Cloud Forensics: A Meta-Study of Challenges, Approaches, and Open Problems

Shams Zawoad and Ragib Hasan
University of Alabama at Birmingham, Birmingham, Alabama 35294-1170
Email: zawoad@cis.uab.edu, ragib@cis.uab.edu

arXiv:1302.6312v1 [cs.DC] 26 Feb 2013

Abstract—In recent years, cloud computing has become popular as a cost-effective and efficient computing paradigm. Unfortunately, today's cloud computing architectures are not designed for security and forensics. To date, very little research has been done to develop the theory and practice of cloud forensics. Many factors complicate forensic investigations in a cloud environment. First, the storage system is no longer local. Therefore, even with a subpoena, law enforcement agents cannot confiscate the suspect's computer and get access to the suspect's files. Second, each cloud server contains files from many users. Hence, it is not feasible to seize servers from a data center without violating the privacy of many other users. Third, even if the data belonging to a particular suspect is identified, separating it from other users' data is difficult. Moreover, other than the cloud provider's word, there is usually no evidence that links a given data file to a particular suspect. Because of such challenges, clouds cannot be used to store healthcare, business, or national security related data, which require audit and regulatory compliance.

In this paper, we systematically examine the cloud forensics problem and explore the challenges and issues in cloud forensics. We then discuss existing research projects and finally, we highlight the open problems and future directions in the cloud forensics research area. We posit that our systematic approach towards understanding the nature and challenges of cloud forensics will allow us to examine possible secure solution approaches, leading to increased trust in and adoption of cloud computing, especially in business, healthcare, and national security. This in turn will lead to lower cost and long-term benefit to our society as a whole.

I. INTRODUCTION

Cloud computing has emerged as a popular and inexpensive computing paradigm in recent years. In the last 5 years alone, we have seen an explosion of applications of cloud computing technology, for both enterprises and individuals seeking additional computing power and more storage at a low cost. Small and medium scale industries find cloud computing highly cost effective as it replaces the need for costly physical and administrative infrastructure, and offers a flexible pay-as-you-go payment structure. Khajeh-Hosseini et al. found that an organization could save 37% in cost by migrating its IT infrastructure from an outsourced data centre to Amazon's cloud [1]. Recent research by Market Research Media states that the global cloud computing market is expected to grow at a 30% Compound Annual Growth Rate (CAGR), reaching $270 billion in 2020 [2]. According to Gartner Inc., the strong growth of cloud computing will bring $148.8 billion in revenue by 2014 [3]. Cloud computing is getting popular not only in private industry, but also in the government sector. According to research from INPUT, the US Federal government's spending on the cloud will reach $792 million by 2013 [4].

Clouds use the multi-tenant usage model and virtualization to ensure better utilization of resources. However, these fundamental characteristics of cloud computing are actually a double-edged sword: the same properties also make cloud-based crimes and attacks on clouds and their users difficult to prevent and investigate. According to a recent IDCI survey, 74% of IT executives and CIOs cited security as the main reason preventing their migration to the cloud services model [5]. Some recent attacks on cloud computing platforms strengthen the security concern. For example, a botnet attack on Amazon's cloud infrastructure was reported in 2009 [6]. Besides attacking cloud infrastructure, adversaries can use the cloud to launch attacks on other systems. For example, an adversary can rent hundreds of virtual machines (VMs) to launch a Distributed Denial of Service (DDoS) attack. After a successful attack, she can erase all traces of the attack by turning off the VMs. A criminal can also keep her secret files (e.g., child pornography, terrorist documents) in cloud storage and destroy all evidence from her local storage to remain clean. To investigate such crimes involving clouds, investigators have to carry out a digital forensic investigation in the cloud environment. This particular branch of forensics has become known as Cloud Forensics.

According to an annual report of the Federal Bureau of Investigation (FBI), the size of the average digital forensic case is growing at 35% per year in the United States. From 2003 to 2007, it increased from 83 GB to 277 GB [7]. This rapid increase in digital forensic evidence drove forensic experts to devise new techniques for digital forensics. At present, there are several established and proven digital forensics tools on the market. With the proliferation of clouds, a large portion of these investigations now involves data stored in, or actions performed in, a cloud computing system. Unfortunately, many of the assumptions of digital forensics are not valid in the cloud computing model. For example, in a cloud environment, investigators do not have physical access to the evidence, something they usually have in traditional privately owned and locally hosted computing systems. As a result, cloud forensics brings new challenges from both technical and legal points of view and has opened a new research area for security and forensics experts.

Contributions. In this article, we present a systematic analysis of the cloud forensics problem. The contributions of this paper are as follows:
• We present a systematic summary of the challenges and issues in cloud forensics.
• We provide a comprehensive analysis of proposed solutions for cloud forensics in the three different service models of publicly deployed cloud computing.
• We also identify the usages and advantages of cloud computing in digital forensics and enumerate the current open problems of cloud forensics.

Organization. The rest of the article is organized as follows: Section II provides the background knowledge of cloud computing, digital forensics, and cloud forensics. Section III presents the challenges in cloud forensics and Section IV discusses the existing proposed solutions. Section V provides an evaluation of existing digital forensics tools in a cloud environment. In Section VI, we discuss the advantages of cloud forensics over traditional computer forensics and Section VII describes some use cases of cloud computing in digital forensics. Section VIII presents the open problems of cloud forensics and finally, we conclude in Section IX.

II. BACKGROUND

In this section, we provide a brief overview of cloud computing and computer forensics. We also discuss the unique nature of clouds, which makes digital forensics investigations difficult.

A. Cloud computing

Definition. According to the definition by the National Institute of Standards and Technology (NIST), "Cloud computing is a model which provides a convenient way of on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services), that can be rapidly provisioned and released with minimal management effort or service provider interaction" [8]. The Open Cloud Manifesto Consortium defines cloud computing as "the ability to control the computing power dynamically in a cost-efficient way and the ability of the end user, organization, and IT staff to utilize the most of that power without having to manage the underlying complexity of the technology" [9].

Cloud computing has some important characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Parkhill proposed utility computing long ago [10] and Michael et al. mention cloud computing as a new term for "computing as a utility" [11]. They defined cloud computing as a combination of Software-as-a-Service and utility computing, but they consider private clouds outside of cloud computing.

Classification according to service model. According to the nature of the service model used by the Cloud Service Provider (CSP), cloud computing can be divided into three categories: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) [8]. Figure 1 illustrates the three service models in cloud computing architecture.

Software as a Service (SaaS). This model provides consumers the facility of using the cloud service provider's software application running on cloud infrastructure. This approach is different from traditional software package distribution to individuals or organizations. In this model, there is no need for software distribution. Consumers can access the application through web browsers on computers or mobile devices. Usually, there is a monthly subscription fee to use the service. This fee can sometimes vary according to the number of users in an organization. In this model, customers do not have any control over the network, servers, operating systems, storage, or even the application, except for some access control management for multi-user applications. Some examples of SaaS are: Salesforce [12], Google Drive [13], and Google Calendar [14].

Platform as a Service (PaaS). In PaaS, customers can deploy their own application or a SaaS application in the cloud infrastructure. Normally, customers pay according to bandwidth usage and database usage. They do not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but have control over the deployed applications and some application hosting environment configurations. Customers can only use the application development environments which are supported by the PaaS providers. Two examples of PaaS are: Google App Engine (GAE) [15] and Windows Azure [16]. Customers can host their own web-based applications on these platforms.

Infrastructure as a Service (IaaS). This model allows a customer to rent processing power and storage to launch his own virtual machine. It alleviates the costly process of maintaining one's own data center. One of the important features is that customers can scale up according to their requirements. It allows their applications to handle high load smoothly. On the other hand, they can save cost when demand is low. Customers have full control over operating systems, storage, and deployed applications, and possibly limited control of selecting networking components (e.g., host firewalls).
Figure 1. Three service models of Cloud Computing [17]. (Layers shown, top to bottom: user, front end and network; SaaS: cloud (web) applications; PaaS: cloud software environment with services and APIs, management access and IAAA mechanisms; IaaS: cloud software infrastructure with computational, storage and communication resources, kernel (OS/apps), hardware and facilities. The service customer side, the supporting IT infrastructure and the cloud-specific infrastructure of the provider are marked.)

An example of IaaS is Amazon EC2 [18]. EC2 provides users with access to virtual machines (VMs) running on its servers. Customers can install any operating system and can run any application in that VM. It also gives customers the facility of saving the VM state by creating an image of the instance. The VM can be restored later by using that image.

Other service models. Motahari-Nezhad et al. proposed a more specific service model, Database as a Service (DaaS) [19]. This is a special type of storage service provided by the cloud service provider. Most providers offer customers the option to store data as key-value pairs, rather than using a traditional relational database. Also, data of multiple users can be co-located in a shared physical table. Two examples of DaaS are: Amazon SimpleDB [20] and Google Bigtable [21]. The query language to store, retrieve, and manipulate the data depends on the provider. There is a monthly fee depending on the incoming and outgoing volume of data and machine utilization.

Classification according to deployment model. According to the deployment model, cloud computing can be categorized into four categories: private cloud, public cloud, community cloud, and hybrid cloud [8].

Private cloud. In the private cloud model, the cloud infrastructure is fully operated by the owner organization. It is the internal data center of a business organization. Usually, the infrastructure is located on the organization's premises. Private clouds can be found in large companies and for research purposes.

Community cloud. If several organizations with common concerns (e.g., mission, security requirements, policy, and compliance considerations) share cloud infrastructure, then this model is referred to as a community cloud.

Public cloud. In the public cloud model, the Cloud Service Provider (CSP) owns the cloud infrastructure and makes it available to the general public or a large industry group. All the examples given in the service-based cloud categorization are public clouds.

Hybrid cloud. As the name suggests, the hybrid cloud infrastructure is a composition of two or more clouds (private, community, or public), e.g., cloud bursting for load-balancing between clouds. Hybrid cloud architecture requires both on-premises resources and off-site (remote) server-based cloud infrastructure. Figure 2 shows three different deployment models of cloud computing: private, public, and hybrid cloud.

B. Computer Forensics

Computer forensics is the process of preserving, collecting, confirming, identifying, analyzing, recording, and presenting crime scene information. Wolfe defines computer forensics as "a methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format" [22]. According to a definition from NIST [23], computer forensics is "an applied science to identify an incident, collection, examination, and analysis of evidence data". In computer forensics, maintaining the integrity of the information and a strict chain of custody for the data is mandatory. Several other researchers define computer forensics as the procedure of examining a computer system to determine potential legal evidence [24], [25].

From the definitions, we can say that computer forensics is comprised of four main processes:
• Identification: The identification process is comprised of two main steps: identification of an incident and identification of the evidence which will be required to prove the incident.
• Collection: In the collection process, an investigator extracts the digital evidence from different types of media, e.g., hard disk, cell phone, e-mail, and many more. Additionally, he needs to preserve the integrity of the evidence.
• Organization: There are two main steps in the organization process: examination and analysis of the digital evidence. In the examination phase, an investigator extracts and inspects the data and their characteristics. In the analysis phase, he interprets and correlates the available data to come to a conclusion, which can prove or disprove civil, administrative, or criminal allegations.
• Presentation: In this process, an investigator makes an organized report to state his findings about the case. This report should be appropriate enough to present to the jury.
Figure 3 illustrates the flow of the aforementioned processes in computer forensics.

Legal basis. Before 2006, there had been no separate US Federal law for computer forensics investigation in civil cases. For criminal cases, investigators still use the 1986 Computer Fraud and Abuse Act. As computer-based crime was increasing rapidly, the Advisory Committee on Civil Rules took the initiative to resolve this issue in 2000. Finally, in 2006, an amendment to the Federal Rules of Civil Procedure (FRCP) was published, which is known as the e-discovery amendment [26]. Some important factors in the FRCP amendment that contribute to today's digital forensics are:
• FRCP defines the discoverable material and introduces the term Electronically Stored Information (ESI). Under this definition, data stored in hard disk, RAM, or Virtual Machine (VM) logs are all discoverable material for the forensic investigation.
• It introduces data archiving requirements.
• It addresses the issue of format in the production of ESI. If the responding party objects to the requested format, then it suggests a model for resolving the dispute about the form of production.
• It provides a Safe Harbor Provision. Under the rule of safe harbor, if someone loses data due to routine, good-faith operation, then the court may not impose sanctions on her for failing to provide ESI [22], [26].

C. Cloud forensics

We define cloud forensics as the application of computer forensic principles and procedures in a cloud computing environment. Since cloud computing is based on extensive network access, and as network forensics handles forensic investigation in private and public networks, Ruan et al. defined cloud forensics as a subset of network forensics [27]. They also identified three dimensions in cloud forensics: technical, organizational, and legal. To the authors' knowledge, this is so far the only definition of cloud forensics.

Cloud forensics procedures will vary according to the service and deployment model of cloud computing. For SaaS and PaaS, we have very limited control over process or network monitoring, whereas we can gain more control in IaaS and can deploy some forensic-friendly logging mechanism. The first three steps of computer forensics will vary for different service and deployment models. For example, the collection procedure for SaaS and IaaS will not be the same. For SaaS, we solely depend on the CSP to get the application log, while in IaaS, we can acquire the virtual machine instance from the customer and enter the examination and analysis phase. On the other hand, in the private deployment model we have physical access to the digital evidence, but we can rarely get physical access in the public deployment model.

III. CHALLENGES OF CLOUD FORENSICS

In this section, we examine the challenges in cloud forensics, as discussed in the current research literature. We present our analysis by looking into the challenges faced by investigators in each of the stages of computer forensics (as described in Section II-B). Some of the important challenges we address here are: forensic data acquisition, logging, preserving chain of custody, limitations of current forensics tools, crime scene reconstruction, cross-border law, and presentation.
Private Cloud
Hybrid Cloud
Public Cloud

On Premise Infrastructure
CSP Infrastructure

Figure 2. Three different cloud deployment models

Incident Examination

Identification

Identification
Collection
Organization
Presentation

Evidence
Identification
Analysis

Figure 3. Computer Forensics Process Flow

A. Forensic Data Acquisition and tools assume that we have physical access to the
computers. However, in cloud forensics, the situation is
Collection of the digital evidence is the most crucial step
different. Sometimes, we do not even know where the data
of forensic procedure. Any errors that have occurred in the
is located as it is distributed among many hosts in multiple
collection phase will propagate to the evidence organization
data centers. A number of researchers address this issue in
and reporting phase, which will eventually affect the whole
their work [28], [29], [30], [31], [32], [33].
investigation process. According to Birk, evidence can be
available in three different states in cloud – at rest, in motion, Less Control in Clouds and Dependence on the CSP. In
and in execution [28]. Data that occupies the disk space is traditional computer forensics, investigators have full control
called data at rest. Data that can be transferred from one state over the evidence (e.g., a hard drive confiscated by police).
to another state is referred to as data in motion. Sometimes, In a cloud, unfortunately, the control over data varies in
we have executable data, for example, image snapshot. We different service models. Figure 4 shows the limited amount
can load and run an image snapshot to get the data in rest and of control that customers have in different layers for the
data in motion. In cloud forensics, data collection procedure three service models – IaaS, PaaS, and SaaS. For this
also varies depending on the service and deployment model reason, we mostly depend on the CSP to collect the digital
of clouds. evidence from cloud computing environment. This is a
Some of the factors that make the data acquisition process serious bottleneck in the collection phase.
in cloud forensic harder than traditional computer forensics
In IaaS, users have more control than SaaS or PaaS.
are discussed below.
The lower level of control has made the data collection in
Physical Inaccessibility. Physical inaccessibility of digital SaaS and PaaS more challenging than in IaaS. Sometimes,
evidence makes the evidence collection procedure harder in it is even impossible. If we manage to get the image of
cloud forensics. The established digital forensic procedures an IaaS instance, it will make our life easy to investigate
Access Control
Access Control
Access Control

Application
Application
Application

Data
Data
Data

Operating System
Operating System
Operating System

Servers
Servers
Servers

Network
Network
Network

SaaS
PaaS
IaaS

Customers have control


Customers do not have control

Figure 4. Customers’ control over different layers in different service model

the system. For SaaS and PaaS, we need to depend on the payment customers can get persistent storage, this is not
CSP. We can only get a high level of logging information common for small or medium scale business organizations.
from this two service models. As customers have control Moreover, a malicious user can exploit this vulnerability.
over the application deployed in PaaS, they can keep log of After doing some malicious activity (e.g., launch DoS attack,
different actions to facilitate the investigation procedure. On send spam mail), an adversary can power off her virtual
the contrary in SaaS, customers basically have no control to machine instance, which will lead to a complete loss of
log the actions. the volatile data and make the forensic investigation almost
Dykstra et al. presented the difficulty of data acquisition impossible. Birk also mentioned a serious problem regarding
by using a hypothetical case study of child pornography the volatile nature of evidence in cloud. The problem states
[29]. To investigate this case, the forensics examiner needs that some owner of a cloud instance can fraudulently claim
a bit-for-bit duplication of the data to prove the existence that her instance was compromised by someone else and
of contraband images and video, but in a cloud, he can- had launched a malicious activity. Later, it will be difficult
not collect data by himself. At first, he needs to issue a to prove her claim as false by a forensic investigation [35].
search warrant to the cloud provider. However, there are Trust Issue. Dependence on the third party also poses trust
some problems with the search warrant in respect of cloud issue in investigation procedure. In the child pornography
environment. For example, warrant must specify a location, case study, Dykstra et al. highlighted the trust issue in
but in cloud the data may not be located at a precise location collecting evidence [29]. After issuing a search warrant,
or a particular storage server. Furthermore, the data can not the examiner needs a technician of the cloud provider to
be seized by confiscating the storage server in a cloud, as the collect data. However, the employee of the cloud provider
same disk can contain data from many unrelated users. To who collects data is most likely not a licensed forensics
identify the criminal, we need to know whether the virtual investigator and it is not possible to guarantee his integrity
machine has a static IP. Almost in all aspects, it depends on in a court of law [33]. The date and timestamps of the data
the transparency and cooperation of the cloud provider. are also questionable if it comes from multiple systems.
Volatile Data. Volatile data cannot sustain without power. Dykstra et al. experimented with collecting evidence from
When we turn off a Virtual Machine (VM), all the data cloud environment. One of the shortcomings they found is
will be lost if we do not have the image of the instance. that it is not possible to verify the integrity of the forensic
This issue is highlighted in several research works [28], disk image in Amazon’s EC2 cloud because Amazon does
[30], [31], [32], [34]. Though IaaS has some advantages not provide checksums of volumes, as they exist in EC2.
over SaaS and PaaS, volatile storage can be a problem in Large Bandwidth: In Section I, we have seen that the
IaaS model if data is not always synchronized in persistent amount of digital evidence is increasing rapidly. Guo et al.
storage, such as, Amazon S3 or EBS. If we restart or turn pointed out the requirement of large bandwidth issue for time
off a VM instance in IaaS (e.g., in Amazon EC2), we will critical investigation [30]. The on-demand characteristic of
lose all the data. Registry entries or temporary internet files, cloud computing will have vital role in increasing the digital
that reside or be stored within the virtual environment will evidence in near future. In traditional forensic investigation,
be lost when the user exits the system. Though with extra we collect the evidence from the suspect’s computer hard
disk. Conversely, in cloud, we do not have physical access get what they need exactly – nothing more, nothing less and
to the data. One way of getting data from cloud VM is obviously, in a secure way.
downloading the VM instance’s image. The size of this Dependence on the CSP. Currently, to acquire the logs, we
image will increase with the increase of data in the VM extensively depend on the CSPs. The availability of the logs
instance. We will require adequate bandwidth and incur varies depending on the service model. In SaaS, customers
expense to download this large image. do no get any log of their system, unless the CSP provides
Multi-tenancy. In cloud computing, multiple VM can the logs. In PaaS, it is only possible to get the application log
share the same physical infrastructure, i.e., data for multiple from the customers. To get the network log, database log,
customers may be co-located. This nature of clouds is or operating system log we need to depend on the CSP. For
different from the traditional single owner computer system. example, Amazon does not provide load balancer log to the
In any adversarial case, when we acquire evidence two issues customers [38]. In a recent research work, Marty mentioned
can arise. First, we need to prove that data were not co- that he was unable to get MySql log data from Amazon’s
mingled with other users’ data [29], [30]. And secondly, Relational Database Service [37]. In IaaS, customers do not
we need to preserve the privacy of other tenants while have the network or process log.
performing an investigation [33]. Both of these issues make Absence of Critical Information in Logs. There is no
acquiring digital evidence more challenging. The multi- standard format of logs. Logs are available in heterogeneous
tenancy characteristic also brings the side-channel attacks formats – from different layers and from different service
[36] that are difficult to investigate. providers. Moreover, not all the logs provide crucial infor-
B. Logging

Analyzing logs from different processes plays a vital role in a digital forensic investigation. Process logs, network logs, and application logs are very useful for identifying a malicious user. However, gathering this crucial information in a cloud environment is not as simple as it is in a privately owned computer system; sometimes it is even impossible. Cloud forensic researchers have already identified a number of challenges in cloud-based log analysis and forensics [30], [33], [37]. We briefly discuss these challenges below.

Decentralization. In cloud infrastructure, log information is not located at any single centralized log server; rather, logs are decentralized among several servers. Multiple users' log information may be co-located or spread across multiple servers.

Volatility of Logs. Some of the logs in a cloud environment are volatile, especially in the case of VMs. All the logs stored inside the instance will be unavailable if the user powers off the VM instance. Therefore, such logs are available only for a certain period of time.

Multiple Tiers and Layers. There are several layers and tiers in a cloud architecture, and logs are generated in each tier. For example, the application, network, operating system, and database layers all produce valuable logs for forensic investigation. Collecting logs from these multiple layers is challenging for the investigators.

Accessibility of Logs. The logs generated in different layers need to be accessible to different stakeholders of the system, e.g., the system administrator, the forensic investigator, and the developer. System administrators need relevant logs to troubleshoot the system. Developers need the required logs to fix bugs in the application. Forensic investigators need logs that can help in their investigation. Hence, there should be some access control mechanism, so that everybody will

mation for forensic purpose, e.g., who, when, where, and why some incident was executed.

C. Chain of Custody

Chain of custody is defined as a verifiable provenance or log of the location and possession history of evidence, from the point of collection at the crime scene to the point of presentation in a court of law. It is one of the most vital issues in traditional digital forensic investigation. The chain of custody should clearly depict how the evidence was collected, analyzed, and preserved in order to be presented as admissible evidence in court [39]. In the traditional forensic procedure, it starts with gaining physical control of the evidence, e.g., a computer or a hard disk. However, in cloud forensics, this step is not possible. In a cloud, the investigator can acquire the available data from any workstation connected to the internet. Due to the multi-jurisdictional laws, procedures, and proprietary technology in the cloud environment, maintaining the chain of custody will be a challenge [34], [40]. In a hypothetical case study of a compromised cloud-based website, Dykstra et al. pointed out that, as multiple people may have access to the evidence and we need to depend on the CSP to acquire the evidence, the preservation of the chain of custody throughout the investigation process is questionable [29]. According to Birk et al., the chain of custody will be a problem in cloud forensics as the trustworthiness of the hypervisor is also questionable [28].

D. Limitations of Current Forensic Tools

Due to the distributed and elastic characteristics of cloud computing, the available forensic tools cannot cope with this environment. Some researchers highlighted the limitations of current forensic tools in their work [27], [32], [40]. Tools and procedures are yet to be developed for investigations in virtualized environments, especially at the
hypervisor level. Ruan et al. expressed the need for forensic-aware tools for the CSP and the clients to collect forensic data [27].

Table I
SUMMARY OF CHALLENGES IN CLOUD FORENSICS
(yes/no: whether the challenge exists in the given service model)

Challenge                                 IaaS   PaaS   SaaS   Work
Physical inaccessibility                  yes    yes    yes    [28], [29], [30], [31], [33], [32]
Dependence on CSP                         yes    yes    yes    [29]
Volatile data                             yes    no     no     [28], [30], [31], [34], [32]
Trust issue                               yes    yes    yes    [29], [33]
Large bandwidth                           yes    no     no     [30]
Multi-tenancy                             yes    yes    no     [29], [30], [33]
Decentralization of logs                  yes    yes    yes    [37], [30]
Volatility of logs                        yes    no     no     [37], [33]
Logs in multiple tiers and layers         yes    yes    yes    [37]
Accessibility of logs                     yes    yes    yes    [37]
Depending on CSP for logs                 yes    yes    yes    [30]
Absence of critical information in logs   yes    yes    yes    [37]
Chain of custody                          yes    yes    yes    [34], [40], [29], [28]
Problem of current forensic tools         yes    yes    yes    [27], [32], [40]
Crime scene reconstruction                yes    yes    no     [32]
Cross border law                          yes    yes    yes    [41], [42], [34], [27]
Presentation                              yes    yes    yes    [32]
Compliance issue                          yes    yes    no     [32]

E. Crime Scene Reconstruction

To investigate a malicious activity, sometimes the investigators need to reconstruct the crime scene. It helps them to understand how an adversary launched the attack. However, in a cloud environment, that could be a problem [32]. If an adversary shuts down her virtual instance after a malicious activity, or undeploys her malicious website, then reconstruction of the crime scene will be impossible.

F. Cross Border Law

Multi-jurisdictional or cross border law is intensifying the challenge of cloud forensics. Data centers of the service providers are distributed worldwide. However, privacy preservation and information sharing laws are not harmonized throughout the world; they may not even be the same in different states of a country. Cross border legislation and cross border red tape issues came up in several cloud forensic research works [27], [41], [42], and they make the evidence collection process challenging. In particular, such a process should not violate the laws of a particular jurisdiction. Furthermore, the guideline for admissible evidence, or the guideline for preserving the chain of custody, can vary among different regions. It may happen that the attacker is accessing the cloud computing service from one jurisdiction, whereas the data she is accessing resides in a different jurisdiction. Differences in laws between these two locations can affect the whole investigation procedure, from evidence collection to presenting proofs to capture the attacker. Moreover, in the multi-tenancy case, we need to preserve the privacy of the other tenants sharing the same resources when we collect data. However, privacy and privilege rights may vary among different countries or states.

G. Presentation

The final step of a digital forensic investigation is presentation, where an investigator accumulates his findings and presents them to the court as the evidence of a case. Challenges also lie in this step of cloud forensics. Proving the evidence in front of the jury for traditional computer forensics is relatively easy compared to the complex structure of cloud computing. Jury members possibly have basic knowledge of personal computers or at most privately owned local storage. But the technicalities of a cloud data center, running thousands of VMs accessed simultaneously by hundreds of users, are far too complex for them to understand [32].

H. Trustworthy Data Retention

Large business organizations and medical institutions cannot move to the cloud because of some compliance issues. Trustworthy data retention is one of the mandatory compliance issues that has a direct impact on digital forensics. Hasan et al. state that trustworthy data retention should provide the long-term retention and disposal of organizational records to prevent unwanted deletion, editing, or modification of data during the retention period. It should also prevent recreation of a record once it has been removed [43]. While there are still some open problems in ensuring secure data retention at the storage level, the cloud computing model imposes some new challenges. Popovic et al. mentioned some issues about retention and destruction of records in cloud computing. For example, who enforces the retention policy in the cloud, and how are exceptions, such as litigation holds, managed? Moreover, how can the CSPs assure us that they do not retain data after its destruction [44]? There are several laws in different countries which mandate trustworthy data retention. In the United States alone, there are 10,000 laws at the federal and state levels that force organizations to manage records securely [43]. Some of the laws and regulations are stated below:

• Sarbanes-Oxley Act: This act mandates public companies to provide disclosure and accountability of their financial reporting, subject to independent audits [45].
• The Health Insurance Portability and Accountability Act (HIPAA): This act requires privacy and confidentiality of patient medical records [46].
• The Securities and Exchange Commission (SEC) rule 17a-4: According to this rule, traders, brokers, and financial companies need to maintain their business records, transactions, and communications for a number of years [47].
• Federal Information Security Management Act: This law regulates information systems used by the Federal government and affiliated parties [48].
• The Gramm-Leach-Bliley Act: According to this law, financial institutions must have a policy to protect information from any predictable threats to integrity and data security [49].
• European Commission data protection legislation: In 2012, the European Commission proposed a major reform of the 1995 data protection legislation to strengthen the privacy and confidentiality of individuals' data [50].

All of the above laws mandate trustworthy data retention. Compliance with all of these laws is challenging in the cloud computing environment. For example, the SOX act mandates that financial information must reside in auditable storage, which the CSPs do not provide. Business organizations cannot move their financial information to cloud infrastructure as it does not comply with the act. As cloud infrastructure does not comply with HIPAA's forensic investigation requirement, hospitals cannot move patients' medical information to cloud storage. As business and healthcare organizations are the two most data-consuming sectors, cloud computing cannot achieve ultimate success without including these two sectors. These sectors are spending extensively to build their own regulatory-compliant infrastructure. A regulatory-compliant cloud can save this huge investment. Hence, we need to solve the audit compliance issue to bring more customers into the cloud world.

Table I gives an overview of the challenges in the three service models of cloud computing for publicly deployed clouds.

IV. CURRENT SOLUTIONS

In this section, we discuss some existing proposed solutions which can mitigate some of the challenges of cloud forensics.

A. Trust Model

In Section III, we have already seen that for forensic data acquisition, we need to depend heavily on the CSP. This inevitably affects trust and evidence integrity. Dykstra et al. proposed a trust model with six layers: guest application/data, guest OS, virtualization, host OS, physical hardware, and network. The further down the stack one goes, the less cumulative trust is required. For example, at the guest OS layer we require trust in the guest OS, hypervisor, host OS, hardware, and network layer, while at the network layer we require trust only in the network. Examiners can examine evidence from different layers to ensure the consistency of the digital evidence. For a forensic examination, we need to choose the appropriate layer, which depends on the data available in that layer and the trust in the available data [51]. Wolthusen suggested an interactive evidence presentation and visualization mechanism to overcome the trust issue [31]. Ko et al. proposed TrustCloud, a trust-preserving framework for the cloud [52].

B. Integrity Preservation

Integrity preservation of the digital evidence is a crucial step in a cloud forensic investigation. Without integrity preservation, the validity of the evidence will be questionable and the jury can object to it. Generating a digital signature on the collected evidence and then checking the signature later is one way to validate the integrity. As data is distributed among multiple servers, this procedure is not simple; rather, it is quite complicated. However, cloud researchers have proposed some mechanisms to generate and check the signature of distributed cloud data.

Hegarty et al. proposed a distributed signature detection framework that facilitates forensic investigation in a cloud environment [53]. Traditional techniques of signature detection for digital forensics are not efficient or appropriate due to the distributed nature of cloud computing. The current model of file storage comprises two components: Metadata Servers (MDS) and Object Storage Devices (OSD). The hash value of each file is stored in the MDS as an e-tag, and integrity is checked each time after uploading or downloading a file. In the proposed framework, the first step is to send a list of target buckets to the Forensic Cluster Controller (FCC), along with a file containing the target MD5 hash values. The FCC then initializes and queries the Analysis Nodes (AN) to get the number of files contained in the targeted buckets. Upon receiving the round one signature file from the FCC, each AN retrieves the e-tags of the bucket. The signatures in the round one signature file are compared with the signatures generated from the e-tags by the AN. After getting feedback from all ANs, the FCC terminates the ANs. They tested their framework in two ways: using Amazon S3 and by emulating a cloud platform. They achieved zero false positive and false negative rates and found a significant improvement in terms of the data required at the AN. One caveat for practitioners: since MD5 collisions are practical, an e-tag match should be treated as a candidate hit and confirmed against a stronger hash (e.g., SHA-256) of the retrieved object before it is relied on as evidence.

C. Logging

Log information is vital for forensic investigations. A lot of researchers have explored logging in the context of a cloud. Marty proposed a log management solution which can solve several of the logging challenges discussed in
Section III [37]. In the first step of the logging solution, logging must be enabled on all infrastructure components to collect logs. The next step is to establish a synchronized, reliable, bandwidth-efficient, and encrypted transport layer to transfer logs from the source to a central log collector. The final step deals with ensuring the presence of the desired information in the logs. The proposed guideline tells us to focus on three things: when to log, what to log, and how to log. The answer to when to log depends on the use cases, such as business-relevant logging, operations-based logging, security (forensics) related logging, and regulatory and standards mandates. At minimum, he suggested logging the timestamp, application, user, session ID, severity, reason, and categorization, so that we can answer what, when, who, and why (the 4 Ws). He also recommended a syntax for logging, represented as key-value pairs, which uses three fields to establish a categorization schema: object, action, and status. He also implemented an application logging infrastructure at a SaaS company, where he built a logging library that can be used in Django. This library can export logging calls for each severity level, such as debug, info, error, and others. For logging in the JavaScript layer, he built an AJAX library to store the logs on the server side. Then he tuned the Apache configuration to get the logs in the desired format and to get the logs from the load balancer. For logging the back-end operations, he used Log4j, as the backend was built in Java. While there are several advantages to this approach, this work does not provide any solution for logging network usage, file metadata, process usage, and many other pieces of evidence which are important for forensic investigation in the IaaS and PaaS models.

To facilitate logging in clouds, Zafarullah et al. proposed using the logging provided by the OS and the security logs [41]. In order to investigate digital forensics in the cloud, they set up a cloud computing environment using Eucalyptus. Using Snort, Syslog, and a log analyzer (e.g., Sawmill), they were able to monitor Eucalyptus behavior and log all internal and external interactions of Eucalyptus components. For their experiment, they launched a DDoS attack from two virtual machines and analyzed the bandwidth usage log and processor usage log to detect the DDoS attack. From the logs in the /var/eucalyptus/jetty-request-05-09-xx file on the Cloud Controller (CC) machine, it is possible to identify the attacking machine's IP, browser type, and content requested. From these logs, it is also possible to determine the total number of VMs controlled by a single Eucalyptus user and the VMs' communication patterns. Their experiment shows that if the CSPs come forward to provide better logging mechanisms, cloud forensics will benefit greatly.

To get the necessary logs from all three service models, Birk et al. proposed that the CSP could provide network, process, and access logs to customers through a read-only API [35]. By using these APIs, the customer can provide valuable information to the investigator. In PaaS, customers have full control over their application and can log a variety of access information in a configurable way. Hence, for PaaS, they proposed a central log server where the customer can store the log information. In order to protect log data from possible eavesdropping and alteration, customers can encrypt and sign the log data before sending it to the central server.

D. Cloud Management Plane

Data acquisition from cloud infrastructure is a challenging step in cloud forensics. CSPs can play a vital role in this step by providing a web-based management console like the AWS management console. Dykstra et al. recommended a cloud management plane for use in the IaaS model [51]. From the console panel, customers as well as investigators can collect the VM image, network, process, and database logs, and other digital evidence which cannot be collected in other ways. The only problem with this solution is that it requires an extra level of trust: trust in the management plane. In the traditional evidence collection procedure, where we have physical access to the system, this level of trust is not required.

E. Solution of Legal Issues

Legal issues are a great obstacle in cloud forensics. Cross border legislation often hinders forensic procedures. At present, there is a massive gap in existing Service Level Agreements (SLA), which define neither the responsibility of CSPs at the time of a malicious incident nor their role in a forensic investigation. Researchers gave emphasis to sound and robust SLAs between cloud service providers and customers [29], [42], [35]. To resolve the transparency issues, the CSP should build a long-term trust relationship with customers. A robust SLA should state how the providers deal with cyber crimes, i.e., how and to what extent they help in the forensic investigation procedure. In this context, another question arises: how can we be sure of the robustness of an SLA? To ensure the quality of an SLA, we can take help from a trusted third party [35]. To overcome the cross border legislation challenges, Biggs proposed an international unity for introducing international legislation for cloud forensics investigation [42]. By implementing a global law throughout the world, we can make the investigation procedure smooth enough to complete within a time limit.

F. Virtual Machine Introspection

Virtual Machine Introspection (VMI) is the process of externally monitoring the runtime state of a VM, either from the Virtual Machine Monitor (VMM) or from some virtual machine other than the one being examined. By runtime state, we are referring to processor registers, memory, disk, network, and other hardware-level events. Through this process, we can execute a live forensic analysis of the system while keeping the target system unchanged [54]. In this work, Hay et al. showed that if a VM instance is compromised by installing some rootkit to hide the malicious events, it is still possible to identify those malicious events by performing VMI. They used an open source VMI library, the Xen (VIX) suite, to perform their experiment. However, this tool is no longer maintained under this name; it is now known as LibVMI [55].

G. Continuous Synchronization

In order to provide on-demand computational and storage service, CSPs typically do not provide persistent local storage to a VM instance. If we turn off the power or reboot the VM, we will eventually lose all the data residing in the VM. To overcome the problem of volatile data, Birk et al. mentioned the possibility of continuous synchronization of the volatile data with persistent storage [35]. However, they did not provide any guideline about the procedure. There can be two possible ways of continuous synchronization.

• CSPs can provide a continuous synchronization API to customers. Using this API, customers can preserve the synchronized data to any cloud storage, e.g., Amazon S3, or to their local storage. Implementing this mechanism will be helpful to get the evidence from a compromised VM, even though the adversary shut down the VM after launching a malicious activity.
• However, if the adversary is the owner of a VM, the above-mentioned mechanism will not work. Trivially, she will not be interested in synchronizing her malicious VM. To overcome this issue, CSPs by themselves can integrate the synchronization mechanism with every VM and preserve the data within their infrastructure.

Table II
SUMMARY OF SOLUTIONS IN CLOUD FORENSICS
(yes/no: whether the solution is suitable for the given service model)

Proposed Solution                           IaaS   PaaS   SaaS   Work
Trust model                                 yes    yes    no     [51], [31], [52]
Distributed signature detection framework   no     no     yes    [53]
Log management solution                     no     yes    no     [37]
OS and the security logs                    yes    no     no     [41]
API provided by CSP for logs                yes    yes    yes    [35]
Cloud management plane                      yes    yes    yes    [51]
Robust SLA                                  yes    yes    yes    [29], [42], [35]
Trusted third party                         yes    yes    yes    [35]
Global unity                                yes    yes    yes    [42]
Virtual machine introspection               yes    no     no     [54]
Continuous synchronization                  yes    yes    no     [35]
Trusted Platform Module (TPM)               yes    yes    no     [35], [51]
Isolating a cloud instance                  yes    no     no     [56]
Data provenance in cloud                    yes    yes    yes    [35], [29]

Table III
ANALYSIS OF CHALLENGES AND PROPOSED SOLUTIONS

Challenge                                                                 Proposed Solution
Trust issue for depending on CSP                                          Trust model
Preserving integrity                                                      Distributed signature detection framework
Decentralization of logs, logs in multiple tiers and layers,              Log management solution
  absence of critical information in logs, volatility of logs
Depending on CSP for logs                                                 API provided by CSP for logs
Dependability on CSP for data acquisition                                 Cloud management plane
Compliance issue, dependability on CSP                                    Robust SLA
Compliance issue, developing a robust SLA                                 Trusted third party
Cross border law                                                          Global unity
Live forensics issue                                                      Virtual machine introspection
Volatile data                                                             Continuous synchronization
Trust issues of cloud computing                                           Trusted Platform Module (TPM)
Multi-tenancy issue                                                       Isolating a cloud instance
Chain of custody                                                          Data provenance in cloud

H. Trusted Platform Module (TPM)

To preserve the integrity and confidentiality of the data, several researchers proposed the TPM as the solution [35], [51]. TPM for cloud computing was proposed previously by several researchers for ensuring trust in cloud computing [57], [58]. By using a TPM, we can get machine authentication, hardware encryption, signing, secure key storage, and attestation. It can provide the integrity of the running virtual instance, trusted log files, and trusted deletion of data to customers. However, Dykstra et al. mentioned that the TPM is not totally secure and it is possible to modify a running process without being detected by the TPM. This limitation is structural: a TPM only records measurements taken when code is loaded, at boot or at launch, and does not observe a process after it starts, so runtime modification of a running process escapes it. Moreover, at present, CSPs have heterogeneous hardware and few of them have TPMs. Hence, CSPs cannot ensure a homogeneous hardware environment with TPMs in the near future.

I. Isolating a Cloud Instance

A cloud instance must be isolated if any incident takes place on that instance. Isolation is necessary because it helps to protect evidence from contamination. However, as multiple instances can be located on one node, this task becomes challenging. Delport et al. presented some possible techniques of cloud isolation [56]. Moving a suspicious instance from one node to another node may result in possible loss of evidence. To protect evidence, we can instead move the other instances residing on the same node. The first technique that is proposed is instance relocation. To move an instance, the data on secondary storage, the content of the virtual memory (e.g., swap memory), and the running processes must be moved. Relocation can be done in two ways: manual and automatic. In the manual mode, the administrator has all the power to move the instance. In the automatic mode, the CSP moves the
instance from one node to another. While moving, the challenge is to ensure the confidentiality, integrity, and availability of other users' data. The second technique is server farming, which can be used to re-route requests between user and node. The third technique is failover, where there is at least one server that is replicating another. There are three ways of failover: client-based failover, DNS-based failover, and IP-address takeover. Address relocation is another technique, which is actually a special case of DNS-based failover. When it is detected that the main computer has failed, the traffic is rerouted to the backup server. However, this procedure depends on the success of replication. We can also isolate an instance by placing it in a sandbox. One approach to creating a sandbox is installing a sandboxing application in the cloud operating system. Another approach is creating a virtual box around an instance and observing all its communication channels. The third technique is placing a Man in the Middle (MITM) between the cloud instance and the hardware. In that way, we can get log information from the CPU, RAM, hard drive, and network. To get benefit from this mechanism, the CSP should embrace this technique for implementation in its cloud.

J. Data Provenance in Cloud

Provenance provides the history of an object. By implementing secure provenance, we can get some important forensic information, such as who owns the data at a given time, who accesses the data, and when. Some researchers have applied the principles of provenance to cloud forensics [29], [35]. Secure provenance can ensure the chain of custody in cloud forensics as it can provide the chronological access history of evidence and how it was analyzed and preserved. There have been several projects for secure provenance in cloud computing [59], [60], but no CSP has practically implemented any of the mechanisms yet.

Table II gives an overview of the solutions in the three service models of cloud computing. Table III provides an analysis of challenges and solutions, i.e., which solution is applicable to overcome which challenge.

V. EVALUATION OF CURRENT FORENSIC TOOLS IN CLOUD

There are some popular and proven digital forensics tools used by forensic investigators, e.g., EnCase, AccessData FTK, and others. Though the data acquisition procedure is different in a cloud environment compared to traditional computer forensics, these tools can be used for data acquisition from a cloud environment. So far, there has been a single work that evaluates the capability of some available forensic tools in a cloud environment [51]. To evaluate the capability of the forensic tools, Dykstra et al. mostly focused on the data acquisition step. They chose Amazon EC2 for their experiment, and used EnCase and AccessData FTK to remotely acquire forensic evidence. They conducted three experiments to collect data from three different layers and succeeded in all of them. In the first experiment, they collected forensic data remotely from the guest OS layer of the cloud. EnCase Servlets and FTK Agents are the remote programs which were used to communicate and collect data. For the second experiment, they prepared a Eucalyptus cloud platform and collected data from the virtualization layer. In the third experiment, they tested acquisition at the host operating system layer through Amazon's export feature. They found that though it is possible to export data from S3, it is not possible from EBS.

VI. ADVANTAGES

Though cloud forensics is a complicated process and imposes new challenges on the digital forensic procedure, it offers some advantages over traditional computer forensics. Several researchers highlight the availability of the computing environment through VMs, which can be helpful to acquire the computing environment for forensic investigation [32], [34]. We can use the VM image as a source of digital evidence. The computation and storage power of cloud computing can also boost the investigation process [33], [34]. Cloud computing can reduce the time for data acquisition, data copying, transferring, and data cryptanalysis. Forensic image verification time will be reduced if a cloud application generates a cryptographic checksum or hash. Ruan et al. highlighted some advantages of cloud forensics, such as cost effectiveness, data abundance, overall robustness, scalability and flexibility, standards and policies, and forensics-as-a-service [27]. If the CSPs integrate forensic facilities in the cloud environment, or offer forensics-as-a-service to the customer by utilizing the immense computing power, then the customers do not need to implement any forensic schemes. In that way, cloud forensics will be cost effective for small and medium scale enterprises. Currently, Amazon replicates data in multiple zones to overcome single points of failure. In case of data deletion, this data abundance can be helpful to collect evidence. Amazon S3 automatically generates an MD5 hash of an object when we store the object in S3, which removes the need for external tools and reduces the time for generating a hash (note that the stored ETag equals the object's MD5 only for single-part uploads; a multipart upload gets an ETag that is not the object's MD5, so an investigator should confirm how an object was written before relying on its ETag as a hash). Amazon S3 also provides versioning support. From the version log, we can get some crucial information for investigation, such as who accessed the data and when, what the requestor's IP was, and what the change in a specific version was. Roussev et al. showed that for large-scale forensic analysis, cloud computing outperforms the traditional forensic computing technique [61].

VII. CLOUD COMPUTING USAGE IN DIGITAL FORENSICS

While the cloud computing model often makes digital forensics difficult, the use of cloud computing technology can also facilitate the traditional digital forensic investigation
procedure. Lin et al. proposed an RSA signature based scheme, where they showed how we can use the RSA signature scheme to safely transfer data from mobile devices to cloud storage [62]. It ensures the authenticity of the data and thus helps in maintaining a trustworthy chain of custody in forensic investigations. By using the RSA signature protocol, a verifier can verify the evidence in court. They described the steps of uploading the digital evidence to the forensic data center while preserving privacy, and of downloading it for verification. In this process, the cloud computing center computes the RSA signature and sends the signature to the cloud storage center, which saves the final output. The final output can later be downloaded to check the integrity of the data. They conducted an experiment with their method in both cloud and traditional environments and got better results in the cloud.

Table IV
OPEN PROBLEMS OF CLOUD FORENSICS AT A GLANCE

Open Problems
Overcome the dependence on the CSP
Making a proof of concept for the cloud management plane and forensics-as-a-service
Acquiring a large volume of data remotely for time critical cases
Preserving the chain of custody by secure data provenance
Guideline and implementation of global unity to overcome the cross border issue
Crime scene reconstruction in the cloud environment
Modifying the existing forensics tools to cope with the cloud paradigm
Identifying the precise location and jurisdiction of a certain datum
Security visualization of logs
Forensic time line analysis of logs
Log review, log correlation, and policy monitoring
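The following is an added example, not code from this paper or from Lin et al. [62], showing in working Python what the chain-of-custody requirement of Section III.C, the secure provenance idea of Section IV.J, and the signature-verified evidence transfer described above have in common: a ledger of custody events in which every entry carries the SHA-256 of the evidence, who handled it, what they did and when, the digest of the previous entry (so entries cannot be dropped or reordered), and an RSA signature over the entry digest that a third party holding only the public key can check. The RSA keypair is a toy built from two Mersenne primes so the block runs offline without any library; its factors are public, so it is for demonstration only, and a real deployment generates a fresh key and uses a padded scheme such as RSA-PSS. The evidence bytes, actor names and timestamps are constructed sample data.

```python
"""Hash-chained, RSA-signed chain-of-custody ledger (added example)."""
import hashlib
import json

# Toy RSA keypair for demonstration only: both primes are Mersenne primes,
# so the modulus is publicly factorable. Real use: fresh key, RSA-PSS.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q                              # ~648-bit modulus, larger than any SHA-256 digest
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (needs Python >= 3.8)
GENESIS = "0" * 64                     # "previous digest" of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def rsa_sign(digest_hex: str, d: int = D, n: int = N) -> int:
    """Sign a SHA-256 digest (as an integer < n) with the private exponent."""
    return pow(int(digest_hex, 16), d, n)


def rsa_verify(digest_hex: str, signature: int, e: int = E, n: int = N) -> bool:
    """Anyone holding (e, n) can check that the signature opens to the digest."""
    return pow(signature, e, n) == int(digest_hex, 16)


def entry_digest(entry: dict) -> str:
    """Digest over the canonical JSON of the custody fields only (not digest/sig)."""
    keys = ("seq", "prev", "evidence_sha256", "actor", "action", "ts")
    canonical = json.dumps({k: entry[k] for k in keys}, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode())


def append_entry(ledger: list, evidence: bytes, actor: str, action: str, ts: str) -> dict:
    """Append one custody event, linked to the previous entry and signed."""
    entry = {
        "seq": len(ledger),
        "prev": ledger[-1]["digest"] if ledger else GENESIS,
        "evidence_sha256": sha256_hex(evidence),
        "actor": actor,
        "action": action,
        "ts": ts,
    }
    entry["digest"] = entry_digest(entry)
    entry["sig"] = rsa_sign(entry["digest"])
    ledger.append(entry)
    return entry


def verify_ledger(ledger: list, evidence: bytes) -> tuple:
    """Walk the chain; return (True, 'ok') or (False, reason) at the first break."""
    expected_prev = GENESIS
    current_hash = sha256_hex(evidence)
    for i, entry in enumerate(ledger):
        if entry["seq"] != i or entry["prev"] != expected_prev:
            return False, f"link broken at entry {i}"          # dropped / reordered entry
        if entry_digest(entry) != entry["digest"]:
            return False, f"entry {i} fields modified"          # edited custody record
        if not rsa_verify(entry["digest"], entry["sig"]):
            return False, f"entry {i} signature invalid"        # re-signed without the key
        if entry["evidence_sha256"] != current_hash:
            return False, f"evidence bytes differ from entry {i}"  # evidence itself altered
        expected_prev = entry["digest"]
    return True, "ok"


# Constructed sample evidence and custody events (hypothetical names/times).
EVIDENCE = b"vm-7f3a disk image, sectors 0..1023 (constructed sample)"


def demo_ledger() -> list:
    ledger = []
    append_entry(ledger, EVIDENCE, "investigator@example", "acquired via CSP export", "2012-07-05T09:12:00Z")
    append_entry(ledger, EVIDENCE, "lab-analyst@example", "hashed and imaged", "2012-07-05T10:40:00Z")
    append_entry(ledger, EVIDENCE, "custodian@example", "sealed for court", "2012-07-06T08:00:00Z")
    return ledger


if __name__ == "__main__":
    ledger = demo_ledger()
    print(verify_ledger(ledger, EVIDENCE))       # (True, 'ok')
    ledger[1]["actor"] = "someone-else"           # tamper with a custody field
    print(verify_ledger(ledger, EVIDENCE))       # (False, 'entry 1 fields modified')
```

A keyed MAC would give the same tamper detection, but only to whoever holds the key; the public-key signature is what lets an independent verifier in court check the record without being trusted with the signing key, which is the point of the RSA-based scheme above.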
Buchanan et al. proposed a cloud-based Digital Foren-
sics Evaluation Test (D-FET) platform to measure the per- Marty proposed some open research topics in application
performance of the digital forensics tools [63]. The quality metrics are true positives, false positives, and operational performance (e.g., the speed of success, CPU utilization, and memory usage). They described how they set up the virtualization environment and how they ran their experiment in it.

VIII. OPEN PROBLEMS

In Section IV, we saw that researchers have proposed several solutions to mitigate some of the challenges. Unfortunately, only a few of the proposed solutions have been tested against real-world scenarios, and, to the best of the authors' knowledge, no CSP has adopted any of them yet. A good number of open problems remain. A cloud management plane or API for retrieving the necessary logs can reduce the dependence on the CSP. However, because the investigator has no physical access, many acquisition tasks still depend on the CSP, e.g., collecting temporary registry logs or recovering deleted files from the underlying disk. Reducing the dependence on the CSP therefore remains unsolved.

Limited bandwidth is another critical issue. If the volume of cloud storage to be acquired is large, bandwidth becomes the bottleneck in a time-critical case; this issue has not been resolved yet. Several researchers have proposed secure data provenance to address the chain of custody issue, but no concrete work has yet shown how the chain of custody can actually be preserved by secure provenance. To mitigate the cross-border issue, researchers have proposed global unity, but there is no guideline for how this would be realized in practice. Moreover, no solution has been proposed for the crime scene reconstruction or presentation issues. Adapting existing forensic tools, or creating new tools, to cope with the cloud environment is another significant issue that has not been resolved yet.

Several researchers have also discussed open problems of cloud forensics. On the logging issue, the open problems identified for cloud application logging are: security visualization, forensic time-line analysis, log review, log correlation, and policy monitoring [37]. Wolthusen identified another critical open problem: identifying the precise location, and hence the jurisdiction, under which a given datum lies [31]. Table IV provides an overview of the open problems in cloud forensics.

IX. CONCLUSION

With the increasing use of cloud computing, there is growing emphasis on providing trustworthy cloud forensics schemes. Researchers have explored the challenges and proposed some solutions to mitigate them. In this article, we have summarized the existing challenges and solutions of cloud forensics to answer the question: Where does cloud forensics stand now? Current research efforts suggest that cloud forensics is still in its infancy. There are numerous open problems, which we listed in Section VIII. By analyzing the challenges and existing solutions, we argue that CSPs need to come forward to resolve most of the issues. From the customer's point of view there is very little to do other than application logging; all other solutions depend on CSPs and policy makers. For forensic data acquisition, CSPs can shift part of the responsibility to the investigator by providing a robust API or management plane for acquiring evidence. Legal issues also hinder the smooth execution of forensic investigations. A collaborative effort from public and private organizations, as well as research and academia, is needed to overcome this. Solving the challenges of cloud forensics will clear the way for a forensics-enabled cloud and allow more customers to take advantage of cloud computing.
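The chain of custody problem raised in Section VIII (secure provenance has been proposed, but no concrete construction has been shown) can be made tangible with a small hash-chained custody log. The block below is an added example written for this discussion; it is not part of the original paper and not the provenance mechanism of [59] or [60]. It assumes that each custody event is a JSON record, that the HMAC key is held by the investigating party rather than the CSP, and that the acquisition events and artifact bytes are constructed sample data.

```python
"""Hash-chained, keyed chain-of-custody log (illustrative sketch, not the paper's code).

Assumptions: records are JSON objects; the HMAC key belongs to the
investigating party, not the CSP; sample events below are constructed.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "prev" value of the first record


def artifact_hash(data: bytes) -> str:
    """SHA-256 of an acquired artifact (disk image, log bundle, memory dump)."""
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic serialization so the same record always yields the same tag.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class CustodyLog:
    def __init__(self, key: bytes):
        self.key = key
        self.records = []

    def append(self, actor: str, action: str, artifact_sha256: str, timestamp: str) -> dict:
        """Append one custody event. The record binds artifact hash, actor and
        time to the tag of the previous record, so the chain cannot be
        reordered, edited, or cut in the middle without the key."""
        prev = self.records[-1]["tag"] if self.records else GENESIS
        body = {"seq": len(self.records), "prev": prev, "actor": actor,
                "action": action, "artifact_sha256": artifact_sha256,
                "timestamp": timestamp}
        tag = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        rec = dict(body, tag=tag)
        self.records.append(rec)
        return rec

    def first_bad_record(self) -> int:
        """Index of the first record that fails verification, or -1 if the
        whole chain is intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "tag"}
            if body.get("seq") != i or body.get("prev") != prev:
                return i  # reordered, deleted or inserted record
            expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, rec.get("tag", "")):
                return i  # edited record, or verifier holds a different key
            prev = rec["tag"]
        return -1


def build_sample_log(key: bytes = b"investigator-key-for-demo") -> CustodyLog:
    """Constructed scenario: a VM snapshot exported through the CSP's API,
    then handled by two people. Key and events are sample data."""
    snapshot = b"constructed sample: bytes of an exported VM snapshot"
    h = artifact_hash(snapshot)
    log = CustodyLog(key)
    log.append("csp-export-api", "snapshot-exported", h, "2012-07-05T10:00:00Z")
    log.append("investigator-a", "hash-verified-on-receipt", h, "2012-07-05T10:05:00Z")
    log.append("investigator-a", "copied-to-evidence-store", h, "2012-07-05T10:20:00Z")
    log.append("analyst-b", "opened-for-analysis", h, "2012-07-06T09:00:00Z")
    return log


def tamper_artifact_hash(log: CustodyLog, index: int) -> None:
    """Simulate substitution of the artifact behind one custody record."""
    log.records[index]["artifact_sha256"] = artifact_hash(b"substituted image")


def drop_record(log: CustodyLog, index: int) -> None:
    """Simulate removal of one custody step from the middle of the chain."""
    del log.records[index]


if __name__ == "__main__":
    log = build_sample_log()
    print("intact chain:", log.first_bad_record())    # -1
    tamper_artifact_hash(log, 2)
    print("after edit:", log.first_bad_record())      # 2
    log = build_sample_log()
    drop_record(log, 1)
    print("after deletion:", log.first_bad_record())  # 1
```

Two caveats a practitioner should keep in mind. First, the check detects edits, reordering and deletion inside the chain, but not removal of the most recent records: the latest tag has to be anchored outside the log (countersigned by a second party or published) for tail truncation to be detectable. Second, a single HMAC key means whoever verifies can also forge; in a multi-party custody chain each actor should sign its own record with its own key, which is exactly the kind of concrete construction the open problem asks for.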
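The conclusion notes that application logging is the one lever a cloud customer controls, and Section VIII lists log correlation, forensic time-line analysis and policy monitoring among the open logging problems [37]. The block below is an added example, not code from the paper or from [37], showing what a forensics-ready application log looks like and how those three analyses run over it. The JSON-lines format, the field names (request_id, tenant, owner) and the log lines themselves are assumptions constructed for the example.

```python
"""Forensics-ready application logging with correlation, time-line and policy checks.

Added illustrative example (not from the paper or [37]). The JSON-lines
format, field names and sample lines are constructed assumptions.
"""
import json
from datetime import datetime

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"  # assumed: UTC with millisecond precision


def log_record(service: str, event: str, request_id: str, tenant: str, ts: str, **fields) -> str:
    """Emit one structured log line. Every line carries what an investigator
    needs to join it with lines from other services: a request id, the
    tenant on whose behalf the action ran, and a UTC timestamp."""
    rec = {"ts": ts, "service": service, "event": event,
           "request_id": request_id, "tenant": tenant}
    rec.update(fields)
    return json.dumps(rec, sort_keys=True)


def parse_records(lines):
    return [json.loads(line) for line in lines if line.strip()]


def correlate(records):
    """Log correlation: group events from all services by request id."""
    by_request = {}
    for rec in records:
        by_request.setdefault(rec["request_id"], []).append(rec)
    return by_request


def timeline(records, request_id):
    """Forensic time-line analysis: the events of one request in time order,
    regardless of the order in which the services wrote them."""
    events = [r for r in records if r["request_id"] == request_id]
    events.sort(key=lambda r: datetime.strptime(r["ts"], TS_FORMAT))
    return [(r["ts"], r["service"], r["event"]) for r in events]


def policy_violations(records):
    """Policy monitoring: a storage read violates policy when the object's
    owner is not the tenant the request ran for, or when no explicit
    authorization decision was logged for that request."""
    violations = []
    for request_id, events in correlate(records).items():
        authorized = any(e["event"] == "authz.decision" and e.get("decision") == "allow"
                         for e in events)
        for e in events:
            if e["event"] != "object.read":
                continue
            if e.get("owner") != e["tenant"] or not authorized:
                violations.append((request_id, e["object"]))
    return violations


# Constructed sample: three services writing lines out of time order.
SAMPLE_LINES = [
    log_record("storage", "object.read", "r-001", "acme", "2012-07-05T10:00:00.300Z",
               object="acme/reports/q2.pdf", owner="acme"),
    log_record("api-gateway", "request.received", "r-001", "acme", "2012-07-05T10:00:00.100Z",
               src_ip="203.0.113.7", path="/reports/q2.pdf"),
    log_record("app", "authz.decision", "r-001", "acme", "2012-07-05T10:00:00.200Z",
               decision="allow"),
    log_record("api-gateway", "request.received", "r-002", "acme", "2012-07-05T10:01:00.100Z",
               src_ip="203.0.113.7", path="/../globex/payroll.csv"),
    log_record("storage", "object.read", "r-002", "acme", "2012-07-05T10:01:00.250Z",
               object="globex/payroll.csv", owner="globex"),
]


def run_demo():
    records = parse_records(SAMPLE_LINES)
    return timeline(records, "r-001"), policy_violations(records)


if __name__ == "__main__":
    tl, violations = run_demo()
    for row in tl:
        print(*row)
    print("violations:", violations)  # [('r-002', 'globex/payroll.csv')]
```

The point of the example is the field discipline, not the analysis code: without a request id and tenant on every line, the correlation step is guesswork, and without a logged authorization decision the policy check cannot distinguish a permitted read from one that bypassed the application's checks. Those fields are entirely under the customer's control, which is why the conclusion singles out application logging.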
REFERENCES

[1] A. Khajeh-Hosseini, D. Greenwood, and I. Sommerville, "Cloud migration: A case study of migrating an enterprise system to IaaS," in Proceedings of the 3rd International Conference on Cloud Computing (CLOUD). IEEE, 2010, pp. 450–457.

[2] Market Research Media, "Global cloud computing market forecast 2015–2020," http://www.marketresearchmedia.com/2012/01/08/global-cloud-computing-market/, [Accessed July 5th, 2012].

[3] Gartner, "Worldwide cloud services market to surpass $68 billion in 2010," http://www.gartner.com/it/page.jsp?id=1389313, 2010, [Accessed July 5th, 2012].

[4] INPUT, "Evolution of the cloud: The future of cloud computing in government," http://iq.govwin.com/corp/library/detail.cfm?ItemID=8448&cmp=OTC-cloudcomputingma042009, 2009, [Accessed July 5th, 2012].

[5] Clavister, "Security in the cloud," Clavister White Paper, http://www.clavister.com/documents/resources/white-papers/clavister-whp-security-in-the-cloud-gb.pdf, [Accessed July 5th, 2012].

[6] Amazon, "Zeus botnet controller," Amazon Security Bulletin, http://aws.amazon.com/security/security-bulletins/zeus-botnet-controller/, [Accessed July 5th, 2012].

[7] FBI, "Annual report for fiscal year 2007," Regional Computer Forensics Laboratory Program, 2008, [Accessed July 5th, 2012].

[8] P. Mell and T. Grance, "Draft NIST working definition of cloud computing, v15," Aug. 21, 2009.

[9] Open Cloud Consortium, "Open cloud manifesto," The Open Cloud Manifesto Consortium, 2009.

[10] D. Parkhill, The Challenge of the Computer Utility. Addison-Wesley, 1966.

[11] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica et al., "Above the clouds: A Berkeley view of cloud computing," EECS Department, University of California, Berkeley, Tech. Rep. UCB/EECS-2009-28, 2009.

[12] Salesforce, "Social enterprise and CRM in the cloud - salesforce.com," http://www.salesforce.com/, 2012, [Accessed July 5th, 2012].

[13] Google, "Google Drive," https://drive.google.com/start#home, [Accessed July 5th, 2012].

[14] ——, "Google Calendar," https://www.google.com/calendar/, [Accessed July 5th, 2012].

[15] GAE, "Google App Engine," http://appengine.google.com, [Accessed July 5th, 2012].

[16] Azure, "Windows Azure," http://www.windowsazure.com, [Accessed July 5th, 2012].

[17] B. Grobauer and T. Schreck, "Towards incident handling in the cloud: Challenges and approaches," in Proceedings of the 2010 ACM Workshop on Cloud Computing Security (CCSW '10). New York, NY, USA: ACM, 2010, pp. 77–86. [Online]. Available: http://doi.acm.org/10.1145/1866835.1866850

[18] Amazon EC2, "Amazon Elastic Compute Cloud (Amazon EC2)," http://aws.amazon.com/ec2/, [Accessed July 5th, 2012].

[19] H. Motahari-Nezhad, B. Stephenson, and S. Singhal, "Outsourcing business to cloud computing services: Opportunities and challenges," IEEE Internet Computing, Palo Alto, vol. 10, 2009.

[20] Amazon, "Amazon SimpleDB," http://aws.amazon.com/simpledb/, 2012, [Accessed July 5th, 2012].

[21] F. Chang, J. Dean, S. Ghemawat, W. Hsieh, D. Wallach, M. Burrows, T. Chandra, A. Fikes, and R. Gruber, "Bigtable: A distributed storage system for structured data," ACM Transactions on Computer Systems (TOCS), vol. 26, no. 2, p. 4, 2008.

[22] J. Wiles, K. Cardwell, and A. Reyes, The Best Damn Cybercrime and Digital Forensics Book Period. Syngress Media Inc, 2007.

[23] K. Kent, S. Chevalier, T. Grance, and H. Dang, "Guide to integrating forensic techniques into incident response," NIST Special Publication 800-86, 2006.

[24] D. Lunn, "Computer forensics: An overview," SANS Institute, vol. 2002, 2000.

[25] J. Robbins, "An explanation of computer forensics," National Forensics Center, vol. 774, pp. 10–143, 2008.

[26] K&L Gates, "E-discovery amendments to the federal rules of civil procedure go into effect today," http://bit.ly/UJU5cs, December 2006, [Accessed July 5th, 2012].

[27] K. Ruan, J. Carthy, T. Kechadi, and M. Crosbie, "Cloud forensics: An overview," in Proceedings of the 7th IFIP International Conference on Digital Forensics, 2011.

[28] D. Birk, "Technical challenges of forensic investigations in cloud computing environments," in Workshop on Cryptography and Security in Clouds, January 2011.

[29] J. Dykstra and A. Sherman, "Understanding issues in cloud forensics: Two hypothetical case studies," Journal of Network Forensics, vol. b, no. 3, pp. 19–31, 2011.

[30] H. Guo, B. Jin, and T. Shang, "Forensic investigations in cloud environments," in Proceedings of the 2012 International Conference on Computer Science and Information Processing (CSIP). IEEE, 2012, pp. 248–251.

[31] S. Wolthusen, "Overcast: Forensic discovery in cloud environments," in Proceedings of the Fifth International Conference on IT Security Incident Management and IT Forensics (IMF). IEEE, 2009, pp. 3–9.

[32] D. Reilly, C. Wren, and T. Berry, "Cloud computing: Pros and cons for computer forensic investigations," International Journal of Multimedia and Image Processing (IJMIP), vol. 1, no. 1, pp. 26–34, March 2011.

[33] L. Slusky, P. Partow-Navid, and M. Doroodchi, "Cloud computing and computer forensics for business applications," Journal of Technology Research, vol. 3, July 2012.

[34] M. Taylor, J. Haggerty, D. Gresty, and R. Hegarty, "Digital evidence in cloud computing systems," Computer Law & Security Review, vol. 26, no. 3, pp. 304–308, 2010.

[35] D. Birk and C. Wegener, "Technical issues of forensic investigations in cloud computing environments," in Systematic Approaches to Digital Forensic Engineering (SADFE), 2011.

[36] T. Ristenpart, E. Tromer, H. Shacham, and S. Savage, "Hey, you, get off of my cloud: Exploring information leakage in third-party compute clouds," in Proceedings of the 16th ACM Conference on Computer and Communications Security. ACM, 2009, pp. 199–212.

[37] R. Marty, "Cloud application logging for forensics," in Proceedings of the 2011 ACM Symposium on Applied Computing. ACM, 2011, pp. 178–184.

[38] AWS, "Amazon Web Services," http://aws.amazon.com, [Accessed July 5th, 2012].

[39] J. Vacca, Computer Forensics: Computer Crime Scene Investigation, vol. 1. Delmar Thomson Learning, 2005.

[40] G. Grispos, T. Storer, and W. Glisson, "Calm before the storm: The challenges of cloud computing in digital forensics," International Journal of Digital Crime and Forensics (IJDCF), 2012.

[41] Zafarullah, F. Anwar, and Z. Anwar, "Digital forensics for Eucalyptus," in Frontiers of Information Technology (FIT). IEEE, 2011, pp. 110–116.

[42] S. Biggs and S. Vidalis, "Cloud computing: The impact on digital forensic investigations," in Proceedings of the International Conference for Internet Technology and Secured Transactions (ICITST). IEEE, 2009, pp. 1–6.

[43] M. Gertz and S. Jajodia, Handbook of Database Security: Applications and Trends. Springer-Verlag New York Inc, 2008.

[44] K. Popovic and Z. Hocenski, "Cloud computing security issues and challenges," in Proceedings of the 33rd International Convention MIPRO. IEEE, 2010, pp. 344–349.

[45] Congress of the United States, "Sarbanes-Oxley Act," http://thomas.loc.gov, 2002, [Accessed July 5th, 2012].

[46] Centers for Medicare and Medicaid Services, "The Health Insurance Portability and Accountability Act of 1996 (HIPAA)," http://www.cms.hhs.gov/hipaa/, 1996, [Accessed July 5th, 2012].

[47] Securities and Exchange Commission, "Guidance to broker-dealers on the use of electronic storage media under the National Commerce Act of 2000 with respect to Rule 17a-4(f)," http://www.sec.gov/rules/interp/34-44238.htm, 2001, [Accessed July 5th, 2012].

[48] Congress of the United States, "The E-Government Act, U.S. Public Law 107-347," 2002.

[49] ——, "Gramm-Leach-Bliley Financial Services Modernization Act, Public Law No. 106-102, 113 Stat. 1338," 1999.

[50] European Parliament, "Legislative documents," http://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm, 2006, [Accessed July 5th, 2012].

[51] J. Dykstra and A. Sherman, "Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and evaluating tools, trust, and techniques," DoD Cyber Crime Conference, January 2012.

[52] R. Ko, P. Jagadpramana, M. Mowbray, S. Pearson, M. Kirchberg, Q. Liang, and B. Lee, "TrustCloud: A framework for accountability and trust in cloud computing," in Proceedings of the IEEE World Congress on Services (SERVICES). IEEE, 2011, pp. 584–588.

[53] R. Hegarty, M. Merabti, Q. Shi, and B. Askwith, "Forensic analysis of distributed data in a service oriented computing platform," in Proceedings of the 10th Annual Postgraduate Symposium on the Convergence of Telecommunications, Networking & Broadcasting (PGNet), 2009.

[54] B. Hay and K. Nance, "Forensics examination of volatile system data using virtual introspection," ACM SIGOPS Operating Systems Review, vol. 42, no. 3, pp. 74–82, 2008.

[55] LibVMI, "LibVMI: An introspection library," http://code.google.com/p/vmitools/, [Accessed July 5th, 2012].

[56] W. Delport, M. Köhn, and M. S. Olivier, "Isolating a cloud instance for a digital forensic investigation," in Proceedings of the Information and Computer Security Architecture (ICSA), 2011.

[57] F. Krautheim, D. Phatak, and A. Sherman, "Introducing the trusted virtual environment module: A new mechanism for rooting trust in cloud computing," in Trust and Trustworthy Computing, 2010, pp. 211–227.

[58] N. Santos, K. Gummadi, and R. Rodrigues, "Towards trusted cloud computing," in Proceedings of the 2009 Conference on Hot Topics in Cloud Computing (HotCloud). USENIX Association, 2009, p. 3.

[59] K. Muniswamy-Reddy, P. Macko, and M. Seltzer, "Provenance for the cloud," in Proceedings of the 8th USENIX Conference on File and Storage Technologies (FAST). USENIX Association, 2010, pp. 15–14.

[60] K. Muniswamy-Reddy and M. Seltzer, "Provenance as first class cloud data," ACM SIGOPS Operating Systems Review, vol. 43, no. 4, pp. 11–16, 2010.

[61] V. Roussev, L. Wang, G. Richard, and L. Marziale, "A cloud computing platform for large-scale forensic computing," in Advances in Digital Forensics V, 2009, pp. 201–214.

[62] C. Lin, C. Lee, and T. Wu, "A cloud-aided RSA signature scheme for sealing and storing the digital evidences in computer forensics," International Journal of Security and Its Applications, vol. 6, no. 2, April 2012.

[63] W. Buchanan, J. Graves, N. Bose, R. Macfarlane, B. Davison, and R. Ludwiniak, "Performance and student perception evaluation of cloud-based virtualised security and digital forensics labs," in HEA ICS Conference, 2011.
