A forensic acquisition based upon a cluster analysis of non-volatile memory in IaaS

Document Type

Conference Proceeding


Institute of Electrical and Electronics Engineers Inc.

Place of Publication

United States


Security Research Institute




Alqahtany, S., Clarke, N., Furnell, S., & Reich, C. (2017, March). A forensic acquisition based upon a cluster analysis of non-volatile memory in IaaS. In Anti-Cyber Crimes (ICACC), 2017 2nd International Conference on (pp. 123-128). IEEE. Available here.


Cloud computing technologies have significantly changed the way in which organizations implement their information technology infrastructure. It is a new paradigm that turned the long-held promises of computing services into reality. It allows organizations to focus on their business with minimal effort placed upon building, managing and maintaining their IT requirements. However, security and incident management requirements are still extremely challenging. Unfortunately, the underlining architecture of cloud computing poses a range of technical and organizational issues for digital investigators. Due to the dynamic nature of cloud computing, current forensic tools and procedures have ranges of limitations. Such limitations lead to devastating consequences including heavy monetary fines or even forcing the organization out of the business. However, an increasing emphasis has been placed on investigating the issues pertained to data acquisition - as it is the first and most difficult problem to be solved when conducting cloud based digital investigation. This study identifies the challenges in cloud forensics related to data acquisition and proposes a novel technique based upon a cluster analysis of non-volatile memory. The approach achieves forensically reliable images at the same level of integrity as the traditional computer forensic acquisition procedures with the additional capability to restore the virtual hard disk as a forensic image at any given time.



Access Rights

subscription content