Discussion on the Challenges and Opportunities of Cloud Forensics

  • Rainer Poisel
  • Simon Tjoa
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7465)


Cloud Forensics refers to digital forensics investigations performed in Cloud Computing Environments. Nowadays digital investigators face various technical, legal, and organizational challenges to keep up with current developments in the field of Cloud Computing. But, due to its dynamic nature, Cloud Computing also offers several opportunities to improve digital investigations in Cloud Environments. Digital investigators may utilize Cloud Computing setups and process complex tasks in cloud infrastructures. Thus they can take advantage of the enormous computing power at hand in such environments.

In this paper we focus on the current State-of-the-Art of affected fields of Cloud Forensics. The benefit for the reader of this paper is a clear overview of the challenges and opportunities for scientific developments in the field of Cloud Forensics.


Cloud Forensics digital forensics evidence 


  1. 1.
    Children warned against net predators (2000),
  2. 2.
    Electronic crime scene investigation: An on-the-scene reference for first responders, recommendations of the National Institute of Standards and Technology (2001)Google Scholar
  3. 3. - open-source ediscovery engine (2011),
  4. 4.
    Hadoop - mapreduce (2011),
  5. 5.
    Security guidance for critical areas of focus in cloud computing v3.0 (2011)Google Scholar
  6. 6.
    AccessData: Decryption and password cracking software,
  7. 7.
    Accorsi, R.: Business process as a service: Chances for remote auditing. In: Proceedings of 35th IEEE Annual Computer Software and Applications Conference Workshops (2011)Google Scholar
  8. 8.
    ACPO: Good practice guide for computer-based electronic evidence. 7safe (August 2007),
  9. 9.
    Agudo, I., Nuñez, D., Giammatteo, G., Rizomiliotis, P., Lambrinoudakis, C.: Cryptography Goes to the Cloud. In: Lee, C., Seigneur, J.-M., Park, J.J., Wagner, R.R. (eds.) STA 2011 Workshops. CCIS, vol. 187, pp. 190–197. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  10. 10.
    Ando, R., Kadobayashi, Y., Shinoda, Y.: Asynchronous Pseudo Physical Memory Snapshot and Forensics on Paravirtualized VMM Using Split Kernel Module. In: Nam, K.-H., Rhee, G. (eds.) ICISC 2007. LNCS, vol. 4817, pp. 131–143. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  11. 11.
    Baliga, J., Ayre, R.W.A., Hinton, K., Tucker, R.S.: Green cloud computing: Balancing energy in processing, storage, and transport. Proceedings of the IEEE 99(1), 149–167 (2011)CrossRefGoogle Scholar
  12. 12.
    Barrett, D., Kipper, G.: Virtualization and Forensics: A Digital Forensic Investigator’s Guide to Virtual Environments. Syngress Media, Syngress/Elsevier (2010),
  13. 13.
    Beebe, N., Beebe, N.: Digital forensic research: The good, the bad and the unaddressed. In: Peterson, G., Shenoi, S. (eds.) Advances in Digital Forensics V. IFIP AICT, vol. 306, pp. 17–36. Springer, Boston (2009)CrossRefGoogle Scholar
  14. 14.
    Biggs, S., Vidalis, S.: Cloud computing: The impact on digital forensic investigations. In: Proceedings of the International Conference for Internet Technology and Secured Transactions (ICITST) 2009, London, pp. 1–6 (November 2009)Google Scholar
  15. 15.
    Birk, D.: Technical challenges of forensic investigations in cloud computing environments. In: Proceedings of the Workshop on Cryptography and Security in Clouds, pp. 1–6 (March 2011)Google Scholar
  16. 16.
    Birk, D., Wegener, C.: Technical issues of forensic investigations in cloud computing environments. In: Proceedings of the 6th International Workshop on Systematic Approaches to Digital Forensic Engineering, Oakland, CA, USA (2011)Google Scholar
  17. 17.
    Brezinski, D., Killalea, T.: Guidelines for evidence collection and archiving. RFC 3227 (Best Current Practice) (2002)Google Scholar
  18. 18.
    Carlton, G.H., Zhou, H.: A survey of cloud computing challenges from a digital forensics perspective. International Journal of Interdisciplinary Telecommunications and Networking 3(4), 1–16 (2011)CrossRefGoogle Scholar
  19. 19.
    Carrier, B.D., Spafford, E.H.: Getting physical with the digital investigation process. International Journal of Digital Evidence 2(2), 1–20 (2003)Google Scholar
  20. 20.
    Casey, E.: Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet. Academic Press (2011),
  21. 21.
    Chow, R., Golle, P., Jakobsson, M., Masuoka, R., Molina, J.: Controlling data in the cloud:outsourcing computation without outsourcing control. In: Proceedings of the 2009 ACM Workshop on Cloud Computing Security (CCSW 2009), pp. 85–90. ACM (November 2009)Google Scholar
  22. 22.
    Cohen, F.: Digital Forensic Evidence Examination - 2nd Edn. Fred Cohen & Associates (2010)Google Scholar
  23. 23.
    Cohen, M., Bilby, D., Caronni, G.: Distributed forensics and incident response in the enterprise. Digital Investigation 8(suppl.), S101–S110 (2011)Google Scholar
  24. 24.
    Dean, J., Ghemawat, S.: Mapreduce: Simplified data processing on large clusters. In: Proceedings of the 6th Symposium on Operating Systems Design and Implementation. USENIX (2004)Google Scholar
  25. 25.
    Delport, W., Olivier, M.S., Koehn, M.: Isolating a cloud instance for a digital forensic investigation. In: Proceedings of the 2011 Information Security for South Africa (ISSA 2011) Conference (2011)Google Scholar
  26. 26.
    Dillon, T.S., Wu, C., Chang, E.: Cloud computing: Issues and challenges. In: Proceedings of the International Conference on Advanced Information Networking and Applications (AINA 2010), pp. 27–33 (2010)Google Scholar
  27. 27.
    Flaglien, A.O., Mallasvik, A., Mustorp, M., Arnes, A.: Storage and exchange formats for digital evidence. Digital Investigation 8(2), 122–128 (2011); standards, professionalization and quality in digital forensicsCrossRefGoogle Scholar
  28. 28.
    Foster, I.T., Zhao, Y., Raicu, I., Lu, S.: Cloud computing and grid computing 360-degree compared. Computing Research Repository abs/0901.0131, 1–10 (2009)Google Scholar
  29. 29.
    Garfinkel, S.L.: Digital forensics research: The next 10 years. Digital Investigation 7(suppl. 1), S64–S73 (2010); the Proceedings of the Tenth Annual DFRWS ConferenceGoogle Scholar
  30. 30.
    Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: Proceedings of the Network and Distributed System Security Symposium (NDSS 2003). The Internet Society (2003)Google Scholar
  31. 31.
    Gartner: Gartner says worldwide cloud services market to surpass $68 billion in 2010 (2010), (accessed: December 30, 2011)
  32. 32.
    Grispos, G., Glisson, W.B., Storer, T.: Calm before the storm: The emerging challenges of cloud computing in digital forensics (August 2011),, draft published for comment
  33. 33.
    Hegarty, R., Merabti, M., Shi, Q., Askwith, B.: Forensic analysis of distributed service oriented computing platforms (June 2011)Google Scholar
  34. 34.
    Karen, K., Chevalier, S., Grance, T., Dang, H.: Guide to integrating forensic techniques into incident response, recommendations of the National Institute of Standards and Technology (2006)Google Scholar
  35. 35.
    Kazarian, B., Hanlon, B.: SMB Cloud Adoption Study,- Global Report (December 2010), (accessed: December 30, 2011)
  36. 36.
    Ke, L.: Design of a Forensic Overlay Model for Application Development. Master’s thesis, University of Canterbury, College of Engineering (2011)Google Scholar
  37. 37.
    Kourai, K., Chiba, S.: Hyperspector: virtual distributed monitoring environments for secure intrusion detection. In: Hind, M., Vitek, J. (eds.) Proceedings of the 1st International Conference on Virtual Execution Environments (VEE 2005), pp. 197–207. ACM (2005)Google Scholar
  38. 38.
    Krishnan, S., Snow, K.Z., Monrose, F.: Trail of bytes: efficient support for forensic analysis. In: Al-Shaer, E., Keromytis, A.D., Shmatikov, V. (eds.) Proceedings of ACM Conference on Computer and Communications Security (ACM CCS 2010), pp. 50–60. ACM (2010)Google Scholar
  39. 39.
    Krutz, R., Vines, R.: Cloud Security: A Comprehensive Guide to Secure Cloud Computing. John Wiley & Sons (2010),
  40. 40.
    Kuhn, S., Taylor, S.: A survey of forensic analysis in virtualized environments. Tech. rep., Dartmouth College, Hanover, New Hampshire (2011)Google Scholar
  41. 41.
    Sandia National Laboratories: Libvmi (2011), (online; Status: January 09, 2012)
  42. 42.
    Lempereur, B., Merabti, M., Shi, Q.: Pypette: A framework for the automated evaluation of live digital forensic techniques. In: Proceedings of the 11th Annual PostGraduate Symposium on The Convergence of Telecommunications Networking and Broadcasting (2010),
  43. 43.
    Lillard, T., Garrison, C., Schiller, C., Steele, J., Murray, J.: Digital Forensics for Network, Internet, and Cloud Computing: A Forensic Evidence Guide for Moving Targets and Data. Elsevier (2010),
  44. 44.
    Lu, R., Lin, X., Liang, X., Shen, X.S.: Secure provenance: the essential of bread and butter of data forensics in cloud computing. In: Feng, D., Basin, D.A., Liu, P. (eds.) Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2010), pp. 282–292. ACM (2010)Google Scholar
  45. 45.
    Marsico, C.V.: Computer evidence v. daubert: The coming conflict. Cerias tech report 2005-17, Center for Education and Research in Information Assurance and Security, Purdue University (2005)Google Scholar
  46. 46.
    Marty, R.: Cloud application logging for forensics. In: Chu, W.C., Wong, W.E., Palakal, M.J., Hung, C.C. (eds.) Proceedings of the 2011 ACM Symposium on Applied Computing (SAC), pp. 178–184. ACM (2011)Google Scholar
  47. 47.
    Mason, S., George, E.: Digital evidence and “cloud” computing. Computer Law & Security Review 27(5), 524–528 (2011)CrossRefGoogle Scholar
  48. 48.
    Mell, P., Grance, T.: The nist definition of cloud computing (September 2011),
  49. 49.
    Miller, R.: Outage in dublin knocks amazon, microsoft data centers offline (2011),
  50. 50.
    Payne, B.D., Lee, W.: Secure and flexible monitoring of virtual machines. In: Proceedings of 23rd Annual Computer Security Applications Conference (ACSAC 2007). pp. 385–397. IEEE Computer Society (2007) Google Scholar
  51. 51.
    Pollitt, M.: Blue skies and storm clouds. Journal of Digital Forensic Practice 2(2), 105–106 (2008)CrossRefGoogle Scholar
  52. 52.
    Pollitt, M.M.: An ad hoc review of digital forensic models. In: Proceedings Second Int. Workshop Systematic Approaches to Digital Forensic Engineering SADFE 2007, pp. 43–54 (2007)Google Scholar
  53. 53.
    Reilly, D., Wren, C., Berry, T.: Cloud computing: Forensic challenges for law enforcement. In: Proceedings of International Conference for Internet Technology and Secured Transactions ICITST 2010, pp. 1–7. IEEE (2010)Google Scholar
  54. 54.
    Richard, G.G., Roussev, V.: Next-generation digital forensics. Communications of the ACM 49, 76–80 (2006), CrossRefGoogle Scholar
  55. 55.
    Roussev, V., Richard, G.G.: Breaking the performance wall: The case for distributed digital forensics. In: Proceedings of the 2004 Digital Forensics Research Workshop, DFRWS 2004 (2004)Google Scholar
  56. 56.
    Roussev, V., Wang, L., Richard, G.G., Marziale, L.: Mmr: A platform for large-scale forensic computing. In: Proceedings of the Fifth Annual IFIP WG 11.9 International Conference on Digital Forensics (2009)Google Scholar
  57. 57.
    Ruan, K., Baggili, I., Carthy, J., Kechadi, T.: Survey on cloud forensics and critical criteria for cloud forensic capability: A preliminary analysis. In: Proceedings of the 2011 ADFSL Conference on Digital Forensics, Security and Law (2011)Google Scholar
  58. 58.
    Ruan, K., Carthy, J., Kechadi, T., Crosbie, M.: Cloud forensics: An overview. Advances in Digital Forensics 7, 35–49 (2011)Google Scholar
  59. 59.
    Starcher, G.: Accessdata dna & amazon ec2 (2011),
  60. 60.
    Talbot, J., Yoo, R.: The phoenix system for mapreduce programming, (accessed: December 30, 2011)
  61. 61.
    Taylor, M., Haggerty, J., Gresty, D., Hegarty, R.: Digital evidence in cloud computing systems. Computer Law & Security Review 26(3), 304–308 (2010)CrossRefGoogle Scholar
  62. 62.
    Taylor, M., Haggerty, J., Gresty, D., Lamb, D.: Forensic investigation of cloud computing systems. Network Security 2011(3), 4–10 (2011)CrossRefGoogle Scholar
  63. 63.
    Wang, K.: Using a local search warrant to acquire evidence stored overseas via the internet. In: Chow, K.P., Shenoi, S. (eds.) Advances in Digital Forensics VI. IFIP AICT, vol. 337, pp. 37–48. Springer, Boston (2010), CrossRefGoogle Scholar
  64. 64.
    Wang, Y., Cannady, J., Rosenbluth, J.: Foundations of computer forensics: A technology for the fight against computer crime. Computer Law & Security Review 21(2), 119–127 (2005)CrossRefGoogle Scholar
  65. 65.
    Wolthusen, S.D.: Overcast: Forensic discovery in cloud environments. In: Proceedings of the Fifth International Conference on IT Security Incident Management and IT Forensics, DC, USA, pp. 3–9 (2009)Google Scholar
  66. 66.
    Zimmerman, S., Glavach, D.: Cyber forensics in the cloud, the newsletter for information assurance technology professionals volume 14(1) (2011),
  67. 67.
    Zonenberg, A.: Distributed hash cracker: A cross-platform gpu-accelerated password recovery system. Tech. rep., Rensselaer Polytechnic Institute (2009)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2012

Authors and Affiliations

  • Rainer Poisel
    • 1
  • Simon Tjoa
    • 1
  1. 1.Institute of IT Security ResearchSt. Poelten University of Applied SciencesSt. PoeltenAustria

Personalised recommendations