Computer forensics involves the collection, analysis, and reporting of information about security incidents and computer-based criminal activity. Cloud computing creates new challenges for the forensics process. This paper addresses three challenges for network forensics in an Infrastructure-as-a-Service (IaaS) environment. First, network forensics needs a mechanism for analysing network traffic remotely in the cloud; this task is complicated by the dynamic migration of virtual machines. Second, forensics needs to be targeted at the virtual resources of a specific cloud user: in a multi-tenancy environment, in which multiple cloud clients share physical resources, forensics must not infringe the privacy and security of other users. Third, forensic data should be processed directly in the cloud to avoid a costly transfer of huge amounts of data to external investigators. This paper presents a generic model for network forensics in the cloud and defines an architecture that addresses the above challenges. We validate this architecture with a prototype implementation based on the OpenNebula platform and the Xplico analysis tool.
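The first two challenges named in the abstract, following a migrating VM and capturing only one tenant's traffic on a shared host, can be made concrete with a small simulation. The following is an added example written for this page; it is not the paper's architecture and not code from OpenNebula or Xplico. It assumes a hypothetical `Inventory` object standing in for the placement data a cloud controller would supply, constructed host names, MAC and IP addresses, and packet records; the per-host filter strings use ordinary pcap-filter syntax.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Vm:
    vm_id: str
    tenant: str
    host: str   # physical host the VM currently runs on
    mac: str
    ip: str


class Inventory:
    """VM placement data as a cloud controller would provide it (hypothetical API)."""

    def __init__(self, vms: List[Vm]) -> None:
        self.vms = {v.vm_id: v for v in vms}

    def migrate(self, vm_id: str, new_host: str) -> None:
        """Record a live migration; capture plans derived afterwards follow the VM."""
        self.vms[vm_id].host = new_host

    def tenant_vms(self, tenant: str) -> List[Vm]:
        return [v for v in self.vms.values() if v.tenant == tenant]


def capture_plan(inv: Inventory, tenant: str) -> Dict[str, str]:
    """Map each host running a VM of `tenant` to a pcap-filter expression that
    matches only that tenant's VM addresses, so co-located tenants are never captured."""
    terms: Dict[str, List[str]] = {}
    for vm in inv.tenant_vms(tenant):
        terms.setdefault(vm.host, []).append(f"(ether host {vm.mac} or host {vm.ip})")
    return {host: " or ".join(t) for host, t in terms.items()}


def collect(packets: List[dict], inv: Inventory, tenant: str) -> List[dict]:
    """Simulate host-level capture agents applying the plan to packet records."""
    plan = capture_plan(inv, tenant)
    addrs = {a for vm in inv.tenant_vms(tenant) for a in (vm.mac, vm.ip)}
    kept = []
    for p in packets:
        if p["host"] not in plan:
            continue   # no agent is active on hosts without the tenant's VMs
        if {p["src_mac"], p["dst_mac"], p["src_ip"], p["dst_ip"]} & addrs:
            kept.append(p)
    return kept


# Constructed sample data: three VMs of two tenants on two hosts, one external peer.
EXT_MAC, EXT_IP = "02:00:00:00:00:ff", "198.51.100.5"


def build_inventory() -> Inventory:
    return Inventory([
        Vm("vm1", "tenant-a", "host1", "02:00:00:00:00:01", "10.0.1.10"),
        Vm("vm2", "tenant-b", "host1", "02:00:00:00:00:02", "10.0.2.20"),
        Vm("vm3", "tenant-a", "host2", "02:00:00:00:00:03", "10.0.1.11"),
    ])


def pkt(host: str, src_mac: str, src_ip: str, dst_mac: str, dst_ip: str) -> dict:
    return {"host": host, "src_mac": src_mac, "src_ip": src_ip,
            "dst_mac": dst_mac, "dst_ip": dst_ip}


def run_demo() -> Dict[str, object]:
    inv = build_inventory()
    before = [
        pkt("host1", "02:00:00:00:00:01", "10.0.1.10", EXT_MAC, EXT_IP),  # vm1, tenant-a
        pkt("host1", "02:00:00:00:00:02", "10.0.2.20", EXT_MAC, EXT_IP),  # vm2, tenant-b: excluded
        pkt("host2", EXT_MAC, EXT_IP, "02:00:00:00:00:03", "10.0.1.11"),  # to vm3, tenant-a
    ]
    kept_before = collect(before, inv, "tenant-a")
    hosts_before = sorted(capture_plan(inv, "tenant-a"))

    inv.migrate("vm1", "host2")   # live migration: vm1 moves from host1 to host2
    after = [
        pkt("host2", "02:00:00:00:00:01", "10.0.1.10", EXT_MAC, EXT_IP),  # vm1 on its new host
        pkt("host1", "02:00:00:00:00:01", "10.0.1.10", EXT_MAC, EXT_IP),  # vm1 address on old host: no agent there
        pkt("host1", "02:00:00:00:00:02", "10.0.2.20", EXT_MAC, EXT_IP),  # tenant-b again
    ]
    kept_after = collect(after, inv, "tenant-a")
    hosts_after = sorted(capture_plan(inv, "tenant-a"))
    return {"hosts_before": hosts_before, "kept_before": len(kept_before),
            "hosts_after": hosts_after, "kept_after": len(kept_after)}


if __name__ == "__main__":
    print(run_demo())
```

The plan is recomputed from the inventory every time a capture is started, so after the migration only host2 carries a filter for tenant-a and the stale host1 record is never collected; the filter itself only names the tenant's own addresses, which is what keeps tenant-b's traffic on the shared host out of the evidence set.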


Keywords: Cloud Computing, Network Forensics, Incident Investigation



Copyright information

© IFIP International Federation for Information Processing 2013

Authors and Affiliations

  • Tobias Gebhardt (1)
  • Hans P. Reiser (2)
  1. TÜV SÜD AG Embedded Systems, Munich, Germany
  2. University of Passau, Passau, Germany
