INSPECT: An Intelligent and Reliable Forensic Investigation through Virtual Machine Snapshots

Cloud computing is emerging as a popular paradigm that provides significant advances and utility-oriented services over shared virtualized resources. Despite the advantages of cloud services, many cloud users are reluctant to adopt the cloud because of the security threats peculiar to the cloud environment. The growing number of cloud security incidents shows the importance of cloud forensic techniques for criminal investigation. It is challenging to gather evidence from the abundant cloud data and to identify the source of an attack from the crime scene. Moreover, the Cloud Service Provider (CSP) restricts the investigator's ability to carry out a forensic investigation because of its primary concerns in the multi-tenant cloud infrastructure. To cope with these constraints, this paper presents INSPECT, an investigation model that accomplishes adaptive evidence acquisition with adequate support for dynamic chain-of-custody presentation. Using the VM log files, INSPECT forensically acquires the corresponding evidence from cloud data storage based on the location of the malicious activity. It streamlines evidence acquisition and analysis by selecting and using only the required forensic fields instead of analyzing the entire log. INSPECT applies Modified Fuzzy C-Means (M-FCM) clustering with a contextual initialization method to the acquired evidence to recognize the source of the attack, and improves the trustworthiness of the evidence by submitting a chain of custody. By analyzing the Service Level Agreements (SLAs) of the cloud users, it facilitates identification of the attack source from the clustered data. Furthermore, it isolates the evidence to avert deliberate modification by an adversary in the multi-tenant cloud. Finally, INSPECT presents the evidence along with chain-of-custody information regarding the crime scene. This enables the law enforcement authority to explore the evidence through the chain-of-custody information and to reconstruct the crime scene from the VM snapshots and their associated timestamps. The experimental results show that INSPECT achieves a high level of accuracy in the investigation with improved trustworthiness over the multi-tenant cloud infrastructure.
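As an added illustration of the pipeline the abstract describes, the following Python script is not the paper's code and does not reproduce its M-FCM or its contextual initialization. It walks through the same stages on constructed input: retain only selected forensic fields from VM log lines, build per-source features, cluster them with standard fuzzy c-means (Bezdek's algorithm, seeded deterministically in place of the paper's contextual initialization), flag the sources in the cluster with the most failed logins, and record the acquired snapshot evidence in a hash-chained chain of custody whose verification fails if any entry or evidence item is altered afterwards. The log format, field names, feature choice and snapshot bytes are all assumptions made for the example.

```python
import hashlib
import json
import math

# Constructed sample VM log lines (hypothetical format, not the paper's):
# "<timestamp> <vm-id> <source-ip> <event> <port>"
SAMPLE_LOG = """\
2024-03-01T10:00:01Z vm-17 10.0.0.5 login_ok 22
2024-03-01T10:01:02Z vm-17 10.0.0.9 login_ok 443
2024-03-01T10:01:15Z vm-17 198.51.100.23 login_fail 22
2024-03-01T10:01:16Z vm-17 198.51.100.23 login_fail 23
2024-03-01T10:01:17Z vm-17 198.51.100.23 login_fail 3389
2024-03-01T10:01:18Z vm-17 198.51.100.23 login_fail 445
2024-03-01T10:02:00Z vm-17 10.0.0.9 login_ok 443
"""
FIELDS = ("ts", "vm", "src_ip", "event", "port")   # the only fields retained

def acquire_fields(log_text):
    """Keep only the selected forensic fields of each well-formed log line."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS):          # malformed lines are skipped, never guessed
            records.append(dict(zip(FIELDS, parts)))
    return records

def features_by_source(records):
    """Per source IP: [failed-login count, number of distinct ports touched]."""
    fails, ports = {}, {}
    for r in records:
        ip = r["src_ip"]
        fails[ip] = fails.get(ip, 0) + (r["event"] == "login_fail")
        ports.setdefault(ip, set()).add(r["port"])
    return {ip: [float(fails[ip]), float(len(ports[ip]))] for ip in fails}

def fuzzy_c_means(points, c=2, m=2.0, iters=100, tol=1e-6):
    """Standard fuzzy c-means (Bezdek); returns (centroids, membership matrix).
    Centroids are seeded deterministically on points spread along the sorted
    feature sums; this is an assumption standing in for the paper's contextual
    initialization, whose exact rule is not given here."""
    assert c >= 2 and len(points) >= c
    n, d = len(points), len(points[0])
    dist = lambda a, b: math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    order = sorted(range(n), key=lambda i: sum(points[i]))
    centroids = [list(points[order[round(k * (n - 1) / (c - 1))]]) for k in range(c)]
    U = [[0.0] * c for _ in range(n)]
    for _ in range(iters):
        for i, p in enumerate(points):                        # membership update
            ds = [dist(p, cj) for cj in centroids]
            if 0.0 in ds:                                      # point sits on a centroid
                U[i] = [1.0 if j == ds.index(0.0) else 0.0 for j in range(c)]
            else:
                U[i] = [1.0 / sum((ds[j] / ds[k]) ** (2.0 / (m - 1.0)) for k in range(c))
                        for j in range(c)]
        new = []
        for j in range(c):                                     # centroid update
            w = [U[i][j] ** m for i in range(n)]
            tot = max(sum(w), 1e-12)                           # guard an empty cluster
            new.append([sum(w[i] * points[i][k] for i in range(n)) / tot for k in range(d)])
        shift = max(dist(a, b) for a, b in zip(new, centroids))
        centroids = new
        if shift < tol:
            break
    return centroids, U

def identify_attack_sources(log_text):
    """Cluster per-source features and return the sources that fall in the
    cluster whose centroid has the most failed logins."""
    feats = features_by_source(acquire_fields(log_text))
    ips = sorted(feats)
    centroids, U = fuzzy_c_means([feats[ip] for ip in ips])
    attack = max(range(len(centroids)), key=lambda j: centroids[j][0])
    return {ip for ip, row in zip(ips, U) if row.index(max(row)) == attack}

def coc_append(chain, evidence, label, handler, ts):
    """Append a hash-chained chain-of-custody entry for one evidence item
    (e.g. a VM snapshot) together with its handler and timestamp."""
    prev = chain[-1]["entry_hash"] if chain else "0" * 64
    entry = {"label": label, "handler": handler, "ts": ts, "prev": prev,
             "evidence_sha256": hashlib.sha256(evidence).hexdigest()}
    entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    chain.append(entry)
    return entry

def coc_verify(chain, evidence_by_label):
    """True iff every link, entry hash and evidence digest still matches;
    any edit to an entry or to the evidence bytes makes this False."""
    prev = "0" * 64
    for e in chain:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        blob = evidence_by_label.get(e["label"])
        if (e["prev"] != prev or digest != e["entry_hash"] or blob is None
                or hashlib.sha256(blob).hexdigest() != e["evidence_sha256"]):
            return False
        prev = e["entry_hash"]
    return True
```

On the sample log, `identify_attack_sources(SAMPLE_LOG)` returns `{"198.51.100.23"}`, the only source with failed logins across several ports. The chain of custody here only detects tampering after the fact; isolating the evidence from other tenants, as the abstract describes, is a separate control that this example does not implement.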
