SECURING THE CLOUD: Why Are Clouds Not Forensics Friendly?

Author

  • Ragib Hasan
Abstract

Today’s cloud computing architectures often lack support for computer forensic investigations. In addition, existing digital forensics tools cannot cope with the dynamic nature of the cloud. This paper explores the challenges of digital forensics in the cloud, possible attacks on cloud evidence, and mitigation strategies against those challenges.

Introduction

Cloud computing offers immense opportunities for business and IT organizations by providing highly scalable infrastructure resources, pay-as-you-go service, and low-cost on-demand computing. While clouds attract diverse organizations, the security and trustworthiness of cloud infrastructure has become a rising concern. Clouds can be a target of attacks or can be used as a tool to launch attacks. Malicious individuals can easily exploit the power of cloud computing and can perform attacks from machines inside the cloud. Many of these attacks are novel and unique to clouds. To illustrate the use of clouds for malicious purposes, we consider the following hypothetical scenario:

Bob is a successful businessman who runs a shopping website in the cloud. The site serves a number of customers every day and his organization generates a significant amount of profit from it. Therefore, if the site is down even for a few minutes, it will seriously hamper not only their profit but also their goodwill. Mallory, a malicious attacker, decided to attack Bob’s shopping website. She rented some machines in a cloud and launched a Distributed Denial of Service attack against the shopping website using those rented machines. As a result, the site was down for an hour, which had quite a negative impact on Bob’s business. Consequently, Bob asked a forensic investigator to investigate the case. The investigator found that Bob’s website records each visiting customer’s IP address. Analyzing the visiting customer records, the investigator found that Bob’s website was flooded by some IP addresses which are owned by a cloud service provider. Eventually, the investigator issued a subpoena to the corresponding cloud provider to provide him the network logs for those particular IP addresses. On the other hand, Mallory managed to collude with the cloud provider after the attack. Therefore, while providing the logs to the investigator, the cloud provider supplied a tampered log to the investigator, who had no way to verify the correctness of the logs. Under this circumstance, Mallory will remain undetected. Even if the cloud provider was honest, Mallory could terminate her rented machines and leave no trace of the attack. Hence, the cloud provider could not give any useful logs to the investigator.

Digital Forensics in the Cloud

To identify the actual attacker in the above attack scenario, we need to execute digital forensics procedures in clouds. Currently, extensive research is going on to protect clouds from external or internal attackers. However, in case of an attack, we need to investigate the incident. Besides protecting the cloud, it is important to focus on this issue. Unfortunately, cloud forensics is not yet a popular research topic and there has been little research on adapting digital forensics for use in cloud environments. In this paper, we address the problems of cloud forensics and some mitigation strategies, which have significant real-life implications in investigating cloud-based cyber-crime and terrorism.

Understanding Cloud Forensics

NIST defines digital forensics as an applied science for “the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data” [1]. Figure 1 illustrates the process flow of digital forensics. Cloud forensics can be defined as applying all the processes of digital forensics in the cloud environment. Ruan et al. defined cloud forensics as a subset of network forensics [2], because cloud computing is based on extensive network access, and network forensics handles forensic investigation in private and public networks. However, cloud forensics also includes investigating file systems, processes, cache, and registry history. The different steps of digital forensics shown in Figure 1 vary according to the service and deployment model of cloud computing. For example, the evidence collection procedure of Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) will be different. For SaaS, we solely depend on the Cloud Service Provider (CSP) to get the application log. In contrast, in IaaS, we can acquire the virtual machine image from customers and can initiate the examination and analysis phase. In the public deployment model, we can rarely get physical access to the evidence, but this is guaranteed in the private cloud deployment model.

Fig. 1: Process Flow of Digital Forensics

Fig. 2: Customers’ control over different layers in different service models

Similar resources

FECloud: A Trustworthy Forensics-Enabled Cloud Architecture

The rapid migration from traditional computing and storage model to the cloud model creates the necessity of supporting reliable forensics in the cloud. However, today’s cloud computing architectures often lack support for forensic investigations because many of the assumptions that are taken for granted in traditional digital forensics do not apply to clouds. Hence, the existing digital forens...

Secure Network Solutions for Enterprise Cloud Services

Securing a cloud network is an important challenge for delivering cloud services to enterprise clouds. There are a number of secure network protocols, such as VPN protocols, currently available, to provide different secure network solutions for enterprise clouds. For example, PPTP, IPSec, and SSL/TLS are the most widely used VPN protocols in today’s securing network solutions. However, there ar...

Staas Clouds Using the Open Cloud Forensics Model

The rapid adoption of cloud computing to meet storage and computation needs has changed the way computing services and resources are used. However, because of the black-box nature and multi-tenant usage models of clouds, existing digital forensics science cannot cope with current state-of-the-art cloud architectures. Because of the fundamental characteristics of such clouds, many assumptions of...

A novel method for locating the local terrestrial laser scans in a global aerial point cloud

In addition to the heterogeneity of aerial and terrestrial views, the small scale terrestrial point clouds are hardly comparable with large scale and overhead aerial point clouds. A hierarchical method is proposed for automatic locating of terrestrial scans in aerial point cloud. The proposed method begins with detecting the candidate positions for the deployment of the terrestrial laser scanne...

A Review of Technical Problems when Conducting an Investigation in Cloud Based Environments

Cloud computing is a relatively new technology which is quickly becoming one of the most important technological advances for computer science. This technology has had a significant growth in recent years. It is now more affordable and cloud platforms are becoming more stable. Businesses are successfully migrating their systems to a cloud infrastructure, obtaining technological and economic ben...

Publication date: 2013