10 Cloud Forensics: Model, Challenges, and Approaches

Lei Chen1, Nhien‐An Le‐Khac2, Sebastian Schlepphorst2, and Lanchuan Xu3

1Georgia Southern University, Statesboro, GA, USA

2University College Dublin, Dublin, Ireland

3Chengdu Railway Public Security Bureau, Chengdu, China

10.1 Introduction

As cloud technologies have emerged in recent years, cloud storage and computing have greatly enhanced everyone's work productivity and life quality in many ways. These technologies allow reliable, scalable, flexible, and cost‐effective data storage and data processing through using networked systems and databases, virtual environments, and a set of cloud management and operational methods. Nonetheless, the ubiquitous applications of the Cloud provide potential opportunities for cybercriminals to hack into organizational and personal cloud environments and acquire sensitive and private data. The ever‐increasing number and scale of such cyber and cloud attacks has drawn the attention of digital forensic investigators.

Traditional digital forensic investigation approaches and processes focus on the acquisition of potential digital evidence from traditional data storage devices, such as hard drives, solid state drives (SSDs), computer memory, and external storage, such as Universal Serial Bus (USB) memory keys and Secure Digital (SD) cards. Due to the distributed nature of data storage and processing in cloud computing, some of these traditional acquisition techniques have proven to be no longer valid, effective, or efficient. In a similar way, traditional digital evidence analysis is typically conducted against a digital image of a storage device, commonly loading a single file system with relatively limited total data volume to process. In the cloud environment, however, analyses occur locally and remotely, often in virtual environments.

Cloud forensics has emerged as an important area of research and practice in recent years due to the ever‐growing number of cloud applications and cyberattacks. Many research findings have been presented in this field, including but are not limited to cloud acquisition, analysis, and presentation methods and tools; improved efficiency and effectiveness of these methods and tools in the cloud forensic process; and the challenges faced during forensic investigations in the cloud environment. A critical issue that demands discussion is how digital forensics, as a key component and integral part just like security, can fit into the cloud service models: i.e. Infrastructure‐as‐a‐Service (IaaS), Platform‐as‐a‐Service (PaaS), and Software‐as‐a‐Service (SaaS).

In this chapter, we aim to address and discuss this important issue by first reviewing and understanding the current cloud computing model and digital forensics defined by the National Institute of Standards and Technology (NIST). Then we analyze how each digital forensic process may affect and be integrated in the cloud environment. Finally, we present our proposed model of digital forensics in the Cloud for facilitating present and future digital investigations in law enforcement.

10.2 Background

10.2.1 Cloud Computing

Cloud computing is a completely new paradigm in information technology (IT), allowing the sharing, exchange, and processing of data via a massive infrastructure and a network of properly connected and configured systems and networks. By using cloud computing and storage, there is no need for most individuals and organizations to purchase hardware and software that is not fully utilized, as was the case in the past. Instead, users and organizations may subscribe to cloud services from vendors and providers; they only need terminal systems for the purpose of human interaction and decision‐making while pushing most computing and storage to the Cloud.

Cloud computing greatly extends the current IT capabilities of organizations and individuals by providing subscription‐based or pay‐per‐use services. The study “Quantitative Estimates of the Demand for Cloud Computing in Europe and the Likely Barriers to Up‐take” by the International Data Corporation (IDC) illustrated that the adoption of cloud computing is on the rise (Bradshaw et al. 2012). In fact, 32.7% of the 1,056 surveyed organizations had fully adopted cloud computing in more than one business area and 13.4% had full adoption in a single business area (Bradshaw et al. 2012).

NIST has defined cloud computing and included this definition in its released official document: “cloud computing is a model for enabling ubiquitous, convenient, on‐demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models” (Mell and Grance 2011, p. 2). These characteristics, service models, and deployment models are discussed in detail in the next few paragraphs.

According to NIST, the five characteristics of cloud computing are on‐demand self service, broad network access, resource pooling, rapid elasticity, and measured service (Kent et al. 2006). These characteristics of cloud computing indicate dramatic departures from traditional computing in many ways, e.g. user applications and interaction; data storage, transportation, and processing; individual and organizational communication; etc. (Kent et al. 2006). Consequently, the tools, methods, approaches, and procedures of digital investigation must adapt to this new paradigm to remain effective and efficient.

NIST has categorized cloud computing's service models into three types: IaaS, PaaS, and SaaS (Mell and Grance 2011). The goal of IaaS is to provide processing, storage, networks, and other fundamental computing resources to consumers so that they can deploy and use operating systems (OSs) and applications that run on top of the OS. In IaaS, typically customers or end users have control of the OS, storage, and applications, and in certain scenarios they may also have limited control over network components and configurations, such as the host firewalls and intrusion detection systems (IDSs) (Mell and Grance 2011). In the PaaS service model, customers are typically allowed to deploy applications and software generated on their own or acquired from a third party. Such a service model requires cloud service providers to facilitate customers and provide platform‐relevant components, including hardware, programming languages, libraries, services, and tools (Mell and Grance 2011). Given that in PaaS, customers' interests mainly involve application development, they may not need or may not have much control over the underlying cloud infrastructure; this saves developers the cost and time of purchasing and configuring their own hardware, network, and OS environment (Mell and Grance 2011). SaaS aims to provide applications and software tools to customers either by subscription or by a pay‐per‐use model, instead of paying for an up‐front perpetual software license. In this service model, typically, customers do not manage or control the cloud infrastructure, although they may have access to user‐specific application configuration settings and applications or user data, which are typically stored in the cloud environment and may impose some cost (Mell and Grance 2011).

In each of these cloud service models, end users have different levels of access to the cloud infrastructure, OSs, application software, and data; and levels of access should be clearly defined for security, privacy, and management purposes. Table 10.1 illustrates access control for customers in the three cloud service models (Edington and Kishore 2016). The SaaS model gives customers the least amount of access because they only need to run the software applications, while PaaS provides application access because software developers need to modify the application code for development purposes. IaaS provides the most access to customers: essentially, customers have virtual machines running in the cloud environment, facilitated by cloud service providers.

Table 10.1 Customer access control in three different cloud service models.

Level of access / Service model IaaS PaaS SaaS
Basic access
Applications
Data
Runtime
Middleware
Operating systems
Virtualization
Servers
Storage
Networking

Four cloud computing deployment models are defined by NIST: public cloud, private cloud, hybrid cloud, and community cloud (Mell and Grance 2011). In a public cloud, service providers typically provide resources like virtual machines (VMs), application software, and storage to general public end customers. In contrast, a private cloud provides services to specified clients or customers; therefore, the underlying cloud infrastructure, OSs, software applications, and user and environment configurations and settings can be highly customized for security and many other reasons. A community cloud commonly has shared resources and applications among multiple entities or organizations, with an agreed‐on policy for the deployment and use of the Cloud. A hybrid cloud is a mixture of two or more cloud deployment types (Mell and Grance 2011).

10.2.2 Digital Forensics

While the increased adoption of cloud computing greatly helps organizations improve their work productivity and efficiency, it may create opportunities for cybercriminals to expand their illegal activities through or in the Cloud. Commonly found cybercrimes and illegal cyber activities include, but are not limited to, identity and data theft, internet fraud, business espionage, child pornography, and cyberterrorism, among others (Chen et al. 2015). Law‐enforcement personnel and agencies from around the world are increasingly faced with companies and individuals engaged in illegal cyber activities. Some of the digital forensic investigation leaders, in terms of technologies, implementation, and enforcement, are the United States, Mainland China, the United Kingdom, Ireland, Canada, Australia, and Hong Kong (Chen et al. 2015).

NIST defines digital forensics as “the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data” (Kent et al. 2006, p. 9). Given that the storage, processing, and transmission of data has changed in the cloud environment compared to the traditional environment, it is obvious that some of the conventional approaches and tools used by digital investigators may no longer be valid, effective, or efficient. In the literature, there is discussion and analysis of digital forensics in the IaaS cloud service model; however, no existing work or proposals in the context of digital forensics can be found for the PaaS or SaaS cloud service models.

Compared to the definition of digital forensics given by NIST, that given by Palmer at the Digital Forensic Research Workshop (DFRWS) was welcomed by researchers and practitioners: “the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations” (Palmer 2001, p. 16). The proposed process of digital forensics can be compressed into four main phases: identification, collection, examination, and presentation of the digital data and evidence. These four phases are further discussed in the following paragraphs.

Identification is the phase where investigators identify the potential system, storage, and location where critical crime‐related data may be found for solving a case (Palmer 2001). Traditionally, this would refer to hard drives, USB memory keys, CD‐ROMs, computer memory, and network component buffers or cache, among others. In the cloud environment, however, it becomes a challenge to identify where potential digital evidence may reside, as this varies among cloud service models, along with how much access customers may have and what can be accessed by customers, as well as the underlying cloud infrastructure.

In the phase of collection, the investigator collects and seizes the hardware devices, along with the OSs, applications and data found in these hardware devices while preserving the chain of custody and integrity of hardware, software and data (Palmer 2001). Due to the same aforementioned reasons, this becomes extremely difficult.

In the examination phase, investigators analyze the identified and collected hardware, software, and data using appropriate digital forensic tools, which help locate, retrieve, and interpret digital evidence so that it can be used to support proof of illegal activities (Palmer 2001). Almost all the conventional digital forensics tools were developed for non‐cloud devices and environments and therefore may not work or may need significant modifications in the cloud environment.

In the presentation phase, investigators prepare a final report stating the conclusion from the examination phase with the support of identified and analyzed digital evidence. This report will be presented to the judge and jury, who may not fully understand the cloud infrastructure or service models and may not be convinced by the presented linkage between the digital evidence and potential illegal activities (Palmer 2001).

For these and many other reasons, there is an increased demand for a well‐considered model for digital forensics in cloud computing. Some existing works in the literature have prepared for this purpose by providing a definition of cloud forensics. For example, (Ruan et al. 2011) conducted a survey among digital forensic experts and practitioners on cloud forensics and critical criteria for cloud forensics capabilities. Based on the survey results and a continuing survey in 2013 (Ruan et al. 2013), they defined cloud forensics as “the application of digital forensic science in cloud computing environments. Technically, it consists of a hybrid forensic approach (e.g. remote, virtual, network, live, large‐scale, thin‐client, thick‐client) towards the generation of digital evidence. Organizationally it involves interactions among cloud actors (i.e. cloud provider, cloud consumer, cloud broker, cloud carrier, and cloud auditor) for the purpose of facilitating both internal and external investigations. Legally it often implies multi‐jurisdictional and multi‐tenant situations” (Ruan et al. 2013). With the foundation laid out by this study, we further investigate the process and propose our cloud forensic model in the following section.

10.3 Process and Model of Cloud Forensics

In recent years, cloud computing and storage services have provided customers with massive amounts of data storage space and enormous computing capabilities. Service providers such as Amazon, Dropbox, and Google all have cloud service plans and packages available at reasonable costs to customers. The storage and organization of data, compared to the conventional computing environment, has changed from local or traditional networks to the Cloud. This indicates that data may not be stored on a single server at a single location; data storage and communications may span more than one jurisdictional region, and there exist significant challenges to digital investigations in such a new environment (Zargari and Smith 2013; Thethi and Keane 2014; Chen et al. 2015). As an example, a photo posted on a user's Facebook wall may be shared through a link to a directory in the same user's Microsoft OneDrive.

10.3.1 Forensics Moving into the Cloud

Data in the Cloud may be stored in different cloud servers and nodes, and there may be one or more synchronized or unsynchronized copies of data in the Cloud and connected personal or organizational computers. As an example, users of Google Drive File Stream have the option of having a synchronized copy of selected data on multiple computers and devices. A user may choose to have certain files and directories be synchronized on a certain device. Some devices may not always be connected to the Cloud or may not be synchronized to what is stored in the user's Google Drive. Therefore, there is a challenge as to what and from where potential digital evidence should be acquired. In addition, cloud data may be shared among multiple users or parties, and a user may not own certain files found in that user's cloud storage (Chen et al. 2015). The access control and privileges of shared files also vary and may cause difficulty and confusion in digital forensic investigations (Chen et al. 2015). Furthermore, it is not uncommon for files to be split into data blocks that may be stored over multiple cloud computer nodes and even in different jurisdiction regions (Wu et al. 2012).

Given the aforementioned situations and challenges, it is crucially important to conduct redundant data cleaning and data validation throughout the entire digital investigation process. The timing of data acquisition also plays an important role in the process due to the dynamic and sharing characteristics of cloud data (Chen et al. 2015). Consequently, traditional digital forensic processes and models may not be effective or efficient for cloud forensics, and a new process model that reflects the cloud environment and pertinent approaches is urgently needed.

10.3.2 Cloud Forensics Process

While the methods and approaches in each digital forensic phase are quite different, the overall forensic process in the Cloud resembles that in a traditional environment. The initial step is to determine the locations of data for acquisition purposes. In the traditional digital forensic process, this refers to identifying local or network user accounts, specific hard disks, partitions, volumes, USB memory keys, external memory storage, and memory segments, among others (Chen et al. 2015). In the cloud environment, this requires identifying the cloud storage service providers, cloud user accounts and pertinent cloud drives, shared data, users among whom the data is shared, etc. The next phase is to preserve data integrity, which is commonly implemented by running hash functions over acquired data images in traditional digital forensics. However, in the cloud environment, it becomes a challenge to determine what data to hash and where the hashing should be performed (Wu and Yang 2010).
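The integrity step described above, that is, hashing acquired data and deciding what to hash and where, is illustrated by the following added example. It is not code from the chapter or from any of the cited works; it assumes an acquired image is available as bytes and that the chunk size (4096) is an investigator's choice. Hashing per chunk as well as over the whole image lets a verification run after transfer localize which block was altered, and lets a manifest produced at the provider side be compared with one produced in the lab, which is one way of answering the "where should hashing be performed" question.

```python
import hashlib
from dataclasses import dataclass, field

CHUNK_SIZE = 4096  # assumption: block size chosen by the investigator for per-chunk hashing


@dataclass
class Manifest:
    """Hash manifest for one acquired image: per-chunk SHA-256 digests plus one digest of the whole."""
    chunk_size: int
    chunk_hashes: list = field(default_factory=list)
    image_hash: str = ""


def iter_chunks(data: bytes, chunk_size: int):
    """Yield the image in fixed-size blocks; the last block may be shorter."""
    for offset in range(0, len(data), chunk_size):
        yield data[offset:offset + chunk_size]


def build_manifest(data: bytes, chunk_size: int = CHUNK_SIZE) -> Manifest:
    """Hash every chunk and, in the same pass, the whole image (streamed, so no second read)."""
    manifest = Manifest(chunk_size=chunk_size)
    whole = hashlib.sha256()
    for chunk in iter_chunks(data, chunk_size):
        manifest.chunk_hashes.append(hashlib.sha256(chunk).hexdigest())
        whole.update(chunk)
    manifest.image_hash = whole.hexdigest()
    return manifest


def verify_manifest(data: bytes, manifest: Manifest) -> list:
    """Re-hash the data and return the indices of chunks that no longer match (empty list = intact).

    A missing or extra trailing chunk is reported as a mismatch at that index too, so a
    truncated or padded transfer is detected rather than silently passing.
    """
    current = [hashlib.sha256(c).hexdigest() for c in iter_chunks(data, manifest.chunk_size)]
    longest = max(len(current), len(manifest.chunk_hashes))
    mismatched = []
    for i in range(longest):
        expected = manifest.chunk_hashes[i] if i < len(manifest.chunk_hashes) else None
        actual = current[i] if i < len(current) else None
        if expected != actual:
            mismatched.append(i)
    return mismatched


def compare_manifests(at_source: Manifest, at_lab: Manifest) -> list:
    """Compare a manifest computed where the data was acquired with one computed after transfer.

    Returns the chunk indices that differ; an empty list means both sides saw identical bytes.
    """
    if at_source.chunk_size != at_lab.chunk_size:
        raise ValueError("manifests were built with different chunk sizes and cannot be compared")
    longest = max(len(at_source.chunk_hashes), len(at_lab.chunk_hashes))
    return [
        i for i in range(longest)
        if (at_source.chunk_hashes[i] if i < len(at_source.chunk_hashes) else None)
        != (at_lab.chunk_hashes[i] if i < len(at_lab.chunk_hashes) else None)
    ]


if __name__ == "__main__":
    # Constructed sample image (10240 bytes -> 3 chunks of 4096, 4096, 2048).
    image = bytes(range(256)) * 40
    manifest = build_manifest(image)
    print("intact:", verify_manifest(image, manifest) == [])
    tampered = bytearray(image)
    tampered[5000] ^= 0xFF  # flip one bit inside the second chunk
    print("tampered chunks:", verify_manifest(bytes(tampered), manifest))
```

Storing the manifest alongside the image in the custody record means that a later dispute about a specific region of the image can be settled at chunk granularity instead of re-hashing the entire acquisition.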

Details of the collection, extraction, analysis, and fixation of digital evidence are further discussed in the rest of this section. These discussions and elaborations will help us visualize a dynamic cloud forensic model that is proposed in Section 10.3.3.

10.3.2.1 Digital Evidence Collection and Extraction

Digital evidence may reside in all kinds of data and information, including but not limited to network and system information, files and directories, file system information, user and group information, policies, and logs, among many others (Chen et al. 2015). In the cloud environment, such data and information are found in distributed storage and virtual environments, which increases data volatility and makes it difficult to track data (Li and Deng 2012). Therefore, it is critically important for the digital evidence acquirer to obtain the order and locations of data creation and processing (Li and Deng 2012). Four different aspects of the cloud environment must be examined by investigators (Chen et al. 2013) for these reasons, and they are further elaborated in the following paragraphs.

Regardless of the cloud service model (IaaS, PaaS, or SaaS), the foremost examination must be conducted directly in the Cloud (Zhang 2010). While the digital investigator may not be an expert in cloud technologies, they must understand the technical details of cloud services, including but not limited to commonly used cloud devices, platforms, software, configurations, and access control by providers (Zhang 2010). When possible, investigators may need to obtain saved data, user access, and system logs from providers. (Zhang 2010) suggested that four categories of information need to be collected: infrastructure and equipment information, virtual information, application and service information, and information regarding intrusion‐alarm records and relevant access logs. In addition, we consider that, depending on the cloud service model, the quantity and level of information to collect should vary. Table 10.1, for example, indicates that information at the virtualization, server, storage, and networking levels should be examined regardless of the cloud model. For the IaaS model, however, since clients have access to the OS and all levels above it, detailed information pertinent to user activities and control at these levels should be collected and examined.

Local computer systems should also be examined for any possible digital evidence (Zhang 2010). The reason is that, regardless of the cloud service model, data transfers occur between local computers and the Cloud, and therefore data fragments and caches may still reside locally. Possible valuable information includes partial, deleted, or damaged files; user activities and data‐communication logs; remote computer and server information; security parameters; and digital certificates and public keys, among others (Zhang 2010). Traditional digital forensics tools and methods can be very useful in this process.

In addition to the cloud environment and local systems, network audit nodes should also be examined (Zhang 2010). Such nodes include but are not limited to proxy servers and servers or systems where cloud computing security audits run. Typically, these computer nodes understand data up to the application layer in the Open Systems Interconnection (OSI) or Transmission Control Protocol/Internet Protocol (TCP/IP) network model, and are likely equipped with traffic analyzers and IDSs; therefore, they may provide invaluable information.

If potential digital evidence may exist in the subclouds of a large‐scale cloud, then these subclouds should also be examined (Zhang 2010). In fact, examination and data acquisition directly conducted in the subcloud environment typically cost less and are less time‐consuming when compared to the parent large‐scale cloud (Zhang 2010).

The extraction of data aims to restore deleted data and reconstruct hidden files. If the Cloud supports Forensics‐as‐a‐Service (FaaS), this process can then be accomplished entirely on the cloud side; otherwise, cloud‐oriented forensic tools and methods need to be employed to retrieve data from the Cloud to the local investigation lab. The details of this process are discussed in later sections of this chapter as well as in later chapters of this book.

10.3.2.2 Evidence Analysis and Fixation

Redundant data cleaning and deep data analysis are two main evidence‐analysis aspects in cloud forensics (Chen et al. 2015). The sharing of cloud data may generate multiple complete or partial copies of data across the Cloud and on more than one local system. Such redundant data should be identified, and a track of changes should be recorded for files and directories. Deep data analysis is essential in correlating data from various locations and sources (Chen et al. 2015). One example would be finding the same file or different versions of the same file on cloud storage and local systems, synchronized among a group of clients who have shared the same document. Finding the correlation of the evidence among different sources can often assist in investigations. Software technology and data mining are suggested for solving the problems of incomplete and inadequate evidence (Huang et al. 2013). Ultimately, the purpose of deep data analysis is to ensure that acquired data is complete, accurate, and not redundant.

The purpose of evidence fixation is to guarantee the integrity and genuineness of the evidence throughout the investigation process following relevant regulations (Miao 2013). Similar to traditional digital forensics, it is equally important to ensure the credibility and validity of digital evidence; therefore, the operating environment should avoid any possible unnecessary changes. Necessary changes should be justified and proven without jeopardizing the integrity of the evidence. For such purposes, environmental variables should be recorded, and a track of changes should be documented (Chen et al. 2015).
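The three activities described in this subsection, redundant data cleaning, deep data analysis across sources, and evidence fixation, are demonstrated together in the following added example. It is not code from the chapter or from the cited works. It assumes artifacts have already been acquired and are represented as small records (source, path, content, modification time); the sample records are constructed and stand in for a file synchronized between a user's cloud drive and two laptops, one of which holds an older version. The fixation log is a hash-chained, append-only record of the environment and each processing step, so that any later alteration of the record is detectable.

```python
import hashlib
import json
import os
import platform
import time
from collections import defaultdict

# Constructed sample artifacts from three sources: the cloud drive, a synced laptop,
# and a second laptop belonging to a user the document was shared with.
SAMPLE_ARTIFACTS = [
    {"source": "cloud:drive/userA", "path": "reports/q1.docx", "content": b"Q1 report v2", "mtime": 1700000200},
    {"source": "local:laptop-A", "path": "Drive/reports/q1.docx", "content": b"Q1 report v2", "mtime": 1700000200},
    {"source": "local:laptop-B", "path": "Drive/reports/q1.docx", "content": b"Q1 report v1", "mtime": 1700000100},
    {"source": "cloud:drive/userA", "path": "notes.txt", "content": b"meeting notes", "mtime": 1700000000},
]


def content_hash(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def clean_redundant(artifacts: list) -> list:
    """Redundant data cleaning: byte-identical copies are collapsed to one record.

    The representative keeps its own source/path and a list of every other place the
    same content was found, so nothing about provenance is lost by deduplicating.
    """
    groups = defaultdict(list)
    for artifact in artifacts:
        groups[content_hash(artifact["content"])].append(artifact)
    unique = []
    for digest, copies in groups.items():
        representative = dict(copies[0])
        representative["sha256"] = digest
        representative["also_found_at"] = [(c["source"], c["path"]) for c in copies[1:]]
        unique.append(representative)
    return unique


def correlate_versions(unique: list) -> dict:
    """Deep data analysis: records sharing a file name but differing in content are
    treated as candidate versions of one document and ordered by modification time."""
    by_name = defaultdict(list)
    for record in unique:
        by_name[basename(record["path"])].append(record)
    return {name: sorted(items, key=lambda r: r["mtime"])
            for name, items in by_name.items() if len(items) > 1}


class FixationLog:
    """Evidence fixation: append-only log where each entry commits to the previous one."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        # Record the operating environment first, as the text recommends.
        self.record("environment", {
            "python": platform.python_version(),
            "platform": platform.platform(),
            "cwd": os.getcwd(),
        })

    def record(self, action: str, details) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "time": time.time(), "action": action,
                 "details": details, "prev_hash": prev}
        body = json.dumps(entry, sort_keys=True, default=str)
        entry["entry_hash"] = hashlib.sha256(body.encode()).hexdigest()
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self) -> bool:
        """Return True only if every entry's hash and back-link are still consistent."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev_hash"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest() != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def process(artifacts: list):
    """Run cleaning and correlation while logging each step; returns (unique, versions, log)."""
    log = FixationLog()
    log.record("acquired", {"count": len(artifacts), "hashes": [content_hash(a["content"]) for a in artifacts]})
    unique = clean_redundant(artifacts)
    log.record("redundant_cleaning", {"unique": len(unique), "removed": len(artifacts) - len(unique)})
    versions = correlate_versions(unique)
    log.record("version_correlation", {name: [r["sha256"] for r in items] for name, items in versions.items()})
    return unique, versions, log


if __name__ == "__main__":
    unique, versions, log = process(SAMPLE_ARTIFACTS)
    print("unique artifacts:", len(unique))
    print("documents with multiple versions:", list(versions))
    print("fixation log intact:", log.verify())
```

Note that the version correlation is a heuristic: a shared file name is a reason to examine two records together, not proof that they are the same document, and the log records the hashes it grouped so that the decision can be reviewed later.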

10.3.3 Dynamic Cloud Forensics Model

This section further discusses the processes of cloud forensics. Based on these processes, we propose a cloud forensic model, shown in Figure 10.1, aiming at providing overall guidance for cloud investigations. More details of this model are addressed toward the end of this section.


Figure 10.1 Proposed cloud forensic model.

Many researchers have proposed cloud‐based forensic architecture and models. For example, (Lin 2013) proposed a cloud‐based forensic architecture expected to enhance the efficiency of data acquisition and analysis. A cloud forensics model aiming to improve the efficiency and safety of digital evidence was proposed by (Gong et al. 2012). The cloud forensic model presented by (Zhang and Mai 2011) tackles the problem of efficiency by using dynamic parallel processing. An example of a model to solve cloud security problems is the computer cloud forensic system presented by (Wu et al. 2012). (Chen et al. 2015) proposed a dynamic cloud forensic model considering both redundant data cleaning and deep data analysis for cloud data. Based on these cloud models, we propose a cloud forensic model that is simple and clear yet shows the important mandatory processes and components in cloud forensics.

Figure 10.1 shows our proposed model in a top‐down architecture. The first step in cloud forensics is to determine what to collect and where to collect artifacts. Digital artifacts may be found in the cloud environment at service providers, in subclouds, end users' devices, and proxy and audit servers (refer to Section 10.3.2.1). The orange arrows in Figure 10.1 refer to data acquisition. The components and functionalities in the green box can be implemented at a cloud forensic service center, which may support more than one end digital forensic lab and its associated investigators. The center collects raw forensic data from various sources and completes three major tasks: redundant data cleaning, deep data analysis, and storing the processed data in a database, ready to be further processed by end forensic labs and investigators. We consider that this process should be separated from the end forensic lab and investigators for a few reasons. Many forensics labs and private investigators do not have the resources or time to cope with cloud service providers. They may not have the hardware, software, or direct access to cloud data needed for forensic investigations. Cloud forensic service centers, which may be funded by the government or authorized companies with sufficient funding and resources, can serve as agents in acquiring raw cloud data and preprocessing, analyzing, and preparing the data in the form preferred by end forensic labs and investigators. We estimate that this model helps reduce the complexity and overhead to the investigators and therefore leads to a more efficient, reliable, accurate cloud forensic process. The authors of Chapter 12 of this book review a number of existing cloud forensic models and propose their model, which may provide readers with more insight into cloud forensic modeling and processes.

10.4 Cloud Forensics Methods, Approaches, and Tools

10.4.1 Methods and Approaches

Forensic triage is essentially a quick investigative screening process that typically happens at the initial stage of the investigation (Roussev et al. 2013; Parsonage 2014; Thethi and Keane 2014). This is especially useful when dealing with enormous amounts of data in a cloud investigation case; particularly, it is suggested that forensic triage should be conducted outside the lab environment and before acquiring or analyzing any digital evidence (Parsonage 2014). In cloud forensic practice, investigators are typically facing the challenge of determining and retrieving the most pertinent information from an immense amount of raw data, within time constraints. In addition, compared to traditional forensics, there is a strong demand for standard forensics methods and tools. Given this situation, triage is considered necessary in cloud forensics and defined as “a partial forensic examination conducted under (significant) time and resource constraints” (Roussev et al. 2013).

High‐performance computing systems and high‐speed networks should be utilized for cloud data acquisition and analysis in the cloud environment (Roussev et al. 2013; Thethi and Keane 2014). The enormous amount of data transferred and processed in cloud forensics requires that the investigation process be treated as a formal software‐engineering process (Roussev et al. 2013). In other words, there should be well‐recognized, widely agreed‐on principles and techniques to be applied to cloud forensics, and investigative activities should be traceable, measurable with regard to efficiency and effectiveness, repeatable, predictable, and subsequently optimizable (Roussev et al. 2013).

Compared to utilizing high‐performance computing, FaaS gives users an advantage by allowing simple, basic forensic investigations on their end (Zargari and Smith 2013; Thethi and Keane 2014). Such investigations include accessing certain logs and configuration files and recovering deleted files, among others. FaaS further indicates that the Cloud can provide interfaces and functionalities supporting remote forensic investigations. As an example, XIRAF, a service‐based digital forensic system and approach, was proposed in 2016 to process large volumes of acquired data (Alink et al. 2006). As early as 2010, the Netherlands Forensic Institute began to use XIRAF for more efficient digital forensic investigations. (Lee and Un 2012) described a type of FaaS using the term forensic cloud, where cloud servers allow remote indexing against terms and meaningful patterns for forensic keyword searches in Apache HBase. HBase, part of the Apache Hadoop project, is an open source, distributed, nonrelational database used by many cloud and social network services, including Facebook Messenger Platform (https://hbase.apache.org). More discussion of FaaS can be found in Chapter 16.

Users and organizations have a long list of choices in terms of cloud storage and service providers. Many of them, such as Amazon, Dropbox, Google, and Microsoft, provide similar services at comparable prices. (Chung et al. 2012) suggested that digital investigators should be familiar with file system locations, tools, and techniques for identifying and acquiring digital artifacts among various providers. For instance, for a behavior such as downloading and opening a file or accessing cloud storage using a web browser on a local computer, an investigator should know where and how to find and retrieve artifacts based on a combination of the type of file (Microsoft Office, Google Docs, etc.), cloud service provider (Amazon, Dropbox, Google Drive, etc.), web browser (Chrome, Internet Explorer, Firefox, etc.), and OS (Windows 10, Windows 7, Linux, macOS, iOS, Android, etc.) (Chung et al. 2012). As an example, this same user behavior using IE 8.0 in a Windows 7 environment might generate a file named s3.amazonaws.com.lnk in a local path while leaving little or no trace when using Firefox 9.0 in a Mac environment after the browser is closed (Chung et al. 2012).

Users' social network profiles, activities, and behaviors may provide valuable information to digital investigators. For example, a Facebook user may share photos stored on Google Drive via posted links. And interactions with work‐related friends on Facebook may indicate a possible profile of the same user on LinkedIn and other social networks that utilize cloud storage and computing, possibly linking to potential artifacts. For different social networks, different forensic tools, programming APIs, and credentials are required to extract user profile and data. As an example, the Representational State Transfer (REST) API, JavaScript Object Notation (JSON), and Python programming language are needed to extract a Twitter user’s profile and status (Howden et al. 2013).
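The Twitter extraction the chapter mentions (REST API, JSON, Python) can be shown end to end without a live account. The block below is an added example, not code from the chapter or from Howden et al.: the payload is constructed by hand in the shape of a Twitter REST API v1.1 `user_timeline` response (the `user`, `id_str`, `text`, `created_at` and `entities.urls[].expanded_url` fields exist in that API), and the provider host table is an assumption for the demo. The example goes one step beyond the text by cross-referencing the posted links against cloud storage hosts, which is the profile-to-artifact linkage the paragraph describes.

```python
"""Parse a (constructed) Twitter-style timeline and link posts to cloud storage."""
import json
from datetime import datetime
from urllib.parse import urlparse

# Exact hostnames that identify a storage provider (assumed list for the demo).
CLOUD_HOSTS = {
    "drive.google.com": "Google Drive",
    "www.dropbox.com": "Dropbox",
    "s3.amazonaws.com": "Amazon S3",
    "onedrive.live.com": "Microsoft OneDrive",
}

# Constructed sample payload; the account, ids and links are placeholders.
SAMPLE_TIMELINE = json.dumps([
    {"id_str": "1001", "created_at": "Mon Mar 05 09:12:30 +0000 2018",
     "text": "Vacation photos: https://t.co/placeholder1",
     "entities": {"urls": [{"url": "https://t.co/placeholder1",
                            "expanded_url": "https://drive.google.com/open?id=PLACEHOLDER"}]},
     "user": {"id_str": "42", "screen_name": "sample_user", "name": "Sample User",
              "location": "Nowhere", "created_at": "Wed Aug 27 13:08:45 +0000 2008"}},
    {"id_str": "1002", "created_at": "Tue Mar 06 18:40:01 +0000 2018",
     "text": "Shared the slides https://t.co/placeholder2",
     "entities": {"urls": [{"url": "https://t.co/placeholder2",
                            "expanded_url": "https://www.dropbox.com/s/PLACEHOLDER/slides.pdf"}]},
     "user": {"id_str": "42", "screen_name": "sample_user", "name": "Sample User",
              "location": "Nowhere", "created_at": "Wed Aug 27 13:08:45 +0000 2008"}},
    {"id_str": "1003", "created_at": "Wed Mar 07 07:00:00 +0000 2018",
     "text": "Good morning", "entities": {"urls": []},
     "user": {"id_str": "42", "screen_name": "sample_user", "name": "Sample User",
              "location": "Nowhere", "created_at": "Wed Aug 27 13:08:45 +0000 2008"}},
])

TWITTER_TIME = "%a %b %d %H:%M:%S %z %Y"  # format used by the v1.1 API


def parse_time(text):
    return datetime.strptime(text, TWITTER_TIME)


def parse_timeline(raw_json):
    """Return (profile, statuses) from a user_timeline JSON document."""
    statuses = json.loads(raw_json)
    if not statuses:
        return None, []
    u = statuses[0]["user"]
    profile = {"user_id": u["id_str"], "screen_name": u["screen_name"],
               "name": u["name"], "location": u.get("location"),
               "account_created": parse_time(u["created_at"]).isoformat()}
    parsed = []
    for s in statuses:
        # expanded_url is the real destination behind the t.co wrapper.
        links = [e["expanded_url"] for e in s.get("entities", {}).get("urls", [])]
        parsed.append({"status_id": s["id_str"], "posted": parse_time(s["created_at"]).isoformat(),
                       "text": s["text"], "links": links})
    return profile, parsed


def cloud_links(statuses):
    """Cross-reference posted links against known cloud storage hosts."""
    hits = []
    for s in statuses:
        for link in s["links"]:
            provider = CLOUD_HOSTS.get(urlparse(link).hostname)
            if provider:
                hits.append({"status_id": s["status_id"], "posted": s["posted"],
                             "provider": provider, "url": link})
    return hits


def run_demo():
    profile, statuses = parse_timeline(SAMPLE_TIMELINE)
    return profile, statuses, cloud_links(statuses)


if __name__ == "__main__":
    profile, statuses, hits = run_demo()
    print(profile)
    for h in hits:
        print(h)
```

The output pairs each status id and posting time with the storage provider it points at, which tells the investigator which provider's artifacts (and which preservation request) to pursue next. With a real timeline the only change is replacing `SAMPLE_TIMELINE` with the API response obtained under the appropriate legal authority.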

10.4.2 Tools

Many traditional digital forensics tools have been updated with new features to support cloud forensics. For example, the industry‐leading digital forensic tools EnCase (https://www.guidancesoftware.com/encase‐forensic) and AccessData Forensic Toolkit (FTK) (https://www.accessdata.com/products‐services/forensic‐toolkit‐ftk) can acquire data from the cloud environments of certain providers. According to (Zawoad and Hasan 2014), data can be acquired from the Amazon Elastic Compute Cloud (EC2) environment using an EnCase servlet or FTK Remote Agent. Magnet Forensics' Internet Evidence Finder (IEF) and other third‐party software extensions and hardware dongles may help further expand the capability to cope with other providers' clouds and even social networks (https://www.magnetforensics.com/magnet‐ief). F‐Response, an example competitor tool, utilizes software extensions and hardware connectors to remotely mount cloud storage, such as Amazon S3, Windows Azure storage, and OpenStack Cloud Files, thus providing seamless, efficient cloud forensics (www.f‐response.com).

Enormous amounts of data must be acquired in cloud forensics. It is common for acquiring just 1TB of cloud data to take a few days, which may not be acceptable in certain investigations. In order to test and evaluate the speed and efficiency of cloud data acquisition, (Thethi and Keane 2014) performed testing against Amazon EC2 with different tools. In their testing, the total time consisted of two parts: actual data acquisition time (AT) and data verification time (VT). The winner used a combination of Amazon AWS Snapshot (https://cloudranger.com/aws‐snapshots) and the dd command in Linux (http://www.forensicswiki.org/wiki/Dd) to acquire 30GB of cloud data; the process required 5.09 hours AT and 0.33 hours VT, for a total acquisition time of 5.42 hours (Thethi and Keane 2014). As a comparison, FTK Imager Lite needed a total of 6.76 hours, and FTK Remote Agent needed 9.23 hours to complete the same task (Thethi and Keane 2014). With FaaS, this process is expected to be much faster and more efficient.
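The AT/VT split above is easy to reproduce on a small scale. The block below is an added example, not the chapter's or Thethi and Keane's code: it mirrors a dd‐style acquisition by reading a source in fixed blocks while hashing, writing the image (AT), then re‐reading the image to verify the hash (VT), and finally projects the chapter's 30GB/5.42‐hour measurement linearly to a 1000GB volume. The source is a constructed pseudo‐random file, the block size and file size are assumptions, and the projection assumes throughput stays constant, which real acquisitions do not guarantee.

```python
"""Measure acquisition time (AT) and verification time (VT) of a block copy."""
import hashlib
import os
import tempfile
import time

BLOCK_SIZE = 1024 * 1024  # 1 MiB, comparable to dd bs=1M (assumed)


def acquire(src, dst):
    """Copy src to dst block by block, hashing the source stream on the fly.

    Returns (sha256 of the data read, elapsed seconds = AT)."""
    h = hashlib.sha256()
    start = time.perf_counter()
    with open(src, "rb") as s, open(dst, "wb") as d:
        for block in iter(lambda: s.read(BLOCK_SIZE), b""):
            h.update(block)
            d.write(block)
        d.flush()
        os.fsync(d.fileno())  # make sure the image is really on disk before verifying
    return h.hexdigest(), time.perf_counter() - start


def verify(image):
    """Re-read the written image independently. Returns (sha256, elapsed = VT)."""
    h = hashlib.sha256()
    start = time.perf_counter()
    with open(image, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(block)
    return h.hexdigest(), time.perf_counter() - start


def acquire_and_verify(src, dst):
    src_hash, at = acquire(src, dst)
    img_hash, vt = verify(dst)
    size = os.path.getsize(dst)
    return {"image_path": dst, "bytes": size,
            "source_sha256": src_hash, "image_sha256": img_hash,
            "verified": src_hash == img_hash,
            "at_s": at, "vt_s": vt, "total_s": at + vt,
            # MiB/s over the whole AT+VT window; guards against a zero timer reading
            "throughput_mib_s": (size / (1024 * 1024)) / max(at + vt, 1e-9)}


def project_hours(measured_gb, measured_hours, target_gb):
    """Linear extrapolation of a measured acquisition to a larger volume."""
    return measured_hours * target_gb / measured_gb


def run_demo(size_mib=8):
    """Constructed source: size_mib MiB of os.urandom data in a temp dir."""
    root = tempfile.mkdtemp(prefix="acq_")
    src = os.path.join(root, "source.bin")
    with open(src, "wb") as f:
        for _ in range(size_mib):
            f.write(os.urandom(1024 * 1024))
    return acquire_and_verify(src, os.path.join(root, "image.dd"))


if __name__ == "__main__":
    r = run_demo()
    print(f"verified={r['verified']} AT={r['at_s']:.3f}s VT={r['vt_s']:.3f}s "
          f"{r['throughput_mib_s']:.1f} MiB/s")
    # The chapter's best case, 30 GB in 5.42 h, scales to roughly 181 h for 1000 GB.
    print(f"projected hours for 1000 GB at the chapter's rate: "
          f"{project_hours(30, 5.42, 1000):.2f}")
```

Note that `verify` re‐reads the image rather than reusing the hash computed during the copy; that second pass is what VT measures, and it is what catches a write that silently failed. Flipping a single byte of the image after acquisition makes `verify` return a different digest.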

10.5 Challenges in Cloud Forensics

This section discusses challenges in cloud forensics. The cloud forensics processes and model presented in Section 10.3 provide an essential framework for investigators, and the methods, approaches, and tools discussed in Section 10.4 can be practical and helpful in real cloud forensic investigations. Nonetheless, challenges remain, and some of them are discussed here.

With cloud storage and computing widely used in many countries and regions, one of the main challenges is that data may reside on and transfer among computers and networks in different jurisdictional areas, where laws and regulations regarding data security and privacy may be very different (Chen et al. 2013). While technical issues can be solved by employing the same or similar tools and methods in data acquisition and analysis, these nontechnical issues should be addressed by following the laws and regulations of the country and local regions, which typically introduces overhead such as cost, time, and difficulties (Chen et al. 2015).

Cloud services and programs typically run continuously in a distributed environment maintained by service providers. Compared to mobile service carriers, cloud service providers store and process much larger volumes of customer data, and they may not be willing to pause or stop services to support data acquisition and restoration, or to grant access permissions to the cloud environment for investigation purposes (Chen et al. 2013). In such situations, working with service providers may significantly delay the progress of digital investigations.

Much of the data from the Cloud is nontraditional or nonstandard, thus imposing significant challenges to data acquisition and fixation (Chen et al. 2013). It is also very difficult to preserve digital evidence over time due to the dynamic, heterogeneous nature of cloud data. In traditional digital forensics, system and network audits are very helpful in quickly identifying potential artifacts. However, in the cloud environment, audits become very difficult due to extremely dynamic networks and highly complex data organization and processing (Zheng 2012). This also indicates that, due to short life cycles, artifacts may not be traceable or available at all times, and consequently it can be very difficult to distinguish suspicious from regular activities (Zheng 2012).

10.6 Conclusions

This chapter is the opening for Part II of this book. We discussed models, processes, approaches, methods, tools, and challenges in cloud forensics. Some of these topics are further deliberated in the following chapters. In summary, the Cloud is a dynamic and complex environment in many ways: how and where data is stored and processed, user activities and accesses, service providers' roles and control over the Cloud, and jurisdictions on the legal side, among others. We hope that this chapter and this book provide readers and practitioners with information that can help improve the efficiency and enhance the accuracy of cloud forensic investigations.

References

  1. Alink, W., Bhoedjang, R., Boncz, P.A., and De Vries, A.P. (2006). XIRAF: XML‐based indexing and querying for digital forensics. Digital Investigation 3: 50–58.
  2. Bradshaw, D., Folco, G., Cattaneo, G. et al. (2012). Quantitative estimates of the demand for cloud computing in Europe and the likely barriers to up‐take. European Commission ‐ DG Information Society.
  3. Chen, G., Du, Y., Du, J., and Li, N. (2013). Research of digital forensics under cloud computing environment. Netinfo Security 2013 (8): 87–90.
  4. Chen, L., Xu, L., Yuan, X. et al. (2015). Digital forensics in social networks and the cloud: process, approaches, methods, tools, and challenges. In: Proceedings of the 2015 IEEE International Conference on Computing, Networking and Communications (ICNC). IEEE.
  5. Chung, H., Park, P., Lee, S. et al. (2012). Digital forensic investigation of cloud storage services. Digital Investigation 9 (2): 81–95.
  6. Edington, M. and Kishore, R. (2016). Forensic model for cloud computing: an overview. In: Proceedings of the 2016 International Conference on Wireless Communications, Signal Processing and Networking (WiSPNET), Chennai, India, March 23‐25, 2016. IEEE.
  7. Gong, W., Liu, P., and Chi, X. (2012). Construction and analysis of cloud forensics model. Computer Engineer 38 (11): 14–16.
  8. Howden, C., Liu, L., Ding, Z. et al. (2013). Moments in time: a forensic view of Twitter. In: 2013 IEEE International Conference on Green Computing and Communications and IEEE Internet of Things and IEEE Cyber, Physical and Social Computing, 899–908. IEEE.
  9. Huang, W., Pang, R., and Rong, Z. (2013). A new type of electronic evidence study based on cloud computing platform. Chinese Criminal Science 10 (10): 61–65.
  10. Kent, K., Chevalier, S., Grance, T. et al. (2006). Guide to integrating forensic techniques into incident response. https://www.nist.gov/publications/guide‐integrating‐forensic‐techniques‐incident‐response (accessed 24 March 2018).
  11. Lin, Q. (2013). Research on cloud forensics based on the internet of things. Netinfo Security 2013 (7): 61–64.
  12. Lee, J. and Un, S. (2012). Digital forensics as a service: a case study of forensic indexed search. In: 2012 International Conference on ICT Convergence, 499–503. IEEE.
  13. Li, X. and Deng, Z. (2012). Study on electronic forensic in cloud computing environment. China Information Security 2012 (11): 52–54.
  14. Miao, H. (2013). Forensics scheme in cloud computing environment. Practical Electronics 2013 (24): 88–89.
  15. Mell, P. and Grance, T. (2011). The NIST definition of cloud computing: recommendations of the National Institute of Standards and Technology. https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800‐145.pdf (accessed 24 March 2018).
  16. Parsonage, H. (2014). Computer forensics case assessment and triage. http://computerforensics.parsonage.co.uk/triage.
  17. Palmer, G. (ed.) (2001). A road map for digital forensic research. From the Proceedings of The Digital Forensic Research Conference. DFRWS.
  18. Roussev, Y., Quates, C., and Martell, R. (2013). Real‐time digital forensics and triage. Digital Investigation 10 (2): 158–167.
  19. Ruan, K., Baggili, I.P., Carthy, J. et al. (2011). Survey on cloud forensics and critical criteria for cloud forensic capability: a preliminary analysis. In: Proceedings of the Conference on Digital Forensics, Security and Law, 16.
  20. Ruan, K., Carthy, J., Kechadi, T., and Baggili, I. (2013). Cloud forensics definitions and critical criteria for cloud forensic capability: an overview of survey results. Digital Investigation 10 (1): 34–43.
  21. Thethi, N. and Keane, A. (2014). Digital forensics investigations in the Cloud. In: Proceedings of the 2014 IEEE International Advance Computing Conference, 1475–1480. IEEE.
  22. Wu, L., Wang, L., and Gu, W. (2012). Research on computer forensics system based on cloud computing. Computer Science 39 (5): 83–85.
  23. Wu, T. and Yang, Y. (2010). Study on security analysis and forensics in cloud computing. Telecommunications Science 26 (12): 79–82.
  24. Zargari, S.A. and Smith, A. (2013). Policing as a service in the Cloud. In: Proceedings of the 2013 Fourth International Conference on Emerging Intelligent Data and Web Technologies, 589–596. doi:10.1109/EIDWT.2013.106 (accessed 24 March 2018).
  25. Zawoad, S. and Hasan, R. (2014). Cloud forensics: a meta‐study of challenges, approaches, and open problems. http://arxiv.org/pdf/1302.6312.pdf.
  26. Zhang, C. (2010). Under cloud calculative environment electronic data investigation and evidence collection. Netinfo Security 2010 (11): 52–54.
  27. Zhang, J. and Mai, Y. (2011). Cloud computing environment simulation computer forensics. Netinfo Security 2011 (10): 87–90.
  28. Zheng, Q. (2012). Computer forensic research base on cloud architecture. Journal of Fujian Police Academy 26 (2): 60–63.