Dominik Birk January 12, 2011
Abstract
Cloud Computing is arguably one of the most discussed information technology topics in recent times. It presents many promising technological and economic opportunities. However, many customers remain reluctant to move their business IT infrastructure completely to “the Cloud”. One of the main concerns of customers is Cloud security and the threat of the unknown. Cloud Service Providers (CSPs) encourage this perception by not letting their customers see what is behind their “virtual curtain”. A seldom discussed but, in this regard, highly relevant open issue is the ability to perform digital investigations. This continues to fuel insecurity on the sides of both providers and customers. In Cloud Forensics, the lack of physical access to servers constitutes a completely new and disruptive challenge for investigators. Due to the decentralized nature of data processing in the Cloud, traditional approaches to evidence collection and recovery are no longer practical. This paper focuses on the technical aspects of digital forensics in distributed Cloud environments. We contribute by assessing whether it is possible for the customer of Cloud Computing services to perform a traditional digital investigation from a technical standpoint. Furthermore, we discuss possible new methodologies that help customers perform such investigations, and discuss future issues.
1 Introduction
Although the Cloud might appear attractive to small as well as large companies, it does not come without its own unique problems and concerns. Outsourcing sensitive corporate data into the Cloud raises concerns regarding the privacy and security of the data. Security policies, companies' main pillar concerning security, cannot be easily deployed into distributed Cloud environments. This situation is further complicated by the unknown physical location of the company's