Isolating a cloud instance for a digital forensic investigation

Cloud Computing is gaining acceptance and increasing in popularity. Organizations often rely on Cloud resources to effectively replace their in house computer systems. In a Cloud environment an instance is typically accepted to be a virtual system resource established within that Cloud. Multiple instances can be contained a single node. The Cloud itself consists of multiple nodes. The Cloud structure has no predefined or fixed boundaries. Digital Forensics (DFs) can be considered the science of finding a root cause of a particular incident. Isolating the incident environment is generally accepted within the Forensic Community to be an integral part of a Forensic process. We consider this isolation is also needed in a Digital Forensic Investigations (DFIs). The isolation prevents any further contamination or tampering of possible evidence. In order to isolate the incident the Cloud instance is isolated. The node instance is effectively placed in a controlled environment to enable a controlled DF investigation to be conducted. This paper will introduce possible techniques to isolate these Cloud instances to facilitate an investigation. The techniques include, but are not limited to Instance Relocation, Server Farming, Address Relocation, Failover, Sandboxing, Man in the Middle (MITM) and Let’s Hope for the Best (LHFTB). A discussion of each of these techniques will be given. This discussion will include a description of each techniques, the advantages and disadvantages of using the techniques and the visibility of the techniques.