What is a concern for gathering forensics evidence in public cloud environments?

One of the primary concerns when gathering forensic evidence in public cloud environments is the issue of multitenancy. In a shared cloud infrastructure, multiple tenants (organizations or users) operate on the same physical hardware, using virtualization to logically separate resources. This architecture poses a significant challenge for forensic investigations because:

Forensic investigators must ensure that they do not inadvertently access or expose data belonging to other tenants while collecting evidence.

This can limit access to low-level system data or hardware-level logs that might be essential for a thorough forensic analysis, since providers must enforce strict data isolation policies.

This concern is recognized in industry practices and guidelines, including NIST SP 800-86, which underscores the need to collect data in a forensically sound and legally defensible manner—something made more complex in shared environments.

The Cisco CyberOps Associate guide emphasizes the challenges of evidence handling in cloud environments, stating that "gathering evidence in the cloud must be carefully performed to ensure compliance with legal standards and to respect the boundaries of other tenants' data".