Identifying Evidence for Cloud Forensic Analysis

  • Changwei LiuEmail author
  • Anoop Singhal
  • Duminda Wijesekera
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 511)


Cloud computing provides benefits such as increased flexibility, scalability and cost savings to enterprises. However, it introduces several challenges to digital forensic investigations. Current forensic analysis frameworks and tools are largely intended for off-line investigations and it is assumed that the logs are under investigator control. In cloud computing, however, evidence can be distributed across several machines, most of which would be outside the control of the investigator. Other challenges include the dependence of forensically-valuable data on the cloud deployment model, large volumes of data, proprietary data formats, multiple isolated virtual machine instances running on a single physical machine and inadequate tools for conducting cloud forensic investigations.

This research demonstrates that evidence from multiple sources can be used to reconstruct cloud attack scenarios. The sources include: (i) intrusion detection system and application software logs; (ii) cloud service API calls; and (iii) system calls from virtual machines. A forensic analysis framework for cloud computing environments is presented that considers logged data related to activities in the application layer as well as lower layers. A Prolog-based forensic analysis tool is used to automate the correlation of evidence from clients and the cloud service provider in order to reconstruct attack scenarios in a forensic investigation.


Cloud forensics Attack scenarios OpenStack 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [1]
    Beck, F., Festor, O.: Syscall Interception in Xen Hypervisor, Technical Report no. 9999, INRIA Nancy - Grand Est, Villers-les-Nancy, France (2009)Google Scholar
  2. [2]
    Birk, D., Wegener, C.: Technical issues of forensic investigations in cloud computing environments. In: Proceedings of the Sixth International Workshop on Systematic Approaches to Digital Forensic Engineering (2011)Google Scholar
  3. [3]
    Dykstra, J., Sherman, A.: Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and evaluating tools, trust and techniques. Digital Investigation 9(S), S90–S98 (2012)Google Scholar
  4. [4]
    Dykstra, J., Sherman, A.: Design and implementation of FROST: Digital forensic tools for the OpenStack cloud computing platform. Digital Investigation 10(S), S87–S95 (2013)Google Scholar
  5. [5]
    Hay, B., Nance, K.: Forensic examination of volatile system data using virtual introspection. ACM SIGOPS Operating Systems Review 42(3), 74–82 (2008)CrossRefGoogle Scholar
  6. [6]
    Hofmeyr, S., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system calls. Journal of Computer Security 6(3), 151–180 (1998)CrossRefGoogle Scholar
  7. [7]
    Hogan, M., Liu, F., Sokol, A., Tong, J.: NIST Cloud Computing Standards Roadmap, NIST Special Publication 500–291. National Institute of Standards and Technology, Gaithersburg (2011)CrossRefGoogle Scholar
  8. [8]
    Jaquith, A.: Security Metrics: Replacing Fear, Uncertainty and Doubt. Pearson Education, Boston (2007)Google Scholar
  9. [9]
    Kent, K., Chevalier, S., Grance, T., Dang, H.: Guide to Integrating Forensic Techniques into Incident Response, NIST Special Publication 800–86. National Institute of Standards and Technology, Gaithersburg (2006)Google Scholar
  10. [10]
    Liu, C., Singhal, A., Wijesekera, D.: A logic-based network forensic model for evidence analysis. In: Peterson, G., Shenoi, S. (eds.) DigitalForensics 2015. IAICT, vol. 462, pp. 129–145. Springer, Cham (2015). doi: 10.1007/978-3-319-24123-4_8 CrossRefGoogle Scholar
  11. [11]
    Liu, C., Singhal, A., Wijesekara, D.: A probabilistic network forensic model for evidence analysis. In: Peterson, G., Shenoi, S. (eds.) Advances in Digital Forensics XII. IFIPAICT, vol. 484, pp. 189–210. Springer, Cham (2016). doi: 10.1007/978-3-319-46279-0_10 CrossRefGoogle Scholar
  12. [12]
    Mell, P., Grance, T.: NIST Definition of Cloud Computing, NIST Special Publication 800–145. National Institute of Standards and Technology, Gaithersburg (2011)Google Scholar
  13. [13]
    Ou, X., Govindavajhala, S., Appel, A.: MulVAL: a logic-based network security analyzer. In: Proceedings of the Fourteenth USENIX Security Symposium (2005)Google Scholar
  14. [14]
    Palmer, G.: A Road Map for Digital Forensic Research, DFRWS Technical Report, DTR-T001-01 Final, Air Force Research Laboratory, Rome, New York (2001)Google Scholar
  15. [15]
    Pichan, A., Lazarescu, M., Soh, S.: Cloud forensics: Technical challenges, solutions and comparative analysis. Digital Investigation 13, 38–57 (2015)CrossRefGoogle Scholar
  16. [16]
    Ruan, K., Carthy, J., Kechadi, T., Crosbie, M.: Cloud forensics. In: Peterson, G., Shenoi, S. (eds.) Advances in Digital Forensics V, pp. 35–46. Springer, Heidelberg (2011)Google Scholar
  17. [17]
    Sun, X., Dai, J., Liu, P., Singhal, A., Yen, J.: Towards probabilistic identification of zero-day attack paths. In: Proceedings of the IEEE Conference on Communications and Network Security, pp. 64–72 (2016)Google Scholar
  18. [18]
    Wang, W., Daniels, T.: A graph based approach toward network forensic analysis. ACM Transactions on Information and Systems Security 12(1), article no. 4 (2008)Google Scholar
  19. [19]
    Zawoad, S., Hasan, R.: A trustworthy cloud forensics environment. In: Peterson, G., Shenoi, S. (eds.) DigitalForensics 2015. IAICT, vol. 462, pp. 271–285. Springer, Cham (2015). doi: 10.1007/978-3-319-24123-4_16 CrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2017

Authors and Affiliations

  • Changwei Liu
    • 1
    Email author
  • Anoop Singhal
    • 1
  • Duminda Wijesekera
    • 1
  1. 1.George Mason UniversityFairfaxUSA

Personalised recommendations