Identifying evidence for cloud forensic analysis


Abstract

Cloud computing provides increased flexibility, scalability, fault tolerance and reduced cost to customers. However, like any computing infrastructure, cloud systems are subject to cyber-attacks. Post-attack investigations present unusual challenges, including the dependence of forensically valuable data on the deployment model, multiple virtual machines running on a single physical machine, and multi-tenancy of clients. In this chapter, we use our own attack samples to show that, in the attacked cloud, evidence from three different sources can be used to reconstruct attack scenarios: (1) IDS and application software logging, (2) cloud service API calls and (3) system calls from VMs. Based on our example attack results, we present the potential design and implementation of a forensic analysis framework for clouds, which includes logging all activities from both the application layer and the lower layers. We show how a Prolog-based forensic analysis tool can automate the correlation of evidence from both the clients and the cloud service provider to reconstruct attack scenarios for cloud forensic analysis.

Citation (APA)

Liu, C., Singhal, A., & Wijesekera, D. (2017). Identifying evidence for cloud forensic analysis. In Research Advances in Cloud Computing (pp. 371–391). Springer Singapore. https://doi.org/10.1007/978-981-10-5026-8_15
