Elsevier

Network Security

Volume 2011, Issue 3, March 2011, Pages 4-10
Feature
Forensic investigation of cloud computing systems

https://doi.org/10.1016/S1353-4858(11)70024-1

Cloud computing describes a computing concept where software services, and the resources they use, operate as (and on) a virtualised platform across many different host machines, connected by the Internet or an organisation's internal network. From a business or system user's point of view, the cloud provides, via virtualisation, a single platform or service collection in which it can operate.

Cloud computing is a new concept in the distributed processing of data and is likely to make computer forensic evidence acquisition and evidence analysis increasingly complex.

Currently there do not appear to be any published guidelines that specifically address the conduct of computer forensic investigations of cloud computing systems. In order to understand and analyse evidence within this environment, computer forensics examiners will require a broader range of technical knowledge across multiple hardware platforms and operating systems. Dr Mark Taylor et al examine the issues concerning the forensic investigation of cloud systems.

Section snippets

Exposure to threats

Cloud computing involves potentially greater exposure to security threats and privacy breaches, especially when the cloud is based on the Internet rather than an organisation's own internal network. For example, it might be unclear as to where data is processed within a cloud computing system, and such processing can occur in differing jurisdictions. Current commercial cloud service providers include Microsoft Azure Services Platform, Amazon Web Services and Google, as well as open source cloud

Fighting crime

Computer forensics has emerged in recent years as an important tool in the fight against crime. It is defined as the application of computer investigation and analysis techniques to determine potential evidence [1]. Traditionally, computer forensics has classified crime involving computers and associated technologies in three ways — the computer is: the target of the crime; a repository of information used or generated during the commission of a crime; or a tool used in committing a crime [2]. These

Linear process

Computer forensics investigations generally follow a linear process: identification, extraction, analysis and presentation of evidence. First, the analyst identifies potential sources of evidence. For example, what is the suspected crime? What hardware or software is being used by the suspect? Where is the evidence located? Second, the analyst must extract evidence in a robust manner to maintain its integrity. The computing environment is highly volatile as it deals with virtual rather than

Evidence acquisition

Digital evidence can be more ethereal and dynamic in the virtual environments provided in a cloud computing system. If a software application is accessed via a cloud computing system, data traditionally written to the operating system, such as registry entries or temporary Internet files, will reside or be stored within the virtual environment and so lost when the user exits the cloud. Virtualisation sanitises resources so the traditional analysis of leftover artefacts could be limited. This

Third-party location

Related to this architectural issue is that of the third party's location. Potentially, this can have a major impact on the investigatory jurisdiction and responsibility. Currently, the procedure for identifying and extracting evidence is the seizure of the computing device itself. The investigation team has the tangible evidence of the device and they are able to analyse the data held on it. However, the cloud computing paradigm aims to push data and services back into the network. Therefore,

Physical seizure

Cloud computing impacts upon the ability of law enforcement agencies to physically seize computing assets in order to pursue an investigation. Even if a law enforcement agency could locate the appropriate server systems in a timely manner, it is unlikely that it could obtain the information quickly; in particular, the agency could have difficulty seizing such systems, let alone ‘seizing’ a datacentre.

Cloud computing can be broken down into different categories. These include

Suspects in the cloud

Finally, there is the issue of identifying the actual suspects within the cloud environment. In traditional forensics, a computer will be seized that has physical links to the suspect. For example, a computer might be seized from the suspect's home or work environment, thus physically tying the suspect to the machine and the evidence. Within the network environment, computers interact without a suspect's knowledge. As there is no physical interaction, identities within this networked

Evidence analysis

It could be difficult to analyse the sequence of events in a particular transaction in a cloud computing system since a variety of different machines might have been involved in the transaction — for example, a transaction involving updates to a large number of database tables in a distributed database. Another challenge facing the forensics community when analysing evidence in cloud computing environments is the degree of software standardisation, as there are several virtualisation platforms.

Audit trail

Cloud computing systems could potentially be made easier to forensically investigate if some form of audit trail were maintained by the cloud system. For example, with regard to SaaS cloud environments, the software applications themselves could maintain appropriate audit trails of changes made to application data. With IaaS and PaaS cloud environments, logs could be maintained of users' activity within the cloud environment. However, given the typically large scale of cloud environments,
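As an added illustration, not taken from the paper, of the application-level audit trail described above and of reconstructing a sequence of events across several machines (the concern raised under Evidence analysis), the following Python keeps a tamper-evident, hash-chained audit log per application host, verifies each chain, and merges verified chains into one timeline. The hosts, users, tables and timestamps are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor for the first entry of every chain

# Constructed sample data: audit events from two application hosts of a SaaS deployment (all values invented).
SAMPLE_EVENTS = {
    "app-host-1": [
        {"ts": "2011-03-01T09:00:00Z", "user": "alice", "action": "update", "table": "invoices", "row": 42},
        {"ts": "2011-03-01T09:02:10Z", "user": "alice", "action": "delete", "table": "invoices", "row": 42},
    ],
    "app-host-2": [
        {"ts": "2011-03-01T09:01:05Z", "user": "bob", "action": "update", "table": "customers", "row": 7},
    ],
}

def _entry_hash(prev, event):
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))  # canonical form
    return hashlib.sha256((prev + body).encode()).hexdigest()

def build_chain(events):
    """Append events to a hash chain: every entry's hash commits to the previous entry's hash."""
    chain, prev = [], GENESIS
    for ev in events:
        h = _entry_hash(prev, ev)
        chain.append({"event": dict(ev), "prev": prev, "hash": h})
        prev = h
    return chain

def verify_chain(chain):
    """Return the index of the first entry that was altered, removed or reordered, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["event"]):
            return i
        prev = entry["hash"]
    return None

def merged_timeline(chains):
    """Merge per-host chains into one chronological sequence, refusing any chain that fails verification."""
    rows = []
    for host, chain in chains.items():
        if verify_chain(chain) is not None:
            raise ValueError(f"audit trail from {host} failed integrity check")
        rows.extend(dict(entry["event"], host=host) for entry in chain)
    return sorted(rows, key=lambda r: r["ts"])

def acquisition_digest(chain):
    """Digest recorded at extraction time so later analysis can show the exported trail is unchanged."""
    return hashlib.sha256(json.dumps(chain, sort_keys=True).encode()).hexdigest()
```

The merged timeline places bob's update on app-host-2 between alice's two operations on app-host-1, which neither host's own log shows on its own.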

Management of computer forensic investigations

The first stage of a computer forensic investigation involving a cloud computing system would be to clearly identify the purpose of the investigation. For example, the investigation might concern unauthorised access to application systems based in the cloud, suspected fraud or money laundering or the accessing or dissemination of offensive material. It is important that the purpose of a computer forensic investigation is clearly defined so that the full scope of the investigatory process can be

Forensic agent

A private cloud computing system is for a single organisation's internal use and it may be run by the organisation itself or outsourced to a third party. Even in such a cloud computing environment within an organisation it may be difficult to shut down servers. In the public or hybrid private-public cloud computing environment this would be even more complex. A public cloud is managed by another organisation that provides cloud services. The more dispersed architecture of a public cloud system

Conclusions

Cloud computing is likely to make the acquisition and analysis of digital evidence more complex. Computer forensic investigations of cloud computing systems are likely to require more time and effort to undertake, due to the number of computing devices within the cloud that may need to be forensically examined. In addition, in legal terms, cloud computing systems will make it potentially more difficult for the computer forensic analyst to acquire and analyse digital evidence to the same

References (13)

  • Haggerty, J. et al. ‘Managing corporate computer forensics’. Computer Fraud and Security (2006).
  • Li, X; Seberry, J. ‘Forensic Computing’. 4th International Conference on Cryptology in India – Progress in Cryptology...
  • Mohay, G; Anderson, A; Collie, B; del Vel, O. Computer and Intrusion Forensics. Artech House, Boston, MA, US (2003)...
  • EnCase. Guidance Software.
  • Forensic Tool Kit (FTK). AccessData.
  • Grossman, R. ‘The case for cloud computing’. IT Professional (2009).

Cited by (103)

  • Towards a practical cloud forensics logging framework

    2018, Journal of Information Security and Applications
    Citation excerpt:

    Though cloud computing offers significant benefits, there has been growing concern about the security, privacy, legal and jurisdictional aspects of the cloud environment and the way cloud computing stores and processes customers' data [4]. Further to that, researchers have pointed out that the cloud infrastructure is not mature enough to support digital forensic needs as well, and have identified issues and challenges associated with conducting forensics in the cloud [5–7]. Researchers have also noted that, to date, there is no vendor that facilitates forensic investigation in the cloud [8].

About the authors

Dr Mark Taylor is a senior lecturer in computing at Liverpool John Moores University. He is a Chartered IT Professional, a Chartered Engineer and a Chartered Scientist.

Dr John Haggerty is lecturer in information systems security at the University of Salford. His research interests include digital forensics, network security, signature matching and mobile computing.

David Gresty works for an independent security company principally in the field of law enforcement forensic investigations. He has extensive experience investigating child protection and the downloading of unlawful material.

Dr David Lamb is a research fellow in computer networks and security at Liverpool John Moores University.