Digital forensics investigations in the Cloud

The essentially infinite storage space offered by Cloud Computing is quickly becoming a problem for forensic investigators with regard to evidence acquisition, forensic imaging and the extended time needed for data analysis. It is apparent that the amount of stored data will at some point become impractical to image, preventing forensic investigators from completing a full investigation. In this paper, we address these issues by determining the relationship between acquisition time and storage capacity, using remote acquisition to obtain data from virtual machines in the cloud. A hypothetical case study is used to investigate the importance of using partial and full approaches to the acquisition of data from the cloud, and to determine how each approach affects the duration and accuracy of the forensic investigation and its outcome. Our results indicate that the relationship between image acquisition time and storage volume size is not linear, owing to several factors affecting remote acquisition, especially over the Internet. Performing the acquisition using cloud resources showed a considerable reduction in time compared to the conventional imaging method. For a 30 GB storage volume, the shortest time was recorded for the snapshot functionality of the cloud combined with the dd command; the time using this method is reduced by almost 77 percent. FTK Remote Agent proved to be the most efficient, showing an almost 12 percent reduction in time over other methods of acquisition. Furthermore, the timelines produced with the help of the case study showed that the hybrid approach should be preferred to the complete approach for performing acquisition from the cloud, especially in time-critical scenarios.
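The abstract compares a full image against a partial (hybrid) acquisition and reports acquisition time per storage volume together with the accuracy of the result. The script below is an added example, not code from the paper or its authors: it reproduces the acquire-then-verify step in Python on a constructed sample volume, timing a full copy and a targeted copy of selected byte ranges, and checking each image by comparing a SHA-256 of the bytes read against a SHA-256 of the bytes written. The 1 MiB chunk size (the analogue of dd's `bs=`), the 8 MiB sample volume and the two illustrative byte ranges are assumptions made for the example; they are not values from the paper.

```python
"""Timed, hash-verified acquisition of a storage volume, full or partial.

Added example (not from the paper): the paper images cloud volumes with a
snapshot plus `dd`; this reproduces the acquire-then-verify step in Python
so acquisition time per byte and image integrity can be measured offline
on a constructed sample volume.
"""
import hashlib
import os
import random
import tempfile
import time

CHUNK = 1 << 20  # 1 MiB read size, the analogue of dd's bs= (assumed value)


def sha256_file(path, chunk=CHUNK):
    """SHA-256 of a file, read in chunks so large images do not need RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            h.update(buf)
    return h.hexdigest()


def acquire(source_path, image_path, ranges=None, chunk=CHUNK):
    """Copy source to image. ranges=None makes a full image; otherwise a list
    of (offset, length) byte ranges gives a partial (targeted) acquisition.
    Returns bytes copied, elapsed seconds, and whether the written image
    hashes identically to the bytes that were read from the source."""
    read_hash = hashlib.sha256()
    copied = 0
    if ranges is None:
        ranges = [(0, os.path.getsize(source_path))]
    start = time.perf_counter()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for offset, length in ranges:
            src.seek(offset)
            remaining = length
            while remaining > 0:
                buf = src.read(min(chunk, remaining))
                if not buf:  # range ran past the end of the source
                    break
                read_hash.update(buf)
                dst.write(buf)
                copied += len(buf)
                remaining -= len(buf)
        dst.flush()
        os.fsync(dst.fileno())  # time includes getting the image onto disk
    elapsed = time.perf_counter() - start
    image_digest = sha256_file(image_path, chunk)
    return {
        "bytes": copied,
        "seconds": elapsed,
        "source_sha256": read_hash.hexdigest(),
        "image_sha256": image_digest,
        "verified": read_hash.hexdigest() == image_digest,
    }


def make_sample_volume(path, size_bytes, seed=42):
    """Constructed sample volume: deterministic pseudo-random bytes, so the
    example runs offline without a real disk or cloud snapshot."""
    with open(path, "wb") as f:
        f.write(random.Random(seed).randbytes(size_bytes))


def demo(size_bytes=8 << 20):
    """Full versus partial acquisition of one sample volume; returns both
    results plus the fraction of the volume the partial image covered."""
    workdir = tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(workdir, "volume.img")
    make_sample_volume(source, size_bytes)
    full = acquire(source, os.path.join(workdir, "full.dd"))
    # Partial image: the first MiB plus a 1 MiB region in the middle of the
    # volume. These offsets are illustrative only, not taken from the paper.
    targets = [(0, 1 << 20), (size_bytes // 2, 1 << 20)]
    partial = acquire(source, os.path.join(workdir, "partial.dd"), ranges=targets)
    return {
        "source_path": source,
        "full": full,
        "partial": partial,
        "partial_fraction": partial["bytes"] / full["bytes"],
    }


if __name__ == "__main__":
    result = demo()
    for name in ("full", "partial"):
        res = result[name]
        print(f"{name:8s} {res['bytes']:>10d} bytes  {res['seconds']:.3f} s  "
              f"verified={res['verified']}  sha256={res['image_sha256'][:16]}...")
```

Running `demo()` produces two verified images and their timings; the partial image covers a quarter of the sample volume, and its digest is recorded separately because a partial image can only be verified against the ranges that were actually read, never against a hash of the whole source. Replacing the sample file with a block device path (or a mounted cloud snapshot) is the only change needed to time a real acquisition.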
