By Christine Chelimo
Cloud computing is the delivery of computing services without direct, active management by the user. Instead of buying and owning computing resources, you can “rent” a machine at a pay-as-you-go rate from cloud service providers (CSPs). Digital forensic investigation is the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources, for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.
Suppose an individual rents a machine in the cloud, commits a crime in that virtual environment from an anonymous computer, and then shuts the machine down. Where does the investigation start?
Suppose the victim’s machine or website stores IP addresses; a physical machine would still have been required to access the virtual machine. This is where logging in the CSP environment becomes important. Logging is an important source of evidence, but the main challenge is its integrity. At the lowest level, forensics will start from the browser history on the client machine, which records the activity between the client and the cloud. In this scenario the rented machine is used to launch an attack, and what the victim captures is the CSP’s machine. The investigator then has to issue a subpoena to the CSP requesting access to the logs in order to determine the physical machine that rented the service. In many cases, the attacker or the investigator may collude with the CSP to alter the logs, and the CSP may supply tampered logs whose correctness is difficult to verify.

The victim sees the CSP machine; the CSP sees the virtual machine used to attack the victim; and the CSP sees the IP address used by the attacker (possibly a physical computer) to access the CSP machine that attacked the victim. This may present geographical and jurisdictional challenges (for example, where the CSP is located in another country, say the USA). Furthermore, it may delay the case, as the CSP might take a long time to comply. There are two angles to consider:
What if a cyber attack took place on the side of the client who enjoys the services of a CSP?
What if the cyber criminals were using a CSP platform to carry out an attack?
How would you go about the two aspects?
Even if the cloud provider is honest, an attacker can terminate the rented machine and leave no traces of the attack. As for the physical machine, the attacker could have used fake identification and erased traces of that machine’s existence. By applying Locard’s exchange principle, coupled with the enterprise theory of investigation and the possibility of the attacker leaving a trace, we may have a starting point. The availability of potential digital evidence will depend on the integrity of all the parties, and on the logs being securely stored with their integrity untampered.
How about live data forensic acquisition?
One of the main reasons to carry out live acquisition is precisely such a case of cloud storage. The CSP has to securely store its logs and capture as much as it can. Digital forensics can also be proactive: digital forensic readiness tools and measures are used to capture potential digital evidence that may later be used for event reconstruction. In such cases, a Secure Logging-as-a-Service (SecLaaS) platform would be important for ensuring the integrity of the logs and the availability of the evidence while maintaining the confidentiality of the CSP’s customers. In summary, secure logging as a service, and integrity on the part of all parties in the digital crime scene (attacker, CSP and the victim’s investigator), form the basis of successful digital forensics in the cloud.
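The concern running through this article is that an investigator cannot tell whether the logs a CSP hands over are the logs that were actually written. The following is an added example, not code from the original article and not the SecLaaS project’s own implementation; it illustrates the underlying idea of a tamper-evident log: each entry is hashed together with its sequence number and the hash of the previous entry, and the head hash is periodically published out of band (to an auditor, a write-once store, or the customer). The events, tenant names and addresses are constructed sample data, and the “publish” step is modelled simply as a returned checkpoint dictionary. The verifier shows what each kind of after-the-fact alteration looks like: an edited entry, a deleted entry, and a silently shortened log, the last of which only the published checkpoint can catch.

```python
"""Tamper-evident (hash-chained) log with out-of-band checkpoints.

Added illustration for this article; not code from the original page or
from the SecLaaS project. Sample events and the publish step are constructed.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # hash value the first entry chains to

# Constructed sample CSP audit events (not real data).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00Z", "tenant": "cust-42", "action": "vm.create", "src_ip": "198.51.100.7"},
    {"ts": "2024-03-01T09:05:12Z", "tenant": "cust-42", "action": "console.login", "src_ip": "198.51.100.7"},
    {"ts": "2024-03-01T11:47:03Z", "tenant": "cust-42", "action": "vm.terminate", "src_ip": "198.51.100.7"},
]


def canonical(event: dict) -> bytes:
    """Deterministic encoding so the same event always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(seq: int, prev: str, event: dict) -> str:
    """SHA-256 over (seq, previous hash, event): binds content, position and history."""
    h = hashlib.sha256()
    h.update(f"{seq}|{prev}|".encode())
    h.update(canonical(event))
    return h.hexdigest()


def append(entries: list, event: dict) -> dict:
    """Append an event, linking it to the hash of the previous entry."""
    seq = len(entries)
    prev = entries[-1]["hash"] if entries else GENESIS
    entry = {"seq": seq, "prev": prev, "event": event, "hash": entry_hash(seq, prev, event)}
    entries.append(entry)
    return entry


def checkpoint(entries: list) -> dict:
    """Summary the CSP publishes out of band (auditor, write-once store, customer).

    Once the head is published, neither the CSP nor an intruder can rewrite or
    shorten the history without the recomputed head disagreeing with it.
    """
    head = entries[-1]["hash"] if entries else GENESIS
    return {"count": len(entries), "head": head}


def verify(entries: list, published: dict):
    """Recompute the chain and compare it with the published checkpoint.

    Returns (True, "ok") or (False, reason). Detects modified entries,
    deleted or reordered entries, and truncation of the tail.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i:
            return False, f"sequence break at index {i}"
        if e["prev"] != prev:
            return False, f"chain break at index {i}"
        if entry_hash(i, prev, e["event"]) != e["hash"]:
            return False, f"modified entry at index {i}"
        prev = e["hash"]
    if len(entries) != published["count"]:
        return False, "entry count differs from published checkpoint"
    if prev != published["head"]:
        return False, "head hash differs from published checkpoint"
    return True, "ok"


def build_sample_log():
    """Write the constructed events and publish a checkpoint for them."""
    entries = []
    for ev in SAMPLE_EVENTS:
        append(entries, ev)
    return entries, checkpoint(entries)


def demo() -> dict:
    """Verify the intact log and three tampered copies; returns name -> (ok, reason)."""
    entries, published = build_sample_log()
    results = {"intact": verify(entries, published)}

    edited = copy.deepcopy(entries)
    edited[1]["event"]["src_ip"] = "203.0.113.9"  # rewrite the recorded source address
    results["edited"] = verify(edited, published)

    removed = copy.deepcopy(entries)
    del removed[1]  # drop the login record
    results["removed"] = verify(removed, published)

    truncated = copy.deepcopy(entries)[:-1]  # silently drop the newest entry
    results["truncated"] = verify(truncated, published)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} ok={ok} {reason}")
```

Two design points matter for the scenario in the article. First, the hash chain alone only proves that the log is internally consistent; a party holding the whole log could recompute every hash after editing it. What stops that is the checkpoint the CSP has already handed to someone else, which is why the verifier compares the recomputed head against the published value rather than trusting the log’s own head. Second, the checkpoint also carries the entry count, so quietly dropping the most recent events (for instance a vm.terminate record) is detected even though the remaining entries still chain correctly.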