    Cloud application logging for forensics

    Logs are one of the most important pieces of analytical data in a cloud-based service infrastructure. At any point in time, service owners and operators need to understand the status of each infrastructure component for fault monitoring, to assess feature usage, and to monitor business processes. Application developers, as well as security personnel, need access to historic information for debugging and forensic investigations. This paper discusses a logging framework and guidelines that provide a proactive approach to logging to ensure that the data needed for forensic investigations has been generated and collected. The standardized framework eliminates the need for logging stakeholders to reinvent their own standards. These guidelines make sure that critical information associated with cloud infrastructure and software as a service (SaaS) use-cases is collected as part of a defense-in-depth strategy. In addition, they ensure that log consumers can effectively and easily analyze, process, and correlate the emitted log records. The theoretical foundations are emphasized in the second part of the paper, which covers the implementation of the framework in an example SaaS offering running on a public cloud service. While the framework is targeted towards and requires the buy-in of application developers, the data collected is critical to enable comprehensive forensic investigations. In addition, it helps IT architects and technical evaluators of logging architectures build a business-oriented logging framework.

    Calm before the storm: the challenges of cloud computing in digital forensics

    Cloud computing is a rapidly evolving information technology (IT) phenomenon. Rather than procure, deploy and manage a physical IT infrastructure to host their software applications, organizations are increasingly deploying their infrastructure into remote, virtualized environments, often hosted and managed by third parties. This development has significant implications for digital forensic investigators, equipment vendors, law enforcement, as well as corporate compliance and audit departments (among others). Much of digital forensic practice assumes careful control and management of IT assets (particularly data storage) during the conduct of an investigation. This paper summarises the key aspects of cloud computing and analyses how established digital forensic procedures will be invalidated in this new environment. Several new research challenges addressing this changing context are also identified and discussed.

    Forensic Analysis in Access Control: a Case-Study of a Cloud Application

    We discuss a case-study we have conducted on forensic analysis in access control. The case-study is an application in the Amazon Web Services (AWS) cloud provider. Forensic analysis is the investigation and analysis of evidence of possible wrongdoing. Access control is used to regulate accesses to computing resources. Both forensic analysis and access control are recognized as important aspects of the security of a system. We first argue that posing the forensic analysis problem in the context of access control is meaningful and useful towards the security of a system. We then summarize results on the computational hardness of the forensic analysis problem for two access control schemes from the research literature. We point out that these results suggest that meaningful logging information can render forensic analysis tractable, even efficient. We then instantiate the forensic analysis in access control problem in the context of a cloud application. A cloud application is a software service that can be accessed over the Internet and uses computing resources provided by a cloud provider. A cloud provider provides computing tools and services that can be administered over the Internet. The cloud provider we have adopted is AWS, and the application is "Hello Retail", an image-sourcing application for online retailers. In addressing forensic analysis in this context, our particular focus is the manner in which logging information can be leveraged. We ask two kinds of questions: (i) is particular logging information from AWS necessary to answer forensic analysis questions of interest, and, (ii) is particular logging information sufficient? We observe that from the standpoint of (i), default AWS logs have considerable redundancy. We propose an algorithm to prune logs for efficient forensic analysis. From the standpoint of (ii), we observe that it is not possible to definitively answer "yes" or "no" to forensic analysis questions of interest given only the information AWS permits us to log. We identify additional logging information that, if available, would be sufficient. Together, (i) and (ii) provide us with "goal-directed logging". We conclude by reiterating the benefits of forensic analysis in access control, and with suggestions for goal-directed logging in cloud systems.

    A forensically-enabled IaaS cloud computing architecture

    Current cloud architectures do not support digital forensic investigators, nor comply with today's digital forensics procedures, largely due to the dynamic nature of the cloud. Whilst much research has focused upon identifying the problems that are introduced with a cloud-based system, to date there is a significant lack of research on adapting current digital forensic tools and techniques to a cloud environment. Data acquisition is the first and most important process within digital forensics, needed to ensure data integrity and admissibility. However, access to data and the control of resources in the cloud is still very much provider-dependent and complicated by the very nature of the multi-tenanted operating environment. Thus, investigators have no option but to rely on cloud providers to acquire evidence, assuming they would be willing or are required to by law. Furthermore, the evidence collected by the Cloud Service Providers (CSPs) is still questionable, as there is no way to verify the validity of this evidence and whether evidence has already been lost. This paper proposes a forensic acquisition and analysis model that fundamentally shifts responsibility for the data back to the data owner rather than relying upon a third party. In this manner, organisations are free to undertake investigations at will, requiring no intervention or cooperation from the cloud provider. The model aims to provide a richer and more complete set of admissible evidence than what current CSPs are able to provide.

    CloudMe forensics: a case of big-data investigation

    The significant increase in the volume, variety and velocity of data complicates cloud forensic efforts, as such big data will, at some point, become computationally expensive to be fully extracted and analyzed in a timely manner. Thus, it is important for a digital forensic practitioner to have a well-rounded knowledge about the most relevant data artefacts that could be forensically recovered from the cloud product under investigation. In this paper, CloudMe, a popular cloud storage service, is studied. The types and locations of the artefacts relating to the installation and uninstallation of the client application, logging in and out, and file synchronization events from the computer desktop and mobile clients are described. Findings from this research will pave the way towards the development of tools and techniques (e.g. data mining techniques) for cloud-enabled big data endpoint forensics investigation.