Challenges in Cloud Forensics.
In this presentation we take a look at the following topics:
What is Cloud Computing?
Types of Cloud & Cloud Services
What is Cloud Forensics?
Common Cloud Forensics Challenges
Impact of the Challenges
Existing Methods & Tools
Limitations of Existing Methods
Future Developments
4. What is Cloud Computing?
Cloud computing is a means of providing computing services (including databases, servers, software, and networking) via the internet, allowing the user to bypass direct management of those systems. [1]
5. Types of Cloud
Private Cloud
Public Cloud
Hybrid Cloud
Main Types of Cloud Services
IaaS – Microsoft Azure | Cisco Metacloud
PaaS – OpenShift | AWS
SaaS – Cisco WebEx | GSuite
6. What is Cloud Forensics?
“Cloud forensics is the application of digital forensics in cloud computing as a subset of network forensics to gather and preserve evidence in a way that is suitable for presentation in a court of law.” [2]
Cloud Forensics Steps
8. Impact of the Challenges in Identification Stage
1) Access to the Evidence in Logs
2) Unknown or Not Accessible Physical Location
9. Impact of the Challenges in Collection & Preservation Stage
1) Multi-tenancy & Resource Sharing
2) Chain of Custody
3) Dependence on CSP [4]
10. Impact of the Jurisdictional Challenges
1) Jurisdiction Challenges
Involvement of international & local law
enforcement parties
Bulletproof hosting
Right to access data
11. Existing Methods for Mitigating the Challenges
1) Resource Tagging
2) Isolating cloud instance & Sandboxing
3) RSA Signature [5]
4) SLA specifying the forensic services
12. Tools Used for Challenge Mitigation
1) UFED Cloud Analyzer
• Google My Activity and Facebook
• iCloud and Google backup
• Uber, Lyft
• DJI drones
2) FROST
• API logs
• Guest firewall logs
• Virtual disks
13. Existing Methods: Limitations Related to Jurisdiction
1) International Communication and Cooperation
Limitation – Only effective for non-urgent investigations
2) Foreign Jurisdiction Remote Examination
Limitation – Risk of damaging the target system
14. Future Developments
1) Method of Evidence Collection and Provenance Preservation for Cloud Using SDN and Blockchain Technology [6].
2) Permissioned Blockchain Based Data Logging and Integrity Management System for Cloud Forensics [7].
15. References
[1] https://www.talend.com/resources/what-is-cloud-computing/
[2] https://kumarshivam-66534.medium.com/cloud-forensics-be18e14230de
[3] A Systematic Survey on Cloud Forensics Challenges, Solutions, and Future Directions. ACM Computing Surveys (CSUR), 2022. Retrieved from https://dl.acm.org/doi/fullHtml/10.1145/3361216
[4] Ruan, K., et al. Key Terms for Service Level Agreements to Support Cloud Forensics. In IFIP Int. Conf. Digital Forensics, 2012. Springer.
[5] Lin, C.-H., Lee, C.Y., and Wu, T.-W. A Cloud-Aided RSA Signature Scheme for Sealing and Storing the Digital Evidences in Computer Forensics. International Journal of Security and its Applications, 6(2), pp. 241-244, 2012.
[6] Pourvahab, M. and Ekbatanifard, G. Digital Forensics Architecture for Evidence Collection and Provenance Preservation in IaaS Cloud Environment Using SDN and Blockchain Technology. IEEE Access, vol. 7, pp. 153349-153364, 2019. doi: 10.1109/ACCESS.2019.2946978.
[7] Park, J., Park, J., and Huh, E. Block Chain Based Data Logging and Integrity Management System for Cloud Forensics. 2017, pp. 149-159. doi: 10.5121/csit.2017.71112.
In simple terms, cloud computing is a way to remotely store and access data and programs over the internet rather than hosting them on your computer’s hard drive.
************************************
Private Cloud:
exclusively created and owned by a business.
managed on a private network.
a private cloud could be an on-site data centre, or a business can ask a third party to host it.
Public Cloud:
the service is solely offered by a third party like Microsoft Azure.
the provider manages all your hardware, software and other supporting infrastructure.
you can manage your services through your web browser.
Hybrid Cloud:
a combination of public and private clouds.
provides your business with more flexibility and will help optimise your current infrastructure, security and compliance.
**************************************************************************************************
Infrastructure as a Service (IaaS)
provides IT infrastructure from a third-party cloud provider.
you rent servers, network, storage, virtual machines and more.
Platform as a Service (PaaS)
offers an environment for you to develop, test, deliver and manage your software applications with ease.
provides the storage, network and databases needed for your development work.
Software as a Service (SaaS)
is a method for delivering software applications over the internet.
the cloud provider hosts and manages the software application and its infrastructure.
most of the time it is a subscription-based, on-demand service.
***************************************
Cloud forensics is just like any other branch of forensics. Put into simple words, it means collecting and preserving evidence so that it is suitable for presentation in a court of law.
****************************
Identifying cloud forensics evidence is more complicated than evidence identification in conventional computer forensics because of the decentralized nature of the cloud.
Take logs as an example: the cloud creates, stores, processes and distributes data across multiple data centres, and the availability of cloud system logs depends on the cloud service model. Therefore accessing the logs of a cloud is sometimes a challenge.
Unlike conventional cyber forensics incidents, in cloud forensics the data is most of the time not physically accessible. So, in evidence identification, this is a challenge for forensic investigators.
******************************************************
Multitenancy means shared hosting, in which server resources are divided among different customers. Multitenancy is the opposite of single tenancy, where a software instance or computer system has one end user or group of users. So the challenge here is: since evidence could be located across several locations, evidence collection becomes difficult. The distribution of evidence can be across multiple virtual hosts, physical machines, data centres, and geographical and legal jurisdictions.
Chain of custody describes how the evidence was collected, analysed and preserved, with the aim of presenting the evidence in an admissible way in a court of law. The challenge is: the distributed and multi-layered nature of the cloud makes it harder to verify the chain of custody. Verifying how the logs were collected, generated and stored, along with who had access to the logs, is also challenging.
Most CSPs are not motivated to aid forensic investigations because that could damage their reputation. In case of an incident, the cloud provider will focus on restoring the service rather than preserving the evidence and handling it in a forensically sound manner. Moreover, the integrity of the evidence also depends on the CSP.
************************************************************
Involvement of international & local law enforcement parties: sometimes forensic investigators may have to work with both international and local law enforcement parties to carry out the investigation, which is very time and resource consuming.
Bulletproof hosting: means storing illegal data in countries where it is difficult for law enforcement agencies to take legal action. Such hosting is often located in corrupt countries where the country itself provides little or no support for a forensic investigation. Ukraine and the Netherlands are two countries where law enforcement agencies cannot easily take such hosting down.
Right to access data: the right to access data differs between jurisdictions and can vary from place to place.
********************************************************
Unknown or not accessible physical location - Cloud resource consumers tag resources to mark the locations of their information assets easily, and CSPs can also use the tags for their own benefit. In other words, when an incident occurs on a server that is on the other side of the world, it is easier to handle all the law, jurisdiction and chain-of-custody related challenges if that resource has been tagged beforehand. So tagging makes the investigation much easier.
Multi-tenancy and resource sharing - One technique is to isolate the evidence in a sandbox. **Instance Relocation, where an instance can be moved inside the cloud. Server Farming, which can be used to re-route the request between user and node.**
Chain of custody - An RSA signature scheme [5] can be used to verify the chain of custody and data integrity.
Dependence on CSP + Jurisdiction Challenges - A good SLA guarantees benefits like accessibility and consistency.
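The RSA signature item on slide 11 and the chain-of-custody note above can be shown concretely. The Python below is an added example, not code from this presentation or from the cloud-aided scheme in [5]: it hashes a piece of collected evidence, signs the digest with a textbook RSA key, and produces a chain-of-custody record that a second party can verify later, with the verification failing if either the evidence bytes or the record was altered. The toy key generator, the record layout, the analyst and evidence names, and the sample API log lines are all constructed for the example; the key sizes are far smaller than anything a real deployment would use.

```python
import hashlib
import json
import random
from datetime import datetime, timezone

# Toy RSA key generation (constructed for this example). Real deployments use a
# vetted library and padded signatures; here the point is the sealing workflow.


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin primality test with a handful of random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit and odd
        if _is_probable_prime(candidate, rng):
            return candidate


def generate_keypair(bits: int = 512, seed=None):
    """Return ((e, n), (d, n)). A fixed seed makes key generation reproducible."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            break
    d = pow(e, -1, phi)
    return (e, p * q), (d, p * q)


def seal_evidence(evidence: bytes, evidence_id: str, collected_by: str,
                  private_key, collected_at=None) -> dict:
    """Hash the evidence, sign the hash, and return a chain-of-custody record."""
    d, n = private_key
    digest = hashlib.sha256(evidence).hexdigest()
    signature = pow(int(digest, 16), d, n)  # textbook RSA over the SHA-256 digest
    return {
        "evidence_id": evidence_id,
        "sha256": digest,
        "collected_by": collected_by,
        "collected_at": collected_at or datetime.now(timezone.utc).isoformat(),
        "signature": hex(signature),
    }


def verify_seal(record: dict, evidence: bytes, public_key) -> bool:
    """True only if the evidence still matches the hash and that hash carries a valid signature."""
    e, n = public_key
    digest = hashlib.sha256(evidence).hexdigest()
    if digest != record["sha256"]:
        return False  # the evidence bytes changed since sealing
    recovered = pow(int(record["signature"], 16), e, n)
    return recovered == int(digest, 16)  # the record's hash and signature still agree


if __name__ == "__main__":
    public, private = generate_keypair(bits=512, seed=42)
    # Constructed sample: two lines of a cloud API log captured from an instance.
    log_capture = (b"2024-01-05T10:02:11Z RunInstances user=alice instance=i-0abc\n"
                   b"2024-01-05T10:04:58Z TerminateInstances user=alice instance=i-0abc\n")
    record = seal_evidence(log_capture, "EVD-0001", "analyst-1", private)
    print(json.dumps(record, indent=2))
    print("intact:", verify_seal(record, log_capture, public))
    print("tampered:", verify_seal(record, log_capture.replace(b"alice", b"bob"), public))
```

The record keeps the hash and the signature side by side so that a reviewer can first confirm the bytes they received match the hash, and then confirm that the hash is the one the collector actually signed; either check failing breaks the chain of custody.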
UFED Cloud Analyzer is a Windows-based extraction and analysis tool. It allows you to extract, preserve and analyze public and private domain, social-media data, instant messaging, file storage, web pages and other cloud-based content using a forensically sound process.
FROST is a forensics tool for the OpenStack cloud computing platform. It requires no interaction with the operating system of guest virtual machines, and the system is user-driven.
********************************************************
International communication and cooperation is only effective for non-urgent investigations. That means it is not good for investigations against a DoS or DDoS attack, because in that case we need the answers fast, in real time, to mitigate the ongoing attack. The reason is that there are a lot of agencies and even time zones to consider.
Damaging a system in a foreign jurisdiction is not good at all, right?
What they did in the first method [6] was encrypt all the data based on its sensitivity level and store it in the cloud server. For encryption they used the Sensitivity Aware Deep Elliptic Curve Cryptography algorithm.
The system proposed in the second method [7] is able to guarantee the integrity of data while processing more transactions than existing permission-less blockchains.
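The blockchain-based logging idea behind the second future development rests on hash-linking each log entry to its predecessor, so that a past entry cannot be changed or dropped without every later link breaking. As an added illustration that is not the system from [7], the Python below builds a hash-chained custody log for one piece of cloud evidence, verifies it, and reports which entry is flagged when a record is altered, both when the editor leaves the record's own hash stale and when they recompute it. The entry layout, actor names, timestamps and sample events are constructed.

```python
import hashlib
import json

# Hash-chained forensic log (constructed example). Each entry embeds the hash
# of the entry before it; the first entry links to an all-zero "genesis" hash.

GENESIS_HASH = "0" * 64


def _entry_hash(entry: dict) -> str:
    """SHA-256 over the entry's canonical JSON, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(chain: list, timestamp: str, actor: str, action: str, data: bytes) -> dict:
    """Append one custody event, linking it to the previous entry's hash."""
    prev_hash = chain[-1]["entry_hash"] if chain else GENESIS_HASH
    entry = {
        "index": len(chain),
        "timestamp": timestamp,
        "actor": actor,
        "action": action,
        "data_sha256": hashlib.sha256(data).hexdigest(),
        "prev_hash": prev_hash,
    }
    entry["entry_hash"] = _entry_hash(entry)
    chain.append(entry)
    return entry


def verify_chain(chain: list):
    """Return (True, None) if every link holds, else (False, index of the first broken entry)."""
    expected_prev = GENESIS_HASH
    for i, entry in enumerate(chain):
        if entry["index"] != i or entry["prev_hash"] != expected_prev:
            return False, i  # an entry was removed, reordered or relinked
        if _entry_hash(entry) != entry["entry_hash"]:
            return False, i  # the entry's contents no longer match its stored hash
        expected_prev = entry["entry_hash"]
    return True, None


def build_sample_chain() -> list:
    """Constructed sample: three custody events for one VM disk snapshot."""
    snapshot = b"vm-disk-snapshot-bytes"
    chain = []
    append_entry(chain, "2024-01-05T10:10:00Z", "csp-operator", "snapshot-taken", snapshot)
    append_entry(chain, "2024-01-05T11:30:00Z", "analyst-1", "snapshot-received", snapshot)
    append_entry(chain, "2024-01-05T12:00:00Z", "analyst-1", "hash-verified", snapshot)
    return chain


def tamper_and_check(chain: list, index: int, new_action: str, recompute: bool):
    """Alter one entry's action field; optionally refresh that entry's own hash."""
    chain[index]["action"] = new_action
    if recompute:
        chain[index]["entry_hash"] = _entry_hash(chain[index])
    return verify_chain(chain)


if __name__ == "__main__":
    print(verify_chain(build_sample_chain()))
    print(tamper_and_check(build_sample_chain(), 1, "snapshot-deleted", recompute=False))
    print(tamper_and_check(build_sample_chain(), 1, "snapshot-deleted", recompute=True))
```

Without recomputation the altered entry itself fails its hash check; with recomputation the altered entry passes but the next entry's stored prev_hash no longer matches, which is exactly the property that lets an integrity-managed log expose edits made after the fact.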