
© 2021 The SANS Institute, Author Retains Full Rights
Cloud Forensics Triage Framework (CFTF)
GIAC (GCFA) Gold Certification
Author: Michael Beck, mbeck.eagle@gmail.com
Advisor: Clay Risenhoover
Accepted: 23-June-2021
Abstract
Digital media forensic investigations take many forms, from the examination of a single asset (a thumb drive, a laptop, a mobile phone, a single email server) to large-scale corporate incident response actions. It is in corporate network investigations that analysts can become overwhelmed by the volume of internal hosts of interest, each of which must be forensically triaged and analyzed. The pressure to produce evidence that supports or refutes a case remains the same: analysts must deliver that evidence as quickly as possible while maintaining proper evidence handling procedures. Endpoint Detection and Response (EDR) tools do an excellent job of identifying these systems and providing a platform for collecting data from them, but the next step, preparing and analyzing the data collected from each host, still has to be done and is time-consuming. This is where a Cloud Forensics Triage Framework (CFTF) can leverage cloud resources to stand up a scalable, automated forensic triage pipeline for the benefit of digital media forensic investigators. This research explores combining traditional forensic media collection processes with modern cloud technologies and asks whether reducing the time it takes to deliver processed media improves the overall mean time to deliver results.
Will this reduce the time required to find the needle in the stack of needles?