Cloud forensics: An overview
Keyun Ruan, Prof. Joe Carthy, Prof. Tahar Kechadi, Mark Crosbie*
Centre for Cybercrime Investigation, University College Dublin,
* IBM Ireland Ltd
{keyun.ruan, joe.carthy, tahar.kechadi}@ucd.ie, mcrosbie@ie.ibm.com
Abstract
Cloud computing is estimated to be one of the most transformative technologies in the history of
computing. Cloud organizations, including the providers and customers of cloud services, have yet to
establish a well-defined forensic capability. Without this they are unable to ensure the robustness and
suitability of their services to support investigations of criminal activity. In this paper, we take the first
steps towards defining the new area of cloud forensics, and analyze its challenges and opportunities.
Keywords: Cloud forensics, cloud computing, digital forensics
1. Introduction
Cloud computing has the potential to become one of the most transformative developments in the
history of computing, following the footsteps of mainframes, minicomputers, PCs (Personal
Computers), and smart phones (Perry et al., 2009). It is radically changing the way in which
information technology services are created, delivered, accessed and managed.
According to a May 2008 forecast by Merrill Lynch (2008), the volume of the cloud computing
market opportunity will amount to $160 billion by 2011. According to an October 2008 forecast by
IDC (International Data Corporation) (Gens, 2008), spending on cloud services is growing at five
times the rate of traditional on-premises IT (Information Technology). Even more striking than this
high growth rate is the contribution the growth of cloud offerings will soon make to the overall
growth of the IT market: cloud computing services will generate approximately one-third of the
net new growth within the IT industry. In March 2009, Gartner (2009) forecasted that the
worldwide cloud service market is expected to reach $150.1 billion in 2013.
Businesses around the world are rapidly adopting cloud computing. The 2009 F5 cloud computing
survey (F5 Network and Applied Research West, 2009) found that 66% of the 250 IT managers
interviewed have dedicated budget funds for the Cloud, and 71% expect cloud computing budgets to
grow over the next two years. One conclusion from the survey is that cloud computing is gaining
critical mass among large enterprises: 82% of the respondents said they are "in some stage of trial,
implementation or use of public clouds" and 83% said the same for use of private clouds.
Government agencies are also seeing a shift into cloud adoption. A recent InformationWeek
government survey (Foley, 2010) of IT managers in federal government found that 22% planned to
implement cloud computing over the next 12 months and another 22% within two years.
According to research from INPUT (2009), in the United States, public sector investment in cloud
computing is likely to more than double in the next five years, and US Federal government
spending on the Cloud will increase steadily, reaching $792 million by 2013.
Over the last decade, the number of crimes that involve computers and Internet has grown,
spurring an increase in companies and products that aim to assist law enforcement in using digital
evidence to determine the perpetrators, methods, timing and victims of computer crime. As a result,
digital forensics has evolved to assure proper presentation of computer and cyber crime evidentiary
data in court. According to Federal Bureau of Investigation [FBI] 2008 statistics, in the United
States, the size of the average digital forensic case is growing at the rate of 35% per year from 83
GB in 2003 to 277 GB in 2007. With storage capacity growth outpacing network bandwidth and
latency improvements, forensic data is not only getting bigger, but is also growing significantly
larger relative to the ability to process it in a timely manner, as stated by Roussev et al. (2009).
The rise of cloud computing not only has exacerbated the problem of scale for digital forensic
activities, but also created a brand new front for cybercrime investigation with various challenges.
Digital forensic practitioners must extend digital forensic knowledge and tools into cloud
computing environments, and help cloud organizations, including both CSPs (Cloud Service
Providers) and cloud customers, to establish a forensic capability in order to reduce cloud security
risks. Otherwise, cloud organizations will have difficulties in carrying out investigations of critical
incidents that happen in the Cloud, such as criminal intrusions and major policy violations, as well as
in collaborating with law enforcement in cases of resource confiscation, etc.
In this paper, we take the first step to give an overview of the new area, cloud forensics, and
analyze its challenges and opportunities.
2. Discussion on the definitions of cloud forensics
2.1 Cloud forensics
We propose in this paper the definition of cloud forensics as the application of digital
forensics in cloud computing as a subset of network forensics, as shown in Figure 1.
Figure 1. Where is cloud forensics?
Firstly, we identify cloud forensics as a cross-discipline between cloud computing and digital
forensics. There are various definitions for both cloud computing and digital forensics to this
date, and in this paper we adopt the current definitions for both cloud computing and digital
forensics from NIST:
Digital forensics is the application of science to the identification, collection,
examination, and analysis of data while preserving the integrity of the information
and maintaining a strict chain of custody for the data. (Kent et al.,2006)
Cloud computing is a model for enabling convenient, on-demand network access to a
shared pool of configurable resources (e.g., networks, servers, storage, applications,
and services) that can be rapidly provisioned and released with minimal management
effort or service provider interaction. Cloud computing has five essential
characteristics, i.e., on-demand self-service, broad network access, resource pooling,
rapid elasticity and measured service. It has three service models, i.e., Cloud
Software as a Service (SaaS), Cloud Platform as a Service (PaaS) and Cloud
Infrastructure as a Service (IaaS). And it has four deployment models, i.e., private
cloud, community cloud, public cloud and hybrid cloud. (Mell and Grance, 2009)
Secondly, we recognize cloud forensics as a subset of network forensics (DFRWS, 2001), as
network forensics deals with forensic investigations in any kind of public or private networks,
and cloud computing is based on broad network access. Thus, technically, cloud forensics
should follow the main phases of the network forensic process, with extended or novel techniques
tailored for cloud computing environments in each phase.
2.2 The three dimensions of cloud forensics
As we can see from the NIST definition, cloud computing is an evolving paradigm with
complex aspects. Its essential characteristics have dramatically reduced the cost of IT which is
driving the global trend in the rapid strategic adopting of cloud computing in businesses and
governments (EurActiv, 2011). To ensure service availability and cost-effectiveness, major
CSPs, such as Amazon, Salesforce.com, and Google all have data centers around the world in
different jurisdictions providing cloud services. Data stored in one data center is replicated to
multiple locations to ensure redundancy and reduce the risk of a single point of failure. Of course
these points of replication are potentially under many separate jurisdictions. Segregation of
duties between the CSP and the customer in forensic responsibilities becomes different in
different service models, and interactions between multiple tenants sharing same cloud
resources are different in different deployment models.
As a result, multi-jurisdiction and multi-tenancy have become the default setting for cloud
forensics, creating many more legal challenges. Sophisticated collaborations between the CSP
and the customer, or between multiple tenants sharing same resources, or among international
law enforcement are required in most of the cloud forensics cases. In order to analyze the
problem more comprehensively, and to emphasize the fact that cloud forensics is a multi-
dimensional issue instead of only a technical issue, we would like to extend the definition of
cloud forensics across three major dimensions; organizational, legal and technical, as shown in
Figure 2.
Figure 2. Cloud forensic three-dimensional model
2.2.1 The technical dimension
The technical dimension involves a set of tools and procedures to carry out the
forensic process in cloud computing environments. We emphasize some of the key
aspects in the technical dimension as follows:
1. Forensic data collection
Cloud forensic collection is the process of identifying, labelling, recording, and
acquiring forensic data from the possible sources of data in the Cloud. These
data sources include client-side artefacts that reside on client premises, and
provider-side artefacts reside on provider infrastructure. Since the segregation of
duties is different in different cloud service models, the tools and procedures to
collect forensic data are also different. In different deployment models, provider-side
artefacts are different, e.g., in public clouds, provider-side artefacts need to be
segregated among multiple tenants, whereas in private clouds, there is no such
need.
The sequence in which data is collected is defined according to the
volatility of the data: highly volatile data (e.g., RAM images) should be collected first,
followed by data with lower volatility. The collection process should follow
procedures that preserve the integrity of data, with clearly-defined segregation of
duties between client and provider, and without breaching law(s) and
regulation(s) under the jurisdiction(s) where data is collected, or compromising
confidentiality of any other tenant(s) sharing the same resource(s).
2. Elastic, static and live forensics
Rapid elasticity is one of the essential characteristics of cloud computing. Cloud
compute and storage resources can be provisioned and deprovisioned on demand.
As a result, cloud investigation tools also need to be elastic; in most cases large
scale static and live forensic tools are required, such as e-discovery, data
acquisition, data recovery, evidence examination, evidence analysis tools and
tools to collect volatile data.
3. Evidence segregation
Another essential characteristic of cloud computing is resource pooling. IT cost
is reduced in multi-tenant environments where various resources are shared.
However, cloud forensics involves the reverse process of evidence segregation,
but the underlying components that make up the cloud infrastructure, e.g., CPU
(Central Processing Unit) caches, GPUs (Graphics Processing Units), etc., were
not designed for strong compartmentalization in a multi-tenant architecture
(CSA, 2009). Tools and procedures to segregate forensic data in the Cloud
among multiple tenants in different deployment models and different service
models need to be developed.
4. Investigations in virtualized environments
Virtualization is a key technology used to implement cloud services. However
tools and procedures are yet to be developed for investigations in virtualized
environment, e.g. hypervisor investigations. On the other hand, while operations
are mostly virtualized in cloud environments, investigations in most cases
require evidence retrieval from physical locations. Loss of data control is one of
the major security challenges in the Cloud (CSA, 2009). In cloud forensics, tools
and procedures need to be developed to physically locate forensic data at a given
timestamp, and physically trace forensic data over a given time period, taking into
consideration the jurisdiction(s) of the physical locations.
5. Pro-active preparations
Pro-active measures can be taken as preparations to make forensic investigation
easier. Such measures include designing forensic-aware cloud applications, and
pro-actively collecting forensic data in the Cloud using tools provided by the
CSP or tools developed from the customer side. It often involves a set of design
principles, such as conducting regular snapshots to remote storage, regularly
tracking authentication and access-control records and performing object-level
auditing of all access.
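The collection sequence described in item 1 above (most volatile sources first, integrity preserved, tenant and jurisdiction constraints respected) can be made concrete with a small planner. The following is an added example written for this overview; it is not code from the paper or from any CSP. The source names, contents, tenants, jurisdictions and the volatility ranking are constructed assumptions, and the SHA-256 digest plus UTC timestamp stand in for whatever integrity record a real chain-of-custody procedure prescribes.

```python
"""Volatility-ordered collection plan with integrity and segregation checks.

Added example (not from the paper): orders candidate sources from most to
least volatile, acquires only artefacts that belong to the tenant under
investigation and sit in a jurisdiction the investigation is cleared for, and
records a SHA-256 digest, UTC timestamp, tenant and jurisdiction for each
artefact so the chain of custody can be verified later.
All names, byte contents and jurisdictions below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed ranking: lower number = more volatile = collected earlier
# (RAM before network state before disk before object storage before provider logs).
VOLATILITY_RANK = {
    "ram": 0,
    "network_state": 1,
    "vm_disk": 2,
    "storage_object": 3,
    "provider_log": 4,
}


@dataclass
class Source:
    name: str
    kind: str           # key into VOLATILITY_RANK
    tenant: str         # tenant that owns the artefact
    jurisdiction: str   # where the physical copy resides
    content: bytes      # constructed stand-in for the acquired bytes


@dataclass
class CustodyRecord:
    source: str
    sha256: str
    collected_at: str
    tenant: str
    jurisdiction: str


def plan_collection(sources):
    """Return the sources ordered by decreasing volatility (stable for ties)."""
    return sorted(sources, key=lambda s: VOLATILITY_RANK[s.kind])


def collect(sources, case_tenant, permitted_jurisdictions):
    """Acquire sources in volatility order.

    Artefacts owned by another tenant, or located in a jurisdiction outside
    the permitted set, are skipped and reported rather than acquired.
    Returns (custody_records, skipped) where skipped is a list of (name, reason).
    """
    records, skipped = [], []
    for src in plan_collection(sources):
        if src.tenant != case_tenant:
            skipped.append((src.name, "other-tenant"))
            continue
        if src.jurisdiction not in permitted_jurisdictions:
            skipped.append((src.name, "jurisdiction"))
            continue
        records.append(CustodyRecord(
            source=src.name,
            sha256=hashlib.sha256(src.content).hexdigest(),
            collected_at=datetime.now(timezone.utc).isoformat(),
            tenant=src.tenant,
            jurisdiction=src.jurisdiction,
        ))
    return records, skipped


def verify(record, content):
    """Re-hash preserved bytes and compare with the custody record."""
    return hashlib.sha256(content).hexdigest() == record.sha256


# Constructed sample sources: two tenants, two jurisdictions, mixed volatility.
SAMPLE_SOURCES = [
    Source("vm-42-disk.img", "vm_disk", "tenant-a", "IE", b"disk bytes"),
    Source("vm-42-ram.dump", "ram", "tenant-a", "IE", b"ram bytes"),
    Source("bucket-a/object-1", "storage_object", "tenant-a", "US", b"object bytes"),
    Source("vm-43-ram.dump", "ram", "tenant-b", "IE", b"neighbour ram"),
    Source("hypervisor-audit.log", "provider_log", "tenant-a", "IE", b"log bytes"),
]

if __name__ == "__main__":
    recs, skipped = collect(SAMPLE_SOURCES, "tenant-a", {"IE"})
    for r in recs:
        print(f"{r.source:24} {r.sha256[:16]}  {r.jurisdiction}  {r.collected_at}")
    print("skipped:", skipped)
```

Running the module acquires the RAM dump first, then the disk image, then the provider log; the neighbouring tenant's RAM dump is refused for segregation reasons and the object in the non-permitted jurisdiction is refused pending the relevant legal clearance, both reported in `skipped` so the gap in the collection is documented rather than silent.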
2.2.2 The organizational dimension
Figure 4. Cloud forensic organizational structure
Forensic investigations in cloud computing environments always involve at least
two parties: the CSP, and the cloud customer. When the CSP outsources services to
other parties, the scope of investigation widens. Figure 4 shows the proposed
organizational structure needed in order to carry out cloud forensic activities
efficiently and effectively with a joint effort.
2.2.2.1 Organizational structure for each cloud organization
In order to establish a forensic capability, each cloud organization, including the
providers and customers of cloud services, is required to define a structure of internal
staffing, provider-customer collaboration, and external assistance fulfilling the
following roles:
Investigators: the investigators (on the provider side and on the customer
side) are responsible for collaboratively investigating allegations of
misconduct in the Cloud and working with external assistance or law
enforcement when needed. They not only need knowledge of how to carry
out investigations from their own sides, but also need to understand the
forensic capabilities of the parties they are interacting with and the
segregation of duties among these parties regarding forensic investigation.
IT Professionals: this group includes system, network, and security
administrators, ethical hackers, cloud security architect, and technical
support staff in the cloud organization. They contribute to the investigation
with their expertise, facilitate the investigators in accessing the crime scene,
and may also perform data collection for the investigators.
Incident Handlers: this group responds to a variety of specific security
incidents in the Cloud, such as unauthorized data access, accidental data
leakage and data loss, breach of tenant confidentiality, inappropriate system
usage, malicious code infections, malicious insider attacks, (distributed)
denial of service attacks, etc. It is wise for a cloud organization to have a
written plan with categorized security incidents on different levels of the
Cloud and respective incident handlers to be referred to in cases of forensic
investigations.
Legal Advisors: It is crucial to include legal advisors in forensic staffing
who are familiar with multi-jurisdiction and multi-tenant issues in the Cloud
so that any forensic activities will not violate regulations under respective
jurisdiction(s) or confidentialities of other tenant(s) sharing the same
resource(s). Service Level Agreements (SLAs) must be written with clauses
that explain the procedures to follow in the event of a forensic investigation.
An internal legal advisor should be involved in drafting these clauses so that
they respect the law across all jurisdictions in which the CSP operates.
Internal legal advisors are also responsible to communicate and collaborate
with external law enforcement during the course of a forensic investigation.
External Assistance: in most cases, it is wise for the cloud organizations to
rely on a combination of its own staff and external parties to perform
forensic tasks such as e-discovery, investigations on civil cases,
investigations on the external chain of dependencies. It is important for cloud
organizations to determine in advance which actions should be performed
by external assistance regarding forensic activities, and to make this clear in
relevant policies, guidelines and agreements that are transparent to its
service customers and to law enforcement when necessary.
2.2.2.2 Chain of Dependencies
CSPs and most cloud applications often have dependencies on other CSP(s). The
dependencies in a (discrete) chain of CSP(s)/customer(s) can be highly dynamic. In
such a situation investigation in the Cloud may depend on the investigations of each
one of the links in the chain and level of complexity of the dependencies. Any
interruption or corruption in the chain or a lack of coordination of responsibilities
between all the parties involved can lead to problems. Essential communications and
collaborations regarding forensic activities through this chain need to be facilitated
by organizational policies and legally bound in the SLAs.
The chain of CSP(s)/cloud customer(s), taking into consideration the chain of
dependencies between them, has to communicate and collaborate with the following
parties in order to facilitate effective and efficient forensic activities.
Law enforcement: the top priority for cloud organizations is the availability
of service and the top priority for law enforcement is the prosecution of
criminals (DFRWS, 2001). These two different priorities often clash in
situations such as evidence collection. Cloud organizations need to work
closely with law enforcement to improve mutual understanding, and
collaborate much further in the cases such as resource confiscation.
Third parties: cloud organizations need to work closely with third parties
for auditing and compliance purposes regarding cloud forensics.
Academia: cloud organizations need to work closely with academia on
cloud forensic research and education in order to contribute to the
knowledge of the area, and also to receive up-to-date training for their
internal forensic staff.
2.2.3 The legal dimension
2.2.3.1 Multi-jurisdiction and multi-tenancy
Multi-jurisdiction and multi-tenancy challenges have been identified as the top legal
concerns among digital forensics experts (Broadhurst, 2006; Liles et al., 2009) and
these two issues are both exacerbated in the Cloud.
Regulations and agreements have to be developed in the legal dimension of cloud
forensics to ensure that forensic activities will not breach any laws or regulations
under any jurisdiction(s) where the data resides, and that the confidentiality of other
tenants sharing the same infrastructure will not be compromised, throughout the
investigation.
2.2.3.2 Service Level Agreement
An SLA defines the terms of use between a CSP and a cloud customer. The
following terms regarding forensic investigations are not in place at the moment and
have to be included in the SLA:
(1) Service provided, techniques supported, access granted by the CSP to the
customer regarding forensic investigation
(2) Trust boundaries, roles and responsibilities between the CSP and the cloud
customer regarding forensic investigation
(3) How forensic investigations are secured in a multi-jurisdictional environment in
terms of legal regulations, confidentiality of customer data, and privacy policies
(4) How forensic investigations are secured in a multi-tenant environment in terms
of legal regulations, confidentiality of customer data and privacy policies
2.3 Cloud crime
We extend the definition of computer crime by Casey (2000) to cloud crime. Cloud crime is
any crime that involves cloud computing. The Cloud can be the object, subject or tool of
crimes. The Cloud is the object of the crime when the CSP is the target of the crime and is
directly affected by the criminal act, e.g. DDOS (Distributed Denial of Service) attacks
targeting part(s) of the Cloud or even the entire cloud. The Cloud is the subject of the crime
when it is the environment where the crime is committed, e.g., unauthorized modification or
deletion of data residing in the Cloud, identity theft of users of the Cloud. The Cloud can also
be the tool used to conduct or plan a crime, e.g., evidence related to the crime can be stored
and shared in the Cloud and a Cloud that is used to attack other Clouds is called a dark Cloud.
2.4 Usage of cloud forensics
There are various usages of cloud forensics. We summarize them as follows:
(1) Investigation
Investigation on cloud crime and policy violation in multi-jurisdictional and multi-tenant
cloud environments
Investigation on suspect transactions, operations and systems in the Cloud for incident
response
Event reconstruction in the Cloud
Providing admissible evidence to the court
Collaboration with law enforcement in resource confiscation
(2) Troubleshooting
Locating data file and hosts virtually and physically in cloud environments.
To determine the root cause for single events or trends spanning multiple events over time,
and to develop new strategies to help prevent recurrence of similar incidents.
Tracing an event and assessing the current state of an event in the Cloud
Resolving functional issues in cloud applications and cloud services
Resolving operational issues in cloud systems
Security incident handling in the Cloud
(3) Log Monitoring
Collecting, analyzing and correlating log entries across multiple systems in the Cloud,
assisting in auditing, due diligence, regulatory compliance and other efforts
(4) Data and System Recovery
Recovering data in the Cloud, that has been accidentally or intentionally deleted or
modified
Recovering encrypted data in the Cloud, when the encryption key has been lost.
Recovering systems from accidental damage or attacks
Acquiring data from the Cloud that are being redeployed, retired or need to be sanitized
(5) Due Diligence/Regulatory Compliance
Helping organizations exercise due diligence and comply with requirements such as
protecting sensitive information, maintaining certain records for audit purposes, notifying
impacted parties when protected information is exposed, etc.
3. Challenges
In order to establish a forensic capability for cloud organizations in all three-dimensions defined
above, we are facing enormous challenges. In the technical dimension, we have very limited tools
and procedures in all five major components that we emphasize in this paper. In the legal
dimension there is currently no agreement among cloud organizations on collaborative
investigation, and no terms and conditions are present in SLAs on segregation of duties between
CSP and cloud customer. International cyber law and policies must progress to help resolve the
issues surrounding multi-jurisdiction investigations.
3.1 Challenges in forensic data collection
In all combinations of cloud service and deployment models, the cloud customer faces the
challenge of decreased access to forensic data. Access to forensic data varies dependent on the
cloud model; IaaS customers enjoy relatively easy access to all data required for a forensic
investigation, while SaaS customers may have little to no access to data required.
Decreased access to forensic data means the cloud customer generally has no control over or knowledge
of the exact physical location of their data, and may only be able to specify location at a higher
level of abstraction, typically as an object or container identifier. CSPs intentionally hide the
location of data from customers to facilitate data movement and replication.
Moreover, there is a lack of appropriate terms of use in the SLA (Service Level Agreement) to
enable general forensic readiness in the Cloud. Many CSPs do not provide services or interfaces
for the customers to gather forensic data. For example, SaaS (Software as a Service) providers may
not provide access to the IP logs of clients accessing content; IaaS (Infrastructure as a Service)
providers may not provide forensic data such as recent VM (Virtual Machine) and disk images. In
the Cloud, the customers have decreased access to relevant log files and metadata in all levels as
well as a limited ability to audit the operations of the network of their CSP and conduct real-time
monitoring on their own networks.
3.2 Challenges in elastic, static and live forensics
The proliferation of endpoints, especially mobile endpoints, is a challenge for data discovery and
evidence collection. The impact of crimes and the workload of investigation can be exacerbated in
cloud computing simply because of the sheer number of resources connected to the Cloud.
Time synchronization is crucial to the audit logs that are used as a source of evidence in the
investigation. Accurate time synchronization has always been an issue in network forensics, and is
made all the more challenging in a cloud environment, as timestamps must be synchronized across
multiple physical machines spread over multiple geographical regions, and between the cloud infrastructure
and remote web clients including numerous end points.
Similar to time synchronization, unification of log formats has been a traditional issue in network
forensics and the challenge is exacerbated in the Cloud because it is extremely difficult to unify the
log formats or make them convertible to each other from the massive resources available in the
Cloud. Furthermore, proprietary or unusual log formats of one party can become major roadblocks
in joint investigations.
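The two preceding paragraphs (clock skew across regions, and log formats that differ per party) are the problems a joint investigation hits as soon as it tries to build one timeline. The following is an added example for this overview, not code from the paper or from any provider: it parses three constructed log formats (a syslog-style line carrying a local UTC offset, a JSON line with epoch seconds, and an Apache-style access line), converts every timestamp to UTC, subtracts a per-host clock skew that is assumed to have been measured against a reference clock at acquisition time, and emits a single sorted timeline. The host names, skew values and log lines are constructed.

```python
"""Unified UTC timeline from heterogeneous cloud log formats.

Added example (not from the paper). Three constructed formats are normalised
to one record shape, timestamps are converted to UTC, and an assumed per-host
clock-skew correction is applied before sorting, so that events recorded by
differently-configured hosts in different regions line up.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed assumption: measured skew of each host's clock relative to a
# reference clock, in seconds (positive = host clock runs ahead). In practice
# this would come from an NTP audit or a probe taken at acquisition time.
CLOCK_SKEW = {"web-eu-1": 0.0, "app-us-2": 37.0, "edge-ap-3": -5.0}

# syslog-style: "<iso8601-with-offset> <host> <process>: <message>"
SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+): (?P<msg>.*)$")
# Apache-style: '<ip> - - [dd/Mon/yyyy:HH:MM:SS +zzzz] "<request>" <status>'
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(host_hint, line):
    """Return (host, utc_datetime, message), or None if no format matches.

    host_hint is the host the log was acquired from, used when the line
    itself does not name one (the Apache format).
    """
    line = line.strip()
    if line.startswith("{"):
        rec = json.loads(line)
        ts = datetime.fromtimestamp(float(rec["time"]), tz=timezone.utc)
        return rec.get("host", host_hint), ts, rec["event"]
    m = SYSLOG_RE.match(line)
    if m and "T" in m.group("ts"):
        ts = datetime.fromisoformat(m.group("ts")).astimezone(timezone.utc)
        return m.group("host"), ts, f'{m.group("proc")}: {m.group("msg")}'
    m = APACHE_RE.match(line)
    if m:
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        ts = ts.astimezone(timezone.utc)
        return host_hint, ts, f'{m.group("ip")} "{m.group("req")}" {m.group("status")}'
    return None


def build_timeline(logs):
    """logs: list of (acquired_from_host, raw_line).

    Returns a list of event dicts sorted by skew-corrected UTC time. Lines
    that match no known format are dropped; a real procedure would record
    them as unparsed rather than discard them silently.
    """
    keyed = []
    for host_hint, line in logs:
        parsed = parse_line(host_hint, line)
        if parsed is None:
            continue
        host, ts, msg = parsed
        corrected = ts - timedelta(seconds=CLOCK_SKEW.get(host, 0.0))
        keyed.append((corrected, {
            "host": host,
            "time_utc": corrected.isoformat(),
            "message": msg,
            "raw": line.strip(),
        }))
    keyed.sort(key=lambda pair: pair[0])
    return [event for _, event in keyed]


# Constructed sample: the same login sequence seen by three hosts in three regions.
SAMPLE_LOGS = [
    ("web-eu-1", '10.0.0.5 - - [14/Mar/2011:09:15:03 +0100] "GET /login HTTP/1.1" 200'),
    ("app-us-2", '{"time": 1300090540, "host": "app-us-2", "event": "session created for user u123"}'),
    ("edge-ap-3", "2011-03-14T17:15:00+09:00 edge-ap-3 sshd: Accepted publickey for admin"),
]

if __name__ == "__main__":
    for event in build_timeline(SAMPLE_LOGS):
        print(event["time_utc"], event["host"], event["message"])
```

On the sample data the three lines, which carry three different local clocks and formats, resolve to 08:15:03, 08:15:03 and 08:15:05 UTC once converted and skew-corrected, which is the ordering an investigator needs before attempting to correlate activity across the providers involved.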
In computer forensics, recovered deleted data is an important source of evidence, so it is in the
Cloud. In AWS (Amazon Web Service) the right to alter or delete the original snapshot is
explicitly reserved for the AWS account that created the volume. When item and attribute data are
deleted within a domain, removal of the mapping within the domain starts immediately, and is also
generally complete within seconds. Once the mapping is removed, there is no remote access to the
deleted data. Storage space occupied by the deleted data elements is made available for future
write operations, and it is likely that this storage space will be overwritten by newly stored data.
However, some deleted data might be still present in the snapshot after deletion (Amazon, 2010).
A simple challenge is: how to recover deleted data, identify the ownership of deleted data, and use
deleted data as sources of event reconstruction in the Cloud?
3.3 Challenges in evidence segregation
In the Cloud, different instances running on the same physical machine are logically isolated from
each other via hypervisor. An instance’s neighbours have no more access to that instance than any
other host on the Internet and can be treated as if they are on separate physical hosts. Customer
instances have no access to raw disk devices, but instead are presented with virtualized disks. On
the physical level system audit logs of shared resources and other forensic data are shared among
multiple tenants. Currently, the provisioning and de-provisioning technologies still need to be
much improved in the Cloud (CSA, 2009), and it remains a challenge for the CSP and law
enforcement to maintain the same segregation throughout the whole investigation process without breaching
the confidentiality of other tenants sharing the same infrastructure, while ensuring the admissibility of
the evidence.
Another issue is that the easy-to-use feature of cloud models results in a weak registration system,
facilitating anonymity that is easily abused. This makes it easier for cloud criminals to conceal
their identities, and harder for investigators to identify and trace suspects as well as to segregate
evidence.
Moreover, encryption is used in the Cloud to separate data hosting of the CSPs and data usage of
the cloud customers and most of the major CSPs encourage customers to encrypt their sensitive
data before uploading to the Cloud if encryption is not provided by the CSP by default (Amazon,
2010; Force.com, 2010; Google, 2010). Unencrypted data in the Cloud can be considered lost from
a strict security perspective. A chain of separation is required to segregate key management from
the CSP hosting the data, and needs to be standardized in contract language. Agreement has to be
reached among law enforcement, the cloud customer and the CSP on granting access to the keys of
forensic data; otherwise evidence can be easily compromised when the encryption key is destroyed.
3.4 Challenges in virtualized environments
Cloud computing claims to provide data and compute redundancy by replicating and distributing
resources. However in reality most CSPs implement instances of a cloud computer environment in
a virtualized environment. Instances of servers run as virtual machines, monitored and provisioned
by a hypervisor. The hypervisor in a Cloud is analogous to a kernel in the traditional operating
system. Attackers will aim to focus their attacks against the hypervisor; compromise of the
hypervisor amplifies any attack as many compute resources rely on its security. For law
enforcement and cloud investigators, however, there is a huge lack of policies, procedures and
techniques on hypervisor level to facilitate investigation.
In the Cloud, mirroring data for delivery by edge networks, its redundant storage in multiple
jurisdictions and the lack of transparent real-time information about where data is stored introduces
difficulties for investigation. Investigators may unknowingly violate regulations, especially if clear
information is not provided about the jurisdiction of storage (ENISA,2009). The CSPs cannot
provide tools for the customer to locate at a given time, or trace at a given period of time, precisely
and physically the multiple locations of a piece of data across all the geographical regions where
the Cloud resides. Furthermore, the distributed nature of cloud computing forces a stronger
international collaboration between law enforcement and industry, in cases such as confiscating “a
Cloud” since the agency of a single nation cannot manage it when the physical servers are spread
across different countries.
3.5 Challenges in internal staffing
Today most cloud organizations are dealing with investigations with traditional network forensic
tools and staffing, or are simply neglecting the issue. The major challenge in establishing a cloud
forensic organizational structure is the lack of forensic expertise and relevant legal experience. The
deep-rooted reasons for this challenge, which is also a challenge for the whole discipline of digital
forensics, are firstly, the relatively slow progress of forensic research compared to the rapidly
evolving technology, and secondly, the slow progress of relevant laws and international regulations.
With only a decade of research and development, the discipline of digital forensics is still in its
infancy, new forensic research areas in non-standard systems (Beebe, 2009), such as cloud
computing, need to be explored, techniques need to be developed, regulations need to catch up,
law advisors need to be trained, staff need to be equipped with new knowledge and skills to deal
with the new grounds for cyber crimes created by the rapid rise of new models such as cloud
computing.
3.6 Challenges in external chain of dependency
As mentioned in the organizational dimension of cloud forensics, CSPs and most cloud
applications often have dependencies on other CSPs. For example, a CSP providing an email
application (SaaS) may depend on a third-party provider to host log files (PaaS), who in turn may
rely on a partner to provide the infrastructure on which the log files are stored (IaaS). Although many
predict that the industry is moving towards a federated or integrated Cloud in the near future, today
every CSP has a different approach to solving this problem, and correlation of activities across CSPs
is a major challenge. An investigation along the chain of dependencies between CSPs may depend on
the investigation of each link in the chain and on the level of complexity of the dependencies. Any
interruption or corruption in the chain, or a lack of coordination of responsibilities between the
parties involved, can lead to problems. Currently there are no tools, procedures, policies or
agreements regarding cross-provider forensic investigations.
3.7 Challenges regarding SLA
Important terms regarding forensic investigations are not included in the SLA at the moment. This
is because there is a lack of customer awareness, a lack of CSP transparency and a lack of
international regulations. Most cloud customers are still not aware of the potential issues that might
arise regarding forensic investigations in the Cloud, or of their significance. The consequence is that
they might end up knowing nothing at all about what has happened in the Cloud when their data is
lost through criminal activity, and have no right to claim any compensation. CSPs are not willing to
ensure transparency to their customers regarding forensic investigations because they either do not
know how to investigate cloud crimes themselves, or the methods and techniques they use are likely
to be problematic in the highly complex and dynamic multi-jurisdiction, multi-tenancy cloud
environment. The progress of any law and regulation, including the law and regulation of cyber
crime, is very slow, while cloud computing is rapidly emerging as a new battlefield of cyber crime
for hackers equipped with the most up-to-date techniques, for investigators, for law enforcement and
for the various cloud organizations.
3.8 Challenges regarding multi-jurisdiction and multi-tenancy
The legal challenges of multi-jurisdiction and multi-tenancy concern the differences among the
legislation of all the countries (or states) in which the Cloud and its customers reside. The differences
between jurisdictions affect issues such as: what kind of data can be accessed and retrieved in the
jurisdiction(s) where the physical machine(s) from which the data is accessed and retrieved are
located; how to conduct evidence retrieval without breaching the privacy or privilege rights of tenants
under the privacy policies and regulations of the organizations and of the specific jurisdiction where
multiple tenants’ data is located; what kind of evidence is admissible in court in the specific
jurisdiction; and what kind of chain of custody is needed for evidence preservation in the
jurisdiction(s) through which forensic data has passed during an investigation in the Cloud.
Multi-jurisdiction issues also concern the lack of a legislative mechanism that facilitates
collaboration between industry and law enforcement around the world, in cases such as resource
seizure, cloud confiscation, evidence retrieval, data exchange between countries, etc.
4. Opportunities
4.1 Cost Effectiveness
Everything is less expensive when implemented on a larger scale, including security and forensic
services. Cloud computing is currently very attractive to SMEs (Small and Medium Enterprises)
due to its cost advantage, which also applies to forensic implementations. SMEs that cannot afford
dedicated internal or external forensic implementations or services may obtain an upgrade at
relatively low cost when adopting cloud computing.
4.2 Data Abundance
Amazon S3 and Amazon SimpleDB ensure object durability by storing objects multiple times
across multiple Availability Zones on the initial write and then actively performing further replication
in the event of device unavailability or detected bit-rot, to reduce the risk of a single point of failure
(Amazon, 2010). The data abundance generated in the Cloud is helpful to investigations, because full
data deletion cannot be guaranteed and investigators can take advantage of this to recover data as
evidence. Scaled up to the Cloud, a request to delete a cloud resource can technically never result in
true wiping of the data; full data deletion may only be guaranteed by destroying the resource, which
is shared with other cloud tenants. Thus pieces or segments of data that are crucial to an investigation
are very likely to remain somewhere in the Cloud for investigators to discover.
4.3 Overall Robustness
Some cloud technologies help to improve the overall robustness of forensics in the Cloud.
For example, Amazon S3 generates an MD5 hash automatically when an object is stored, so, in
theory, cloud customers do not need to look for external tools to generate time-consuming MD5
checksums. IaaS offerings support on-demand cloning of virtual machines. As a result, in the event of
a suspected security breach, the customer can take an image of a live virtual machine for offline
forensic analysis, leading to less downtime for analysis. Multiple clones can also be created and
analysis activities parallelized to reduce investigation time. This improves the analysis of security
incidents and increases the probability of tracking attackers and patching weaknesses. Amazon S3
allows customers to use “Versioning” to preserve, retrieve, and restore every version of every object
stored in an S3 bucket. An Amazon S3 bucket can also be configured to log access to the bucket and
the objects within it. The access log contains details about each access request, including the request
type, the requested resource, the requester’s IP address, and the date and time of the request
(Amazon, 2010). All of these can be used to investigate abnormal incidents and application failures.
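The two S3 features this section relies on, bucket access logging and the automatic MD5 ETag, as an added example that is not from the paper or from Amazon: a parser for S3 server access log records, a triage pass over them that flags object deletions and requests from outside a trusted address set, and an integrity check that compares object bytes with the ETag but refuses to vouch for a multipart ETag, which is not an MD5 of the whole object. The column order follows Amazon's documented log layout; the bucket name, keys, addresses and request IDs in the sample lines are constructed.

```python
"""Triage of S3 server access logs and an MD5/ETag integrity check.
Added example; the log lines are constructed samples, not real data."""
import hashlib
import re
from collections import Counter, defaultdict
from datetime import datetime

# Column names of an S3 server access log record (first 18 columns).
# Newer records append more columns; the parser keeps those as "extras".
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turnaround_time", "referrer",
    "user_agent", "version_id",
]

# One token is a bracketed timestamp, a double-quoted group, or a bare word.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def parse_access_log_line(line):
    """Split one access log record into a dict keyed by FIELDS."""
    tokens = [t.strip('[]"') for t in _TOKEN.findall(line)]
    if len(tokens) < len(FIELDS):
        raise ValueError("record has too few columns: %r" % line)
    rec = dict(zip(FIELDS, tokens))
    rec["extras"] = tokens[len(FIELDS):]
    # S3 writes the time as dd/Mon/yyyy:HH:MM:SS +0000.
    rec["timestamp"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def triage(lines, trusted_ips):
    """Summarise who did what and pull out the evidence-relevant events.

    Returns per-IP operation counts, the list of delete requests (with
    versioning on, the deleted data survives as a prior version and can be
    restored), and every request made from outside the trusted IP set.
    """
    per_ip = defaultdict(Counter)
    deletes, untrusted = [], []
    for line in lines:
        rec = parse_access_log_line(line)
        per_ip[rec["remote_ip"]][rec["operation"]] += 1
        if rec["operation"].startswith("REST.DELETE."):
            deletes.append((rec["timestamp"], rec["remote_ip"],
                            rec["key"], rec["version_id"]))
        if rec["remote_ip"] not in trusted_ips:
            untrusted.append((rec["timestamp"], rec["remote_ip"],
                              rec["operation"], rec["key"]))
    return {"per_ip": {ip: dict(c) for ip, c in per_ip.items()},
            "deletes": deletes, "untrusted": untrusted}


def etag_matches(content, etag):
    """Compare object bytes with the ETag S3 returned when it was stored.

    True/False for a single-part upload, whose ETag is the hex MD5 of the
    object. None when the ETag ends in '-N' (multipart upload): that value is
    an MD5 over the parts' MD5s and cannot be checked from the whole object
    alone. Objects encrypted with SSE-KMS or SSE-C are not plain MD5 either.
    """
    tag = etag.strip('"')
    if "-" in tag:
        return None
    return hashlib.md5(content).hexdigest() == tag


# Constructed sample records: an owner uploads and reads a report from a
# trusted address; later an unknown address deletes it and lists the bucket.
SAMPLE_LOG = [
    'OWNERID examplebucket [12/Mar/2011:09:15:02 +0000] 198.51.100.7 OWNERID '
    'REQ1 REST.PUT.OBJECT reports/q1.pdf "PUT /reports/q1.pdf HTTP/1.1" 200 - '
    '- 52314 41 12 "-" "aws-cli/1.0" -',
    'OWNERID examplebucket [12/Mar/2011:09:16:45 +0000] 198.51.100.7 OWNERID '
    'REQ2 REST.GET.OBJECT reports/q1.pdf "GET /reports/q1.pdf HTTP/1.1" 200 - '
    '52314 52314 30 9 "-" "aws-cli/1.0" -',
    'OWNERID examplebucket [12/Mar/2011:23:41:10 +0000] 203.0.113.45 OWNERID '
    'REQ3 REST.DELETE.OBJECT reports/q1.pdf "DELETE /reports/q1.pdf HTTP/1.1" '
    '204 - - - 22 - "-" "curl/7.19" -',
    'OWNERID examplebucket [12/Mar/2011:23:41:30 +0000] 203.0.113.45 OWNERID '
    'REQ4 REST.GET.BUCKET - "GET /?prefix=reports HTTP/1.1" 200 - 1450 - 18 - '
    '"-" "curl/7.19" -',
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, trusted_ips={"198.51.100.7"})
    for ip, ops in result["per_ip"].items():
        print(ip, ops)
    for event in result["deletes"]:
        print("DELETE:", event)
    for event in result["untrusted"]:
        print("UNTRUSTED:", event)
    print(etag_matches(b"hello", '"5d41402abc4b2a76b9719d911017c592"'))
```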
4.4 Scalability and Flexibility
Cloud computing allows scalable and flexible usage of resources, which also applies to forensic
services. For example, it can provide unlimited pay-per-use storage of logs, allowing more
comprehensive logging without compromising performance. It can also massively increase the
efficiency of indexing, searching and various queries over the logs. Cloud instances can be scaled as
needed based on the logging load. Furthermore, forensic activities only take place when incidents
happen, which can take full advantage of the cost-effectiveness of cloud computing. Customers
have the choice to build their own dedicated forensic server(s) in the Cloud, ready to use only when
needed.
4.5 Standards and Policies
Forensics has often been an after-thought as technology develops, creating many so-called
bandage solutions and ad-hoc solutions (Meyers and Rogers, 2004). Cloud computing is a
transformative technology which is changing the way IT is managed and generating a new wave of
innovation. Cloud computing is still at an early stage, and this is a unique opportunity to lay a
foundation of standards and policies for cloud forensics that will evolve together with the
technology until it matures.
4.6 Forensics-as-a-Service
The concept of “Security as a Service” is emerging in cloud computing. For example, research has
shown the advantages of a cloud platform for large-scale forensic computing (Roussev et al., 2009)
and of cloud-based anti-virus software (Oberheide et al., 2008). The emerging delivery models
include established information security vendors changing their delivery methods to include
services delivered through the Cloud, and start-up information security companies that act as pure
CSPs, providing security only as a cloud service and no traditional client/server security products
for networks, hosts and/or applications. Likewise, “Forensics as a [Cloud] Service” can be developed
in the same way, making use of the massive computing power to facilitate cyber criminal
investigations at all levels.
5. Future work and conclusions
The rise of cloud computing is pushing digital forensics towards a new horizon. Many existing
challenges are exacerbated in the Cloud, including jurisdictional issues and the lack of international
collaboration, while the new environment also brings unique opportunities for foundational
standards and policies. Cloud computing is a new battlefield of cyber crime, as well as new
ground for novel investigative approaches. Cloud forensics is a new area of research; much remains
to be done, and this paper merely signposts the way forward.
6. References
Amazon (2010) Amazon Web Services: Overview of Security Processes.
Beebe, N. (2009) ‘Digital forensic research: The good, the bad and the unaddressed’. Advances in Digital Forensics V: pp. 17-37.
Broadhurst, R. (2006) ‘Developments in the global law enforcement of cyber-crime’. Policing: International Journal of Police Strategies and Management, Vol. 20, No. 3: pp. 408-433.
Casey, E. (2000) Digital Evidence and Computer Crime. Academic Press.
Cloud Security Alliance [CSA] (2009) Security Guidance for Critical Areas of Focus in Cloud Computing V2.1.
Digital Forensic Research Workshop [DFRWS] (2001) A Road Map for Digital Forensic Research.
EurActiv (2011) Cloud computing: A legal maze for Europe. EurActiv, February 11.
European Network and Information Security Agency [ENISA] (2009) Cloud Computing: Benefits, risks and recommendations for information security.
F5 Networks and Applied Research West (2009) The 2009 F5 cloud computing survey.
Federal Bureau of Investigation [FBI] (2008) Regional Computer Forensics Laboratory (RCFL) Program Annual Report for Fiscal Year 2007.
Foley, J. (2010) Federal agencies shift into cloud adoption. Information Week, June 14.
Force.com (2010) Secure, private, and trustworthy: enterprise cloud computing with Force.com.
Gartner (2009) Worldwide Cloud service revenue will grow 21.3 percent in 2009.
Gens, F. (2008) IT Cloud services forecast 2008 to 2012: A key driver of new growth. IDC.
Google (2010) Security Whitepaper: Google Apps Messaging and Collaboration Products.
INPUT (2009) Evolution of the Cloud: The future of cloud computing in government.
Kent, K., Chevalier, S., Grance, T., Dang, H. (2006) NIST Guide to Integrating Forensic Techniques into Incident Response. NIST.
Liles, S., Rogers, M., Hoebich, M. (2009) ‘A survey of the legal issues facing digital forensic experts’. Advances in Digital Forensics V: pp. 267-277.
Mell, P., Grance, T. (2009) The NIST Definition of Cloud Computing, Version 15. NIST.
Merrill Lynch (2008) The Cloud wars: $100+ billion at stake.
Meyers, M., Rogers, M. (2004) ‘Computer forensics: The need for standardization and certification’. International Journal of Digital Evidence, Vol. 3, No. 2.
Oberheide, J., Cooke, E., Jahanian, F. (2008) ‘CloudAV: N-Version Antivirus in the Network Cloud’. In Proceedings of USENIX Security 2008: pp. 91-106. July 2008, San Jose.
Perry, R., Hatcher, E., Mahowald, R.P., Hendrick, S.D. (2009) Force.com Cloud platform drives huge time to market and cost savings. IDC.
Roussev, V., Wang, L., Richard, G., Marziale, L. (2009) ‘A cloud computing platform for large-scale forensic computing’. Advances in Digital Forensics V: pp. 201-215.