![Page 1: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/1.jpg)
secret.cis.uab.edu
Providing Proofs of Past Data Possession in Cloud Forensics Shams Zawoad, Ragib HasanSECuRE and Trustworthy computing (SECRET) LabUniversity of Alabama at Birmingham
04/08/2023
![Page 2: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/2.jpg)
secret.cis.uab.edu 04/08/2023 2
Problem Statement : A Motivating Story
Bob
Investigator
XYZ Corporation
Cloud VM/Storage
Did Bob have this file?
![Page 3: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/3.jpg)
secret.cis.uab.edu 04/08/2023 3
What is Digital Forensics and Cloud Forensics?
Identificatio
n
Incident Identificatio
nEvidence
Identification
Collection
Organization
Examination
Analysis
Presentation
• Applying digital forensics procedures in cloud.
• A subset of Network forensics [Ruan et al.]
Digital Forensics
Cloud Forensics
![Page 4: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/4.jpg)
secret.cis.uab.edu 04/08/2023 4
Cloud Forensics vs Traditional Digital Forensics
• Physical access to computing resources
• No need to depend on third party
• Single user system
• Tools are available
• No physical access
• Need to depend on CSP
• Multi-tenant system
• No proven available tool
Traditional Cloud
![Page 5: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/5.jpg)
secret.cis.uab.edu 04/08/2023 5
What is Past Data Possession?
If a file ‘F’ was possessed by a user ‘U’, then Past Data Possession states that
U possessed F at a given past time
![Page 6: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/6.jpg)
secret.cis.uab.edu 04/08/2023 6
Why Is It Challenging to Provide the Past Data Possession?
Reduced Control over Clouds
Multi-tenancyChain of Custody
Presentation
NetworkServers
OSData
Application
Access Control
NetworkServers
OSData
Application
Access Control
NetworkServers
OSData
Application
Access Control
SaaS PaaS IaaSCustomers have controlCustomers do not have control
![Page 7: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/7.jpg)
secret.cis.uab.edu 04/08/2023 7
In the Threat Model, Bob, Investigator, and the Cloud can be Malicious
User can delete records or present fake records
Investigator can plant invalid evidence
CSP can provide false past data possession or deny hosting any evidence
Every body can collude with each other
![Page 8: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/8.jpg)
secret.cis.uab.edu 04/08/2023 8
Hence, The Possible Attacks can be:
Denial of possession
False presenceEvidence contamination
Repudiation by CSPRepudiation by User
Privacy Violation
![Page 9: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/9.jpg)
secret.cis.uab.edu 04/08/2023 9
What Can be the Solution?
Proposing Proof of Past Data Possession (PPDP)
• PPDP attests that a User U possessed a File F at a given past time.
• An Auditor can use PPDP to check the Past Data Possession.
• File can be deleted but PPDP can still preserve the proof of data possession.
![Page 10: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/10.jpg)
secret.cis.uab.edu 04/08/2023 10
PPDP Provides:
I1: Adversaries cannot remove any evidence.I2: Adversaries cannot plant any invalid evidence.I3: Adversaries cannot change any existing evidence.
I4: CSP cannot deny hosting any evidence.I5: CSP cannot repudiate any previously published proof.
Integrity
![Page 11: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/11.jpg)
secret.cis.uab.edu 04/08/2023 11
PPDP Provides:
Confidentiality
C1: From the proof adversaries cannot recover the original file.
C2: From the proof adversaries cannot learn about the version history of file.
![Page 12: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/12.jpg)
secret.cis.uab.edu 04/08/2023 12
Components of PPDP
File
Proof of File
P
Accumulator
Signed Accumulator,
PPDP
• Private, stored in Cloud
• Private, Stored in Cloud
• Private, Stored in Cloud
• Public, Available through RSS
![Page 13: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/13.jpg)
secret.cis.uab.edu 04/08/2023 13
Proof of Past Data Possession (PPDP)
User
Proof Storage
CSP
![Page 14: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/14.jpg)
secret.cis.uab.edu 04/08/2023 14
Bloom Filter as an AccumulatorA probabilistic data structure to check whether an element is a member of a set or not. • Stores the membership information in a bit
array • Space efficient representation.• Performance of element insertion and
membership checking is good.• False positive probability is not zero.
Is used in Google Chrome to maintain Black-list of malicious URLs.
![Page 15: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/15.jpg)
secret.cis.uab.edu 04/08/2023 15
Verification of Past Data PossessionPPDPu = <H(DSu),
SPkc(DSu)>
Document
Exists?No
Accepts
Yes
Rejects
Bit positions
Signature Valid?
NoReject
sYes
DSu
![Page 16: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/16.jpg)
secret.cis.uab.edu 04/08/2023 16
Investigator/ Auditor can query in two ways:
How to Identify the Generation Time of Evidence?
• A time range of evidence generation.
• Exact date of evidence generation.
![Page 17: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/17.jpg)
secret.cis.uab.edu 04/08/2023 17
Security Analysis w.r.t. Collusion Model
CUI
¬CUI
C¬UI
CU¬I
![Page 18: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/18.jpg)
secret.cis.uab.edu 04/08/2023 18
Security Analysis w.r.t. Collusion Model
C¬U ¬ I
¬CU ¬ I
¬C¬UI
¬C¬U¬I
![Page 19: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/19.jpg)
secret.cis.uab.edu 04/08/2023 19
Security Analysis
Non repudiation by CSP : Proof is signedPreservation of user’s privacy: One-way HashingNon repudiation by User: Advanced version of PPDP, each evidence is signed
![Page 20: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/20.jpg)
secret.cis.uab.edu 04/08/2023 20
Proof-of-Concept Implementation
FTP Server on Amazon EC2 Micro Instance.
Client Machine: Intel Core-i5-24305 CPU @ 2.40 GHz processor and 8GB RAM.
Bloom filter : 0.01 % False Positive Probability for 1000 elements.
RSA (1024 bit) and SHA 1 (160 bit)
![Page 21: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/21.jpg)
secret.cis.uab.edu 04/08/2023 21
Evaluation of Our Prototype% Overhead associated with time needed to insert the PPDP
![Page 22: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/22.jpg)
secret.cis.uab.edu 04/08/2023 22
Evaluation of Our PrototypeAverage time required to find true negative match
![Page 23: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/23.jpg)
secret.cis.uab.edu 04/08/2023 23
Evaluation of Our PrototypeAverage time required to find a true positive match
![Page 24: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/24.jpg)
secret.cis.uab.edu 04/08/2023 24
Applications of PPDP
CSP can preserve the proof without storing the data itself.
Storage overhead for CSP but can earn money by Forensic-as-service.
Make the Cloud more Auditable which in turn makesCloud more Regulatory Compliant.
![Page 25: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/25.jpg)
secret.cis.uab.edu 04/08/2023 25
Conclusion
Future work : Implement the scheme in private cloud, later collaborate with a commercial CSP.
• Introduced the notion of a Proof of Past Data Possession (PPDP) in the context of digital forensics.
• Proposed an efficient and secured cryptographic scheme for creating a PPDP.
• Evaluated the proposed PPDP scheme using a commercial cloud vendor.
![Page 26: Providing Proofs of Past Data Possession in Cloud Forensics](https://reader036.vdocument.in/reader036/viewer/2022081413/5474e3b3b4af9fb40a8b599d/html5/thumbnails/26.jpg)
secret.cis.uab.edu
Thank YouQ & A
04/08/2023