Identifying Evidence for Cloud Forensic Analysis
Cloud computing provides benefits such as increased flexibility, scalability and cost savings to enterprises. However, it introduces several challenges to digital forensic investigations. Current forensic analysis frameworks and tools are largely intended for off-line investigations and it is assumed that the logs are under investigator control. In cloud computing, however, evidence can be distributed across several machines, most of which would be outside the control of the investigator. Other challenges include the dependence of forensically-valuable data on the cloud deployment model, large volumes of data, proprietary data formats, multiple isolated virtual machine instances running on a single physical machine and inadequate tools for conducting cloud forensic investigations.
This research demonstrates that evidence from multiple sources can be used to reconstruct cloud attack scenarios. The sources include: (i) intrusion detection system and application software logs; (ii) cloud service API calls; and (iii) system calls from virtual machines. A forensic analysis framework for cloud computing environments is presented that considers logged data related to activities in the application layer as well as lower layers. A Prolog-based forensic analysis tool is used to automate the correlation of evidence from clients and the cloud service provider in order to reconstruct attack scenarios in a forensic investigation.
KeywordsCloud forensics Attack scenarios OpenStack
Unable to display preview. Download preview PDF.
- Beck, F., Festor, O.: Syscall Interception in Xen Hypervisor, Technical Report no. 9999, INRIA Nancy - Grand Est, Villers-les-Nancy, France (2009)Google Scholar
- Birk, D., Wegener, C.: Technical issues of forensic investigations in cloud computing environments. In: Proceedings of the Sixth International Workshop on Systematic Approaches to Digital Forensic Engineering (2011)Google Scholar
- Dykstra, J., Sherman, A.: Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and evaluating tools, trust and techniques. Digital Investigation 9(S), S90–S98 (2012)Google Scholar
- Dykstra, J., Sherman, A.: Design and implementation of FROST: Digital forensic tools for the OpenStack cloud computing platform. Digital Investigation 10(S), S87–S95 (2013)Google Scholar
- Jaquith, A.: Security Metrics: Replacing Fear, Uncertainty and Doubt. Pearson Education, Boston (2007)Google Scholar
- Kent, K., Chevalier, S., Grance, T., Dang, H.: Guide to Integrating Forensic Techniques into Incident Response, NIST Special Publication 800–86. National Institute of Standards and Technology, Gaithersburg (2006)Google Scholar
- Mell, P., Grance, T.: NIST Definition of Cloud Computing, NIST Special Publication 800–145. National Institute of Standards and Technology, Gaithersburg (2011)Google Scholar
- Ou, X., Govindavajhala, S., Appel, A.: MulVAL: a logic-based network security analyzer. In: Proceedings of the Fourteenth USENIX Security Symposium (2005)Google Scholar
- Palmer, G.: A Road Map for Digital Forensic Research, DFRWS Technical Report, DTR-T001-01 Final, Air Force Research Laboratory, Rome, New York (2001)Google Scholar
- Ruan, K., Carthy, J., Kechadi, T., Crosbie, M.: Cloud forensics. In: Peterson, G., Shenoi, S. (eds.) Advances in Digital Forensics V, pp. 35–46. Springer, Heidelberg (2011)Google Scholar
- Sun, X., Dai, J., Liu, P., Singhal, A., Yen, J.: Towards probabilistic identification of zero-day attack paths. In: Proceedings of the IEEE Conference on Communications and Network Security, pp. 64–72 (2016)Google Scholar
- Wang, W., Daniels, T.: A graph based approach toward network forensic analysis. ACM Transactions on Information and Systems Security 12(1), article no. 4 (2008)Google Scholar