AWS S3 Access Logs

S3 Access Logs record object-level access activity on S3 buckets. They are crucial in investigations involving data theft, insider threats, and ransomware.

What S3 Access Logs Capture

  • Requester identity (IAM user/role)
  • Source IP address
  • Bucket and object name
  • Request type (GET, PUT, DELETE)
  • HTTP response code and data size

 

AWS Log Correlation

When correlated together:

  • CloudTrail: Who performed the action
  • VPC Flow Logs: How systems communicated
  • S3 Access Logs: What data was accessed or stolen

This correlation enables end-to-end attack reconstruction.
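The correlation just described, as an added worked example (not code from the original notes). It parses one record of each type in the field order the three services use (CloudTrail JSON record, VPC Flow Log version-2 default format, S3 server access log line), pivots on a single source address, and sums the object bytes S3 returned to it. All records, addresses (documentation ranges), account id, bucket and object names are constructed sample data.

```python
"""Correlate CloudTrail, VPC Flow Log and S3 server access log records around one IP.

Added example, not part of the original notes. Parsers follow the CloudTrail
JSON record, the VPC Flow Log version-2 default field order and the S3 server
access log field order; every record below is constructed sample data.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Tuple


@dataclass
class Event:
    ts: datetime            # normalized to UTC
    source: str             # cloudtrail | vpc-flow | s3-access
    ips: Tuple[str, ...]    # every address the record names (flow logs name two)
    actor: str              # IAM ARN, or the ENI for flow records
    summary: str
    bytes_sent: int = 0


def parse_cloudtrail(record: dict) -> Event:
    """CloudTrail answers who did what, with which identity, from where."""
    ts = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, "cloudtrail", (record["sourceIPAddress"],),
                 record["userIdentity"].get("arn", "unknown"),
                 f'{record["eventName"]} ({record["awsRegion"]})')


FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()


def parse_flow_log(line: str) -> Event:
    """VPC Flow Log (v2 default format): flow metadata only; start/end are epoch seconds."""
    rec = dict(zip(FLOW_FIELDS, line.split()))
    ts = datetime.fromtimestamp(int(rec["start"]), tz=timezone.utc)
    return Event(ts, "vpc-flow", (rec["srcaddr"], rec["dstaddr"]), rec["interface_id"],
                 f'{rec["srcaddr"]}:{rec["srcport"]} -> {rec["dstaddr"]}:{rec["dstport"]} '
                 f'proto {rec["protocol"]} {rec["action"]}', int(rec["bytes"]))


# S3 access log tokens: [bracketed time] and "quoted strings" count as single fields
S3_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def parse_s3_access_log(line: str) -> Event:
    """S3 server access log: owner bucket [time] remote_ip requester req_id operation key "uri" status error bytes_sent ..."""
    f = S3_TOKEN.findall(line)
    ts = datetime.strptime(f[2].strip("[]"), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    bytes_sent = 0 if f[11] == "-" else int(f[11])
    return Event(ts, "s3-access", (f[3],), f[4], f"{f[6]} {f[1]}/{f[7]} status {f[9]}", bytes_sent)


def correlate_by_ip(ip: str, events: List[Event]) -> List[Event]:
    """Pivot on one address: what it did (CloudTrail), who it talked to (flows), what it fetched (S3)."""
    return sorted((e for e in events if ip in e.ips), key=lambda e: e.ts)


def s3_bytes_served(ip: str, events: List[Event]) -> int:
    """Object bytes S3 returned to this address: a first estimate of exfiltrated volume."""
    return sum(e.bytes_sent for e in events if e.source == "s3-access" and ip in e.ips)


# ---- constructed sample records (documentation-range addresses, fake account id) ----
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2024-03-01T10:00:12Z", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-user"}},
    {"eventTime": "2024-03-01T10:02:40Z", "eventName": "ListBuckets", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-user"}},
    {"eventTime": "2024-03-01T10:30:00Z", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "192.0.2.10", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"}},
]
FLOW_LINES = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.15 51234 22 6 20 1500 1709287260 1709287320 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.7 22 51234 6 18 2400 1709287260 1709287320 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.15 40000 3389 6 1 60 1709287400 1709287460 REJECT OK",
]
S3_LINES = [
    'OWNERID-constructed examplebucket [01/Mar/2024:10:03:45 +0000] 203.0.113.7 arn:aws:iam::123456789012:user/dev-user '
    'REQID1 REST.GET.OBJECT customer-data.csv "GET /customer-data.csv HTTP/1.1" 200 - 524288 524288 45 44 "-" "aws-cli/2.15.0" -',
    'OWNERID-constructed examplebucket [01/Mar/2024:10:03:50 +0000] 203.0.113.7 arn:aws:iam::123456789012:user/dev-user '
    'REQID2 REST.GET.OBJECT backup.tar "GET /backup.tar HTTP/1.1" 200 - 10485760 10485760 600 20 "-" "aws-cli/2.15.0" -',
]


def load_all() -> List[Event]:
    return ([parse_cloudtrail(r) for r in CLOUDTRAIL_RECORDS]
            + [parse_flow_log(l) for l in FLOW_LINES]
            + [parse_s3_access_log(l) for l in S3_LINES])


if __name__ == "__main__":
    suspect = "203.0.113.7"
    events = load_all()
    for e in correlate_by_ip(suspect, events):
        print(e.ts.isoformat(), e.source.ljust(10), e.actor, "|", e.summary)
    print("S3 bytes served to", suspect, "=", s3_bytes_served(suspect, events))
```

Pivoting on the address alone is only the first pass: the same IAM ARN appears in both the CloudTrail record and the S3 requester field, so a second pivot on the identity catches activity the attacker performed from other addresses. Flow logs are aggregated per interval, so their timestamp is the start of the flow window, not the exact moment of a connection.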

 

Comparison Table

Log Type       | Focus                 | Key Question Answered
CloudTrail     | API & account actions | Who did what?
VPC Flow Logs  | Network metadata      | Who talked to whom?
S3 Access Logs | Object access         | What data was accessed?

Azure logs (Activity Logs, Security Center)

Azure Activity Logs

Azure Activity Logs record control-plane actions performed on Azure resources. They answer the core forensic questions: who changed what, when, where, and how across a subscription.

What Activity Logs Capture

  • Resource create/update/delete actions
  • Administrative operations and policy changes
  • Caller identity (user, service principal, managed identity)
  • Source IP, timestamp, region
  • Operation status (success/failure)

 

Azure Security Center / Microsoft Defender for Cloud

Defender for Cloud provides security posture management and threat detection across Azure resources. It aggregates signals from workloads to generate alerts, recommendations, and attack insights.

What Defender for Cloud Provides

  • Security alerts (malware, suspicious logins, lateral movement)
  • Threat intelligence–backed detections
  • Resource security posture and misconfiguration findings
  • Recommendations and remediation guidance

 

Comparison

Log / Service       | Focus                      | Key Question Answered
Azure Activity Logs | Control-plane actions      | Who changed what?
Defender for Cloud  | Threat detection & posture | Is it malicious or risky?

 

Google Cloud logging overview

Google Cloud Logging (formerly Stackdriver Logging) is the central logging service in Google Cloud Platform (GCP) that collects, stores, and analyzes audit, network, system, and application logs. In cloud forensics, it serves as the primary source of evidence for investigating security incidents, misuse, and policy violations.

 

Core Google Cloud Log Types

1. Cloud Audit Logs

These logs record who did what, when, and from where across GCP services.

Types

  • Admin Activity Logs – Resource creation, deletion, configuration changes
  • Data Access Logs – Read/write access to user data
  • System Event Logs – Google-initiated actions
  • Policy Denied Logs – Failed actions due to IAM policies

 

2. VPC Flow Logs

VPC Flow Logs capture network flow metadata for traffic going to and from VM instances.

Captured Data

  • Source and destination IP
  • Source and destination ports
  • Protocol
  • Bytes sent/received
  • Allow / deny decision

 

3. Compute & Resource Logs

These logs relate to VMs, containers, and cloud services.

Examples

  • Compute Engine VM logs
  • Kubernetes (GKE) audit and workload logs
  • Load balancer access logs

 

4. Application Logs

Generated by applications running on GCP services.

Log Retention & Export
  • Default retention is limited
  • Logs should be exported to:
    • Cloud Storage (long-term preservation)
    • BigQuery (analysis)
    • SIEM tools (correlation)

 

Google Cloud Logging in Investigations

Investigators use GCP logs to:

  • Attribute actions to IAM identities
  • Detect malicious network behavior
  • Reconstruct cloud attack timelines
  • Support legally defensible reports

 

Comparison

Log Type         | Focus              | Key Question Answered
Cloud Audit Logs | Identity & actions | Who did what?
VPC Flow Logs    | Network metadata   | Who talked to whom?
Resource Logs    | VM / service events| What happened on the system?
Application Logs | App behavior       | How was the app abused?

 

Cloud identity & access misuse detection

Cloud identity and access misuse detection focuses on identifying unauthorized, abnormal, or malicious use of cloud identities, such as users, service accounts, roles, and API keys. Since most cloud attacks begin with credential abuse rather than malware, monitoring identity activity is critical for detecting breaches early.

 
Common Identity & Access Misuse Scenarios
  • Compromised user credentials used from unusual locations
  • Excessive or unauthorized privilege assignments
  • Abuse of service accounts or API keys
  • Unauthorized access to sensitive cloud resources
  • Bypassing MFA or conditional access controls

 

Key Indicators of Identity Misuse

1. Abnormal Login Behavior
  • Logins from unfamiliar IP addresses or countries
  • Access at unusual times
  • Multiple failed login attempts followed by success
2. Privilege Escalation
  • Sudden assignment of admin or owner roles
  • Creation of new high-privilege accounts
  • Modification of IAM policies without approval
3. Service Account Abuse
  • Service accounts used interactively
  • Access from unexpected resources
  • Long-lived or exposed access keys
4. API & Token Misuse
  • High-volume API calls
  • Use of disabled or expired keys
  • Token usage from unknown sources
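The indicators listed above turned into detection logic, as an added example (not code from the original notes). Four rules run over a constructed set of sign-in and IAM audit events: repeated failures followed by a success, a successful login from a country outside the principal's baseline, attachment of an administrative policy, and a service account used interactively. Event names follow CloudTrail naming (ConsoleLogin, AttachUserPolicy); the events, the per-user country baseline, the thresholds and the principal names are constructed.

```python
"""Rule-based detection of cloud identity misuse over sign-in and IAM audit events.

Added example, not part of the original notes. Event names follow CloudTrail
naming (ConsoleLogin, AttachUserPolicy, ...); the events, the per-user country
baseline and the thresholds are constructed sample data.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Set


@dataclass
class IdentityEvent:
    ts: datetime
    principal: str
    principal_type: str   # "user" or "service"
    ip: str
    country: str          # from IP geolocation enrichment
    event_name: str
    outcome: str          # "Success" or "Failure"
    detail: str = ""      # e.g. the policy ARN attached


def _t(hhmmss: str) -> datetime:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return datetime(2024, 3, 1, h, m, s, tzinfo=timezone.utc)


# constructed sample events (documentation-range addresses)
SAMPLE_EVENTS = [
    IdentityEvent(_t("09:00:00"), "ops-admin", "user", "192.0.2.10", "US", "ConsoleLogin", "Success"),
    IdentityEvent(_t("10:00:01"), "dev-user", "user", "198.51.100.23", "NL", "ConsoleLogin", "Failure"),
    IdentityEvent(_t("10:00:20"), "dev-user", "user", "198.51.100.23", "NL", "ConsoleLogin", "Failure"),
    IdentityEvent(_t("10:00:41"), "dev-user", "user", "198.51.100.23", "NL", "ConsoleLogin", "Failure"),
    IdentityEvent(_t("10:01:05"), "dev-user", "user", "198.51.100.23", "NL", "ConsoleLogin", "Success"),
    IdentityEvent(_t("10:03:00"), "dev-user", "user", "198.51.100.23", "NL", "AttachUserPolicy", "Success",
                  "arn:aws:iam::aws:policy/AdministratorAccess"),
    IdentityEvent(_t("10:04:00"), "ci-deploy", "service", "192.0.2.44", "US", "ConsoleLogin", "Success"),
]
# constructed baseline: countries each principal normally signs in from
BASELINE_COUNTRIES: Dict[str, Set[str]] = {"dev-user": {"US"}, "ops-admin": {"US"}, "ci-deploy": {"US"}}

POLICY_CHANGE_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "AddUserToGroup"}
NEW_CREDENTIAL_EVENTS = {"CreateUser", "CreateAccessKey"}
ADMIN_MARKERS = ("AdministratorAccess",)


def _finding(rule: str, ev: IdentityEvent, note: str) -> dict:
    return {"rule": rule, "principal": ev.principal, "ts": ev.ts, "note": note}


def detect_failed_then_success(events: List[IdentityEvent], threshold: int = 3,
                               window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """N failed console logins followed by a success for the same principal inside the window."""
    findings: List[dict] = []
    recent: Dict[str, Deque[datetime]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_name != "ConsoleLogin":
            continue
        q = recent.setdefault(ev.principal, deque())
        while q and ev.ts - q[0] > window:          # drop failures older than the window
            q.popleft()
        if ev.outcome == "Failure":
            q.append(ev.ts)
        elif len(q) >= threshold:
            findings.append(_finding("failed_then_success", ev,
                                     f"{len(q)} failures within {window} before success from {ev.ip}"))
            q.clear()
    return findings


def detect_new_country(events: List[IdentityEvent], baseline: Dict[str, Set[str]]) -> List[dict]:
    """Successful login from a country not in the principal's baseline."""
    return [_finding("new_country_login", ev, f"{ev.country} not in {sorted(baseline.get(ev.principal, []))}")
            for ev in events
            if ev.event_name == "ConsoleLogin" and ev.outcome == "Success"
            and ev.country not in baseline.get(ev.principal, set())]


def detect_privilege_escalation(events: List[IdentityEvent]) -> List[dict]:
    """Admin policy attached, or new users/keys created."""
    return [_finding("privilege_escalation", ev, f"{ev.event_name} {ev.detail}".strip())
            for ev in events if ev.outcome == "Success"
            and (ev.event_name in NEW_CREDENTIAL_EVENTS
                 or (ev.event_name in POLICY_CHANGE_EVENTS and any(m in ev.detail for m in ADMIN_MARKERS)))]


def detect_service_account_interactive(events: List[IdentityEvent]) -> List[dict]:
    """Service identities have no business at the console."""
    return [_finding("service_account_interactive", ev, f"console login from {ev.ip}")
            for ev in events if ev.principal_type == "service" and ev.event_name == "ConsoleLogin"]


def run_all(events: List[IdentityEvent], baseline: Dict[str, Set[str]]) -> List[dict]:
    findings = (detect_failed_then_success(events) + detect_new_country(events, baseline)
                + detect_privilege_escalation(events) + detect_service_account_interactive(events))
    return sorted(findings, key=lambda f: (f["ts"], f["rule"]))


if __name__ == "__main__":
    for f in run_all(SAMPLE_EVENTS, BASELINE_COUNTRIES):
        print(f["ts"].isoformat(), f["rule"].ljust(28), f["principal"].ljust(10), f["note"])
```

Each rule on its own is noisy (travel, a legitimate onboarding, a fat-fingered password); the value comes from several rules firing for the same principal in a short span, which is what the run_all ordering makes visible.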

 

Incident Reconstruction

Timeline creation using network and cloud logs

Timeline creation is the process of ordering events from multiple network and cloud log sources to understand what happened, when it happened, how it happened, and who was involved during a security incident. In cloud environments, timelines rely heavily on identity, network, and service logs rather than physical system access.

 

Key Log Sources for Timeline Building

Cloud Identity & Audit Logs
  • AWS CloudTrail
  • Azure Activity and Entra ID logs
  • Google Cloud Audit Logs

Used to identify: logins, API calls, privilege changes, and configuration updates.

 

Network Logs
  • VPC Flow Logs / NSG Flow Logs
  • Firewall, IDS/IPS, and proxy logs
  • Load balancer access logs

Used to identify: inbound access, outbound connections, lateral movement, and data transfer activity.

 

Service & Resource Logs
  • VM and container logs
  • Storage access logs (S3, Blob, GCS)
  • Application and API gateway logs

Used to identify: resource usage, data access, and service abuse.

 

Creation Process

1. Define the Incident Window
  • Identify the earliest suspicious event
  • Extend the time range before and after the event
2. Normalize Time
  • Convert all timestamps to a single time zone (UTC)
  • Account for clock drift and log latency
3. Correlate Identity Events
  • Login attempts and successes
  • Role and permission changes
  • Token or API key usage
4. Correlate Network Activity
  • First inbound connection
  • Outbound connections to unknown IPs
  • Repeated or high-volume data transfers
5. Add Resource & Data Events
  • VM creation or deletion
  • Storage access and downloads
  • Application-level actions

Example Timeline Flow
  1. Login from unknown IP
  2. Privilege escalation via IAM policy change
  3. New VM instance created
  4. Outbound traffic to external server
  5. Large data download from cloud storage

This sequence helps confirm account compromise and data exfiltration.
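The creation process above (incident window, time normalization, merge and sort) as an added worked example that is not code from the original notes. It takes events whose timestamps arrive in the formats the listed sources actually emit (ISO 8601 with Z, epoch seconds from flow logs, a local-offset firewall clock, 7-digit fractional seconds from Azure), converts everything to UTC, subtracts a known per-source clock drift, keeps only the incident window and sorts. The events, the 90-second drift figure, the window and all names are constructed.

```python
"""Build an incident timeline from mixed-format network and cloud log timestamps.

Added example, not part of the original notes. The events, the 90-second
firewall clock drift and the incident window are constructed; the timestamp
formats mirror those the sources use (ISO 8601 'Z', epoch seconds, local
offsets, 7-digit fractional seconds).
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Union

_FRACTION = re.compile(r"(\.\d{1,6})\d*")   # trim >6 fractional digits to microseconds


def normalize_timestamp(raw: Union[int, float, str]) -> datetime:
    """Return an aware UTC datetime from epoch seconds or an ISO 8601 string with zone info."""
    if isinstance(raw, (int, float)) or (isinstance(raw, str) and raw.strip().isdigit()):
        return datetime.fromtimestamp(int(raw), tz=timezone.utc)
    s = raw.strip()
    if s.endswith("Z"):
        s = s[:-1] + "+00:00"
    s = _FRACTION.sub(r"\1", s)
    dt = datetime.fromisoformat(s)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp has no zone information, refusing to guess: {raw!r}")
    return dt.astimezone(timezone.utc)


@dataclass
class TimelineEntry:
    ts: datetime
    source: str
    actor: str
    description: str


# constructed: the on-prem firewall clock is known to run 90 s fast, so subtract 90 s
CLOCK_DRIFT: Dict[str, timedelta] = {"onprem-firewall": timedelta(seconds=-90)}


def build_timeline(raw_events: List[dict], window_start: datetime, window_end: datetime,
                   drift: Dict[str, timedelta] = CLOCK_DRIFT) -> List[TimelineEntry]:
    """Normalize to UTC, correct known per-source drift, keep the incident window, sort."""
    entries = []
    for ev in raw_events:
        ts = normalize_timestamp(ev["ts"]) + drift.get(ev["source"], timedelta(0))
        if window_start <= ts <= window_end:
            entries.append(TimelineEntry(ts, ev["source"], ev["actor"], ev["description"]))
    return sorted(entries, key=lambda e: (e.ts, e.source))


# constructed sample events following the example flow in the notes
RAW_EVENTS = [
    {"source": "aws-cloudtrail", "ts": "2024-03-01T10:00:05Z", "actor": "dev-user",
     "description": "ConsoleLogin success from 203.0.113.7 (address not seen before)"},
    {"source": "azure-activity", "ts": "2024-03-01T10:02:00.1234567Z", "actor": "dev-user",
     "description": "Microsoft.Authorization/roleAssignments/write: Owner role assigned"},
    {"source": "aws-cloudtrail", "ts": "2024-03-01T10:05:30Z", "actor": "dev-user",
     "description": "RunInstances: new VM i-0abc1234"},
    {"source": "aws-vpc-flow", "ts": 1709287680, "actor": "eni-0a1b2c3d",
     "description": "10.0.1.15:51000 -> 203.0.113.99:443 ACCEPT"},
    {"source": "onprem-firewall", "ts": "2024-03-01T15:41:30+05:30", "actor": "fw-edge-1",
     "description": "outbound 10.0.1.15 -> 203.0.113.99:443 allowed"},
    {"source": "gcs-access", "ts": "2024-03-01T10:12:30Z", "actor": "dev-user",
     "description": "GET gs://backups/db-dump.tar (2.1 GB)"},
    {"source": "aws-cloudtrail", "ts": "2024-02-27T09:00:00Z", "actor": "ops-admin",
     "description": "routine DescribeInstances (outside incident window)"},
]
WINDOW_START = datetime(2024, 3, 1, 9, 55, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 3, 1, 10, 30, tzinfo=timezone.utc)


if __name__ == "__main__":
    for e in build_timeline(RAW_EVENTS, WINDOW_START, WINDOW_END):
        print(e.ts.strftime("%Y-%m-%d %H:%M:%S UTC"), e.source.ljust(16), e.actor.ljust(12), e.description)
```

Refusing naive timestamps is deliberate: a log line without zone information cannot be placed on the timeline until the exporter's zone is confirmed, and guessing is how events end up an hour apart in the report. Drift offsets should be measured (compare a known shared event across sources) and recorded in the case notes alongside the timeline.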

 

 

Attribution techniques

Attribution techniques are methods used to identify or associate malicious activity with a specific user, system, account, or threat actor based on evidence collected from network, cloud, and identity logs. In cloud environments, attribution relies more on log correlation and behavior analysis than on physical device evidence.

 

Levels of Attribution

1. Technical Attribution

Links activity to IP addresses, devices, cloud resources, or accounts.

Examples

  • Source IP from VPC Flow Logs
  • API calls linked to a specific IAM role
  • VM instance IDs involved in an attack

 

2. Identity-Based Attribution

Associates actions with cloud identities.

Examples

  • IAM user or role making API calls
  • Service account misuse
  • OAuth token or API key usage

Logs Used

  • CloudTrail / Azure Activity Logs
  • Entra ID / IAM audit logs
  • Google Cloud Audit Logs

 

3. Behavioral Attribution

Identifies attackers based on patterns and anomalies rather than identity alone.

Examples

  • Access at unusual times
  • Abnormal resource creation
  • Repeated failed authentication attempts

 

4. Infrastructure Attribution

Links attacks to external infrastructure used by the attacker.

Examples

  • Reused IP ranges or ASN
  • Known proxy or VPN services
  • Cloud-hosted attack servers

 

5. Campaign or Threat Actor Attribution

Associates activity with known threat groups using shared tactics, techniques, and procedures (TTPs).

Examples

  • Similar attack sequences
  • Reused command-and-control infrastructure
  • Matching MITRE ATT&CK techniques

Case correlation

Case correlation is the process of linking multiple events, alerts, logs, or incidents to determine whether they are part of the same attack, campaign, or misuse activity. In network and cloud environments, it helps investigators move from isolated alerts to a complete incident narrative.

 
Why Case Correlation Is Important
  • Reduces alert fatigue by grouping related events
  • Reveals full attack scope and impact
  • Identifies repeated or ongoing misuse
  • Helps distinguish real incidents from false positives

 

Common Correlation Points

1. Identity Correlation
  • Same IAM user or role used across events
  • Reuse of API keys or access tokens
  • Similar login behavior across services
2. Network Correlation
  • Repeated communication with the same IP or domain
  • Similar traffic patterns across different resources
  • Use of the same proxy or VPN infrastructure
3. Time-Based Correlation
  • Events occurring in a logical sequence
  • Repeated activity at specific times
  • Short gaps between related actions
4. Resource Correlation
  • Same VM, container, or storage account involved
  • Similar naming conventions for created resources
  • Reuse of compromised systems
5. Behavioral Correlation
  • Identical attack techniques
  • Repeated privilege escalation patterns
  • Consistent misuse workflows
 
Logs Used for Case Correlation
  • Identity and audit logs
  • Network flow and firewall logs
  • Cloud service and resource logs
  • Application and API logs
 
Example Case Correlation Scenario
  1. Multiple failed logins from different IPs
  2. Successful login from a new country
  3. IAM role escalation
  4. Creation of new VM instances
  5. Outbound data transfer to external server

Correlating these events confirms a single coordinated incident.
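The correlation points listed above (identity, network address, resource) implemented as case grouping, as an added example that is not code from the original notes. Events become one case whenever a chain of shared pivots connects them, using a union-find structure, and a pivot can be excluded when it is shared by everyone and therefore proves nothing (here an office NAT address). The events, addresses, resource ids and the NAT address are constructed sample data.

```python
"""Group related alerts/events into cases by shared pivots (identity, IP, resource).

Added example, not part of the original notes. Uses union-find so that any
chain of shared attributes lands in one case; the events and the office NAT
address are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Iterator, List


class UnionFind:
    """Disjoint-set over string keys; events and pivot values share one universe."""
    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        self.parent[self.find(a)] = self.find(b)


def pivots(ev: dict) -> Iterator[str]:
    """Correlation points from the notes: identity, network address, resource."""
    for key in ("principal", "ip", "resource"):
        if ev.get(key):
            yield f"{key}:{ev[key]}"


def correlate_cases(events: List[dict], ignore_pivots: FrozenSet[str] = frozenset()) -> List[dict]:
    """Link events sharing a pivot; ignore_pivots drops values shared by everyone (e.g. an office NAT IP)."""
    uf = UnionFind()
    for ev in events:
        node = f"event:{ev['id']}"
        uf.find(node)                       # register even if it has no usable pivot
        for p in pivots(ev):
            if p not in ignore_pivots:
                uf.union(node, p)
    groups: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        groups[uf.find(f"event:{ev['id']}")].append(ev)
    cases = []
    for members in groups.values():
        members.sort(key=lambda e: e["ts"])
        cases.append({
            "events": [e["id"] for e in members],
            "start": members[0]["ts"], "end": members[-1]["ts"],
            "principals": sorted({e["principal"] for e in members if e.get("principal")}),
            "ips": sorted({e["ip"] for e in members if e.get("ip")}),
            "resources": sorted({e["resource"] for e in members if e.get("resource")}),
        })
    return sorted(cases, key=lambda c: c["start"])


def _ev(eid: str, ts: datetime, source: str, principal: str, ip: str, resource: str, desc: str) -> dict:
    return {"id": eid, "ts": ts, "source": source, "principal": principal,
            "ip": ip, "resource": resource, "desc": desc}


def _t(h: int, m: int, s: int = 0) -> datetime:
    return datetime(2024, 3, 1, h, m, s, tzinfo=timezone.utc)


# constructed events following the example scenario in the notes, plus one routine office login
EVENTS = [
    _ev("e0", _t(9, 30), "cloudtrail", "dev-user", "192.0.2.10", "", "ConsoleLogin success (office)"),
    _ev("e1", _t(9, 58, 10), "cloudtrail", "dev-user", "198.51.100.21", "", "ConsoleLogin failure"),
    _ev("e2", _t(9, 58, 40), "cloudtrail", "dev-user", "198.51.100.22", "", "ConsoleLogin failure"),
    _ev("e3", _t(9, 59, 5), "cloudtrail", "dev-user", "198.51.100.23", "", "ConsoleLogin failure"),
    _ev("e4", _t(10, 0, 12), "cloudtrail", "dev-user", "203.0.113.7", "", "ConsoleLogin success (new country)"),
    _ev("e5", _t(10, 2), "cloudtrail", "dev-user", "203.0.113.7", "", "AttachUserPolicy AdministratorAccess"),
    _ev("e6", _t(10, 5, 30), "cloudtrail", "dev-user", "203.0.113.7", "i-0abc1234", "RunInstances"),
    _ev("e7", _t(10, 9), "vpc-flow", "", "203.0.113.99", "i-0abc1234", "outbound 10.0.1.15 -> 203.0.113.99:443, 2.1 GB"),
    _ev("e8", _t(10, 15), "cloudtrail", "ops-admin", "192.0.2.10", "vol-0def5678", "CreateSnapshot"),
]
OFFICE_NAT = frozenset({"ip:192.0.2.10"})   # constructed: shared egress address, not a useful pivot


if __name__ == "__main__":
    for case in correlate_cases(EVENTS, OFFICE_NAT):
        print(case["start"].isoformat(), "->", case["end"].isoformat(), case["events"],
              "principals:", case["principals"], "ips:", case["ips"], "resources:", case["resources"])
```

Without the exclusion the office NAT address glues the ops-admin snapshot into the attacker's case, which is the classic over-correlation mistake; transitive linking needs a list of known shared values (NAT egress, load balancer, shared service principals) to stay meaningful. Time-based and behavioral correlation from the notes would be added as further pivot keys (for example a bucketed time window or a technique id) in the same structure.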

 
