A forensic acquisition and analysis system for IaaS: Architectural model and experiment
Security Research Institute
Cloud computing has been advancing at a feverish pace. It has become one of the most important research topics in computer science and information systems. Cloud computing offers enterprise-scale platforms in a short time frame with little effort. Thus, it delivers significant economic benefits to both commercial and public entities. Despite this, the security and subsequent incident management requirements are major obstacles to adopting the cloud. Current cloud architectures do not support digital forensic investigators, nor do they comply with today's digital forensics procedures, largely due to the dynamic nature of the cloud. When an incident has occurred, an organization-based investigation will seek to provide potential digital evidence while minimizing the cost of investigation. However, all members engaging in digital forensics must rely, to a very significant degree, upon the assistance of cloud service providers (CSPs) to present relevant evidence. Unfortunately, providers often lack appropriate tools and features to perform adequate acquisition and analysis. Therefore, dependence on the CSPs is considered one of the most significant challenges when investigators need to acquire evidence from cloud systems in a timely yet forensically sound manner. This paper aims to achieve two objectives. The first is the development and validation of a forensic acquisition system in an Infrastructure as a Service (IaaS) model in order to ensure organizations remain in complete control, remove the burden/liability from the CSPs and make it easy to acquire the evidence in a forensically sound and timely manner. The second is to investigate the technical implications and costs that such a system imposes on the day-to-day operation of a cloud system.