
CLOUD FORENSICS: CHALLENGES ONLY AHEAD

Anupam Tiwari
CEH, CCCSP, Chartered Engineer, GFSU Certified Cyber Security Professional, B.E, M-Tech (Computer Science), PGERP, PGDIS, PGDBM
Min of Defense
anupam.tiwari@nic.in

ABSTRACT
Cloud Computing is emerging, amongst all the buzzwords of rising technologies, as one of the most significant developments in the history of computing. As it still needs time to settle, a new challenge felt during its implementation is the relatively new field known as Cloud Forensics. Today, while the Cloud still needs time to mature and to be used to its full potential, the even newer subfield of Cloud Forensics is a worrying reason not to accept cloud computing with open arms. Research in this field is still in its infancy, judging from the way cases and incidents are being handled on the ground today.
A few key issues that immediately come to the fore include distributed storage instead of the traditional local storage, which was easy for the forensic team to confiscate; shared storage in a multi-user environment that may be hired from the CSP[1] on a time-bound deal; and the fact that, even if a particular user associated with a data location is identified, distinguishing that user's data from other users' data is never going to be easy owing to confidentiality and privacy issues.
In this paper we discuss and build upon the challenges facing the forensics industry today as Clouds grow.

KEYWORDS: Cloud[2], Cloud Forensics[3], Computing, Cyber Security, Digital Forensics, Evidence, Platform as a Service, Software as a Service, Cloud Service Provider, Virtual Machine

Cyber Times International Journal of Technology & Management, Vol. 8 Issue 1, October-March 2015

I. INTRODUCTION

Cloud computing is a rapidly developing and noteworthy IT development that has come forth as a promising direction for cost-effective and reliable service delivery for a variety of users. Many countries and leading organizations have already embraced it and embarked on exploiting the strengths of Cloud Computing, offering the latest services to a variety of users spanning citizens, industries and businesses across the globe. Amidst all the good news and bright prospects offered by cloud computing, there lies a rising concern about its trustworthiness, security and forensics aspects. The Cloud offers unique opportunities for malicious individuals to launch attacks without leaving any tell-tale signs behind. Let us make this clear with a simple sample setup. Billu, recently released from prison, decides to go hi-tech for his next crime. This time he decides to offer Crimeware as a Service[4]. He strikes a deal with a competitor of a leading online shopping website and subsequently decides to use Cloud services to launch a distributed denial of service attack by hiring machines from a CSP instead of investing in hardware and software infrastructure. The victim shopping site, which earns a lot of revenue because it meets the demand of traffic from users across the globe, goes down for a few hours, and as a result of the attack the user traffic is forced to divert to the competitor's online shopping site. After the attack, Billu terminates all the hired virtual machines[5] and colludes with the CSP to provide fiddled logs in case of any investigation by any agency.
Now, from the perspective of the investigating agencies, there exist large gaps in the standards and policies of every party involved in such a typical case, including the CSP and the user. The standards to be complied with by the CSP, and the terms and conditions standing between the CSP and the user, still remain to be resolved in order to fulfil even the basic security and forensics requirements. The challenges seen from the viewpoint of a Digital Forensics[6] specialist abound.

Figure 1: Typical Forensic Process. Media → Collection → Data → Examination → Information → Analysis → Evidence → Reporting

Imagine the fields shown in the figure above in the context of Cloud Computing. The versatile characteristics of cloud computing perplex the basic prerequisites of forensics in the Cloud. The variety of challenges posed by cloud computing in the context of forensics is discussed below.

Figure 2: Control over Data in Clouds. The figure shows the stack of layers (Application, Data, Runtime, Middleware, O/S, Virtualization, Server, Storage, Networking) for four models, marking each layer as "You Manage" or managed by the "Vendor":

On Site: you manage every layer.
Infrastructure (IaaS): you manage Application, Data, Runtime, Middleware and O/S; the vendor manages Virtualization, Server, Storage and Networking.
Platform (PaaS): you manage Application and Data; the vendor manages Runtime, Middleware, O/S, Virtualization, Server, Storage and Networking.
Software (SaaS): the vendor manages every layer.

II. STORAGE
Cloud storage is not local; it can span continents. So in a typical case like the one above, where does the forensic expert look for remnants of logs and data, and what will he confiscate? In a traditional computer forensics case, investigators have complete hold over the evidence, including router logs, process logs and hard disks that are right in front of their eyes. Alas, in the case of cloud computing, the hold over data varies with the service model in use, viz. SaaS[7], PaaS[8] and IaaS[9]. Even the delivery model makes a lot of difference, be it Public, Private or Hybrid. Thus the dispersed nature of Cloud based systems directly affects control over the functional layers. Figure 2 shows that SaaS offers the user practically no control, whereas IaaS offers the most.

III. SHARING OF SPACE
Cloud computing is a multi-user arrangement, while conventional computing is a dedicated system. This makes the whole process of establishing any forensic findings far more intricate. To make matters more complicated in a typical cloud environment, the malicious criminal may simply rent and then shut down the virtual environment, and data across several Virtual Machines shares the same physical hardware and setup. This makes the forensic process even more intricate to work on. In any case, even if the data is extracted in some technical way, it becomes hard to testify to it in court. Besides, new-generation attacks like Side Channel attacks[10] only make the whole process more complex.

IV. DELETION OF DATA
In IT systems, when something is deleted, does it actually get deleted? No: what seems like a file deletion only removes the reference to the data; the data itself is not deleted and remains as it was, waiting to be overwritten later. Such deleted data, besides not being guaranteed recoverable at any particular point in time, has a higher chance of being lost if the same space is reallocated to the customized requirement of some other user, which is highly likely owing to the growing demand in the cloud market. Besides, real-time regular backups of this overwritten shared storage make the forensics process practically unmanageable.

V. EVIDENCE COORDINATION
In any typical forensic process, the forensic team is always interested in knowing and correlating all the events that happened around the reported incident. How will the correlation of all activities be done in a cloud environment where not one but multiple CSPs may be involved? Different CSPs offer a miscellany of architectures and platforms, leading to interoperability issues.

VI. VIRTUAL MACHINE CHECKPOINTS
Reconstruction of Virtual Machines, or cloning[11] an exact existing state, though technically possible via a variety of algorithms, remains to be validated and recognized by the court of law owing to the lack of accepted standards currently available in Cloud environments. Fargo/VM Fork[12] are platforms presently usable in technology preview which enable speedy cloning of running VMs for remoting functionality, but without any constituted and accepted standards.

VII. TIME STAMP SYNCHRONEITY
Precise time synchrony is of vital importance for any network forensics, and it is an enormous challenge in cloud environments, where time must be synchronized across multiple physical machines located across continents with different time zones, platforms and infrastructure. Time stamp synchronization is vital in respect of audit logs used as the source of evidence in any digital investigation. Precise time synchronization assumes greater importance and is critical to the issues to be resolved during network forensics, which is exacerbated by the fact that a cloud environment needs to synchronize time stamps coherently across devices spanning a variety of time zones.

VIII. LOG FORMATS INTEROPERABILITY
The multiplicity of logs in different formats, and the need to join them together, has been a conventional issue in network forensics, and it is exacerbated in cloud environments because it is exceedingly difficult to combine these varieties from different sources and produce some useful analytics.
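The two problems raised in sections VII and VIII, time zones that differ per machine and logs that arrive in different formats, are usually attacked together by normalising everything to one schema with UTC time before any correlation is attempted. The following Python is an added example written for this page, not code from the paper: the three log lines, the host names and the UTC offsets are constructed, and the formats (a syslog-style line, a JSON line and an Apache combined-log line) are assumptions standing in for whatever a CSP actually exports. A stamp that carries no UTC offset is rejected rather than guessed, because a naive time cannot be placed on a timeline shared across zones.

```python
"""Added example (not from the paper): build one UTC timeline from logs that
arrive in different formats and different time zones. The log lines, host
names and offsets below are constructed for this illustration."""
import json
import re
from datetime import datetime, timezone

# (collecting source, raw line) pairs; the investigator records where each
# file was collected from, because the line itself may not say.
SAMPLE_LOGS = [
    # syslog-style line from a hypervisor host, stamped in IST (+05:30)
    ("hv-host-01", "2015-01-12T09:55:00+05:30 hv-host-01 vmm: instance i-0001 started tenant=acme"),
    # JSON line from the CSP API gateway, stamped in UTC with a trailing Z
    ("api-gw", '{"time": "2015-01-12T04:50:00Z", "msg": "instance i-0001 terminated tenant=acme"}'),
    # Apache combined-style line from the victim web front end, stamped in US Eastern (-0500)
    ("web-fe", '203.0.113.7 - - [11/Jan/2015:23:40:00 -0500] "GET / HTTP/1.1" 503 0'),
]

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
APACHE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')


def parse_timestamp(raw):
    """Accept an ISO 8601 stamp (offset or Z) or an Apache CLF stamp and return
    a timezone-aware datetime in UTC. A stamp with no offset is rejected:
    without one the event cannot be placed on a timeline shared with
    machines in other time zones."""
    if "/" in raw:
        dt = datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z")
    else:
        dt = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("timestamp carries no UTC offset: " + raw)
    return dt.astimezone(timezone.utc)


def parse_line(source, line):
    """Map one line in any of the three formats to a common record."""
    line = line.strip()
    if line.startswith("{"):
        obj = json.loads(line)
        return {"utc": parse_timestamp(obj["time"]), "source": source,
                "event": obj["msg"], "format": "json"}
    m = APACHE_RE.match(line)
    if m:
        event = "%s -> %s from %s" % (m.group("req"), m.group("status"), m.group("client"))
        return {"utc": parse_timestamp(m.group("ts")), "source": source,
                "event": event, "format": "apache"}
    m = SYSLOG_RE.match(line)
    if m:
        return {"utc": parse_timestamp(m.group("ts")), "source": source,
                "event": m.group("prog") + ": " + m.group("msg"), "format": "syslog"}
    raise ValueError("unrecognised log format: " + line)


def build_timeline(logs):
    """Parse every (source, line) pair and return the records ordered by UTC time."""
    return sorted((parse_line(src, ln) for src, ln in logs), key=lambda r: r["utc"])


def timeline_rows(logs=SAMPLE_LOGS):
    """Flatten the timeline to (UTC ISO string, source, event) tuples."""
    return [(r["utc"].isoformat(), r["source"], r["event"]) for r in build_timeline(logs)]


if __name__ == "__main__":
    for row in timeline_rows():
        print(*row, sep="  ")
```

Run as a script, the three constructed lines come out in their true order (VM start at 04:25 UTC, the 503 at the web front end at 04:40 UTC, termination at 04:50 UTC) even though the raw stamps read 09:55, 23:40 and 04:50 in their local zones. The source label is carried separately from the line because, as the Apache line shows, a log line often does not name the machine it came from.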

IX. INTEROPERABILITY IN CSPs
Interoperability means the ability of multiple cloud platforms to work together, which requires the existence of abstraction between application data logic and system interfaces. Though standards are setting in today, there is still a long way to go before we come out of the proprietary architecture challenges of the various CSPs.

X. NO SINGLE POINT OF FAILURE FOR CRIMINALS
The current lack of standards and policies in cloud forensics is a win-win situation for any criminal wishing to commit a crime. There is no single point of failure in the typical setup of cloud services that would let criminals be convicted in a straightforward manner. No single PC or terminal can be held as evidence by the forensic team, as the scheme of things in digital forensics requires. No one computer in the group holds all of the data necessary for the forensic investigator to reconstruct the information about the crime. A vicious organization can opt for one CSP for a storage solution, another CSP for hosting services, and route everything through yet another CSP.

XI. REAL TIME MONITORING
Unless specific monitoring is being done on a network, the colossal size of any CSP infrastructure makes it impossible to monitor the network in real time. A typical cloud infrastructure may be composed of rented time on thousands of systems owned and run by scores of different CSPs. With a diverse infrastructure traversing geographic locations, even deciding where to place sensors will be staggeringly difficult.

XII. EVIDENCE SEPARATION
Collection of evidence via various logs, metadata etc. in a Cloud setup, though difficult to collate, is possible today owing to the improving versions of CSPs' interfaces for users and investigators. But the difficult work commences after collation, which necessitates separating the critical logs from the junk logs owing to the vastness of the logs of multiple users spread over a variety of locations. It remains a challenge for CSPs and law agencies to isolate resources during investigations without infringing the confidentiality of other users sharing the same physical brick.
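One way a CSP can hand an investigator a tenant's slice of a shared-host log without exposing the neighbours is to keep the target tenant's lines and the host-wide lines verbatim, and to reduce every other tenant's line to its time, host and program with the identifiers replaced by keyed pseudonyms. The timeline then still shows that the hardware was shared at a given moment (which matters for side-channel and noisy-neighbour questions) while neither the neighbour's identity nor its activity is disclosed. The Python below is an added example for this page, not the paper's or any CSP's code; the hypervisor log lines, tenant names, VM ids and the per-case key are constructed, and the `tenant=`/`vm=` key-value convention is an assumption.

```python
"""Added example (not from the paper): extract one tenant's evidence from a
log shared by several tenants on the same physical host. Lines, tenant names
and the case key are constructed for this illustration."""
import hashlib
import hmac
import re

# Constructed hypervisor log: two tenants (acme, globex) on one host, plus
# host-wide events that carry no tenant field.
SHARED_HOST_LOG = [
    "2015-01-12T04:25:00Z hv-01 vmm: tenant=acme vm=i-0001 action=start",
    "2015-01-12T04:26:00Z hv-01 vmm: tenant=globex vm=i-0002 action=start",
    "2015-01-12T04:30:00Z hv-01 sched: tenant=acme vm=i-0001 cpu=98 note=noisy",
    "2015-01-12T04:31:00Z hv-01 net: tenant=globex vm=i-0002 tx_mb=12",
    "2015-01-12T04:40:00Z hv-01 host: kernel: disk sdb smart warning",
    "2015-01-12T04:50:00Z hv-01 vmm: tenant=acme vm=i-0001 action=terminate",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
TENANT_RE = re.compile(r"\btenant=(?P<tenant>\S+)")
VM_RE = re.compile(r"\bvm=(?P<vm>\S+)")


def pseudonym(value, case_key):
    """Keyed, case-specific pseudonym (HMAC-SHA256, truncated): the same
    neighbour maps to the same token throughout one case, but the token
    cannot be reversed or linked to another case without the key."""
    return "anon-" + hmac.new(case_key, value.encode(), hashlib.sha256).hexdigest()[:12]


def isolate_tenant(lines, target, case_key):
    """Return the lines an investigator may take for `target`:
    - the target's own lines, verbatim;
    - host-wide lines with no tenant field, verbatim (they affect the target too);
    - other tenants' lines reduced to timestamp, host, program and pseudonymous
      identifiers, so the timeline still shows the host was shared at that
      moment without disclosing who shared it or what they did."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable line: " + line)
        t = TENANT_RE.search(m.group("msg"))
        if t is None or t.group("tenant") == target:
            out.append(line)
            continue
        v = VM_RE.search(m.group("msg"))
        vm_token = pseudonym(v.group("vm"), case_key) if v else "anon-unknown"
        out.append("%s %s %s: tenant=%s vm=%s [redacted: other tenant]" % (
            m.group("ts"), m.group("host"), m.group("prog"),
            pseudonym(t.group("tenant"), case_key), vm_token))
    return out


if __name__ == "__main__":
    for row in isolate_tenant(SHARED_HOST_LOG, "acme", b"constructed-case-key"):
        print(row)
```

The key is generated per case and held by the CSP's legal or compliance function, so two investigations of different customers cannot join their pseudonyms to learn which neighbours they had in common.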

XIII. CHAIN OF CUSTODY (CoC)
Chain of custody refers to the chronological documentation showing the seizure, custody, control, transfer, analysis and disposition of electronic evidence. In a conventional case the chain of custody is relatively easy to maintain, vis-a-vis Cloud environments, where the location is not fixed, the architecture is not known and straightforward logs are not available. In fact, the chain of custody of data may be impossible to verify. Without a CSP committed to, and bound by, law and standards, the challenge in cloud forensics only grows exponentially.
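Whatever the CSP does or does not provide, the investigator's own custody record for an artefact pulled out of the Cloud (an exported disk image, a log bundle) can at least be made tamper-evident: each custody entry carries the artefact's hash and the hash of the previous entry, so a rewritten, inserted or removed entry, or an altered artefact, is detectable. The Python below is an added example for this page, not the paper's or any tool's code; the case id, actors, times and the artefact bytes are constructed.

```python
"""Added example (not from the paper): a tamper-evident chain-of-custody
record for a cloud evidence artefact such as an exported VM disk image. The
case id, actors, times and the artefact bytes are constructed."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class CustodyChain:
    """Every entry states who did what to the evidence and when, records the
    artefact's hash at that moment, and links to the previous entry's hash.
    Rewriting, inserting or dropping an entry, or altering the artefact,
    shows up in verify()."""

    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    def append(self, action, actor, note, evidence, when):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "case_id": self.case_id,
            "seq": len(self.entries),
            "time_utc": when.astimezone(timezone.utc).isoformat(),
            "action": action,
            "actor": actor,
            "note": note,
            "evidence_sha256": sha256_hex(evidence),
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry):
        # Canonical JSON of everything except the entry's own hash field.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def verify(self, evidence):
        """Return the list of problems found; an empty list means the record
        is internally consistent and matches the artefact now held."""
        problems = []
        prev = "0" * 64
        held = sha256_hex(evidence)
        for i, e in enumerate(self.entries):
            if self._digest(e) != e["entry_hash"]:
                problems.append("entry %d: contents altered" % i)
            if e["seq"] != i or e["prev_entry_hash"] != prev:
                problems.append("entry %d: link to previous entry broken" % i)
            if e["evidence_sha256"] != held:
                problems.append("entry %d: artefact hash differs from the copy now held" % i)
            prev = e["entry_hash"]
        return problems


def demo_chain(evidence=b"constructed VM disk image bytes"):
    """Build a three-step custody record (acquisition, transfer, analysis)."""
    t0 = datetime(2015, 1, 12, 5, 0, tzinfo=timezone.utc)
    chain = CustodyChain("CASE-EXAMPLE-001")
    chain.append("acquisition", "investigator A", "exported from CSP console", evidence, t0)
    chain.append("transfer", "investigator B", "received sealed copy", evidence, t0.replace(hour=9))
    chain.append("analysis", "analyst C", "read-only examination", evidence, t0.replace(hour=14))
    return chain


if __name__ == "__main__":
    ev = b"constructed VM disk image bytes"
    chain = demo_chain(ev)
    print("sound:", chain.verify(ev))
    chain.entries[1]["actor"] = "someone else"
    print("after edit:", chain.verify(ev))
```

The record is only tamper-evident, not tamper-proof: an adversary who can rewrite every entry can recompute every hash. In practice the entry hashes are also written to a log the custodian cannot alter (a signed export, a write-once store, or a timestamping service), which this example leaves out.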

XIV. MULTIPLE DEPENDENCIES
The technological architecture on which any cloud is based makes it possible for profit-seeking CSPs to themselves hire services in the form of Storage, Infrastructure or Software etc., making the chain of dependencies longer and more complex. Each link of this long, multiple chain is an individual challenge in itself, as discussed above under the various attributes.

XV. DATA MIRRORING
Data mirroring[13] refers to the real-time operation of copying data, as an exact copy, from one location to a local or remote storage medium. In a cloud setup, data mirroring comes as a feature for safeguarding the data of users and customers. Data mirroring across multiple machines in a variety of legal domains spanning geographic locations, over a further variety of differently custom-made algorithms, makes forensics a truly complex case to work on. Mirroring policies, standards and customized setups make it all the tougher for the forensic representative who may be investigating such scenarios, with nowhere to start from.

XVI. TRUST VALIDATION
The example we discussed above, with Billu colluding with the CSP, is practically possible in the market today owing to the non-existence of any recognized and accepted, potent trust standards and SLAs amongst the various agencies involved in the setup. Cloud setups have numerous layers of abstraction, from hardware to virtualization to guest operating systems. The integrity and trustworthiness of forensic data depends on the cumulative trustworthiness of the layers, any of which could potentially fudge data integrity.

XVII. TRAINED PERSONNEL[14]
The availability of trained personnel and investigators remains a serious cause of concern owing to the lack of training materials that prepare investigators in cloud computing technology and in forensics operating policies and procedures. As of today, most digital forensic training materials are rather outdated and are not relevant in a typical cloud setup. This lack of knowledge steps in to halt remote investigations where systems are not physically accessible and the right tools to efficaciously look into any case are absent. More or less, the hit-and-trial method rules in most cases, which should never be so.

XVIII. CONCLUSION AND FUTURE SCOPE
The Cloud is a certain future touching every aspect of our lives, be it Banking, Education, Mobiles, Sports, Corporate Houses, HR, Automobiles, Commerce or Aviation; indeed we can relate every field associated with our lives to this potent technology. But, as with the shining side of the moon, there is a dark side to it too, and simply taking it on without preparing for the side effects that come along will indeed be a failure, leaving no time for reaction. Cybercrime has only been increasing over the years, with a recent statistic showing an increase of up to 10.4% in 2014 vis-a-vis the previous year. These crimes, if quantified, will number in the millions, and the interesting point is that each of these crimes has a forensic angle associated with it. Emerging and associated new technologies like Big Data[15] only make the attack surface for cyber criminals bigger and wider, with more ambiguities. Data Provenance[16] is an even bigger challenge in the field of forensics. With the challenges discussed and brought out above, the time when they are resolved, and when forensics as a field is no longer viewed with an exclamation mark in terms of pursuing cases, does not seem very near. All the challenges brought out above are still open and must be in various stages of research across the globe. From the user's perspective there is actually little to be done except logging and making use of the interface; the prime task remains between the CSPs and the legal authorities of the various countries. CSPs need to provide a robust interface with multiple provisions for anticipated requirements. Coming up with a common legal binding amongst a variety of countries with diverse cultures will itself be a challenge, though things have started to build up, viz. the Common Criteria for Information Technology Security, which is an International Standard (ISO/IEC 15408)[17] for security certification. Recently twenty-six countries agreed on reforms to improve cyber security through international public-private collaboration, and forensics is a definite agenda item in this. Every incident of Cyber Crime reported has a forensic angle to it, and so the Common Criteria setup will ensure that the future of cloud forensics is not as undefined as it might have been without such an initiative. At least the infancy stage is on for this rising giant of a technology.

ACKNOWLEDGEMENT
I am very grateful to Col. (Retd.) Mahesh Khera, President, Broadband India Forum, and to the world of open source, which has enabled me to understand and put down my thoughts on this very critical but still unattended subject. Special thanks to Dr. Anup Girdhar, CEO - Founder, Sedulity Solutions & Technologies, who gave me an opportunity to present this paper and has been my guide over my various interactions with him in the courses I have pursued over a period of time.
REFERENCES
[1] Webopedia, Cloud Service Provider. Available at <http://www.webopedia.com/TERM/C/cloud_provider.html> [Accessed 12 Jan 2015].
[2] Wikipedia, Cloud Computing. Available at <http://en.wikipedia.org/wiki/Cloud_computing> [Accessed 12 Jan 2015].
[3] Wikipedia, Cloud Forensics. Available at <http://www.forensicswiki.org/wiki/Cloud_Forensics_Bibliography> [Accessed 14 Jan 2015].
[4] RWSP, Crimeware as a Service. Available at <http://www.rwsp.org/projects/139-crimewaresas-sa-sservice.html> [Accessed 15 Jan 2015].
[5] Webopedia, Virtual Machine. Available at <http://www.webopedia.com/TERM/V/virtual_machine.html> [Accessed 17 Jan 2015].
[6] Wikipedia, Digital Forensics. Available at <http://en.wikipedia.org/wiki/Digital_forensics> [Accessed 19 Jan 2015].
[7] Wikipedia, Software as a Service. Available at <http://en.wikipedia.org/wiki/Software_as_a_service> [Accessed 19 Jan 2015].
[8] Wikipedia, Platform as a Service. Available at <en.wikipedia.org/wiki/Platform_as_a_service> [Accessed 19 Jan 2015].
[9] Microsoft, Infrastructure as a Service. Available at <http://social.technet.microsoft.com/wiki/contents/articles/4633.what-is-infrastructure-as-a-service.aspx> [Accessed 21 Jan 2015].
[10] NIST, Side Channel Attacks. Available at <http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-3/physec/papers/physecpaper19.pdf> [Accessed 22 Jan 2015].
[11] VMware, Cloning a Virtual Machine. Available at <https://www.vmware.com/support/ws55/doc/ws_clone_overview.html> [Accessed 29 Jan 2015].
[12] Yellow Bricks, Project Fargo (VM Fork). Available at <http://www.yellowbricks.com/2014/10/07/project-fargo-akavmfork-what-is-it/> [Accessed 30 Jan 2015].
[13] Techopedia, Data Mirroring. Available at <http://www.techopedia.com/definition/1068/data-mirroring> [Accessed 08 Feb 2015].
[14] NIST, Cloud Computing Forensic Science Challenges (Draft NISTIR 8006). Available at <http://csrc.nist.gov/publications/drafts/nistir8006/draft_nistir_8006.pdf> [Accessed 05 Mar 2015].
[15] SAS, What is Big Data. Available at <http://www.sas.com/en_us/insights/bigdata/what-is-big-data.html> [Accessed 17 Feb 2015].
[16] Wikipedia, Data Provenance. Available at <http://en.wikipedia.org/wiki/Provenance#Data_provenance> [Accessed 19 Feb 2015].
[17] ISO, ISO/IEC 15408. Available at <http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50341> [Accessed 27 Feb 2015].
