
DIGITAL FORENSIC FRAMEWORK FOR CLOUD COMPUTING ENVIRONMENT

MSc IN COMPUTER SCIENCE

A.A MADAWALA

UNIVERSITY OF MORATUWA
SRI LANKA

DECEMBER 2010

Introduction

Digital forensics was developed and is practised as an offline, post-mortem discipline: it identifies criminal activity after an incident has occurred in which a computer was used as a tool, as a target, or both. As defined by NIST [1], cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Today's digital forensic methods were designed for traditional IT infrastructures. Those methods, practices and tools were developed on the assumption that the investigator can gain physical access to the evidence and can preserve and collect it for offline analysis. It is currently unclear how to perform incident analysis effectively in a highly dynamic cloud computing environment with redundant storage, caching and data mobility [2]. A further issue is that attacks themselves are changing for the cloud: botnets will use cloud computing to hide their activities, one example being the misuse of cloud computing infrastructure as a botnet to launch denial-of-service attacks against large-scale infrastructures. New methods need to be developed to detect and analyse such attacks.

Although cloud-based criminal incidents are rarely disclosed by Cloud Service Providers (CSPs), such incidents are not rare. Most remain hidden within the CSP, yet a considerable number are published, so cloud customers, aware of the issues and cases in the cloud, are asking whether forensic investigations can be carried out there. Since companies no longer control their own data, being confident about the availability, integrity and confidentiality (CIA) of that data is problematic, and the options available when CIA is breached are not clear. CSPs should consider these issues; state-of-the-art cloud security technology alone is not the solution. At the same time they should make their cloud infrastructure forensic-aware in order to keep their business alive.

No standard framework is available and no specific practices or methods are defined, even though the research community discusses cloud forensics regularly. There are suggestions, but they do not address and solve the issue in every dimension, so an investigator is left in the dark in cloud forensic investigations. To address these issues, the challenges unique to the cloud in forensic investigations must be identified and the existing solutions proposed by researchers evaluated. On that basis a new framework for cloud forensics should be defined, identifying the gaps and issues in the existing solutions and suggesting and evaluating possible solutions. Segmenting the cloud environment into partitions, proposing solutions for each partition and then combining them is the better practice, since one set of tools and methodologies cannot be applied to the whole cloud environment.

The rest of the proposal is structured as follows: Section 2 provides insight into the issues that arise in digital forensics due to the cloud computing environment. Section 3 presents a summary of the project and what it will achieve. The project environment and the issues and challenges in the implementation are discussed in Section 4. The last chapter summarises the problem and the proposed solution.

Motivation

With the launch of Amazon Web Services (AWS) [3] in 2006, all the key players, including Salesforce, Microsoft and Google, began to research cloud computing more intensively and introduced sets of cloud services to customers. This gives cloud customers the ability to move their IT infrastructure into a cloud environment and pay only for the resources they use. But a single cloud service provider's vulnerability can expose millions of users' private financial data and other personal information, and it is not clear how to determine whether a vulnerability was exposed by the CSP or by the Cloud Customer (CC) [4]. Cloud providers are often not transparent about how secure they are. As a result, users sometimes have little idea of the risk they are running by storing information with a cloud provider.

In 2010, Google announced that the password system controlling access by millions of users worldwide to almost all of the company's web services, including e-mail and business applications, had been hacked [5]. A hacker also accessed Twitter's financial documents and other business information stored in a Twitter employee's Google account [6]. So attacks on the cloud are not rare, and even the big IT firms are still not 100% secure. Current law leaves cloud providers, users and law enforcement with little guidance as to what protections cloud data already has or needs [4]. Conducting a digital forensic investigation to help identify the criminals is therefore a big challenge.

Digital forensic investigators need to adapt their techniques and practices in order to be able to conduct investigations in a cloud computing environment, so it is essential to identify the issues that cloud computing introduces for digital forensic investigations. Cloud computing raises a number of unique forensic issues, including the location of potential digital evidence, its preservation, and the subsequent forensic analysis. Location transparency is one of the key aspects of cloud systems, but digital forensics requires breaking this abstraction in order to be able to seize data [7].

A Gartner consultant [8] stated: "Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers." In traditional forensic approaches, the likelihood of the data being removed, overwritten, deleted or destroyed by the perpetrator is low, so the probability that the data will be accepted as admissible evidence is high [4]. Investigating in the cloud is more difficult, because data for multiple customers may be located on the same server or otherwise spread across an ever-changing set of hosts and data centres. Cloud-based evidence may therefore have forensic and chain-of-custody problems, since accessing cloud data and ensuring it has not been changed is more challenging when there may be multiple, variable storage locations for a single piece of data.

Traditional forensic technologies assume that only one tenant is hosted on one physical host [4]. When presented with multiple tenants in a cloud environment, it is therefore possible that data will be acquired from tenants who are not under investigation. The fact that data sent to the cloud can be stored anywhere in the world, including countries where privacy laws are not readily enforced or are non-existent, creates further problems for digital forensics. All of the above issues highlight the need for a fully equipped framework that can resolve the conflicts in digital forensic investigation in the cloud.

Several researchers have indirectly addressed some of the issues related to cloud forensics by suggesting the use of related techniques. Bradford [9] argues that it is unwise to depend upon "audit trails and internal logs" and that digital forensics will only be possible on future systems if those systems make proactive efforts at data collection and preservation. Sangroya [10] suggests that Infrastructure as a Service (IaaS) providers can set up a dedicated forensic server that is used on an on-demand basis: whenever a security violation takes place, the server can be brought online. In some investigation cases, a backup of the environment can easily be made and placed in the cloud without affecting the normal course of business.

As proposed by Grobauer [2], appropriate service-level agreements describing data sources and access possibilities should be put in place between the cloud customer and the provider. Incidents that originate in CSP-controlled infrastructure and might have an impact on a customer's resources must be reported to the customer. When providing customers with access to event sources, the CSP must implement concepts and mechanisms that ensure two goals: all relevant event information should be accessible, but one customer should not be able to view event information regarding other customers (customer-specific logging). Grobauer [2] also suggests that incident analysis for cloud customers could be improved by improving live analysis techniques and log file analysis.
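To make Grobauer's customer-specific logging requirement and the chain-of-custody concern raised earlier (ensuring exported cloud data has not been changed) concrete, the following added example, written for this page and not code from the proposal or any cited work, keeps one SHA-256 hash chain per cloud customer on the provider side: a customer receives only its own events even though the host is shared, and anyone holding an exported chain can detect whether it was altered. The tenant ids, host name and events are constructed sample data.

```python
import hashlib
import json

# Constructed sample provider-side events (not from the proposal): two cloud
# customers, cc-a and cc-b, share the same physical host, node-3.
SAMPLE_EVENTS = [
    {"tenant": "cc-a", "host": "node-3", "ts": "2010-12-12T10:00:00Z", "event": "vm_start"},
    {"tenant": "cc-b", "host": "node-3", "ts": "2010-12-12T10:00:05Z", "event": "ssh_login_fail"},
    {"tenant": "cc-a", "host": "node-3", "ts": "2010-12-12T10:01:00Z", "event": "volume_attach"},
    {"tenant": "cc-b", "host": "node-3", "ts": "2010-12-12T10:02:00Z", "event": "ssh_login_fail"},
]
GENESIS = "0" * 64

def _link(prev_hash, record):
    # Each entry commits to its predecessor, so editing, deleting or
    # reordering entries in an exported log breaks every later hash.
    body = prev_hash + json.dumps(record, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

class TenantEvidenceLog:
    """Hypothetical CSP event log keeping one hash chain per cloud customer."""

    def __init__(self):
        self._chains = {}  # tenant id -> list of (record, hash)

    def append(self, record):
        chain = self._chains.setdefault(record["tenant"], [])
        prev = chain[-1][1] if chain else GENESIS
        digest = _link(prev, record)
        chain.append((dict(record), digest))
        return digest

    def export(self, tenant, requester):
        """Customer-specific logging: a requester only receives its own chain,
        even though the underlying host is shared with other tenants."""
        if requester != tenant:
            raise PermissionError(f"{requester} may not read events of {tenant}")
        return [{"record": r, "hash": h} for r, h in self._chains.get(tenant, [])]

def verify_chain(entries):
    """Recompute the chain from the genesis value; False on any tampering."""
    prev = GENESIS
    for entry in entries:
        if _link(prev, entry["record"]) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def build_sample_log():
    """Load the constructed events into a fresh provider-side log."""
    log = TenantEvidenceLog()
    for event in SAMPLE_EVENTS:
        log.append(event)
    return log
```

Exporting cc-a's chain from build_sample_log() yields only its two events although both tenants ran on node-3; altering any exported record or its order makes verify_chain return False, and asking for another tenant's chain raises PermissionError.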

All the methods and practices proposed by researchers are ad hoc, so a digital forensic investigator, instead of referring to one well-defined framework, has to search through different sets of conflicting and poorly defined solutions. This project will therefore identify the available solutions, which are proposed not for the whole cloud but for certain partitions of the cloud infrastructure, and on that basis develop a framework that fills the gaps using a new set of methods and practices.

Project Summary

The main objective of this project is to produce a digital forensic framework that helps investigators by defining a set of practices, methodologies and tools for conducting digital forensic investigations in a cloud environment. It will first identify the various ad hoc proposals of researchers and the conflicts between them. It will then compare the available set against a cloud computing environment and identify the gaps and the improvements that need to be made. In parallel, the applicability of techniques such as live forensics, network forensics and proactive forensic practices to the cloud computing environment will be identified and tested.

Project Details

Architecture and Environment

Cloud computing can be deployed in models such as private clouds, community clouds, public clouds and hybrid clouds [11]. In this project the public cloud model is considered, since it has most of the issues in conducting digital forensic investigations discussed in Section 2. Cloud services can be provided in the models Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). The main difference between these service models lies in how responsibilities are divided between the cloud service provider and the cloud customer. Each model has a different set of digital forensic issues, so all the models are taken into account in this research.

As shown in Figure 01, the cloud computing architecture is a collection of resources owned and managed by the CC or the CSP depending on the service model. In order to conduct a digital forensic investigation, the boundaries of each resource need to be identified and, depending on the service model, the responsibilities for each resource need to be identified. Although a few studies have been conducted in this field, the solutions proposed by the researchers are not clearly defined, since they do not address the issues in each and every partition of the cloud and so ultimately give ad hoc practices and methodologies. The following chapters discuss the proposed methodology for defining a framework for cloud forensics.

Figure 01: E- Cloud reference architecture


In order to define a framework for digital forensic investigations in the cloud, the infrastructure in the cloud needs to be identified and its resources partitioned logically, based on who manages each resource, the similarity of the issues within a logical partition, and the location of the resource in the cloud. Then the existing methodologies for each logical partition need to be found and collected. For example, the CC and the CSP communicate through a network of which portions are owned by the CC, by the CSP and by a third party providing the communication infrastructure, so it is essential to identify how to conduct investigations in each network segment and what practices, methodologies and tools are required.

The collected existing methodologies should be tested and their anomalies fixed while proposing new methodologies. Secondly, the logical partitions should be combined and the unsolved sections identified, while preserving the legal validity of the evidence. In proposing new methodologies, the applicability of live forensic and network forensic approaches and proactive forensic practices should be taken into consideration. Adelstein [12] states that information available from a live system provides a context for the disk data, for example running processes, network connections, memory (process and physical), and other state items such as caches, logged-on users, and system load; live analysis can capture both this volatile information and static information about the file system. Proactive computer forensics focuses on identifying computer security threats before they are capable of doing any harm [13], so this technology can be used in the infrastructure readiness phase to aid the detection of incidents in the cloud. Secure provenance, which records the ownership and process history of data objects, can also be used for digital forensics in cloud computing [14].

Implementation Issues and Challenges

The major challenge of the proposed solution will be preserving the legal validity of the evidence, since the framework itself is defined by segmenting the cloud infrastructure. To preserve validity, the interrelationship of the evidence collected in the segments must be shown, because the cloud itself is too complex otherwise and the court will refuse to accept the evidence. A mechanism for doing this should be defined within the framework itself.

Within the technology it is possible to propose solutions, but the problem is how to overcome legal barriers. The application of the laws of multiple jurisdictions to a single cloud is quite problematic, and some laws impose obligations regarding the storage or transmission of data that contradict the obligations imposed by other jurisdictions. Different countries have differing levels of restriction on how information can be shared. For example, the EU data protection directive often affects cloud computing providers: the Directive specifically prohibits data transfers from EU members to countries with inadequate data protection laws, including the United States [4]. This is a big problem, since defining a framework is not sufficient on its own when issues of this kind prohibit its use.

Deliverables

The major outcome of the project will be a well-defined framework that assists digital forensic investigators in conducting investigations in a complex cloud computing environment where traditional forensic methodologies cannot be used as they are. The framework will be developed to address the issues in the cloud by dividing the cloud into segments, proposing solutions based on the issues in each segment, and finally merging them into a methodology that can be applied to a particular incident. With the proposed solution, different scenarios can be investigated using a customised set of methodologies, so irrelevant methodologies no longer get in the way and the investigator's work is simplified. Since it is developed as a flexible framework, new methodologies can be added as new inventions and new directions in technology emerge.

Timeline

Project milestones from Dec 2010 to Nov 2011 (chart dates: Dec 2010, Jan 2011, Feb 2011, Apr 2011, Jun 2011, Aug 2011, Sep 2011, Nov 2011):

1) Project Proposal
2) Initial Report
3) Identification of Existing Methodologies in each partition and Identification of Gaps
4) Proposing Solutions for gaps using Live Forensic, Network Forensic and Other technologies
5) Initial Framework for Cloud Forensics
6) Evaluate the Framework
7) Final Framework
8) Final Project Report

Conclusion

According to recent findings of the technology research firm Gartner Inc., the global cloud service market is expected to grow substantially, with revenue expected to reach $148.8 billion by 2014. Attacks directed at cloud-based services will also increase, so identifying the attackers and taking legal action against them is necessary. But there is great uncertainty about the capability to conduct digital forensic investigations in cloud infrastructures, so developing a well-defined framework that addresses the issues faced by investigators is mandatory. This proposal will introduce such a digital forensic framework by viewing the problem from a different dimension: it proposes how the cloud infrastructure should be partitioned for investigations, how the partitions should be combined, and what tools and practices are available to investigators.

References

1) P. Mell and T. Grance, "The NIST Definition of Cloud Computing," Version 15, October 2009.
2) B. Grobauer and T. Schreck, "Towards incident handling in the cloud: challenges and approaches," in Proceedings of the 2010 ACM Workshop on Cloud Computing Security, pp. 77–86, 2010.
3) Amazon Web Services. [Online]. http://aws.amazon.com/ [Accessed: 12 December 2010]
4) A. Iqbal et al., "Cloud Computing & National Security Law."
5) "Cyber Attacks on Google Said to Hit Password System." [Online]. http://www.nytimes.com/2010/04/20/technology/20google.html?sudsredirect=true [Accessed: 12 December 2010]
6) "Twitter Hack Raises Questions about 'Cloud Computing'." [Online]. http://www.cnn.com/2009/TECH/07/16/twitter.hack/index.html [Accessed: 12 December 2010]
7) S. D. Wolthusen, "Overcast: Forensic Discovery in Cloud Environments," in 2009 Fifth International Conference on IT Security Incident Management and IT Forensics, pp. 3–9, 2009.
8) [Online]. http://www.gartner.com/technology/initiatives/cloud-computing.jsp [Accessed: 12 December 2010]
9) P. G. Bradford, M. Brown, J. Perdue, and B. Self, "Towards proactive computer-system forensics," 2004.
10) A. Sangroya, S. Kumar, J. Dhok, and V. Varma, "Towards Analyzing Data Security Risks in Cloud Computing Environments," Information Systems, Technology and Management, pp. 255–265, 2010.
11) [Online]. http://www.isaca.org/Knowledge-Center/Research/Documents/Cloud-Computing-28Oct09-Research.pdf [Accessed: 12 December 2010]
12) F. Adelstein, "Live forensics: diagnosing your system without killing it first," Communications of the ACM, vol. 49, no. 2, pp. 63–66, 2006.
13) D. Ray and P. Bradford, "An Integrated System for Insider Threat Detection," Advances in Digital Forensics III, pp. 75–86, 2007.
14) R. Lu, X. Lin, X. Liang, and X. S. Shen, "Secure provenance: the essential of bread and butter of data forensics in cloud computing," in Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, pp. 282–292, 2010.
