Network Forensics for Cloud Computing

Computer forensics involves the collection, analysis, and reporting of information about security incidents and computer-based criminal activity. Cloud computing creates new challenges for the forensics process. This paper addresses three challenges for network forensics in an Infrastructure-as-a-Service (IaaS) environment. First, network forensics needs a mechanism for analysing network traffic remotely in the cloud; this task is complicated by the dynamic migration of virtual machines between physical hosts. Second, forensics must be targeted at the virtual resources of a specific cloud user: in a multi-tenancy environment, in which multiple cloud clients share physical resources, forensics must not infringe the privacy and security of other users. Third, forensic data should be processed directly in the cloud to avoid a costly transfer of huge amounts of data to external investigators. This paper presents a generic model for network forensics in the cloud and defines an architecture that addresses these challenges. We validate this architecture with a prototype implementation based on the OpenNebula platform and the Xplico analysis tool.
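The second and first challenges above (tenant-scoped capture, and capture that follows a migrating VM) can be illustrated with a small added example that is not part of the paper or its OpenNebula/Xplico prototype. It assumes a hypothetical VM inventory (tenant, current host, virtual NIC MACs) and derives, per physical host, a BPF filter covering only the target tenant's NICs, so that co-located tenants' packets never enter the evidence stream.

```python
"""Per-tenant capture scoping for IaaS network forensics (added illustration).

Assumes a hypothetical inventory: each VM record carries the tenant that owns
it, the physical host it currently runs on, and the MAC addresses of its
virtual NICs. A capture agent on each host would be handed only the filter
built from the target tenant's NICs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    vm_id: int
    tenant: str
    host: str
    macs: tuple  # MAC addresses of the VM's virtual NICs


# Constructed sample inventory: two tenants share physical host-a.
INVENTORY = {
    101: VM(101, "tenant-x", "host-a", ("02:00:00:00:01:01",)),
    102: VM(102, "tenant-x", "host-b", ("02:00:00:00:01:02", "02:00:00:00:01:03")),
    201: VM(201, "tenant-y", "host-a", ("02:00:00:00:02:01",)),
}


def tenant_filters(inventory, tenant):
    """Return {host: bpf_filter} covering only the given tenant's NICs.

    Hosts running none of the tenant's VMs are omitted, so no capture agent
    is started where there is nothing the investigator is authorised to see.
    """
    per_host = {}
    for vm in inventory.values():
        if vm.tenant != tenant:
            continue
        per_host.setdefault(vm.host, []).extend(vm.macs)
    return {
        host: " or ".join(f"ether host {mac}" for mac in sorted(macs))
        for host, macs in per_host.items()
    }


def apply_migration(inventory, vm_id, new_host):
    """Record a live migration of one VM and return the updated inventory.

    The caller re-runs tenant_filters() afterwards so the capture follows the
    VM to its new physical host instead of staying on the old one."""
    vm = inventory[vm_id]
    inventory[vm_id] = VM(vm.vm_id, vm.tenant, new_host, vm.macs)
    return inventory
```
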
