cloud forensics: challenges only ahead


The "Cyber Times International Journal of Technology & Management" (CTIJTM) was launched in 2007 by "Cyber Times - PRESS" in order to promote the latest research and innovations in the area of Technology & Management. The paper uploaded here was published in this journal in Vol 8 Issue 1.


Cyber Times International Journal of Technology & Management, Vol. 8 Issue 1, October – March 2015

CLOUD FORENSICS: CHALLENGES ONLY AHEAD

Anupam Tiwari, CEH, CCCSP, Chartered Engineer, GFSU Certified Cyber Security Professional, B.E, M-Tech (Computer Science), PGERP, PGDIS, PGDBM

Min of Defense, [email protected]

    ABSTRACT

Cloud Computing is emerging, amongst all the buzzwords of rising technologies, as one of the most significant developments in the history of computing. As it is still settling, a new challenge felt during its implementation has been the relatively newer field known as Cloud Forensics. Today, as the Cloud still needs time to mature and offer its full potential, the even newer subfield of Cloud Forensics is a worrying cause that holds back immediate, open-armed acceptance of cloud computing. Research in this field is still in its early stages, judging from the way cases and incidents are being handled on the ground today.

A few key pertinent issues immediately come to the fore: distributed storage in place of the traditional local storage that was easy for the forensic team to confiscate; shared storage in a multi-user environment that may be hired from the CSP[1] on a time-bound deal; and, even if the user associated with a data location is identified, separating that user's data from other users' is never going to be easy owing to confidentiality and privacy issues.

In this paper we discuss and build upon the challenges, as they stand today, facing the forensics industry in the growing Cloud.

    KEYWORDS: Cloud[2], Cloud Forensics[3], Computing, Cyber Security, Digital Forensics, Evidence, Platform as a Service, Software as a Service, Cloud Service Provider, Virtual Machine

    I. INTRODUCTION

Cloud computing is a rapidly developing and noteworthy IT development that has come forth as a promising direction for cost-effective and reliable service delivery to a variety of users. Many countries and leading organizations have already embraced it and embarked on exploiting the strengths of Cloud Computing, offering the latest services to users spanning citizens, industries and businesses across the globe. Amid all this good news and the bright prospects offered by cloud computing, there lies a rising concern about its trustworthiness, security and forensics aspects. The Cloud offers unique opportunities for malicious individuals to launch attacks without leaving any tell-tale signs behind. Let's make this clear with a simple sample setup. Billu, recently released from prison, decides to go hi-tech for his next crime. This time he decides to offer "Crimeware as a Service"[4]. He fixes a deal with a competitor of a leading online shopping website and subsequently decides to use Cloud services to launch a distributed denial of service attack by hiring machines from a CSP instead of investing in his own hardware and software infrastructure. The victim shopping site, which generates a lot of revenue as it serves the traffic of users across the globe, goes down for a few hours, and as a result of the attack the user traffic is forced to divert to the competitor's online shopping site. After the attack, Billu terminates all the hired virtual machines[5] and colludes with the CSP to provide doctored logs in case of any investigation by any agency.

Now, from the perspective of the investigating agencies, there exists a large gap in the standards and policies applying to every node involved in such a typical case, including the CSP and the user. The standards to be complied with by the CSP, and the terms and conditions standing between the CSP and the user, remain to be settled even for the basic security and forensics aspects. The challenges seen from the viewpoint of a Digital Forensics[6] specialist are abundant.

    Figure 1: Typical Forensic Process

Imagine the fields shown in the figure above in the context of Cloud Computing. The versatile characteristics of cloud computing simply confound the basic prerequisites of forensics in the Cloud. The variety of challenges that cloud computing poses for forensics is discussed below.

    Figure 2: Control over Data in Clouds

    II. STORAGE

Cloud storage is not local; it can span across continents. So in a typical case like the one above, where does the forensic expert look to extract remnants of logs and data? What will he confiscate? In a traditional computer forensics case, investigators have complete hold over the evidence, including router logs, process logs and hard disks that are right in front of their eyes.

(Figure 1 content: Collection → Examination → Analysis → Reporting; Media → Data → Information → Evidence)

(Figure 2 content: four stacks of the same layers, Application, Data, Runtime, Middleware, O/S, Virtualization, Server, Networking and Storage, for On Site, Infrastructure, Platform and Software; legend: You Manage / Vendor)

Alas, in the case of cloud computing, the hold over data varies with the service model in use, viz. SaaS[7], PaaS[8] and IaaS[9]. Even the delivery model makes a lot of difference, including Public, Private or Hybrid. Thus the dispersed nature of Cloud-based systems directly affects control over the functional layers. Figure 2 shows that SaaS offers practically no control to the user whereas IaaS offers the highest.

    III. SHARING OF SPACE

Cloud computing is a multi-user arrangement, whereas a conventional system is dedicated to a single user. This makes the whole process more complex when it comes to ascertaining any forensic finds. In a typical cloud environment matters are made more tortuous because the malicious criminal may simply rent and then shut down the virtual environment, while data across several Virtual Machines shares the same physical hardware and setup. This makes the forensic process even more intricate to work on. In any case, even if the data is extracted in some technical way, it becomes hard to testify to in court. Besides, new-generation attacks like Side Channel attacks[10] only make the whole process more complex.

    IV. DELETION OF DATA

In IT systems, any time something is deleted, does it actually get deleted? No: what seems like a file deletion is actually only the removal of the reference to the data; the data itself is not deleted and remains as it was, waiting to be overwritten later. Such reference-only deletion, besides being uncommitted at any given point for recovery, has a higher chance of being missed if the same space becomes available as part of another user's customized requirement, which is highly likely owing to the growing market demand for clouds. Besides, regular real-time backups of this overwritten shared storage make the forensics process practically unmanageable.

    V. EVIDENCE COORDINATION

In any typical forensic process, the forensic team always wants to know and correlate all the events that happened around the reported incident. How will all activities be correlated in a cloud environment where not one but multiple CSPs may be involved? Different CSPs offer a miscellany of architectures and platforms, leading to interoperability issues.

    VI. VIRTUAL MACHINE CHECKPOINTS

Reconstruction of Virtual Machines, or cloning[11] an exact existing state, though technically possible through a variety of algorithms, remains to be validated and recognized by courts of law owing to the lack of accepted standards currently available in the Cloud environment. Fargo/VM Fork[12] are usable platforms presently in technology preview that enable speedy cloning of running VMs for remote functionality, but without any established and accepted standards.

    VII. TIME STAMP SYNCHRONEITY

Precise time synchronization is of vital importance for any network forensics, and is an enormous challenge in cloud environments, where time must be synchronized across multiple physical machines located across continents with different time zones, platforms and infrastructure. Timestamp synchronization is vital for audit logs used as a source of evidence in any digital investigation. Precise time synchronization therefore assumes greater importance, and is critical to the issues to be resolved during network forensics, which is exacerbated by the fact that a cloud environment needs to synchronize timestamps coherently across devices spanning a variety of time zones.

    VIII. LOG FORMATS INTEROPERABILITY

A multiplicity of logs in different formats, and the accompanying need to combine them, has been a conventional issue in network forensics, and it is exacerbated in cloud environments because it is exceedingly difficult to merge these varieties from different sources and derive some useful analysis.
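As an added illustration of the two problems raised in Sections VII and VIII (not part of the original paper), the Python below takes log records from several constructed, hypothetical sources, each in a different format and time zone, brings them onto one UTC clock, orders them into a single timeline, and flags any source whose records carry no zone information and therefore cannot be trusted for ordering. The record formats and source names are invented for the example.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample records from four hypothetical sources. The formats are
# illustrative of the variety an investigator meets, not any real CSP's.
SAMPLE_RECORDS = [
    ("csp-a-api", '{"eventTime": "2015-03-02T08:35:12Z", "eventName": "TerminateInstances", "instance": "vm-17"}'),
    ("vm-17-syslog", "2015-03-02T14:05:09+05:30 vm-17 sshd[812]: Accepted publickey for admin from 198.51.100.4"),
    ("edge-proxy", '198.51.100.4 - - [02/Mar/2015:03:35:15 -0500] "GET /admin HTTP/1.1" 200 512'),
    ("hypervisor", "2015-03-02 08:35:20 hv-03 vmstore: snapshot of vm-17 deleted"),  # no zone info
]

ACCESS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] (.*)")
NAIVE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)")


def parse_record(line):
    """Return (utc_time, zone_known, message) for one raw log line.

    Each format is detected and its timestamp converted to UTC. A timestamp
    without any zone is assumed to be UTC but reported as zone_known=False,
    because that assumption, if wrong, silently reorders the incident.
    """
    if line.lstrip().startswith("{"):                      # JSON API audit event
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        msg = f'{ev["eventName"]} {ev.get("instance", "")}'.strip()
        return ts.astimezone(timezone.utc), True, msg
    m = ACCESS_RE.search(line)                              # web access log with offset
    if m:
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        return ts.astimezone(timezone.utc), True, m.group(2)
    m = NAIVE_RE.match(line)                                # "YYYY-MM-DD HH:MM:SS", no zone
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        return ts.replace(tzinfo=timezone.utc), False, m.group(2)
    head, _, msg = line.partition(" ")                      # ISO 8601 syslog-style prefix
    ts = datetime.fromisoformat(head)
    if ts.tzinfo is None:
        return ts.replace(tzinfo=timezone.utc), False, msg
    return ts.astimezone(timezone.utc), True, msg


def build_timeline(records):
    """Normalise (source, line) pairs to UTC and order them into one timeline."""
    timeline = []
    for source, line in records:
        ts, known, msg = parse_record(line)
        timeline.append({"utc": ts, "source": source, "zone_known": known, "message": msg})
    timeline.sort(key=lambda e: e["utc"])
    return timeline


def unsynchronised_sources(timeline):
    """Sources whose ordering on the timeline rests on an assumed zone."""
    return sorted({e["source"] for e in timeline if not e["zone_known"]})


if __name__ == "__main__":
    for e in build_timeline(SAMPLE_RECORDS):
        flag = "" if e["zone_known"] else "  [zone assumed]"
        print(e["utc"].isoformat(), e["source"], e["message"], flag)
    print("needs clock verification:", unsynchronised_sources(build_timeline(SAMPLE_RECORDS)))
```

Once on one clock, the three zone-aware records show the SSH login, the API termination call and the proxy request within six seconds of each other, which the raw local timestamps (14:05, 08:35 and 03:35) completely obscure.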

    IX. INTEROPERABILITY IN CSPs

Interoperability means the ability of multiple cloud platforms to work together, which requires an abstraction between application data logic and system interfaces. Though standards are setting in today, there is still a long way to go before we overcome the proprietary architecture challenges of the various CSPs.

    X. NO SINGLE POINT OF FAILURE FOR CRIMINALS

The current lack of standards and policies in cloud forensics is a win-win situation for any criminal wanting to commit crime. There is no single point of failure in the typical setup of cloud services that would let criminals be convicted in a straightforward manner. No single PC or terminal can be seized as evidence by the forensic team, as the usual scheme of digital forensics requires. No one computer in the group holds all of the data the forensic investigator needs to reconstruct the information about the crime. A vicious organization can opt for one CSP for a storage solution, another CSP for hosting services, and route everything through yet another CSP.

    XI. REAL TIME MONITORING

Unless specific monitoring is being done on a network, the colossal size of any CSP infrastructure makes it impossible to monitor the network in real time. A typical cloud infrastructure may be composed of rented time on thousands of systems, owned and run by a large variety of CSPs. With a diverse infrastructure spread across geographic locations, even deciding where to place sensors will be staggeringly difficult.

    XII. EVIDENCE SEPARATION

Collection of evidence via various logs, metadata etc. in a Cloud setup, though difficult to collate, is possible today owing to the improving versions of CSPs' interfaces for users and investigators. But the difficult work commences after collation, which necessitates separating critical logs from junk logs owing to the vastness of the logs of multiple users spread over a variety of locations. It remains a challenge for CSPs and law agencies to isolate resources during investigations without infringing the confidentiality of other users sharing the same brick.

    XIII. CHAIN OF CUSTODY (CoC)

Chain of custody refers to the chronological documentation showing the seizure, custody, control, transfer, analysis and disposition of electronic evidence. In a conventional case the chain of custody is relatively easy to maintain, compared with Cloud environments where neither the location is fixed, nor the architecture known, nor straightforward logs available. In fact, the chain of custody of data may be impossible to verify. Without a CSP committed to, and bound by, law and standards, the challenge in cloud forensics only grows exponentially.
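As an added illustration for this section (not part of the original paper), the following Python keeps the chain-of-custody record for an item of evidence exported from a CSP as a hash chain: each seizure, transfer or analysis entry commits to the evidence digest and to the previous entry's hash, so a modified note, a removed entry or a swapped evidence file is detected on verification. The evidence bytes, custodian names and timestamps are constructed for the example.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyChain:
    """Hash-chained chain-of-custody log for one item of evidence.

    Every entry commits to the evidence digest and to the previous entry's
    hash, so verify() detects a changed note, a reordered or missing entry,
    or evidence bytes that no longer match what was acquired. Timestamps are
    supplied by the caller (fixed strings here) so the record is reproducible.
    """

    GENESIS = "0" * 64

    def __init__(self, evidence: bytes, when: str, custodian: str, note: str):
        self.evidence_hash = sha256_hex(evidence)
        self.entries = []
        self.append("acquisition", when, custodian, note)

    @staticmethod
    def _digest(entry: dict) -> str:
        # Canonical JSON (sorted keys, fixed separators) so the hash is stable.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

    def append(self, action: str, when: str, custodian: str, note: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "action": action,        # acquisition, transfer, analysis, disposition ...
            "when": when,            # UTC timestamp as recorded by the custodian
            "custodian": custodian,
            "note": note,
            "evidence_hash": self.evidence_hash,
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> tuple:
        """Return (True, 'ok') or (False, reason) for the record and the evidence bytes."""
        if sha256_hex(evidence) != self.evidence_hash:
            return False, "evidence bytes do not match the recorded digest"
        expected_prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev_hash"] != expected_prev:
                return False, f"link broken at entry {i}"
            if entry["evidence_hash"] != self.evidence_hash:
                return False, f"entry {i} refers to different evidence"
            if self._digest(entry) != entry["entry_hash"]:
                return False, f"entry {i} was modified after it was written"
            expected_prev = entry["entry_hash"]
        return True, "ok"


# Constructed evidence: a small export an investigator might receive from a CSP.
EVIDENCE = b'{"vm":"vm-17","event":"TerminateInstances","time":"2015-03-02T08:35:12Z"}\n'


def build_example_chain() -> CustodyChain:
    chain = CustodyChain(EVIDENCE, "2015-03-03T10:00:00Z", "investigator-1",
                         "exported via CSP console, digest recorded on receipt")
    chain.append("transfer", "2015-03-03T12:30:00Z", "evidence-officer-2", "sealed and moved to lab store")
    chain.append("analysis", "2015-03-04T09:15:00Z", "analyst-3", "read-only review of termination event")
    return chain
```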

XIV. MULTIPLE DEPENDENCIES

The technological architecture any cloud is based on makes it possible for profit-seeking CSPs to hire services in the form of Storage, Infrastructure or Software etc. from others, making the chain of dependencies longer and more complex. Each link of this long multiple chain is an individual challenge in itself, as discussed above under the various attributes.

    XV. DATA MIRRORING

Data mirroring[13] refers to the real-time operation of copying data, as an exact copy, from one location to a local or remote storage medium. In a cloud setup, mirroring comes as a feature for safeguarding the data of users and customers. Data mirroring across multiple machines in a variety of legal domains spanning geographic locations, over another variety of differently customized algorithms, makes forensics a genuinely complex case to work on. Mirroring policies, standards and customized setups make it all the tougher for the forensic representative who may be investigating such scenarios, with nowhere to start from.

    XVI. TRUST VALIDATION

The example discussed above, with Billu colluding with the CSP, is practically possible in the market today owing to the non-existence of any recognized and accepted strong trust standards and SLAs amongst the various agencies involved in the setup. Cloud setups have numerous layers of abstraction, from hardware to virtualization to guest operating systems. The integrity and trustworthiness of forensic data depends on the cumulative trustworthiness of these layers, any of which could potentially fudge data integrity.

XVII. TRAINED PERSONNEL[14]

The availability of trained personnel and investigators remains a serious cause for concern owing to the lack of training materials that prepare investigators in cloud computing technology and in forensics operating policies and procedures. As of today, most digital forensic training materials are rather outdated and not relevant to a typical cloud setup. This lack of knowledge hampers remote investigations where systems are not physically accessible and the right tools to look into a case efficiently are absent. More or less, the hit-and-trial method rules in most cases, which should never be so.

    XVIII. CONCLUSION AND FUTURE SCOPE

Cloud is a certain future relating to every aspect of our lives, be it Banking, Education, Mobiles, Sports, Corporate Houses, HR, Automobiles, Commerce or Aviation; we can relate every field associated with our lives to this potent technology. But, as always with the shining side of the moon, there is a dark side to it too, and simply taking it on without preparing for the side effects that come along will indeed be a failure, with no time to react. Cybercrime has only been increasing over the years, with a recent statistic showing an increase of up to 10.4% in 2014 over the previous year. These crimes, if quantified, will number in the millions, and the interesting point is that each of these crimes has a forensic angle associated with it. Emerging and associated new technologies like Big Data[15] only make the attack surface for cyber criminals bigger and wider, with more ambiguities. Data Provenance[16] is an even bigger challenge in the field of forensics.

With the challenges discussed and brought out above, the time when they are resolved, and when forensics as a field is no longer viewed with an exclamation mark in terms of pursuing cases, does not seem very near. All the challenges brought out above are still open and must be in various stages of research across the globe. From the user's perspective there is actually little to be done except logging and exploiting the interface; the prime task remains between the CSPs and the legal authorities of the various countries. CSPs need to provide a robust interface with multiple transpositions of anticipated requirements. Coming up with a common legal binding amongst a variety of countries with diverse cultures will itself be a challenge. Things have, though, started to build up, for example the Common Criteria for Information Technology Security, an international standard (ISO/IEC 15408)[17] for security certification. Recently twenty-six countries agreed on reforms to improve cyber security through international public-private collaboration, and forensics is a definite agenda item in this. Every incident of cyber crime reported has a forensic angle to it, and so the Common Criteria setup will ensure that the future of cloud forensics is not as undefined as it might have been without such an initiative. At least the infancy stage is on for this rising giant of a technology.

    ACKNOWLEDGEMENT

I am very grateful to Col. (Retd.) Mahesh Khera, President, Broadband India Forum, and to the world of open source, which has enabled me to understand and put down my thoughts on this very critical but still unattended subject. Special thanks to Dr. Anup Girdhar, CEO and Founder, Sedulity Solutions & Technologies, who gave me an opportunity to present this paper and has been my guide over my various interactions with him in courses I have pursued over a period of time.

    REFERENCES

[1] Webopedia, Cloud Service Provider. Available at , [Accessed 12 Jan 2015].

[2] Wikipedia, Cloud Computing. Available at , [Accessed 12 Jan 2015].

[3] Wikipedia, Cloud Forensics. Available at , [Accessed 14 Jan 2015].

[4] RWSP, Crimeware as a Service. Available at , [Accessed 15 Jan 2015].

[5] Webopedia, Virtual Machine. Available at , [Accessed 17 Jan 2015].

[6] Wikipedia, Digital Forensics. Available at , [Accessed 19 Jan 2015].

[7] Wikipedia, Software as a Service. Available at , [Accessed 19 Jan 2015].

[8] Wikipedia, Platform as a Service. Available at , [Accessed 19 Jan 2015].

[9] Microsoft, Infrastructure as a Service. Available at , [Accessed 21 Jan 2015].

[10] NIST, Side Channel Attacks. Available at , [Accessed 22 Jan 2015].

[11] VMware, Cloning a Virtual Machine. Available at <https://www.vmware.com/support/ws55/doc/ws_clone_overview.html>, [Accessed 29 Jan 2015].

[12] VM Fork, Virtual Machine. Available at yellow bricks, [Accessed 30 Jan 2015].

[13] Techopedia, Data Mirroring. Available at <http://www.techopedia.com/definition/1068/data-mirroring>, [Accessed 08 Feb 2015].

[14] NIST, Cloud Computing Forensic Science Challenges (Draft NISTIR 8006). Available at <http://csrc.nist.gov/publications/drafts/nistir-8006/draft_nistir_8006.pdf>, [Accessed 05 Mar 2015].

[15] SAS, What is Big Data. Available at <http://www.sas.com/en_us/insights/big-data/what-is-big-data.html>, [Accessed 17 Feb 2015].

[16] Wikipedia, Data Provenance. Available at <http://en.wikipedia.org/wiki/Provenance#Data_provenance>, [Accessed 19 Feb 2015].

[17] ISO/IEC 15408. Available at <http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50341>, [Accessed 27 Feb 2015].