Novel Digital Forensic Framework for Cloud Computing Environment

Cloud computing is a transformative computing model that delivers computer-based services to businesses over the Internet. Despite the technological innovations that have made it a feasible solution, it faces major concerns arising from its architectural characteristics. The huge popularity and utility of the cloud environment have made it a soft target for cloud crime. Investigating cloud crimes and fixing responsibility for the cyber crimes committed on cloud platforms helps instill confidence and trust in the stakeholders, be they the clients, the cloud service providers or third-party entities. A cyber crime investigation is incomplete without proper detection of the digital evidence in the cloud. In general, cloud computing is characterized by its highly virtualized nature. While virtualization provides many benefits, it also makes digital evidence harder to detect when it resides in the cloud environment. The approach used for traditional digital forensics cannot be applied directly to the cloud environment because of virtualization, and hence a cloud crime investigation is more difficult to perform than the investigation of a traditional physical computer. Existing research in cloud forensics has focused only on the organizational and legal aspects, whereas our work aims to contribute to the technical aspects of forensics in the cloud. The aim of this research is to design a generic digital forensic framework for cloud crime investigation by identifying the challenges and requirements of forensics in the virtualized environment of cloud computing; to address the issues of dead/live forensic analysis within and outside the virtual machine that runs in a cloud environment; and to design a digital forensic triage using a parallel processing framework to examine and partially analyze the virtual machine data, so as to speed up the investigation of the cloud crime.
To analyze evidence within the virtual machine, we designed methods of examining the file system metadata, the registry file content and the physical memory content. For evidence that lies outside a virtual machine (cloud logs), methods of log data segregation and collection have been devised.
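The following is an added illustration of what a parallel triage pass over virtual machine data can look like; it is not code from the framework described above. It assumes a raw (dd-style) disk image on local storage and a hypothetical list of byte-string indicators (`INDICATORS`). Each worker opens the image read-only and reads only its own byte range; chunks overlap by one byte less than the longest indicator so that a hit straddling a chunk boundary is still found, and is reported exactly once. Every chunk is hashed as it is scanned, so the partial result (hit offsets plus per-chunk SHA-256 values) can be handed to the full analysis with its integrity recorded. The sample image is constructed in the code and one indicator is deliberately planted across a chunk boundary.

```python
"""Parallel keyword triage of a raw VM disk image, one chunk per worker.

Added example; not the framework's own code. Assumes a raw image file and
a hypothetical indicator list. Uses os.pread, so it is POSIX-only.
"""
import hashlib
import os
import tempfile
from concurrent.futures import ThreadPoolExecutor

CHUNK_SIZE = 4096
# Hypothetical indicators for the demo; a real case would load a vetted list.
INDICATORS = [b"BEGIN RSA PRIVATE KEY", b"exfil.example.net", b"mimikatz"]


def overlap_for(patterns):
    """Extra bytes each chunk borrows from the next, so no hit is cut in two."""
    return max(len(p) for p in patterns) - 1


def scan_range(path, offset, chunk_size, patterns):
    """Scan image[offset : offset + chunk_size] plus the overlap tail.

    Returns (offset, sha256_of_own_bytes, hits), hits being a list of
    (absolute_offset, pattern). Only hits that *start* inside the chunk's
    own region are reported; one that starts in the borrowed tail belongs
    to the next chunk and is reported there.
    """
    tail = overlap_for(patterns)
    fd = os.open(path, os.O_RDONLY)          # read-only: never write to evidence
    try:
        data = os.pread(fd, chunk_size + tail, offset)
    finally:
        os.close(fd)
    own = data[:chunk_size]
    hits = []
    for pat in patterns:
        i = data.find(pat)
        while i != -1 and i < chunk_size:
            hits.append((offset + i, pat))
            i = data.find(pat, i + 1)
    return offset, hashlib.sha256(own).hexdigest(), hits


def triage_image(path, patterns=INDICATORS, chunk_size=CHUNK_SIZE, workers=4):
    """Fan the image out over worker threads; return sorted hits and chunk hashes.

    Each task does its own read, so threads overlap the I/O. For CPU-heavy
    per-chunk parsing the same map() call can be run on a ProcessPoolExecutor.
    """
    size = os.path.getsize(path)
    offsets = range(0, size, chunk_size)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(
            lambda off: scan_range(path, off, chunk_size, patterns), offsets))
    chunk_hashes = {off: digest for off, digest, _ in results}
    hits = sorted(h for _, _, hs in results for h in hs)
    return hits, chunk_hashes


def build_demo_image(path, chunk_size=CHUNK_SIZE):
    """Constructed sample image: zero filler with indicators planted at known
    offsets, one of them deliberately straddling the chunk 0 / chunk 1 boundary."""
    img = bytearray(3 * chunk_size)
    key = b"BEGIN RSA PRIVATE KEY"
    img[100:100 + len(key)] = key                    # wholly inside chunk 0
    split = chunk_size - 5                           # 5 bytes in chunk 0, rest in chunk 1
    img[split:split + len(key)] = key
    host = b"exfil.example.net"
    at = 2 * chunk_size + 7                          # inside chunk 2
    img[at:at + len(host)] = host
    with open(path, "wb") as f:
        f.write(img)
    return [(100, key), (split, key), (at, host)]


def run_demo():
    """Build the constructed image in a temp dir and triage it; returns
    (planted, found, chunk_hashes) so the result can be checked."""
    with tempfile.TemporaryDirectory() as d:
        img_path = os.path.join(d, "vm-disk.raw")
        planted = build_demo_image(img_path)
        found, hashes = triage_image(img_path, workers=2)
    return planted, found, hashes


if __name__ == "__main__":
    planted, found, hashes = run_demo()
    print("planted:", planted)
    print("found:  ", found)
    print("chunks hashed:", len(hashes))
```

The planted hit at offset 4091 is the interesting one: a naive chunker that scans disjoint 4096-byte blocks would miss it, while a chunker that overlaps but reports every match in the overlapped bytes would report boundary hits twice. Reporting only hits that begin inside a chunk's own region, with the tail borrowed read-only from the next chunk, gives each match a single owner.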
