Abstract
Cloud computing provides benefits such as increased flexibility, scalability and cost savings to enterprises. However, it introduces several challenges to digital forensic investigations. Current forensic analysis frameworks and tools are largely intended for offline investigations and assume that the logs are under the investigator's control. In cloud computing, however, evidence can be distributed across several machines, most of which are outside the investigator's control. Other challenges include the dependence of forensically valuable data on the cloud deployment model, large volumes of data, proprietary data formats, multiple isolated virtual machine instances running on a single physical machine and inadequate tools for conducting cloud forensic investigations.
This research demonstrates that evidence from multiple sources can be combined to reconstruct cloud attack scenarios. The sources include: (i) intrusion detection system and application software logs; (ii) cloud service API calls; and (iii) system calls from virtual machines. A forensic analysis framework for cloud computing environments is presented that considers logged data related to activities in the application layer as well as in lower layers. A Prolog-based forensic analysis tool is used to automate the correlation of evidence from clients and the cloud service provider in order to reconstruct attack scenarios during a forensic investigation.
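The abstract describes correlating three kinds of evidence (IDS and application logs, cloud API calls, VM system calls) with a Prolog rule base to reconstruct an attack scenario. The Python below is an added illustration of that idea, not the paper's tool or its rules: it forward-chains three hand-written correlation rules to a fixpoint over constructed sample evidence (a Prolog query would reach the same derived facts by backward chaining). All predicate names, time windows, the `SHELLS` and `SENSITIVE_OPS` sets and the sample events are assumptions made for the example; it also shows the edge case of a routine API call from the same tenant that precedes the intrusion and therefore must not be linked to it.

```python
"""Minimal forward-chaining evidence correlator (added example, not the paper's Prolog tool)."""
from datetime import datetime, timedelta
from typing import Callable, Iterable, List, Set, Tuple

Fact = Tuple[str, ...]                      # (predicate, arg1, arg2, ...)
Rule = Callable[[Set[Fact]], Iterable[Fact]]

# Assumed vocabulary for the rules (not from the paper).
SHELLS = {"/bin/sh", "/bin/bash"}
SENSITIVE_OPS = {"CreateSnapshot", "AttachVolume", "CreateKeyPair"}

# Constructed sample evidence: timestamps are ISO-8601 UTC without a zone suffix.
EVIDENCE: List[Fact] = [
    # (ids_alert, time, source_ip, vm, signature)
    ("ids_alert", "2017-03-01T10:00:05", "203.0.113.7", "vm-web-1", "web-app-attack-signature"),
    # (app_log, time, vm, level, message)
    ("app_log", "2017-03-01T10:00:06", "vm-web-1", "error", "malformed request from 203.0.113.7"),
    ("app_log", "2017-03-01T10:00:07", "vm-web-2", "error", "disk quota warning"),   # other VM, decoy
    # (syscall, time, vm, call, argument) from VM introspection
    ("syscall", "2017-03-01T10:00:09", "vm-web-1", "execve", "/bin/sh"),
    # (api_call, time, tenant, operation, resource) from the provider's API log
    ("api_call", "2017-02-28T23:00:00", "tenant-a", "CreateSnapshot", "vol-db-1"),  # nightly backup, before intrusion
    ("api_call", "2017-03-01T10:02:30", "tenant-a", "CreateSnapshot", "vol-db-1"),
    ("api_call", "2017-03-01T10:03:00", "tenant-b", "CreateSnapshot", "vol-x"),     # other tenant, decoy
    # Static facts about the deployment.
    ("vm_owner", "vm-web-1", "tenant-a"),
    ("vm_owner", "vm-web-2", "tenant-a"),
]


def within(t_start: str, t_event: str, seconds: int) -> bool:
    """True if t_event is at or after t_start and no more than `seconds` later."""
    delta = datetime.fromisoformat(t_event) - datetime.fromisoformat(t_start)
    return timedelta(0) <= delta <= timedelta(seconds=seconds)


def select(facts: Set[Fact], predicate: str) -> List[Fact]:
    """All facts with the given predicate (the equivalent of a Prolog goal)."""
    return [f for f in facts if f[0] == predicate]


# Rule 1: an IDS alert on a VM followed within 60 s by an application error on the same VM.
def rule_suspected_compromise(facts: Set[Fact]) -> Iterable[Fact]:
    for _, t_alert, src, vm, sig in select(facts, "ids_alert"):
        for _, t_log, vm2, level, _msg in select(facts, "app_log"):
            if vm2 == vm and level == "error" and within(t_alert, t_log, 60):
                yield ("suspected_compromise", vm, t_alert, src, sig)


# Rule 2: a shell is spawned on a suspected VM within 5 min of the alert.
def rule_foothold(facts: Set[Fact]) -> Iterable[Fact]:
    for _, vm, t0, _src, _sig in select(facts, "suspected_compromise"):
        for _, t, vm2, call, arg in select(facts, "syscall"):
            if vm2 == vm and call == "execve" and arg in SHELLS and within(t0, t, 300):
                yield ("foothold", vm, t, arg)


# Rule 3: the tenant owning a footholded VM issues a sensitive API call within 1 h afterwards.
def rule_cloud_pivot(facts: Set[Fact]) -> Iterable[Fact]:
    for _, vm, t0, _arg in select(facts, "foothold"):
        for _, vm2, tenant in select(facts, "vm_owner"):
            if vm2 != vm:
                continue
            for _, t, tenant2, op, res in select(facts, "api_call"):
                if tenant2 == tenant and op in SENSITIVE_OPS and within(t0, t, 3600):
                    yield ("cloud_pivot", tenant, t, op, res)


RULES: List[Rule] = [rule_suspected_compromise, rule_foothold, rule_cloud_pivot]


def derive(evidence: Iterable[Fact], rules: List[Rule] = RULES) -> Set[Fact]:
    """Apply the rules repeatedly until no new fact appears (least fixpoint)."""
    facts = set(evidence)
    while True:
        new = {f for rule in rules for f in rule(facts) if f not in facts}
        if not new:
            return facts
        facts |= new


def reconstruct(evidence: Iterable[Fact]) -> List[Fact]:
    """Derived scenario steps only, ordered by their timestamp (index 2 in every derived fact)."""
    derived = derive(evidence) - set(evidence)
    return sorted(derived, key=lambda f: f[2])


if __name__ == "__main__":
    for step in reconstruct(EVIDENCE):
        print(step)
```

Each derived fact carries the evidence it was built from (VM, tenant, timestamps, resource), so the chain is auditable back to the original log records; the two decoy events and the pre-intrusion backup snapshot are left unlinked because the rules require both a shared entity and a forward-looking time window.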
© 2017 IFIP International Federation for Information Processing
Cite this paper
Liu, C., Singhal, A., Wijesekera, D. (2017). Identifying Evidence for Cloud Forensic Analysis. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XIII. DigitalForensics 2017. IFIP Advances in Information and Communication Technology, vol 511. Springer, Cham. https://doi.org/10.1007/978-3-319-67208-3_7
DOI: https://doi.org/10.1007/978-3-319-67208-3_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-67207-6
Online ISBN: 978-3-319-67208-3