Cloud Forensic Tools And Storage :a Review Paper

By Author: Wisemonkeys
Total Articles: 277
Comment this article

Abstract—Digital era such as now, cloud technology cannot be released in our lives. Cloud computing has also become one of the fastest-growing and transformative technologies. In addition to some convenience and comfort in using the cloud, it turns out to cause new problems, namely cybercrime. Cybercrime will be increasingly diverse and allow criminals to innovate with the cloud. Cloud forensics remains an obstacle and challenge for investigators because each cloud provider has a different architecture so different investigations are needed in conducting cloud forensics. The inevitable vulnerabilities and criminal targeting of cloud environments demand an understanding of how digital forensic investigations of the cloud can be accomplished. The architecture, process flow, tools, storage and forensics process are discussed in this paper.

Keywords—cloud forensics, digital forensics, process flow, tool.

I. Introduction

Cloud computing has the potential to become one of the most transformative computing technologies, following in the footsteps of mainframes, minicomputers, personal computers, the World ...
... Wide Web and smartphones. Cloud computing is radically changing how information technology services are created, delivered, accessed and managed. Spending on cloud services is growing at five times the rate of traditional on-premises information technology (IT).

Cloud computing services are forecast to generate approximately one-third of the net new growth within the IT industry. The rise of cloud computing not only exacerbates the problem of scale for digital forensic activities, but also creates a brand-new front for cybercrime investigations with the associated challenges. Digital forensic practitioners must extend their expertise and tools to cloud computing environments. Moreover, cloud-based entities – cloud service providers (CSPs) and cloud customers – must establish forensic capabilities that can help reduce cloud security risks. This paper discusses the emerging area of cloud forensics, and highlights its challenges and opportunities.

Cloud forensics is a cross discipline of cloud computing and digital forensics. Cloud computing is a shared collection of configurable networked resources (e.g., networks, servers, storage, applications and services) that can be reconfigured quickly with minimal effort. Digital forensics is the application of computer science principles to recover electronic evidence for presentation in a court of law. Cloud forensics is a subset of network forensics. Network forensics deals with forensic investigations of networks. Cloud computing is based on broad network access. Therefore, cloud forensics follows the main phases of network forensics with techniques tailored to cloud computing environments. Cloud computing is an evolving paradigm with complex aspects. Its essential characteristics have dramatically reduced IT costs, contributing to the rapid adoption of cloud computing by business and government. To ensure service availability and cost-effectiveness, CSPs maintain data centers around the world. Data stored in one data center is replicated at multiple locations to ensure abundance and reduce the risk of failure.

Also, the segregation of duties between CSPs and customers with regard to forensic responsibilities differ according to the service models being used. Likewise, the interactions between multiple tenants that share the same cloud resources differ according to the deployment model being employed. Multiple jurisdictions and multi-tenancy are the default settings for cloud forensics, which create additional legal challenges. Sophisticated interactions between CSPs and customers, resource sharing by multiple tenants and collaboration between international law enforcement agencies are required in most cloud forensic investigations. In order to analyze the domain of cloud forensics more comprehensively, and to emphasize the fact that cloud forensics is a multi-dimensional issue instead of merely a technical issue, we discuss the technical, organizational and legal dimensions of cloud forensics.

At present, there are several established and proven digital forensics tools in the market. With the proliferation of clouds, a large portion of these investigations now involves data stored in or actions performed in a cloud computing system. Unfortunately, many of the assumptions of digital forensics are not valid in cloud computing model. For example, in a cloud environment, investigators do not have physical access to the evidence – something they usually have in traditional privately owned and locally hosted computing systems. As a result, cloud forensics brings new challenges from both technical and legal point of view and has opened new research area for security and forensics experts.

II. Architecture of Cloud Forensics

A forensic investigation in a cloud computing environment involves at least two entities: the CSP and the cloud customer. However, the scope of the investigation widens when a CSP outsources services to other parties. Figure 1 shows the various entities that may be involved in a cloud forensic investigation. CSPs and most cloud applications often have dependencies on other CSPs. The dependencies in a chain of CSPs/customers can be highly dynamic. In such a situation, the cloud forensic investigation may depend on investigations of each link in the chain. Any interruption or corruption in the chain or a lack of coordination of responsibilities between all the involved parties can lead to serious problems.

Figure 1 : Entities involved in a cloud forensic investigation

Organizational policies and service level agreements (SLAs) facilitate communication and collaboration in forensic activities. In addition to law enforcement, the chain of CSPs must communicate and collaborate with third parties and academia. Third parties can assist with auditing and compliance while academia can provide technical expertise that could enhance the efficiency and effectiveness of investigations. To establish a cloud forensic capability, each cloud entity must provide internal staffing, provider-customer collaboration and external assistance that fulfill the following roles:

A. Investigators

Investigators are responsible for examining allegations of misconduct and working with external law enforcement agencies as needed. They must have sufficient expertise to perform investigations of their own assets as well as interact with other parties in forensic investigations.

B. IT Professionals:

IT professionals include system, network and security administrators, ethical hackers, cloud security architects, and technical and support staff. They provide expert knowledge in support of investigations, assist investigators in accessing crime scenes, and may perform data collection on behalf of investigators.

C. Incident Handlers:

Incident handlers respond to security incidents such as unauthorized data access, accidental data leakage and loss, breach of tenant confidentiality, inappropriate system use, malicious code infections, insider attacks and denial of service attacks. All cloud entities should have written plans that categorize security incidents for the different levels of the cloud and identify incident handlers with the appropriate expertise.

D. Legal Advisors:

Legal advisors are familiar with multi-jurisdictional and multi-tenancy issues in the cloud. They ensure that forensic activities do not violate laws and regulations, and maintain the confidentiality of other tenants that share the resources. SLAs must clarify the procedures that are followed in forensic investigations. Internal legal advisors should be involved in drafting the SLAs to cover all the jurisdictions in which a CSP operates. Internal legal advisors are also responsible for communicating and collaborating with external law enforcement agencies during the course of forensic investigations.

E. External Assistance:

It is prudent for a cloud entity to rely on internal staff as well as external parties to perform forensic tasks. It is important for a cloud entity to determine, in advance, the actions that should be performed by external parties, and ensure that the relevant policies, guidelines and agreements are transparent to customers and law enforcement agencies.

III. Cloud Forensic Process

Cloud Forensics process is initiated after the incident happens as a post incident activity. It follows through pre-defined steps. In a cloud computing the process can be grouped to three areas, viz., Client forensics, Cloud forensics and Network forensics.

A. Client Forensics

Digital crimes are initiated and often carried out from the client side, but the artifacts are left both on the client and server sides. Client-side evidence identification and collection is a vital part of the process. The evidence data, such as history logs, temp data, registry, access logs, chat logs, session data and persistent cookies, can be found on the web browser. It is critical that the data should be collected as early as possible in its sterile state for forensic purposes to use as evidence. There is a potential risk that the data could be erased either purposefully by the actor, or inadvertently by the system due to system configuration; e.g., the web browser history and session logs can be configured to be overwritten or erased after a specified period or when the file size reaches the configured maximum limit. Proliferation of client-side end points, especially to the mobile end points makes the forensic data identification and collection even more challenging. For cloud forensics it is critical that those end points are identified and collected timely, keeping evidence integrity in-tact, so that a time line of events can be created.

B. Cloud (Server) Forensics

Many digital artifacts that are created and available on the servers form critical part of forensic data and it is essential that this evidence is collected. The artifacts include system logs, application logs, user authentication and access information, database logs etc. The physical inaccessibility and unknown location of the data makes it much harder to conduct the evidence identification, separation and collection in cloud forensics. In a highly decentralized and virtualized cloud environment it is quite common that the data may be located across multiple data centers situated in different geographic locations. Traditional approach to seizing the system is no more practical either, even if the location is known, as it could bring down whole data center, affecting other customers due to multi-tenancy. A number of researchers have cited this issue and some partially suggested possible solutions.

Loss of governance is another major issue in cloud forensics. The customers are entrusting the governance to the providers. This was also flagged by the European Network and Information Security Agency (ENISA)'s cloud computing risk assessment report, which includes the ‘loss of governance’ as one of the top risks of cloud computing, especially in Infrastructures as a Service (IaaS). Loss of governance inadvertently that leads to loss of control of information assets by the data owners poses another big bottleneck for evidence collection. The loss of control depends on the cloud model. In IaaS users have more control and relatively unfettered access to the system logs and data, whereas in PaaS model their access is limited to the application logs and what pre-defined API provides, and in SaaS model customers have either little or no access to such data. As the customers increasingly rely on the CSPs to provide the functionality and services, they correspondingly give the CSPs more control of their information assets. As the customers relinquishes the control, they lose access to important information and thereby its identification and collection for any subsequent forensic needs. As the degree of control decreases less forensics data is available for cloud users and therefore there is more dependency on the CSPs to get access to such data. That in turn depends upon the SLAs and what CSPs are willing to provide. In addition, the Virtual Machine (VM) instances are subject to movement within a data center, outside to a different data center in the same jurisdiction or to completely a new data center located in a separate jurisdiction, based upon many factors such as load balancing, business continuity etc. Such moves, carried out by the CSPs, are completely outside the control of the client. This also adds additional challenges to the cloud server-side forensics.

C. Network Forensics

Traditional network forensics deals with the analysis of network traffic and logs for tracing events that have occurred in the past. Network forensics is theoretically also possible in cloud environments. The different TCP/IP protocol layers can provide several sets of information on communication between VM instances within cloud, as well as with instances outside the cloud. CSPs ordinarily do not provide the network traces or communication logs generated by the customer instances or applications despite the fact that such logs are critical element of forensic data. As an example, if someone used an IaaS instance to distribute a malware, the routing information and network log are crucial part of forensic data collection, but they are difficult to obtain. This becomes more challenging for PaaS and SaaS cloud models and the collectability of the information depends heavily on the support investigators receive from the CSPs.

IV. Process Flow of Cloud Forensics

The cloud forensic process flow is shown in Figure 2, which is described as follows:

A. Identification

The investigator identifies whether crime has occurred or not.

B. Evidence Collection

The investigator identifies the evidence from the three different sources of cloud service model (SaaS, IaaS, and PaaS). The SaaS model monitors the VM information of each user by accessing the log files such as application log, access log, error log, authentication log, transaction log, data volume, etc. The IaaS monitors the system level logs, hypervisor logs, raw virtual machine files, unencrypted RAM snapshots, firewalls, network packets, storage logs, backups, etc. The PaaS model identifies the evidence from an application-specific log and accessed through API, patch, operating system exceptions, malware software warnings, etc.

Figure 2 : Cloud forensic process flow

C. Examination and Analysis

The analyst inspects the collected evidence and merges, correlates, and assimilates data to produce a reasoned conclusion. The analyst examines the evidence from physical as well as logical files where they reside.

D. Preservation

The information is protected from tampering. The chain of custody has been maintained to preserve the log files since the information is located in a different geographical area.

E. Presentation and Reporting

An investigator makes an organized report to state his findings about the case.

V. Tools for Cloud Forensic

If some kind of falsification or intrusion is suspected in cloud first the network has to be checked by performing various steps of network forensics so as to obtain any evidence from the network.

A. FROST

FROST is a forensics tool for the OpenStack cloud computing platform. This tool acquires data from API logs, virtual disks and guest firewall logs in order to carry out the digital forensic investigation. FROST provides Infrastructure-as-a-Service (IaaS) cloud. This tool stores the log data in Hash trees and returns it in Cryptographic form. It works at the cloud management plane and hence does not need to interact with the operating system inside the guest virtual machines. Therefore, no trust is needed in these machines. The FROST tools are user driven so no interaction of the forensic examiners and customers with the Cloud service providers are needed for law enforcement. The latest features of these tools allow forensic experts to extract the required forensic data from the OpenStack cloud without the provider’s interaction. The outline has an extensible arrangement of scientific goals, including the future expansion of other information safeguarding methods, revelation techniques, checking procedures, measurements and reviewing abilities.

The three main components of FROST and their functions are:

The image of the virtual disk of any user’s virtual machine can be retrieved using this tool and then the integrity of these images can be validated using cryptographic checksums.
Logs of all the API requests to the cloud provider made by a user using his/her own credentials can be retrieved by him/her and their integrity can be validated.
OpenStack firewall logs for any of the user’s virtual machines can be retrieved and its integrity validated using this tool.
B. UEFD CLoud Analyzer

Forensic investigators get huge amount of potential evidence for their investigations from the cloud information sources. Hence these sources act as virtual goldmine of very valuable

data. Data from mobile devices can be captured using various tools and can be used by investigators to solve crimes related to the cyber world. The cloud service providers want to maintain the confidentiality of their clients, so they use various mechanisms to ensure that the data cannot be captured by anyone else. Hence accessing this data for criminal investigations always remains a challenge. Data from private social media accounts such as Facebook, Twitter, Kik and Instagram can be extracted, preserved and analyzed using The UFED Cloud Analyzer tool being discussed here. It also provides for file storage and other means of speeding up investigations. Existing cloud data as well as metadata can be collected using UFED PRO Series and can be packaged in a manner which can very easily be used for forensic examination. This tool has efficient searching as well as filtering and sorting capability which provides very important details about “Who? When? Where?” has committed any crime which can help the experts move in the correct direction during investigation.

Key Features of UFED Cloud Analyzer

1) Extraction based upon mobile device
Login information extracted from the mobile device is used to access private-user cloud data.

2) Extraction based upon username
Usernames and passwords provided by the investigated subject or retrieved from personal files and contacts or via other discovery means is used to login to private-user cloud data.

3) Preservation of forensic data
The entire process of data extraction from the cloud is traced by logging in to maintain data authenticity. Each piece of extracted data is hashed separately and can be later compared against its origin.

4) Unified format is used to visualize the data
Different cloud services are normalized in a unified format and can be viewed in Timeline, File Thumbnails, Contacts or Maps format.

5) Data can be reported, shared & exported
This tool can generate and share easy-to read, PDF reports for entire data sets or filtered Information. Extracted data can be exported to other analytical tools for deeper analysis and Cross source investigation with third party data.

C. F response
F-Response is an easy to use, vendor neutral, patented software utility that enables an investigator to conduct live Forensics, Data Recovery, and eDiscovery over an IP network using their tool(s) of choice. F-Response is not another analysis tool. F-Response is a utility that allows you to make better use of the tools and training that you already have.

F-Response software uses a patented process to provide read-only access to full physical disk(s), physical memory (RAM), 3rd party Cloud, Email and Database storage. Designed to be completely vendor neutral, if your analysis software reads a hard drive or network share, it will work with F-Response.

F-Response was the first to market with cloud connection capabilities and we’ve learned a lot since that time, tuning our approach to this challenging and constantly changing technology. Starting in v8 Cloud collection is all about downloading the content directly, either to a VHD or local share. This new approach has proven to be faster with less potential for provider-imposed throttling. We can’t eliminate it entirely, but the new F-Response goes a long way in making it less likely to occur.

Conclusion
With the increasing use of cloud computing, there is an increasing emphasis on providing trustworthy cloud forensics schemes. Researchers have explored the challenges and proposed some solutions to mitigate the challenges. In paper, we understand the flow, working, architecture and tools used for cloud forensics.

Cloud computing is pushing the frontiers of digital forensics. The cloud exacerbates many technological, organizational and legal challenges. Several of these challenges, such as data replication, location transparency and multi-tenancy, are unique to cloud forensics. Nevertheless, cloud forensics brings unique opportunities that can significantly advance the efficacy and speed of forensic investigations.

Acknowledgment
First and foremost, praises and thanks to the God, the Almighty, for His showers of blessings throughout my research work to complete the research successfully.

I would like to express my deep and sincere gratitude to my research supervisor, Mr. Sohrabh Vakharia, Patkar Varde College for giving me the opportunity to do research and providing invaluable guidance throughout this research I was deeply inspired by his dynamism, vision, honesty and motivation. He taught me how to do research and how to present it as vividly as possible. Working and studying under his leadership was a great privilege and honor. I am very grateful for everything he provided me.

I would like to thank my parents for their love, prayer, care, and sacrifice to educate me and prepare for my future. Last but not least, I would like to thank everyone who directly or indirectly supported the research.

References
[1] https://onlinelibrary.wiley.com/doi/epdf/10.1002/sec.1688

[2] ADFSL Conference on Digital Forensics, Security and Law, 2011 45 UNDERSTANDING ISSUES IN CLOUD FORENSICS: TWO HYPOTHETICAL CASE STUDIES Josiah Dykstra and Alan T. Sherman Cyber Defense Lab, Department of CSEE University of Maryland, Baltimore County (UMBC) 1000 Hilltop Circle, Baltimore, MD 21250 {dykstra, sherman}@umbc.edu

[3] International Journal of Cyber-Security and Digital Forensics (IJCSDF) 8(4): 292-297 The Society of Digital Information and Wireless Communications (SDIWC), 2019 ISSN: 2305-0011, Forensic Analysis in Cloud Storage with Live Forensics in Windows (Adrive Case Study), Tri Rochmadi and Dadang Heksaputra Department of Information System, Universitas Alma Ata, Yogyakarta, Indonesia Street Brawijaya 99, Yogyakarta 55183 trirochmadi@almaata.ac.id, dadang@almaata.ac.id.

[4] CLOUD FORENSICS Keyun Ruan, Joe Carthy, Tahar Kechadi and Mark Crosbie, G. Peterson and S. Shenoi (Eds.): Advances in Digital Forensics VII, IFIP AICT 361, pp. 35–46, 2011. c IFIP International Federation for Information Processing 2011, ADVANCES IN DIGITAL FORENSICS VII

[5] https://www.intechopen.com/chapters/64377

[6]Cloud Forensics Solutions: A Review Stavros Simou1 , Christos Kalloniatis1 , Evangelia Kavakli1 , and Stefanos Gritzalis2 1 Cultural Informatics Laboratory, Department of Cultural Technology and Communication, University of the Aegean, University Hill, GR 81100 Mytilene, Greece {SSimou,chkallon}@aegean.gr, kavakli@ct.aegean.gr 2 Information and Communication Systems Security Laboratory, Department of Information and Communications Systems Engineering, University of the Aegean, GR 83200, Samos, Greece sgritz@aegean.gr
[7] OCF: An Open Cloud Forensics Model for ReliableDigital ForensicsShams Zawoad, Ragib Hasan, and Anthony Skjellum*{zawoad, ragib}@cis.uab.edu, skjellum@auburn.eduDepartment of Computer and Information SciencesUniversity of Alabama at Birmingham, AL 35294, USA*Department of Computer Science and Software EngineeringAuburn University, AL 36849, USA

[8] Cloud Forensics: A Meta-Study of Challenges, Approaches, and Open Problems Shams Zawoad University of Alabama at Birmingham Birmingham, Alabama 35294-1170 Email: zawoad@cis.uab.edu Ragib Hasan University of Alabama at Birmingham Birmingham, Alabama 35294-1170 Email: ragib@cis.uab.edu
[9] A State-of-the-Art Review of Cloud Forensics JDFSL V9N4, A STATE-OF-THE-ART REVIEW OF CLOUD FORENSICS Sameera Almulla , Youssef Iraqi , and Andrew Jones

[10] Communications on Applied Electronics (CAE) – ISSN : 2394-4714 Foundation of Computer Science FCS, New York, USA Volume 5 – No.3, June 2016 – www.caeaccess.org 24 Comparitive Study of Cloud Forensics Tools Sameena Naaz Department of Computer Science and Engineering Faculty of Engineering and Technology Jamia Hamdard New Delhi – 62, India Faizan Ahmad Siddiqui Department of Computer Science and Engineering Faculty of Engineering and Technology Jamia Hamdard New Delhi – 62, India

[11] Cloud forensics: Technical challenges, solutions and comparative analysis Ameer Pichan* , Mihai Lazarescu, Sie Teng Soh Department of Computing, Curtin University, Kent Street, Bentley, Perth, WA 6102, Australia

It is said that "Knowledge is Power" and Wisemonkeys(https://wisemonkeys.info/) is the ideal platform to prove this right where this blog was posted. Additionally, when knowledge is free it should be shared. Therefore, keeping this in mind Wisemonkeys an LMS platform is developed so that people can exchange their ideas, knowledge, and experiences for the wise Gen Z.

SIGN UP(https://me.wisemonkeys.info/login) TODAY and upgrade your knowledge base.