Cloud forensics: A research perspective


Sameera Almulla, Electrical and Computer Engineering, Khalifa University of Science, Technology and Research, U.A.E., sameera.almulla@kustar.ac.ae
Youssef Iraqi, Electrical and Computer Engineering, Khalifa University of Science, Technology and Research, U.A.E., youssef.iraqi@kustar.ac.ae
Andrew Jones, Information Security, Khalifa University of Science, Technology and Research, U.A.E.; Edith Cowan University, Australia; University of South Australia, andrew.jones@kustar.ac.ae

Abstract

Cloud computing and digital forensics are both developing topics, and researching them requires an understanding of the main aspects of both. In cloud computing it is necessary not only to understand its characteristics and its different service and deployment models, but also to survey the underpinning elements of cloud computing, such as virtualization and distributed computing, which are important in identifying its impact on current digital forensics guidelines and procedures. Unlike papers discussing the challenges and opportunities presented by cloud computing in relation to digital forensics, in this paper we discuss the underpinning cloud computing elements that are required to provide forensics-friendly cloud services. Furthermore, we suggest a set of questions that will aid in the process of cloud forensics analysis.

Keywords: cloud computing; digital forensics; distributed computing; virtualization; cloud forensics

I. INTRODUCTION

The complex structure of cloud computing and the lack of standardization in many aspects of the cloud, such as its definition, Service Level Agreements (SLAs) and data security, are obstacles faced by researchers in the field of digital forensics of cloud computing.
We define cloud forensics as a process to identify, preserve, collect, examine, analyze and present data available on the client, on the service provider's premises and on the combined channel or network, while preserving data integrity and maintaining the chain of custody. The UK Association of Chief Police Officers (ACPO) Good Practice Guide is a widely used guideline for law enforcement, both in the UK and in many other countries, when conducting digital forensics investigations. Pimlott [1] investigated the impact of cloud computing on these guidelines to ascertain whether they can be followed by digital forensics investigators to extract digital data from a cloud environment in a forensically sound manner. "Forensically sound" is normally interpreted as the process of obtaining an exact duplicate of the evidence without altering the original source. However, in cases where investigators must cause some changes, such as duplicating the main memory (live forensics), they must maintain a record of their actions.

As stated by Pimlott [1], it is only a matter of time before digital forensics has a role to play in the cloud. In fact, there are already several cases of attacks on information stored in cloud computing. For example, in January 2010, Google announced that its Single Sign-On software had been hacked [2]. In another incident [3], a hacker accessed Twitter's financial documents and other business information stored in a Twitter employee's Google account. It is clear that security breaches of cloud service providers are increasingly common.

The rest of this paper is organized as follows. In Section II, we review the background and related work. In Section III, we discuss the impact of virtualization and distributed computing on cloud forensics. In Sections IV and V, we analyze digital forensics in relation to cloud computing and propose a set of questions as a guide for cloud forensics analysis. We conclude the paper in Section VI.

II. BACKGROUND AND LITERATURE REVIEW

A. Digital Forensics

Digital forensics is [4] "the application of science to the identification, collection, examination and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody of data". Digital forensics must be based on scientifically sound methods and techniques that are acceptable in a court of law [5]. For the purposes of cloud forensics, we consider digital forensic procedures according to the six-stage model proposed in [6]:

Identification: determine the crime type, the software and hardware used by the suspect, and possible evidence locations;
Preservation: ensure evidence integrity;
Collection: extract an exact, bit-by-bit copy (image) of the required data;
Examination: study the collected data and its attributes;
Analysis: perform an in-depth, systematic search for evidence on suspect-owned devices in two ways, live and static system analysis;
Presentation: present the findings to either the organization's management or a court of law.

B. Cloud Computing

The US National Institute of Standards and Technology (NIST) defines cloud computing as "a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction" [7]. To analyze and study the impact of cloud computing on digital forensics, it is essential to understand its characteristics.

There are six main characteristics of cloud computing [7], namely on-demand self-service, ubiquitous network access, resource pooling and multi-tenancy, location independence, rapid elasticity and a pay-per-use business model. Resource pooling, multi-tenancy and service elasticity are considered significant challenges to digital forensics: searching for suspect-related information may result in a violation of the privacy of legitimate users' data.

With respect to the issues of digital forensics, there should be a clear understanding of the cloud computing service and deployment models [1], [8]. There are three main service models. First, Software as a Service (SaaS), with applications delivered as a service over the Internet. Second, Platform as a Service (PaaS), with the development platform provided as a service. Third, Infrastructure as a Service (IaaS), where the server(s), storage and hardware are delivered as a service. There are currently four deployment models for cloud computing, namely public, private, community and hybrid cloud [8]. The deployment models differ in the owner of the infrastructure, its location and who has access to it. In each deployment model, cloud services can be provided as SaaS, PaaS and IaaS. Fig. 1 visualizes the cloud computing characteristics, service models and deployment models [9].

Fig. 1: Visualized definition of cloud computing

The literature, as in [8], [10], [11], [12], [13] and [14], discusses the technical and legal challenges faced by digital forensic investigators. Next, we discuss the underpinning cloud computing elements that are required to provide forensics-friendly cloud services.

III. READINESS OF CLOUD COMPUTING FOR DIGITAL FORENSICS

The European Network and Information Security Agency (ENISA) [15] published a report recommending research in the area of digital forensics in cloud computing. ENISA recommends forensics and evidence-gathering mechanisms as a priority for enhancing cloud computing security.
To achieve this goal, this paper presents an in-depth discussion of the foundational elements of cloud computing and their impact on digital forensics, as a platform for researchers in this field. According to NIST [9], virtualization and distributed computing are the main enablers of cloud computing, as shown in Fig. 2.

Fig. 2: Structure of cloud computing and enabling technologies

A. Virtualization

One of the best-known Cloud Service Providers (CSPs) that depends on virtualization technology is Amazon.com. In 2011, a Russian hacker was arrested for performing Distributed Denial of Service (DDoS) attacks against both Amazon.com and eBay [16]. The attack had a significant impact on Amazon's customers, who were not able to conduct their online business services. Users of Amazon Elastic Compute Cloud (EC2) mainly depend on web services as the interface to their applications, which are hosted on Amazon's infrastructure.

In the context of digital forensics, the type of virtualization has a significant impact on the investigation. It can be hardware, software, desktop or computing resource virtualization [17]. The differences arise from the location and functionality of the Virtual Machine Manager (VMM), also called the hypervisor, which provides an abstraction layer between the physical hardware and the guest machines, known as Virtual Machines (VMs). As recommended by the Cloud Security Alliance (CSA) [8], from a security perspective the client must identify which type of virtualization the CSP uses in providing the services. Fig. 3 shows the virtualization layer and the client's and service provider's level of control in cloud computing. In all models, virtualization is under the control of the CSP; in other words, the VMM remains under the service provider's control and only the virtual instances are provided to the client. Virtual instances can be available independently of the service model. For example, in IaaS a powerful technology called snapshots can provide a virtual machine image. However, in the cases of PaaS and SaaS, the ability to access virtual instances for investigation is severely limited [18].

Impact on Digital Forensics

Increasing demands for computing resources and storage space have led to the development of virtual environments. As with many technologies developed with good intentions, individuals can use them to harm others or to hide their illicit activities.

a) Virtualization as a subject

Virtualization is a subject when the virtual environment is used to conduct a crime. For example, Nirbhay and Ajit [19] investigated a private cloud for Hosted Virtual Desktops (HVD) through simulations of two scenarios. The aim was to investigate whether current digital forensic procedures are adequate for use with cloud-oriented digital forensics techniques.

Fig. 3: Level of control between client and provider in each service model

Based on the findings, the authors concluded that current digital forensics procedures are applicable for identifying and extracting evidence from VMs that are configured with persistent storage. However, identifying and extracting evidence in a cloud configured as a multi-tenant architecture is not possible with current digital forensics procedures. The difference in the findings is not caused by the virtualization technology itself but by an inherent characteristic of the cloud structure, namely multi-tenancy.

b) Virtualization as a tool

Another approach is to utilize the virtual environment as a tool to perform digital forensics. Hay and Nance [20] discussed how to utilize the hypervisor or a Virtual Machine (VM) to monitor another running virtual instance and record its state. The authors discussed the ability of the built-in mechanism called Virtual Introspection (VI) to monitor the state of a virtual machine from either the Virtual Machine Monitor (VMM) or from a virtual machine other than the one being examined, in order to perform live forensics in a virtual environment.

B. Distributed Computing

Cloud computing is a generic and misleading term for researchers. In fact, to investigate issues of cloud forensics, researchers might use distributed computing and digital forensics as keywords. A Distributed File System (DFS) is an important technology required to manage storage, namely user files and their metadata. The proprietary Google File System (GFS) [21] and the open source Hadoop Distributed File System (HDFS) [22] are widely used DFSs. The latter was developed after Google published papers describing the GFS architecture, with slight differences in the naming of the components [22]. In 2012, Facebook, which owns one of the largest HDFS clusters, experienced a software bug that resulted in users' private messages being displayed on their public profiles [23]. This incident was the result of an internal system component failure, but it violated the privacy of Facebook's users. Understanding the DFS architecture aids not only system troubleshooting but also forensic investigation.

The GFS architecture consists of clusters, where each cluster contains a single master and multiple chunk servers. User files are divided into chunks of 64 MB and stored on the chunk servers. The master server maintains all file system metadata, including file and chunk namespaces, access control information, the mapping from each file to its chunks and the current location of the chunks. To maintain availability, the master is duplicated in shadow servers.

Impact on Digital Forensics

One of the fundamental skills of digital forensics examiners is to rebuild files from a range of file systems. In such a distributed environment, evidence is either content information located on the chunk servers, such as files, or non-content transactional information located on the master server, such as user logs, connection logs and metadata.

a) Distributed computing as a subject

Distributed computing is a subject when the distributed computing environment is used to conduct a crime. In [24], the authors examine the feasibility of developing a digital forensics acquisition tool for distributed file systems. They discuss the digital forensics acquisition processes for gathering both deleted and undeleted data from servers located either within or outside the investigator's jurisdiction. In conclusion, the authors emphasize the necessity of developing forensics-readiness-by-design approaches to handle cloud-based crime.

b) Distributed computing as a tool

Another approach is to utilize the distributed computing environment as a tool to perform digital forensics. Hegarty et al. [25] propose a distributed digital signature detection framework based on a cloud storage platform. It detects the presence of illicit files in cloud storage by signature detection.
The design of the framework and its implementation are discussed in the paper. The basic process of investigation is as follows: image the storage, compute the hash values of the files in the image and, finally, compare the generated hash values with the hash values of known target files, e.g. to distinguish system files from malware files.

Hence, a forensics-friendly cloud environment can be achieved by enhancing current virtualization and distributed computing methodologies. Given the heterogeneity of the cloud environment, researchers need to develop scientific approaches that will aid in developing cloud-forensics-readiness-by-design.

IV. DIGITAL FORENSICS IN RELATION TO CLOUD COMPUTING

Traditional digital forensics involves seizing the equipment and media of the suspected user, which allows the investigators to preserve, acquire, analyze and present the evidence in a forensically sound manner. The heterogeneous environment and the tremendous increase in storage size in cloud computing mean that these steps, on the client, network and CSP sides, will create significant challenges for conventional tools and techniques. In the case of cloud forensics, there is a high demand for the provision of pure and sufficient evidence to prove that a crime or incident did occur, and that evidence must be admissible in a court of law. The potential digital forensics artifacts in different physical or logical locations include the following (the investigators will not necessarily have access to all parties involved in the crime):

Table 1: Artifacts location table

Location   Possible source of evidence
Client     Host Intrusion Detection System (HIDS)
           Web content and browser logs
           Firewalls and access log
           Chat logs
           Application cache
Network    Access logs
           Transaction logs
           Packet content
           Header content
CSP        Firewall logs
           Admin access logs
           IDS and NetFlow data
           Data storage (in the case of an IaaS client)

In addition to the potential sources of evidence, there are several concepts, such as cloud crime types and where to perform the investigation (in or on the cloud), that can significantly assist researchers in this field.

A. Crime Type

Similar to computer crimes [26], any crime conducted using the cloud either as an object, a subject or a tool is considered a cloud computing crime [10], [11]. Cloud computing is an object when the CSP has been a crime target, e.g. Distributed Denial of Service (DDoS) attacks. It is a subject when the cloud environment is used to conduct a crime, e.g. identity theft, as discussed in Section I for the Google case [2]. Finally, the cloud is considered a tool when one cloud service is used to attack another service provider's network, e.g. a dark cloud.

B. Performing Investigations In the Cloud

Building a case based on evidence located in the cloud is considered an "in cloud" investigation. With current digital forensics methodologies, organizations must be aware of a CSP's incident response strategy, including incident identification, notification and recovery. Snapshots provide an image of the system at a specific point in time. They can be considered a rich source of evidence for services provided on the basis of either virtualization or distributed systems. However, given the current approaches to taking snapshots, their reliability and soundness for forensic purposes need to be investigated. As a proactive measure, cloud users should check the availability of offline snapshots of their virtual environment, together with the periods at which these snapshots are taken. For example, the Amazon Elastic Block Store (EBS) Boot Volume provides block-level storage services along with Elastic Compute Cloud (EC2) [27]. EBS provides snapshots of the user's storage.
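The following Python script is an added example, not code from the paper or from any provider or tool it cites. It carries out the investigation process described for the Hegarty et al. framework in Section III.B (image the storage, hash every file in the image, compare the hashes with those of known target files) over a small directory that stands in for an extracted snapshot, and it keeps the audit trail of examiner actions that the snapshot discussion in this section calls for, chaining each log entry to the previous one by hash so that later edits to the trail are detectable. The file names and contents, the examiner identifier and the "known" hash set are all constructed; fingerprinting the directory before and after the scan is one way to show that examination did not alter the acquired copy.

```python
"""Added example: hash-based known-file detection over an acquired image, with a
hash-chained custody log of examiner actions. Every input below is constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for a known-file hash database: SHA-256 -> label.
TARGET_CONTENTS = {b"ILLICIT-IMAGE-0001": "target set A", b"ILLICIT-IMAGE-0002": "target set A"}
KNOWN_HASHES = {hashlib.sha256(c).hexdigest(): label for c, label in TARGET_CONTENTS.items()}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large image does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only audit trail. Each entry commits to the previous entry's hash,
    so any later edit of the trail is detected by verify()."""

    def __init__(self, examiner: str):
        self.examiner = examiner
        self.entries = []

    def record(self, action: str, **details) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "examiner": self.examiner,
                 "action": action, "details": details, "prev_hash": prev}
        entry["entry_hash"] = sha256_bytes(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or sha256_bytes(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def file_hashes(image_dir: str) -> list:
    """Sorted (relative path, SHA-256) pairs for every file under image_dir."""
    pairs = []
    for root, _dirs, files in os.walk(image_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, image_dir).replace(os.sep, "/")
            pairs.append((rel, sha256_file(path)))
    return sorted(pairs)


def image_fingerprint(image_dir: str) -> str:
    """One digest over all paths and file hashes; recomputed after the scan to
    show that examination left the acquired copy unchanged."""
    return sha256_bytes(json.dumps(file_hashes(image_dir)).encode())


def scan_image(image_dir: str, log: CustodyLog) -> list:
    """Compare every file hash with KNOWN_HASHES; returns [(relative path, label)]."""
    pairs = file_hashes(image_dir)
    hits = [(rel, KNOWN_HASHES[h]) for rel, h in pairs if h in KNOWN_HASHES]
    log.record("scan_image", files_scanned=len(pairs), hits=[rel for rel, _ in hits])
    return hits


def build_constructed_image() -> str:
    """Write a tiny directory tree that stands in for an extracted snapshot (constructed)."""
    root = tempfile.mkdtemp(prefix="snapshot_")
    os.makedirs(os.path.join(root, "images"))
    samples = {"images/a.bin": b"ILLICIT-IMAGE-0001", "images/b.bin": b"holiday photo",
               "images/c.bin": b"ILLICIT-IMAGE-0002", "readme.txt": b"nothing to see"}
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    return root


def run_investigation(examiner: str = "examiner-01"):
    """Acquire (here: build) the image, fingerprint it, scan it, fingerprint it again."""
    log = CustodyLog(examiner)
    image_dir = build_constructed_image()
    log.record("acquire_snapshot", source="constructed snapshot", path=image_dir)
    before = image_fingerprint(image_dir)
    log.record("fingerprint_before", sha256=before)
    hits = scan_image(image_dir, log)
    after = image_fingerprint(image_dir)
    log.record("fingerprint_after", sha256=after, unchanged=(before == after))
    return hits, log


if __name__ == "__main__":
    found, trail = run_investigation()
    for rel, label in found:
        print(f"match: {rel} ({label})")
    print("custody log intact:", trail.verify())
```

Running the script prints the matched paths and whether the custody log still verifies. In practice the known-hash set would come from an agency's hash database and the directory from a mounted snapshot volume; the hash chaining only makes after-the-fact modification of the trail detectable, it does not replace signing the log or keeping it on write-once storage.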
In the case of cyber-attacks, a snapshot can later be analyzed offline without tampering with the original storage or disturbing the course of business. As stated in [28], when examiners have to access 'live' systems, capturing volatile data will result in changes to the target system. From our point of view, having both a consistent snapshot of the running system and an audit trail of the examiner's actions should minimize the chances of error.

C. Performing Investigations On the Cloud

Unlike conducting investigations in the cloud, using cloud computing resources to improve the investigation process can be considered a silver lining. Computer and network forensics can be provided as on-demand services, where investigators have as much storage and computing power as they need. Standby servers can be reserved for forensics, and the computational power can be used to speed up the analysis in areas such as searching, hashing and sorting evidence files. Recently, Dell has provided a forensics-as-a-service solution. Dell applies the digital forensics process and then utilizes the datacenter's capability to image seized devices on site to outsourced storage. It also provides a remote interface to EnCase and FTK to access and analyze the suspect data [29].

V. SCENARIO OF DIGITAL FORENSICS ANALYSIS FOR CLOUD BASED CRIMES

On the suspect's device, the examiners analyze the relevant items and explain when each was created, accessed, modified and deleted. Eventually, the examiners should be able to create a coherent timeline of events. Seizing the service provider's devices, such as servers, would not only affect business continuity and potentially violate legitimate users' privacy; it is also impractical to image petabytes of information and analyze it. An AccessData Forensic Toolkit (FTK) performance test report [30] stated that processing a 120 GB hard drive using top-of-the-line workstations would require around 5.5 hours. Similarly, analyzing a 2 TB hard drive would require around 85 hours. It is reasonable to conclude that analyzing digital evidence is extremely time consuming and that the larger the storage capacity, the greater the time required.

To the best of our knowledge, there is currently no set of questions that can be used as guidance for the cloud digital forensics process. Next, we propose an initial set of questions, which can be populated based on the findings of researchers and investigators. To better understand the cloud-based investigation process, we present a possible crime scenario and then analyze it based on the proposed questions.

Bob is a criminal who deploys cloud services to distribute illicit images. He purchased 2 TB of storage and a web server from CSP1. To manage, process and encrypt these images, he purchased an application from CSP2 and an email service from CSP3. Both CSP2 and CSP3 require login credentials. CSP2 uses the login password as a seed to generate an encryption key. A free trial of the service was also provided via a website, but with limited privileges. Only registered users receive a set of illicit images, delivered to their email accounts on a monthly basis. The Law Enforcement Agency (LEA) has been tipped off about the web site and wishes to stop the service and prosecute the offender(s).

What are the service providers' security policies toward digital forensics investigations?

The security policies should state the information required from users and its availability. For example, the CSP may preserve a user's personal and credit card information and encryption keys. Also, the incident handling policy should state the CSP's readiness to handle crime cases and the availability of a digital forensics team. Hence, investigators with the right authority can request an "exact copy" of the required evidence. In this particular scenario, the investigator has successfully identified the CSP and will be able to check the CSP's security and incident handling policies. The amount of information that can be retrieved will mainly depend on the service model provided (IaaS, PaaS or SaaS).

Does the crime involve cascaded CSPs?

The completeness of the gathered evidence is important to correctly create the timeline of events. In cases where a suspect consumes different services from different CSPs, identifying the involved CSPs will help in better synchronization of events. However, it is not an easy task for an investigator to pinpoint whether the criminal is using the services of multiple CSPs or of a single CSP. In the scenario, once an investigator analyzes the provided web services, he/she will be able to conclude that the criminal has used the services of another CSP to process and manage the images. Hence, this case involves cascaded providers.

What type of deployment and service model?

The potential amount of information available to the investigators changes according to the deployment and service models used [18]. For example, due to geographical locations and legal procedures, the investigation of a private cloud may be more flexible than that of a public cloud. Deployment models: according to the scenario, CSP1, CSP2 and CSP3 are public cloud service providers. Service models: CSP1 provides storage services, hence it is IaaS; CSP2 provides an application for image management and processing, hence it is PaaS; finally, CSP3 provides email services as SaaS, as illustrated in Fig. 2.

What is the type of cloud crime?

In conventional digital forensics, investigating a digital device used as a tool to conduct a crime is slightly different from investigating a device considered the subject of a crime. In the former case, the owner of the device might be innocent and his/her machine used as a tool by a third party. Similarly, it is important to identify the cloud crime type. According to the scenario, Bob used the cloud environment (CSP1, CSP2 and CSP3) to carry out the crime; hence the cloud is the subject of the investigation.

What is the type of the evidence (content, non-content), and what are the possible sources of evidence on the client, the combined channel and the CSP, as in Table 1?

Identifying the type of evidence is an implicit digital forensics process, and it is equally important in cloud-based crime cases.
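As an added example (not from the paper), the Python script below works through the non-content evidence that Table 1 lists on the CSP side, web-server access logs and NetFlow data, to reconstruct the communication sessions of each client and the time-ordered timeline of events that Section V asks the examiner to produce. The log lines, flow records, IP addresses, user names and paths are constructed; the Apache combined-log layout and the CSV column order of the flow export are assumptions, since real exports vary. Pairing the two sources matters because an access log records the response size, while the flow record carries the bytes actually transferred, so the volume of an upload shows up in the flows and not in the access-log size field.

```python
"""Added example: reconstruct client sessions and a timeline from constructed
web-server access-log lines and NetFlow records (CSP-side non-content evidence)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed access log of the suspect web server (Apache combined-log layout assumed).
ACCESS_LOG = """\
203.0.113.7 - bob [12/Mar/2012:09:14:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - bob [12/Mar/2012:09:14:20 +0000] "POST /upload HTTP/1.1" 201 512 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2012:09:15:01 +0000] "GET /trial HTTP/1.1" 200 2048 "-" "curl/7.21"
203.0.113.7 - bob [12/Mar/2012:09:16:45 +0000] "POST /upload HTTP/1.1" 201 768 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2012:09:17:30 +0000] "GET /members/archive.zip HTTP/1.1" 403 0 "-" "curl/7.21"
"""

# Constructed NetFlow export (column order assumed): start, src ip, src port, dst ip, dst port, proto, bytes.
NETFLOW = """\
2012-03-12T09:14:00Z,203.0.113.7,51022,192.0.2.10,443,6,1480
2012-03-12T09:14:19Z,203.0.113.7,51023,192.0.2.10,443,6,540210
2012-03-12T09:15:00Z,198.51.100.23,40001,192.0.2.10,443,6,3100
2012-03-12T09:16:44Z,203.0.113.7,51030,192.0.2.10,443,6,790440
2012-03-12T09:17:29Z,198.51.100.23,40002,192.0.2.10,443,6,900
"""

ACCESS_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')


def parse_access_log(text: str) -> list:
    """Access-log lines -> event dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                       "source": "access_log", "ip": m["ip"], "user": m["user"],
                       "path": m["path"], "status": int(m["status"])})
    return events


def parse_netflow(text: str) -> list:
    """NetFlow CSV rows -> event dicts carrying the bytes actually transferred."""
    events = []
    for line in text.splitlines():
        start, src, _sport, dst, dport, _proto, nbytes = line.split(",")
        ts = datetime.strptime(start, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "source": "netflow", "ip": src,
                       "dst": f"{dst}:{dport}", "bytes": int(nbytes)})
    return events


def build_timeline(*event_lists) -> list:
    """Merge all evidence sources into one time-ordered list of events."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: (e["ts"], e["source"]))


def reconstruct_sessions(timeline: list, idle_gap: timedelta = timedelta(minutes=5)) -> list:
    """Group events per client IP; a silence longer than idle_gap starts a new session."""
    by_ip = defaultdict(list)
    for e in timeline:
        by_ip[e["ip"]].append(e)
    sessions = []
    for ip, events in by_ip.items():
        current = None
        for e in events:
            if current is None or e["ts"] - current["end"] > idle_gap:
                current = {"ip": ip, "start": e["ts"], "end": e["ts"],
                           "users": set(), "requests": [], "bytes": 0}
                sessions.append(current)
            current["end"] = e["ts"]
            if e["source"] == "access_log":
                current["requests"].append((e["ts"], e["path"], e["status"]))
                if e["user"] != "-":
                    current["users"].add(e["user"])
            else:
                current["bytes"] += e["bytes"]
    return sorted(sessions, key=lambda s: s["start"])


def clients_for_path(sessions: list, path: str) -> list:
    """Client IPs whose sessions contain a request for the given path."""
    return sorted({s["ip"] for s in sessions if any(p == path for _, p, _ in s["requests"])})


if __name__ == "__main__":
    timeline = build_timeline(parse_access_log(ACCESS_LOG), parse_netflow(NETFLOW))
    sessions = reconstruct_sessions(timeline)
    for s in sessions:
        print(s["ip"], s["start"].isoformat(), s["end"].isoformat(), sorted(s["users"]),
              len(s["requests"]), "requests,", s["bytes"], "bytes on the wire")
    print("uploads came from:", clients_for_path(sessions, "/upload"))
```

The idle-gap rule is the usual way to cut a client's activity into sessions when the provider does not expose session identifiers; the value is an analyst choice and should be recorded in the case notes together with the time zone assumptions, since the access log carries a UTC offset while the flow export is assumed to be in UTC.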
Since LEA is striving to prosecute the offender, any possible source of evidence on the client machine may not be recoverable. We will discuss possible sources of evidence on the service provider's side. CSP1: Possible content information is the storage media that contains the potential illicit images. The NetFlow and access logs - non-content information - are required to reconstruct the communication sessions and to eventually get the client IP address. Furthermore, snapshots of the storage can be provided to the investigators. For example, Amazon Elastic Block Store (EBS) Boot Volume [27] provides storage services at a block level along with Elastic Compute Cloud (EC2). The key feature of EBS volume is off-line persistent storage independent of the live storage. CSP2: System state and application specific logs can be extracted through API s provided by CSP2. For example, in GFS, an index to the cached information file name, chunk index, cached file metadata, chunk handle and replica locations can be retrieved via extensive and detailed diagnostic logs [21]. CSP3: is SaaS, which mostly depends on the CSP1 system logging level. The credit card information such as the suspect s name and credit card number will, potentially, be recorded at both CSP1 and CSP2. Is the data encrypted? Investigating encrypted information is a complex process, where the investigators first have to obtain the encryption keys then forensically analyze the information. As soon as the investigators manage to collect the required information -evidence- especially the storage, it will quickly become evident if the storage is encrypted. In this case, investigators can either request access to the stored encryption key at CSP2 or possibly obtain it by analyzing the NetFlow and access logs. An estimation of the time required to acquire the source of evidence? 
Once the LEA has tipped off the service, they will issue a search warrant to the service providers to provide the information required by the LEA [30]. Identifying and gathering information will almost certainly consume more time in the case of cascaded services than in single CSP. What are the possible digital forensics tools that can be used and can the preferred tool handle the type of acquired data? If the current state-of-the-art tools can be used to analyze gathered evidence, it will save investigators time and effort. In the scenario, the collected evidence has defined file formats such as for illicit images. Hence, FTK and EnCase can be used to analyze the evidence. However, in the case of the bulk of binary files such as snapshot files, investigators will need to manually analyze the data and to create their own tools. In the cloud, the availability of massive storage capabilities can slow the process of indexing and keyword searches and as a result, utilizing a single workstation to examine the target environment might not be sufficient. Furthermore, the heterogeneity of the cloud environment and cascaded services may result in actions that are untraceable with the current digital forensics tools and process. In future research, we will address more complicated cases such as investigations on software uploaded by attackers. VI. CONCLUSION AND FUTURE WORK The low cost of services provided in cloud computing has pushed many users to adopt cloud based services. However, as awareness has increased among users with regard to the 5

importance of detailed security incident handling policies, the demand on service providers to add security solutions and frameworks onto existing services has increased. At the same time, there is an increasing need for forensically based cloud computing services. We have discussed the impact of enabling technologies such as virtualization and distributed computing in providing forensically ready cloud computing; this can be achieved by enhancing current virtualization and distributed computing methodologies. Given the heterogeneity of the cloud environment, investigators must identify a set of guidelines that can help throughout the investigation. In this paper, we have suggested a set of questions that are crucial for such investigations. As future work, and to better address the challenges of cloud forensics, a comprehensive real-life scenario will be constructed that covers different aspects and is supported by case studies. We will also develop a framework that supports the production of forensically sound evidence.

VII. REFERENCES
[1] L. Pimlott, "An Investigation of the Impact of Cloud Computing on the Association of Chief Police Officers (ACPO) Good Practice Guide for Computer-Based Electronic Evidence," University of Derby, 2010.
[2] J. Markoff, (2010), "Cyberattack on Google Said to Hit Password System," The New York Times. [Online]. Available: http://www.nytimes.com/2010/04/20/technology/20google.html?sudsredirect=true. [Accessed 07 2012].
[3] J. D. Sutter, (2009), "Twitter Hack Raises Questions About Cloud Computing," [Online]. Available: http://edition.cnn.com/2009/tech/07/16/twitter.hack/index.html. [Accessed 12 2012].
[4] K. Kent, S. Chevalier, and T. Grance, "Guide to Integrating Forensic Techniques and Incident Response," National Institute of Standards and Technology (NIST), 2006.
[5] W. Delport, M. Kohn, and M. S. Olivier, "Isolating a cloud instance for a digital forensic investigation," in Proc. of the Information Security for South Africa (ISSA), 2011.
[6] M. W. Andrew, "Defining a Process Model for Forensic Analysis of Digital Devices and Storage Media," in Proc. of the Second International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE), 2007.
[7] C. Furlani, "Cloud Computing: Benefits and Risks of Moving Federal IT into the Cloud," National Institute of Standards and Technology (NIST), US, 2010.
[8] CSA, "Security Guidance for Critical Areas of Focus in Cloud Computing," Cloud Security Alliance, 2009.
[9] NIST, (2012), "Definition of Cloud Computing," [Online]. Available: http://csrc.nist.gov/groups/sns/cloudcomputing/index.html. [Accessed 09 2012].
[10] K. Ruan, J. Carthy, T. Kechadi, and M. Crosbie, "Cloud forensics: An overview," in Proc. of the 7th IFIP International Conference on Digital Forensics, 2011.
[11] M. Taylor, J. Haggerty, D. Gresty and D. Lamb, "Forensic investigation of cloud computing systems," Network Security, no. 3, pp. 4-10, 2011.
[12] D. Stephen, "Overcast: Forensic discovery in cloud computing," in Proc. of the 5th International Conference on IT Security Incident Management and IT Forensics (IMF), 2009.
[13] D. Reilly, C. Wern, T. Berry, "Cloud computing: forensic challenges for law enforcement," in Proc. of the International Conference for Internet Technology and Secured Transactions (ICITST), 2010.
[14] S. Ahmed and M. Raja, "Tackling cloud security issues and forensics model," in Proc. of the High-Capacity Optical Networks and Enabling Technologies (HONET), 2010.
[15] ENISA, "Cloud Computing: Benefits, risks and recommendations for information security," European Network and Information Security Agency, 2009.
[16] S. Purewal, (2012), "Hacker Arrested for 2008 DDoS Attacks on Amazon.com," PCWorld. [Online]. Available: http://www.pcworld.com/article/259548/hacker_arrested_for_2008_ddos_attacks_on_amazon_com.html. [Accessed 02 2013].
[17] D. Barrett and G. Kipper, "Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environments," Elsevier, 2010.
[18] D. Birk and Ch. Wegener, "Technical challenges of forensics investigation in cloud computing environment," in Proc. of the 6th International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE), 2011.
[19] J. Nirbhay and N. Ajit, "Organizational preparedness for hosted virtual desktops in the context of digital forensics," in Proc. of the SECAU Security Congress, 2011.
[20] B. Hay and K. Nance, "Forensics examination of volatile system data using virtual introspection," ACM SIGOPS Operating Systems Review, vol. 42, no. 3, 2008.
[21] S. Ghemawat, H. Gobioff and Sh. Leung, "The Google File System," in Proc. of the Symposium on Operating Systems Principles (SOSP), 2003.
[22] T. White, "Hadoop: The Definitive Guide," O'Reilly, 2009.
[23] T. Spyridopoulos and V. Katos, "Requirements for a forensically ready cloud storage service," International Journal of Digital Crime and Forensics, vol. 3, no. 3, pp. 19-36, 2011.
[24] R. Hegarty, M. Merabti, Q. Shi and B. Askwith, "Forensics Analysis of distributed service oriented computing platforms," in Proc. of the 16th Annual Postgraduate Research Conference, 2011.
[25] S. Richmond, (2012), "Facebook flooded with complaints after messages 'bug'," The Telegraph. [Online]. Available: http://www.telegraph.co.uk/technology/facebook/9563855/facebook-flooded-with-complaints-after-messages-bug.html. [Accessed 02 2013].
[26] E. Casey, "Digital Evidence and Computer Crime," 2nd Edition, 2004.
[27] Amazon, (2010), "Elastic Block Store." [Online]. Available: http://aws.amazon.com/ebs/. [Accessed 04 2012].
[28] 7safe, "ACPO Good practice guide for computer based electronic evidence," 2010.
[29] Dell Corporation Limited, (2009), "Dell Press Releases." [Online]. Available: http://i.dell.com/sites/content/business/solutions/brochures/en/documents/digital-forensics-blueprint.pdf. [Accessed 04 2012].
[30] J. Dykstra and A. T. Sherman, "Understanding issues in cloud computing: Two hypothetical case studies," Digital Investigation, vol. 3, no. 1, pp. 19-31, 2011.
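Added worked example (not part of the paper) for the session-reconstruction step discussed in Section V: CSP1's access log and NetFlow records are correlated to recover the client IP behind an upload of one of the illicit images, and that IP is checked against CSP2's address range to tell whether the upload came through the cascaded provider rather than directly from the suspect's client. The log layouts, addresses, object keys and the CSP2 range are all constructed assumptions, not any provider's real format.

```python
"""Correlate CSP1 access-log entries with NetFlow records to recover the client IP
behind an upload and flag uploads that came via CSP2. All data is constructed."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed CSP1 access log: time, client IP, operation, object key, bytes
ACCESS_LOG = """\
2012-06-01T10:02:11Z 198.51.100.23 PUT img/0001.jpg 482133
2012-06-01T10:02:40Z 198.51.100.23 PUT img/0002.jpg 511902
2012-06-01T10:05:03Z 203.0.113.7 PUT img/0003.jpg 470211
2012-06-01T11:15:20Z 192.0.2.55 GET img/0001.jpg 482133
"""
# Constructed NetFlow export: start time, src IP, dst IP (CSP1), dst port, bytes
NETFLOW = """\
2012-06-01T10:02:09Z 198.51.100.23 192.0.2.10 443 483900
2012-06-01T10:02:38Z 198.51.100.23 192.0.2.10 443 513500
2012-06-01T10:05:01Z 203.0.113.7 192.0.2.10 443 471800
2012-06-01T10:30:00Z 198.51.100.23 192.0.2.10 443 1200
"""
CSP2_RANGE = ip_network("203.0.113.0/24")  # assumed CSP2 egress range (constructed)

def parse(text):
    rows = []
    for line in text.splitlines():
        t, *rest = line.split()
        rows.append((datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ"), *rest))
    return rows

def reconstruct_upload(object_key, window_s=5):
    """Find the PUT of object_key, then the client's flows to CSP1 within window_s s before it."""
    puts = [r for r in parse(ACCESS_LOG) if r[2] == "PUT" and r[3] == object_key]
    if not puts:
        return None  # no upload of that object recorded at CSP1
    t_log, client_ip = puts[0][0], puts[0][1]
    flows = [f for f in parse(NETFLOW)
             if f[1] == client_ip and f[3] == "443"
             and timedelta(0) <= t_log - f[0] <= timedelta(seconds=window_s)]
    return {
        "object": object_key,
        "client_ip": client_ip,
        "logged_at": t_log.isoformat(),
        "flow_bytes": [int(f[4]) for f in flows],
        # Uploader inside CSP2's range: the image reached CSP1 through the cascaded
        # provider, so CSP2's own API logs are needed to go one hop further back.
        "via_cascaded_provider": ip_address(client_ip) in CSP2_RANGE,
    }

if __name__ == "__main__":
    for key in ("img/0001.jpg", "img/0003.jpg"):
        print(reconstruct_upload(key))
```

The flow-to-log matching uses a short time window because access-log timestamps record request completion while NetFlow records flow start; on real exports the window and clock offsets between the two sources must be established first.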