LiveCloudInspector: Towards Integrated IaaS Forensics in the Cloud

Cloud-based systems are becoming an increasingly attractive target for malicious attacks. In IaaS environments, malicious attacks on a cloud customer's virtual machine may affect the customer, who cannot use all diagnostic means that are available in dedicated in-house infrastructures, as well as the cloud provider, due to possible subsequent attacks against the cloud infrastructure and other co-hosted customers. This paper presents an integrated approach towards forensics and incident analysis in IaaS cloud environments. The proposed architecture enables the cloud provider to securely offer forensics services to its customers on a self-service platform. The architecture combines three important analysis techniques and provides significantly better investigation capabilities than existing systems: First, it supports host-based forensics based on virtual machine introspection. Second, it offers live remote capture of network traffic. Third, and most importantly, it provides hybrid combinations of the first two techniques, which enables enhanced analysis capabilities such as support for monitoring encrypted communication.

[1]  Miguel Correia,et al.  The Final Frontier: Confidentiality and Privacy in the Cloud , 2011, Computer.

[2]  T. Scharping Hide-and-seek: China's elusive population data , 2001 .

[3]  Hans P. Reiser,et al.  Network Forensics for Cloud Computing , 2013, DAIS.

[4]  Alan T. Sherman,et al.  Design and Implementation of FROST - Digital Forensic Tools for the OpenStack Cloud Computing Platform , 2016 .

[5]  Christoph Wegener,et al.  Technical Issues of Forensic Investigations in Cloud Computing Environments , 2011, 2011 Sixth IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering.

[6]  Kim-Kwang Raymond Choo,et al.  An integrated conceptual digital forensic framework for cloud computing , 2012, Digit. Investig..

[7]  Lorenzo Martignoni,et al.  A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators , 2009, WOOT.

[8]  Ben W. Glasspoole,et al.  Cross-coupling: The final frontier. , 2011, Nature chemistry.

[9]  Lorenzo Martignoni,et al.  Testing CPU emulators , 2009, ISSTA.

[10]  Mark John Taylor,et al.  Forensic investigation of cloud computing systems , 2011, Netw. Secur..

[11]  Claudia Eckert,et al.  A Universal Semantic Bridge for Virtual Machine Introspection , 2011, ICISS.

[12]  Alan T. Sherman,et al.  Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and evaluating tools, trust, and techniques , 2012, Digit. Investig..

[13]  Zhi Wang,et al.  DKSM: Subverting Virtual Machine Introspection for Fun and Profit , 2010, 2010 29th IEEE Symposium on Reliable Distributed Systems.

[14]  Adi Shamir,et al.  Playing "Hide and Seek" with Stored Keys , 1999, Financial Cryptography.