Вы находитесь на странице: 1из 44

See discussions, stats, and author profiles for this publication at: https://www.researchgate.


Digital Forensic Investigation and Cloud Computing

Chapter · January 2015

DOI: 10.4018/978-1-4666-6539-2.ch057

1 249

4 authors, including:

Joshua I James Pavel Gladyshev

Hallym University, Chuncheon, South Korea University College Dublin


Some of the authors of this publication are also working on these related projects:

IoT Forensic Investigation View project

Cyber Peacekeeping View project

All content following this page was uploaded by Joshua I James on 04 July 2017.

The user has requested enhancement of the downloaded file.

Cybercrime and Cloud
Applications for Investigation
Keyun Ruan
University College Dublin, Ireland
Managing Director: Lindsay Johnston
Editorial Director: Joel Gamon
Book Production Manager: Jennifer Yoder
Publishing Systems Analyst: Adrienne Freeland
Development Editor: Austin DeMarco
Assistant Acquisitions Editor: Kayla Wolfe
Typesetter: Christy Fic
Cover Design: Jason Mull

Published in the United States of America by

Information Science Reference (an imprint of IGI Global)
701 E. Chocolate Avenue
Hershey PA 17033
Tel: 717-533-8845
Fax: 717-533-8661
E-mail: cust@igi-global.com
Web site: http://www.igi-global.com

Copyright © 2013 by IGI Global. All rights reserved. No part of this publication may be reproduced, stored or distributed in
any form or by any means, electronic or mechanical, including photocopying, without written permission from the publisher.
Product or company names used in this set are for identification purposes only. Inclusion of the names of the products or
companies does not indicate a claim of ownership by IGI Global of the trademark or registered trademark.

Library of Congress Cataloging-in-Publication Data

Cybercrime and cloud forensics: applications for investigation processes / Keyun Ruan, editor.
p. cm.
Includes bibliographical references and index.
Summary: “This book presents a collection of research and case studies of applications for investigation processes in cloud
computing environments, offering perspectives of cloud customers, security architects as well as law enforcement agencies
on the new area of cloud forensics”-- Provided by publisher.
ISBN 978-1-4666-2662-1 (hardcover) -- ISBN 978-1-4666-2693-5 (ebook) -- ISBN 978-1-4666-2724-6 (print & perpetual
access) 1. Computer crimes--Investigation. 2. Forensic sciences--Data processing. 3. Cloud computing. 4. Computer
crimes--Investigation--Case studies. 5. Cloud computing--Case studies. I. Ruan, Keyun, 1986-
HV8079.C65C95 2013

British Cataloguing in Publication Data

A Cataloguing in Publication record for this book is available from the British Library.

All work contributed to this book is new, previously-unpublished material. The views expressed in this book are those of the
authors, but not necessarily of the publisher.

Chapter 1
Digital Forensic Investigation
and Cloud Computing
Joshua I. James
University College Dublin, Ireland

Ahmed F. Shosha
University College Dublin, Ireland

Pavel Gladyshev
University College Dublin, Ireland

This chapter aims to be a high-level introduction into the fundamental concepts of both digital forensic
investigations and cloud computing for non-experts in one or both areas. Once fundamental concepts
are established, this work begins to examine cloud computing security-related questions, specifically
how past security challenges are inherited or solved by cloud computing models, as well as new secu-
rity challenges that are unique to cloud environments. Next, an analysis is given of the challenges and
opportunities cloud computing brings to digital forensic investigations. Finally, the Integrated Digital
Investigation Process model is used as a guide to illustrate considerations and challenges during an
investigation involving cloud environments.

INTRODUCTION concerns have been raised about the security of

cloud environments. As seen with traditional
Cloud computing is a topic that has been gaining computing, a growing concern for security leads
popularity with businesses and end users in recent to consideration of incident response and eventu-
years. A certain level of hype and inconsistent ally digital forensic investigation capabilities. This
definition has lead to some confusion about work endeavors to examine the implications of
what cloud computing is, and what services it cloud computing on digital forensic investigations.
can provide. Along with general confusion, some To accomplish this, a high-level introduc-
tion into fundamental concepts of both digital
forensic investigations and cloud computing for
DOI: 10.4018/978-1-4666-2662-1.ch001
non-experts will be given. A brief overview of

Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
Digital Forensic Investigation and Cloud Computing

the history and advancement of digital forensic is because digital evidence cannot be directly
science, legal considerations surrounding digital observed that the admissibility of such evidence
forensic investigations, the current state of digital in court is under constant scrutiny (Casey, 2004).
crime, types of digital forensic examinations, and To help establish digital forensics as a credible
an introduction into current digital forensic inves- forensic science, digital forensic science was
tigation process models will be given to build the defined at the first Digital Forensics Research
reader’s understanding of digital forensic science. Workshop (DFRWS) in 2001 as:
Next, fundamental concepts of cloud computing,
such as service and deployment models, will be The use of scientifically derived and proven meth-
covered. Once fundamental knowledge of cloud ods toward the preservation, collection, validation,
computing is established, some cloud computing identification, analysis, interpretation, docu-
security issues will be examined, followed by an mentation and presentation of digital evidence
analysis of the challenges and opportunities cloud derived from digital sources for the purpose of
computing brings to digital forensic investigations. facilitating or furthering the reconstruction of
Finally, a digital forensic investigation model will events found to be criminal, or helping to antici-
be used as a guide to illustrate digital forensic pate unauthorized actions show to be disruptive
investigation challenges when applied to cloud to planned operations.
Digital investigation, however, predates this
academic definition. Several notable but less
DIGITAL FORENSIC SCIENCE developed definitions were previously proposed,
such as those submitted by McKemmish (1999)
This section is a brief overview of the history and and Civie and Civie (1998). Likewise, beyond
advancement of digital forensic science. Legal academic definitions, research and digital inves-
considerations surrounding digital forensic inves- tigations were already taking place prior to 2001.
tigations, primarily focused on law in the United For example, Pollitt (1995) claimed that “[f]or a
States, are discussed as well as the current state of number of years now, law enforcement agencies
digital crime and how digital investigators are ad- have been seizing computers and other electronic
dressing this global problem. Key digital forensic devices.” A growing interest in digital forensic in-
definitions, types of digital forensic examinations, vestigation is confirmed by looking at other works
and an introduction into current digital forensic of the early 1990s (Collier & Spaul, 1992a, 1992b;
investigation process models are given to build Clede, 1993; Spafford & Weeber, 1993). Hannan
the reader’s understanding of the field. (2004) claims “forensic computing origins lay in
the late 1980s…,” which is when computer-based
History and Advancement of evidence was encountered more often by police
Digital Forensic Science (Jones, 2004), and is perhaps true for forensic
computing as a field or separate science (Garfinkel,
Digital forensics1 is a branch of the forensic 2010), but from a legal perspective computers and
sciences that deals with the analysis of digital computer evidence were topics of concern before
evidence from digital sources (Palmer, 2001). then. For example, the U.S. Computer Fraud and
Unlike traditional forensic sciences, a digital fo- Abuse Act was first enacted in 1984 (USDoJ,
rensic analysis attempts to analyze non-physical 2002), and also in the early 1980s Computer in
evidence, or evidence that cannot be directly Court - A Guide to Computer Evidence for Lawyers
observed by humans without interpretation. It and Computing Professionals (Kelman & Sizer,

Digital Forensic Investigation and Cloud Computing

1982) was published that considers fundamental forensic investigations, the resulting evidence must
legal issues in relation to computer evidence. Even be admissible in court (Carrier, 2006). As stated
prior to this work, the admissibility of computer by Cohen (2010), “[o]n a global level, the most
evidence from digital devices has been discussed commonly applied standards are similar to the
as early as 1974 (Tapper, 1974), with references to U.S. Federal Rules of Evidence and the Daubert
computer technology in trials appearing as early decision.” In the United States, the admissibility of
as 1962. In the mid-1970s computer evidence scientific evidence was primarily examined using
became more of a focus (Roberts, 1974; DeHetre, the Frye standard—from Frye v. United States,
1975; Jenkins, 1975) rapidly evolving through the 293 F. 1013 (1923)—where accepted scientific
late 1970s when the computer was compared to evidence is based on the scientific community’s
an expert witness (Teubner, 1978), and the basic general acceptance of the employed technique.
tenants for admissibility of computer evidence The Frye standard was superseded in 1993 by the
were explored (Connery & Levy, 1979); most of Daubert standard (Daubert v. Merrell Dow, 509
which is still relevant today. This increased inter- U.S. 579 [1993]; General Electric Co. v. Joiner,
est in the mid-1970s correlates to the increasing 522 U.S. 136 [1997]; Kumho Tire Co. v. Carmi-
reliance on computer systems in business, and chael, 526 U.S. 137 [1999]), although not without
an increasing availability and usage among the criticism (Gutheil & Bursztajn, 2005; Giannelli,
public (Polsson, 2011). Even with a considerable 2006). The Daubert standard allows a judge to
amount of evolution and previous work, Wilsdon determine the reliability of scientific evidence
and Slay (2005) claim that there are issues when during what is called a “Daubert Hearing,” usu-
it comes to implementation of past research and ally before the trial. Four general categories are
development in digital forensic investigations; a used as guidelines when assessing a scientific
claim reiterated by Pollitt (2007) and Garfinkel technique: testing, error rate, publication of the
(2010). technique, and acceptance from the scientific
Despite a multitude of technological, and in community (Carrier, 2003). The Daubert standard
some ways philosophical, changes to the field of was introduced to reduce the misuse of scientific
digital investigation, the DFRWS definition is still evidence, but still not all states in the U.S. have
widely accepted. Alternatives, or amendments, adopted the Daubert standard; either keeping with
have been proposed (Hannan, 2004; Kent, et al., the Frye standard or opting for their own testing
2006), but the DFRWS definition has remained methods (O’Connor, 2010). For additional infor-
popular. Since the time of this definition, the areas mation on global legal considerations concerning
of evidence preservation, collection, validation, digital crime, digital forensic investigations, and
identification, analysis, interpretation, documen- admissibility of digital evidence, please see the
tation, and presentation have been continually Additional Reading.
developed, and various process models and stan- The field of digital forensic investigation has
dards for each phase of digital investigations have had to cope with the rapid creation and adoption
been proposed. However, no one standard has yet of digital devices. A growing number of inter-
to see global acceptance (Wilsdon & Slay, 2005; connected devices can be exploited from almost
Hunton, 2012; Lim, et al., 2012), and according anywhere in the world, but law enforcement still
to James and Gladyshev (2010) the majority of struggle with the concept of jurisdiction in an
organizations are creating their own Standard online world without borders, sometimes resulting
Operating Procedures (SOP), which are not always in illegal, or at least questionable, cross-border ac-
directly based on a common standard. But regard- tions by law enforcement (Lemos, 2001; Anderson,
less of the process used, when considering digital 2012). While research, legal and even practical

Digital Forensic Investigation and Cloud Computing

foundations of digital forensics have been slowly most investigations today involve some sort of digi-
forming, a continuing lack of communication tal component. Cisco (2012) estimates that “[b]y
between government, corporate and academic the end of 2012, the number of mobile-connected
entities worldwide has been a limiting factor in devices will exceed the number of people on
the effectiveness of investigating global digital earth.” In more saturated regions when a crime
crimes (Broadhurst, 2006; Jang, 2012). happens, both criminals and bystanders are likely
to be producing digital information, which may be
Continued Lack of Communication in of use in the investigation of a non-digital crime.
an Increasingly Connected World Amateur pictures and videos taken by cell phones
have captured abuse, and even murder (Barnard,
According to Internet World Stats (2011), from 2009; CNN, 2009), and have been used as evidence
late 2000 to late 2011 there has been an estimated in court (Nguyen, 2012). Further, text messages,
528.1% worldwide growth in Internet users, cell phone logs and geo-location services are also
numbering 361 million in 2000 to 2.267 billion commonly analyzed by law enforcement in digital
at the end of 2011, a trend which is expected to and non-digital crime investigation. This presents a
continue (IBTimes, 2010; Meeker, 2012). Cisco difficult situation for digital forensic investigators.
(2012) estimates that there will be over 10 billion The field of digital forensic science is relatively
mobile-connected devices by 2016. Further, tradi- new, technologies are rapidly advancing, and the
tional and non-traditional digital devices - such as scope of the digital investigator’s job continually
TVs and kitchen appliances - are expected to be expands. Yet funding for digital investigators in
increasingly connected to the Internet, contribut- law enforcement is slow to increase (Gogolin,
ing to a forecasted 50 billion devices connected 2010). This may change with the perceived2
by 2020 (Higginbotham, 2010). This growth in growing threat of a full-scale “cyber war3,” and
users, devices, and associated services has given some countries may begin to focus budgets on
rise new possibilities for business and communi- digital investigation and security (Paul, 2012).
cations, as well as digital crime. Statistics from Regardless, digital forensic investigators must
the Internet Crime Complaint Center (IC3) (IC3, attempt to keep up with rapidly advancing digital,
2011), a US-based organization, show that there as well as traditional, criminals while ensuring the
was a 3.4% increase in complaints filed from 2010 integrity of the science of digital forensics. Rapid
to 2011, with 303,809 and 314,246 complains per changes in digital forensic science, however, can-
year, respectively. McAfee (2010) gives an over- not come from digital forensic investigators alone.
view of the growth of digital crime from 2000 to Improved collaboration and communication is
2010, claiming that the cybercriminal community needed between the currently siloed digital crime
evolved from hackers simply looking for a chal- investigation players—military, law enforcement,
lenge, to organized gangs looking to profit off corporate, and academia—and must be focused at
the rapidly increasing use of connected devices a global, not national, level (Jones, 2012).
and services. Some gangs are well established,
and in 2011 a single highly-organized gang was Digital Forensic Investigation
suspected of being responsible for up to a third of
all data thefts (Williams, 2011). Digital forensic Carrier (2006) differentiates between ‘digital
investigators, however, not only need to deal with investigations’ and ‘digital forensic investiga-
booming online criminal activity, but also the tions,’ claiming that “[a] digital investigation is
use of digital devices related to more traditional a process to answer questions about digital states
crimes. For example, Gogolin (2010) claims that and events,” while “[a] digital forensic investiga-

Digital Forensic Investigation and Cloud Computing

tion is a special case… where procedures and of examination. The depth of forensic examina-
techniques that are used will allow the results tions was not always considered, and each piece
to be entered into the court of law.” Under this of suspect storage media normally received a fully
definition, when an investigator is conducting a in-depth analysis. Since the capacity of common
digital forensic investigation, the focus is on ensur- data storage media has, and still is, growing
ing that the overall investigation process is able rapidly—combined with a growing number of
to produce evidence that is admissible in court. cases involving digital storage devices—some
While this is a requirement for law enforcement, investigators are finding it impractical to conduct
non-LE entities do not always consider the admis- in-depth analysis on each piece of media. “[F]ew
sibility of evidence when beginning an internal [Digital Forensic Laboratories] can still afford to
investigation. This may lead to administrators create a forensic duplicate of every piece of media
or technicians unknowingly overwriting data of and perform an in-depth forensic examination of
evidential value that may later be unusable by all data on those media… It makes little sense to
law enforcement once it was found that the case wait for the review of each piece of media if only
needed to be escalated to a criminal investigation. a handful of them will provide data of evidentiary
It is for this reason that all digital investigators significance” (Casey, et al., 2009). This philoso-
should be competent, and able to consider how phy has led to the growing acceptance of digital
their actions could affect future legal recourse forensic triage (Rogers, et al., 2006; Koopmans,
(ACPO, 2008). “[A]ny case involving computer 2010; Mislan, et al., 2010), as well as the concept
forensics should always be treated as though it of a preliminary analysis; both of which will be
were going to court, and that any documentation discussed further.
and evidence will eventually be turned over to a Casey, Ferraro et al. (2009) described a three-
prosecuting attorney” (Shinder and Cross 2008). tiered model of forensic examination to enable
Digital forensic investigations are comprised of the “tailoring [of] forensic examination[s] of
many different sub-fields. The general sub-fields digital evidence to the type of crime or case un-
include computer forensics, network forensics and der investigation.” This model includes a survey/
cellular phone, or mobile device, forensics: each triage forensic inspection, a preliminary forensic
of which is comprised of more specific forensic examination, and finally an in-depth forensic
studies, e.g. file system, memory, and software examination. Many law enforcement agencies
analysis. Further, specific sub-fields are forming are currently considering, and even implement-
with the advancement of technology, such as ing this model (Goss, 2010). Though, corporate
critical infrastructure investigations (Purdy, 2010) and contract-sector digital forensic analysts are
and Cloud forensics (Ruan, et al., 2011). While currently more likely than law enforcement to use
the technical aspects of an investigation may be triage and preliminary analysis techniques (James
specific to the suspect device, the examination & Gladyshev, 2010).
and investigation process models can be generi-
cally applied. Triage Forensic Inspection
Koopmans (2010) proposed a definition of digital
Digital Forensic Investigation Phases forensic triage that is derived from the definition
of triage in the medical context:
When considering digital forensic process mod-
els, there are essentially two layers of abstraction A process for sorting injured people into groups
that are discussed: the depth of digital forensic based on their need for or likely benefit from
examination, and the process phases of each type

Digital Forensic Investigation and Cloud Computing

immediate medical treatment. Triage is used in Koopmans’ definition, triage is not designed to
hospital emergency rooms, on battlefields, and normally remove media from needing further
at disaster sites when limited medical resources examination, and only allows for a shallow, fo-
must be allocated. cused view of found evidence—aka low hanging
fruit—that helps in the prioritization of all the ex-
Koopmans then applies the medical definition hibits. However, some organizations, such as ADF
to computer forensics, resulting in computer triage Solutions (2011), claim that “triage can identify
being defined as: “A process of sorting computer and eliminate negative computers with the same
systems into groups, based on the amount of degree of confidence as can full forensic examina-
relevant information or evidence found on these tions.” Differences in definition have caused some
computer systems.” Casey et al. (2009) defines confusion within the digital forensic community.
triage as a “[t]argeted review of all available media This claim, however, is very different technically
to determine which items contain the most use- and philosophically from triage as previously
ful evidence and require additional processing.” defined, and should instead be considered as a
In Rogers et al. (2006), and later expanded by preliminary forensic examination.
Mislan et al. (2010), triage is a process, normally
performed on-scene, that is used to: Preliminary Forensic Examination
A more in-depth examination than triage, pre-
1. Assess the severity of a crime and prioritiz- liminary forensic examinations have “the goal of
ing it accordingly; quickly providing investigators with information
2. Assess the offender’s possible danger to that will aide them in conducting interviews and
society; developing leads” (Casey, et al., 2009). Depending
3. Obtain actionable intelligence in exigent on the results found during triage, the type of case,
circumstances (e. g., missing person, military and the policy of the department, a preliminary
operations, risk of evidence destruction); analysis might be deep enough to justify discon-
4. Identify the richest sources of digital evi- tinuing analysis on that particular media if nothing
dence pertaining to an investigation; was found. Because preliminary analysis is more
5. Identify victims that are or may be at acute in-depth than triage, it usually takes longer, and
risk; as such may or may not be conducted on-scene.
6. Identify potential charges related to the cur- Several tools with various preliminary analysis
rent situation; and workflows exist, such as SPEKTOR, ADF Triage-
7. Determine whether a certain item requires Examiner, and Cybercrime Technologies’ Rapid
deeper inspection, such as recovery of de- Evidence Acquisition Project. Most are designed
leted information or decoding of encrypted to be easy to use, and are highly automated. This
data. allows first responders with minimal training to
be able to conduct preliminary analysis. Again,
Generally, the key point with digital forensic depending on the organization’s policy, if suspect
triage is that triage can be used to identify the traces are found during a preliminary analysis, the
‘richest sources’ of digital evidence at the scene, media will continue to receive an in-depth analysis
allowing the detected media’s in-depth examina- with a focus on the already discovered traces. If
tion to be focused and expedited. Triage is an no suspect traces were found, then further analysis
extremely high-level examination, designed to may not be necessary.
be fast, not thorough. Under this philosophy, and

Digital Forensic Investigation and Cloud Computing

In-Depth Forensic Examination fied by the attendees as core processes [of digital
An in-depth forensic examination is usually analy- forensic investigations]” (Pollitt, 2007).
sis conducted with media that has been seized, and
is much more thorough than the previous tiers of National Institute of Justice
examination. Because of this, in-depth forensic The U.S. Department of Justice (DoJ) National
examination also takes a considerable amount of Institute of Justice (NIJ), created an electronic
time longer (Goss, 2010). This is also the most crime scene investigation guide for law enforce-
manual level of analysis; however, some tasks can ment in 2001. In this work, a four-phase process
be automated. Casey et al. (2009) defines an in- model was proposed. This model, however, was
depth forensic examination as a “[c]omprehensive later expanded in the second edition of the guide
forensic examination of items that require more (NIJ, 2008). The overall model consists of prepa-
extensive investigation to gain a more complete ration, preservation, documentation, collection,
understanding of the offense and address specific examination, analysis, and reporting.
questions.” This can be considered the standard
depth of analysis. The type of case and the used • Preparation: Knowledge about the types
digital forensic investigation process model dic- of devices commonly encountered, poten-
tates if the previous two tiers of examination will tial evidence sources, investigative tools,
be used, but there will rarely, if ever, be a case and equipment for collection, packaging
where an in-depth analysis is not necessary to and transportation of electronic evidence.
answer questions about suspect media. • Preservation: Securing and evaluating the
crime scene; ensuring the safety of persons
Digital Forensic Investigation Process and protecting the integrity of all evidence.
Models • Documentation: Documentation of the
scene, and electronic evidence.
“[T]he reality is that there is no single process for • Collection: “The search for, recognition of,
digital forensics” (Carrier, 2008). Various process [and] collection of… electronic evidence.”
models have been proposed, and commonly used • Examination: “Helps to make the evi-
models will be briefly discussed; however, as stated dence visible and explain its origin and
before, there is no one accepted standard, and the significance.”
majority of organizations are creating their own • Analysis: “Looks at the product of the ex-
SOP, which may or may not be based on an existing amination for its significance and probative
process model. For a comprehensive overview of value to the case.”
other proposed models, see Additional Reading. • Reporting: “A written report that outlines
the examination process and the pertinent
Digital Forensic Research Workshop 2001 data recovered completes an examination.”
In 2001 the Digital Forensic Research Workshop
identified an investigative process for Digital National Institute of Standards and
Forensic Science (Palmer, 2001). This process Technology
included identification, preservation, collection, The National Institute of Standards and Technol-
examination, analysis, presentation, and decision ogy (NIST) proposed a four-phase model in the
phases (see Figure 1). In Figure 1, the items in special publication 800-86 (Kent, et al., 2006). This
gray were the most agreed upon, and “were identi- model includes collection, examination, analysis
and reporting phases (see Figure 2).

Digital Forensic Investigation and Cloud Computing

Figure 1. Digital forensic research workshop 2001 diagram of the digital investigation process where
the gray area is the area of focus for the workgroup

Figure 2. National institute of standards and technology, four-phase digital investigation model proposed
in SP 800-86 (Kent, et al., 2006)

In this model each phase is defined as such: • Reporting: “Preparing and presenting the
information resulting from the analysis
• Collection: “Identify potential sources of phase”
data and acquire data from them”
• Examination: “Assessing and extracting Integrated Digital Investigation Process
the relevant pieces of information from the Carrier and Spafford (2003) proposed a investiga-
collected data” tion process model that considered the physical
• Analysis: “Study and analyze the data to investigation along with the digital investigation
draw conclusions from it”

Digital Forensic Investigation and Cloud Computing

Figure 3. Integrated digital investigation process phases (Carrier & Spafford, 2003)

Figure 4. Integrated digital investigation process breakdown of physical crime scene investigation phase
(Carrier & Spafford, 2003)

(see Figure 3). This model, named the Integrated ings in a way that is admissible in court. To ac-
Digital Investigation Process (IDIP), takes a complish this, preparation beforehand is necessary,
holistic approach to crime scene investigation, as is meticulous documentation throughout the
where the physical crime scene reconstruction entire process. A particular model may be better
(see Figure 4) effects, and is affected by, the suited to a certain organization, but generally each
digital crime scene reconstruction (see Figure 5) model will accomplish these main goals. One
to form a complete theory of happened events. issue is in the standardization and verification of
Unlike the previous models, the IDIP feeds back models used. Ensuring that the investigation and
between the physical and digital investigation examination processes are valid is a topic of
phases. However, the overall model can be de- concern that can only begin to be alleviated when
scribed as: Readiness, Deployment, Preservation, rigor is introduced into each phase of a digital
Survey, Documentation, Search, Reconstruction, forensic investigation.
Presentation, and Review.
All of the previously discussed process mod- Formal Methods
els have a common core. While each model has The concept of digital forensics as a science has
components that will continue to be debated, each been debated, and a call for formalizing digital
model generally attempts to secure suspect data, forensic investigations has been proposed by aca-
analyze the secured data, and report on the find- demics and practitioners alike (Stephenson, 2003;

Digital Forensic Investigation and Cloud Computing

Figure 5. Integrated digital investigation process breakdown of digital crime scene investigation phase
(Carrier & Spafford, 2003)

Gladyshev & Patel, 2004). “[T]he digital inves- in a system that is powered on, and is more prone
tigation process can be considered scientific if it to change. Persistent data is data available when
formulates and tests hypotheses that are scientific” the system has been shut down. It must be said
(Carrier, 2006). Various formal models have been that all data has a degree of volatility, or suscep-
proposed for digital investigation processes, such tibility to change, and the speed in which data is
as the computer history model (Carrier & Spafford, likely to change, ordered from fastest to slowest,
2006), finite state machine models (Gladyshev, is known as the Order of Volatility (OoV). Farmer
2004; James, et al., 2010), and others (Willas- and Venema (2005) give an example of a “rough
sen, 2008; Rekhis & Boudriga, 2010). Research guide” for the order of volatility for different
into the formalization of digital investigations is locations of data storage, assuming a live system
increasing, but these techniques are usually still (see Table 1).
too theoretical to be practically applied. Going Digital investigators must consider the impli-
forward, however, newly implemented digital cations of collecting each type of data, and be
investigation processes must be based on formal able to prioritize the data by the order of volatil-
methods in order to ensure validation and integrity ity. The order of volatility, and even availability
of the process, and to guarantee the field is backed of data, differs between a live system and an of-
by scientific, rather than improvised, methods. fline system.

Digital Evidence Post-Mortem Data Forensic Acquisition and

The Scientific Working Group on Digital Evidence Many digital investigators have been taught to
(SWGDE) define digital evidence as “[i]nforma- physically disconnect the power, or “pull the plug,”
tion of probative value that is stored or transmitted on a suspect computer that is powered on at a crime
in binary form” (SWGDE, 2009). There are two scene (NIJ, 2008). Disconnecting the power would
states of data that digital forensic investigators ensure that evidence would not be modified by
must work with: live (non-persistent) data and processes running on the suspect system. Pulling
post-mortem (persistent) data. Live data is data

Digital Forensic Investigation and Cloud Computing

Table 1. Approximation of the lifespan of data by

to make a copy of specific partitions on the disk,
order of volatility
known as a logical disk image.
Registers, peripheral memory, caches, etc. nanoseconds By hashing the suspect bit-level data on the
[Random Access Memory] nanoseconds
media before acquisition, the resulting hash value
Network state milliseconds
becomes the standard with which to compare to
ensure 1) the data on the suspect disk has not
Running processes seconds
changed through actions of the examiner, 2) the
Disk minutes
created forensic image is an exact copy of the
Floppies, backup media, etc. years
original suspect media, and 3) the suspect data
CD-ROMs, printouts, etc. tens of years
can be verified by a third-party. Hashing static
data at the time of acquisition allows investigators
throughout the chain of custody to verify that any
the plug became standard practice until relatively
previous, or current, processes have not altered
recently when investigators, and the legal system
the data they are working with. Persistent data
in general, started considering volatile data, such
may be verified by utilizing the fact that the data
as data in Random Access Memory, that was
should not change over time. Because of this, a
being lost. Once the power had been removed, a
hash of the data can be compared with the original,
digital investigator was able to copy the persistent
even years later. In the case of a post-mortem data
data, such as data written to the hard drive before
analysis, the hard drive of a suspect computer can
powering down. Because persistent data is static,
be removed and hashed, and a forensic disk image,
it is relatively easy to verify that the data has not
or exact copy of the data, could be created. The
changed over time. Verification of static data for
disk image could then be hashed. If both hash
digital forensic investigation purposes is normally
values are exactly the same, then the data on the
done using a cryptographic hash.
hard drive, and within the disk image, can be said
“A hash function (H) is a transformation that
to be the same. Hashing and imaging is normally
takes an input m and returns a fixed-size string,
done after powering down the suspect computer.
which is called the hash value h (that is, h = H(m))”
The hashing process is not instantaneous, and
(Public-Key Cryptography Standards, 2009). Hash
shutting down ensures that no data changes while
values are used in digital forensic investigations
hashing process is taking place. In many situations,
to verify the integrity of data. Hash value in the
however, powering down a critical server may not
context of digital forensics are defined as “numeri-
be feasible, or data that is relevant to the case may
cal values, generated by hashing functions, used
not be persistent. In these cases, live data forensics
to substantiate the integrity of digital evidence…”
may be the only alternative.
(SWGDE, 2009).
Once a suspect’s device is shut down, an ex-
Live Data Forensic Acquisition and Verification
aminer can make a bit-by-bit copy of the storage
media, known as a ‘forensic image’ (Shipley & Live data forensics has been proposed to “provide
Door, 2012). A common way to acquire the sus- additional information that is not available in a
pect’s storage media is by removing the suspect disk-only forensic analysis” (Adelstein, 2006).
hard drive, and attaching it to a workstation using Live data forensics is conducted on a running
a hardware or software write-blocker to ensure no suspect system, and is used to collect volatile
data can be written. Once connected, many tools data—such as the contents of RAM—that may
exist to make a bit-by-bit copy of either the whole contain encryption keys, chat fragments, active
physical disk, known as a physical disk image, or network connections, active processes, cache, etc.

Digital Forensic Investigation and Cloud Computing

Live forensic imaging of a suspect drive may pect’s operating system must be used to access the
also be done on critical systems that cannot be needed data4. When retrieving information from
shut down. There are a number of benefits and RAM, for example, a program must be loaded into
drawbacks to live data forensics. Sometimes live the running memory, changing its contents. Even
data forensics is necessary because the system just inserting a USB key into a running suspect
may be critical to business continuity, shutting system will alter the system. However, Principle
down may create legal liability for examiners, or 2 of the ACPO guideline states:
the system may have encrypted media that will
be inaccessible when dismounted (Bilby, 2006). In circumstances where a person finds it necessary
In these situations, live data forensics may be the to access original data held on a computer or on
best way to collect evidence, although not ideal. storage media, that person must be competent to
Several challenges with live data forensics must do so and be able to give evidence explaining the
be considered. relevance and the implications of their actions.
First, the suspect system is still running, and
data is likely to be changing as it is being collected. Principle 2 essentially allows the use of live
Because of this, it is impossible for a third party data forensics in extraordinary situations, as pre-
to verify that the data collected is correct. This is viously mentioned, as long as the investigator is
similar to previously discussed fingerprint extrac- both competent, and knows the full impact of his
tion methods. Acquiring a copy of the fingerprint or her actions.
alters the original, making it impossible to be Finally, live data forensics usually relies on
verified by a third party. In the case of digital the suspect system. Alternative methods of RAM
forensics, to acquire RAM (from the suspect acquisition, such as the so-called ‘cold boot at-
machine) a program must first be loaded into the tack’ (Halderman, et al., 2009) and FireWire
suspect RAM. Meaning that to collect the data, acquisition methods (Martin, 2007; Gladyshev
some data must be altered. Further, acquiring RAM & Almansoori, 2010) have been proposed, but
takes time, and during that time processes may be these methods also have associated risks. Carrier
starting or stopping and users may be connecting (2006) claims that the suspect system cannot be
and disconnecting from the suspect system. By trusted. Rootkits or other malware in the suspect
the time the entire contents of RAM have been system can provide various anti-forensic functions,
acquired, the state of the RAM has changed resulting in unreliable evidence (Bilby, 2006).
from when collection began. Hashing methods To minimize the reliance on the suspect system,
for verification of live data are only useful for Carrier suggests that analysis applications should
the data that has been collected and is no longer use their own file system code rather than relying
changing. Data that has been collected cannot be on the kernel and system calls, and to use trusted
verified after acquisition since the original data binaries on write-protected media; a technique
is constantly changing, and is no longer the same most live data forensic tools, such as Microsoft’s
as at the time of acquisition. In addition, there is Computer Online Forensic Evidence Extractor
a possibility of crashing the suspect system when (COFEE) (Mansfield-Devine, 2010; Microsoft,
attempting live data forensics, which has potential 2010) are using. These techniques do not com-
to disrupt, or even corrupt, critical business data. pletely remove the risk of malicious code on the
Second, when conducting live data forensics, suspect system affecting a forensic investigation,
the investigator will make changes to the system. but, assuming Principle 2 of the ACPO guideline
However, in order to collect volatile evidence, the has been met, they do reduce the risk to a level
suspect’s computer must remain on, and the sus- that tends to be accepted in court.

Digital Forensic Investigation and Cloud Computing

Regardless of the drawbacks, live data foren- can be completely, or even partially, provided by
sics is sometimes the only option for collecting any number of Cloud Service Providers (CSP).
evidence. Live forensic data has been accepted in Cloud computing encompasses each of these
court (Adelstein, 2006), and since computer sys- three service layers, which will be discussed fur-
tems are becoming increasingly more distributed, ther, but some layers are neglected when defini-
data center oriented, and services are becoming tions focus on particular technologies rather than
more ‘Cloud’ based, traditional post-mortem data cloud computing as a whole concept (Vaquero,
forensics becomes less of an option. et al., 2008). Armbrust et al. (2009) submit that
“cloud computing refers to both the applications
delivered as services over the Internet and the
CLOUD COMPUTING: SECURITY hardware and systems software in the datacen-
AND DIGITAL FORENSICS ters that provide those services.” NIST (Mell &
Grance, 2011) has proposed an arguably more
This section introduces cloud computing, related comprehensive definition for Cloud Computing
terminology, and service and deployment models. that is gaining in popularity:
Once fundamental knowledge of cloud comput-
ing is established, some key cloud computing Cloud computing is a model for enabling ubiqui-
security challenges will examined, followed chal- tous, convenient, on-demand network access to a
lenges cloud computing brings to digital forensic shared pool of configurable computing researches
investigations. (e.g., networks, servers, storage, applications,
and services) that can be rapidly provisioned
What is the Cloud? and released with minimal management effort or
service provider interaction.
The concept of cloud computing, and the services
provided via the “Cloud,” has received increasing Further, NIST identifies five ‘essential charac-
interest from the public, private companies and teristics’ of cloud computing, these being on-de-
even government organizations (Paquette, et al., mand self-service, broad network access, resource
2010; Russell & Hammons, 2012), and as such are pooling, rapid elasticity, and measured service.
introducing more opportunities for cyber criminals When each of these essential characteristics are
and new challenges for law enforcement (Biggs & met, it allows for “the illusion of infinite computing
Vidalis, 2009). Many believe cloud computing is researches available on demand… [as well as] the
a computing paradigm shift, while others believe ability to pay for the use of computing resources
that cloud is a collection of old technologies with a on a short-term basis as needed” (Armbrust, et al.,
new name for marketing purposes (Johnson, 2008; 2009). In other words, computing resources can
Armbrust, et al., 2009; Ellison, 2009). An obscure be sold to customers as a utility, much like water
understanding of both the underlying technologies or electricity, where the customer is able to use
and new business model opportunities—and where as much as they want, when they want, and only
each begin and end—has lead to some confusion pay for what they have used.
in the definition of cloud computing. This confu- Armbrust, Fox et al. (2010) claim that when
sion in definition appears to come from the fact computing resources can be sold as a utility,
that cloud computing is primarily comprised of there are at least three use cases that “favor utility
three service layers5: infrastructure, platform, and computing over conventional hosting.” The first
application (Mell & Grance, 2011), each of which is when a company must build their data center
to be able to serve the peak load. At times when

Digital Forensic Investigation and Cloud Computing

load is less than peak, infrastructure is being Infrastructure as a Service

underutilized. They claim that “cloud computing The first of the three primary service layers is
lets an organization pay by the hour for comput- the infrastructure layer, which is comprised of
ing resources, potentially leading to cost savings computing hardware, and a software abstraction
even if the hourly rate to rent a machine from a layer. Computing hardware in the Cloud is rela-
cloud provider is higher than the rate to own one.” tively unchanged from pre-cloud infrastructures;
The second case is when a customer does not datacenters, for example, still largely use the same
yet know the demand for their services. Since com- hardware. Some companies are attempting to
puting resources in the Cloud can be provisioned market their hardware as specifically ‘for cloud’
as needed, as a user base rises or falls, so too can (Duffy, 2009; Myslewski, 2009), which focus on
the amount of computing resources provisioned faster delivery, convergence or multi-processing,
by the customer be added and removed. Rapid but these technologies may also be useful for non-
provisioning allows a customer to be more flexible cloud infrastructures.
in situations where load may be highly variable Still in the infrastructure layer, but on top of the
or rapidly increase as popularity grows. hardware, is a software layer, termed hypervisor.
The third case is for batch processing needs. “[The hypervisor] provides an abstraction layer
Since the cost of processing using one machine for that allows each physical server to run one or more
1,000 hours, and 1,000 machines for one hour is ‘virtual servers,’ effectively decoupling the operat-
the same, companies who require batch processing ing system and its applications from the underlying
can potentially save time on their processing needs. physical server” (Xen, 2011). For cloud services,
Choo (2010) expands on these points, consid- at this layer is also a management stack that allows
ering the benefit of “avoid[ing] the expense and resource pooling. Many separate servers can then
time-consuming task of installing and maintaining be added to the resource pool, creating the illusion
hardware infrastructure and software applica- of an infinite amount of resources. This concept is
tions,” claiming that hardware investments and quite similar to distributed, or grid, computing6.
administrative costs may be reduced when utilizing The difference is in resource allocation for a task.
cloud infrastructure. With cloud computing the customer is allocated
Although cloud computing may provide a “a small fraction of the total cloud resource pool”
number of benefits, it is not without potential (Eucalyptus, 2010), allowing multiple customers
drawbacks. Risks in terms of security and inves- to use separate fractions of resources from the
tigation will be discussed in later sections, but pool at the same time. In traditional distributed
many potential risks, to both the CSP and the systems, a customer’s task will attempt to utilize
cloud customer, are dependent on the service and most, if not all, of the resource pool until their
deployment models utilized. task is complete. This means other customers
must wait in a queue until tasks before them are
Cloud Computing: Service Models complete (McGuigan, 2011).
With cloud computing, a company effectively
Cloud computing is primarily comprised of three has a large pool of processing and storage of which
service layers (Mell & Grance, 2011). These three a small portion of the whole can be rented to cus-
layers are also essentially business models, or the tomers when needed, usually on a pay-per-usage
level at which cloud services are normally sold scheme. This is referred to as Infrastructure as a
by a Cloud Service Provider. Service (IaaS). To create the illusion of infinite
resources IaaS requires a considerable investment

Digital Forensic Investigation and Cloud Computing

in hardware, and has high associated running Software as a Service

costs. Hobson (2010) claims that “Cloud Service The third of the three primary layers is the software
Providers like Amazon, Google and Microsoft layer. At the software later, a provider’s applica-
are driving the push, because they have excess tions are provided to the customer. This is known
capability to spare.” As described previously, an as Software as a Service (SaaS). As the top tier,
attractive feature of IaaS to many companies is a the software layer relies on both the platform and
possible operating cost reduction by letting an IaaS infrastructure layers for both hosting, and to al-
provider handle the hardware and maintenance, locate more or less resources for the application
rather than buying and maintaining more hardware based on the application’s needs. The customer,
than they need, or running the risk of having too however, normally has no control over the plat-
few resources during a spike in customer activity. form and infrastructure layers that the application
is running on. Google Docs and Apple’s iCloud
Platform as a Service are examples of software as a service (Wang,
The second of the three primary service layers is et al., 2011). The applications are hosted by a
the platform layer. The platform layer relies on the provider, and are delivered to a client through a
previously mentioned infrastructure layer, and has gateway. The client, in the case of Google Docs,
the goal of providing a Web-accessible platform for example, does not install any applications lo-
for customers. The customer, however, normally cally, and can save user data either locally or to
has no control over the infrastructure layer that available storage provided by the infrastructure
the platform is built upon. “This cloud comput- and application layers.
ing model provides a platform for developers to
code, test and experiment [with] new software Other Service Models
without the complexity of setting up and main- Other service models exist which are built on top
taining test, development and production servers” of some, or all, of the three previously mentioned
(Brennels, 2010), and is known as Platform as a primary layers. One such example is Recovery as
Service (PaaS). a Service (RaaS), which is essentially a backup of
The platform provided is usually either a base servers and data to a cloud that can be made live
operating system or a full software stack7 used in case of failure or emergency. Gartner (Pettey,
to deliver a solution. Whatever the platform, 2011) defines RaaS as “the managed replication
the reason for it is generally storage, applica- of virtual machines and production data in a
tion development, and hosting, especially for service-provider’s cloud, together with the means
providing services to many concurrent users. to activate the VMs to support either recovery
Some platform services, for example, are Google testing or actual recovery operations.” Failing
Apps, Microsoft’s Azure, and Amazon’s EC2. over to backed-up systems that can immediately
By utilizing the flexibility of the resource pool be made live in the Cloud has a potential benefit
at the infrastructure level, the provided platform of being faster than receiving and recovering from
can quickly be allocated more or less resources, tape backups, with possibly less data loss in the
or multiple platforms—sometimes referred to as process (Brennels, 2010).
instances—can be created and configured, allow- Another proposed model is Security as a Ser-
ing the “increase or decrease [of] capacity within vice (SecaaS). The Cloud Security Alliance (2011)
minutes, not hours or days” (Amazon, 2011). define Security as a Service as “the provision of
security applications and services via the Cloud
either to cloud-based infrastructure and software

Digital Forensic Investigation and Cloud Computing

or from the Cloud to the customers’ on-premise exclusive use by a single organization….” This
systems.” In the same way cloud computing po- allows the organization to utilize some of the
tentially reduces computing costs for companies, benefits of cloud computing, such as resource
SecaaS may “… enable enterprises to make use pooling, hardware abstraction, robustness and fast
of security services in new ways, or in ways that instance deployment and configuration, while still
would not be cost effective if provisioned locally.” keeping both physical and policy level control of
A final example is Forensics as a Service all hardware, software and services. The resources
(FaaS). When conducting digital forensic investi- in a private cloud are utilized only for the single
gations, large amounts of data must be processed. organization, referred to as ‘single tenant’ envi-
Efforts have begun to utilize the resources cloud ronment. Operating a private cloud, however, still
computing provides, and apply them to digital requires an investment in infrastructure and knowl-
forensic processing needs (Didone & de Queirozb, edge. Because of this, over or under provisioning
2011; Carrier, 2012). The majority of work thus of resources is still possible, and costs associated
far has focused on utilizing processing capabili- with infrastructure, running and maintenance may
ties, normally for law enforcement or consulting still be a burden on the organization. Since this
companies. But just like other described service model is single tenant the costs are not distributed,
models, cloud-based forensic services as software, making it the most expensive model.
or even a platform, could potentially be provided
to users cloud-based infrastructure or on-premise Public Cloud
systems. Potentially reducing the time from inci- Public clouds are cloud services offered to the
dent detection to forensic investigation. public via a CSP. Unlike a private cloud, the
These are only a few examples in a trend to- organization running the cloud service does so
wards what Hewlett-Packard (2011) describes as to offer cloud resources to external customers.
“Everything as a Service” (XaaS). Multiple customers then lease resources from a
shared resource pool, referred to as a ‘multi-tenant’
Cloud Computing: Deployment Models environment. The CSP then takes on the burden of
installing, running, and maintaining the provided
Organizations have a wide range of needs, and are infrastructure. Since the infrastructure/platform/
looking to cloud computing to reduce operating software security concerns are managed by the
costs. An organization, however, may not feel dedicated CSP, some organizations may benefit
comfortable entrusting their entire infrastructure, from better security practices than they would be
hosting and storage needs to an off-site, uncon- able to create and implement in-house. Since this
trollable CSP. Likewise, some organizations, such model is multi-tenant, the costs are distributed
as government entities, may have higher security over a large number of customers, making it the
standards and requirements than average cloud least expensive model. With this model, cloud
customers. Three primary deployment models customers may trust the CSP for hosting, storage
are commonly used to meet the almost endless and general access to the customer’s data—all of
combination of needs from organizations that still which could be revoked or removed by the CSP,
want to receive the benefits of cloud computing. e.g. if the customer stopped paying, or the CSP
went out of business (Kravets, 2012). CSPs offer
Private Cloud comprehensive Service Level Agreements (SLA)
NIST (Mell & Grance, 2011) defines a private to define what they are and are not responsible
cloud as “infrastructure [that] is provisioned for for. While the customer may have some control

Digital Forensic Investigation and Cloud Computing

over whether their data is stored nationally or This definition is also sometimes referred to
internationally, they do not generally have physi- as a combination cloud. Under this definition,
cal access to their host, and can lose a great deal two or more of the previously described deploy-
of policy-level control. Lower running costs and ment models are joined together, but still remain
increased ease of deployment, however, are at- unique entities. The benefit of this model is one
tractive for many organizations regardless of this of flexibility, and also potential cost savings. Two
loss of control. common methods are normally used to achieve
this goal, cloud bursting and cloud brokering.
Community Cloud “Cloud bursting combines existing cloud infra-
A community cloud is a deployment where mul- structure with remote resources from one or more
tiple organizations pool their resources to achieve public clouds to provide extra capacity to satisfy
a common goal. By pooling the resources for the peak demand periods” (Moreno-Vozmediano, et
community, costs are distributed between the al., 2012). For example, an organization that has
members, allowing for the benefits of a cloud its own private cloud may temporarily exceed its
while being less expensive than a private cloud. internal capacity. Instead of increasing investment
A community cloud works when each member in infrastructure for a temporary overutilization,
has similar task, policy, and security needs, but some services can be expanded to a public CSP. To
liability, internal security, and distribution of take advantage of cloud bursting, an organization
investment and maintenance costs are all chal- must first identify mission critical and non-critical
lenges with this deployment. For these reasons, data. The organization, then, could control what
this model may not be ideal for business critical data is hosted on the public cloud, ensuring that
hosting needs since a business may have less mission critical data never leaves their area of
physical or policy control of their data without physical or policy level control.
the assurance of an SLA. A cloud broker, according to Grivas et al.
(2010), has knowledge of existing cloud service
Hybrid Cloud offerings from multiple CSPs, and the relation
between business processes and the cloud services.
For this work, the hybrid cloud deployment model A cloud customer is able to request a business
will not be considered one of the primary models; process change, and the broker discovers and binds
however, it is a noteworthy, often used extension new services from one or more CSPs to provide
to the primary cloud deployment models. This the desired process changes for the customer.
model also has yet to see a widely accepted com- This allows customers to focus on their business
mon definition. The debated definition from NIST processes instead of devoting time and resources
(Mell & Grance, 2011) is: towards discovering, testing and comparing the
plethora of cloud service offerings. A cloud bro-
The [hybrid] cloud infrastructure is a composi- ker could potentially broker services for only one
tion of two or more clouds (private, community, CSP or cloud deployment, but normally brokerage
or public) that remain unique entities but are occurs across multiple CSPs (Bloomberg, 2011),
bound together by standardized or proprietary potentially resulting in a hybrid cloud deployment
technology that enables data and application for the customers.
portability (e.g., cloud bursting for load-balancing
between clouds).

Digital Forensic Investigation and Cloud Computing

Cloud Computing Security and systems being a secondary concern. This attitude
Investigation Challenges has been carried over from traditional computing,
which could possibly result in the same, or similar,
New concepts in cloud computing have created security challenges, such as those presented by the
new challenges for security teams and researchers Computer Research Association (2003) in the Four
alike (Vouk, 2008). Cloud computing service and Grand Challenges in Trustworthy Computing.
deployment models have a number of potential If both security and insecurity from traditional
benefits for businesses and customers, but security computing are inherited by cloud computing, both
and investigation challenges—some inherited may be augmented with the increased complexity
from ‘traditional’ computing, and some unique of the cloud model, the way that services are de-
to cloud computing—create uncertainty and po- livered, and on-demand extreme-scale computing.
tential for abuse as cloud technologies proliferate. Each cloud deployment and service model has its
This section looks at security challenges relating own considerations as far as security and liability
to cloud computing. Further, challenges cloud are concerned. For example, in a private, single-
computing poses to digital forensic investigation tenant cloud where all services may be hosted
will also be given. on-premise, the risks are similar to on-premise,
non-cloud hosting. The organization has end-to-
Cloud Computing and Security end control, can implement and target security
Challenges systems, and can control critical data flow and
storage policies. A challenge with this model
According to a survey from Ponemon Institute is that the organization must have the expertise
(2011), only 35% of IT respondents and 42% to be able to create, implement, and maintain a
of compliance respondents believe their orga- comprehensive security strategy for increasingly
nizations have adequate technologies to secure complex systems.
their IaaS environments. The report shows that Several works have previously examined some
respondents believe IaaS is less secure than their cloud security concerns (Armbrust, et al., 2009;
on-premise systems, however, “[m]ore than half Jansen, 2011; Balduzzi, et al., 2012; Kui, et al.,
(56 percent) of IT practitioners say that security 2012; Zissis & Lekkas, 2012). The majority of
concerns will not keep their organizations from these works can generally be classified as using a
adopting cloud services.” A drive towards cloud Confidentiality, Integrity, and Availability (CIA)
service offerings is reiterated by Gartner (2012), model, extended by introducing the concept of
who forecasts that spending on cloud computing ‘trust.’
at each service model layer will more than double
by 2016. At the same time Ernst and Young (2011) Confidentiality
found that there is a perceived increase in risk by In the CIA model, confidentiality is used to de-
adopting cloud and mobile technologies, and many scribe the limitation of access to data (or informa-
respondents believe that these risks are not cur- tion) to only authorized users. Cloud computing
rently being adequately dealt with. However, North introduces a number of confidentiality concerns.
Bridge (Skok, 2012) suggests that confidence Some reasons for this include multiple—possibly
in cloud computing is increasing, even though competing—customers utilizing the same hard-
maturity of the technologies remains a concern8. ware, the remote and dispersed nature of the cloud
An increased confidence in cloud computing service provider, possible layering of services from
and a drive to improve business processes while multiple CSPs, the legality of data disclosure to
reducing costs are leading to security of such

Digital Forensic Investigation and Cloud Computing

a third-party, and general access management, authentication, etc, by examining shell history;
among others. Gellman (2009) states that “[c] and in some cases they were also able to recover
loud computing has significant implications for deleted files, such as the aforementioned keys
the privacy of personal information as well as for and history logs.
the confidentiality of business and governmental Kui et al. (2012), Balduzzi et al. (2012), and
information,” claiming that a user’s privacy and Zissis and Lekkas (2012) all identify multi-tenancy
confidentiality risks vary significantly with the as a confidentiality risk with could computing.
terms of service and privacy policy established by Kui et al. claims, “side-channel attacks present
the cloud provider, and potentially along with the new risks to cloud users’ information in the mul-
jurisdiction in which the data is physically stored. titenant environment.” It has been shown that an
Messmer (2011) claims that access control in attacker can force a machine under their control
cloud environments is somewhat difficult, and to co-locate on the same hardware as a victim,
may not meet data protection regulations. Kui et allowing for the possibility of side-channel at-
al. (2012) identify access control in outsourced tacks9 (Ristenpart, et al., 2009). From this, stolen
cloud environments as ‘critical,’ defining secure cryptographic keys and passwords, and general
identity authentication as a challenge when data spying are possible. Likewise, Balduzzi et al. gave
is outsourced to a CSP. “[The] data users and an example of scanning other VM instances on the
cloud servers aren’t in the same trusted domain; network, and determining open ports and poten-
the server might no longer be fully trusted as an tially vulnerable services. Zissis and Lekkas, on
omniscient reference monitor for defining and the other hand, submit, “Data [persistence] may
enforcing access control policies and managing lead to the unwilling disclosure of private data,”
user details.” Kui et al. suggest that user authen- claiming that “a user may claim a large amount of
tication may be untrustworthy when outsourced disk space and then scavenge for sensitive data.”
due to server compromise beyond the customer’s While some confidentiality considerations can
domain of control, or potential insider attacks be reasonably remedied by choosing a reputable
from the CSP. CSP that provides an SLA that suits the organi-
Balduzzi et al. (2012) demonstrated that po- zation as well as “certifications of quality and
tential confidentiality risks exist for users who operational control” (Ingthorsson, 2010), other
create and distribute images for use in the Cloud, implications, such as legal requirements of the
claiming that, for example, “an attacker can gather CSP to produce details of customer activities to
SSH private keys [from a virtual machine image] to law enforcement may not be able to be avoided.
break into other machines, or use forgotten Ama- For example, in some cases in the United States,
zon Web Services (AWS) keys to start instances at the government may demand customer details
the image provider’s cost.” In their research they from Internet Service Providers unbeknownst to
were able to recover forgotten AWS and SSH keys the customer. “There have been thousands of such
that were immediately usable to start new instances requests lodged since the [the Patriot Act] was
at the key owner’s expense; last login information passed, and the F.B.I.’s own audits have shown
that could be used to collect usernames, target that there can be plenty of overreach…” (Zittrain,
machines, and potentially passwords; browser 2009). Legal, liability, and other jurisdiction issues
history, from which they found traces of a user’s are not necessarily new privacy considerations
company and personal email login information; brought on by the use of cloud computing, but
authentication credentials and potentially inter- the level of outsourcing, and the possibly global
esting commands to extract user and database dispersion of the CSP raises new concerns on the
login information, credit card information, VNC ease of information leakage.

Digital Forensic Investigation and Cloud Computing

Most of these privacy issues stem from the sophisticated insider attacks on [customer data].”
fact that an organization essentially loses control They cite authentication as an issue in cloud envi-
when their data is given to a third party. Cloud ronments “due to the increased number of entities
computing adds to this risk by introducing the and access points…” that could potentially lead
multi-tenant and service-layering aspects, which to a manipulation of software that can affect the
could possibly be abused. integrity of customer data.

Integrity Availability
Integrity in the CIA model normally refers to the Cloud computing resources are designed for high
trustworthiness of data or information. Jansen availability, however, Jansen (2011) submits that
(2011) claims that using cloud services, espe- cloud service providers “can and do experience
cially in multi-tenant environments, may increase outages and performance slowdowns.” Temporary
risk to the integrity of data, both in storage and outages have occurred with Amazon (Kosner,
processing. “Multi-tenancy in VM-based cloud 2012), Google (2012), and Microsoft (Parnell,
infrastructures, together with the subtleties in the 2012) cloud services, caused by software, hard-
way physical resources are shared between guest ware or external issues. In these cases, service
VMs, can give rise to new sources of threats.” was eventually restored, but each left customers
For example, malicious code may circumvent without access to services and data for a period
VM isolation methods, and interfere with the of time.
hypervisor or other guest VMs. IBM (2010) Jansen also claims, “It is possible for a service
claims that 35% of known vulnerabilities in server provider to experience serious problems, like
virtualization allow an attacker to escape from a bankruptcy or facility loss, which affect service for
guest virtual machine to either another guest or extended periods or cause a complete shutdown.”
the hypervisor itself. Cloud providers have gone out of business before,
Even without circumventing isolation methods being bought by other companies that may allow
within the CSPs infrastructure, Balduzzi et al. current users a short period of time to retrieve their
(2012) showed that traditional software vulner- data (Scheier, 2009), while in other cases mas-
abilities, such as non-updated software, may still sive, irrevocable data loss has occurred (Bright,
lead to malware infection that could result in 2008). Missing a payment could be as drastic,
questionable integrity of stored data and running and the only assurance of what will happen to a
services. customer’s is if the consequences are specified in
Another area that may have an impact on the an SLA with the CSP. However, an SLA may not
integrity of data is computation outsourcing. Kui always ensure data can be returned. For example,
et al. (2012) submit that “the Cloud’s operational Megaupload, a once popular file-sharing portal,
details aren’t transparent enough to users. Conse- had company assets seized by New Zealand
quently, various motivations can cause the Cloud authorities, denying customers service since the
to behave unfaithfully and return incorrect results.” seizure. Although the seizure and international
Hardware problems, software bugs, or outsider or sharing of seized data were deemed to be illegal
insider attacks could potentially compromise the by a New Zealand High Court (Chirgwin, 2012),
integrity of processed data. service has not resumed, and customers are being
Zissis and Lekkas (2012) focus instead on the denied access to legitimate data (Kravets, 2012).
social aspect of integrity, claiming “the cloud Armbrust et al. (2009) believe that for high-
model presents a number of threats including availability, there should be no single point of

Digital Forensic Investigation and Cloud Computing

failure. However, they claim, “the management of point in most work dealing with security in cloud
a Cloud Computing service by a single company computing is the concept of trust. In the traditional
is in fact a single point of failure,” again citing CIA model, critical data and services were normal-
hardware and software issues or CSPs going out ly under physical and policy control of the owner.
of business. Further, Jansen and Armbrust, Fox In this case—except for insider threats—trust is
et al. mention Distributed Denial of Service at- implicit. The owner had a considerable amount of
tacks (DDoS) that could potentially cripple cloud direct control over confidentiality, integrity, and
services, claiming that with enough computers, accessibility. If any of these areas were lacking,
even cloud services could become saturated. Since the owner could make infrastructure or policy
multiple cloud service layers are used, each layer changes to improve, and for these reasons, the
could be a potential point of attack to disrupt owner questioning their own level of trust was
service to the client. not explicitly stated. “In traditional architectures,
Jansen further claims that there is a ‘value trust was enforced by an efficient security policy,
concentration’ when data from multiple com- which addressed constraints on functions and flow
panies is hosted in the Cloud. This potentially among them, constraints on access by external
means that cloud services may be more enticing systems and adversaries including programs and
to hackers since one CSP is likely to host data for access to data by people” (Zissis & Lekkas, 2012).
multiple clients. If the hacker is able to penetrate Trust in the Cloud, however, is not implicit. Many
the CSP, they may then gain data from multiple articles have been written questioning if data in
companies without targeting each of the companies the Cloud is more secure than on-premise systems
individually. (Kaufman, 2009). This is because many companies
The CSP is not the only potential point of fail- do not so easily trust external groups, even well
ure. The client side that relies on cloud services known CSPs, to store and process critical data.
may also be targeted. For example, anti-virus For example, Ernst and Young (2011) found that
software is increasingly utilizing cloud computing “almost 90% of respondents believe that external
for analysis of code. The response to cloud-based certification would increase their trust in cloud
malicious code analysis was viruses that filter computing.”
client-side network traffic to prevent the anti-virus Jansen (2011) claims that cloud customers are
agent from communicating certain information to relinquishing direct control over many aspects of
the cloud service (Microsoft, 2011). Since client- security. This “confers an unprecedented level of
server communication is a requirement the access trust onto the service provider.” This trust assumes
cloud-based services, denial of service can be that the CSP—and every CSP that is providing a
achieved by attacking any point of communication. service supporting the CSP the cloud customer
The distributed nature of cloud computing is using—has proper controls and auditing in
can allow for high availability if deployed cor- place to mitigate threats such as insider access,
rectly. A major challenge, however, is not only and vulnerabilities that each used cloud service
the traditional challenges of availability of data, introduces.
but also the dependence on external third parties Zissis and Lekkas (2012) claim that in cloud
to be able to access critical data. computing the concept of perimeter security
becomes “fuzzy.” With traditional security, a
Trust perimeter of trust is created, and entities outside
Some of the challenges mentioned previously are of this perimeter are considered suspicious. In the
not unique to cloud computing, but a recurrent cloud model, critical data and business processes
are outside of the perimeter of trust. For this rea-

Digital Forensic Investigation and Cloud Computing

son, “the ability to clearly identify, authenticate, their capabilities and what amount of risk they
authorize, and monitor who or what is accessing are willing to take.
the assets of an organization is essential to pro-
tecting an information system from threats and Other Cloud Security Concerns
vulnerabilities.” Zissis and Lekkas also propose Beyond the previously mentioned challenges,
that organizations should consider hybrid ap- data and vendor lock-in is a concern with cloud
proaches, where critical systems, processes and services (Armbrust, et al., 2009; Kim, 2012). Data
data are isolated, and may be provided where and vendor lock-in can become a challenge when
the infrastructure is trusted, while non-critical Application-Programming Interfaces (API) are not
systems, process and data maybe hosted by less- standardized. If interfaces are not standardized, it
trusted CSPs. may become difficult for cloud customers to move
Cloud computing is sold as a utility, or pay- from one CSP to another, or even utilize multiple
per-use, service. Kui et al. (2012) identify that CSPs for data redundancy purposes.
“because users might have little or no visibility Armbrust et al. also identify ‘reputation fate
into the cloud infrastructure, they’re often unable sharing’ as a risk. They state that “reputations do
to directly connect their actual cloud resource not virtualize well,” claiming that one customer
consumption and the usage charges.” Without a can impact the reputation of the CSP and all
guarantee on resource consumption measurement, co-hosted users. For example, a spammer using
and the ability to verify and audit charges, charges the CSP’s IP range, may get those IP addresses
may be undisputable. For example, issues for which blacklisted (Kerbs, 2008). This could potentially
the customer should not be liable could cause disrupt service of legitimate cloud customers if
excessive charges against which the customer they are later assigned an IP address that has been
may not be able to dispute. Further, charges could blacklisted.
also potentially be falsified by the CSP. Without Ernst and Young (2011) claim that “a compa-
verifiable resource metering, a customer has no ny’s physical boundaries are disappearing as more
way to prove or disprove a claim. of its data is transmitted over the Internet.” Because
When services are hosted in a public, multi- of the distributed nature of cloud computing, the
tenant, cloud, for example, the customer trusts physical location of data and the jurisdiction in
the CSP for service. The customer is trusting which the data is located is a major concern that
that the CSP is able to competently create, imple- is seeing an increase in research (Ward & Sipior,
ment and maintain a security strategy, not just 2010; Hu, et al., 2012; Vaciago, 2012).
for external attacks, but also from other tenants The essence of the jurisdictional challenge
in the same cloud, and that their multi-tenant is that a CSP may have data centers in multiple
blanket approach to security will be adequate for countries, each with unique laws about how and
all customers. Likewise, the customer must trust what data can be imported, exported, stored,
the CSP itself to not misuse the customer’s data. and accessed. Depending on the CSP, and the
Security comparisons of cloud deployments, and underlying CSPs used to support the services, it
even between cloud and non-cloud infrastructures, may be difficult for a cloud customer to specify
is somewhat a moot point because “it is possible and audit the jurisdiction(s) in which they will
to deploy a private cloud in a way that is far less allow their data to be stored. A customer having
secure than the current batch of public clouds just adequate knowledge of each of the legal systems
as it is possible to deploy any infrastructure in an where their data may be stored is a challenge that
insecure way” (Wolski, 2010). Ultimately, it comes would require considerable resources for research
down to the organization’s realistic evaluation of

Digital Forensic Investigation and Cloud Computing

on the side of the cloud customer. A mistake could (Ponemon, 2011; Ruan, et al., 2012). If security
allow critical data to be stored in countries with tasks are not precisely assigned, a customer may
lax cybercrime and/or data privacy laws (Choo, be unwittingly vulnerable, and determination of
2010). Ruan et al. (2012) submit that service level liability when an incident occurs may be difficult.
agreements should define the level of control the For more security challenges in the Cloud see
cloud customer over the jurisdiction(s) in which Additional Reading.
customer data is allowed to reside, as well as al-
low the cloud customer or trusted third-party the Cloud Computing and Investigation
ability to audit such restrictions. An SLA with the Challenges
initial CSP must also include the ability to control
and audit data stored on underlying CSP services. Many of the technologies that make up cloud
Many of the previously discussed security services, such as virtualization, have existed since
considerations normally placed the cloud environ- before the utility computing business model was
ment as the target of an attack, however, cloud practical on a large scale. Because infrastructure,
services may also be used as the originator of platform, and software hosting technologies have
attacks (Choo, 2010). For example, a proof of existed for business and personal use for some
concept cloud-based DDoS infrastructure has time, techniques for digital investigation of inci-
been developed to conduct large-scale DDoS at- dents relating to these technologies may be well
tacks using cloud resources for less than a similar known. For example, forensic acquisition and
criminal botnet would cost (Bryan & Anderson, verification of hard drives is a common task in
2010; Lemos, 2010). digital forensic investigations. Many times the
Further, Roth (2011) demonstrated that the same acquisition methods for a physical disk may
large amount of compute available in the cloud also work for virtual disks associated with a virtual
environment may be used as an extremely fast, machine. Many of the digital forensic acquisi-
and relatively inexpensive means of cracking tion, verification, and analysis techniques may
passwords. Cloud computing allows the ability be able to be applied to cloud investigations, but
for a customer to design massively parallel and cloud does pose some new challenges for digital
GPU assisted environments, applying the cost and forensic investigators. The following are a few of
time benefits of cloud computing to brute force10 the many potential challenges cloud computing
password cracking. brings to digital investigation.
This work has described a number of security In traditional investigations, the suspect or
concerns for both CSPs and cloud customers. victim’s computers may normally be the main
However, even though these are concerns, Kui et source of information about an incident. For
al. (2012) identify that “designing security into example, in a child exploitation case, a suspect
cloud benefits users and CSPs, [and] inevitably may have stored illicit images on their local hard
increased overhead for both.” They submit that drive. By finding and analyzing the images, the
additional overhead (such as increased processing investigator may be able to determine that the im-
requirements) could increase the cost of the cloud ages were, in fact, illegal. Other information, such
services, which may conflict with the economic as the recently opened files list, may be used to
benefits that companies are hoping to realize by support that the suspect had knowledge of the im-
using these cloud services. ages. However, if the suspect is using cloud-based
Finally, within organizations and between storage, the images may not be stored locally. In
cloud customers and CSPs the ownership for se- this case, the investigator may be able to show that
curity in the Cloud is not always precisely defined the suspect had knowledge of the images, but not

Digital Forensic Investigation and Cloud Computing

whether the images were actually illegal. Saliba be liable for damages while the server is down.
(2012) claims that cloud services may reduce the Taking servers down in a cloud environment may
amount of direct evidence available on a suspect’s have an impact on many customers, creating more
disk, but sometimes provide more information liability. Further, data may be stored on virtual stor-
about the user and cloud service that would help age spanning multiple servers, or even geographic
in acquiring a subpoena or warrant. As more data locations, meaning that hard disk acquisition may
is stored in the Cloud, and services reduce the not be practical, or even produce the desired data.
client-side impact, fewer evidential traces may Liability and reconstruction of virtual storage in
be found. Instead, investigators will have to rely cloud environments from physical disk images
on more cooperation from CSPs that may not be remains a challenge.
in the same jurisdiction. Storage in the Cloud is attractive to users be-
When suspect data is stored in the Cloud the cause it is highly accessible and relatively cheap.
data may be in one jurisdiction while the suspect As previously mentioned, the amount of data on
machine connecting to the service may be in personal hard drives is becoming too large for most
another jurisdiction. This scenario is becoming a law enforcement agencies to acquire and store all
challenge for law enforcement in many countries, the data. Cloud services, however, are currently
especially with mobile cloud-attached devices. offering Gigabytes of space for free with the op-
In many countries, investigators may access data tion to pay for more storage. The amount of stored
stored remotely if given permission by the suspect data could quickly add up across multiple cloud
(verbal conformation, entering the password, etc.). service offerings, resulting again in too much data
However, there has been very little definition for law enforcement to process and store.
of what to do if data is stored on a non-national Since acquisition of a whole physical disk may
cloud service that is currently connected while the not be practical or possible, and the quantity of
investigator begins a live analysis of the suspect data may be too large to effectively process and
system. If the data is accessible, an investigator store, selective data acquisition may be required.
may save a considerable amount of time by ac- Selective data acquisition implies a preliminary
quiring the data from the connected service rather analysis, or some prior knowledge, to reduce the
than waiting for international requests. However, overall dataset an investigator is interested in. The
authority on this matter is not always clear. In the challenge with this method is an intrinsic chal-
author’s experience, a lack of definition on the lenge in digital forensic investigations; how do
scope of acquisition of data on non-national remote we know what we do not know? In other words,
connections sometimes depends on the country, even if all possible data could be acquired, how
and many times depends on the investigator’s do we know that no evidence has been missed? If
preliminary analysis of the remotely stored data this question cannot be easily answered when all
as well as the likelihood of receiving the data if data is available, how can an investigator justify
an international request was made. reducing the dataset, and potentially excluding
Investigators physically accessing the CSP may inculpatory and/or exculpatory evidence? Some
also be more difficult, and may be impossible if investigators are currently focusing on data sources
the data is distributed over several geographic that they believe are likely to provide the richest
locations (Taylor, et al., 2011). In traditional in- sources of information, but justifiable exclusion
vestigations, a computer or server may possibly be remains a challenge.
taken down, and its physical disks imaged. Taking Because of the distributed, multi-layered na-
down production servers is increasingly rare for ture of cloud computing, chain of custody for the
server environments since law enforcement may data may be impossible to verify (Barbara, 2009).

Digital Forensic Investigation and Cloud Computing

Without strict controls it may be impossible to Symposium on Cybercrime Response specifically

determine where exactly the data was stored, who discuss international law enforcement commu-
had access, and was leakage or contamination of nication and collaboration efforts. Such confer-
data possible. If data is stored in a cloud where ences allow law enforcement to create informal
multiple users and CSPs potentially have access, communication channels, and sometimes help in
association of the data to the suspect is a challenge the creation of bilateral agreements for coopera-
to establish beyond a reasonable doubt. tion, but these channels have their limits. Global
When an incident occurs on the side of the CSP, law enforcement communication channels, such
the CSP may be more concerned with restoring as INTERPOL’s I-24/7 network or the G8 24/7
service than with preserving evidence. Further, network, connect many countries, but are limited
the CSP may begin its own investigation into an by their structure and bureaucracy. Many officers
incident without taking proper precautions to have found the global networks to be somewhat
ensure the integrity of potential evidence. In more effective if the request was not overly urgent,
severe cases, CSPs may not report or cooperate however, these networks have failed to address
in investigation of incidents for fear of reputa- real-time requests for help from countries under
tional damage. The challenge in this case is with DDoS attack. Many times, law enforcement will
the competence and trustworthiness of the CSP. prefer faster, informal channels to begin an inter-
A CSP would be an effective, immediate first- national investigation, rather that traversing such
responder, but questions about the integrity and networks. However, multi-country operations,
chain of custody of the acquired evidence may such as “Operation Unmask” (Norton, 2012),
make admissibility difficult. To meet this chal- show the potential of these networks to assist in
lenge law enforcement should work with CSPs, large-scale coordination efforts. Overall, users,
and ensure proper documentation is being created businesses and even criminals are utilizing tech-
and forensically sound processes are being used. nologies, such as cloud computing, to be able to
Another challenge is with feature of rapid rapidly find and share (and exploit) new ideas.
elasticity in cloud environments. Data associated These groups are no longer considering physical
with newly created virtual machine instances may and political borders. Law enforcement, however,
only be available for a limited time. To this au- is currently restricted by a lack of effective global
thor’s knowledge, no research has been conducted communication channels, political issues, and
on determining available data associated with jurisdiction that make policing in a globally con-
removed VM instances. If a new VM instance is nected world even more of a challenge.
created and either compromised or used to attack,
evidential traces may be available in the VM. If
the VM instance is then de-allocated, investigators DIGITAL FORENSIC INVESTIGATION
currently do not know whether evidential traces AND CLOUD COMPUTING
or the entire VM instance cloud be recovered.
The final challenge in this non-comprehensive As more businesses and users adopt cloud comput-
list is the issue of international communication. ing, security challenges, such as those previously
As mentioned previously, cloud computing blurs discussed, will be increasingly targeted and ex-
physical, policy, and jurisdictional boundaries ploited. There are many technological and politi-
globally. However, law enforcement at a global cal challenges where investigation of potentially
level has yet to find effective, timely, and efficient criminal incidents in the Cloud are concerned.
international communication and cooperation Investigators, however, must still be able to acquire
channels. Conferences such as the International and analyze data in a methodical, rigorous, and

Digital Forensic Investigation and Cloud Computing

forensically sound manner. This section explores data sources before an incident occurs can greatly
the general application of a current digital foren- help in efficient incident response, and with the
sic investigation process model—specifically timely and sound acquisition of relevant data. For
the Integrated Digital Investigation Process—to this reason, this work recommends that CSPs and
cloud computing, and describes cloud investiga- law enforcement work together to model threats,
tion considerations at each phase of the model. their potential impact, and potential evidential
trace data sources before an incident occurs.
Readiness Phase This will assist the CSP in preserving potential
evidence during incident response, and will help
Carrier and Spafford (2003) state that “the goal of law enforcement have a better idea of what data
the readiness phases is to ensure that the opera- will be available, and how to handle such data, if
tions and infrastructure are able to fully support a particular incident occurs.
an investigation.” The operations readiness phase To help in the identification of threats, their
involves the on-going training of personnel, such impact on a system, and their potential evidential
as first responders and lab technicians, and the traces, this work proposes an extension to the
procurement and testing of equipment needed for Spoofing, Tampering, Repudiation, Information
the investigation. Disclosure, Denial of Service, and Elevation of
Operation readiness should include education Privilege (STRIDE) model (Swiderski & Snyder,
in cloud-related technologies, such as hypervisors, 2004). The STRIDE model is used to help under-
virtual machines, and cloud-based storage. Per- stand the result of a specific threat being exploited
sonnel should have general knowledge of how to in a system, and has previously been applied to
interact with cloud technologies at the infrastruc- probabilistic risk assessment in cloud environ-
ture, platform, and software layers, and understand ments (Saripalli & Walters, 2010). In this work,
the effect their actions have on the environment. we propose to extend the STRIDE model beyond
They should understand the methods and tools risk assessment and potential exploitation results,
available to collect investigation-relevant data in to add the identification of possible investigation-
each layer of the Cloud. Different CSPs may have relevant traces produced by the exploitation. We
proprietary systems, so training on the use and term this the ‘Investigation STRIDE model,’ or
investigation of these proprietary systems should I-STRIDE.
be considered, if possible. Finally, personnel As shown in Figure 6, the I-STRIDE process
should have the hardware and software necessary is conducted by first deconstructing a service into
to acquire relevant data from the Cloud. its dependent components. A risk assessment is
Infrastructure readiness is an on-going pro- conducted per component, and risk mitigation
cess to ensure that investigation-relevant data is techniques are derived. This work proposes that
available when an incident occurs. Infrastructure each risk identified by I-STRIDE, has associated
readiness is a responsibility of the CSP, the level investigation-relevant data sources. When a threat
of which may be defined in the SLA between the to a component has been identified, an investigator
CSP and the cloud customer. Because of the differ- may determine what data is likely to be effected
ent in operations between CSPs, and the differing by the threat. From this subset of effected data,
level of logging and data retention requested by specific data sources that may be of evidential
cloud customers, law enforcement may have dif- value can be identified. These potential evidential
ficulty considering the type and amount of data data sources may then be used for pre-investigation
that may be available. planning and data targeting purposes.
The training of personnel, identification of
potential risks, and identification of potential

Digital Forensic Investigation and Cloud Computing

Application of I-STRIDE to a Deployed • Node Controller (NC): Executed on every

Cloud Architecture node that is designated for hosting and al-
lows management of VM instances.
To show the applicability of the I-STRIDE model • Walrus: Allows the storage and manage-
to cloud environments, assessment of a small ment of persistent data.
cloud computing infrastructure based on the Open
Source distribution of Eucalyptus (2011) will be Figure 7 shows the Eucalyptus components and
given as an example. The components of this their connection and communication channels.
platform will be explained, and an analysis using The scope of this case will be limited to asset-
the I-STRIDE model will be conducted against centric11 threat modeling. The assets in this case
this deployment. are will be defined as each of the Eucalyptus
The Eucalyptus architecture is composed of components, and will also include a cloud client.
five high-level components that are essentially In this experiment, threats (see Table 2) were
standalone Web services (Eucalyptus, 2010). identified and exploited in the deployed Eucalyp-
These components include: tus architecture. An analysis of which assets were
affected and how, was conducted. After, an inves-
• Cloud Controller (CLC): The cloud con- tigation was conducted to determine potential
troller is the main entry point for the cloud evidential data sources. Identified threats, their
environment. CLC is responsible for “ex- description, the affected asset, the impact on the
posing and managing the underlying virtu- asset, and the location of potential evidential data
alized resources.” sources are listed in Table 2.
• Cluster Component (CC): CC is respon- Using the I-STRIDE model could help CSPs
sible for managing the execution of VM and law enforcement identify an investigation
instances. starting point if a specific incident occurred. This
• Storage Controller (SC): Provides block- level of readiness would potentially allow for
level network storage that can be dynami- improved pre-planning, first response and coop-
cally attached by VMs instances. eration once an incident occurred.

Figure 6. The I-STRIDE process model for risk assessment, mitigation, and investigation

Digital Forensic Investigation and Cloud Computing

Figure 7. Deployed eucalyptus architecture

Deployment Phase CSP may already have authorization from the CSP
to investigate, where a law enforcement officer
The deployment phase of the IDIP is split into would need authorization to begin the case, and
detection and notification and confirmation and may need to procure warrants. Similarly, if the
authorization phases. In the detection and noti- owner of the system in which the incident took
fication phase, an incident is detected, and the place gives consent for the investigation, that may
appropriate people are notified. In the case of be all the authorization that is necessary, but if
cloud, detection and notification may come from consent is not given, then other legal approval
the CSP, cloud customer or a third party. may be required.
Once an investigator has been notified of
an incident, they may then need to confirm the Physical Crime Scene
incident, and must get authorization to conduct Investigation Phase
an investigation. Authorization depends on the
investigator’s affiliation, and where the incident The IDIP includes a physical crime scene inves-
took place. For example, an investigator for the tigation phase. The purpose of the physical crime

Digital Forensic Investigation and Cloud Computing

Table 2. Threats, impact, and potential evidential data sources identified for a cloud environment using
the I-STRIDE model

Threat Description Asset Threat Impact Potential Evidential

XML Denial of Attacker crafts XML message Cloud Controller Denial of Service XML parser logs at the
Service with a large payload, Cloud Client cloud controller
recursive content or with
malicious DTD schema.
Information Web service fault messages Cloud Controller Privacy Compromised Web Services
Leakage contain information that Cluster Controller (CSP/Customer) Definition Language
attacker could use to Node Controller (WSDL) configuration file
compromise cloud privacy Cloud Client may contain traces of the
leaked information
Replay Attack Attacker could issue Cloud Controller Denial of Service SOAP message timestamp
Flaws recurrence overloaded Simple Cloud Client and message payload to
Object Access Protocol identify the message flaws
(SOAP) messages over HTTP
to overwhelm the CSP and
stop the service
WSDL Parameter Attacker could embed Cloud Controller Denial of Service Detailed investigation of
Tampering command line code into Cluster Controller WSDL file could identify
WSDL documents or Node Controller parameter tampering
command shell to execute the Cloud Client
WSDL Scanning Attacker could use Cloud Controller Privacy Compromised Detailed investigation of
information in the WSDL file Cluster Controller (Customer) WSDL file could identify
to guess the business rules Node Controller the compromised business
and method, e.g. stock rules and method
quoting and trading services
Schema Poisoning Attacker could compromise Cloud Controller Denial of Service Detailed investigation of
the XML schema grammar Cloud Client XML parser logs at the
and manipulate the data cloud controller may contain
evidence of XML schema
Cross Site
Attacker injects malicious Cloud Client Privacy Compromised None
Scripting (XSS) client-side code into Web (Customer)

scene investigation is to extract physical evidence, both at the suspect and victim’s side, and possibly
and reconstruct the physical scene. Information in different countries or jurisdictions.
from the physical crime scene investigation may The physical crime scene investigation phase is
later feed into, and provide context for, the digital comprised of sub-phases including preservation,
crime scene. survey, documentation, search and collection, and
When considering cloud computing, identifica- reconstruction. These will be discussed further in
tion of where the relevant physical crime scene the context of the digital crime scene investigation.
may be is a challenge. For example, if a hacker However, “the search and collection phase of the
remotely accesses a cloud service to exploit an- physical crime scene is where the digital crime
other remote user, the physical crime scene may scene investigation begins” (Carrier & Spafford,
or may not be at the CSPs data center, depending 2003). The search and collection phase is used to
on the exploit. The crime scene instead may be collect evidence and provide more information
that may be relevant.

Digital Forensic Investigation and Cloud Computing

Digital Crime Scene The IDIP then proposes a documentation

Investigation Phase phase to document all digital evidence when it
is found. Thorough documentation, however,
From the physical crime scene search and col- should be conducted in parallel with all other
lection phase begins the digital crime scene phases in the IDIP. Thorough documentation
investigation. Similar to the physical crime scene can later be referred to if any part of the process
potentially being spread out among multiple physi- is questioned. The documentation phase also in-
cal locations, so too may the digital crime scene. cludes data verification tasks, such as verifying
For example, evidence may be on both the CSPs the hash of acquired data. In the cases where live
infrastructure as well as the victim’s computer. data forensics in necessary, some acquired data
The first sub-phase on the digital scene inves- may not be able to later be verified. In these cases,
tigation is preservation of the scene. If the crime precise documentation acts as verification for the
scene can be identified, for example, where an investigator’s actions.
incident occurred and evidential traces are likely to Next is the search and collection phase. This
be found, then the scene must be preserved. If the phase is a thorough analysis of data and infor-
crime scene is a victim’s computer, preservation mation acquired in the survey phase. If the data
may be as simple as removing the computer from has been acquired in the survey phase, then data
the network, or creating a forensic disk image. If, analysis should be similar irrespective of whether
however, the crime scene is ‘at’ a cloud service, the data sources were acquired from a cloud en-
preservation becomes a challenge since many users vironment or not. Some cloud-related challenges,
may be accessing the service, potentially changing however, might be in the analysis of unknown or
the scene. With a cloud service, and investigator proprietary data structures. This challenge is not
should consider the best way to preserve the cur- unique to data acquired from cloud environments,
rent state of the service, while having a minimal but since cloud software that creates proprietary
impact on the system. data structures would only be hosted in the Cloud,
Once preservation has taken place, as well as reverse engineering the data structure may be
possible, a survey and acquisition of potential evi- more difficult.
dential sources takes place. Again, if the scene is Once relevant data has been extracted, then the
a suspect or victim computer, traditional imaging crime scene is reconstructed. “[The reconstruc-
and post-mortem triage and acquisition may be tion phase] uses the scientific method to test and
possible. Taking a cloud service offline, however, reject theories based on the digital evidence”
may not be possible. In the case where the scene (Carrier & Spafford, 2003). The reconstruction
must remain ‘live,’ live data forensics is neces- phase is where an investigator determines what the
sary. The survey phase attempts to extract obvious observed data means in relation to the investiga-
pieces of digital evidence that will potentially tion. This is also the phase where an investigator
give the investigator an idea about the suspect and attempts to determine if there is sufficient evidence
crime. At this stage, the I-STRIDE model could to support the theory, or whether more evidence
be used to assist in conducting a targeted survey would be necessary.
of the system. Once potential evidential sources Based on the results from the reconstruction
have been identified, they are then forensically phase, survey and acquisition of the digital crime
acquired. Depending on legal and technological scene may again be required to collect data deter-
restrictions, a computer’s full physical disk may be mined by the analysis to potentially be relevant.
acquired, or a targeted acquisition may be required. Otherwise, the digital crime scene theory is fed
back into the physical crime scene investigation

Digital Forensic Investigation and Cloud Computing

model, where more physical evidence may need and during the investigation of incidents in cloud
to be acquired and analyzed, potentially starting environments.
another digital crime scene investigation. Much more research is necessary concerning
digital forensic investigations in cloud environ-
Review Phase ments, but beyond technical challenges cloud
computing is already testing the limits of com-
The final phase of the IDIP involves reviewing munication and collaboration between interna-
the process and results, attempting to determine tional law enforcement. As cloud computing
what worked, what did not, and what changes to blurs geographical borders for businesses, end
the process need to take place. The review phase users and even criminals, law too must begin
should be used to guide education, research and to look to a more open, global system; a system
tool development efforts that feed back into the where everyone—law enforcement, private sector,
readiness phase. From the results of the review academia, and even the public—can play a role to
phase, new methods may be created to deal with detect, research and reduce digital crime. Cyber-
before unknown situations that are specific to crime affects every Internet connected country,
cloud environments. and without effective international collaboration,
laws, and efficient communication channels that
support international collaboration, cybercrime
CONCLUSION will continue unchecked.

Cloud computing has a number of benefits, such

as high availability, potentially lower cost, and REFERENCES
potentially improved security. However, cloud
computing also has a number of associated risks. Adelstein, F. (2006). Live forensics: Diag-
Some of these risks have been inherited from tradi- nosing your system without killing it first.
tional computing models, while the cloud business Communications of the ACM, 49(2), 63–66.
model introduces others. As more businesses and doi:10.1145/1113034.1113070
end users move their data and processing to cloud ADF. (2011). ADF solutions. Retrieved 31 January,
environments, these environments will increas- 2011, from http://www.adfsolutions.com/
ingly become the target, or even the originator, of
malicious attacks. For this reason, digital forensic Amazon. (2011). Amazon elastic compute cloud
investigation methods must be tested against cloud (Amazon EC2). Retrieved 15 February, 2011, from
computing environments with the help of CSPs to http://aws.amazon.com/ec2/
ensure digital evidence is available, and integrity
Anderson, N. (2012). Mega-victory: Kim dotcom
can be maintained and verified.
search warrants invalid, mansion raid illegal. Re-
This work has shown how current digital
trieved 11 July, 2012, from http://arstechnica.com/
forensic investigation process models may be
used to derive cloud-specific considerations
when planning an investigation. In addition, in
investigations of cloud environments the CSP will Armbrust, M. (2009). Above the clouds: A Berkeley
likely be involved. This work has proposed a risk view of cloud computing. Berkeley, CA: University
and investigation assessment model (I-STRIDE) of California.
that can act as a base for CSPs and law enforce-
ment to more effectively work together before

Digital Forensic Investigation and Cloud Computing

Armbrust, M. (2010). A view of cloud comput- Bright, P. (2008). Storms in the cloud leave
ing. Communications of the ACM, 53(4), 50–58. users up creek without a paddle. Ars Technica.
doi:10.1145/1721654.1721672 Retrieved from http://arstechnica.com/microsoft/
Arms, W. (2000). Digital libraries. Retrieved 10
February, 2011, from http://www.cs.cornell.edu/
wya/DigLib/MS1999/Glossary.html Broadhurst, R. (2006). Developments in the
global law enforcement of cyber-crime. Po-
Balduzzi, M., et al. (2012). A security analysis
licing: An International Journal of Police
of amazon’s elastic compute cloud service. In
Strategies & Management, 29(3), 408–433.
Proceedings of the 27th Annual ACM Symposium
on Applied Computing, (pp. 1427-1434). Trento,
Italy: ACM. Bryan, D. M. N., & Anderson, M. (2010). Cloud
computing: A weapon of mass destruction? In
Barbara, J. J. (2009). Cloud computing: Another
DEFCON 18. Las Vegas, NV: DEF CON Com-
digital forensic challenge. Forensic Magazine.
munications, Inc.
Retrieved from http://www.forensicmag.com/
article/cloud-computing-another-digital-forensic- Carrier, B. D. (2003). Open source digital foren-
challenge sics tools: The legal argument. @stake Research
Barnard, A. (2009). Could your phone testify
against you? The New York Times Upfront, 142. Carrier, B. D. (2006). Basic digital forensic investi-
gation concepts. Retrieved 28 January, 2011, from
Biggs, S., & Vidalis, S. (2009). Cloud comput-
ing: The impact on digital forensic investigations.
Washington, DC: IEEE. Carrier, B. D. (2006). A hypothesis-based ap-
proach to digital forensic investigations. (PhD
Bilby, D. (2006). Low down and dirty: Anti-
Thesis). Purdue University. West Lafayette, IN.
forensic rootkits. Retrieved from http://www.
blackhat.com/presentations/bh-jp-06/BH-JP-06- Carrier, B. D. (2006). Risks of live digital forensic
Bilby-up.pdf analysis. Communications of the ACM, 49(2),
56–61. doi:10.1145/1113034.1113069
Bloomberg, J. (2011). Cloud brokering: Building
a cloud of clouds. Retrieved 23 July, 2012, from Carrier, B. D. (2008). A brief introduction to the
http://www.zapthink.com/2011/04/19/cloud- computer history model. Retrieved 2 February,
brokering-building-a-cloud-of-clouds/ 2011, from http://www.digital-evidence.org/
Brennels. (2010). Cloud 101 - Recovery as a
service (RaaS) is here! Retrieved 16 February, Carrier, B. D. (2012). Sleuth kit hadoop. Retrieved
2011, from http://cloudrecovery.info/2010/02/17/ 22 July, 2012, from http://www.sleuthkit.org/
cloud-101-%E2%80%93-recovery-as-a-service- tsk_hadoop/
Carrier, B. D., & Spafford, E. H. (2003). Getting
Brennels. (2010). Cloud 101 - The four type of physical with the digital investigation process.
cloud services? Retrieved 14 February, 2011, from International Journal of Digital Evidence, 2(2),
http://cloudrecovery.info/2010/02/08/cloud-101- 1–20.

Digital Forensic Investigation and Cloud Computing

Carrier, B. D., & Spafford, E. H. (2006). Categories Collier, P. A., & Spaul, B. J. (1992a). A forensic
of digital investigation analysis techniques based methodology for countering computer crime.
on the computer history model. Digital Investiga- Artificial Intelligence Review, 6(2), 203–215.
tion, 3, 121–130. doi:10.1016/j.diin.2006.06.011 doi:10.1007/BF00150234
Casey, E. (2004). Digital evidence and computer Collier, P. A., & Spaul, B. J. (1992b). Forensic
crime: Forensic science, computers and the in- science against computer crime in the United King-
ternet. Amsterdam, The Netherlands: Elsevier dom. Journal - Forensic Science Society, 32(1),
Academic. 27–34. doi:10.1016/S0015-7368(92)73043-6
Casey, E. (2009). Investigation delayed is justice Connery, E. M., & Levy, S. B. (1979). Computer
denied: proposals for expediting forensic exami- evidence in federal courts. Commercial Law
nations of digital evidence*. Journal of Forensic Journal, 84, 266–276.
Sciences, 54(6), 1353–1364. doi:10.1111/j.1556-
CRA. (2003). Four grand challenges in trust-
worthy computing. Retrieved from http://www.
Chirgwin, R. (2012). Megaupload seizures ille- cyber.st.dhs.gov/docs/CRA%20Grand%20Chal-
gal says NZ high court. Retrieved 24 July, 2012, lenges%202003.pdf
from http://www.theregister.co.uk/2012/06/28/
DeHetre, J. D. (1975). Data processing evidence-
Is it different? Chicago-Kent Law Review, 52,
Choo, K. K. R. (2010). Cloud computing: Chal- 567–599.
lenges and future directions. Trends & Issues in
Didone, D., & de Queirozb, R. J. G. B. (2011).
Crime and Criminal Justice, 400, 381–400.
Forensic as a service - FaaS. Paper presented at
Cisco. (2012). Cisco visual networking index: the Sixth International Conference on Forensic
Global mobile data traffic forecast update, 2011– Computer Science - ICoFCS 2011. Florianopolis,
2016. Retrieved 11 July, 2012, from http://www. Brazil.
Duffy, J. (2009). Cisco unveils cloud comput-
ing platform for service providers. Retrieved
10 February, 2011, from http://www.infoworld.
Civie, V., & Civie, R. (1998). Future technologies com/d/cloud-computing/cisco-unveils-cloud-
from trends in computer forensic science. In Pro- computing-platform-service-providers-113
ceedings of Information Technology Conference,
Ellison, L. (2009). Why Larry Ellison hates cloud
1998. IEEE Press.
computing. Retrieved from http://techpulse360.
Clede, B. (1993). Investigating computer crimes. com
Law and Order, 41(7), 99–102.
Eucalyptus. (2010). Eucalyptus user guide. New
CNN. (2009). CNN: Her name was Neda. Re- York, NY: Eucalyptus Systems, Inc.
trieved from http://www.youtube.com/watch?v
Eucalyptus. (2010). Resources. Retrieved 9 Feb-
ruary, 2011, from http://www.eucalyptus.com/
Cohen, F. B. (2010). Fundamentals of digital resources/info/cloud-myths-dispelled - q2
forensic evidence. Handbook of Information and
Communication Security. Retrieved from http://

Digital Forensic Investigation and Cloud Computing

Eucalyptus. (2011). Eucalyptus: The open source Gladyshev, P., & Patel, A. (2004). Finite state
cloud platform. Retrieved 27 February, 2011, from machine approach to digital event reconstruc-
http://open.eucalyptus.com/ tion. Digital Investigation, 1(2), 130–149.
EY. (2011). Into the cloud, out of the fog: Ernst &
Young’s 2011 global information security survey: Gogolin, G. (2010). The digital crime tsunami.
34. New York, NY: Ernst & Young. Digital Investigation, 7(1-2), 3–8. doi:10.1016/j.
Farmer, D., & Venema, W. (2005). Forensic
discovery. Reading, MA: Addison-Wesley Pro- Google. (2012). Google mail - Service details.
fessional. Retrieved 24 July, 2012, from http://www.google.
Frye v. United States, 293 U.S. 1013 (1923).
Daubert v. Merrell Dow Pharmaceuticals, 509
U.S. 579 (1993). Goss, J. (2010). Forensic triage: Managing the
risk. (Master of Science Thesis). University Col-
Garfinkel, S. L. (2010). Digital forensics research:
lege Dublin. Dublin, Ireland.
The next 10 years. Digital Investigation, 7(1),
S64–S73. doi:10.1016/j.diin.2010.05.009 Grivas, S. G. (2010). Cloud broker: Bringing in-
telligence into the cloud. Washington, DC: IEEE.
Gartner. (2012). Forecast: Public cloud services,
worldwide, 2010-2016, 2Q12 update. New York,
NY: Gartner. Gutheil, T. G., & Bursztajn, H. J. (2005). Attorney
abuses of Daubert hearings: Junk science, junk
Gellman, R. (2009). Privacy in the clouds: Risks
law, or just plain obstruction? The Journal of the
to privacy and confidentiality from cloud comput-
American Academy of Psychiatry and the Law,
ing. Paper presented at the World Privacy Forum.
33(2), 150–152.
Washington, DC.
Halderman, J. (2009). Lest we remember:
General Electric Co. v. Joiner, 522 U.S. 136 (1997).
Cold-boot attacks on encryption keys. Com-
Giannelli, P. (2006). Judicature - Scientific munications of the ACM, 52(5), 91–98.
evidence. Retrieved from http://goextranet.net/ doi:10.1145/1506409.1506429
Hannan, M. (2004). To revisit: What is forensic
computing? Paper presented at the 2nd Australian
Computer, Network & Information Forensics
Gladyshev, P. (2004). Formalising event recon- Conference. Perth, Australia.
struction in digital investigations. (PhD Thesis).
Hewlett-Packard. (2011). Everything as a service.
University College Dublin. Dublin, Ireland.
Retrieved 16 February, 2011, from http://www.
Gladyshev, P., & Almansoori, A. (2010). Reliable hp.com/hpinfo/initiatives/eaas/index.html
acquisition of RAM dumps from intel-based apple
Higginbotham, S. (2010). Ericsson CEO predicts
mac computers over firewire. In Proceedings of
50 billion internet connected devices by 2020.
the Second International Conference on Digital
Retrieved 27 January, 2011, from http://gigaom.
Forensics and Cyber Crime (ICDF2C). Abu
Dhabi, UAE: ICST.

Digital Forensic Investigation and Cloud Computing

Hobson, E. W. (2010). What is cloud computing? Jang, Y. (2012). Need of open network approach
Retrieved 12 February, 2011, from https://sites. for cyber security organizational. In Proceedings
google.com/site/cloudinvestigations/whatis of the International Symposium on Cybercrime
Response 2012. Jung-gu, Republic of Korea:
Hu, Y. J. (2012). Towards law-aware semantic
Cyber Terror Response Center.
cloud policies with exceptions for data inte-
gration and protection. New York, NY: ACM. Jansen, W. A. (2011). Cloud hooks: Security and
doi:10.1145/2254129.2254162 privacy issues in cloud computing. Washington,
DC: IEEE. doi:10.1109/HICSS.2011.103
Hunton, P. (2012). Managing the technical re-
source capability of cybercrime investigation: A Jenkins, M. M. (1975). Computer-generated evi-
UK law enforcement perspective. Public Money dence specially prepared for use at trial. Chicago-
& Management, 32(3), 225–232. doi:10.1080/0 Kent Law Review, 52, 600–609.
Johnson, B. (2008). Cloud computing is a trap,
IBM. (2010). IBM x-force 2010 mid-year trend warns GNU founder Richard Stallman. Retrieved
and risk report. New York, NY: IBM X-Force. from http://guardian.co.uk
IBTimes. (2010). Number of internet users in Jones, N. (2004). Training and accreditation -
emerging markets to double by 2015: Report. Who are the experts? Digital Investigation, 1(3),
International Business Times. 189–194. doi:10.1016/j.diin.2004.07.009
IC3. (2011). 2011 internet crime report. Internet Jones, R. (2012). Towards a global criminol-
Crime Complaint Center. Retrieved from http:// ogy? Edinburgh, UK: Edinburgh School of Law
www.ic3.gov Research.
Ingthorsson, O. (2010). Cloud computing - Data Kaufman, L. M. (2009). Data security in the world
privacy and compliance. Cloud Computing Top- of cloud computing. IEEE Security & Privacy,
ics. Retrieved from http://cloudcomputingtopics. 7(4), 61–64. doi:10.1109/MSP.2009.87
Kelman, A., & Sizer, R. (1982). Computer in court
- A guide to computer evidence for lawyers and
Internet World Stats. (2011). Internet usage sta- computing professionals. London, UK: Gower.
tistics: The internet big picture. Retrieved 11 July,
Kent, K., et al. (2006). Guide to integrating forensic
2012, from http://internetworldstats.com/stats.htm
techniques into incident response. National Insti-
James, J. (2010). Analysis of evidence using tute of Standards and Technology. Retrieved from
formal event reconstruction. Digital Forensics http://cybersd.com/sec2/800-86Summary.pdf
and Cyber Crime, 31, 85–98. doi:10.1007/978-
Kerbs, B. (2008). Amazon: Hey spammers, get off
my cloud! Retrieved 27 July, 2012, from http://
James, J. I., & Gladyshev, P. (2010). 2010 report voices.washingtonpost.com/securityfix/2008/07/
of digital forensic standards, processes and ac- amazon_hey_spammers_get_off_my.html
curacy measurement. Retrieved 22 December,
Kim, R. (2012). Vendor lock-in and the challenge
2010, from http://www.forensicfocus.com/2010-
to platform as a service. Retrieved 27 July, 2012,
from http://gigaom.com/cloud/vendor-lock-in-
and-the-challenge-to-Platform as a Service/

Digital Forensic Investigation and Cloud Computing

Koopmans, M. (2010). The art of triage with (g) McAfee. (2010). A good decade for cybercrime.
PXE. (Master of Science). Dublin, Ireland: Uni- Santa Clara, CA: McAfee, Inc.
versity College Dublin.
McGuigan, B. (2011). What is distributed
Kosner, A. W. (2012). Amazon cloud goes down fri- computing? Retrieved 10 February, 2011, from
day night, taking Netflix, Instagram and Pinterest http://www.wisegeek.com/what-is-distributed-
with it. Retrieved 24 July, 2012, from http://www. computing.htm
McKemmish, R. (1999). What is forensic com-
puting. Trends and Issues in Crime and Criminal
Justice, 118.
Kravets, D. (2012). Feds tell megaupload users to
Meeker, M. (2012). Internet trends. D10 Con-
foreget about their data. Retrieved 22 July, 2012,
ference. Retrieved 11 July, 2012, from http://
from http://www.wired.com/threatlevel/2012/06/
Kui, R. (2012). Security challenges for the public view-video/?refcat=d10
cloud. IEEE Internet Computing, 16(1), 69–73.
Mell, P., & Grance, T. (2011). The NIST defini-
tion of cloud computing. National Institute of
Kumho Tire Co. v. Carmichael, 526 U.S. 137 Standards and Technology, 7.
Messmer, E. (2011). How one municipality is
Lemos, R. (2001). FBI hack raises global security securing Google apps, docs. Retrieved from http://
concerns. Retrieved 11 July, 2012, from http:// csonline.com
Microsoft. (2010). Computer online forensic evi-
Lemos, R. (2010). Cloud-based denial of serice dence extractor (COFEE). Retrieved 4 February,
attacks looming, researchers say. Retrieved 27 2011, from http://www.microsoft.com/industry/
July, 2012, from http://www.darkreading.com/ government/solutions/cofee/default.aspx
Microsoft. (2011). TrojanDropper:Win32/
Lim, K.-S. (2012). On-the-spot digital investiga- Bohu.A. Malware Protection Center. Retrieved 25
tion by means of LDFS: Live data forensic system. February, 2011, from http://www.microsoft.com/
Mathematical and Computer Modelling, 55(1), security/portal/Threat/Encyclopedia/Entry.aspx?
223–240. doi:10.1016/j.mcm.2011.05.019 Name=TrojanDropper%3AWin32%2FBohu.A
Mansfield-Devine, S. (2010). Fighting foren- Mislan, R. P. (2010). The growing need for
sics. Computer Fraud & Security, 1, 17–20. on-scene triage of mobile devices. Digital
doi:10.1016/S1361-3723(10)70112-3 Investigation, 6(3-4), 112–124. doi:10.1016/j.
Martin, A. (2007). Firewire memory dump of
a Windows XP computer: A forensic approach. Moreno-Vozmediano, R. (2012). Key challenges
Retrieved from http://www.friendsglobal.com/pa- in cloud computing to enable the future internet
pers/FireWire%20Memory%20Dump%20of%20 of services. IEEE Internet Computing, 99.

Digital Forensic Investigation and Cloud Computing

Myslewski, R. (2009). Intel puts cloud on a Pettey, C. (2011). Gartner says 30 percent of
single megachip. Retrieved 10 February, 2011, midsize companies will use recovery-as-a-service
from http://www.theregister.co.uk/2009/12/02/ by 2014. New York, NY: Gartner.
Pollitt, M. (1995). Principles, practices, and pro-
Nguyen, L. (2012). Tori Stafford trial: Cellphone cedures: An approach to standards in computer
record shows gap during abduction, murder. Re- forensics. Retrieved from http://www.digitalevi-
trieved 13 July, 2012, from http://www.canada. dencepro.com/Resources/Principles.pdf
Pollitt, M. (2007). An ad hoc review of digital foren-
sic models. Washington, DC: IEEE. doi:10.1109/
NIJ. (2008). Electronic crime scene investigation:
Polsson, K. (2011). Chronology of personal com-
A guide for first responders (2nd ed). Retrieved 2
puters. Retrieved 25 January, 2011, from http://
February, 2011, from http://www.ojp.usdoj.gov/
htm Ponemon. (2011). The security of cloud infra-
structure: Survey of U.S. IT and compliance
Norton, Q. (2012). 25 alleged anons arrested in
practitioners. New York, NY: Ponemon Institute.
international crackdown. Retrieved 27 July, 2012,
from http://www.wired.com/threatlevel/2012/02/ Purdy, C. (2010). Industry’s first forensic-base
anonymous-arrested-interpol/ critical infrastructure security solution. Retrieved
29 January, 2011, from https://http://www.guid-
O’Connor, T. (2010). Admissibility of scien-
tific evidence under daubert. Retrieved 26,
January, 2011, from http://www.drtomoconnor.
Palmer, G. (2001). DFRWS technical report: A 0000296&id=1000000267&blogid=2523
road map for digital forensic research. In Digital
Rekhis, S., & Boudriga, N. (2010). Formal
Forensic Research Workshop. Utica, NY: G.
digital investigation of anti-forensic attacks. In
Proceedings of the Fifth International Workshop
Paquette, S. (2010). Identifying the security on Systematic Approaches to Digital Forensic
risks associated with governmental use of cloud Engineering. IEEE Press.
computing. Government Information Quarterly,
Ristenpart, T., et al. (2009). Hey, you, get off of
27(3), 245–253. doi:10.1016/j.giq.2010.01.002
my cloud: exploring information leakage in third-
Parnell, B.-A. (2012). Microsoft’s Azure cloud party compute clouds. In Proceedings of the 16th
down and out for 8 hours. Retrieved 24 July, 2012, ACM Conference on Computer and Communica-
from http://www.theregister.co.uk/2012/02/29/ tions Security. ACM Press.
Roberts, J. J. (1974). A practitioner’s primer on
Paul, W. (2012). Cyber war, formal verification computer-generated evidence. The University of
and certified infrastructure. Verified Software: Chicago Law Review. University of Chicago. Law
Theories, Tools, Experiments, 1(1). School, 41(2), 254–280. doi:10.2307/1599148

Digital Forensic Investigation and Cloud Computing

Rogers, M. (2006). Computer forensics field tri- Security as a Service. (2011). Security as a service
age process model. Journal of Digital Forensics. defined categories of service 2011. Washington,
Security and Law, 1(2), 27–40. DC: Security as a Service Working Group. ACPO.
(2008). Good practice guide for computer based
Roth, T. (2011). Breaking encryption in the cloud:
electronic evidence. Washington, DC: ACPO.
GPU accelerated supercomputing for everyone. In
Proceedings of Black Hat DC 2011. Black Hat. Shinder, D., & Cross, M. (2008). Scene of the
cybercrime. New York, NY: Syngress Media.
RSA. (2009). Public-key cryptography standards
(PKCS). Retrieved 21 May, 2012, from http:// Shipley, T. G., & Door, B. (2012). Forensic
www.rsa.com/rsalabs/node.asp?id=2176 imaging of hard disk drives- What we thought
we knew. Retrieved 15 July, 2012, from http://
Ruan, K., et al. (2011). Cloud forensics: An over-
view. I Advances in Digital Forensics, 7.
Ruan, K., et al. (2012). Cloud forensics: Key terms we-knew-2/
for service level agreements. Paper presented at the
Skok, M. J. (2012). Future of cloud comput-
Eigth Annual IFIP WG 11.9 International Confer-
ing 2012. Waltham, MA: Northbridge Venture
ence on Digital Forensics. Pretoria, South Africa.
Russell, K., & Hammons, S. (2012). Citizen
Smith, S. E. (2011). What is cyberwar? Retrieved
engagement platform. Boulder, CO: Office of
28 January, 2011, from http://www.wisegeek.com/
Information Technology.
Saliba, J. (2012). Finding evidence in an online
Spafford, E. H., & Weeber, S. A. (1993). Soft-
world - Trends and challenges in digital foren-
ware forensics: Can we track code to its au-
sics. Retrieved from http://www.cybercrimetech.
thors? Computers & Security, 12(6), 585–595.
in-online.html Stephenson, P. (2003). Using a formalized
approach to digital investigation. Computer
Saripalli, P., & Walters, B. (2010). QUIRC: A
Fraud & Security, 7, 17–20. doi:10.1016/S1361-
quantitative impact and risk assessment frame-
work for cloud security. IEEE. doi:10.1109/
CLOUD.2010.22 SWGDE. (2009). SWGDE/SWGIT digital &
multimedia evidence glossary version: 2.3.
Scheier, R. L. (2009). What to do if your cloud
Washington, DC: Scientific Working Group on
provider disappears. Cloud Computing. Re-
Digital Evidence.
trieved from http://www.infoworld.com/d/cloud-
computing/what-do-if-your-cloud-provider- Swiderski, F., & Snyder, W. (2004). Threat model-
disappears-508 ing. Redmond, WA: Microsoft Press.
Schneier, B. (2010). The threat of cyberwar has Tapper, C. (1974). Evidence from computers.
been grossly exaggerated. Schneier on Security. Rutgers Journal of Computers and the Law, 4,
Retrieved from http://www.schneier.com/blog/ 324–406.

Digital Forensic Investigation and Cloud Computing

Taylor, M. (2011). Forensic investigation of cloud Wilsdon, T., & Slay, J. (2005). Digital forensics:
computing systems. Network Security, 3, 4–10. Exploring validation, verification & certification.
doi:10.1016/S1353-4858(11)70024-1 In Proceedings of the First International Workshop
on Systematic Approaches to Digital Forensic
Teubner, A. L. (1978). The computer as expert
Engineering (SADFE 2005). IEEE.
witness: Toward a unified theory of computer
evidence. Jurimetrics Journal, 19, 274–297. Wolski, R. (2010). Top 5 questions posted
on “cloud computing” [part 1/3]. Eucalyptus.
USDoJ. (2002). Prosecuting computer crimes.
Retrieved from http://www.eucalyptus.com/
Washington, DC: United States Department of
Justice, Computer Crime & Intellectual Property
Xen. (2011). Xen hypevisor - Leading open source
Vaciago, G. (2012). Cloud computing and data
hypervisor for servers. Retrieved 10 February,
jurisdiction: A new challenge for digital foren-
2011, from http://www.xen.org/products/xenhyp.
sics. Retrieved from http://www.thinkmind.
ws_2012_1_20_70033 Zissis, D., & Lekkas, D. (2012). Addressing cloud
computing security issues. Future Generation
Vaquero, L. M. (2008). A break in the clouds:
Computer Systems, 28(3), 583–592. doi:10.1016/j.
Towards a cloud definition. ACM SIGCOMM
Computer Communication Review, 39(1), 50–55.
doi:10.1145/1496091.1496100 Zittrain, J. (2009). Lost in the cloud. The New
York Times.
Vouk, M. A. (2008). Cloud computing-Issues,
research and implementations. IEEE.
Wang, W. Y. C. (2011). Toward the trend of cloud
computing. Journal of Electronic Commerce
Research, 12(4). Amazon. (2011). Amazon elastic compute cloud
Ward, B. T., & Sipior, J. C. (2010). The internet (Amazon EC2). Retrieved 27 February, 2011, from
jurisdiction risk of cloud computing. Information http://aws.amazon.com/ec2/
Systems Management, 27(4), 334–339. doi:10.10 Armbrust, M. (2009). Above the clouds: A Berkeley
80/10580530.2010.514248 view of cloud computing. Berkeley, CA: University
Willassen, S. (2008). Using simplified event of California.
calculus in digital investigation. In Proceedings Balduzzi, M., et al. (2012). A security analysis
of the 2008 ACM Symposium on Applied Comput- of amazon’s elastic compute cloud service. In
ing. ACM Press. Proceedings of the 27th Annual ACM Symposium
Williams, C. (2011). Cybercrime gang responsible on Applied Computing, (pp. 1427-1434). Trento,
for a third of all data thefts. The Telegraph. Italy: ACM Press.
Baryamureeba, V., & Tushabe, F. (2004). The
enhanced digital investigation process model.
Asian Journal of Information Technology, 5(7).

Digital Forensic Investigation and Cloud Computing

Carrier, B., & Spafford, E. (2003). Getting physical Higgins, K. J. (2011). Proposed nonprofit would
with the digital investigation process. Interna- bridge law enforcement, enterprise security
tional Journal of Digital Evidence, 2(2), 1–20. worlds. Retrieved 27 February, 2011, from http://
Carrier, B. D. (2006). A hypothesis-based ap-
proach to digital forensic investigations. (PhD
Thesis). Purdue University. West Lafayette, IN.
Choo, K. K. R. (2010). Cloud computing: Chal-
Hobson, E. W. (2010). Digital investigations in
lenges and future directions. Trends & Issues in
the cloud. White Paper. New York, NY: QinetiQ.
Crime and Criminal Justice, 400, 381–400.
Home Office. (2010). Codes of practice and
CoE. (2001). Concention on cybercrime. Buda-
conduct for forensic science providers and prac-
pest, Romania: Council of Europe.
titioners in the criminal justice system. New York,
CSA. (2010). Cloud security alliance top threats NY: Crown Copyright.
to cloud computing v1.0. New York, NY: Cloud
NIST. (2010). Cloud computing. Retrieved 27
Security Alliance (CSA).
February, 2011, from http://csrc.nist.gov/groups/
Dhanjani, N. (2009). Hacking: The next genera- SNS/cloud-computing/
tion. Sebastopol, CA: O’Reilly Media, Inc.
OpenNebula. (2011). The open source toolkit for
Eucalyptus. (2010). Eucalyptus community. cloud computing. Retrieved 27 February, 2011,
Retrieved 27 February, 2011, from http://open. from http://opennebula.org/
Pollitt, M. (2007). An ad hoc review of digital foren-
Feliz, T. (2010). Cloud computing: 10 web oper- sic models. Washington, DC: IEEE. doi:10.1109/
ating systems. AdmixWeb. Retrieved from http:// SADFE.2007.3
Roth, T. (2011). Breaking encryption in the cloud:
Finley, K. (2010). 5 cloud-oriented operating GPU accelerated supercomputing for everyone. In
systems available now. ReadWrite Cloud. Proceedings of Black Hat DC 2011. Black Hat.
Gellman, R. (2009). Privacy in the clouds: Risks to Thomas, K. (2010). Microsoft cloud data breach
privacy and confidentiality from cloud computing. heralds things to come. PCWorld Business Center.
New York, NY: World Privacy Forum.
USDoS. (2011). U.S. department of state freedom
Google. (2011). Top ten advantages of Google’s of information act (FOIA). Retrieved 27 February,
cloud. Retrieved 28 February, 2011, from http:// 2011, from http://www.state.gov/m/a/ips/
Xen. (2011). Xen cloud platform. Retrieved 27
February, 2011, from http://www.xen.org/prod-
Gustin, S. (2011). GFail: Google very sorry after ucts/cloudxen.html
the cloud eats 150,000 gmail accounts. Wired.
Zimmerman, S., & Glavach, D. (2011). Cyber
forensics in the cloud. IAnewsletter, 14(1), 4–7.

Digital Forensic Investigation and Cloud Computing

In this survey, 35% or respondents were
customers and 65% were vendors. For these
Also known as Computer Forensics or Cyber statistics, separation between customer and
Forensics. vender was not shown, and inclusion of vend-
Some researchers believe various groups ers could potentially bias results in favor of
have exaggerated the threat of a cyber war confidence in cloud services.
(Schneier, 2010). 9
A side channel attack uses physical aspects
“Cyberwar is a form of war which takes of a system as sources of information about
places on computers and the Internet, through digital data or processes, such as power
electronic means rather than physical ones” consumption, sound, and electromagnetic
(Smith, 2011). waves.
Some data, such as imaging Random Access 10
Brute-force password cracking is essentially
Memory, can be acquired directly from an attempting every possible key combination
external FireWire connection (Gladyshev & until the correct password is found.
Almansoori, 2010). 11
Asset-centric threat modeling first identifies
The layers of Cloud Computing can also an organization’s assets, and then focuses
be described in depth by using the Open on identification of threats to the identified
Systems Interconnection (OSI) model. assets.
Distributed computing – computing systems 12
XSS is not specific to Eucalyptus, and is
in which services to users are provided by added to illustrate a threat to an asset—the
teams of computers collaborating over a cloud client—that will likely have no in-
network (Arms, 2000). house traces associated, but is an in-house
A combination of programs that work to- security issue.
gether to produce a given result.


View publication stats