

Abstract
Cloud computing is a rapidly evolving topic in information technology (IT). Rather than creating, deploying and managing a physical IT infrastructure to host their software applications, organizations are increasingly deploying their infrastructure into remote, virtualized environments, often hosted and managed by third parties. Because of this scale, investigating an attack carried out over a cloud network is a great challenge. Very little research has been done to develop the theory and practice of cloud forensics. The investigator faces a huge challenge in obtaining the IP address of the culprit, because IP addresses in cloud computing are dynamic. Another of the many problems is that the customer is concerned only with security and the threat of the unknown. The cloud service provider never lets the customer see what is behind the "virtual curtain", which leads the customer to have more doubts about security and threats. In cloud forensics, the lack of physical access is a big challenge for the investigator. In this paper we present a few common challenges that arise in cloud forensics and proposed solutions to them [1].
Keywords— Cloud computing, Digital forensics, Cloud forensic
Introduction:
Cloud computing is largely a marketing term that takes the technology, services, and applications for the delivery of hosted services over the internet and turns them into a self-service utility [2]. NIST defines cloud computing as “…a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” [2]. The virtualization and multi-tenant nature of the cloud allow better use of resources and are the main characteristics of cloud computing, but they are also the source of the cloud's main problems [3].
Digital forensics is a branch of forensic science concerned with the use of digital information (produced, stored and transmitted by computers) as a source of evidence in investigations and legal proceedings. The first Digital Forensics Research Workshop, held in New York in 2001, provided the following working definition of digital forensics [2]: “The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.” Digital Forensics (DF), as defined by McKemmish [2], is the “process of identifying, preserving, analysing and presenting digital evidence in a manner that is legally acceptable”. The aim of a forensic investigation is to identify and preserve the evidence, extract the information, document every process, and analyse the extracted information to find answers with respect to the 5Ws (Why, When, Where, What, and Who).
Applying digital forensics in a cloud environment is called cloud forensics. Cloud forensics is a domain that works towards the use and execution of digital forensic policy and methodologies within the cloud [1]. It also involves the use of digital forensics in corporate communication among the cloud actors to comply with internal and external investigations [1]. According to [4], cloud forensics is the process of retrieving digital evidence from the cloud for investigative purposes. Adversaries use cloud computing in different ways to commit crimes, including storing incriminating evidence such as child pornography, launching attacks and cracking encryption keys. An adversary can provision a cloud instance, commit the crime, and immediately de-provision the cloud instance to destroy the evidence. The inaccessibility of data, the potential lack of information and the unknown provenance of evidence are major concerns for digital forensics in the cloud and can result in a situation where evidence may not be available, or where the integrity of the evidence cannot be verified on the systems used for cloud computing [4].
Phases and Challenges of Cloud forensics:
Computer forensics is comprised of four main processes:
The identification process comprises two main steps: identification of an incident and identification of the evidence that will be required to prove the incident [1].
The identification phase mainly defines the purpose and process of the investigation. Identification of the crime is the starting step in the Digital Investigation Process model. The identification step is simply determining that a malicious activity has happened. The main question here is how we can say that a crime has happened. Traditionally in digital forensics, investigators identify the crime in the following ways [3]
Identification of crime in the cloud is difficult compared with traditional forensic identification. In the cloud, this phase begins with a complaint from a cloud user or cloud service provider reporting the unauthorized use of cloud resources.
The intrusion detection system in the cloud may identify anomalies in a virtual machine. In a cloud environment, one virtual machine monitors all the other virtual machines in the cloud, and that virtual machine can act as an intrusion detection system.
Evidence is fickle and frail in the context of the cloud, so we need to propose new methods that use existing tools efficiently, so that the evidence can be evaluated and isolated properly.
Challenges:
In the collection process, an investigator extracts the digital evidence from different types of media e.g., hard disk, cell phone, email, and many more. Additionally, he needs to preserve the integrity of the evidence [1].
Evidence collection gathers the evidence from the identified sources of evidence. Collected evidence needs to be preserved. Preserving data means maintaining data integrity: the original data must not be changed until the investigation is complete. In a traditional system, the investigation process starts by seizing the hard disk of the system and taking a bitwise copy of it, maintaining the integrity of the system. In the cloud, however, this is practically impossible because the evidence is untouchable and volatile in nature.
So investigators and researchers need better preservation methods. Some proposed methods are discussed later in this paper.
Challenges:
In the examination phase, an investigator extracts and inspects the data and their characteristics. In the analysis phase, he interprets and correlates the available data to come to a conclusion, which can prove or disprove civil, administrative, or criminal allegations [1].
In the Digital Imaging Process (DIP) model, once the data is collected and preserved, various examination techniques and several software tools are available to aid investigators. FTK (Forensic Toolkit) and EnCase are widely used commercial forensic tool suites; an open-source alternative is The Sleuth Kit. All of these tools are used to perform filtering and pattern matching when searching for content, files or file types. With these tools one can recover data that was deleted or modified. Throughout the analysis phase the evidence needs to be evaluated. The generated report supports the evidence and helps to reconstruct the crime event. It is also possible to correlate evidence with cloud users. The evidence generated in the analysis phase is validated by comparing it with alternative sources of evidence to confirm that it has not been altered. The examination and analysis phase of cloud forensics is similar to that of digital forensics [3].
Challenges:
In the reporting and presentation process, an investigator makes an organized report stating his findings about the case. This report should be appropriate to present to the jury [1].
The evidence gathered in the digital investigation process needs to be submitted to a court of law to prove the crime. For that, the investigator submits a report that summarizes the investigation process and explains the conclusion. At the end of the investigation, the investigator needs to present a report, and it must be usable for cross-examination. The resulting report should be used by the organization to improve its security policy and must be documented for future investigations [3].
Expert witnesses could be faced with the additional challenge of having to explain the concept of cloud computing to a jury. It must be remembered that juries in common law systems are made up of individuals from the general public, very often people who only use a personal computer to perform simple tasks. It can be expected that before a judge can allow a jury to listen to evidence retrieved from the cloud, they must understand what a ‘cloud’ is and how it works. This could further prolong court proceedings, and expert witnesses will be faced with the daunting task of ensuring juries fully understand the concept of the cloud. The evolution of cloud computing forensics is in its infancy. Currently there is no standard method or tool set for conducting cloud investigations, or even for evaluating and certifying proposed tools. The presentation of evidence derived from a cloud service will likely be problematic in the near future [5].
| Phases | Challenges |
|---|---|
| Identification | 1. Accessing the evidence in logs 2. Volatile data 3. Lack of control on the system 4. Lack of customer awareness |
| Collection & Preservation | 1. Data integrity 2. Cloud Instance Isolation 3. Digital Provenance 4. Chain of Custody |
| Examination & Analysis | 1. Lack of available cloud forensic tools 2. Evidence correlation across multiple sources 3. Crime-scene reconstruction |
| Reporting & Presentation | 1. Lack of knowledge 2. Reporting |
Table 1: Summary of Challenges to Digital Forensics in Cloud Environments
Conclusion:
Cloud forensics is a cross-discipline between digital forensics and cloud computing. Various aspects of forensics in cloud computing and of cloud forensics have been reviewed. As cloud computing is used more widely, providing trustworthy cloud forensic schemes becomes an issue. At present, more business organizations are moving data into cloud environments. As the IT sector develops, crime investigators will face more complexity in accessing, retrieving and obtaining data as evidence. With more technology, crime (cybercrime) can be committed more easily, and the demand for forensic investigation in the cloud will grow. These investigations suffer from a lack of guidance, tools and techniques for retrieving evidence in a forensically sound way. Cloud service providers should also provide a robust API for acquiring evidence. Solving all the challenges of cloud forensics will clear the way for a forensics-enabled cloud and allow more consumers to take advantage of cloud computing. There is also a need to re-examine laws in order to move forward and combat criminals. Finally, there is a need for the digital forensics community to begin establishing standard empirical mechanisms to evaluate frameworks, procedures and software tools for use in a cloud environment. Only when research has been conducted to show the true impact of the cloud on digital forensics can we be sure how to alter and develop alternative frameworks and guidelines, as well as tools, to combat cybercrime in the cloud. Cloud computing is a business model that presents a range of new issues to digital forensics practitioners and the digital forensics community in general.
There is an urgent need for forensic investigators to adapt existing forensic practices and develop an evidence-based, forensically sound methodology [6] that would enable forensic investigators to identify, preserve, collect, examine and analyse data fragments in the cloud computing environment.
REFERENCES
[1] Desai, Puraj; Solanki, Mehul; Gadhwal, Akshay; Shah, Aalap; Patel, Bhumika. (2015). Challenges and Proposed Solutions for Cloud Forensic. International Journal of Engineering Research and Applications (www.ijera.com), ISSN 2248-9622, Vol. 5, Issue 1 (Part 2), January 2015, pp. 37-42.
[2] Arafat, Md; Mondal, Bipasha; Rani, Sreeti. (2017). Technical Challenges of Cloud Forensics and Suggested Solutions. International Journal of Scientific and Engineering Research, 8, 1142. doi:10.14299/ijser.2017.08.004.
[3] Rani, Deevi Radha; Sultana, Sk. Nazma; Sravani, Pasala Lourdu. (2016). Challenges of Digital Forensics in Cloud Computing Environment. Indian Journal of Science and Technology, Vol. 9, Issue 17, pp. 1-7. doi:10.17485/ijst/2016/v9i17/93051.
[4] Meyer, Gertruida; Stander, Adrie. (2015). Cloud Computing: The Digital Forensics Challenge. InSITE 2015, pp. 285-299. https://doi.org/10.28945/2239
[5] Grispos, George; Storer, Tim; Glisson, William. (2012). Calm Before the Storm: The Challenges of Cloud Computing in Digital Forensics. International Journal of Digital Crime and Forensics (IJDCF), 4, 28-48. doi:10.4018/jdcf.2012040103.
[6] Kazaure, Abdullahi Aminu; Jantan, Aman; Yusoff, Mohd Najwadi; Maigari, Aminu; Ishak, Mohamad Khairi; Noor, Nor Rizuan Mat. (2019). Evidence Collection and Forensic Challenges in Cloud Environment. MACE Technical Journal (MTJ), Vol. 1(01), December 2019, pp. 8-18. eISSN: 2710-663