Towards Building Forensics Enabled Cloud Through Secure Logging-as-a-Service

Collection and analysis of various logs (e.g., process logs, network logs) are fundamental activities in computer forensics. Ensuring the security of the activity logs is therefore crucial to ensure reliable forensics investigations. However, because of the black-box nature of clouds and the volatility and co-mingling of cloud data, providing the cloud logs to investigators while preserving users' privacy and the integrity of logs is challenging. The current secure logging schemes, which consider the logger as trusted cannot be applied in clouds since there is a chance that cloud providers (logger) collude with malicious users or investigators to alter the logs. In this paper, we analyze the threats on cloud users' activity logs considering the collusion between cloud users, providers, and investigators. Based on the threat model, we propose Secure-Logging-as-a-Service ( SecLaaS), which preserves various logs generated for the activity of virtual machines running in clouds and ensures the confidentiality and integrity of such logs. Investigators or the court authority can only access these logs by the RESTful APIs provided by SecLaaS, which ensures confidentiality of logs. The integrity of the logs is ensured by hash-chain scheme and proofs of past logs published periodically by the cloud providers. In prior research, we used two accumulator schemes Bloom filter and RSA accumulator to build the proofs of past logs. In this paper, we propose a new accumulator scheme - Bloom-Tree, which performs better than the other two accumulators in terms of time and space requirement.

[1]  Zahid Anwar,et al.  Digital Forensics for Eucalyptus , 2011, 2011 Frontiers of Information Technology.

[2]  A. Kumar,et al.  Space-code bloom filter for efficient per-flow traffic measurement , 2004, IEEE INFOCOM 2004.

[3]  Burton H. Bloom,et al.  Space/time trade-offs in hash coding with allowable errors , 1970, CACM.

[4]  Gene Tsudik,et al.  A new approach to secure logging , 2008, TOS.

[5]  Leslie Lamport,et al.  Time, clocks, and the ordering of events in a distributed system , 1978, CACM.

[6]  Alecsandru Patrascu,et al.  Logging System for Cloud Computing Forensic Environments , 2014 .

[7]  Sieteng Soh,et al.  Cloud forensics: Technical challenges, solutions and comparative analysis , 2015, Digit. Investig..

[8]  Indrajit Ray,et al.  Secure Logging as a Service—Delegating Log Management to the Cloud , 2013, IEEE Systems Journal.

[9]  Bruce Schneier,et al.  Secure audit logs to support computer forensics , 1999, TSEC.

[10]  Alan T. Sherman,et al.  Design and Implementation of FROST - Digital Forensic Tools for the OpenStack Cloud Computing Platform , 2016 .

[11]  Jack Wiles,et al.  The Best Damn Cybercrime and Digital Forensics Book Period , 2007 .

[12]  Rafael Accorsi,et al.  On the Relationship of Privacy and Secure Remote Logging in Dynamic Systems , 2006, SEC.

[13]  Raffael Marty,et al.  Cloud application logging for forensics , 2011, SAC.

[14]  R. Fielding,et al.  Architectural Styles and the Design of Network-based Software Architectures (CHAPTER 5) , 2000 .

[15]  James A. Hall,et al.  The Sarbanes-Oxley Act: Implications for large-scale IT outsourcing , 2007, Commun. ACM.

[16]  Lawrence O Gostin,et al.  Health information privacy. , 1995, Cornell law review.

[17]  Hovav Shacham,et al.  Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds , 2009, CCS.

[18]  Shams Zawoad,et al.  Digital Forensics in the Cloud , 2013 .

[19]  Ragib Hasan,et al.  SecLaaS: secure logging-as-a-service for cloud forensics , 2013, ASIA CCS '13.

[20]  Evaggelia Pitoura,et al.  Bloom-based filters for hierarchical data , 2003 .

[21]  Roberto Tamassia,et al.  Authenticated hash tables , 2008, CCS.

[22]  Engin Kirda,et al.  A security analysis of Amazon's Elastic Compute Cloud service , 2012, IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN 2012).

[23]  Chris Wren,et al.  Cloud computing: Forensic challenges for law enforcement , 2010, 2010 International Conference for Internet Technology and Secured Transactions.

[24]  V. Kavitha,et al.  A survey on security issues in service delivery models of cloud computing , 2011, J. Netw. Comput. Appl..

[25]  Shams Zawoad Towards Building Proofs of Past Data Possession in Cloud Forensics , 2012 .

[26]  Kent E. Seamons,et al.  Logcrypt: Forward Security and Public Verification for Secure Audit Logs , 2005, IACR Cryptol. ePrint Arch..

[27]  Christoph Wegener,et al.  Technical Issues of Forensic Investigations in Cloud Computing Environments , 2011, 2011 Sixth IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering.

[28]  Mohand Tahar Kechadi,et al.  Cloud Forensics , 2011, IFIP Int. Conf. Digital Forensics.

[29]  Tim Storer,et al.  Calm Before the Storm: The Challenges of Cloud Computing in Digital Forensics , 2014, Int. J. Digit. Crime Forensics.

[30]  Peng Ning,et al.  BAF: An Efficient Publicly Verifiable Secure Audit Logging Scheme for Distributed Systems , 2009, 2009 Annual Computer Security Applications Conference.

[31]  Nasir D. Memon,et al.  Payload attribution via hierarchical bloom filters , 2004, CCS '04.

[32]  Dimitrios Zissis,et al.  Addressing cloud computing security issues , 2012, Future Gener. Comput. Syst..

[33]  Mihir Bellare,et al.  Forward-Security in Private-Key Cryptography , 2003, CT-RSA.

[34]  Timothy Grance,et al.  Guide to Integrating Forensic Techniques into Incident Response , 2006 .

[35]  Mihir Bellare,et al.  Forward Integrity For Secure Audit Logs , 1997 .