A State-Of-The-Art Review of Cloud Forensics

Cloud computing and digital forensics are emerging fields of technology. Unlike traditional digital forensics where the target environment can be almost completely isolated, acquired and can be under the investigators control; in cloud environments, the distribution of computation and storage poses unique and complex challenges to the investigators. Recently, the term “cloud forensics” has an increasing presence in the field of digital forensics. In this state-of-the-art review, we included the most recent research efforts that used “cloud forensics” as a keyword and then classify the literature into three dimensions: (1) survey-based, (2) technology-based and (3) forensics-procedural-based. We discuss widely accepted standard bodies and their efforts to address the current trend of cloud forensics. Our aim is not only to reference related work based on the discussed dimensions, but also to analyse them and generate a mind map that will help in identifying research gaps. Finally, we summarize existing digital forensics tools and the available simulation environments that can be used for evidence acquisition, examination and cloud forensics test purposes

A forensic acquisition and analysis system for IaaS

Cloud computing is a promising next-generation computing paradigm that offers significant economic benefits to both commercial and public entities. Furthermore, cloud computing provides accessibility, simplicity, and portability for its customers. Due to the unique combination of characteristics that cloud computing introduces (including on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service), digital investigations face various technical, legal, and organizational challenges to keep up with current developments in the field of cloud computing. There are a wide variety of issues that need to be resolved in order to perform a proper digital investigation in the cloud environment. This paper examines the challenges in cloud forensics that are identified in the current research literature, alongside exploring the existing proposals and technical solutions addressed in the respective research. The open problems that need further effort are highlighted. As a result of the analysis of literature, it is found that it would be difficult, if not impossible, to perform an investigation and discovery in the cloud environment without relying on cloud service providers (CSPs). Therefore, dependence on the CSPs is ranked as the greatest challenge when investigators need to acquire evidence in a timely yet forensically sound manner from cloud systems. Thus, a fully independent model requires no intervention or cooperation from the cloud provider is proposed. This model provides a different approach to a forensic acquisition and analysis system (FAAS) in an Infrastructure as a Service model. FAAS seeks to provide a richer and more complete set of admissible evidences than what current CSPs provide, with no requirement for CSP involvement or modification to the CSP’s underlying architecture

Digital Forensics Investigation Frameworks for Cloud Computing and Internet of Things

Rapid growth in Cloud computing and Internet of Things (IoT) introduces new vulnerabilities that can be exploited to mount cyber-attacks. Digital forensics investigation is commonly used to find the culprit and help expose the vulnerabilities. Traditional digital forensics tools and methods are unsuitable for use in these technologies. Therefore, new digital forensics investigation frameworks and methodologies are required. This research develops frameworks and methods for digital forensics investigations in cloud and IoT platforms

A FORENSICALLY-ENABLED IAAS CLOUD COMPUTING ARCHITECTURE

Cloud computing has been advancing at an intense pace. It has become one of the most important research topics in computer science and information systems. Cloud computing offers enterprise-scale platforms in a short time frame with little effort. Thus, it delivers significant economic benefits to both commercial and public entities. Despite this, the security and subsequent incident management requirements are major obstacles to adopting the cloud. Current cloud architectures do not support digital forensic investigators, nor comply with today’s digital forensics procedures – largely due to the fundamental dynamic nature of the cloud. When an incident has occurred, an organization-based investigation will seek to provide potential digital evidence while minimising the cost of the investigation. Data acquisition is the first and most important process within digital forensics – to ensure data integrity and admissibility. However, access to data and the control of resources in the cloud is still very much provider-dependent and complicated by the very nature of the multi-tenanted operating environment. Thus, investigators have no option but to rely on the Cloud Service Providers (CSPs) to acquire evidence for them. Due to the cost and time involved in acquiring the forensic image, some cloud providers will not provide evidence beyond 1TB despite a court order served on them. Assuming they would be willing or are required to by law, the evidence collected is still questionable as there is no way to verify the validity of evidence and whether evidence has already been lost. Therefore, dependence on the CSPs is considered one of the most significant challenges when investigators need to acquire evidence in a timely yet forensically sound manner from cloud systems. This thesis proposes a novel architecture to support a forensic acquisition and analysis of IaaS cloud-base systems. The approach, known as Cloud Forensic Acquisition and Analysis System (Cloud FAAS), is based on a cluster analysis of non-volatile memory that achieves forensically reliable images at the same level of integrity as the normal “gold standard” computer forensic acquisition procedures with the additional capability to reconstruct the image at any point in time. Cloud FAAS fundamentally, shifts access of the data back to the data owner rather than relying on a third party. In this manner, organisations are free to undertaken investigations at will requiring no intervention or cooperation from the cloud provider. The novel architecture is validated through a proof-of-concept prototype. A series of experiments are undertaken to illustrate and model how Cloud FAAS is capable of providing a richer and more complete set of admissible evidence than what current CSPs are able to provide. Using Cloud FAAS, investigators have the ability to obtain a forensic image of the system after, just prior to or hours before the incident. Therefore, this approach can not only create images that are forensically sound but also provide access to deleted and more importantly overwritten files – which current computer forensic practices are unable to achieve. This results in an increased level of visibility for the forensic investigator and removes any limitations that data carving and fragmentation may introduce. In addition, an analysis of the economic overhead of operating Cloud FAAS is performed. This shows the level of disk change that occurs is well with acceptable limits and is relatively small in comparison to the total volume of memory available. The results show Cloud FAAS has both a technical and economic basis for solving investigations involving cloud computing.Saudi Governmen

Cloud Forensic: Issues, Challenges and Solution Models

Cloud computing is a web-based utility model that is becoming popular every day with the emergence of 4th Industrial Revolution, therefore, cybercrimes that affect web-based systems are also relevant to cloud computing. In order to conduct a forensic investigation into a cyber-attack, it is necessary to identify and locate the source of the attack as soon as possible. Although significant study has been done in this domain on obstacles and its solutions, research on approaches and strategies is still in its development stage. There are barriers at every stage of cloud forensics, therefore, before we can come up with a comprehensive way to deal with these problems, we must first comprehend the cloud technology and its forensics environment. Although there are articles that are linked to cloud forensics, there is not yet a paper that accumulated the contemporary concerns and solutions related to cloud forensic. Throughout this chapter, we have looked at the cloud environment, as well as the threats and attacks that it may be subjected to. We have also looked at the approaches that cloud forensics may take, as well as the various frameworks and the practical challenges and limitations they may face when dealing with cloud forensic investigations.Comment: 23 pages; 6 figures; 4 tables. Book chapter of the book titled "A Practical Guide on Security and Privacy in Cyber Physical Systems Foundations, Applications and Limitations", World Scientific Series in Digital Forensics and Cybersecurit

A Domain Specific Language for Digital Forensics and Incident Response Analysis

One of the longstanding conceptual problems in digital forensics is the dichotomy between the need for verifiable and reproducible forensic investigations, and the lack of practical mechanisms to accomplish them. With nearly four decades of professional digital forensic practice, investigator notes are still the primary source of reproducibility information, and much of it is tied to the functions of specific, often proprietary, tools. The lack of a formal means of specification for digital forensic operations results in three major problems. Specifically, there is a critical lack of: a) standardized and automated means to scientifically verify accuracy of digital forensic tools; b) methods to reliably reproduce forensic computations (their results); and c) framework for inter-operability among forensic tools. Additionally, there is no standardized means for communicating software requirements between users, researchers and developers, resulting in a mismatch in expectations. Combined with the exponential growth in data volume and complexity of applications and systems to be investigated, all of these concerns result in major case backlogs and inherently reduce the reliability of the digital forensic analyses. This work proposes a new approach to the specification of forensic computations, such that the above concerns can be addressed on a scientific basis with a new domain specific language (DSL) called nugget. DSLs are specialized languages that aim to address the concerns of particular domains by providing practical abstractions. Successful DSLs, such as SQL, can transform an application domain by providing a standardized way for users to communicate what they need without specifying how the computation should be performed. This is the first effort to build a DSL for (digital) forensic computations with the following research goals: 1) provide an intuitive formal specification language that covers core types of forensic computations and common data types; 2) provide a mechanism to extend the language that can incorporate arbitrary computations; 3) provide a prototype execution environment that allows the fully automatic execution of the computation; 4) provide a complete, formal, and auditable log of computations that can be used to reproduce an investigation; 5) demonstrate cloud-ready processing that can match the growth in data volumes and complexity

Proceedings of the 15th Australian Digital Forensics Conference, 5-6 December 2017, Edith Cowan University, Perth, Australia

Conference Foreword This is the sixth year that the Australian Digital Forensics Conference has been held under the banner of the Security Research Institute, which is in part due to the success of the security conference program at ECU. As with previous years, the conference continues to see a quality papers with a number from local and international authors. 8 papers were submitted and following a double blind peer review process, 5 were accepted for final presentation and publication. Conferences such as these are simply not possible without willing volunteers who follow through with the commitment they have initially made, and I would like to take this opportunity to thank the conference committee for their tireless efforts in this regard. These efforts have included but not been limited to the reviewing and editing of the conference papers, and helping with the planning, organisation and execution of the conference. Particular thanks go to those international reviewers who took the time to review papers for the conference, irrespective of the fact that they are unable to attend this year. To our sponsors and supporters a vote of thanks for both the financial and moral support provided to the conference. Finally, to the student volunteers and staff of the ECU Security Research Institute, your efforts as always are appreciated and invaluable. Yours sincerely, Conference ChairProfessor Craig ValliDirector, Security Research Institute Congress Organising Committee Congress Chair: Professor Craig Valli Committee Members: Professor Gary Kessler – Embry Riddle University, Florida, USA Professor Glenn Dardick – Embry Riddle University, Florida, USA Professor Ali Babar – University of Adelaide, Australia Dr Jason Smith – CERT Australia, Australia Associate Professor Mike Johnstone – Edith Cowan University, Australia Professor Joseph A. Cannataci – University of Malta, Malta Professor Nathan Clarke – University of Plymouth, Plymouth UK Professor Steven Furnell – University of Plymouth, Plymouth UK Professor Bill Hutchinson – Edith Cowan University, Perth, Australia Professor Andrew Jones – Khalifa University, Abu Dhabi, UAE Professor Iain Sutherland – Glamorgan University, Wales, UK Professor Matthew Warren – Deakin University, Melbourne Australia Congress Coordinator: Ms Emma Burk

Container and VM Visualization for Rapid Forensic Analysis

Cloud-hosted software such as virtual machines and containers are notoriously difficult to access, observe, and inspect during ongoing security events. This research describes a new, out-of-band forensic tool for rapidly analyzing cloud based software. The proposed tool renders two-dimensional visualizations of container contents and virtual machine disk images. The visualizations can be used to identify container / VM contents, pinpoint instances of embedded malware, and find modified code. The proposed new forensic tool is compared against other forensic tools in a double-blind experiment. The results confirm the utility of the proposed tool. Implications and future research directions are also described

Forensic Methods and Tools for Web Environments

abstract: The Web is one of the most exciting and dynamic areas of development in today’s technology. However, with such activity, innovation, and ubiquity have come a set of new challenges for digital forensic examiners, making their jobs even more difficult. For examiners to become as effective with evidence from the Web as they currently are with more traditional evidence, they need (1) methods that guide them to know how to approach this new type of evidence and (2) tools that accommodate web environments’ unique characteristics. In this dissertation, I present my research to alleviate the difficulties forensic examiners currently face with respect to evidence originating from web environments. First, I introduce a framework for web environment forensics, which elaborates on and addresses the key challenges examiners face and outlines a method for how to approach web-based evidence. Next, I describe my work to identify extensions installed on encrypted web thin clients using only a sound understanding of these systems’ inner workings and the metadata of the encrypted files. Finally, I discuss my approach to reconstructing the timeline of events on encrypted web thin clients by using service provider APIs as a proxy for directly analyzing the device. In each of these research areas, I also introduce structured formats that I customized to accommodate the unique features of the evidence sources while also facilitating tool interoperability and information sharing.Dissertation/ThesisDoctoral Dissertation Computer Science 201

Digital Forensics AI: on Practicality, Optimality, and Interpretability of Digital Evidence Mining Techniques

Digital forensics as a field has progressed alongside technological advancements over the years, just as digital devices have gotten more robust and sophisticated. However, criminals and attackers have devised means for exploiting the vulnerabilities or sophistication of these devices to carry out malicious activities in unprecedented ways. Their belief is that electronic crimes can be committed without identities being revealed or trails being established. Several applications of artificial intelligence (AI) have demonstrated interesting and promising solutions to seemingly intractable societal challenges. This thesis aims to advance the concept of applying AI techniques in digital forensic investigation. Our approach involves experimenting with a complex case scenario in which suspects corresponded by e-mail and deleted, suspiciously, certain communications, presumably to conceal evidence. The purpose is to demonstrate the efficacy of Artificial Neural Networks (ANN) in learning and detecting communication patterns over time, and then predicting the possibility of missing communication(s) along with potential topics of discussion. To do this, we developed a novel approach and included other existing models. The accuracy of our results is evaluated, and their performance on previously unseen data is measured. Second, we proposed conceptualizing the term “Digital Forensics AI” (DFAI) to formalize the application of AI in digital forensics. The objective is to highlight the instruments that facilitate the best evidential outcomes and presentation mechanisms that are adaptable to the probabilistic output of AI models. Finally, we enhanced our notion in support of the application of AI in digital forensics by recommending methodologies and approaches for bridging trust gaps through the development of interpretable models that facilitate the admissibility of digital evidence in legal proceedings