Cloud forensics: An overview Keyun Ruan, Prof. Joe Carthy, Prof. Tahar Kechadi, Mark Crosbie*

Centre for Cybercrime Investigation, University College Dublin, * IBM Ireland Ltd

{keyun.ruan, joe.carthy, tahar.kechadi}@ucd.ie, mcrosbie@ie.ibm.com

Abstract

Cloud computing is estimated to be one of the most transformative technologies in the history of

computing. Cloud organizations, including the providers and customers of cloud services, have yet to

establish a well-defined forensic capability. Without this they are unable to ensure the robustness and

suitability of their services to support investigations of criminal activity. In this paper, we take the first

steps towards defining the new area of cloud forensics, and analyze its challenges and opportunities.

Keywords:  Cloud forensics, cloud computing, digital forensics  

1. Introduction Cloud computing has the potential to become one of the most transformative developments in the

history of computing, following the footsteps of mainframes, minicomputers, PCs (Personal

Computers), and smart phones (Perry et al., 2009). It is radically changing the way how

information technology services are created, delivered, accessed and managed.

According to a May 2008 forecast by Merrill Lynch (2008), the volume of the cloud computing

market opportunity will amount to $160 billion by 2011. According to an October 2008 forecast by

IDC (International Data Corporation) (Gens, 2008), spending on cloud services is growing at five

times the rate of traditional on-premises IT (Information Technology). Even more striking than this

high growth rate is the contribution the growth of cloud offerings will soon make to the overall

growth of the IT market; Cloud computing services will generate approximately one-third of the

net new growth within the IT industry. In March 2009, Gartner (2009) forecasted that the

worldwide cloud service market is expected to reach $150.1 billion in 2013.

Businesses around the world are rapidly adopting cloud computing. The 2009 F5 cloud computing

survey (F5 Network and Applied Research West, 2009) found that, 66% of 250 IT managers

interviewed have dedicated budget funds for the Cloud, 71% expect cloud computing budgets to

grow over the next two years. One conclusion from the survey is that cloud computing is gaining

critical mass among large enterprises: 82% of the respondents said they are "in some stage of trial,

implementation or use of public clouds" and 83% said the same for use of private clouds.

Government agencies are also seeing a shift into cloud adoption. A recent InformationWeek

government survey (Foley, 2010) of IT managers in federal government found that 22% planned to

implement cloud computing over the next 12 months and another 22% within two years.

According to research from INPUT (2009), in the United States, public sector investment in cloud

computing is likely to more than double in the next five years, and US Federal government

spending on the Cloud will increase steadily, reaching $792 million by 2013.

Over the last decade, the number of crimes that involve computers and Internet has grown,

spurring an increase in companies and products that aim to assist law enforcement in using digital

evidence to determine the perpetrators, methods, timing and victims of computer crime. As a result,

digital forensics has evolved to assure proper presentation of computer and cyber crime evidentiary

data in court. According to Federal Bureau of Investigation [FBI] 2008 statistics, in the United

States, the size of the average digital forensic case is growing at the rate of 35% per year – from 83

GB in 2003 to 277 GB in 2007. With storage capacity growth outpacing network bandwidth and

latency improvements, forensic data is not only getting bigger, but is also growing significantly

larger relative to the ability to process them in a timely manner, as stated by Roussev et al. (2009).

The rise of cloud computing not only has exacerbated the problem of scale for digital forensic

activities, but also created a brand new front for cybercrime investigation with various challenges.

Digital forensic practitioners must extend digial forensic knowledge and tools into cloud

computing environments, and help cloud organizations, including both CSP (Cloud Service

Provider) and cloud customers, to establish a forensic capability in order to reduce cloud security

risks. Otherwise, cloud organizations will have difficulties in carrying out investigations on critical

incidents happened in the Cloud such as criminal intrusions and major policy violations, as well as

collaborating with law enforcement in cases of resource confiscation, etc.

In this paper, we take the first step to give an overview of the new area, cloud forensics, and

analyze its challenges and opportunities.

2. Discussion on the definitions of cloud forensics 2.1 Cloud forensics

We propose in this paper the definition of cloud forensics as the application of digital

forensics in cloud computing as a subset of network forensics, as shown in Figure 1.

Figure 1. Where is cloud forensics?

Firstly, we identify cloud forensics as a cross-discipline between cloud computing and digital

forensics. There are various definitions for both cloud computing and digital forensics to this

date, and in this paper we adopt the current definitions for both cloud computing and digital

forensics from NIST:

Digital forensics is the application of science to the identification, collection,

examination, and analysis of data while preserving the integrity of the information

and maintaining a strict chain of custody for the data. (Kent et al.,2006)

Cloud computing is a model for enabling convenient, on-demand network access to a

shared pool of configurable resources (e.g., networks, servers, storage, applications,

and services) that can be rapidly provisioned and released with minimal management

effort or service provider interaction. Cloud computing has five essential

characteristics, i.e., on-demand self-service, broad network access, resource pooling,

rapid elasticity and measured service. It has three service models, i.e., Cloud

Software as a Service (SaaS), Cloud Platform as a Service (PaaS) and Cloud

Infrastructure as a Service (IaaS). And it has four deployment models, i.e., private

cloud, community cloud, public cloud and hybrid cloud. (Mell and Grance, 2009)

Secondly, we recognize cloud forensics as a subset of network forensics (DFRWS, 2001), as

network forensics deals with forensic investigations in any kind of public or private networks,

and cloud computing is based on broad network access, thus technically, cloud forensics

should follow the main phases of network forensic process with extended or novel techniques

tailored for cloud computing environment in each phase.

2.2 The three dimensions of cloud forensics As we can see from the NIST definition, cloud computing is an evolving paradigm with

complex aspects. Its essential characteristics have dramatically reduced the cost of IT which is

driving the global trend in the rapid strategic adopting of cloud computing in businesses and

governments (EurActiv, 2011). To ensure service availability and cost-effectiveness, major

CSPs, such as Amazon, Salesforce.com, and Google all have data centers around the world in

different jurisdictions providing cloud services. Data stored in one data center is replicated to

multiple locations to ensure abundance and reduce the risk of single point of failure. Of course

these points of replication are potentially under many separate jurisdictions. Segregation of

duties between the CSP and the customer in forensic responsibilities becomes different in

different service models, and interactions between multiple tenants sharing same cloud

resources are different in different deployment models.

As a result, multi-jurisdiction and multi-tenancy have become a default setting for cloud

forensics, creating much more legal challenges. Sophisticated collaborations between the CSP

and the customer, or between multiple tenants sharing same resources, or among international

law enforcement are required in most of the cloud forensics cases. In order to analyze the

problem more comprehensively, and to emphasize the fact that cloud forensics is a multi-

dimensional issue instead of only a technical issue, we would like to extend the definition of

cloud forensics across three major dimensions; organizational, legal and technical, as shown in

Figure 2.

Figure 2. Cloud forensic three-dimensional model

2.2.1 The technical dimension

The technical dimension involves a set of tools and procedures to carry out the

forensic process in cloud computing environments. We emphasize some of the key

aspects in the technical dimension as follows:

1. Forensic data collection

Cloud forensic collection is the process of identifying, labelling, recording, and

acquiring forensic data from the possible sources of data in the Cloud. These

data sources include client-side artefacts that reside on client premises, and

provider-side artefacts reside on provider infrastructure. Since the segregation of

duties is different in different cloud service models, the tools and procedures to

collect forensic data are also different. In different deploy models, provider-side

artefacts are different, e.g., in public clouds, provider-side artifacts need to be

segregated among multiple tenants, whereas in private clouds, there is no such

need.

The sequence order in which data is collected is defined according to the

volatility of data; highly volatile data (i.e. RAM images) should be collected first,

followed by data with lower volatility. The collection process should follow

procedures that preserve the integrity of data, with clearly-defined segregation of

duties between client and provider, and without breaching law(s) and

regulation(s) under the jurisdiction(s) where data is collected, or compromising

confidentiality of any other tenant(s) sharing the same resource(s).

2. Elastic, static and live forensics

Rapid elasticity is one of the essential characteristics of cloud computing. Cloud

compute and storage resources can be provisioned and deprovisioned on demand.

As a result, cloud investigation tools also need to be elastic; in most cases large

scale static and live forensic tools are required, such as e-discovery, data

acquisition, data recovery, evidence examination, evidence analysis tools and

tools to collect volatile data.

3. Evidence segregation

Another essential characteristic of cloud computing is resource pooling. IT cost

is reduced in multi-tenant environments where various resources are shared.

However, cloud forensics involves the reverse process of evidence segregation,

but the underlying components that make up the cloud infrastructure, e.g., CPU

(Central Processing Unit) caches, GPU (Graphis Processing Units), etc., were

not designed for strong compartmentalization in a multi-tenant architecture

(CSA, 2009). Tools and procedures to segregate forensic data in the cloud

among muliple tenants in different deployment models and different service

models need to be developed.

4. Investigations in virtualized environments

Virtualization is a key technology used to implement cloud services. However

tools and procedures are yet to be developed for investigations in virtualized

environment, e.g. hypervisor investigations. On the other hand, while operations

are mostly virtualized in cloud environments, investigations in most cases

require evidence retrieval from physical locations. Loss of data control is one of

the major security challenges in the Cloud (CSA, 2009). In cloud forensics, tools

and procedures need to be developed to physically locate forensic data at a given

timestamp, and physically trace forensic data at a given time period, taking into

considerations of the jurisdiction(s) of the physical locations.

5. Pro-active preparations

Pro-active measures can be taken as preparations to make forensic investigation

easier. Such measures include designing forensic-aware cloud applications, and

pro-actively collecting forensic data in the Cloud using tools provided by the

CSP or tools developed from the customer side. It often involves a set of design

principles, such as conducting regular snapshots to remote storage, regularly

tracking authentication and access-control records and performing object-level

auditing of all access.

2.2.2 The organizational dimension

Figure 4. Cloud forensic organizational structure

Forensic investigations in cloud computing environments always involves at least

two parties: the CSP, and the cloud customer. When the CSP outsources services to

other parties, the scope of investigation widens. Figure 4 shows the proposed

organizational structure needed in order to carry out cloud forensic activities

efficiently and effectively with a joint effort.

2.2.2.1 Organizational structure for each cloud organization

In order to establish a forensic capability, each cloud organization, including the

providers and customers of cloud services, is required to define a structure of internal

staffing, provider-customer collaboration, and external assistance fulfilling the

following roles:

• Investigators: the investigators (on the provider side and on the customer

side) are responsible for collaborative investigation allegations of

misconduct in the Cloud and working with external assistance or law

enforcement when needed. They not only need knowledge of how to carry

out investigations from their own sides, but also need to understand the

forensic capabilities of the parties they are interacting with and the

segregation of duties among these parties regarding forensic investigation.

• IT Professionals: this group includes system, network, and security

administrators, ethical hackers, cloud security architect, and technical

support staff in the cloud organization. They contribute to the investigation

with their expertise, facilitate the investigators in accessing the crime scene,

and may also perform data collection for the investigators.

• Incident Handlers: this group responds to a variety of specific security

incidents in the Cloud, such as unauthorized data access, accidental data

leakage and data loss, breach of tenant confidentiality, inappropriate system

usage, malicious code infections, malicious insider attack, (distributed)

denial of service sttacks, etc. It is wise for a cloud organization to have a

written plan with categorized security incidents on different levels of the

Cloud and respective incident handlers to be referred to in cases of forensic

investigations.

• Legal Advisors: It is crucial to include legal advisors in forensic staffing

who are familiar with multi-jurisdiction and multi-tenant issues in the Cloud

so that any forensic activities will not violate regulations under respective

jurisdiction(s) or confidentialities of other tenant(s) sharing the same

resource(s). Service Level Agreements (SLAs) must be written with clauses

that explain the procedures to follow in the event of a forensic investigation.

An internal legal advisor should be involved in drafting these clauses so that

they respect the law across all jurisdictions in which the CSP operates.

Internal legal advisors are also responsible to communicate and collaborate

with external law enforcement during the course of a forensic investigation.

• External Assistance: in most cases, it is wise for the cloud organizations to

rely on a combination of its own staff and external parties to perform

forensic tasks such as e-discovery, investigations on civil cases,

investigations on external chain of dependencies. It is important for cloud

organizations to determine in advance, which actions should be performed

by external assistance regaring forensic activities, and make it clear in

relevant policies, guidelines and agreements which are transparent to its

service customers and law enforcement when necessary.

2.2.2.2 Chain of Dependencies

CSPs and most cloud applications oftern have dependencies on other CSP(s). The

dependencies in a (discrete) chain of CSP(s)/customer(s) can be highly dynamic. In

such a situation investigation in the Cloud may depend on the investigations of each

one of the links in the chain and level of complexity of the dependencies. Any

interruption or corruption in the chain or a lack of coordination of responsibilities

between all the parties involved can lead to problems. Essential communications and

collaborations regarding forensic activities through this chain need to be facilitated

by organizational policies and legally binded in the SLAs.

The chain of CSP(s)/cloud customer(s), taking into consideration the chain of

dependencies between them, has to communicate and collaborate with the following

parties in order to facilitate effective and efficient forensic activities.

• Law enforcement: the top priority for cloud organizations is the availability

of service and the top priority for law enforcement is the prosecution of

criminals (DFRWS, 2001). These two different priorities often clash in

situations such as evidence collection. Cloud organizations need to work

closely with law enforcement to improve mutual understanding, and

collaborate much further in the cases such as resource confiscation.

• Third parties: cloud organizations need to work closely with third parties

for auditing and compliance purposes regarding cloud forensics.

• Academia: cloud organizations need to work closely with academia on

cloud forensic research and education in order to contribute to the

knowledge of the area, and also to receive up-to-date training for their

internal forensic staff.

2.2.3 The legal dimension

2.2.3.1 Multi-jurisdiction and multi-tenancy

Multi-jurisdiction and multi-tenancy challenges have been identified as the top legal

concerns among digital forensics experts (Broadhurst, 2006; Liles et al., 2009) and

these two issues are both exacerbated in the Cloud.

Regulations and agreements have to be developed in the legal dimension of cloud

forensics, to secure that forensic activities will not breach any laws or regulations

under any jurisdiction(s) where the data resides in, and the confidentiality of other

tenants sharing the same infrastructure will not be compromised, throughout the

investigation.

2.2.3.2 Service Level Agreement

SLA defines the terms of use between a pair of CSP and cloud customer. The

following terms regarding forensic investigations are not in place at the moment and

have to be included into the SLA.

(1) Service provided, techniques supported, access granted by the CSP to the

customer regarding forensic investigation

(2) Trust boundaries, roles and responsibilities between the CSP and the cloud

customer regarding forensic investigation

(3) How forensic investigations are secured in a multi-jurisdictional environment in

terms of legal regulations, confidentiality of customer data, and privacy policies

(4) How forensic investigations are secured in a multi-tenant environment in terms

of legal regulations, confidentiality of customer data and privacy policies

2.3 Cloud crime We extend the definition of computer crime by Casey (2000) to cloud crime. Cloud crime is

any crime that involves cloud computing. The Cloud can be the object, subject or tool of

crimes. The Cloud is the object of the crime when the CSP is the target of the crime and is

directly affected by the criminal act, e.g. DDOS (Distributed Denial of Service) attacks

targeting part(s) of the Cloud or even the entire cloud. The Cloud is the subject of the crime

when it is the environment where the crime is committed, e.g., unauthorized modification or

deletion of data residing in the Cloud, identity theft of users of the Cloud. The Cloud can also

be the tool used to conduct or plan a crime, e.g., evidence related to the crime can be stored

and shared in the Cloud and a Cloud that is used to attack other Clouds is called a dark Cloud.

2.4 Usage of cloud forensics There are various usages of cloud forensics. We summarize them as follows:

(1) Investigation

• Investigation on cloud crime and policy violation in multi-jurisdictional and multi-tenant

cloud environments

• Investigation on suspect transactions, operations and systems in the Cloud for incident

response

• Event reconstruction in the Cloud

• Providing admissible evidence to the court

• Collaboration with law enforcement in resource confiscation

(2) Troubleshooting

• Locating data file and hosts virtually and physically in cloud environments.

• To determine the root cause for single events or trends spanning multiple events over time,

and to develop new strategies to help prevent recurrence of similar incidents.

• Tracing an event and assessing the current state of an event in the Cloud

• Resolving functional issues in cloud applications and cloud services

• Resolving operational issues in cloud systems

• Security incident handling in the Cloud

(3) Log Monitoring

• Collecting, analyzing and correlating log entries across multiple systems in the Cloud,

assisting in auditing, due diligence, regulatory compliance and other efforts

(4) Data and System Recovery

• Recovering data in the Cloud, that has been accidentally or intentionally deleted or

modified

• Recovering encrypted data in the Cloud, when the encryption key has been lost.

• Recovering systems from accidental damage or attacks

• Acquiring data from the Cloud that are being redeployed, retired or need to be sanitized

(5) Due Diligence/Regulatory Compliance

• Helping organizations exercise due diligence and comply with requirements such as

protecting sensitive information, maintaining certain records for audit purposes, notifying

impacted parties when protected information is exposed, etc.

3. Challenges In order to establish a forensic capability for cloud organizations in all three-dimensions defined

above, we are facing enormous challenges. In the technical dimension, we have very limited tools

and procedures in all five major components that we emphasize in this paper. In the legal

dimension there is currently no agreement among cloud organizations on collaborative

investigation, and no terms and conditions are present in SLAs on segregation of duties between

CSP and cloud customer. International cyber law and policies must progress to help resolve the

issues surrounding multi-jurisdiction investigations.

3.1 Challenges in forensic data collection

In all combinations of cloud service and deployment models, the cloud customer faces the

challenge of decreased access to forensic data. Access to forensic data varies dependent on the

cloud model; IaaS customers enjoy relatively easy access to all data required for a forensic

investigation, while SaaS customers may have little to no access to data required.

Decreased access to forensic data means the cloud customer generally has no control or knowledge

over the exact physical location of their data, and may only be able to specify location at a higher

level of abstraction, typically as an object or container identified. CSPs intentionally hide the

location of data from customers to facilitate data movement and replication.

Moreover, there is a lack of appropriate terms of use in the SLA (Service Level Agreement) to

enable general forensic readiness in the Cloud. Many CSPs do not provide services or interfaces

for the customers to gather forensic data. For example, SaaS (Software as a Service) providers may

not provide access to the IP logs of clients accessing content; IaaS (Infrastructure as a Service)

providers may not provide forensic data such as recent VM (Virtual Machine) and disk images. In

the Cloud, the customers have decreased access to relevant log files and metadata in all levels as

well as a limited ability to audit the operations of the network of their CSP and conduct real-time

monitoring on their own networks.

3.2 Challenges in elastic, static and live forensics

The proliferation of endpoints, especially mobile endpoints, is a challenge for data discovery and

evidence collection. The impact of crimes and the workload of investigation can be exacerbated in

cloud computing simply because of the sheer number of resources connected to the Cloud.

Time synchronization is crucial to the audit logs that are used as source of evidence in the

investigation. Accurate time synchronization has been always an issue in network forensics, and is

made all the more challenging in a cloud environment as timestamps must be synchronized across

multiple physical machines spread in multiple geographical regions, between cloud infrastructure

and remote web clients including numerous end points.

Similar to time synchronization, unification of log formats has been a traditional issue in network

forensics and the challenge is exacerbated in the Cloud because it is extremely difficult to unify the

log formats or make them convertible to each other from the massive resources available in the

Cloud. Furthermore, proprietary or unusual log formats of one party can become major roadblocks

in joint investigations.

In computer forensics, recovered deleted data is an important source of evidence, so it is in the

Cloud. In AWS (Amazon Web Service) the right to alter or delete the original snapshot is

explicitly reserved for the AWS account that created the volume. When item and attribute data are

deleted within a domain, removal of the mapping within the domain starts immediately, and is also

generally complete within seconds. Once the mapping is removed, there is no remote access to the

deleted data. Storage space occupied by the data elements deleted is made available for future

write operations and the it is likely that storage space will be overwritten by newly stored data.

However, some deleted data might be still present in the snapshot after deletion (Amazon, 2010).

A simple challenge is: how to recover deleted data, identify the ownership of deleted data, and use

deleted data as sources of event reconstruction in the Cloud?

3.3 Challenges in evidence segregation

In the Cloud, different instances running on the same physical machine are logically isolated from

each other via hypervisor. An instance’s neighbours have no more access to that instance than any

other host on the Internet and can be treated as if they are on separate physical hosts. Customer

instances have no access to raw disk devices, but instead are presented with virtualized disks. On

the physical level system audit logs of shared resources and other forensic data are shared among

multiple tenants. Currently, the provisioning and de-provisioning technologies still need to be

much improved in the Cloud (CSA, 2009), and it remains a challenge for the CSP and law

enforcement to keep the same segregating in the whole process of investigation without breaching

the confidentiality of other tenants sharing the same infrastructure and ensure the admissibility of

the evidence.

Another issue is that the easy-to-use feature of cloud models results in a weak registration system,

facilitating anonymity that is easy to be abused and making it easier for cloud criminals to conceal

their identities and harder for investigators to identify and trace suspects as well as segregate

evidence.

Moreover, encryption is used in the Cloud to separate data hosting of the CSPs and data usage of

the cloud customers and most of the major CSPs encourage customers to encrypt their sensitive

data before uploading to the Cloud if encryption is not provided by the CSP by default (Amazon,

2010; Force.com, 2010; Google, 2010). Unencrypted data in the Cloud can be considered lost from

a strict security perspective. A chain of separation is required to segregate key management from

the CSP hosting the data and needs to be standardized in contract language. Agreement has to be

made among the law enforcement, the cloud customer and the CSP on granting access to keys of

forensic data, otherwise evidence can be easily compromised when encryption key is destoryed.

3.4 Challenges in virtualized environments

Cloud computing claims to provide data and compute redundancy by replicating and distributing

resources. However in reality most CSPs implement instances of a cloud computer environment in

a virtualized environment. Instances of servers run as virtual machines, monitored and provisioned

by a hypervisor. The hypervisor in a Cloud is analogous to a kernel in the traditional operating

system. Attackers will aim to focus their attacks against the hypervisor; compromise of the

hypervisor amplifies any attack as many compute resources rely on its security. For law

enforcement and cloud investigators, however, there is a huge lack of policies, procedures and

techniques on hypervisor level to facilitate investigation.

In the Cloud, mirroring data for delivery by edge networks, its redundant storage in multiple

jurisdictions and the lack of transparent real-time information about where data is stored introduces

difficulties for investigation. Investigators may unknowingly violate regulations, especially if clear

information is not provided about the jurisdiction of storage (ENISA,2009). The CSPs cannot

provide tools for the customer to locate at a given time, or trace at a given period of time, precisely

and physically the multiple locations of a piece of data across all the geographical regions where

the Cloud resides. Furthermore, the distributed nature of cloud computing forces a stronger

international collaboration between law enforcement and industry, in cases such as confiscating “a

Cloud” since the agency of a single nation cannot manage it when the physical servers are spread

across different countries.

3.5 Challenges in internal staffing

Today most cloud organizations are dealing with investigations with traditional network forensic

tools and staffing, or are simply neglecting the issue. The major challenge in establishing a cloud

forensic organizational structure is the lack of forensic expertise and relevant legal experience. The

deep-rooted reasons for this challenge, which is also a challenge for the whole discipline of digital

forensics, are firstly, the relative slow progress of forensic research compare to the rapidly

evolving technology and secondly, the slow progress of relevant laws and international regulations.

With only a decade of research and development, the discipline of digital forensics is still in its

infancy, new forensic research areas in non-standard systems (Beebe, 2009), such as cloud

computing, need to be explored, techniques need to be developed, regulations need to catch up,

law advisors need to be trained, staff need to be equipped with new knowledge and skills to deal

with the new grounds for cyber crimes created by the rapid rise of new models such as cloud

computing.

3.6 Challenges in external chain of dependency

As mentioned in the organizational dimension of cloud forensics, CSPs and most cloud

applications often have dependencies on other CSPs. For example, a CSP providing an email

application (SaaS) may depend on a 3rd party provider to host log-files (PaaS), who in turn may

rely on a partner to provide infrastructure to store log files (IaaS). Although many predict the

industry is moving towards federated or integrated Cloud in the near future, today every CSP has a

different approach to solving this problem. Correlation of activities across CSPs is a big challenge.

Investigation in the chain of dependencies between CSPs may depend on the investigations of each

one of the links in the chain and level of complexity of the dependencies. Any interruption or

corruption in the chain or a lack of coordination of responsibilities between all the parties involved

can lead to problems. Currently threre are no tool, procedure, policy or agreement regarding cross-

provider forensic investigations.

3.7 Challenges regarding SLA

Important terms regarding forensic investigations are not included in the SLA at the moment. This

is because there is a lack of customer awareness, a lack of CSP transparency and a lack of

international regulations. Most cloud customers are still not aware of the potential issues that might

rise regarding forensic investigations in the Cloud and their significance. The consequence is that

they might end up not knowing anything at all about what has happened in the Cloud in cases

when their data is lost in criminal activities and has no right to claim any compensation. CSPs are

not willing to ensure transparency to the customers regarding forensic investigations because they

either do not know how to investigate cloud crimes themselves or the methods and techniques they

are using are likely to be problematic in the highly complex and dynamic multi-jurisdiction and

multi-tenancy cloud environment. The progress of any law and regulations including law and

regulations of cyber crimes is very slow, while cloud computing is rapidly emerging as a new

battlefield of cyber crimes for hackers who are equipped by the most updated techniques,

investigators, law enforcement and various cloud organizations.

3.8 Challenges regarding Multi-Jurisdiction and multi-tenancy

The legal challenges of multi-jurisdiction and multi-tenancy concern the differences among

legislations in all the countries (states) the Cloud and its customers reside in. The differences

between jurisdictions affects on issues such as what kind of data can be accessed and retrieved in

the jurisdiction(s) where the physical machine(s) from which data is accessed and retrieved, how to

conduct evidence retrieval without breaching privacy or privilege rights of tenants according to the

privacy policis and regulations in the organizations and specific jurisdiction where multiple

tenants’ data is located, what kind of evidence is admissible to the court in the specific jurisdiction,

what kind of chain of custody is needed in the evidence preservation in the jurisdiction(s) where

forensic data has passed during an investigation in the Cloud. Multi-jurisdiction issues also

concern lack of legislative mechanism that facilitates collaboration between industry and law

enforcement around the world, in cases such as resource seizure, cloud confiscation, evidence

retrieval, data exhchange between countries, etc.

4. Opportunities 4.1 Cost Effectiveness

Everything is less expensive when implemented on a larger scale, including security and forensic

services. Cloud computing is currently very attractive to SMEs (Small and Medium Enterprises)

due to the cost advantage which also applies to forensic implementations. SMEs that cannot afford

dedicated internal or external forensics implementations or services may have an upgrade at

relatively low cost when adopting cloud computing.

4.2 Data Abundance

Amazon S3 and Amazon Simple DB ensure object durability by storing objects multiple times

across multiple Availability Zones on the initial write and then actively doing further replication in

the event of device unavailability or detected bit-rot to reduce the risk of single point of failure

(Amazon, 2010). Data abundance generated in the Cloud is helpful to investigations as full data

deletion cannot be guaranteed and investigators can take advantage of it to recover data as

evidence. Scaled up to the Cloud, when a request to delete a cloud resource is made it actually

technically can never result in true wiping of the data. Full data deletion may only be guaranteed

by destroying the resource that is shared with other cloud tenants. Thus pieces or segments of data

that is crucial to investigation are very likely to remain somewhere in the Cloud for the

investigators to discover.

4.3 Overall Robustness

Some of the cloud technologies help to improve the overall robustness of forensics in the Cloud.

For example, Amazon S3 generates an MD5 hash automatically when you store an object. So

theoretically, the cloud customers do not need to look for external tools to generate time-

consuming MD5 checksums. IaaS offerings support on-demand cloning of virtual machines. As a

result, in the event of a suspected security breach, the customer can take an image of a live virtual

machine for offline forensic analysis, leading to less downtime for analysis. Multiple clones can

also be created and analysis activities parallelized to reduce investigation time. This improves the

analysis of security incidents and increases the probability of tracking attackers and patching

weaknesses. Amazon S3 allows customer to use “Versioning” to preserve, retrieve, and restore

every version of every object stored in the S3 bucket. An Amazon S3 bucket can be configured to

log access to the bucket and objects within it. The access log contains details about each access

request including request type, the request resource, the requestor’s IP, and the time and date of the

request (Amazon, 2010). All of these can be used to investigate abnormal incidents and application

failures.

4.4 Scalability and Flexibility

Cloud computing allows scalable and flexible usage of resources which also applies to forensic

services. For example, it can provide unlimited pay-per-use storage of logs, allowing more

comprehensive logging without compromising performance. It can also massively increase the

efficiency of indexing, searching and various queries of the logs. Cloud instances can be scaled as

needed based on the logging load. Furthermore, forensic activities only take place when incidents

happen which can largely take advantage of the cost-effectiveness of cloud computing. Customers

have the choice to build their own dedicated forensic server(s) in the Cloud, ready to use only in

need.

4.5 Standards and Policies

Forensics has often been an after-thought when technology develops, creating many so-called

bandage solutions and ad-hoc solutions (Meyers and Rogers, 2004). Cloud computing is a

transformative technology which is changing the way IT is managed and generating a new wave of

innovations. Cloud computing is still at its early stage and this is a unique opportunity to lay a

foundation of standards and policies for cloud forensics that will evolve together with the

technology until it matures.

4.6 Forensics-as-a-Service

The concept of “Security as a Service” is emerging in cloud computing. For example, research has

shown the advantages of a cloud platform for large-scale forensic computing (Roussev et al.,2009)

and cloud-based anti-virus software (Oberheide et al., 2008). The emerging delivery models

include established information security vendors changing their delivery methods to include

services delivered through the Cloud, and start-up information security companies play as pure

CSPs and provide security only as a cloud service and do not provide traditional client/server

security products for networks, hosts, and/or applications. Likewise, “Forensics as a [Cloud]

Service” can be developed in the same way to make use of the massive computing power to

facilitate cyber criminal investigations on all levels.

5. Future work and conclusions The rise of cloud computing is pushing digital forensics into a new horizon. Many existing

challenges are exacerbated in the Cloud, including jurisdictional issue and the lack of international

collaboration, while the new environment also brings unique opportunities for foundational

standards and policies. Cloud computing is a new battlefield of cyber crime, as well as a new

ground for novel investigative approaches. Cloud forensics is a new area of research, much has to

be done and this paper merely signposts the way forward.

6. References

Amazon (2010) Amazon Web Services: Overview of Security Processes.

Beebe, N. (2009) ‘Digital forensic research: The good, the bad and the unaddressed’. Advances in Digital

Forensics V: p17-37.

Casey, E. (2000) Digital Evidence and Computer Crime. Academic Press.

Cloud Security Alliance [CSA] 2009 Security Guidance for Critical Areas of Focus in Cloud Computing

V2.1.

Digital Forensic Research Workshop [DFRWS] 2001 A Road Map for Digital Forensic Research.

EurActiv (2011) Cloud computing: A legal maze for Europe. EurActiv February 11.

European Network and Information Security Agency [ENISA] 2009 Cloud Computing: Benefits, risks and

recommendations for information security.

F5 Networks and Applied Research West (2009) The 2009 F5 cloud computing survey.

Federal Bureau of Investigation [FBI] 2008 Regional Computer Forensics Laboratory (RCFL) Program

Annual Report for Fiscal Year 2007.

Foley, J., (2010) Federal agencies shift into cloud adoption. Information Week June 14.

Force.com (2010) Secure, private, and trustworthy: enterprise cloud computing with Force.com.

Gartner (2009) Worldwide Cloud service revenue will grow 21.3 percent in 2009.

Google (2010) Security Whitepaper: Google Apps Messaging and Collaboration Products.

Broadhurst, R. (2006) ‘Developments in the global law enforcement of cyber-crime’, Policing: International

Journal of Police Strategies and Management, Vol.20, No 3: p.408-433

Gens, F. (2008) IT Cloud services forecast – 2008 to 2012: A key driver of new growth. IDC

INPUT (2009) Evolution of the Cloud: The future of cloud computing in government.

Kent, K., Chevalier, S., Grance, T., Dang, H. (2006) NIST Guide to Integrating Forensic Techniques into

Incident Response. NIST.

Mell, P., Grance, T. (2009) The NIST Definition of Cloud Computing Version 15. NIST

Merrill Lynch (2008) The Cloud wars: $100+ billion at stake.

Meyers, M., Rogers, M. (2004) ‘Computer forensics: The need for standardization and certification’.

International Journal of Digital Evidence, Vol 3 No 2.

Liles, S., Rogers, M., Hoebich, M. (2009) ‘A survey of the legal issues facing digital forensic experts’,

Advances in Digital Forensics V: p.267-277

Oberheide, J., Cooke, E., Jahanian, F. (2008) ‘CloudAV:N-Version Antivirus in the Network Cloud’. In

Proceedings of USENIX Security 2008: p91-106. July, 2008. San Jose.

Perry, R., Hatcher, E., Mahowald, R.P., Hendrick, S.D. (2009) Force.com Cloud platform drives huge time to

market and cost savings. IDC

Roussev, V., Wang, L., Richard, G., Marziale, L. (2009) ‘A cloud computing platform for large-scale forensic

computing’, Advances in Digital Forensics V: p. 201-215.