See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/278849067

Standard implementation in Cloud forensics

Conference Paper · April 2015

DOI: 10.15308/Synthesis-2015-139-142

CITATION READS

1 361

3 authors, including:

Mladen Đuro Veinović

Singidunum University
143 PUBLICATIONS   231 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

FINIZ 2016 View project

PRIVILEGED IDENTITIES - THREAT TO NETWORK AND DATA SECURITY View project

All content following this page was uploaded by Mladen Đuro Veinović on 21 June 2015.

The user has requested enhancement of the downloaded file.

 Applied informatics and education  SYNTHESIS 2015

International Scientific Conference of IT and Business-Related Research

STANDARD IMPLEMENTATION IN CLOUD FORENSICS

PRIMENA STANDARDA U CLOUD FORENZICI

Vladimir Dobrosavljević, Mladen Veinović, Ivan Barać

Singidunum University, Danijelova 32, Belgrade, Serbia

Abstract: Apstrakt:
Everyday use of cloud services has exponentially increased primarily Prisutan je porat u svakodnevnoj upotrebi usluga distriburanog
because of its popular price and because it is more convenient than the internet računarstva (Cloud services) pre svega zbog popularne cene
alternative physical computing services. Unfortunately, good marketing i brojnih pogodnosti u odnosu na alternativne usluge fizičkog raču-
and lack of knowledge have lead many companies to enter the cloud narstva. Nažalost, dobar marketing i nedostatak znanja primorali su
without first performing a risk and security analysis. What happens mnoge kompanije da koriste ovakve usluge bez prethodno sprovedene
when the cloud gets compromised is that you suffer a breach, and you procene rizika i bezbednosti. Ukoliko je virtuleno okruženje (oblak)
find yourself in a position of having to conduct digital forensics and kompromitovano, vi snosite štetu, i primorani ste da spovedete digi-
collect some data? What to do then? Is there an option to acquire data? talnu forenzičku istragu i povratite podatake. Šta raditi u tom slučaju?
Do you even know the location of your data? Can you tell if someone Postoji li način da se povrate podaci? Da li znate gde se nalaze vaši
else has access to your data? Is the data located in the cloud service podaci? Da li znate da li još neko ima pristup vašim podacima? Da
provider’s data center or they have a data storage service with the 3rd li se podaci nalaze u bazi podataka u virtulenom okruženju (oblaku)
party? It is recommended to consider these issues before the actual pružaoca usluga ili uslugu čuvanja podataka pruža treća strana? Po-
incident has happened. But what can you actually do? This paper željno je pozabaviti se ovim pitanjima pre nego što do problema zaista
shows the standards that can be implemented in Cloud forensics and dođe. Šta zapravo možemo uraditi? Ovaj rad upućuje na standarde
procedures and contracts that will facilitate analysis on a daily basis. koje možemo primeniti u Cloud forenzici (Cloud forensics) kao i na
procedure koje bi olakšale redovno sprovođenje analize.
Ključne reči:
Key words: Softver kao usluga (SaaS), Platforma kao usluga (PaaS), Infrastruktura
SaaS, PaaS, IaaS, SLA, SLO, ISO 27037. kao usluga (IaaS), SLA, SLO, ISO 27037.

1. INTRODUCTION The end-users do not have control over the physical in-
frastructure such as the network, servers and operating
Cloud computing has become a dominant know- how in systems and do not have control over the source code of
information technology, but with its many exciting features and the application in use. All those things limit customer’s
low price for both enterprises and governments come unique ability to analyze log files and do forensics. Nowadays,
and very serious security challenges. SaaS solutions require that very detailed application logs
Cloud itself presents a multi-tenant environment and highly are implemented on each application in cloud and rely
virtualized environment, where processes for conducting foren- on cloud service providers’ support. Quite often, both
sic investigations are not fully developed and implemented. sides must agree on the details about forensics, which is
called Service Level Agreement (SLA).
In this paper, we shall focus on the analysis of the issues
related to cloud forensics, connecting international standards b) PaaS model represents that the customer controls the
with cloud forensics, and focusing on the current integration of entire development platform and all source code ne-
cloud forensics into service level agreements (SLAs). ver leaves the development platform. Given these cir-
cumstances, the customer has a space to install any fo-
rensic tool and implement forensic options within his
2. FORENSIC REQUIREMENTS own application. Remote log collection servers can be
installed and automatic logging option in applications
Law enforcement agencies and government agencies will can be implement creating a single repository of all logs
require more proactive and reactive forensic support. The Cloud and events, where multiple users can access and read
Service Providers will be obliged to log all the activities and have logs, write-once, read-many (called WORM) principle.
forensic support for all services offered and used by the custo- Although application logs cover all the logging needs
mer. Different service distribution models (Software as a Service of end user, some logs in PaaS deployment cloud mo-
- SaaS, Platform as a Service - PaaS, Infrastructure as a Service del need to be done in cooperation with cloud service
- IaaS) offer basic terms of cloud forensics for everyday users. provider. Nevertheless, the end user is responsible for
a) SaaS model represents a model where the customizati- the functionality of the application, while the cloud ser-
on options and preferences of the customer are limited. vice provider should guarantee that the application is
139
E-mail: [email protected] DOI: 10.15308/Synthesis-2015-139-142
 SYNTHESIS 2015  Applied informatics and education

available and operational. In that case, customer needs question life expectancy represents the foundation for digital
to create responsibility boundaries between end- users forensics. Nowadays, evidence mostly exists in the form of the
and cloud service providers when there is a need for fo- volatile data located on the machines, and there is no reason to
rensic data. These responsibilities and boundaries must think that that data will be collected as digital evidence repre-
be documented in SLA between the end-user and cloud senting an important evidence for some case.
service provider.
SLAs may detail some procedures when accessing noti-
fication logs, identification logs, preservation logs, and
access to all potential evidence sources (servers, switches,
routers…).
c) IaaS deployment model, unlike SaaS and Paas, gives the
user the greatest options for configuration along with
great logging features and high level of control. Altho-
ugh end-user controls most of the components of the
system including all log sources, some valuable informa-
tion might only be reached from the inside of the cloud
service provider infrastructure. This triggers the need to
create a SLA between end users and cloud service provi-
ders and devote special attention to forensic data collec- Figure 1: Implementation of ISO standards into the Digital Fo-
tion and logging. rensics process

3. SLA ISO 27037 is the representative of an all-inclusive family of

international standards which have a goal to create a common
starting point in the forensic science. The main goal of ISO stan-
As danger of compromising data becomes more critical
dards implementation in cloud forensics is to define processes
for the business continuity, SLA needs to offer a window for
and usability of evidence discovered during the forensic analysis
forensic investigations. SLAs are agreements that have the le-
in entity that is not under the same jurisdiction like the evi-
gal power, which are validated by the signatures of end user
dence requester. Thus, we can summarize that ISO standards
and cloud service provider. More detailed sections of SLA are
do not need to replace local regulations or navigate national
called objects – Service Level Objects – SLOs. In our case, fo-
government’s authority how to define and specify the digital
rensics SLOs must be defined which determine the procedures
forensic field of operations.
that cloud service provider’s needs to do in case of forensic data
acquisition, including the methodology for evidence identifi-
5. ISO 27037
cation and evidence preservation of possible tampering with
evidence and evidence damage.
ISO 27037 represents a relatively new standard (issued in
Inside of cloud service provides infrastructure, each data October 2012) and the main goal is to set standards for good
node (server, router, switch...) can be a source of forensic practice methods for forensic analysis and processing of digital
data. However, the situation on the field is that the customers evidence material. Although forensic analysts, forensic investi-
do not have access to all parts of the cloud infrastructure but gators, organizations and law enforcement agencies may use
cloud service provides for the needs of the forensic analysis their own custom methods, custom processes and custom con-
allows end users a restricted evidence set. In a virtualized cloud trol processes, people assumed that standardization will lead to
environment, the hardest thing is to localize and identify all the creation of standardized if not identical procedures, making
instances of data. For example, virtual instances of machines it easier to make comparison and contrast the results of such
or applications used by a particular end user may migrate nu- analysis even when performed by totally different persons or
merous numbers of times between various physical instances organizations.
(servers) without or with small amount of recordkeeping. What
One of the most important tasks in forensic data collection
kind of records do exist, and if they might be temporary and
is the collection and preservation of forensics data in such a way
for how long can they be reachable. The access to the forensics
that you can guaranty its integrity. Regular physical evidence or
data, evidence, may also be severely limited by price, degree of
data is very important for the first and subsequent data collec-
implemented technology (e.g., available storage space and other
tors to link and connect all digital forensic evidence, making
storage options…), virtualization multi-tenancy, user’s privacy
sure that the evidence is gathered and protected from tampering
implications and other conditions connected with the cloud ser-
with the evidence. The main thing is that digital evidence must
vice provider infrastructure.
provide integrity and assurance that nothing suspicious has
All what has been noted so far recognizes the validity of SLA happened with the evidence. All this requires that information
and it is very important to understand the sources of potential security controls are conducted and that the control results are
digital evidence and forensic data acquisition that will be avai- met or exceeded.
lable from cloud service providers, data size limit, and safe re- Since ISO 27037 standard is the pioneer in digital foren-
tention periods. All details within SLAs should be documented sics, it only addresses the initial steps of the digital forensics
within SLOs. process: identifying, collecting, acquiring and preserving digital
evidence. Other steps in digital forensics are dealt with in other
4. ISO STANDARDS standards that are still at the development phase.
The first step in the forensics process begins with the poten-
There are many definitions of the Evidence Collection and tial digital evidence identification, as shown in Figure 2. For-
Acquisition. Effective collection of digital evidence in an or- mally, identification is the “process involving the lookup for
der for collection is provided by digital forensics. Evidence in digital evidence and recognition of digital evidence”.
140
DOI: 10.15308/Synthesis-2015-139-142
 Applied informatics and education  SYNTHESIS 2015

“preservation is a process to keep and guarantee the integrity

or/and original contents of the potential digital evidence”. The
most important part of the evidence handling is the preserva-
tion of evidences, because if we used the standard procedures
for acquisition the evidence will be good for nothing if are not
preserved on the proper way. Evidence preservation is a very
important thing to assure credibility in a court of law. Although
digital evidence is notoriously fragile, and must be handled with
most attention, it can be easily changed or destroyed. Since the
court processes can last very long data might be sitting in the
forensic laboratories from six months to a year, potential digital
Figure 2: ISO 27037 procedure for Evidence Handling evidence may lay untouched a very big period of time in safekee-
ping facilities before it is actually used in a legal process. All this
Identification of digital evidence seems like a simple process, indicates that evidence preservation must be considered with
but it is actually quite opposite. There are a lot of small details caution and with most care. Safekeeping facilities require access
and complexities that must be considered. For instance, repre- control policies to prevent/protect the potential evidence from
sentation of digital evidence can be both virtual and physical. tampering with, as well as the appropriate storage conditions.
Suppose we have digital evidence on an USB drive with some
random info. The actual physical location of the evidence is the 6. DIFFERENCES BETWEEN CLOUD FORENSICS
data center where USB drive resides, but the evidence is not the AND TRADITIONAL FORENSICS
actual USB drive but the data loaded on it. Furthermore, the
physical location can be easily changed since the USB drive can Although cloud forensics and traditional forensics have the
be attached to entirely new location and housed in a comple- same basis “forensics”, they are completely different. As regards
tely different data center. Another example is the data on the the traditional forensics, cloud forensics has unique challenges,
servers as a server may not have any attached disk cabinets and techniques and borders. Although most people do not differen-
have its entire storage within a Storage Area Network (SAN) or tiate between cloud and traditional forensics, there are unique
Network Attached Storage (NAS). things for each field of forensics.
After the process of identification and location of the po- The primary challenge in cloud forensics is how to iden-
tential digital evidence, it must either be collected or acquired: tify the evidence. For instance, in IaaS cloud deployment
◆◆ Collection – “Process of gathering digital material that environment, we can easily determine the data location on
might be considered to possess digital evidence.” the servers if the data is located on the direct attached stora-
◆◆ Acquisition – “Process of creating a copy of digital mate- ge. However, along with a virtualization technology progress,
rial within a defined set that might be considered to be more and more servers do not have direct attached storage units
digital evidence.” but mapped storage devices which have become much more
Collection process in a simple way of things represents stan- complex, which is particularly visible in the virtualized cloud
dard law enforcement practice of taking items as evidence mate- environment. For instance, a group of physical disk devices can
rial under authority of a legal officer and taking them for a deta- be represented as a set of logical units (LUNs) and presented
iled analysis by forensic teams. This method has a 100% impact to a cloud user using iSCSI protocol (or to a server supporting
on the functional abilities of the subject of analysis. Acquisition a cloud user using any other protocol FCoE, NFS…), because
is a more used method because it does not impact the subject they are cheaper, more reliable and have better performance
of analysis and minimizes the impact on business continuity of than directly physical disk devices. These logical units may be
an ongoing investigation. All this makes acquisition more pre- easily moved from place to place using the storage migration
ferable method than collection. However, collection is a must in techniques in a different case scenarios (perhaps storage instan-
some cases, especially when it comes to the cloud environment ce “A” needs to be turned off for annual maintenance so the
where everything is virtual, and can simply jump from one re- content of the storage A will be migrated to storage “B”). This is
source to another. the entirely transparent process for end user and he is not aware
of anything happening. From the forensic data acquisition point
We must make a point that the subject of forensic analysis
of view, identification process would have to be fully opened
can easily be copied during the acquisition process and can
and frequent migration must be noted to assure that the correct
easily make a forensic image. For example, forensic evidence
data was acquired.
can be acquired from any type of memory such as: hard drive,
server’s RAM memory… but can be acquired from users all in It is important to note that when data migration occurs it
favor of the investigation. This leads to the conclusion that all does not becomes permanently deleted and the remnants of the
the data acquired are very similar: they represent an identical data can be used as potential evidence, because it is possible to
copies of the subjects of forensic analysis and must be made recover the data from logical units on “A” within the scope of
using a standardized, documented process. The next thing we the investigation.
should do is to include the evidence copied that has not been
tampered with or evidence that the integrity of the copy was 7. SUMMARY
not compromised. This makes acquisition more challenging and
complex than collection because there need to be mechanisms In this paper, we described how we can use standardization
for all the types of the forensic analysis subjects, and this repre- and what mechanisms can be used in forensic investigation in
sents a never-ending process as the technology keeps evolving cloud environments, described the basis of international stan-
on a daily basis. dards that can be applied for cloud forensics, and summarized
Upon the process of collection or acquisition, we come requirements that stand up to cloud forensics into service level
upon the next challenge which represents data preservation. agreements (SLAs) and compared cloud and traditional forensic
ISO 27037 has a definition of a preservation process that says techniques.
141
DOI: 10.15308/Synthesis-2015-139-142
 SYNTHESIS 2015  Applied informatics and education

As new technology gets adopted, security challenges arise REFERENCES

from those adoptions and all challenges are followed with secu-
rity analysis and digital forensics. Cloud, as one of the newest Dykstra, J., & Sherman, A. (2011). Understanding Issues in Cloud
technologies, must be considered and forensic readiness must Forensics: Two Hypothetical Case Studies. Proceedings of
be provided. the 2011 ADSFL Conference on Digital Forensics, Security,
At last, cloud end users must be aware that they need to and Law, pp. 25-31.
make arrangements with cloud service providers to ensure data Dykstra, J., & Sherman, A. (2012). Acquiring Forensic Evidence
collection and acquisition so that cloud service providers can from Infrastructure-as-a-Service Cloud Computing. Digital
respond appropriately to forensic investigation requests because Investigation, 9(2012), 90-98
ends users can easily end up with data loss from hacking acti-
vities in the cloud. Grispos, G., Storer, T., & Glisson, W.B. (2014). Calm Before the
Storm: The Challenges of Cloud Computing in Digital Fo-
When end users decide to transfer their sensitive data and
rensics. Cryptography and Security. 4, 28-48. DOI. 10.4018/
services to the cloud, end users should form a SLA written in
jdcf.2012040103
explicit language with SLOs marked as priority ones to ensure
that they can rely on the cloud service providers when they need ISO. (2012). ISO/IEC 27037:2012 - Information technology -Se-
to perform some digital forensics activities. curity techniques - Guidelines for identification, collection,
Cloud service provides must think about comprehensive acquisition, and preservation of digital evidence. Retrieved
offer of their cloud services and must offer forensic capabilities from http://www.iso27001security.com/html/27037.html
because that will make end users more comfortable and will National Institute of Standards and Technology. (2014). NIST
probably lead to revenue increase. As cloud is seen as a loga- Cloud Computing Forensics Challenge. Retrieved February
rithmic expansion rate, and more and more companies move 12, 2015, from http://csrc.nist.gov/publications/drafts/nis-
their businesses to the cloud, digital forensics will be a key fea- tir-8006/draft_nistir_8006.pdf
ture for accepting the cloud as the best business critical solution. Willson, D. (2013). Legal Issues of Cloud Forensics. Global Knowl-
edge, Expert Reference Series of White Papers, pp. 2-4.
Acknowledgements. I would like to express my great appreciation to
Singidunum University and especially, the professor Mladen Veinović, for
his unselfish support and understanding.

142
DOI: 10.15308/Synthesis-2015-139-142
View publication stats