
Technical Issues of Forensic Investigations in Cloud Computing Environments

Dominik Birk, Ruhr-University Bochum, Horst Goertz Institute for IT Security, Bochum, Germany, Email: dominik.birk@rub.de
Christoph Wegener, Ruhr-University Bochum, Horst Goertz Institute for IT Security, Bochum, Germany, Email: christoph.wegener@rub.de

We would like to thank the reviewers for the helpful comments and Dennis Heinson (Center for Advanced Security Research Darmstadt - CASED) for the profound discussions regarding the legal aspects of cloud forensics.

Abstract—Cloud Computing is arguably one of the most discussed information technologies today. It presents many promising technological and economic opportunities. However, many customers remain reluctant to move their business IT infrastructure completely to the cloud. One of their main concerns is Cloud Security and the threat of the unknown. Cloud Service Providers (CSP) encourage this perception by not letting their customers see what is behind their virtual curtain. A seldom discussed, but in this regard highly relevant open issue is the ability to perform digital investigations. This continues to fuel insecurity on the sides of both providers and customers. Cloud Forensics constitutes a new and disruptive challenge for investigators. Due to the decentralized nature of data processing in the cloud, traditional approaches to evidence collection and recovery are no longer practical. This paper focuses on the technical aspects of digital forensics in distributed cloud environments. We contribute by assessing whether it is possible for the customer of cloud computing services to perform a traditional digital investigation from a technical point of view. Furthermore, we discuss possible solutions and possible new methodologies helping customers to perform such investigations.

I. INTRODUCTION

Although the cloud might appear attractive to small as well as to large companies, it does not come without its own unique problems. Outsourcing sensitive corporate data into the cloud raises concerns regarding the privacy and security of data. Security policies, a company's main pillar concerning security, cannot be easily deployed into distributed, virtualized cloud environments. This situation is further complicated by the unknown physical location of the company's assets. Normally, if a security incident occurs, the corporate security team wants to be able to perform its own investigation without dependency on third parties. In the cloud, this is not possible anymore: the CSP obtains all the power over the environment and thus controls the sources of evidence. In the best case, a trusted third party acts as a trustee and guarantees the trustworthiness of the CSP.

Furthermore, the implementation of the technical architecture and the circumstances within cloud computing environments bias the way an investigation may be processed. In detail, evidence data has to be interpreted by an investigator in a proper manner, which is hardly possible due to the lack of circumstantial information. For auditors, this situation does not change: questions about who accessed specific data and information cannot be answered by the customers if no corresponding logs are available.

With the increasing demand for using the power of the cloud also for processing sensitive information and data, enterprises face the issue of Data and Process Provenance in the cloud [10]. Digital provenance, meaning meta-data that describes the ancestry or history of a digital object, is a crucial feature for forensic investigations. In combination with a suitable authentication scheme, it provides information about who created and who modified what kind of data in the cloud. These are crucial aspects for digital investigations in distributed environments such as the cloud.

Unfortunately, the aspects of forensic investigations in distributed environments have so far been mostly neglected by the research community. Current discussion centers mostly around security, privacy and data protection issues [35], [9], [12]. The impact of forensic investigations on cloud environments was little noticed, albeit mentioned by the authors of [1] in 2009: "[...] to our knowledge, no research has been published on how cloud computing environments affect digital artifacts, and on acquisition logistics and legal issues related to cloud computing environments." This statement is also confirmed by other authors [34], [36], [40], stressing that further research on incident handling, evidence tracking and accountability in cloud environments has to be done.

At the same time, massive investments are being made in cloud technology. Combined with the fact that information technology increasingly transcends people's private and professional lives, thus mirroring more and more of people's actions, it becomes apparent that evidence gathered from cloud environments will be of high significance to litigation or criminal proceedings in the future.

Within this work, we focus on the notion of cloud forensics by addressing the technical issues of forensics in all three major cloud service models and consider cross-disciplinary aspects. Moreover, we address the usability of various sources of evidence for investigative purposes and propose potential solutions to the issues from a practical standpoint. This work

Authorized licensed use limited to: The Islamia University of Bahawalpur. Downloaded on May 26,2021 at 10:29:53 UTC from IEEE Xplore. Restrictions apply.
should be considered as a surveying discussion of an almost unexplored research area.

The paper is organized as follows: we discuss the related work and the fundamental technical background information on digital forensics, cloud computing and the fault model in sections II and III. In section IV, we focus on the technical issues of cloud forensics and discuss the potential sources and nature of digital evidence as well as investigations in XaaS environments, including the cross-disciplinary aspects. We conclude in section V.

II. RELATED WORK

Various works have been published in the field of cloud security and privacy [9], [35], [30], focussing on aspects of protecting data in multi-tenant, virtualized environments. Desired security characteristics for current cloud infrastructures mainly revolve around isolation of multi-tenant platforms [12], security of hypervisors in order to protect virtualized guest systems, and secure network infrastructures [32].

Albeit digital provenance, describing the ancestry of digital objects, still remains a challenging issue for cloud environments, several works have already been published in this field [8], [10] contributing to the issues of cloud forensics. Within this context, cryptographic proofs for verifying data integrity, mainly in cloud storage offers, have been proposed, yet practical implementations are lacking [24], [37], [23].

Traditional computer forensics already has well-researched methods for various fields of application [4], [5], [6], [11], [13]. Also the aspects of forensics in virtual systems have been addressed by several works [2], [3], [20], including the notion of virtual introspection [25]. In addition, the NIST already addressed Web Service Forensics [22], which has a huge impact on investigation processes in cloud computing environments.

In contrast, the aspects of forensic investigations in cloud environments have mostly been neglected by both the industry and the research community. One of the first papers focusing on this topic was published by Wolthusen [40] after Bebee et al. had already introduced problems within cloud environments [1]. Wolthusen stressed that there is an inherent strong need for interdisciplinary work linking the requirements and concepts of evidence arising from the legal field to what can be feasibly reconstructed and inferred algorithmically or in an exploratory manner. In 2010, Grobauer et al. [36] published a paper discussing the issues of incident response in cloud environments; unfortunately, no specific issues and solutions of cloud forensics have been proposed, which will be done within this work.

III. TECHNICAL BACKGROUND

A. Traditional Digital Forensics

The notion of Digital Forensics is widely known as the practice of identifying, extracting and considering evidence from digital media. Unfortunately, digital evidence is both fragile and volatile and therefore requires the attention of special personnel and methods in order to ensure that evidence data can be properly isolated and evaluated.

Normally, the process of a digital investigation can be separated into three different steps, each having its own specific purpose:

1) In the Securing Phase, the major intention is the preservation of evidence for analysis. The data has to be collected in a manner that maximizes its integrity. This is normally done by a bitwise copy of the original media. As can be imagined, this represents a huge problem in the field of cloud computing, where you never know exactly where your data is and additionally do not have access to any physical hardware. However, the snapshot technology, discussed in section IV-B3, provides a powerful tool to freeze system states and thus makes digital investigations, at least in IaaS scenarios, theoretically possible.

2) We refer to the Analyzing Phase as the stage in which the data is sifted and combined. It is in this phase that the data from multiple systems or sources is pulled together to create as complete a picture and event reconstruction as possible. Especially in distributed system infrastructures, this means that bits and pieces of data are pulled together for deciphering the real story of what happened and for providing a deeper look into the data.

3) Finally, at the end of the examination and analysis of the data, the results of the previous phases will be reprocessed in the Presentation Phase. The report created in this phase is a compilation of all the documentation and evidence from the analysis stage. The main intention of such a report is that it contains all results and is complete and clear to understand.

Obviously, the success of these three steps strongly depends on the first stage. If it is not possible to secure the complete set of evidence data, no exhaustive analysis will be possible. However, in real-world scenarios often only a subset of the evidence data can be secured by the investigator. In addition, an important definition in the general context of forensics is the notion of a Chain of Custody. This chain clarifies how and where evidence is stored and who takes possession of it. Especially for cases which are brought to court, it is crucial that the chain of custody is preserved.

B. Cloud Computing

According to the NIST [16], cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal CSP interaction. The new raw definition of cloud computing brought several new characteristics such as multi-tenancy, elasticity, pay-as-you-go and reliability. Within this work, the following three models are used:

In the Infrastructure as a Service (IaaS) model, the customer is using the virtual machine provided by the CSP for installing his own system on it. The system can be used like any

other physical computer with a few limitations. However, the additional customer power over the system comes along with additional security obligations. Platform as a Service (PaaS) offerings provide the capability to deploy application packages created using the virtual development environment supported by the CSP. For the efficiency of the software development process, this service model can be propelling. In the Software as a Service (SaaS) model, the customer makes use of a service run by the CSP on a cloud infrastructure. In most of the cases this service can be accessed through an API for a thin client interface such as a web browser. Closed-source public SaaS offers such as Amazon S3 and GoogleMail can only be used in the public deployment model, leading to further issues concerning security, privacy and the gathering of suitable evidence.

Furthermore, two main deployment models, private and public cloud, have to be distinguished. Common public clouds are made available to the general public. The corresponding infrastructure is owned by one organization acting as a CSP and offering services to its customers. In contrast, the private cloud is exclusively operated for an organization but may not provide the scalability and agility of public offers. The additional notions of community and hybrid cloud are not explicitly covered within this work. However, independently of the specific model used, the movement of applications and data to the cloud comes along with limited control for the customer over the application itself, the data pushed into the applications and also the underlying technical infrastructure.

C. Fault Model

Be it an account for a SaaS application, a development environment (PaaS) or a virtual image of an IaaS environment, systems in the cloud can be affected by inconsistencies. Hence, for both customer and CSP it is crucial to have the ability to assign faults to the causing party, even in the presence of Byzantine behavior [33].

Generally, inconsistencies can be caused by the following two reasons:

1) Maliciously Intended Faults
Internal or external adversaries with specific malicious intentions can cause faults on cloud instances or applications. Economic rivals as well as former employees can be the reason for these faults and constitute a constant threat to customers and CSP. In this model, a malicious CSP is also included, albeit it is assumed to be rare in real-world scenarios. Additionally, from the technical point of view, the movement of computing power to a virtualized, multi-tenant environment can pose further threats and risks to the systems. One reason for this is that if a single system or service in the cloud is compromised, all other guest systems and even the host system are at risk. Hence, besides the need for further security measures, precautions for potential forensic investigations have to be taken into consideration.

2) Unintentional Faults
Inconsistencies in technical systems or processes in the cloud do not necessarily have to be caused by malicious intent. Internal communication errors or human failures can lead to issues in the services offered to the customer (i.e. loss or modification of data). Although these failures are not caused intentionally, both the CSP and the customer have a strong intention to discover the reasons and deploy corresponding fixes.

IV. TECHNICAL ISSUES

Digital investigations are about control of forensic evidence data. From the technical standpoint, this data can be available in three different states: at rest, in motion or in execution. Data at rest is represented by allocated disk space. Whether the data is stored in a database or in a specific file format, it allocates disk space. Furthermore, if a file is deleted, the disk space is de-allocated for the operating system but the data is still accessible as long as the disk space has not been re-allocated and overwritten. This fact is often exploited by investigators who explore this de-allocated disk space on hard disks.

In case the data is in motion, data is transferred from one entity to another; e.g. a typical file transfer over a network can be seen as a data-in-motion scenario. Several encapsulated protocols contain the data, each leaving specific traces on systems and network devices which can in return be used by investigators.

Data can be loaded into memory and executed as a process. In this case, the data is neither at rest nor in motion but in execution. On the executing system, process information, machine instructions and allocated/de-allocated data can be analyzed by creating a snapshot of the current system state.

In the following sections, we point out the potential sources of evidential data in cloud environments, discuss the technical issues of digital investigations in XaaS environments, and suggest several solutions to these problems.

A. Sources and Nature of Evidence

Concerning the technical aspects of forensic investigations, the amount of potential evidence available to the investigator strongly diverges between the different cloud service and deployment models.

The virtual machine (VM), hosting in most of the cases the server application, provides several pieces of information that could be used by investigators. On the network level, network components can provide information about possible communication channels between the different parties involved. The browser on the client, often acting as the user agent for communicating with the cloud, also contains a lot of information that could be used as evidence in a forensic investigation. Independently of the used model, the following three components could act as sources for potential evidential data.

1) Virtual Cloud Instance: The VM within the cloud, where data is stored or processes are handled, contains potential evidence [2], [3]. In most of the cases, it is the place where an incident happened and hence provides a good starting point for a forensic investigation. The VM instance can be accessed by both the CSP and the customer who is running the instance. Furthermore, virtual introspection techniques [25] provide access to the runtime state of the VM via the hypervisor, and snapshot technology supplies a powerful technique for the customer to freeze specific states of the VM. Therefore, virtual instances can still be running during analysis, which leads to the case of live investigations [41], or can be turned off, leading to static image analysis. In SaaS and PaaS scenarios, the ability to access the virtual instance for gathering evidential information is highly limited or simply not possible.

2) Network Layer: Traditional network forensics is known as the analysis of network traffic logs for tracing events that have occurred in the past. Since the different ISO/OSI network layers provide various information on protocols and communication between instances within as well as with instances outside the cloud [4], [5], [6], network forensics is theoretically also feasible in cloud environments. However, in practice, ordinary CSP currently do not provide any log data from the network components used by the customer's instances or applications. For instance, in case of a malware infection of an IaaS VM, it will be difficult for the investigator to get any form of routing information and network log data in general, which is crucial for further investigative steps. This situation gets even more complicated in case of PaaS or SaaS. So again, the situation of gathering forensic evidence is strongly affected by the support the investigator receives from the customer and the CSP.

3) Client System: On the system layer of the client, it completely depends on the used model (IaaS, PaaS, SaaS) if and where potential evidence could be extracted. In most of the scenarios, the user agent (e.g. the web browser) on the client system is the only application that communicates with the service in the cloud. This especially holds for SaaS applications which are used and controlled by the web browser. But also in IaaS scenarios, the administration interface is often controlled via the browser. Hence, in an exhaustive forensic investigation, the evidence data gathered from the browser environment [7] should not be omitted.

a) Browser Forensics: Generally, the circumstances leading to an investigation have to be differentiated: in ordinary scenarios, the main goal of an investigation of the web browser is to determine if a user has been the victim of a crime. In complex SaaS scenarios with high client-server interaction, this constitutes a difficult task. Additionally, customers make heavy use of third-party extensions [17] which can be abused for malicious purposes. Hence, the investigator might want to look for malicious extensions, searches performed, websites visited, files downloaded, information entered in forms or stored in local HTML5 stores, web-based email contents and persistent browser cookies for gathering potential evidence data. Within this context, it is essential to investigate the appearance of malicious JavaScript [18] leading to e.g. unintended AJAX requests and hence modified usage of administration interfaces. Generally, the web browser contains a lot of electronic evidence data that could be used to give an answer to both of the above questions, even if the private mode is switched on [19].

B. Investigations in XaaS Environments

Traditional digital forensic methodologies permit investigators to seize equipment and perform detailed analysis on the media and data recovered [11]. In a distributed infrastructure organization like the cloud computing environment, investigators are confronted with an entirely different situation. They no longer have the option of seizing physical data storage. Data and processes of the customer are dispersed over an undisclosed number of virtual instances, applications and network elements. Hence, it is in question whether preliminary findings of the computer forensic community in the field of digital forensics have to be revised and adapted to the new environment.

Within this section, specific issues of investigations in SaaS, PaaS and IaaS environments will be discussed. In addition, cross-disciplinary issues which affect several environments uniformly will be taken into consideration. We also suggest potential solutions to the mentioned problems.

1) SaaS Environments: Especially in the SaaS model, the customer does not obtain any control of the underlying operating infrastructure such as network, servers, operating systems or the application that is used. This means that no deeper view into the system and its underlying infrastructure is provided to the customer. Only limited user-specific application configuration settings can be controlled, contributing to the evidence which can be extracted from the client (see section IV-A3). In a lot of cases this urges the investigator to rely on high-level logs which are eventually provided by the CSP. Given the case that the CSP does not run any logging application, the customer has no opportunity to create any useful evidence through the installation of any toolkit or logging tool. These circumstances do not allow a valid forensic investigation and lead to the assumption that customers of SaaS offers do not have any chance to analyze potential incidents.

a) Data Provenance: The notion of Digital Provenance is known as meta-data that describes the ancestry or history of digital objects. Secure provenance that records ownership and process history of data objects is vital to the success of data forensics in cloud environments, yet it is still a challenging issue today [8]. Albeit data provenance is of high significance also for IaaS and PaaS, it constitutes a huge problem specifically for SaaS-based applications:

Current globally acting public SaaS CSP offer Single Sign-On (SSO) access control to the set of their services. Unfortunately, in case of an account compromise, most of the CSP do not offer any possibility for the customer to figure out which data and information has been accessed by the adversary. For the victim, this situation can have tremendous impact: if sensitive data has been compromised, it is unclear which data has been leaked and which has not been accessed by the adversary. Additionally, data could be modified or deleted by an external adversary or even by the CSP, e.g. due to storage reasons. The customer has no ability to prove otherwise. Secure provenance mechanisms for distributed environments can improve this situation but have not been practically implemented by CSP [10].

Suggested Solution:
In private SaaS scenarios this situation is improved by the fact that the customer and the CSP are probably under the same authority. Hence, logging and provenance mechanisms could be implemented which contribute to potential investigations. Additionally, the exact location of the servers and the data is known at any time.

Public SaaS CSP should offer additional interfaces for the purpose of compliance, forensics, operations and security matters to their customers. Through an API, the customers should have the ability to receive specific information such as access, error and event logs that could improve their situation in case of an investigation. Furthermore, due to the limited ability of receiving forensic information from the server and proving the integrity of stored data in SaaS scenarios, the client has to contribute to this process. This could be achieved by implementing Proofs of Retrievability (POR), in which a verifier (client) is enabled to determine that a prover (server) possesses a file or data object and that it can be retrieved unmodified [24]. Provable Data Possession (PDP) techniques [37] could be used to verify that an untrusted server possesses the original data without the need for the client to retrieve it. Although these cryptographic proofs have not been implemented by any CSP, the authors of [23] introduced a new data integrity verification mechanism for SaaS scenarios which could also be used for forensic purposes.

2) PaaS Environments: One of the main advantages of the PaaS model is that the developed software application is under the control of the customer and, except for some CSP, the source code of the application does not have to leave the local development environment. Given these circumstances, the customer theoretically obtains the power to dictate how the application interacts with other dependencies such as databases, storage entities etc. CSP normally claim this transfer is encrypted, but this statement can hardly be verified by the customer. Since the customer has the ability to interact with the platform over a prepared API, system states and specific application logs can be extracted. However, potential adversaries who can compromise the application during runtime should not be able to alter these log files afterwards.

Suggested Solution:
Depending on the runtime environment, logging mechanisms could be implemented which automatically sign and encrypt the log information before its transfer to a central logging server under the control of the customer. Additional signing and encrypting could prevent potential eavesdroppers from being able to view and alter log data information on the way to the logging server. Runtime compromise of a PaaS application by adversaries could be monitored by push-only mechanisms for log data, presupposing that the information needed to detect such an attack is logged. Increasingly, CSP offering PaaS solutions give developers the ability to collect and store a variety of diagnostics data in a highly configurable way with the help of runtime feature sets [38].

3) IaaS Environments: As expected, even virtual instances in the cloud get compromised by adversaries. Hence, the ability to determine how defenses in the virtual environment failed and to what extent the affected systems have been compromised is crucial not only for recovering from an incident. Forensic investigations also gain leverage from such information and contribute to resilience against future attacks on the systems.

From the forensic point of view, IaaS instances do provide much more evidence data usable for potential forensics than PaaS and SaaS models do. This fact is caused by the ability of the customer to install and set up the image for forensic purposes before an incident occurs. Hence, as proposed for PaaS environments, log data and other forensic evidence information could be signed and encrypted before it is transferred to third-party hosts, mitigating the chance that a maliciously motivated shutdown process destroys the volatile data.

Although IaaS environments provide plenty of potential evidence, it has to be emphasized that the customer VM is in the end still under the control of the CSP. The CSP controls the hypervisor, which is e.g. responsible for enforcing hardware boundaries and routing hardware requests among different VMs. Hence, besides the security responsibilities of the hypervisor, the CSP exerts tremendous control over how customers' VMs communicate with the hardware and theoretically can intervene in processes executed on the hosted virtual instance through virtual introspection [25]. This could also affect encryption or signing processes executed on the VM, thereby leading to the leakage of the secret key. Although this risk can be disregarded in most of the cases, the impact on the security of high-security environments is tremendous.

a) Snapshot Analysis: Traditional forensics expects target machines to be powered down to collect an image (dead virtual instance). This situation completely changed with the advent of the snapshot technology, which is supported by all popular hypervisors such as Xen, VMware ESX and Hyper-V. A snapshot, also referred to as the forensic image of a VM, provides a powerful tool with which a virtual instance can be cloned
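The client-side integrity check suggested above for SaaS, as an added example that is not part of the paper: a simplified precomputed-challenge scheme in which the verifier keeps only nonces and expected digests and spends one challenge per audit, so the server must still hold the exact bytes of the challenged blocks to answer. It is a spot-check in the spirit of POR/PDP, not the schemes of [24] or [37]; the names, block size and sample data are assumptions.

```python
"""Client-side spot-check that a provider still holds a file unmodified.

Constructed illustration, not the paper's code and not the full POR [24] or
PDP [37] schemes: the verifier precomputes challenge responses while it
still has the file, keeps only those, and later asks the prover to
recompute one. Every name in this file is an assumption for the example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from math import comb

BLOCK_SIZE = 64  # bytes per block; small so the sample data yields several blocks


def split_blocks(data: bytes) -> list[bytes]:
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


def prover_response(blocks: list[bytes], nonce: bytes, indices: list[int]) -> bytes:
    """Server side: hash the fresh nonce together with the challenged blocks.

    No secret is involved; a correct answer is only possible if the server
    still holds the exact bytes of every challenged block.
    """
    h = hashlib.sha256(nonce)
    for i in indices:
        h.update(i.to_bytes(4, "big"))
        h.update(blocks[i])
    return h.digest()


@dataclass
class Challenge:
    nonce: bytes
    indices: list[int]
    expected: bytes


@dataclass
class Verifier:
    """Client side. Challenges are single-use: once a nonce has been sent the
    server could simply cache the answer, so each one is discarded after use.
    """
    challenges: list[Challenge] = field(default_factory=list)

    def prepare(self, data: bytes, count: int, blocks_per_challenge: int) -> None:
        """Precompute `count` challenges while a trusted copy is still at hand."""
        blocks = split_blocks(data)
        rng = secrets.SystemRandom()
        k = min(blocks_per_challenge, len(blocks))
        for _ in range(count):
            nonce = secrets.token_bytes(16)
            indices = sorted(rng.sample(range(len(blocks)), k))
            self.challenges.append(
                Challenge(nonce, indices, prover_response(blocks, nonce, indices)))

    def audit(self, ask_server) -> bool:
        """Spend one challenge; ask_server(nonce, indices) -> bytes is the
        transport to the provider. True means the response matched."""
        if not self.challenges:
            raise RuntimeError("challenge budget exhausted; re-prepare from a trusted copy")
        c = self.challenges.pop()
        return hmac.compare_digest(c.expected, ask_server(c.nonce, c.indices))


def detection_probability(n_blocks: int, sampled: int, corrupted: int) -> float:
    """Chance that one challenge of `sampled` blocks touches at least one of
    `corrupted` altered blocks, i.e. the bandwidth/assurance trade-off."""
    return 1 - comb(n_blocks - corrupted, sampled) / comb(n_blocks, sampled)


def demo() -> tuple[bool, bool]:
    """Honest provider passes; one that silently altered a record fails."""
    # constructed sample "file" of 40 short records
    original = b"".join(f"record {n:04d}: customer ledger line\n".encode() for n in range(40))
    verifier = Verifier()
    # challenge every block so the outcome is deterministic; a real deployment
    # samples fewer blocks per challenge and relies on detection_probability()
    verifier.prepare(original, count=2, blocks_per_challenge=len(split_blocks(original)))

    honest = split_blocks(original)
    tampered = split_blocks(original.replace(b"record 0017", b"record XXXX"))
    ok_honest = verifier.audit(lambda nonce, idx: prover_response(honest, nonce, idx))
    ok_tampered = verifier.audit(lambda nonce, idx: prover_response(tampered, nonce, idx))
    return ok_honest, ok_tampered


if __name__ == "__main__":
    print("honest, tampered:", demo())
    print("p(detect 1 bad block, 10 of 40 sampled):", detection_probability(40, 10, 1))
```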
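The signed, push-only log forwarding proposed for PaaS above and reused for IaaS, as an added example that is not from the paper: each record is MAC-authenticated and hash-chained to its predecessor, and the customer's collector accepts only the next in-sequence record, so a later runtime compromise of the application cannot rewrite already pushed history. HMAC stands in for the signature, transport encryption is assumed to come from the transport (e.g. TLS), and all names are assumptions.

```python
"""Push-only, tamper-evident log forwarding from a cloud-hosted application.

Constructed example for the PaaS and IaaS suggestions above, not the paper's
code: every record is chained to its predecessor and authenticated with a
key, and the customer's collector accepts only the next record in sequence.
HMAC stands in for the signature; encryption in transit (e.g. TLS) is assumed
to be handled by the transport. All names are assumptions for the example.
"""
import hashlib
import hmac
import json
from typing import Optional

GENESIS = b"\x00" * 32  # chain head before the first record


def _canonical(rec: dict) -> bytes:
    """Stable byte form of the authenticated fields."""
    body = {k: rec[k] for k in ("seq", "ts", "msg", "prev")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, rec: dict) -> str:
    return hmac.new(key, _canonical(rec), hashlib.sha256).hexdigest()


def _link(rec: dict) -> bytes:
    """Hash that the next record must name as its predecessor."""
    return hashlib.sha256(_canonical(rec) + bytes.fromhex(rec["mac"])).digest()


class AppLogger:
    """Runs inside the (untrusted) cloud instance and only ever pushes.

    The key lives on the instance, so an adversary who takes over the
    application later can forge *future* records (and, per the IaaS caveat
    above, a hostile hypervisor could read the key), but cannot rewrite what
    was already pushed without breaking the chain held by the collector.
    """
    def __init__(self, key: bytes):
        self.key, self.seq, self.prev = key, 0, GENESIS

    def emit(self, ts: int, msg: str) -> dict:
        rec = {"seq": self.seq, "ts": ts, "msg": msg, "prev": self.prev.hex()}
        rec["mac"] = _mac(self.key, rec)
        self.seq, self.prev = self.seq + 1, _link(rec)
        return rec


class Collector:
    """Customer-controlled logging server: push() is the only write path,
    there is no modify or delete operation."""
    def __init__(self, key: bytes):
        self.key = key
        self.records: list[dict] = []

    def push(self, rec: dict) -> bool:
        expected_prev = _link(self.records[-1]) if self.records else GENESIS
        in_order = rec["seq"] == len(self.records)
        chained = bytes.fromhex(rec["prev"]) == expected_prev
        authentic = hmac.compare_digest(_mac(self.key, rec), rec["mac"])
        if not (in_order and chained and authentic):
            return False
        self.records.append(rec)
        return True

    def first_broken(self) -> Optional[int]:
        """Audit the stored chain; index of the first bad record, or None."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if (rec["seq"] != i or bytes.fromhex(rec["prev"]) != prev
                    or not hmac.compare_digest(_mac(self.key, rec), rec["mac"])):
                return i
            prev = _link(rec)
        return None


def demo() -> dict:
    key = b"constructed-demo-key"  # provisioned out of band in practice
    app, srv = AppLogger(key), Collector(key)
    events = ["admin login alice", "config export started", "api key rotated"]
    pushed = [srv.push(app.emit(1_700_000_000 + i, m)) for i, m in enumerate(events)]
    # an adversary now controlling the app tries to overwrite pushed record 1
    forged = app.emit(1_700_000_010, "nothing happened")
    forged["seq"] = 1
    forge_rejected = not srv.push(forged)
    # an adversary who somehow edits the stored copy is caught on audit
    srv.records[1]["msg"] = "nothing happened"
    return {"pushed": all(pushed), "forge_rejected": forge_rejected,
            "first_broken": srv.first_broken()}


if __name__ == "__main__":
    print(demo())
```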

by one click, including also the running system's memory. Due to the invention of the snapshot technology, systems hosting crucial business processes do not have to be powered down for forensic investigation purposes. The investigator simply creates and loads a snapshot of the target VM for analysis (live virtual instance). This behavior is especially important for scenarios in which a downtime of a system is not feasible or practical due to existing SLA. However, the information whether the machine is running or has been properly powered down is crucial [3] for the investigation.

Live investigations of running virtual instances become more common, providing evidence data that is not available on powered-down systems. The technique of live investigation is mostly influenced by the huge amount of evidence data that has to be stored and processed in case of powered-down instances. Nevertheless, if no snapshot of the target VM is used, it cannot be denied that live investigations change the state of the investigated system and the results of the investigation may not be repeatable. Unfortunately, this does not prevent a lot of companies from mostly performing live investigations due to the bond of legislation and government-contracting agreements.

b) Volatile Data: Depending on the cloud offer used, IaaS VMs do not have any persistent storage. This means in most of the cases all volatile data is lost if the VM is rebooted or powered down. The on-demand characteristic of the cloud is one reason for such behavior. Furthermore, with the help of such measures, CSP force their customers to subscribe to further offers for storing data persistently, leading to further costs.

Generally, this situation leads to several issues: in case an adversary compromises a VM with no persistent storage synchronization, the adversary could shut down the system, leading to a complete loss of volatile data if no further countermeasures are installed. Additionally, the instance could be abused for sending spam, attacking further external and internal

Suggested Solution:
As live investigations become more common, the method of Virtual Introspection (VI) for live forensics of virtual instances could be helpful [25]. VI is the process by which the state of a virtual machine is observed from either the hypervisor or from some virtual machines other than the one being examined. However, the fact that the hypervisor has full access to the resources of all VMs represents a significant risk to customers' data. The issue whether VMs can ever be managed by a hypervisor while simultaneously being protected from a compromised hypervisor remains an open research problem.

The loss of huge amounts of volatile data could be mitigated through frequent data synchronization between the VM and the persistent storage or a non-cloud-based storage. However, the loss of volatile data on running systems compromised by an adversary cannot be mitigated if the CSP does not take precautions. One solution to provide the ability of performing an investigation, given the case an instance has been compromised, is by providing an API to the customers. In case of malicious behavior or unintended shutdown of the instance, the customer can read forensic evidence information over the API, which stores significant information for a given time.

4) Cross-Disciplinary Issues: Besides the specific issues discussed in the previous sections, several cross-disciplinary aspects of forensics in cloud infrastructures have to be considered which apply to each service model alike. These issues are mainly founded in the general concept of cloud computing and do not result from specific service model characteristics. Within this section, we discuss these issues in the context of cloud forensics and propose potential solutions.

a) Lack of Transparency: The lack of knowledge about
targets, join botnets and steal volatile data of the running the internal processes, infrastructure and system components
system. After the attack, the attacker can cancel the contract make the usage of current cloud computing offers a game of
with the corresponding CSP forcing the VM to be powered hazard. Customers of cloud services want transparency which
down and destroy most of the evidence data which is inevitable is not provided in current real world cloud environments.
for further forensic investigations. This problem mainly results This is a comprehensible demand due to the fact that in a
from the unclear situation how CSP handle the termination of lot of cases sensible data is computed on services running in
customer contracts. In real world scenarios, this process is the cloud. Without transparency trust is hardly possible. This
not transparent for the customer bringing up further questions situation leads to the fact that customers have the legitimate
e.g. does data on virtual systems in the cloud get exhaustively fear of the thread of the unknown. From an economical point
deleted and how is this done (see section IV-B4d for further of view, the lack of transparency is one of the main reasons
discussion). why the whole potential of cloud computing is not yet being
Moreover, an interesting perspective is the case in which realized.
the real owner of the image decides to engage in malicious Compared with traditional IT outsourcing, cloud computing
activities through his VM from a veiled IP address and is peculiar in the fact that physical access to the servers is
afterwards claims, someone compromised the password or technically not feasible to customers and investigators alike.
key pair to his VM. In a subsequent forensic investigation, It lies in the nature of cloud computing that the exact location
it will be difficult to prove the opposite due to the lack of of where data is being processed in most of the cases cannot be
evidences. determined. Consequentially, even determining the applicable
body of law that governs and potentially restricts the scope

and proper measures of an investigation is a challenge.

The issue of unknown data location is further enhanced by the technical obfuscation of the underlying infrastructure. The CSP provides almost no information about the system environment in which customer data is stored or processed. This has several reasons: adversaries could use technical information about infrastructure and system usage for launching attacks against the CSP or the customers [12] alike. In addition, CSP do not want their customers to see the workload of their service offer. Competitors could use this information for improving their own range of services or use it to harm the reputation of the company.

In the context of cloud forensics, the lack of transparency and trust results in untrustworthy evidence data. The combination of limited access to evidence data and insufficient infrastructure transparency provided by the CSP tremendously hampers the ability to perform a digital investigation.

Suggested Solution:
Unfortunately, building an open, scalable and reusable cloud computing architecture which satisfies the wishes of both customers and CSP still faces challenges in the areas of technology breakthrough and best industry practices. Nevertheless, a long-term trust relationship between customer and CSP can only be established if open-source software frameworks [26] substitute present proprietary cloud platforms. Additionally, CSP have to break the silence and defer to the wishes of customers concerning forensics and security of cloud platforms by providing requested information. The cloud services offered by CSP have to be made accountable [34], meaning that actions are undeniably linked to the node that performed them, systems and applications maintain a record of past actions, and evidence of faults can be verified independently by a third party.

b) Loss of Evidence Data: Tracking and monitoring user activity is a common process concerning compliance requirements and also contributes to the identification of potential security issues and to future forensic investigations. Depending on the service model, access to relevant log data will be significantly decreased. Although cloud environments theoretically provide a huge amount of potential evidence data that could be used for an investigation, the CSP mostly decides which amount of evidence data can be accessed by the customer. As discussed in section IV-B, customers of SaaS services obtain almost no ability to gather information of evidence. In other models such as IaaS and PaaS this situation slightly changes. In addition, this is aggravated by the fact that real network and router logs cannot be gathered by the customer for forensic purposes. And even if such data is given to the customer, the difficulty of putting all the evidential data in the correct context still exists [13].

Due to these facts, interruptions in the time-series of the forensic observations, also referred to as missing observations, may occur [15]. Missing observations, as a specific definition for uncertainty, represent an important issue in the discussion of cloud forensics. In most of the cases, they are the reason for the complexity of proving a hypothesis during an investigation. However, properly speaking, the issue of missing evidence data exists even in ordinary digital and non-digital forensic investigations [14]. They always lead to further problems during the investigation phases because pieces of the whole incident story are missing. From a theoretical point of view, this constitutes a paradox due to the fact that the cloud offers a huge amount of potential forensic data sources.

Suggested Solution:
CSP should profit from the fact that plenty of evidence data is available in current cloud environments. Network, process and access logs should be provided to customers over a specific read-only API, which leads to the fact that customers obtain an improved ability to remodel interruptions in the time-series of potential future investigations. Fortunately, this approach could be applied to all three service models in order to verify and monitor specific actions and processes of services, applications or instances, but in some scenarios tensions between privacy and gathering forensic evidence arise, since the latter produces detailed records of virtual machines, customers and corresponding user accounts. Furthermore, investigators should be able to handle data evidence from multiple sources, which still poses a problem for the research community [13]. Digital investigations always require the correlation of different sources of forensic evidence for ensuring better results of the investigation. Data Fusion methods for collection and correlation of evidence data could be a possible solution to this problem [39].

c) Compliance Issues: Companies are forced to comply with various regulations and rules for being able to take part in the global market. This situation gets even more complicated in cloud environments given the dynamic nature of the different service models. Especially in the field of credit card processing, the Payment Card Industry Data Security Standard (PCI DSS) [42], a worldwide information security standard defined by the Payment Card Industry Security Standards Council, was established to help the payment card industry to prevent credit card fraud through increased controls around data.

One of the requirements given by the PCI DSS is the strict detachment between the systems processing credit card data and other systems. This means that only one primary function per server should be implemented for preventing functions that require different security levels from co-existing on the same server. In public cloud offers, the implementation of such a requirement is not straightforward due to the multi-tenant host systems. Moreover, until the release of v2.0 of the PCI standard, it was unclear if the VM or the physical hardware is meant to be the system component. In the latest release v2.0 of the PCI standard, the PCI council clarified that system components also include any virtualization components such as virtual machines, virtual switches/routers, virtual
appliances, virtual applications/desktops, and hypervisors. In case virtualization technologies are used, each VM is only allowed to host one specific function. Unfortunately, although the current version of PCI DSS tries to discuss the impact of highly virtualized infrastructures, it is still unclear how the requirements shall be realized in public cloud environments.

The latest release v2.0 of the PCI standard also postulates convenient logging mechanisms and the ability to track user activities on machines computing credit card data. These mechanisms are critical in preventing, detecting, or minimizing the impact of a data compromise. Furthermore, the PCI council stresses that the presence of logs in all environments allows thorough tracking, alerting, and analysis when something goes wrong. In case of a forensic investigation, determining the cause of a compromise is very difficult, if not impossible, without system activity logs. As mentioned before, the customer can only access a limited amount of evidence data and will probably face missing observations in the forensic time-series of the investigation. Hence, achieving compliance with standards like PCI DSS will hardly be possible in public cloud offers, which is also caused by the fact that CSP offer from none to generic audit reports instead of answering to the specific policy and compliance requirements of single customers.

Suggested Solution:
Leaving the cloud and searching for an alternative compliant non-cloud service provider is a possible solution for customers, but it often comes along with higher costs for the offered service. Hence, another possibility is to force the CSP to adapt to the customer’s compliance requirements, but as expected, this solution will hardly be accepted by the CSP. Therefore, customers should check their compliance requirements before moving data and processes to the cloud and also figure out which CSP offers the best service according to the specific customer needs. In return, CSP should offer as much transparency as possible for simplifying these customer steps. In order to verify deployed compliance agreements, a Third Party Auditor (TPA) could be used, acting as a trustee between the customer and the CSP. These potential solutions also apply to other standards such as the Health Insurance Portability and Accountability Act (HIPAA), ISO2700x, the Sarbanes-Oxley Act (SOX) etc.

d) Secure Data Deletion: File deletion is all about control and poses an intricate problem for customers since the advent of cloud computing. In current cloud environments, CSP do not offer any verification process providing the ability for the customer to verify that data stored in the cloud has been deleted exhaustively. However, the function of exhaustive deletion of data is an important prerequisite for the storage and processing of sensitive assets. Methods and functions of digital forensics could not only be used by legitimate investigators but also by malicious intruders for retrieving sensitive data out of compromised cloud instances and applications. Hence, the deletion of evidence in cloud environments is of greater importance for the customer, the CSP as well as for the adversary.

Unfortunately, several questions still remain unanswered by globally acting CSP: How can the customer be sure that e.g. an email in a SaaS scenario or sensitive data on a VM have substantially been deleted by the CSP, and how can he be assured that no traces (e.g. meta-data etc.) of the original asset are still stored?

Suggested Solution:
In traditional IT environments, various techniques have been developed to counter Data Remanence [28], [29]. In distributed cloud environments, deletion of data is mainly in the hands of the CSP. While this issue can be easily solved in encrypted storage scenarios by throwing away the key, secure deletion of unencrypted data in processing scenarios still remains a huge problem which cannot be solved without the help of the CSP. Generally, one solution could be the usage of a TPA [30] which evaluates the quality of an offered deletion service. However, this still remains an unsatisfying situation for the customers, albeit providing an ability to verify the status of dynamic data stored in the cloud on behalf of the cloud client.

Recently, the aspects of so called Trusted Cloud Computing have attracted the attention of researchers, combining the notion of Trusted Computing with cloud computing [21]. The major aim of such an approach is to provide the customer with the ability to verify confidentiality and integrity of their data and computation. Theoretically, the Trusted Platform Module (TPM) can provide hardware-based verification of the hypervisor and of the integrity of the running virtual instance. With the help of such methods, trusted log files and trusted deletion of data could theoretically be provided to the customer. However, effective and practice-oriented results [27], [31] are still pending.

e) SLA Verification: An important sub-aspect of cloud forensics is obtaining evidence of system states concerning the cloud itself. CSP make generous concessions to their customers in their SLAs or other forms of contracts. Considering the distribution of control between CSP and customer, it becomes apparent that it remains almost impossible for the customer to verify the actual performance of these agreements. Suppose that a customer made a contract with a CSP which guarantees data redundancy for the customer data. How can the customer prove that this agreement is fulfilled? How could he prove before a court that it was violated?

CSP can be bound to a specific SLA which assures e.g. data availability or backup procedures to the customers. However, it could be possible that with ordinary cloud environments the SLA assignments cannot be fulfilled. This means that customer data would have to be moved without the customer’s knowledge for fulfilling the SLA assignments. Due to the fact that the customer has no way of knowing where his data is actually located, the CSP can prevent penalties for breach of contract by
relocating the data to another location without the customer’s knowledge. This action could cause huge risks to the privacy and the security of the customer’s data.

Finally, the cloud service used by the customer is just another part of his huge infrastructure chain which he has to trust. Problematically, the different relationships cannot be secured by one overlapping SLA, but require several SLA, one for each relationship. For the customer, this situation is not satisfying because the efficient execution of his business depends on too many attributes.

Suggested Solution:
Third-party auditing is currently considered to be one potential solution to this problem. This means that a trusted and approved external party audits the security measures provided by the CSP. This is a first step in the right direction, but does not consider specific requirements given by single customers. Cloud customers demand the ability to run their own security audits, ensure that proper security measures are always in place and be able to control their security policies inside their own private cloud [32]. Without further concessions concerning transparency by the CSP, this issue cannot be solved.

f) Missing Best Practices: In the context of digital investigations, incidents are discrete computer events that are deterministic in nature and have a temporal causal sequence. This fact is given in ordinary environments as well as in cloud environments. From a theoretical point of view this means that each investigation can be solved if the needed sources and resources are available. Unfortunately, these perfect circumstances are not given in real world scenarios due to the previously discussed problems.

For example, it should be emphasized that evidence data must remain unchanged and the investigator must be competent and later able to give testimony, explaining relevance and implications of all actions. Furthermore, strict logs and records have to be kept for all steps of the investigation. In cloud environments, this is difficult to handle: Evidence data is located in different locations under various controls and hence, the chain of custody is difficult to preserve.

Aside from the technical issues mentioned, the question of how a digital investigation should be conducted in order to maximize the probative value (i.e. credibility) of the evidence remains open. Digital evidence acquisition and analysis have to evolve along with the technology that is their subject. Currently, guidelines and best practice guides on gathering digital evidence are rare and often outdated. There are no guidelines specific to evidence gathered in the cloud, not to speak of precedent that could define legal requirements on data retrieval, handling and storage.

Suggested Solution:
In order to assure compliance with the issues mentioned above, strict preservation of a chain of custody is essential. It is important that the investigator can prove who created the data (authenticity) and that the data retrieved was exactly the data supplied by the originator (integrity). Thus, especially for cases which are brought to court it is crucial that the chain of custody is preserved. Establishing a chain of custody means that an investigator can bring uninterrupted proof in form of documentation about who had control over the evidence between collection and presentation in court. In cloud computing environments, this is challenging. In order to be of use in a trial, the evidence data goes on a journey from the crime scene, mostly located at the CSP, to court in a validated and secure manner. The question is whether it can be assured that this chain has not been contaminated. For example, a snapshot of a VM that could be used as digital evidence in front of a court is created under the supervision of the hypervisor run by the CSP. How can this hypervisor be trusted?

V. CONCLUSION

There is no doubt that cloud computing has various security benefits for SMB which under ordinary circumstances struggle with limited budgets for security resources. However, regarding digital forensics, the loss of control caused by cloud environments and vendors presents a huge challenge for investigators. It is a fact that security incidents in cloud environments cross boundaries of responsibility and access and hence, preliminary findings of the computer forensic community in the field of digital forensics have to be revised and adapted to the new environment. Investigators need the possibility of reconstructing the corresponding environment for recreating scenarios and testing hypotheses. In the fast fluctuating world of cloud computing, without control and accountability for the customers, this is not possible anymore.

Within this work, we introduced the fundamental issues of forensic investigations in cloud environments. We outlined the current challenges and proposed various potential solutions. Basically, the issues discussed within this work are mainly caused by one reason: The absence of global standards in cloud computing environments causes a lot of problems ranging from security, compliance and proper deployment to the question of how an investigation within such an environment shall be processed. The introduction of global standards for processing as well as storing data in cloud environments would simplify potential investigations tremendously. Investigators would know where they have to look for potential evidence and processes of handling evidence would be clear and transparent. However, when new standards or adjustments to existing standards are needed, as it is the case with cloud computing, creating too many standards inhibiting innovation should be avoided.

REFERENCES

[1] N. Beebe, Digital Forensic Research: The Good, the Bad and the Unaddressed, Advances in Digital Forensics V, 2009
[2] D. Barrett and G. Kipper, Virtualization and Forensics: A Digital Forensic Investigator’s Guide to Virtual Environments, Syngress, 2010
[3] R. Bares, Hiding in a virtual world: using unconventionally installed operating systems, in Proceedings of the 2009 IEEE International Conference on Intelligence and Security Informatics (ISI’09), 2009
[4] R. Meadows, Cisco Router and Switch Forensics: Investigating and Analyzing Malicious Network Activity, Elsevier Science, 2009
[5] EC-Council, Computer Forensics: Investigating Network Intrusions and Cyber Crime, Ec-Council Press Series, 2009
[6] V. Corey, C. Peterman, S. Shearin, M.S. Greenberg and J. Van Bokkelen, Network Forensics Analysis, IEEE Internet Computing Journal, 2002
[7] M. Pereira, Forensic Analysis of the Firefox 3 Internet History and Recovery of Deleted SQLite Records, Digital Investigation Journal, 2009
[8] L. Rongxing, L. Xiaodong, L. Xiaohui and S. Sherman, Secure Provenance: The Essential of Bread and Butter of Data Forensics in Cloud Computing, in Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security (ASIACCS ’10), 2010
[9] L. Kaufman, Data Security in the World of Cloud Computing, IEEE Security and Privacy Journal, IEEE Educational Activities Department, 2009
[10] K. Muniswamy-Reddy and M. Seltzer, Provenance as First Class Cloud Data, ACM SIGOPS Operating Systems Review, 2010
[11] A. Reyes, R. Brittson, K. O’Shea and J. Steele, Cyber Crime Investigations: Bridging the Gaps Between Security Professionals, Law Enforcement, and Prosecutors, Syngress, 2007
[12] T. Ristenpart, E. Tromer, H. Shacham and S. Savage, Hey, You, Get Off of My Cloud! Exploring Information Leakage in Third-Party Compute Clouds, in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS ’09), 2009
[13] A. Case, A. Cristina, L. Marziale, G. Richard and V. Roussev, FACE: Automated Digital Evidence Discovery and Correlation, in Proceedings of the Eighth Annual DFRWS Conference, 2008
[14] A. Patcha and J.-M. Park, Network Anomaly Detection with Incomplete Audit Data, Computer Networks Journal, 2007
[15] E. Eleazar, Anomaly Detection over Noisy Data Using Learned Probability Distributions, in Proceedings of the Seventeenth International Conference on Machine Learning (ICML ’00), 2000
[16] P. Mell and T. Grance, The NIST Definition of Cloud Computing, Version 15, 2009
[17] A. Barth, A. Porter Felt, P. Saxena and A. Boodman, Protecting Browsers from Extension Vulnerabilities, in Proceedings of the 17th Network and Distributed System Security Symposium (NDSS), 2010
[18] B. Adida, A. Barth and C. Jackson, Rootkits for JavaScript Environments, in Proceedings of the 3rd USENIX Conference on Offensive Technologies, 2009
[19] G. Aggrawal, E. Bursztein, C. Jackson and D. Boneh, An Analysis of Private Browsing Modes in Modern Browsers, in Proceedings of 19th Usenix Security Symposium, 2010
[20] D. Bem, Virtual Machine for Computer Forensics - the Open Source Perspective, Open Source Software for Digital Forensics, Springer, 2010
[21] N. Santos, K. P. Gummadi and R. Rodrigues, Towards Trusted Cloud Computing, in Proceedings of the 2009 Conference on Hot Topics in Cloud Computing (HotCloud’09), 2009
[22] A. Singhal, M. Gunestas, A. Singhal, D. Wijesekara and D. Gallagher, Forensics Web Services (FWS), NIST Interagency Report Draft, 2010
[23] Y. Shi, K. Zhang and Q. Li, A New Data Integrity Verification Mechanism for SaaS, Web Information Systems and Mining, Springer LNCS, 2010
[24] A. Juels and B. Kaliski, PORs: Proofs of Retrievability for Large Files, in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS ’07), 2007
[25] B. Hay and K. Nance, Forensics Examination of Volatile System Data using Virtual Introspection, ACM SIGOPS Operating Systems Review, 2008
[26] D. Nurmi, R. Wolski, C. Grzegorczyk, G. Obertelli, S. Soman, L. Youseff and D. Zagorodnov, The Eucalyptus Open-Source Cloud-Computing System, in Proceedings of the 9th IEEE/ACM International Symposium on Cluster Computing and the Grid (CCGRID ’09), 2009
[27] Y. Tang, P. Lee, J. Lui and R. Perlman, FADE: Secure Overlay Cloud Storage with File Assured Deletion, SecureComm, 2010
[28] P. Gutmann, Secure Deletion of Data from Magnetic and Solid-State Memory, in Proceedings of the 6th Conference on USENIX Security Symposium, Focusing on Applications of Cryptography, 1996
[29] C. Wright, D. Kleiman and S. Sundhar, Overwriting Hard Drive Data: The Great Wiping Controversy, Information Systems Security, LNCS Springer, 2008
[30] Q. Wang, C. Wang, J. Li, K. Ren and W. Lou, Enabling Public Verifiability and Data Dynamics for Storage Security in Cloud Computing, Information Systems Security, LNCS Springer, 2008
[31] R. Geambasu, T. Kohno, A. Levy and H. Levy, Vanish: Increasing Data Privacy with Self-Destructing Data, in Proceedings of the 18th Conference on USENIX Security Symposium, 2009
[32] R. Chow, P. Golle, M. Jakobsson, R. Shi, J. Staddon, R. Masuoka, and J. Molina, Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control, in Proceedings of the 2009 ACM Cloud Computing Security Workshop (CCSW ’09), 2009
[33] L. Lamport, R. Shostak and M. Pease, The Byzantine Generals Problem, ACM Transactions on Programming Languages and Systems Journal, 1982
[34] A. Haeberlen, A Case for the Accountable Cloud, in Proceedings of the 3rd ACM SIGOPS International Workshop on Large-Scale Distributed Systems and Middleware (LADIS’09), 2009
[35] Y. Zhang, A. Juels, A. Oprea and M. Reiter, HomeAlone: Co-Residency Detection in the Cloud via Side-Channel Analysis, to be published at Security and Privacy IEEE Symposium, 2011
[36] B. Grobauer and T. Schreck, Towards Incident Handling in the Cloud: Challenges and Approaches, in Proceedings of the 2010 ACM Cloud Computing Security Workshop (CCSW ’10), 2010
[37] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson and D. Song, Provable Data Possession at Untrusted Stores, in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS ’07), 2007
[38] S. Mehrotra, Introducing Windows Azure Diagnostics, http://blogs.msdn.com/b/sumitm/archive/2009/11/18/introducing-windows-azure-diagnostics.aspx, 2009
[39] S. Satpathy, S. Pradhan and B. Ray, A Digital Investigation Tool based on Data Fusion in Management of Cyber Security Systems, International Journal of Information Technology and Knowledge Management, 2010
[40] S.D. Wolthusen, Overcast: Forensic Discovery in Cloud Environments, Fifth International Conference on IT Security Incident Management and IT Forensics (IMF ’09), 2009
[41] B. Hay, K. Nance and M. Bishop, Live Analysis: Progress and Challenges, IEEE Security & Privacy Journal, 2009
[42] Payment Card Industry Data Security Standard (PCI DSS), https://www.pcisecuritystandards.org/security_standards/index.php

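As an added example that is not part of the paper, the following block shows one way to realize the chain-of-custody record proposed under f) Missing Best Practices (uninterrupted documentation of who had control, plus authenticity and integrity of the evidence) as the kind of read-only, append-only evidence log suggested under b) Loss of Evidence Data. The HMAC key is assumed to be held by a Third Party Auditor (TPA) as discussed under c) Compliance Issues; the snapshot bytes, the key and the custody steps are constructed sample data.

```python
"""Hash-chained, HMAC-tagged chain-of-custody log for a VM snapshot (added
example, not code from the paper). Entries are linked to their predecessor
and tagged with a key assumed to be held only by a TPA; data is constructed."""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace

GENESIS = "0" * 64  # constructed sentinel: prev_hash of the first entry


def evidence_hash(artifact: bytes) -> str:
    """SHA-256 of the evidence artifact, e.g. a VM snapshot image."""
    return hashlib.sha256(artifact).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    seq: int              # position in the chain
    timestamp: str        # time recorded by the evidence API
    handler: str          # who had control of the evidence at this step
    action: str           # collected / transferred / analysed / presented
    artifact_sha256: str  # hash of the evidence at this step
    prev_hash: str        # entry_hash() of the previous entry (chain link)
    tag: str = ""         # HMAC over the fields above, set by the auditor

    def canonical(self) -> bytes:
        """Deterministic encoding of every field except the tag."""
        fields = asdict(self)
        fields.pop("tag")
        return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

    def entry_hash(self) -> str:
        return hashlib.sha256(self.canonical() + self.tag.encode()).hexdigest()


class CustodyLog:
    """Append-only custody record; the auditor key would live at the TPA."""

    def __init__(self, auditor_key: bytes) -> None:
        self._key = auditor_key
        self.entries: list[CustodyEntry] = []

    def append(self, timestamp: str, handler: str, action: str,
               artifact: bytes) -> CustodyEntry:
        prev = self.entries[-1].entry_hash() if self.entries else GENESIS
        draft = CustodyEntry(len(self.entries), timestamp, handler, action,
                             evidence_hash(artifact), prev)
        tag = hmac.new(self._key, draft.canonical(), hashlib.sha256).hexdigest()
        entry = replace(draft, tag=tag)
        self.entries.append(entry)
        return entry


def verify_chain(entries: list[CustodyEntry], key: bytes) -> tuple[bool, str]:
    """Authenticity: detect modified, forged, removed or reordered entries."""
    prev = GENESIS
    for position, entry in enumerate(entries):
        if entry.seq != position:
            return False, f"entry missing or reordered at position {position}"
        if entry.prev_hash != prev:
            return False, f"chain link broken before entry {entry.seq}"
        expected = hmac.new(key, entry.canonical(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.tag):
            return False, f"auditor tag invalid on entry {entry.seq}"
        prev = entry.entry_hash()
    return True, "chain intact"


def verify_integrity(entries: list[CustodyEntry], artifact: bytes) -> bool:
    """Integrity: the artifact presented equals the one hashed at collection."""
    return bool(entries) and entries[0].artifact_sha256 == evidence_hash(artifact)


SNAPSHOT = b"constructed-vm-snapshot-image-0001"  # stands in for a real image
AUDITOR_KEY = b"constructed-tpa-hmac-key"         # stands in for the TPA's key


def build_demo_log() -> CustodyLog:
    """Constructed custody steps: collected at the CSP, handed over, analysed."""
    log = CustodyLog(AUDITOR_KEY)
    log.append("2011-01-10T08:00:00Z", "csp-hypervisor", "collected", SNAPSHOT)
    log.append("2011-01-10T09:30:00Z", "investigator-a", "transferred", SNAPSHOT)
    log.append("2011-01-11T14:00:00Z", "lab-analyst", "analysed", SNAPSHOT)
    return log


def custody_checks() -> dict[str, bool]:
    """Verifier results for an intact log and three tampering scenarios."""
    entries = build_demo_log().entries
    dropped = [entries[0], entries[2]]  # the transfer step was removed
    rewritten = [entries[0], replace(entries[1], handler="someone-else"), entries[2]]
    return {
        "intact": verify_chain(entries, AUDITOR_KEY)[0],
        "dropped_detected": not verify_chain(dropped, AUDITOR_KEY)[0],
        "rewritten_detected": not verify_chain(rewritten, AUDITOR_KEY)[0],
        "artifact_ok": verify_integrity(entries, SNAPSHOT),
        "altered_artifact_detected": not verify_integrity(entries, SNAPSHOT + b"\x00"),
    }
```

Every check in `custody_checks()` returns True: the intact chain verifies, while a removed step, a rewritten handler and an altered snapshot are each detected.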