Conference Paper

Forensics in the Cloud: A Literature Analysis and Classification

Article
This paper presents the LogDrive framework for mitigating the following problems of storage forensics in Infrastructure-as-a-Service (IaaS) cloud environments: volatility, increasing volume of forensic data, and anti-forensic attacks that hide traces of incidents in virtual machines. The proposed proactive data collection function of virtual block devices mitigates the problem of volatility within the cloud environments and enables a time-traveling investigation to reveal overwritten or deleted evidence files. We employ a sector-hash-based file detection method with random sampling to search for an evidence file in the record of the write logs of the virtual storage. The problem formulation, the investigation context, and the design with five algorithms are presented. We explore the performance of LogDrive through a detailed evaluation. Finally, a security analysis of LogDrive is presented based on the STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege) threat model and related work. We posted the source code of LogDrive on GitHub.
Article
Nowadays, cloud computing has become an emerging and widely used technology throughout the world on account of its dynamic, reliable and customizable quality of service. However, at the same time, the security problem of the cloud environment has attracted more and more attention from academia and industry. Among the many concerns regarding cloud computing security, digital forensics is a hot topic. Compared with traditional digital forensics on common digital devices and hardware, it is difficult to implement digital forensics in the cloud because it is very hard to collect logs from the cloud environment. In this paper, we try to design a new system to address the issue of digital forensics in the cloud environment. We use a new architecture to help investigators perform the log collection. Firstly, a Host-based Intrusion Detection System (HIDS) is introduced to secure the data in the cloud from malicious attacks by intruders. Then, based on the feedback results of the HIDS, a web server generates email alerts and Secure Shell (SSH) messages to restrict further suspicious activities. Finally, the digital forensic investigators can collect reliable evidence on the suspected user. In this way, HIDS and log collection will be a significant part of digital forensics in the cloud environment.
Conference Paper
A service level agreement (SLA) is usually signed or exchanged between two or more parties on mutually agreed terms. The terms and conditions are related to the nature of the services provided, with defined quality, expectations and remedies in case of unsatisfactory performance of services. Management of SLAs happens to be very crucial for the success of web services as well as cloud services, especially where a consumer demands a cloud service that cannot be provided by a single service provider. At the same time, aggregation of services may not be possible due to distributed resources among various data centers adhering to various qualities of service. The problem becomes specific if the SLA is required to cover the planning and preprocessing of digital evidence collection as part of Digital Forensics-as-a-Service (DFaaS). The SLA in that case requires not only certain preprocessing but also some particular customizations as per the nature of the services. The problem calls for a solution in terms of a comprehensive framework that allows dynamic, inter-operable, compatible hybrid cloud and/or multi-cloud, which are mostly aggregated cloud services. Any such cloud services are based on mainly two mechanisms:
• Multi-component based services and
• Multi-channelized composed services
A framework has been proposed to show a cloud service as an intermediary between the consumer and a series of cloud service providers that is capable of providing DFaaS.
Conference Paper
Cloud computing is playing an increasingly important role in the service provisioning domain given the economic and technological benefits it offers. The popularity of cloud services is so immense such that any failure on their part leads to serious consequences on the population at large. Service failures cause the Service Level Agreement (SLA) between cloud service provider and service subscriber to be violated, leading to financial losses and reputation hit for the subscriber. Even when the latter is entitled to claim compensation from the provider, they are still left with the burden of constructing proof which requires capturing and preserving relevant data. This process is typically manual, expensive and time-consuming. To address this problem, we first analyse the enforcement of cloud SLAs and identify main properties that a solution ought to have. We subsequently propose a method, based on the concept of fair exchange, and show that our approach enforces cloud SLA
Article
The rapid growth of raw data volume requiring forensic processing has become one of the top concerns of forensic analysts. At present, there are no readily available solutions that provide: a) open and flexible integration of existing forensic tools into a processing pipeline; and b) a scale-out architecture that is compatible with common cloud technologies. Containers, lightweight OS-level virtualized environments, are quickly becoming the preferred architectural unit for building large-scale data processing systems. We present a container-based software framework, SCARF, which applies this approach to forensic computations. Our prototype demonstrates its practicality by providing low-cost integration of both custom code and a variety of third-party tools via simple data interfaces. The resulting system fits well with the data-parallel nature of most forensic tasks, which tend to have few dependencies that limit parallel execution. Our experimental evaluation shows that for several types of processing tasks, such as hashing, indexing and bulk processing, performance scales almost linearly with the addition of hardware resources. We show that the software engineering effort to integrate new tools is quite modest, and all the critical task scheduling and resource allocation are automatically managed by the container orchestration runtime (Docker Swarm, or similar).
Conference Paper
The Internet of Things (IoT) is the interconnection of uniquely identifiable embedded computing devices within the existing Internet infrastructure. Typically, the Internet of Things (IoT) is expected to offer advanced connectivity of devices, systems, and services that goes beyond machine-to-machine communications (M2M) and covers a variety of protocols, domains, and applications. The interconnection of these embedded devices, including smart objects, is expected to usher in automation in nearly all fields, while also enabling advanced applications like a Smart Grid. The main research challenge in the Internet of Things (IoT) for forensic investigators is based on the size of the objects of forensic interest, relevancy, blurry network boundaries and edgeless networks, especially regarding the method for conducting the investigation. The aim of this paper is to identify the best approach by designing a novel model to conduct investigation situations for digital forensic professionals and experts. There were existing research works that introduced models for identifying the objects of forensic interest in investigations, but there was no rigorous testing for accepting the approach. In this work, an integrated model is designed based on the triage model and the 1-2-3 zone model for volatile-based data preservation.
Conference Paper
Acquiring data from cloud storage services has become increasingly important to digital forensic investigations. As more providers offer greater online storage facilities and user data is synchronised across multiple devices, an abundance of data sources has become available to assist with forensic investigations. However, such data can only become evidence when there is a thorough understanding of the data dynamics between client devices and the cloud, and there are explanations for any variations. This paper documents and analyses the artefacts created by interactions between Apple's cloud service, email, and contacts applications. An explanation of why some artefacts synchronised over the cloud do not have matching cryptographic hashes is offered, and the ability to establish email origin on a system of multiple devices sharing a single account is established.
Article
Forensic investigation in cloud computing systems faces various legal, technical and organizational challenges. In this work, we focus on the technical issues of cloud forensics, specifically event correlation, a technique used to expose the relation between two or more cloud events. Event correlation in the cloud is still at a relatively early stage. We categorize cloud event correlation into two stages. In the first stage, we consider the events from the perspective of a single artifact and perform correlation (homogeneous correlation). In the second stage, we collect the events from multiple artifacts and then perform correlation (heterogeneous correlation). The proposed approach helps automate the detection of incidents from cloud evidence and also speeds up the event interpretation process for the investigator.
Conference Paper
Digital forensics is becoming very challenging in a cloud computing environment because of three main reasons: 1) highly distributed systems under multiple jurisdictions, 2) Big Data handling and 3) lack of forensic services. Due to these obstacles, all digital investigations are becoming time-consuming, which makes the solutions more expensive. Cloud computing is capable of handling these challenges, but it lacks architectural-level support for forensic analysis that can meet all the legal requirements. Cloud providers cannot provide solutions to these challenges by offering forensic tools on the Software-as-a-Service (SaaS) model. In this paper, we propose a multi-tier cloud architecture for Forensics-as-a-Service (FaaS) capable of handling the aforementioned challenges and introducing new infrastructure-level forensic support from cloud providers. We will also discuss the improvement in time and cost efficiency of the overall investigation process.
Article
This paper exposes and explores the practical issues with the usability of log artefacts for digital forensics in cloud computing. Logs, providing detailed events of actions on a time scale, have been a prime forensic artefact. However, collection of logs for analysis from a cloud computing environment is a complex and challenging task, primarily due to the volatility, multi-tenancy, authenticity and physical storage locations of logs, which often results in jurisdictional challenges too. The diverse nature of logs, such as network logs, system logs, database logs and application logs, produces additional complexity in the collection and analysis for investigative purposes. In addition, there is no commonality in log architecture between cloud service providers, nor does the log information fully meet the specific needs of forensic practitioners. In this paper we present a practical log architecture framework and analyse it from the perspective and business needs of forensic practitioners. We prove the framework on ownCloud, a widely used open source platform. The log architecture has been assessed by validating it against the Association of Chief Police Officers Good Practice Guide for Computer-Based Electronic Evidence guidelines. Further validation has been done against the National Institute of Standards and Technology published report on Cloud Computing Forensic Challenges, i.e., NISTIR 8006. Our work helps forensic examiners and law enforcement agencies in establishing confidence in log artefacts and easy interpretation of logs by presenting them in a user-friendly way. Our work also helps investigators to build a collective chain of evidence, as well as Cloud Service Providers to provision forensics-enabled logging.
Article
Fog computing has emerged as a promising paradigm in overcoming the growing challenges (e.g., low latency, location awareness, and geographic distribution) arising from many real-world Internet of Things (IoT) applications, by extending the cloud to the network edge. With the widespread deployment of fog-assisted IoT applications, unprecedentedly huge volumes of network traffic from massive numbers of IoT devices would continuously arrive at the fog nodes. Archiving the network traffic can be highly beneficial to fog computing, as it forms the basis of forensics, monitoring, troubleshooting, and many other critical tasks. Such high value, however, constantly renders traffic archives a first-order target for experienced attackers. This mandates that the traffic archives be built in a trustworthy way and stay encrypted at rest. Security aside, it is yet highly desirable to retain the utility of the encrypted traffic archives, in particular by making them privately queryable. In this paper, we take the first research attempt and explore a new design point to delicately bridge trusted hardware and searchable encryption for building trustworthy, encrypted, yet queryable network traffic archives for fog-assisted IoT applications. We take a systematic approach to address several key challenges, which are unsolvable by synthesizing out-of-the-box techniques, from the ground up. Extensive evaluations show that our system can achieve a stable archiving throughput of 350 Mbps with one core, and saturate a 1 Gbps link with four cores; for a real trace, it outperforms a baseline system without any of our designs by over 110×.
Article
The advent of cloud computing has brought the computing power of corporate data processing and storage centers to lightweight devices. Software-as-a-service cloud subscribers enjoy the convenience of personal devices along with the power and capability of a service. Using logical as opposed to physical partitions across cloud servers, providers supply flexible and scalable resources. Furthermore, the possibility for multitenant accounts promises considerable freedom when establishing access controls for cloud content. For forensic analysts conducting data acquisition, cloud resources present unique challenges. Inherent properties such as dynamic content, multiple sources, and nonlocal content make it difficult for a standard to be developed for evidence gathering in satisfaction of United States federal evidentiary standards in criminal litigation. Development of such standards, while essential for reliable production of evidence at trial, may not be entirely possible given the guarantees to privacy granted by the Fourth Amendment and the Electronic Communications Privacy Act. Privacy of information on a cloud is complicated because the data is stored on resources owned by a third-party provider, accessible by users of an account group, and monitored according to a service level agreement. This research constructs a balancing test for competing considerations of a forensic investigator acquiring information from a cloud. © 2018 Adam J. Brown, William Bradley Glisson, Todd R. Andel, Kim-Kwang Raymond Choo
Chapter
A considerable number of cloud forensic systems and tools have been proposed in recent years. The trust issue of digital evidence, a significant security topic, is indispensable for cloud forensic systems. In this paper, we propose a different cloud forensic system: the Distributed Cloud Forensic System with Decentralization and Multi-participation (DCFS). The DCFS is set in an untrusted and multi-tenancy cloud environment, and it is assumed that cloud users, cloud employees, or forensic investigators can be dishonest. The DCFS, which is different from existing centralized cloud forensic systems, is a distributed and decentralized system that does not rely on any single node or any third party to obtain credible evidence from the cloud. Trust is divided among all participants in the DCFS, and these participants supervise each other. A distributed public ledger is maintained in the DCFS, and this ledger records all the proofs of forensic evidence along with other useful information. This ledger can enhance the credibility and integrity of forensic evidence to some degree and complete the chain of custody in a forensic investigation. The forensic evidence, which is provided by the cloud employees and presented to the court of law using the DCFS, will be more trustworthy.
Chapter
Software Defined Networking (SDN) is an increasingly common implementation for virtualization of networking functionalities. Although the security of SDNs has been investigated thoroughly in the literature, forensic acquisition and analysis of data remnants for the purpose of constructing digital evidence for threat intelligence has not received much research attention. This chapter first proposes a practical framework for forensic investigation in Openflow-based SDN platforms. Furthermore, due to the sheer amount of data that flows through networks, it is important that the proposed framework also implements data reduction techniques, not only for facilitating intelligence creation, but also to help with long-term storage and mapping of SDN data. The framework is validated through experimenting with two use cases on a virtual SDN running on Mininet. Analysis and comparison of Southbound PCAP files and the memory images of switches enabled successful acquisition of forensic evidential artefacts pertaining to these use cases. © Springer International Publishing AG, part of Springer Nature 2018.
Article
This study explores the challenges of digital forensics investigation in file access, transfer and operations, and identifies file operational and behavioral patterns based on timestamps—in both the standalone as well as interactions between Windows NTFS and Ubuntu Ext4 filesystems. File-based metadata is observed, and timestamps across different cloud access behavioral patterns are compared and validated. As critical metadata information cannot be easily observed, a rigorous iterative approach was implemented to extract hidden, critical file attributes and timestamps. Direct observation and cross-sectional analysis were adopted to analyze timestamps, and to differentiate between patterns based on different types of cloud access operations. Fundamental observation rules and characteristics of file interaction in the cloud environment are derived as behavioral patterns for cloud operations. This study contributes to cloud forensics investigation of data breach incidents where the crime clues, characteristics and evidence of the incidents are collected, identified and analyzed. The results demonstrate the effectiveness of pattern identification for digital forensics across various types of cloud access operations.
Article
Today is the era of the Internet of Things (IoT): millions of machines such as cars, smoke detectors, watches, glasses, webcams, etc. are being connected to the Internet. The number of machines that possess the ability of remote access to monitor and collect data is continuously increasing. This development makes, on the one hand, human life more comfortable and convenient, but on the other hand it also raises issues of security and privacy. Moreover, this development raises challenges for the digital investigator when IoT devices are involved in crime scenes. Indeed, current research in the literature focuses on security and privacy for IoT environments rather than on methods or techniques of forensic acquisition and analysis for IoT devices. Therefore, in this paper, we first discuss different aspects related to IoT forensics and then focus on the current challenges. We also describe forensic approaches for an IoT device, a smartwatch, as a case study. We analyze forensic artifacts retrieved from smartwatch devices and discuss the evidence found in alignment with the challenges in IoT forensics.
Article
Vehicular fog computing extends the fog computing paradigm to conventional vehicular networks. This allows us to support more ubiquitous vehicles, achieve better communication efficiency, and address limitations in conventional vehicular networks in terms of latency, location awareness, and real-time response (typically required in smart traffic control, driving safety applications, entertainment services, and other applications). Such requirements are particularly important in adversarial environments (e.g., urban warfare and battlefields in the Internet of Battlefield Things involving military vehicles). However, there is no one widely accepted definition for vehicular fog computing and use cases. Thus, in this article, we formalize the vehicular fog computing architecture and present a typical use case in vehicular fog computing. Then we discuss several key security and forensic challenges and potential solutions.
Conference Paper
IoT device forensics is a difficult problem given that manufactured IoT devices are not standardized, many store little to no historical data, and they are always connected, making them extremely volatile. The goal of this paper was to address these challenges by presenting a primary account of a general framework and practical approach we term Forensic State Acquisition from Internet of Things (FSAIoT). We argue that by leveraging the acquisition of the state of IoT devices (e.g. whether an IoT lock is open or locked), it becomes possible to paint a clear picture of events that have occurred. To this end, FSAIoT consists of a centralized Forensic State Acquisition Controller (FSAC) employed in three state collection modes: controller to IoT device, controller to cloud, and controller to controller. We present a proof of concept implementation using openHAB, a device-agnostic open source IoT device controller, and self-created scripts, to resemble an FSAC implementation. Our proof of concept employed an Insteon IP Camera as a controller-to-device test, an Insteon Hub as a controller-to-controller test, and a Nest thermostat for a controller-to-cloud test. Our findings show that it is possible to practically pull forensically relevant state data from IoT devices. Future work and open research problems are shared.
Article
Digital investigation in the cloud is challenging, but there are also opportunities for innovation in digital forensic solutions (such as remote forensic collection of evidential data from cloud servers, client devices and the underlying supporting infrastructure such as distributed file systems). This column describes the challenges and opportunities in cloud forensics.
Conference Paper
Multiple device ownership exponentially increases the volume and variety of data, with detrimental implications for digital forensic investigations. Several authors have proposed data reduction approaches in attempts to enhance the data acquisition and processing phases of the investigation process. Other works have aimed to take advantage of cloud computing's seemingly unlimited resources to leverage investigations. However, such approaches inadvertently affect the credibility of forensic evidence and its admissibility in a court of law, and degrade the efficiency of forensic processes. In this paper, we propose a novel approach which leverages current processes by focusing on augmenting computational and latency capabilities. To achieve this, we motivate a cloudlet-based digital forensic (DF) approach to complement existing cloud computing systems. Based on their proximity to end devices and remote DF investigation teams, our proposed solution effectively tackles the low-latency challenges present with the cloud alternative. In addition, configuring the cloudlet solution as the sole custodian of data ensures that investigators remain in control of their data, and hence can maintain a comprehensive evidence trail. Finally, we have also proposed a cloudlet-based DF resource optimization approach to facilitate upward and downward scaling of resources to cope with a variety of data sizes, multiple devices, and concurrent multiple cases.
Article
The pervasive nature of cloud-enabled big data storage solutions introduces new challenges in the identification, collection, analysis, preservation and archiving of digital evidence. Investigation of such complex platforms to locate and recover traces of criminal activities is a time-consuming process. Hence, cyber forensics researchers are moving towards streamlining the investigation process by locating and documenting residual artefacts (evidence) of forensic value from users' activities on cloud-enabled big data platforms, in order to reduce the investigation time and resources involved in a real-world investigation. In this paper, we seek to determine the data remnants of forensic value from the Syncany private cloud storage service, a popular storage engine for big data platforms. We demonstrate the types and the locations of the artefacts that can be forensically recovered. Findings from this research contribute to an in-depth understanding of cloud-enabled big data storage forensics, which can result in reduced time and resources spent in real-world investigations involving Syncany-based cloud platforms.
Chapter
The various advantages offered by the cloud computing business model have made it one of the most significant of current computing trends, alongside personal, mobile, ubiquitous, cluster, grid, and utility computing models. These advantages have created complex issues for forensic investigators and practitioners conducting digital forensic investigation in the cloud computing environment. In the past few years, many researchers have contributed to identifying the forensic challenges, designing forensic frameworks, and developing data acquisition methods for cloud computing systems. However, to date, there is no unique, universally accepted forensic process model for the cloud computing environment to acquire and analyze the data available therein. This paper contributes in three specific areas to expedite research in this emerging field. First is designing a digital forensic architecture for cloud computing systems; second is evidence source identification, segregation and acquisition; and finally methods for partial analysis of evidence within and outside of a virtual machine (VM).
Conference Paper
In recent times, cloud computing has become one of the essential computing paradigms. Several companies and organizations that aim to use cloud computing technology worry about the migration of their work to the cloud. This is due to data security issues, where cybercrimes represent a real problem for them because of the huge damage they can cause. This has led researchers and scientists to think about providing new procedures and strategies to fight and trace criminals and attackers. The process of performing cybercrime investigation in the cloud environment, including investigating crimes related to the cloud environment in a forensically sound manner, is known as cloud forensics. This process faces complex challenges due to the dynamic nature of cloud computing. In this paper, a cloud forensic strategy is proposed for assisting digital investigators and experts in investigating cybercrimes in an effective and efficient manner. The proposed strategy is based on a cloud computing platform that provides enormous processing and storage capabilities. This strategy can serve as a guide for digital investigators and practitioners to follow when performing investigations of cybercrimes.
Conference Paper
Cloud computing in recent years has become very popular and, indeed, many current applications are served from the cloud. Because the cloud architecture is based on virtual machines, VMs and VM management are quite important. Monitoring a large number of virtual machines is an important research topic. Since the establishment of the Personal Information Protection Act, there has been more attention focused on cloud security. Among cloud security topics, log analysis allows insight into virtual machine operation. If there are incidents, they need to be reported instantly in order to maintain information security. Consequently, log collection and real time warning systems are necessary. In this paper, we propose a distributed management architecture and evaluate its system performance. We also discuss the effects on the system due to bandwidth and background traffic ratios, VM numbers and transmission time using a set of simulations. The results show the proposed architecture not only saves time, but also reduces the load of log transmission for monitoring cloud services.
Conference Paper
Cloud computing offers applications and infrastructure at low prices and opens the possibility of criminal cases. The increasing number of criminal cases in the cloud environment has made investigators use the latest investigative methods for the forensic process. Similarly, attackers discover new ways to hide the sources of evidence. This may hinder the investigation process and is called anti-forensics. Anti-forensic attacks compromise the trust and availability of evidence. To defend against such attacks on forensic tools, anti-forensic techniques in the cloud environment have to be researched exhaustively. This paper explores the anti-forensic techniques in the cloud environment and proposes a framework for detecting anti-forensic attacks against the cloud forensic process. The framework provides an effective model for forensic investigation of anti-forensic attacks in the cloud.
Conference Paper
Recent attacks on the cloud environment highlight the necessity of conducting forensic investigations. But performing forensics in the cloud is different from the traditional environment. Confirming this, the National Institute of Standards and Technology (NIST) listed more than 65 challenges for cloud forensics. Even though the cloud is an XaaS provider, Forensics-as-a-Service was not included in that list. There are various technical, organizational and legal reasons for this. But performing an investigation in the cloud environment is practically possible only if support from the Cloud Service Provider (CSP) is made available. Our proposed model, FaaSeC, can extend the forensic support from the CSP and enable the CSP to provide Forensics-as-a-Service (FaaS) to the investigator.
Conference Paper
Digital evidence stored on digital devices plays an important role in a wide range of types of crime, including murder, computer intrusion, espionage, extortion and child pornography, as proof of a fact about what did or did not happen. However, digital information is fragile because it can be easily modified, copied, stored or destroyed. All digital evidence will be analyzed to determine the type of information stored in digital devices. The field of Digital Forensics is highly dependent on tools with more features. In our work, a Cloud Based Digital Forensic Tool (CBDFT) is developed for the acquisition, preservation, analysis and presentation of digital evidence. In this paper, to measure the functionality of various forensic tools, we have compared the results generated by CBDFT with other available tools like FTK, Encase, Recover My Files, Recuva, Blade, and Forensic Imager. These tools were examined in a fixed scenario to show the differences and capabilities of each tool.
Conference Paper
Although numerous research efforts have been carried out on the Internet of Things (IoT), little focus has been placed on how Digital Forensics (DF) techniques can be used to conduct Digital Forensic Investigations (DFIs) in IoT-based infrastructures. Up to this point, IoT has not fully adapted to DF techniques owing to the fact that the current DF tools and procedures are not able to meet the heterogeneity and distributed nature of IoT infrastructures. As a result, gathering, examining and analysing potential evidence from IoT environments that may be used as admissible evidence in a court of law poses a challenge to DF investigators and Law Enforcement Agencies (LEA). Therefore, the problem addressed is that, at the time of writing this paper, there currently exist no accepted DF frameworks that can help to conduct DFIs in an IoT-based environment. Based on this premise, the authors have proposed a generic Digital Forensic Investigation Framework for IoT (DFIF-IoT) that is able to support future IoT investigative capabilities with a degree of certainty. The proposed framework includes the following advantage: it complies with ISO/IEC 27043:2015, which is an international standard for information technology, security techniques, incident investigation principles, and processes. It is, therefore, the authors' opinion that if the proposed framework is successfully incorporated in future DF tool development, it will facilitate effective digital forensic crime investigation for IoT infrastructures.
Conference Paper
This work introduces a methodology for cloud accountability that assures system dependability in terms of availability and reliability. This assurance is provided relative to the cloud service level agreement. The presented methodology is guided by the NIST SP800-86 digital forensic model, which motivates the collection, examination and analysis of data from the cloud platform; the generated evidence, including logs and context, is reported to appropriate cloud agents. As part of this work, we present a novel approach to collecting digital evidence to support cloud-based system dependability, using the Virtual Machine Introspection (VMI) technique. Our VMI approach complements, as well as checks, the dependability metrics provided by the cloud service providers (CSPs) as evidence. This methodology, including the VMI approach, is particularly relevant since it provides a means of addressing the perceived lack of trust in cloud-based services towards cloud accountability. Our research focuses on applying an evidence-based methodology, the cloud accountability method, to cloud-based system engineering for assuring cloud agents of the dependability of cloud platforms.
Article
Cloud computing can be generally regarded as the technology enabler for the Internet of Things (IoT). To ensure the most effective collection of evidence from cloud-enabled IoT infrastructure, it is vital for forensic practitioners to possess a contemporary understanding of the artefacts from different cloud services and applications. In this paper, we seek to determine the data remnants from the use of the newer BitTorrent Sync applications (version 2.x). Findings from our research using mobile and computer devices running Windows, Mac OS, Ubuntu, iOS, and Android suggested that artefacts relating to installation, uninstallation, log-in, log-off, and file synchronisation could be recovered, which are potential sources of IoT forensics. We also extend the cloud forensics framework of Martini and Choo to provide a forensically sound investigation methodology for the newer BitTorrent Sync applications.
Conference Paper
Researchers in the field of cloud forensics need to move away from insisting on acquiring all data, as has historically been the case in computer forensics, and yet still be able to prove the accuracy, sufficiency and soundness of partially acquired data. Virtualization is considered to be one of the main pillars in providing cloud services. In some cases, investigators might end up having to rely on suspect Virtual Machine (VM) snapshots in the form of memory dumps and user activity logs. In these cases, the main challenge is to analyse these memory dumps without altering the evidence. In this paper, we propose a forensic process model based on the NIST model to examine private-cloud-based VM snapshots (e.g. XenServer). Moreover, we examined snapshots using existing digital forensic tools and were able to successfully acquire data without the need to transform the snapshot files.
Conference Paper
Cloud computing is a booming service oriented architecture which supports multiple tenants and users. It allows clients to use its infrastructure on a pay-per-use model. With the increasing popularity of cloud systems, cyber crimes on cloud systems are also on the rise. But there are no standardized methods established for performing digital forensic investigation on the cloud. Our paper focuses on forensic analysis of cloud systems with specific emphasis on the analysis of cloud service logs. One of the major issues with service logs in the cloud is that there is no segregation, as all events related to all tenants and users are logged together. Hence it is essential to group events relevant to specific users or tenants who are of interest to the investigation. This paper discusses event correlation techniques to group events logged by tenants of interest. OpenStack cloud is used for the testing and evaluation of the solution.
Conference Paper
Digital forensics is becoming an important feature for many embedded devices. In automotive systems, digital forensics involves multiple electronic control units (ECUs) used to support the connected and intelligent vehicle's technology. Digital evidence from these ECUs can be used in forensic investigation and analysis. Such a mechanism can potentially facilitate crash investigation, insurance claims and crime investigation. Issues related to forensics include the authenticity, integrity and privacy of the data. In this paper, the security of the forensic process and data in automotive systems is analysed. We propose an efficient, secure, privacy-preserving and reliable mechanism to provide a forensic data collection and storage process. A diagnostic application for smartphones, DiaLOG, is incorporated in the proposed process; it uses a secure protocol to communicate the collected forensic data to secure cloud storage. The proposed protocol for communicating forensic data is implemented to measure performance results and formally analysed using Scyther and CasperFDR, with no known attack found.