12 Digital Forensic Process and Model in the Cloud

Nhien‐An Le‐Khac¹, James Plunkett¹, M‐Tahar Kechadi¹, and Lei Chen²

¹University College Dublin, Dublin, Ireland

²Georgia Southern University, Statesboro, GA, USA

12.1 Introduction

Cloud computing is a new approach to delivering information communications technology (ICT) to organizations. Cloud computing is built on the premise that organizations do not need to invest in buying hardware, software, and network infrastructures to support business‐critical applications. Utilizing a cloud‐based infrastructure, organizations can increase ICT capacity or add ICT capabilities without investing in new infrastructure, training new personnel, or licensing new software. Cloud computing encompasses any subscription‐based or pay‐per‐use service that, in real time over the internet, extends organizations' existing ICT capabilities.

The advent of cloud computing is forcing a change from traditional software and hardware models to ICT being delivered over the internet or through private networks located in shared data centers (public cloud) or within private data centers (private cloud). As global markets change, organizations must also change to meet consumer demands. Organizations require flexible structures; and to complement this flexibility, they require the ability to provide new applications, hardware, and network infrastructures quickly, thus supporting changing market environments and enabling the organization to sustain a competitive advantage. A recent study by IDC, “Quantitative Estimates of the Demand for Cloud Computing in Europe and the Likely Barriers to Take‐up 24,” illustrates that the adoption of cloud computing is on the rise. Information Week has conducted a survey annually illustrating that organizations are increasingly implementing cloud‐based solutions, and these adoption rates have risen from 16% in 2008 to 33% in 2012 (Emison 2013).

On the other hand, the increased adoption rates of cloud computing solutions are also an opportunity for criminals to store information within cloud‐based environments. Criminals are aggressively expanding the use of digital technology for illegal activities. Crimes committed in cyberspace, such as data theft, internet fraud, business espionage, pornography, online child exploitation, and cyberterrorism are on the rise (Kolenbrander et al. 2016).

Law enforcement agencies are increasingly faced with cloud computing solutions being used by companies and individuals who engage in illegal activities. Over the past 20 years, digital forensic techniques have become a vital tool employed by law enforcement agencies in combating criminal activity. The evolution of computer forensics has advanced at a rapid pace due to the rise in computer‐related crime. Computer forensics, which is a branch of digital forensics, is the science of acquiring, retrieving, preserving, and presenting data that has been processed electronically and stored on computer media (Hayes 2014).

The rise of cloud computing not only exacerbates the problem of scale for digital forensic practitioners, but also creates a new forum for cybercrime, with associated challenges (Ruan et al. 2011). Law enforcement agencies can no longer rely on traditional digital forensics techniques during investigations that involve cloud computing platforms. The discovery and acquisition of digital evidence from remote, elastic, provider‐controlled cloud platforms differs considerably from the discovery and acquisition of digital evidence from local suspect devices such as laptops, PCs and servers. Acquiring data from cloud‐based environments requires different tools, techniques, and approaches. It is necessary to develop new processes and techniques to retrieve evidence from cloud‐based environments (Lessing and Von Solms 2008; Faheem et al. 2015).

In this chapter, first we review and discuss digital forensic processes and models in the cloud computing platform. Next, we present a new digital forensics process within cloud‐based environments. This approach will draw on various aspects of digital forensics, such as analysis and acquisition methods. To support this approach, a digital forensic framework model will be developed during live investigations. This new approach will focus on the identification and acquisition of data within cloud‐based environments during the execution of search warrants by law enforcement agencies. The object of this approach is to meet the many challenges of conducting investigations in which evidential material is located within the Cloud. The rest of this chapter is organized as follows. We start in Section 12.2 by presenting digital forensics models and discussing the Digital Forensic Research Workshop (DFRWS) investigative model. We then focus on cloud forensics processes and models in Section 12.3. Finally, in Section 12.4, we discuss new and future cloud forensic models, taking into account what has been developed in this forensic area. We give a constructive analysis before concluding the chapter.

12.2 Digital Forensics Models

In this section, we describe and discuss different digital forensic models proposed in the literature, to see their impact on the current cloud forensic models.

12.2.1 Digital Forensic Framework Model Development

The digital forensic investigative model is vital to the outcome of any digital crime investigation. Overlooking one procedural step may lead to incomplete or inconclusive interpretations and conclusions; hence, incorrect procedures during digital forensic investigations may lead to evidence being inadmissible in court.

The need for a standard framework has been understood by many international law enforcement agencies, and many researchers have proposed frameworks and models to meet the changing requirements of digital forensic investigations. Throughout the rise of computer forensics, various digital forensic models have been developed and can be divided into three categories defined throughout the evolution of ICT:

  • The ad hoc phase: The stage when law enforcement officers identified that there was a need for the development of a framework that could be applied to formal investigation processes when investigating computer‐related crimes. However, there was a lack of structure, clear goals, adequate tools, and processes to develop such a framework. There were also many legal issues surrounding the gathering and handling of digital evidence that hindered the framework’s development (Ryder and Le‐Khac 2016).
  • The structured phase: Characterized by the development of a more complex solution for computer forensics. This development included accepted procedures, frameworks, and tools that were developed specifically to solve computer forensic‐related problems. This phase also led to the development of legislation to support the use of digital evidence during criminal and civil trials. The structured phase appeared in the mid‐1980s, when the Computer Analysis Response Team (CART) and other entities were authorized to handle various types of computer‐related criminal activity.
  • The enterprise phase: The current state of computer forensics, and the most advanced phase. At this level, computer forensics is a mature science and involves the real‐time collection of evidence, the development of effective tools and processes, and the use of structured protocols and procedures.

Various diverse digital forensic models and frameworks support digital forensic investigations. Since 1984, when a formalized digital forensic investigative model was introduced, a number of further models have been developed. For the purposes of this chapter, we have selected the principal models and documented them in chronological order to illustrate the history of their development, because they are a vital component when conducting digital forensic investigations.

Pollitt (1995) proposed a methodology known as the Computer Forensic Investigative Process. This model was developed to support digital forensic investigations. The main objective of Pollitt's model was to ensure that all digital evidence could be scientifically relied upon and would be acceptable to the courts.

12.2.2 Digital Forensic Research Workshop (DFRWS) Investigative Model (2001)

DFRWS is a nonprofit organization dedicated to sharing knowledge and concepts regarding digital forensic research. During the first DFRWS workshop in 2001, researchers identified the need to develop a more comprehensive framework than Pollitt's. DFRWS developed a new digital forensic investigative model to support digital forensic investigations. This model was developed as a result of the complex and diverse nature of digital investigations and how these investigations were evolving with advancements in ICT. The framework introduces digital investigation action classes: these classes are defined by the framework, which categorizes the activities of a digital forensic investigation into groups.

The framework does not dictate what particular actions must be followed. Instead, it provides a list of candidate techniques, some of which are required. The specifics of the framework need to be redefined and tailored to meet the needs of each investigation and law enforcement agency.

12.2.3 Abstract Digital Forensic Model (ADFM) (2002)

Reith et al. (2002) proposed a model inspired by the DFRWS investigative model. This model suggests a standardized digital forensics process with the addition of three extra phases, thus expanding the original DFRWS model to nine phases and strengthening it. For instance, in the preparation phase, particular significance is given to the preparation and testing of digital forensic tools, which is a vital component of the admissibility of evidence in court. The nine phases are as follows. The first phase, identification, is tasked with recognizing and determining the computer crime or incident. Once this is ascertained, the preparation phase identifies the tools and techniques required to conduct the investigation. The approach phase focuses on developing a strategy to maximize the collection of evidence. The preservation phase focuses on the isolation of suspect media, ensuring it is correctly secured and isolated. The chain of custody of evidence is an essential component of this phase. During the collection phase, digital evidential material is collected and duplicated. The identification of relevant evidence from the collection phase is conducted in the following examination phase. Determining significance and drawing conclusions based on the evidence found is carried out during the analysis phase. The presentation phase focuses on the presentation and reporting of the relevant evidence. The final stage, return of evidence, ensures that seized evidence is returned to the owner.

12.2.4 Integrated Digital Investigation Process (IDIP) (2003)

Carrier and Spafford (2003) combined the available investigative framework models into one integrated model. The authors presented a new concept known as the digital crime scene. This refers to the virtual environment created by software and hardware, where digital evidence of a crime may exist. The model consists of five phases: readiness, deployment, physical scene investigation, digital crime scene, and review. The model uses the concept that a computer is itself a crime scene, and thus the investigation theory for a physical crime scene is applied to a digital investigation. The digital crime scene investigation is integrated with the physical crime scene so that physical evidence can be collected. The objective is to connect a suspect to certain digital activity.

12.2.5 Enhanced Integrated Digital Investigation Process (EIDIP) (2004)

The Enhanced Integrated Digital Investigation Process model (Baryamureeba and Tushabe 2004) redefines the forensic process and its progression through various stages. The authors suggested a variant of Carrier and Spafford's IDIP. In the EIDIP model, the authors add two extra phases: traceback and dynamite. These additional phases separate an investigation into a primary crime scene, traceback (the computing device), and a secondary crime scene, dynamite (the physical crime scene). These additional steps reconstruct both crime scenes in order to avoid inconsistencies. A key component of this model is that it addresses data‐protection issues and also highlights the reconstruction of the events that led to a particular incident.

12.2.6 Discussion

In order for digital evidence to be accepted in court, it must be precise and accurate (Schut et al. 2015). Its integrity should not be compromised by negligence due to poor procedures. The primary function of digital forensic models is to assist digital forensic practitioners in following a predefined set of steps during investigations. These models are required due to the complexity and various facets of digital forensic investigation. The frameworks ensure that safeguards are in place to enable digital evidence to be easily elucidated, examined, and processed. The digital forensics framework models described in this section lack the identification of data that may be stored in cloud‐based environments. However, fundamental steps can be drawn from these models and utilized in our approach as well as future approaches.

12.3 Cloud Forensics Process and Model

Cloud computing brings fundamental changes to the way organizations manage their computing needs by enabling them to harness the flexibility of the Cloud while reducing overall ICT running costs. Ruan et al. (2011) stated that cloud computing has the potential to become one of the most transformative computing technologies, following in the footsteps of mainframes, tablet computers, personal computers, the World Wide Web, and smartphones.

With increasing adoption rates and access to a wide variety of cloud solutions, cloud computing is greatly impacting the way digital forensic investigations are conducted. Ruan et al. (2011) recognize that cloud computing operates in a computing environment that is different from traditional on‐site client application environments. The additional complexity for digital forensic investigations in cloud‐based environments arises from the various types of cloud models that exist, such as Software‐as‐a‐Service (SaaS), Infrastructure‐as‐a‐Service (IaaS), and Platform‐as‐a‐Service (PaaS). Despite significant research in the field of digital forensics, little has been written about how digital forensics processes can be applied to a cloud‐based environment. Performing investigations within a cloud‐based environment has gained momentum in the digital forensic community during the past couple of years. The majority of research concerning cloud computing is focused on defining the challenges of performing digital forensic investigations within a cloud computing environment (Birk 2011; Reilly et al. 2011; Ruan et al. 2011). Cloud forensics is a new field of digital forensics that brings new challenges (Reilly et al. 2011), such as evidence identification, legal issues, data acquisition, and the suitability of traditional digital forensic tools to acquire data from the Cloud. These challenges not only exacerbate the problems of digital forensics within a cloud environment but also create a new front for digital forensic investigations.

Barbara (2009) highlights the important issue of data identification in the Cloud, stating that “with the huge amount of potential data flowing in and out of a cloud, how do you identify individual users of individual services provided by a transient host image, particularly when they make expert efforts to cover their tracks?” Hence, it is clear that digital forensic practitioners will need to adapt their processes and tools in order to conduct investigations in cloud environments. According to Frowen (2009), there is no foolproof, universal method of extracting evidence in an admissible fashion from the Cloud, and in some cases, very little evidence is available to extract. As such, cloud computing represents just one of the fast‐paced technological developments presenting ongoing challenges to legislators, law enforcement officials, and computer forensic analysts. Cloud computing is the most difficult area when it comes to satisfying guidelines mentioned by the Association of Chief Police Officers (ACPO) related to searching and seizing evidence, due to the remoteness of cloud data centers (http://www.digital‐detective.net/acpo‐good‐practice‐guide‐for‐digital‐evidence). Reilly et al. (2011) state that certain aspects of computer forensic processes can be applied to cloud computing, but the main stumbling block is the fact that it may be impractical or legally impossible for digital forensic investigators to seize physical devices likely to contain digital evidence. Dykstra and Sherman (2012) state that discovery and acquisition of evidence in remote, elastic, provider‐controlled cloud computing platforms differ from traditional digital forensics, and examiners lack the proper tools to conduct these tasks.

Criminals that target or use cloud computing will undoubtedly emerge in this landscape, and investigators will continue to rely on their existing expertise and tools such as Guidance Software's EnCase or AccessData's Forensic Toolkit unless alternative tools or techniques are developed (Richard and Roussev 2006). Several researchers have pointed out that evidence acquisition is a forefront issue with cloud forensics (Dykstra and Sherman 2012; Taylor et al. 2011). In addition, Ruan et al. (2011) identified the main peripheral challenges posed by cloud adoption and digital investigations within cloud‐based environments:

  • Data jurisdictional issues
  • Lack of international collaboration and legislative mechanisms
  • Lack of laws and regulations
  • Decreased access to and control over data

Birk (2011) states that technical challenges for cloud forensics investigations arise due to the various types of cloud computing environments and uncertainty about how to conduct investigations in these environments. Garfinkel (2010) suggests that “cloud computing in particular may make it impossible to perform basic forensic steps of data preservation and isolation of forensic data/systems of interest.” Lillard et al. (2010) see cloud computing as a subject that must be approached as a matter of network forensics combined with remote disk forensics. However, there are other considerations for law enforcement officers to contemplate when conducting investigations in the Cloud, such as time‐dependent issues, extracting large volumes of data, lack of access to data due to the absence of passwords or a lack of expertise, and the procedures and appropriate tools to use during the execution of search warrants. These issues have not been considered fully by Birk and others (Dykstra and Sherman 2012; Ruan et al. 2011; Taylor et al. 2011). In addition, in cloud computing platforms, law enforcement investigators do not have physical control over the data or the data centers in which it resides. Many users access cloud platforms with data that resides locally and/or is synced (Boucher and Le‐Khac 2018). How does law enforcement seize only that portion of artifacts where the evidence may exist? How will they know if they have gotten everything they will need during the analysis, interpretation, documentation, and presentation of evidence? According to the results of a survey conducted by Ruan et al. (2011) of 156 forensics experts and practitioners worldwide, more than half of the respondents agreed that the establishment of a new foundation of standards and policies for digital forensics in cloud‐based environments is an opportunity. Indeed, 88.89% agreed or strongly agreed that designing forensic architectures for the Cloud is a valuable research direction for cloud forensics.

The need for digital investigations in cloud environments will increase as the adoption of cloud services continues to grow. This will compel law enforcement agencies to adapt their digital forensic procedures when conducting investigations in cloud environments. The extent to which law enforcement agencies have changed from traditional digital forensics processes to meet the challenges posed by cloud forensics could not be established through this research. The challenges in relation to cloud‐based forensics are not only technical; there are many legal challenges associated with data recording, privacy, and access issues (Cushman et al. 2016). In addition, the manner in which access is provided to digital forensic practitioners and the process of acquiring evidential material also pose legal concerns. These concerns are extremely important, especially in relation to cloud environments being ubiquitous, multinational, and widely distributed. However, these issues do not fully address the intricacies law enforcement investigators are faced with when executing search warrants within cloud environments. In another survey conducted by Ruan et al. (2011), of 72 respondents who were asked what the challenges are in cloud forensics, 90.14% agreed or strongly agreed that jurisdiction issues were a key challenge and 82.94% agreed or strongly agreed that the lack of laws/regulations was also a challenge. This is further complicated if cloud resources are distributed across international boundaries. Ruan et al. (2011) stated that traditional digital forensic professionals identify multijurisdictional and multitenancy challenges as the top legal concern. Performing forensics in the cloud exacerbates these challenges. To summarize, we can say that cloud forensics is in its infancy, although a number of important papers have been published in this area that give insight into the more theoretical side.

The research did identify that cloud adoption is high and, as a result, the number of cloud‐based investigations will rise. These high adoption rates pose a new set of challenges for law enforcement agencies. A number of authors have identified critical points regarding cloud forensics and the issues that law enforcement agencies will face. A digital forensic framework model applicable to cloud forensics is required. In addition, many researchers have stated that the current set of digital forensic tools cannot be fully applied to acquisitions in cloud environments. A number of authors agree that the difficulties posed by cloud forensics are complex, given the various forms of cloud computing services that exist. In addition, there are large implications when acquiring data from a cloud environment that may spread over multiple jurisdictions. Researchers have explored the challenges and proposed some solutions to mitigate these challenges. These solutions may be practical during incident response or civil investigations. However, solutions put forward by some researchers could not be utilized by law enforcement agencies in criminal investigations. These issues illustrate the requirement to develop a digital forensic framework for cloud‐based investigations supported by appropriate digital forensic tools. This would assist both law enforcement agencies and non‐law enforcement bodies conducting criminal investigations in the Cloud.

12.4 Toward a New Cloud Forensics Model

Another objective of our research is to build a new digital forensic process that enables investigators to identify and extract data from cloud systems, and to address the associated problems. To do so, we launched a study on how the proliferation of cloud computing is affecting investigators, including their depth of knowledge of cloud computing, their digital forensic approaches, and their views on moving away from the traditional digital forensic approach. We learned the following from our study:

  • Investigating cloud environments is very challenging. In addition, the growth of social media is adding to the challenges faced by investigators when conducting investigations in the Cloud.
  • Using traditional approaches to digital forensics may ultimately lead to the loss of evidential material if employed during the execution of search warrants. The reason is that computer forensic practitioners may only establish that a cloud‐based solution was used by a suspect during the review of the seized evidence. This can lead to the destruction of evidence in the Cloud by a suspect.

Due to the limitations of traditional forensics, an alternative digital forensic model is required, supported by a robust framework to identify and extract data from cloud environments. Our new model was initially presented in Plunkett et al. (2015). In this chapter, we continue to detail and complete it with a comprehensive study and evaluation. This model is described as a framework that enables an investigator to identify and extract specific data relating to a given case in the most efficient manner. In addition, we also propose a number of digital forensics tools that support the extraction of evidential material from a cloud system. These tools have usually been fully accepted by the courts. There are different ways to launch a cloud investigation. However, our research found that investigators need to be specific about the data volumes they identify and acquire. This applies to organizations or individuals that may be under investigation. It is neither practical for investigators to seize entire virtual machines running on cloud systems nor practical to seize entire physical servers of data centers. Hence, our approach has been developed by being cognizant of the factors mentioned previously while also ensuring that the following considerations are addressed: (i) time on site and (ii) large data extraction. First, when officers investigate a suspect location under a search warrant, the time spent on site is a critical factor. They need to identify, document, and acquire evidential material in a reasonable timeframe that does not greatly impact the suspect organization or individual. Second, during the execution of a search warrant, investigators can be faced with very large volumes of data. Extracting all the potentially useful data during the execution of a search warrant can cause a number of issues.

12.4.1 Model

This digital forensic framework model consists of three main components, coupled with the use of dedicated software and hardware: (i) pre‐search preparation; (ii) search; and (iii) post‐search investigation. Each component has a number of tasks that must be completed before the next component is started. Figure 12.1 illustrates these steps.

[Figure 12.1 placeholder: schematic of the proposed cloud forensic model. Internal case team intelligence gathering is passed to the digital forensic practitioner, who initiates the pre‐search stage, followed by the search stage and the post‐search stage, leading to the digital forensic report.]

Figure 12.1 Proposed cloud forensic model.

12.4.2 Pre‐Search

The pre‐search stage has five tasks that must be completed prior to the execution of a search:

  1. Gather all publicly available information regarding suspect individuals or organizations. Particular focus during this stage is on trying to identify the IT environment within the target location. Open source intelligence gathering can identify whether a cloud‐based environment may be encountered during the execution of a search warrant. This task focuses on gathering all relevant intelligence regarding the suspect organization, its target employees, or an individual. The intake and orientation; strategy, search, store; technical capabilities, tactical applications; analysis; refine, recycle, and reporting (ISTAR) method (Doodeman 2017) can be used as a means of intelligence gathering while ensuring that the correct steps are taken during this stage.
  2. Ensure that all digital forensic tools used in the extraction of evidence are forensically sound and function correctly prior to use. This task ensures that during the execution of a search warrant, all digital forensic tools used to acquire digital evidence are used in a forensically sound manner. The tool used to wipe all sectors on the storage devices needs to be rigorously tested and documented to ensure that it is correctly functioning prior to conducting the wiping of storage devices.
  3. Ensure that all storage media used to store evidential material is sterile. It is vital that all storage media used to store evidential material is forensically wiped to ensure that no cross contamination of evidence can occur. Each storage device must be forensically wiped and verified to ensure that no data resides on the device.
  4. Build a picture of the ICT infrastructure of the target location, and identify whether cloud‐based infrastructures exist. This task deals with the development of an on‐site ICT infrastructure questionnaire. The objective of the questionnaire is to develop a picture of the ICT environment during the execution of a search warrant. The questionnaire will assist digital forensic practitioners in ascertaining whether cloud‐based solutions are being utilized. Vital information will be recorded during this phase of the search, including information such as passwords used to access any cloud‐based environments, the type of encryption solutions that may be employed within the organization, the identification and recording of the security controls in place, and establishing how access to data is controlled within the organization.
  5. Ensure that all search team members are aware of the intelligence gathered and the proposed operational plan. This step ensures that all members of the investigation and search team are briefed on all intelligence gathered and the approach to be employed by the digital forensic practitioners. It is important that search team members are briefed prior to the execution of a search warrant because each team member will be responsible for securing the scene and ensuring that no digital evidence can be destroyed during the initial stages of the execution of the search warrant.
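As an added example (not code from the chapter or its authors) of the verification that tasks 2 and 3 call for, the following Python script streams a wiped device or image, confirms that every byte reads as zero, records the offset and sector of any residual data, and hashes the content so the check can be documented and repeated. The sample images, their size and the 512‐byte sector assumption are constructed for illustration.

```python
"""Verify that storage media prepared for an acquisition is sterile.

Added example for pre-search tasks 2 and 3; not code from the chapter.
Assumptions: the wiped device (or an image of it) is readable as a file
path, "sterile" means every byte reads as 0x00, and the verification
record keeps a SHA-256 over the whole device so it can be reproduced.
"""
import hashlib
import os
import tempfile

SECTOR = 512  # assumed sector size, used only to report a sector number


def verify_sterile(path, chunk_size=1024 * 1024):
    """Stream the device/image and confirm every byte is zero.

    Returns a dict with:
      sterile       - True only if no non-zero byte was found
      size          - number of bytes read
      first_nonzero - offset of the first non-zero byte, or None
      sector_of_first_nonzero - that offset expressed as a sector number
      sha256        - hash of the full content, for the wipe record
    """
    digest = hashlib.sha256()
    size = 0
    first_nonzero = None
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            digest.update(chunk)
            # bytes.count(0) counts zero bytes; a shortfall means residue
            if first_nonzero is None and chunk.count(0) != len(chunk):
                for i, b in enumerate(chunk):
                    if b:
                        first_nonzero = size + i
                        break
            size += len(chunk)
    return {
        "sterile": first_nonzero is None,
        "size": size,
        "first_nonzero": first_nonzero,
        "sector_of_first_nonzero": (
            None if first_nonzero is None else first_nonzero // SECTOR
        ),
        "sha256": digest.hexdigest(),
    }


def expected_zero_hash(size):
    """SHA-256 that a sterile device of this size must produce; comparing
    it with verify_sterile()['sha256'] is an independent cross-check."""
    digest = hashlib.sha256()
    zeros = bytes(1024 * 1024)
    remaining = size
    while remaining > 0:
        n = min(remaining, len(zeros))
        digest.update(zeros[:n])
        remaining -= n
    return digest.hexdigest()


def make_sample_image(sterile, size=4 * SECTOR):
    """Constructed sample: a small image file, optionally with one
    residual byte left in sector 2 to mimic an incomplete wipe."""
    data = bytearray(size)
    if not sterile:
        data[2 * SECTOR + 17] = 0x41
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def verify_sample(sterile):
    """Create a constructed sample image, verify it, and remove it."""
    img = make_sample_image(sterile)
    try:
        return verify_sterile(img)
    finally:
        os.unlink(img)


if __name__ == "__main__":
    for label, flag in (("wiped", True), ("residual data", False)):
        print(label, verify_sample(flag))
```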

12.4.3 Search Stage

The search stage focuses on the execution of the search warrant and the identification and acquisition of digital evidence. The stage comprises four phases: (i) secure the scene; (ii) identify IT personnel and complete the on‐site infrastructural questionnaire; (iii) prioritization of targets and devices; (iv) RAM and internet acquisition, and identified cloud and local acquisition.

  • Phase 1: Secure the scene

    The main objectives of this phase are to secure the scene, identify target individuals, and obtain access passwords. In addition, it is important to ensure that no suspect personnel delete any electronic data. Each search team member should have been briefed and trained on how to secure the scene and search site prior to the execution of the search warrant. In addition, each team member will be assigned a high‐priority target identified in pre‐search task 1 (as discussed in the previous section).

    It is also vital that each team member acquire the username and password in order to maintain access to the computing devices associated with individual targets. However, this depends on the legislation of each country or region as discussed in our previous research (Ryder and Le‐Khac 2016). For example, during the execution of a search warrant, Irish law enforcement officers have the right to request all passwords to access any systems they believe may contain evidential material. The Criminal Justice Bill, 2011 and the Competition Act, 2002 have provisions and associated sanctions for non‐cooperation.

  • Phase 2: Identify IT personnel and complete the on‐site infrastructural questionnaire

    The purpose of this phase is to gain an understanding of the ICT infrastructure in order to facilitate the acquisition of specific target data and the prioritization of target individuals who utilize cloud systems. When using our model, it is the responsibility of the lead investigator to identify the individual responsible for the maintenance of the ICT environment during the execution of the search warrant. If the ICT is managed externally, the next step is to request that the external ICT support organization assist the lead investigator in establishing the ICT environment of the suspect organization. If no assistance can be given to the lead investigator, the warrant holder will be informed, because the prioritization of targets and data may change due to the lack of access or knowledge of the ICT infrastructure in question. Once completed, the ICT infrastructure questionnaire should provide the investigator with a detailed view as to how the ICT infrastructure of the target location is constructed.

  • Phase 3: Prioritization of targets and devices

    The infrastructure questionnaire focuses on identifying whether any cloud‐based systems are being utilized by the organization or individual. Once the questionnaire is completed, the investigator will communicate with the warrant holder to establish whether any further targets have been identified. The warrant holder will also communicate any additional passwords identified by the other team members during phase 1. If no additional targets have been identified, the lead investigator will begin the process of prioritizing the target individuals and will acquire specific digital evidence. The acquisition of data will be prioritized based on targets that can access cloud systems.

  • Phase 4: RAM and internet acquisition, and identified cloud and local acquisition

    These steps ensure that the most effective approach is applied to acquiring digital evidence stored either on the Cloud or on a local device. This stage has a number of predefined steps that must be carried out in a certain order:

    1. Acquisition of volatile data is required in order to ensure that any passwords running in random access memory (RAM) can be acquired if not voluntarily disclosed to a search team member.
    2. Acquisition of all internet‐related evidence.
    3. Analysis of data. This stage focuses on reviewing the two datasets acquired previously to identify whether any cloud‐based applications have been utilized on the suspect machine. If identified, further information may be required from the user of the suspect machine. Once a detailed picture of the suspect device is established, along with how the user operates this device, the process of acquiring the digital evidence can commence. If the acquisition relates to data in cloud‐based environments, then a specific approach will need to be applied, depending on the type of cloud models or cloud services.
    4. Acquisition of the registry. This is an important step in establishing detailed information regarding the suspect device such as application install dates, internet and application most‐recently used lists, and username/password access. This evidence is vital to link the user of a computer to digital evidence found.
    5. Investigation of the user‐access control within the local or network environment. Using tools such as AccessEnum (Russinovich 2006) will assist digital forensic practitioners, post‐search, in constructing a picture of who had access to particular electronic evidence.

12.4.4 Post‐Search Investigation Stage

The post‐search investigation stage focuses on the acquisition of the evidence seized and analysis of this evidence. This stage is composed of three phases.

  • Phase 1: Acquisition

    All evidence seized from the suspect organization or individual will be acquired from the sterile media as discussed in the pre‐search stage. Best practice techniques state that a digital forensic practitioner should never work on original evidence; therefore, all evidence seized will be copied to a digital forensic workstation (http://www.digital‐detective.net/acpo‐good‐practice‐guide‐for‐digital‐evidence). A forensic workstation will be used to conduct analysis of all data acquired during an investigation. The forensic workstation will also utilize sterile disks and will not be connected to any networked environments. This is to ensure the integrity of the evidence being analyzed. Once the data is acquired, it is verified against the original evidence; the original evidence is then given to the case exhibits officer to ensure the continuity of this evidence.
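    The copy-then-verify step of this phase, combined with the keyword and timeframe filtering the evaluation later describes being done with EnCase Portable, as an added example that is not part of the chapter and uses no vendor tool: files on a seized share that fall inside the warrant's timeframe and contain a keyword are copied to the workstation, each copy is hashed against its source, and a manifest is produced for the exhibits record. The share layout, file contents, keywords and dates are constructed sample data.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    """Stream a file through SHA-256 so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire(source_dir, dest_dir, keywords, start, end):
    """Copy files inside [start, end] whose name or body contains a keyword,
    verify every copy against the source hash, and return a manifest."""
    manifest = []
    for root, _, names in os.walk(source_dir):
        for name in names:
            src = os.path.join(root, name)
            modified = datetime.fromtimestamp(os.path.getmtime(src), tz=timezone.utc)
            if not start <= modified <= end:
                continue  # outside the timeframe covered by the warrant
            with open(src, "rb") as f:
                body = f.read().lower()
            if not any(k.lower() in name.lower() or k.lower().encode() in body
                       for k in keywords):
                continue  # no keyword hit in file name or contents
            rel = os.path.relpath(src, source_dir).replace(os.sep, "/")
            dst = os.path.join(dest_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)  # copy2 preserves the source timestamps
            source_hash = sha256_of(src)
            manifest.append({"path": rel, "sha256": source_hash,
                             "verified": sha256_of(dst) == source_hash,
                             "modified": modified.isoformat()})
    return manifest


def build_sample_share(base):
    """Constructed seized share: only one file is both on-topic and in 2014."""
    samples = {
        "contracts/tender_prices.xlsx": (b"agreed tender prices, region north", "2014-03-04T10:00:00+00:00"),
        "hr/holiday_roster.docx": (b"annual leave calendar", "2014-03-04T11:00:00+00:00"),
        "contracts/old_tender.docx": (b"tender allocation 2009", "2009-06-01T08:00:00+00:00"),
    }
    for rel, (data, stamp) in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        ts = datetime.fromisoformat(stamp).timestamp()
        os.utime(path, (ts, ts))  # set the constructed modification time


def run_demo():
    """Acquire from a temporary constructed share; returns the manifest."""
    with tempfile.TemporaryDirectory() as work:
        share, workstation = os.path.join(work, "share"), os.path.join(work, "workstation")
        build_sample_share(share)
        return acquire(share, workstation, ["tender"],
                       datetime(2014, 1, 1, tzinfo=timezone.utc),
                       datetime(2014, 12, 31, tzinfo=timezone.utc))
```

The keyword test reads each candidate file fully; on a large share a streaming search would replace that step, but the hash verification and manifest are unchanged.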

  • Phase 2: Analysis

    Once all the evidential material is acquired to the forensic workstation, the analysis can begin. An important aspect of this analysis is to ensure that all data seized from the target organization or individual is made available to the case team. The pertinent evidence is identified by the case team and communicated to the forensic practitioner. The forensic practitioner will identify the evidence from the original acquisition images and will attempt to establish, through document metadata, the report, and intelligence gathered through the onsite infrastructural questionnaire, who was the creator and editor of the identified evidential files.
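    The document-metadata step of this phase, as an added example that is not part of the chapter: the creator and last-editor fields of Office Open XML packages (docProps/core.xml) are read and matched against the account names recorded in the on-site questionnaire, and any file whose fields name nobody on that list is flagged for follow-up rather than attributed. The target list, account names and packages are constructed sample data.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml in an Office Open XML package
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def read_core_properties(package_bytes):
    """Return creator, last editor and timestamps from core.xml, or {} if absent."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(tag):
        el = root.find(tag, NS)
        return el.text.strip() if el is not None and el.text else None

    return {"creator": text("dc:creator"), "last_modified_by": text("cp:lastModifiedBy"),
            "created": text("dcterms:created"), "modified": text("dcterms:modified")}


def attribute_files(files, targets):
    """Link each file to the questionnaire target whose account name appears as
    creator or last editor; anything else stays 'unattributed' for follow-up."""
    lookup = {account.lower(): target for account, target in targets.items()}
    report = {}
    for name, data in files.items():
        props = read_core_properties(data)
        report[name] = {
            "creator": lookup.get((props.get("creator") or "").lower(), "unattributed"),
            "editor": lookup.get((props.get("last_modified_by") or "").lower(), "unattributed"),
            "modified": props.get("modified"),
        }
    return report


def make_sample_package(creator=None, editor=None, created=None, modified=None):
    """Constructed minimal package; core.xml is omitted when no creator is given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if creator is not None:
            core = (
                '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">'
                '<dc:creator>{c}</dc:creator><cp:lastModifiedBy>{e}</cp:lastModifiedBy>'
                '<dcterms:created>{cr}</dcterms:created><dcterms:modified>{mo}</dcterms:modified>'
                '</cp:coreProperties>'
            ).format(c=creator, e=editor, cr=created, mo=modified, **NS)
            z.writestr("docProps/core.xml", core)
    return buf.getvalue()


# Constructed case data: account names recorded in the on-site questionnaire
TARGETS = {"j.smith": "Target 1", "a.jones": "Target 2"}
SAMPLE_FILES = {
    "pricing_agreement.docx": make_sample_package("j.smith", "a.jones", "2014-03-02T09:15:00Z", "2014-03-05T17:42:00Z"),
    "board_minutes.docx": make_sample_package("Administrator", "J.Smith", "2013-11-20T08:00:00Z", "2014-02-11T12:30:00Z"),
    "no_metadata.docx": make_sample_package(),
}
```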

  • Phase 3: Reporting

    A forensic report will be created by the forensic practitioner. The on‐site infrastructural questionnaire is a key component for the generation of the forensic report because it forms the initial foundations of how and why evidence was identified and acquired. The onsite infrastructural questionnaire will also detail who had access to cloud‐based systems, how they were used, and what files were acquired from the Cloud. This information, coupled with the registry analysis and the report, will try to link suspect individuals to vital pieces of evidence. The report will consist of an overview of the case and a summary of where the evidence was found, the forensic analysis that was conducted, and the findings based on the evidential material.

12.5 Evaluation and Analysis

To evaluate the proposed approach, we consider the following scenario. In a country, the Authority was established following the enactment of the Competition Act, 1991. The function of the Authority is to promote competition in all sectors of the economy by tackling anticompetitive practices and by increasing awareness of such practices. Where there is evidence of businesses engaging in anti‐competitive practices – whether through price‐fixing or abusing their dominant position – the Authority can intervene through the enforcement of competition law. Under Section 45 of the Competition Act 2002, the Authority has the power to enter any premises to seize and retain any books, documents, and records. The application of the proposed model was utilized by the Authority's digital forensics practitioners in conjunction with traditional forensic techniques during the execution of three search warrants on organizations alleged to be engaged in cartel behavior. Prior to the implementation of our approach, the Authority utilized traditional digital forensic methods. The Authority's Cartels division is responsible for investigating alleged hard‐core criminal Cartels. The information outlined here does not refer directly to the industry in which the investigation took place, the organizations that were under investigation, or the people involved in the alleged behavior. The organization, for referral purposes, will be called Organization A. The Cartels division received intelligence regarding cartel behavior in a particular industry, and, as a result, further evidence was required to progress the investigation. This evidence would be gathered through the execution of two search warrants on the suspected organizations. In this evaluation, we focus on the search stage and post‐search investigation.

12.5.1 Search Stage

12.5.1.1 Secure the Scene/Onsite Infrastructural Questionnaire

The search warrant was executed, and the search scene was secured by the search team members. The lead digital forensic practitioner assigned to the search site requested access to the IT manager to ascertain the IT infrastructure of the organization.

The organization in question did not have an IT manager on site; however, the organization utilized an IT support company. The lead digital forensic practitioner made contact with the IT support company and acquired the administration passwords to access the servers and computers of Organization A.

Further information regarding the IT infrastructure of Organization A was supplied to the lead investigator, enabling them to complete the on‐site infrastructural questionnaire. The infrastructural questionnaire identified that Organization A utilized Gmail as its primary e‐mail application. Two users had sole access to the account. These users had previously been identified as target individuals. No other target individuals were identified within Organization A.

The lead investigator requested the Gmail passwords from the target individuals; these were voluntarily disclosed and documented in the on‐site questionnaire. The lead investigator commenced the acquisition of the two targets identified in accordance with the search stage, phase 4: RAM and internet acquisition, review, identify cloud and local acquisition. The acquisition of RAM of both target devices was conducted, and Internet Evidence Finder was run on both target devices; it revealed that no other cloud‐based systems were being utilized by these target individuals. The lead investigator then employed EnCase Portable and configured an EnScript to search each of the suspect devices for any locally stored e‐mail files and to report on any documentary files that had been deleted from the system within a specific timeframe. No e‐mail files were found; however, a number of suspect files were identified as having been deleted.

12.5.1.2 Acquisition of the Gmail Account

No locally stored e‐mail applications were installed on either target device; therefore, Microsoft Outlook 2010 had to be installed on one of the target devices. This process was documented by the lead digital forensic practitioner. Once installed, the Post Office Protocol (POP) accounts with the usernames and passwords were configured in Microsoft Outlook 2010, and a local .pst file was generated and acquired to the forensic storage device.

12.5.1.3 Acquisition of Pertinent Network Data

Both previously identified targets accessed a single network share that contained evidential material. The network share was located on a server within the target premises. The share name was directly related to the nature of the alleged offense, and all data within this share was deemed to be of high importance. The acquisition of the entire share was made using FTK Imager. The acquired forensic image was generated and written to the forensic storage device. Using AccessEnum, a report was generated on the security and access control of this share. This report was placed on the sterile storage device.

12.5.1.4 Seizure of Devices

During the initial stages of the analysis of both target devices, it was established that a number of suspect files had been deleted from both target machines that might hold evidential material. It was therefore recommended to the warrant holder by the lead investigator that both devices should be seized. The lead investigator powered off both target devices and seized them.

12.5.2 Results/Report

If traditional digital forensic techniques had been used in this investigation, vital information such as the cloud application Gmail and data stored on encrypted drives would not have been identified, and thus vital evidential material might have been overlooked. Using our proposed model enabled the lead investigator and the search team to work together to identify targets and evidential material prior to the execution of a search warrant. The use of the onsite questionnaire and the systematic approach enabled the investigator to identify whether cloud systems were being utilized within the target organization.

Using EnCase Portable to search various network drives for particular keywords enabled the investigator to acquire relevant data, thus reducing the size of the evidential material. All data was acquired using digital forensic tools. These tools also verified the acquisition of any data and provided the investigation team with the best evidence possible. The final stage of our approach has not been applied to this investigation because it is a live case and has not proceeded to this stage as yet.

12.6 Conclusion

In this chapter, the challenges of cloud forensics have been discussed in conjunction with examining current digital forensic tools and frameworks. The utilization of digital forensic tools that have the ability to systematically search digital devices, whether in the Cloud or locally stored, is critical to conducting effective forensic investigations. Current research efforts suggest that cloud forensics is still in its infancy. Numerous challenges have been identified and incorporated into our proposed cloud forensic model. The proposed model successfully identified and extracted data from a cloud computing system. Acquiring evidence from the Cloud is complex but can be simplified and accomplished in an organized and systematic way by utilizing an appropriate digital forensic framework. The proposed approach attempts to improve upon existing digital frameworks through the amalgamation of standard techniques. The proposed model also advocates a systematic approach supported by digital forensic tools, which reduces the risks associated with the acquisition of digital evidence.

The growth of smart mobile devices and their integration with cloud systems is a new area and requires further research. Computing devices such as laptops and PCs will soon be overtaken by smart mobile devices. This opens a new set of challenges for cloud forensics and will require fundamentally different tools and supporting frameworks (Faheem et al. 2015; Faheem et al. 2016). The current generation of digital forensics tools is limited in use when acquiring data from a cloud system. These tools have been overtaken by the advances of cloud‐based solutions and the intense growth of information. Research regarding the next generation of digital forensic tools for law enforcement agencies is required to meet future advancements of cloud technologies.

References

  1. Barbara, J.J. (2009). Cloud computing: another digital forensic challenge. Forensic Magazine. https://www.forensicmag.com/article/2009/10/cloud‐computing‐another‐digital‐forensic‐challenge (accessed December 2016).
  2. Baryamureeba, V. and Tushabe, F. (2004). The enhanced digital investigation process model. In: Proceedings of the Fourth Digital Forensic Research Workshop, 1–9.
  3. Birk, D. (2011). Technical challenges of forensic investigations in Cloud. http://www.zurich.ibm.com/~cca/csc2011/submissions/birk.pdf (accessed December 2016).
  4. Boucher, J. and Le‐Khac, N.‐A. (2018). Forensic framework to identify local vs synced artefacts. Digital Investigation 24 (1): 2018.
  5. Carrier, B. and Spafford, E.H. (2003). Getting physical with the digital investigation process. International Journal of Digital Evidence 2 (2).
  6. Cushman, I., Chen, L., Rawat, D. et al. (2016). Designing hybrid cloud using OpenStack for supporting multimedia with security and privacy concerns. 9th EAI International Conference on Mobile Multimedia Communications, Xi'an, China, June 18–19, 2016.
  7. Doodeman, M. (2017). ISTAR model. Dutch National Police Agency.
  8. Dykstra, J. and Sherman, A.T. (2012). Acquiring forensic evidence from infrastructure‐as‐a‐service cloud computing: exploring and evaluating tools, trust, and techniques. Digital Investigation 9: S90–S98.
  9. Emison, J.M. (2013). Research: 2013 State of Cloud Computing.
  10. Faheem, M., Kechadi, M.‐T., and Le‐Khac, N.‐A. (2015). The state of the art forensic techniques in mobile cloud environment: a survey, challenges and current trend. International Journal of Digital Crime and Forensics 7 (2): 1–19.
  11. Faheem, M., Kechadi, M.‐T., and Le‐Khac, N.‐A. (2016). Toward a new mobile cloud forensic framework. IEEE Sixth International Conference on Innovative Computing Technology (INTECH), Dublin, Ireland, 24–26 August 2016.
  12. Federal CIO Council (2011). Guidelines for Secure Use of Cloud Computing by Federal Departments and Agencies.
  13. Frowen, A. (2009). Cloud computing and computer forensics. http://www.artipot.com/articles/384511/coud‐computing‐and‐computer‐forensics.htm (accessed December 2016).
  14. Garfinkel, S.L. (2010). Digital forensics research: the next 10 years. Digital Investigation 2010 (7): S64–S73.
  15. Hayes, D. (2014). A Practical Guide to Computer Forensics Investigations. Pearson IT Certification.
  16. Kolenbrander, F., Le‐Khac, N.‐A., and Kechadi, M.‐T. (2016). Forensic analysis of ARES GALAXY peer‐to‐peer network. 11th Annual ADFSL Conference on Digital Forensics, Security and Law, Florida, USA, May 2016.
  17. Lessing, M. and Von Solms, S.H. (2008). Live forensic acquisition as alternative to traditional forensic processes. 4th International Conference on IT Incident Management & IT Forensics.
  18. Lillard, T.V., Garrison, C.P., Schiller, C.A. et al. (2010). Digital Forensics for Network, Internet, and Cloud Computing. Syngress Media.
  19. Plunkett, J., Le‐Khac, N.‐A., and Kechadi, M.‐T. (2015). Digital forensic investigations in the Cloud: a proposed approach for Irish law enforcement. 11th Annual IFIP WG 11.9 International Conference on Digital Forensics (IFIP119 2015), Orlando, Florida, United States, 26–28 January 2015.
  20. Pollitt, M.M. (1995). Computer forensics: an approach to evidence in cyberspace. In: Proceedings of the National Information Systems Security Conference, Baltimore, vol. II, 487–491.
  21. Reilly, D., Wren, C., and Berry, T. (2011). Cloud computing: pros and cons for computer forensic investigations. International Journal Multimedia and Image Processing 1 (1): 26–34.
  22. Reith, M., Carr, C., and Gunsch, G. (2002). An examination of digital forensic models. International Journal of Digital Evidence 1 (3).
  23. Richard, G.G. III and Roussev, V. (2006). Digital forensic tools: the next generation. In: Digital Crime and Forensic Science in Cyberspace, 75–90. IGI Global.
  24. Ruan, K., Carthy, J., Kechadi, T. et al. (2011). Cloud forensics, advances in digital forensics VII. IFIP Advances in Information and Communication Technology 361: 35–46.
  25. Russinovich, M. (2006). AccessEnum v1.32. https://docs.microsoft.com/en‐us/sysinternals/downloads/accessenum (accessed December 2016).
  26. Ryder, S. and Le‐Khac, N.‐A. (2016). The end of effective law enforcement in the Cloud? To encrypt, or not to encrypt. The 9th IEEE International Conference on Cloud Computing, San Francisco, CA, USA, June 2016.
  27. Schut, H., Farina, J., Scanlon, M. et al. (2015). Towards the forensic identification and investigation of cloud hosted servers through noninvasive wiretaps. The 10th International Workshop on Frontiers in Availability, Reliability and Security (FARES 2015), Toulouse, France, August 24–28, 2015.
  28. Taylor, M., Gresty, D., and Lamb, D. (2011). Forensic investigation of cloud computing systems. Journal Network Security 2011 (3): 4–10.