Cloud computing pros and cons for computer forensic investigations

International Journal Multimedia and Image Processing (IJMIP), Volume 1, Issue 1, March 2011

Cloud Computing: Pros and Cons for Computer Forensic Investigations

Denis Reilly, Chris Wren, Tom Berry
School of Computing and Mathematical Sciences, Liverpool John Moores University, UK
D.Reilly, C.Wren, T.Berry{@ljmu.ac.uk}

Copyright © 2011, Infonomics Society

Abstract

Cloud computing is a relatively new concept that offers the potential to deliver scalable elastic services to many. The notion of pay-per-use is attractive and in the current recession-hit global economy it offers an economic solution to an organization’s IT needs. Computer forensics is a relatively new discipline born out of the increasing use of computing and digital storage devices in criminal acts (both traditional and hi-tech). Computer forensic practices have been around for several decades and early applications of their use can be charted back to law enforcement and military investigations some 30 years ago. In the last decade computer forensics has developed in terms of procedures, practices and tool support to serve the law enforcement community. However, it now faces possibly its greatest challenges in dealing with cloud computing. Through this paper we explore these challenges and suggest some possible solutions.

1. Introduction

The last few decades have witnessed several notable step changes which have shaped future practices in computing and IT. Cloud computing is tipped as the next notable step change, which potentially may change the way in which organizations realize their computing and IT needs. Cloud computing provides an attractive ‘pay-per-use’ model of computing, which allows organizations to effectively outsource their computing and IT requirements and focus on their core business, paying only for what they use. In the current economic climate of global recession many organizations incur huge costs in terms of equipment and manpower expenditure keeping large dated legacy systems running. Cloud computing aims to provide a clean effective solution by allowing such organizations to migrate their data to a cloud, which promises high speed access and 99.99% availability, typically provided by trusted household vendors, such as Microsoft, Amazon, Google, Yahoo.

Computer forensics has emerged as a discipline to assist law enforcement agencies in addressing the increasing use of digital storage devices in criminal acts (both traditional and hi-tech). UK police forces have found that computing devices (including mobile phones) feature in many of the day-to-day crimes. Forensic examination of such devices can reveal a wealth of evidence that would otherwise be unavailable using conventional policing methods. Indeed, several high profile murder cases have benefited from digital evidence gathered via a computer forensic examination [1].

Although cloud computing has many benefits to offer, there is still a degree of speculation over its security (or lack of security). More particularly, there are still questions to be answered relating to its ability to support forensic investigations. Through this paper we intend to highlight a number of issues relating to computer forensics in cloud computing and provide our own thoughts on how these issues may hinder or encourage the uptake of cloud computing.

The remainder of this paper is structured as follows: section 2 provides more background on cloud computing and describes the key characteristics and models underlying cloud computing. Section 3 provides background on computer forensics and describes the processes and techniques that are the basis for computer forensics in law enforcement. Section 4 goes on to describe virtualization, an important accompaniment to cloud computing which enables resources to be shared within clouds. In section 5 we merge the two together and describe the main pros and cons relating to the application of computer forensic procedures within cloud environments. Section 6 draws overall conclusions and expresses our views on how we see the future emerging.

2. Cloud computing – silver lining or dark storm?

Cloud computing intends to realize the concept of computing as a utility, just like water, gas, electricity and telephony. It also embodies the desire to offer computing resources as true services. Software, computing platform and computing infrastructure may all be regarded as services with no concern as to how or from where they are actually provided. The potential of cloud computing has been recognized by major industry players such that the top five software companies by sales revenue all have major cloud offerings [2].

There is still no universal definition of cloud computing, however, there is sufficient literature available in the community that portrays the basic
principles [3,4]. The view taken by several authors is that cloud computing is an extension of cluster computing, or more specifically Cloud Computing = Cluster Computing + Software as a Service [3]. What is relatively clear is that cloud computing is based on five key characteristics, three delivery models, and four deployment models [5].

2.1. Characteristics and models

The five key characteristics are:
• On-demand self-service
• Ubiquitous network access
• Location independent resource pooling
• Rapid elasticity
• Pay per use.

The three delivery models are:
• Software as a Service (SaaS): use of provider’s applications over a network
• Cloud Platform as a Service (PaaS): deployment of customer-created applications to a cloud
• Cloud Infrastructure as a Service (IaaS): rental of processing, storage, network capacity, and other fundamental computing resources.

To be considered “cloud” the delivery models must be deployed on top of cloud infrastructure that satisfies the five characteristics. The four deployment models are:
• Private (internal) cloud: enterprise owned or leased, behind a firewall
• Public (external) cloud: sold to the public, mega-scale infrastructure (e.g. Amazon EC2)
• Hybrid cloud (virtual private cloud): composition of two or more clouds (e.g. Amazon VPC)
• Community cloud: shared infrastructure for a specific community (e.g. academic clouds).

2.2. Cloud architecture

Physically a single-site cloud is realized as a datacenter, which consists of:
• Compute nodes (split into racks)
• Switches, connecting the racks
• A network topology, e.g., hierarchical
• Storage (backend) nodes connected to the network
• Front-end for submitting jobs
• Services: physical resource set, software services.

A geographically distributed cloud may consist of multiple such sites (distributed datacenters), each site perhaps with a different structure and services.

Logically a cloud consists of a front-end and a back-end which are connected through a network. The front end is generally a web browser or any application which is using cloud services. The back end is the network of servers, system and application software and data storage system. Servers are typically organized into server farms to suit specific application software. The back-end is generally a three-tier arrangement (Figure 1), comprising: physical machines and storage, virtual machines and a service level agreement layer (SLA). The SLA is responsible for the monitoring of the service contract to ensure its fulfillment in real-time.

Figure 1. Cloud computing layers [6]

The actual service contract will also detail criteria associated with any computer forensic investigations, such as jurisdiction and data seizure. The jurisdiction covers the local laws that apply to the service provider and consumer. Data seizure covers the seizure of the provider’s equipment to capture data and applications belonging to a particular consumer. The contract will also detail how such seizure is likely to affect other consumers that use the same provider. This inability to seize only the data relating to an individual suspect is one of the problems relating to forensic investigations of cloud datacenters that will be discussed further in section 5.

Cloud datacenters operate on the assumption that the demand for resources is not always consistent amongst clients and as a consequence the physical servers are unable to run at their full capacity. To accommodate this, server virtualization techniques are used. Server virtualization, which is discussed further in section 4, is a method of running multiple independent virtual operating systems on a single physical computer. Through server virtualization
cloud providers can maximize physical resources to maximize the investment in hardware.

Data is central to cloud computing and data security is of utmost importance in cloud datacenters. All data are backed up at multiple locations, which dramatically increases the data storage to multiple times in clouds. This also presents issues to computer forensic investigations. On the one hand data is likely to be mobile as it is moved amongst servers and it may be difficult to seize the original data with multiple copies in existence. On the other hand the availability of backups taken over time may provide useful evidence that would otherwise have been overwritten. These issues, amongst others, are discussed further in section 5.

2.3. Cloud examples

Two popular cloud computing facilities are Amazon Elastic Compute Cloud (EC2) and Google App Engine. Amazon EC2 is part of a set of standalone services which include S3 for storage, EC2 for hosting and the SimpleDB database. Google App Engine is an end-to-end service, which combines everything into one package to provide a PaaS facility. With Amazon EC2, users may rent virtual machine instances to run their own software and users can monitor and increase/decrease the number of VMs as demand changes. To use Amazon EC2 users would:
• Create an Amazon Machine Image (AMI): incorporate applications, libraries, data and associated settings
• Upload the AMI to Amazon S3
• Use the Amazon EC2 web service to configure security and network access
• Choose OS, start AMI instances
• Monitor & control via web interface or APIs.

Google’s App Engine allows developers to run their web applications on Google’s infrastructure. To do so a user would:
• Download the App Engine SDK
• Develop the application locally as a set of Python programs
• Register for an application ID
• Submit the application to Google.

Having provided an overview of cloud computing we may now consider computer forensics before we then proceed to consider the two together.

3. Computer forensics – law enforcement perspective

In this paper we use the term computer forensics to refer to the process of investigating computing devices based on off-the-shelf operating systems (Windows, Unix, MacOS) that would typically be found in cloud computing environments. However, in the strict sense digital forensics is the more general term to classify the forensic processes applied to a variety of digital devices in order to acquire digital evidence. Digital forensics includes, amongst others: computer forensics, intrusion forensics, network forensics and mobile device forensics.

Computer forensics has its roots in data recovery and factors in additional guidelines and procedures designed to create a legal audit trail. Intrusion forensics is a branch of digital forensics that has its roots in intrusion detection and is concerned with attacks or suspicious behaviour directed against computers. Network forensics focuses on the network as the source of possible evidence and involves the monitoring and analysis of network traffic for information gathering. Often a combination of intrusion and network forensics techniques will be used to deal with attacks for which network traffic is significant. Mobile device forensics is concerned with the recovery of evidence from mobile devices, primarily mobile phones, due to the abundance of mobile phones used in conventional crimes. Our consideration of forensic procedures applied to cloud computing is largely concerned with computer forensics with some consideration of intrusion/network forensics.

There is to date no single definition of computer forensics, which is often regarded as more of an art than a science, although several similar definitions are available [7,8,9]. A suitable definition for the purpose of this paper is that according to [7], namely: “The application of computer investigation and analysis techniques to determine potential evidence”. This definition suffices as it contains the three important keywords and phrases underlying computer forensics, namely: “computer”, “investigation/analysis” and “evidence”. Central to computer forensics is evidence, or more particularly digital evidence, which we consider below.

3.1. Digital evidence

Digital evidence is defined by [10] as: “Any information of probative value that is either stored or transmitted in a digital form”. Typically, digital evidence may include files stored on a computer hard drive, file fragments or data items stored in memory, digital video or audio, or packets transmitted over a network. Digital evidence presents several challenges over its conventional counterpart and these challenges are born out of the characteristics of
digital evidence:
• Vast quantity of potential evidence: tens of thousands of files in a single computer – let alone a network
• Easily contaminated: rebooting a system may remove vital traces of evidence and contaminating some evidence may contaminate it all
• Crime identification: a crime may not become apparent for months or years (e.g. fraud)
• Vast number of potential suspects: several million Internet users.

Digital evidence (once gathered) must satisfy the same legal requirements as conventional evidence, i.e. it must be:
• Authentic – the evidence must be original and relate to the alleged crime under investigation
• Reliable – the evidence must have been collected using reliable procedures that if necessary could be repeated by an independent party to achieve the same result
• Complete – the evidence may be used to prove guilt as well as innocence
• Believable – the evidence should be convincing to juries and presented in such a way that they can make sense of it
• Admissible – the evidence was collected using procedures that conform to common law and legislative rules.

The additional problem with digital evidence is that it exists in both a logical context and a physical context. Data is stored physically on storage media (e.g. a hard drive) in blocks or clusters. However, as blocks or clusters are difficult for human users to make sense of, data is grouped together in logical constructs such as files and directories, which users are comfortable with. Both the physical and the logical context need to be considered during the acquisition, analysis and presentation of digital evidence. While digital evidence is central to any computer forensic investigation, the procedures used to acquire the evidence and subsequently analyze and present the evidence prove just as important and such procedures are considered further below.

3.2. Dynamic evidence – time-lining

Static digital evidence artefacts alone are often insufficient when it comes to establishing a case for prosecution; what is needed is a collective of related artefacts that effectively facilitate the reconstruction of the digital environment in which the alleged crime took place. In line with physical forensic science, computer forensics aims to reconstruct a series of events linking a suspect to a crime using available evidence. This can prove very time consuming due to the sheer quantity of potential evidence in a digital environment. Typically an investigation may entail the linking of mobile phone conversations, or reconstructing the sequence of events in hacking attacks between victim, target and intermediates. Emphasis is placed on event-based reconstruction and time-lining.

Figure 2. Example time-line of events
  Time A: Access network (network log)
  Time B: Pay for service (credit card bill)
  Time C: Download image (file created)
  Time D: View image (last access)
  Time E: Change image (last write)
  Time F: Forward image (e-mail log)

Time-lining provides an association of timestamps with each event or data item of interest in order to reconstruct a sequence of events. Time-lining is assisted by the fact that the majority of data items are time-stamped. As shown in Figure 2 the sequence of events when an image is downloaded and changed can be time-lined to provide a more complete picture. Time-lining can use time-stamps such as file creation, access and modification times, which when correlated with other information build up a time graph of activities that are consistent with non-computer crime events.

3.3. Procedures

In addition to digital evidence, computer forensic investigations are also characterized by procedures, or more formally process models. The process models specify generalized steps that are used to conduct a complete investigation. The steps cover the practical and theoretical aspects of an investigation and most importantly the legal aspects. Currently in the UK, much of the computer forensics work is conducted by law enforcement agencies (Police, UK Border Agency, Customs and Excise) and the process models reflect a law enforcement ethos. Although law enforcement agencies provide the main driving force, the need for computer forensics in the corporate sector is gaining momentum, particularly in the US.

Police forces in the UK adhere to a guide which specifies the principles and procedures that should be followed when dealing with incidents involving digital evidence. The Association of Chief Police Officers (ACPO) Guidelines for Computer Investigations and Electronic Evidence [11] is a
thorough and complete document, which specifies the procedures and steps that officers should take in dealing with a variety of situations associated with computers and digital evidence. By following such guidelines officers can guarantee that any evidence satisfies legal requirements, i.e. it is: authentic, reliable, complete, believable and admissible.

For the purpose of this paper we may regard the computer forensic process according to the six stage model proposed by [12].
• Identification: determine items, components and data possibly associated with the allegation or incident; employ triage techniques
• Preservation: ensure evidence integrity or state
• Collection: extract or harvest individual data items or groupings
• Examination: scrutinize data items and their attributes (characteristics)
• Analysis: fuse, correlate and assimilate material to produce reasoned conclusions
• Presentation: report facts in an organized, clear, concise and objective manner.

This six stage process model and several other similar models [13,14] form the basis of the majority of computer forensic investigations. Crucial to any forensic investigation is the preservation of evidence such that the original evidence is not changed in any way. With respect to examination, many forensic investigations involve examining a computing device when it is switched off and has no electrical power (so called ‘dead’ forensics). Occasionally, a ‘live’ forensic investigation is performed where the computing device is found in a switched on state. Under such a situation vital evidence may be gathered from examining the device’s memory and the processes and network connections that are currently active.

3.4. ACPO principles and guidelines

The ACPO principles are stated below and it is essential that computer forensic investigations uphold these principles. Later in section 5 we discuss the issues that cloud computing raises in relation to these principles.
• Principle 1: no action taken by law enforcement agencies or their agents should change data on a computer or storage media which may subsequently be relied on in court
• Principle 2: in circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions
• Principle 3: an audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same results
• Principle 4: the person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

In addition to the above principles the ACPO guide describes best practices to be followed for each stage in a computer forensic investigation. The best practices range from how to conduct the search and seizure stage of an investigation through to presenting evidence in court and dealing with witness statements. The ACPO search and seizure guidelines are particularly relevant when considering cloud computing as these are the most difficult to satisfy due to the remoteness of cloud datacenters. The search and seizure guidelines describe how investigators should prepare for the search and record all details of the investigation scene and if necessary take photographs and video footage. The guidelines go on to describe how equipment should be seized and ‘bagged and tagged’ (to avoid tampering). Any seized storage media should then be cloned or imaged, as described below, before the analysis can commence. Analysis is usually conducted at the physical level, where disk partitions are examined, and then at the logical level on a file-by-file basis. Later in section 5 we consider how such search and seizure would be impractical to conduct at a cloud datacenter.

Analysis of storage media should take place on a bit-by-bit clone or image of the original media (typically a hard disk). It is important that the image is an exact copy of the original media so that it contains deleted files and areas of the media that a normal backup would not copy. Once the image has been taken, both the original and image must then be authenticated, which typically involves computing a checksum for the original and the image at the time the image was taken. This authentication may be achieved through a one-way hash function, such as MD5, which can provide a unique hash of a file or a complete disk image; any subsequent modification will alter the MD5 signature.

Having considered the characteristics of digital evidence and the procedures to be followed in computer forensics investigations we are already able to see how such investigations will face challenges in a cloud computing environment. To a
large extent the nature of computer forensics relies upon direct access to possible sources of evidence. However, where cloud computing is concerned, such direct access is not possible as the cloud exists as a remote datacenter, typically in another country. However, as we shall see later in section 5, cloud computing does bring several advantages to the table where computer forensics is concerned.

3.5. Computer forensics and cloud computing

As we have seen through this section, computer forensics (and its variants) is a discipline of rapidly increasing importance, which has come about and flourished due to the abundance of computing devices and indeed their uses with crimes, both conventional and hi-tech (digital) crime. If we consider mobile phones, saturation of mobile telephony in a country is generally acknowledged to have been achieved when 82 percent of the population own a mobile phone. In the UK it is reported that over 73 percent of the population own a mobile or have access to a mobile [15]. It is estimated that 6 out of every 10 crimes committed will involve some use of a mobile phone, which may range from road traffic accidents up to the more serious crimes such as murder. With this abundance of digital crime computer forensics has had to formalize, adapt and evolve into a methodology capable of supporting today’s law enforcement officers.

Cloud computing is touted as the next major step change in the way that organizations plan, develop and enact their IT strategies. However, where computer forensics is concerned, cloud computing has not been thoroughly considered in terms of its forensic readiness. However, cloud computing has carefully considered security and indeed it was forced to right from the very outset. The reason for this is that security is an essential requirement for any IT application – no individual or organization wants insecure data and they don’t want their personal data exposed to any unauthorized users. On the other hand, computer forensics or forensic readiness is not an essential requirement; it is seen as more of a luxury. This is largely due to a lack of legislation, on a global scale, requiring that any computer installation implements a forensic readiness plan. To a certain extent, one cannot argue with this as security is required at all times, whereas computer forensics is only required when an incident takes place. However, for computer forensics to be successful, it generally requires that certain measures are taken before the actual incident occurs (e.g. some form of logging is enabled). As we shall discuss shortly, certain aspects of the computer forensic process can be applied to cloud computing, but the main stumbling block is the fact that it may be impractical for the computer forensic investigators to get their hands on the physical devices likely to contain digital evidence. This in turn suggests that an alternative or revised computer forensic process needs to be developed to meet the needs of cloud computing investigations.

4. Virtualization

In computing terms virtualization is a broad term that refers to the abstraction of computing resources. Virtualization abstracts a physical resource into a virtualized resource that can be shared. A useful analogy is to consider the water supply to a house as a resource:
• Option 1 - have your own well (physical)
• Option 2 - water supplied by water service (virtualized)
• Option 3 - buy bottled water (cloud solution - no long term contract, access water as and when needed).

The main incentive for virtualization is that it enables multiple users to share the same resources but maintains separation based on data or application owner. Within a cloud many resources can be virtualized: servers, storage, software, platform, infrastructure, etc. and for this reason virtualization is used extensively. Server virtualization is the most widely used form of virtualization, through technologies such as VMware and Citrix XenServer. With server virtualization one physical machine is divided into many virtual servers (also called virtual machines or VMs). At the core of such virtualization is the concept of a hypervisor (virtual machine monitor). A hypervisor is a thin software layer that intercepts operating system calls to hardware. Hypervisors typically provide a virtualized CPU and memory facility for the guests they are hosting. In the case of the water supply example, the water company represents the hypervisor by managing the relationship between the physical supply (reservoirs, pumping stations) and the virtual consumers (homes).

From a computer forensics point of view several authors have assessed the advantages/disadvantages of virtual machines in relation to computer forensics investigations [16,17,18]. In general, the findings are mixed. VMs can provide several advantages, for example VMWare provides a snapshot facility, which can be used to provide a ‘picture’ of your system at the time the snapshot is taken. The snapshot provides an image of the computer’s hard drive, which consists of the data on the hard drive, the VMware configuration for that virtual machine and the BIOS configuration. There are also a number
of snapshot files that are created when the snapshot is first taken and these files contain the changes that have occurred to the virtual machine since the snapshot was taken. Thus, over time, the snapshot files will grow as the machine is used more and more. Taken together, the snapshot may seem like an ideal source of potential evidence; however, the use of VM artifacts in court is still questionable. On the downside it is argued that there are notable changes to a VM environment when a VM image is booted into a new environment intended to faithfully re-create the original. Once the image is booted new data may be written, thus modifying it. Any image which is known to have undergone change in some way would be challenged in court, which is why the traditional “make a bit-wise copy of the original…” approach is still preferred when it comes to presenting evidence in court.

Although there is a degree of scepticism relating to the use of virtual forensic investigations, the potential has been witnessed within the computer forensic community [18]. To a certain extent this has been driven by the upsurge in the use of virtualization within organizations. It is also the case that the use of virtualization may prove beneficial when investigating a suspect system which itself uses virtualization. However, conventional computer forensic techniques can be used to investigate a suspect system which does not use virtualization. This may serve as a pointer that cloud forensics should indeed be based on virtualization. Indeed several researchers are active in developing APIs for use with virtualization, which could have benefits for cloud computing. One such project is VIX [17], which considers Virtual Introspection for Xen virtualization. Virtual Introspection makes it possible for the state of a virtual machine to be monitored and examined from a Virtual Machine Monitor (VMM) or other virtual machine during operation.

We conclude this section with some concrete use cases relating to virtualization in cloud computing. Through virtualization a typical cloud use case could be 40,000 VMs provided by 512 servers with 1000 users. Such a cloud may typically contain 128TBs of storage across multiple storage technologies and 48TBs of memory. A real cloud example in the use of virtualization is Amazon EC2, which employs Xen VMs in one of three sizes: small, large or extra large, which relate to EC2 compute units. Each VM instance is sized according to platform (32-bit or 64-bit), the amount of memory available, the amount of instance storage and the number of EC2 compute units.

5. Cloud computing – forensics pros and cons

At the time of writing opinion is somewhat divided as to whether or not cloud computing would assist computer forensics investigations or resist such investigations. We begin this section by generalizing both sides of the argument and then go on to consider the pros and cons in more detail. On the one hand the computer forensic process model would need to change and adopt a different set of procedures to accommodate investigations performed on cloud systems. On the other hand computer forensic investigations could take advantage of the services and resources provided by cloud systems to assist the investigation. In the sections below we elaborate further on these arguments.

5.1. Pros

The main benefit of cloud computing is centralized data: having the data all in the same place assists in forensic readiness, which leads to quicker, coordinated response to incidents. With centralized data IaaS providers can build a dedicated forensic server within the cloud, which is ready for use when needed. Other benefits to computer forensics stem from the services and resources that cloud systems can offer, or more precisely the scale and power of these services. Firstly, the availability of potentially peta-bytes of storage and high availability compute intense resources come as a great advantage to the computer forensic investigator. Over a period of time an investigator may amass a number of hard drive images, which could potentially be stored on the cloud, taking advantage of IaaS. Indeed, this approach has been used by [19], who describes how a number of images were transferred to Amazon’s S3 using the HTTP/REST API. Secondly, the high availability compute intense resources can be used for compute intense jobs that forensic investigators may need to carry out. For example, forensic investigators may need to crack passwords, encryption keys or examine many images, all of which can be costly in terms of CPU and memory.

Additional benefits include inbuilt hash authentication for authentication of disk images, as mentioned previously. For example, Amazon S3 generates an MD5 hash when an object is stored, which means that it is no longer necessary to generate time-consuming MD5 checksums.

In a forensic investigation, various log files can provide a rich source of information. However, logging is often an afterthought and consequently insufficient disk space is allocated and logging is either non-existent
or minimal. The scale of cloud storage implementation means that logging can be performed and tuned to a required level, and logs can be made available as required. Modern operating systems offer extended logging in the form of a C2 audit trail. However, this is rarely enabled for fear of performance degradation and log size. With cloud computing enhanced logging can be realized and the granularity of logging can be set accordingly.

A final issue, which is thought of as both a benefit and a drawback, is virtualization. As mentioned previously, virtualization is used in clouds to allow multiple users to share the same resources, and many resources can be virtualized – software, platform, infrastructure etc. It was also mentioned that forensically sound collection of data involves a bit-by-bit duplicate of a disk image using appropriate software. In live investigations the acquisition of memory images is a more involved, time-consuming task of freezing memory before removing power from a host to be duplicated. However, these mechanisms are not necessary within a virtual environment, where disk and memory images can be collected quite easily via snapshot and other administrative functionality. However, this method of acquisition has yet to be proven forensically sound by law enforcement agencies (i.e. under the ACPO guidelines).

5.2. Cons

The main drawback of cloud computing from a forensic perspective is that of data acquisition – knowing exactly where the data is and actually acquiring the data. The search and seizure procedures used in the conventional computer forensic process are impractical due to evidence being stored in cloud datacenters. It is also difficult, if not impossible, to maintain a chain of custody relating to the acquisition of the evidence. Essentially, cloud computing means that investigators are unable to conform to the ACPO guide, as it is difficult if not impossible to satisfy the ACPO principles. The ACPO guide specifies four basic principles relating to procedures and the level of competency required for the handling of evidence. As clouds exist as remote datacenters these principles cannot be satisfied, which consequently makes the ACPO guide redundant, which in turn would cast doubt over the evidence’s authenticity, integrity and admissibility in a UK court of law. Overall, there is a general loss of control over the forensic investigation process simply due to the data being stored elsewhere, where it is inaccessible. This in turn hinders crime scene reconstruction, as the lack of knowledge of where data is actually stored means that it is difficult to piece together a sequence of events and create a timeline. In addition to data acquisition and loss of control there are several other drawbacks which can hinder the investigation, which are discussed further below.

The first is the loss of important artefacts, which could be potentially crucial evidence. For example, registry entries, temporary files and memory may be difficult, if not impossible, to access in cloud datacenters (generally due to virtualization). Metadata may also be lost if data is downloaded from a cloud. Metadata such as file creation, modification and access times can provide a useful source of potential evidence to the forensic investigator. Although some cloud systems (Amazon S3) do provide a means to authenticate data (via MD5 checksums), many investigators still prefer to perform their own authentication rather than rely on cloud hash authentication.

A further shortcoming is the lack of tool support available for dealing with cloud datacenters. Although computer forensics is a relatively new discipline, it has matured to the point where there is sufficient tool support for dealing with conventional localized investigations. Tools such as EnCase, Helix and FTK can be used to assist the forensic investigator with tasks ranging from the initial data acquisition through to providing written documentation presentable in a court of law.

The final problem stems from the legal/people aspect of computer forensics, in that whatever digital evidence is acquired from an investigation, it must still be presented to a jury, who will pass judgement on a case. In conventional computer forensics investigators have to present their findings to the jury, and this often requires that the investigator explain, using technical jargon, how the evidence was acquired and what exactly the evidence means. This can prove challenging when dealing with conventional localized computer systems, let alone cloud datacenters which may be several thousand miles away, running 40,000 VMs across 512 servers accessed by 1000 tenants, of which the accused is one. This may prove far too much for a jury member to comprehend, given that on average the jury will only have a basic grasp of using a home PC!

6. Conclusions

Through this paper we have considered cloud computing as a notable step change which will affect future practices in computing and IT. We also considered computer forensics as a process used largely by law enforcement agencies to acquire digital evidence associated with some alleged crime or incident. We then went on to discuss how cloud computing will impact on computer forensic investigations and considered both sides of the
argument in terms of the pros and cons associated with cloud computing in relation to computer forensics. In conclusion we can say that this impact is yet to be taken up by either party. In other words, cloud providers have not yet fully addressed how they will implement forensic readiness. Similarly, forensic investigators have not yet put forward procedures for dealing with cloud investigations. One could argue that the ball is very much in the court of the forensic investigators. However, computer forensics is still an evolving discipline and it has risen to previous challenges in the past. Mobile phones, wireless technology, encryption and live memory analysis have all presented challenges to computer forensics, yet these have been dealt with by the computer forensic community to expand the armoury of law enforcement agencies. To conclude, the authors are confident that the computer forensic community will rise to the challenge of cloud computing and it will likewise be met with standardized processes and further tools in the computer forensics armoury.

7. References

[1] Summers, C., (2003) Mobile phones – the new fingerprints, BBC News Online, http://news.bbc.co.uk/1/hi/uk/3303637.stm (23 June 2010).

[2] Chow, R., Golle, P., Jakobsson, M., Shi, E., Staddon, J., Masuoka, R., Molina, J., (2009) Controlling data in the cloud: outsourcing computation without outsourcing control, Proceedings of the 2009 ACM Workshop on Cloud Computing Security, Chicago, Illinois, USA, ISBN: 978-1-60558-784-4.

[3] Armbrust, M., Fox, A., Griffith, R., Joseph, A., Katz, R., Konwinski, A., Lee, G., Patterson, D., Rabkin, A., Stoica, I., Zaharia, M., (2010) A view of cloud computing, Communications of the ACM, vol. 53(4), ISSN: 0001-0782.

[4] Buyya, R., Yeo, C.S., Venugopal, S., Broberg, J., Brandic, I., (2009) Cloud computing and emerging IT platforms: vision, hype and reality for delivering computing as the 5th utility, Future Generation Computer Systems, vol. 25(6), Elsevier Science Publishers, ISSN: 0167-739X.

[5] NIST (2010) Definition of cloud computing v15, Computer Security Division, Computer Security Resource Center, http://csrc.nist.gov/groups/SNS/cloud-computing/ (18 June 2010).

[6] VIVEK School of ERP, (2010) Cloud Computing, http://acharyavivek.blog.co.in/2010/04/12/cloud-computing-2/ (21 June 2010).

[7] Mohay, G., Anderson, A., Collie, B., De Vel, O., McKemmish, R., (2003) Computer and intrusion forensics, Artech House, Boston, ISBN 1-58053-369-8.

[8] Li, X., Seberry, J., (2003) Forensic computing, Lecture Notes in Computer Science, Springer, vol. 2904/2003, ISBN: 978-3-540-20609-5.

[9] Caloyannides, M., (2001) Privacy protection and computer forensics, Artech House, Boston, ISBN 1-58053-830-4.

[10] Standard Working Group on Digital Evidence (SWGDE) (1999) Digital evidence standards and principles, http://www.swgde.org/documents.html (20 June 2010).

[11] 7Safe Computer Forensics, (2009) ACPO guidelines for computer investigations and electronic evidence, http://www.7safe.com/electronic_evidence/ (20 June 2010).

[12] Stephenson, P., (2003) Modeling of post incident root cause analysis, International Journal of Digital Evidence, vol. 2(2).

[13] Reith, M., Carr, C., Gunsch, G., (2002) An examination of digital forensic models, International Journal of Digital Evidence, vol. 1(3).

[14] Carrier, B., Spafford, E., (2003) Getting physical with the digital investigation process, International Journal of Digital Evidence, vol. 2(2).

[15] Institute for Communications, Arbitration and Forensics, (2010) Mobile phone security solutions, http://www.security-technologynews.com/article/mobile-phone-security-solutions.html (21 June 2010).

[16] Bem, D., Huebner, E., (2007) Computer forensic analysis in a virtual environment, International Journal of Digital Evidence, vol. 6(2).

[17] Hay, B., Nance, K., (2008) Forensic examination of volatile system data using virtual introspection, ACM SIGOPS Operating Systems Review, vol. 42(3), ISSN: 0163-5980.

[18] Shavers, B., (2006) VMWare as a forensic tool, Forensic Focus, http://www.forensicfocus.com/vmware-forensic-tool (22 June 2010).

[19] Garfinkel, S., (2007) Commodity grid computing with Amazon’s S3 and EC2, login, USENIX, vol. 32(1), pp. 7-13.
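The hash-authentication point raised in sections 5.1 and 5.2 above (Amazon S3 records an MD5 when an object is stored, yet investigators still prefer to perform their own authentication) can be made concrete. The following is an added example, not code from the paper or from Amazon: it computes an independent MD5 and SHA-256 over an image in fixed-size pieces and compares the MD5 with the ETag string the store reported, treating a multipart-style ETag ("<hex>-<parts>", which S3 produces for multipart uploads and which is not an MD5 of the whole object) as not comparable. The image bytes and ETag strings are constructed for illustration; SHA-256 is added here as the investigator's own digest and is not mentioned in the paper.

```python
import hashlib
import re

CHUNK = 1024 * 1024  # hash images 1 MiB at a time so multi-GB images never sit in memory whole

# Single-part S3 upload: ETag is the object's MD5 (32 hex digits, usually quoted).
# Multipart upload: ETag is "<hex>-<parts>", an MD5 over the part MD5s, not of the object.
SINGLE_PART_ETAG = re.compile(r'^"?([0-9a-f]{32})"?$')
MULTIPART_ETAG = re.compile(r'^"?[0-9a-f]{32}-\d+"?$')


def hash_image(data, chunk=CHUNK):
    """Return (md5_hex, sha256_hex) of an image, computed piecewise.

    MD5 is kept only because that is what the store reports; SHA-256 is the
    investigator's own digest, recorded at acquisition and verifiable anywhere.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    for offset in range(0, len(data), chunk):
        piece = data[offset:offset + chunk]
        md5.update(piece)
        sha256.update(piece)
    return md5.hexdigest(), sha256.hexdigest()


def verify_against_etag(data, etag):
    """Compare an independently computed MD5 with the ETag the store returned.

    Returns "match", "mismatch", "not-comparable" (multipart ETag: not an MD5 of
    the object, so only the investigator's own recorded digest can authenticate
    it) or "unrecognised" (string is in neither ETag form).
    """
    local_md5, _ = hash_image(data)
    single = SINGLE_PART_ETAG.match(etag)
    if single:
        return "match" if single.group(1) == local_md5 else "mismatch"
    if MULTIPART_ETAG.match(etag):
        return "not-comparable"
    return "unrecognised"


if __name__ == "__main__":
    # Constructed stand-in for an acquired image; a real one would be streamed from disk.
    image = bytes(range(256)) * 4096
    md5_hex, sha_hex = hash_image(image)
    print("md5    ", md5_hex)
    print("sha256 ", sha_hex)
    print(verify_against_etag(image, '"%s"' % md5_hex))    # match
    print(verify_against_etag(image, '"%s-3"' % md5_hex))  # not-comparable
```

The SHA-256 recorded at acquisition is the value to carry through the chain of custody; the ETag comparison only confirms that the stored copy is the one uploaded, and says nothing when the object was uploaded in parts.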