Abstract
Cloud computing is emerging as a popular paradigm that provides significant advances and utility-oriented services over shared virtualized resources. Despite the advantages of cloud services, the majority of cloud users are reluctant to adopt the cloud because of unprecedented security threats in the cloud environment. The increasing number of cloud vulnerability incidents shows the significance of cloud forensic techniques for criminal investigation. It is challenging to gather evidence from the abundant cloud data and to identify the source of an attack from the crime scene. Moreover, the Cloud Service Provider (CSP) restricts the investigator from carrying out the forensic investigation because of the prime concerns in the multi-tenant cloud infrastructure. To cope with these constraints, this paper presents INSPECT, an investigation model that accomplishes adaptive evidence acquisition with adequate support for dynamic Chain of Custody presentation. By utilizing the VM log files, the INSPECT approach forensically acquires the corresponding evidence from the cloud data storage based on the location of the malicious activity. It enhances the evidence acquisition and analysis process by optimally selecting and exploiting only the required forensic fields instead of analyzing the entire log information. INSPECT applies Modified Fuzzy C-Means (M-FCM) clustering with a contextual initialization method to the acquired evidence to recognize the source of the attack, and improves the trustworthiness of the evidence through the submission of the chain of custody. By analyzing the Service Level Agreement (SLA) of the cloud users, it facilitates identification of the source of the attack from the clustered data. Furthermore, it isolates the evidence to avert deliberate modification by an adversary in the multi-tenant cloud. Eventually, INSPECT presents the evidence along with the chain of custody information regarding the crime scene. It enables the law enforcement authority to explore the evidence through the chain of custody information and to reconstruct the crime scene using the VM snapshots associated with timestamp data. The experimental results reveal that the INSPECT approach accomplishes a high level of accuracy in the investigation with improved trustworthiness over the multi-tenant cloud infrastructure.
Umamaheswari, K., & Sujatha, S. (2018). INSPECT- An Intelligent and Reliable Forensic Investigation through Virtual Machine Snapshots. International Journal of Modern Education and Computer Science, 10(3), 17–28. https://doi.org/10.5815/ijmecs.2018.03.03