Cloud-based Imaging Cloud Storage

Cloud-based Imaging
Cloud Storage
• Cloud Storage has become very common and
therefore, might be used for digital investigation.
• Examples of common cloud storage
• Dropbox
• Google Drive
• SkyDrive
• iCloud
2
Cloud-based systems
•In addition, cloud-based systems are used frequently
in current businesses and therefore, could become
subject of digital forensics analysis.
3
Cloud Forensics
• According to NIST [2]: Cloud computing forensic science is the
application of scientific principles, technological practices and
derived and proven methods to reconstruct past cloud computing
events through identification, collection, preservation, examination,
interpretation and reporting of digital evidence.
4
Trend in Digital Forensics: Cloud Investigation
• In Cloud Investigation, evidence gathering mechanism is a challenge.
• In particular, acquisition of data to investigate on SaaS, PaaS, and IaaS
(where data is in the cloud) is a challenge because of identifying and
then subsequently imaging the data sources.
• In addition, cloud investigations lead to jurisprudence/jurisdictional
problems related to the ownership of the cloud storage and
geographic location.
5
The following possible factors are possible for cloud forensics data collection [2]:
1) Identification of the cloud provider and its partners.
2) The ability to conclusively identify the proper accounts held within the cloud by a consumer.
3) The ability of the forensics examiner to gain access to the desired media.
4) Obtaining assistance of the cloud infrastructure/application provider service staff.
5) Understanding the topology, proprietary policies, and storage system within the cloud.
6) Once access is obtained, the examiner’s ability to complete a forensically sound image of the
media.
7) The sheer volume of the media.
8) The ability to respond in a timely fashion to more than one physical location if necessary.
9) E-discovery, log file collection and privacy rights given a multi-tenancy system.
10) Validation of the forensic image.
11) The ability to perform analysis on encrypted data and the collector’s ability to obtain keys for
decryption.
12) The storage system no longer being local.
13) There is often no way to link given evidence to a particular suspect other than by relying on the
cloud provider’s word.
6
Complex/large digital investigations
• For complex/large digital investigations, an investigation can be
extended to incorporate a range of techniques that can provide
further insights into the case and possibly make the investigation
more efficient.
7
Digital Intelligence
• Businesses regularly collect, manage, and analyze data such as
ratings, comments, emails, different advertisements, transactions,
and all other social networks data to extract valuable information
about digital customer experience.
• Such process is called digital intelligence that drives the
measurement, optimization, and execution of marketing tactics and
business strategies.
• Such data can also be used for digital forensics investigation which is
the forensics capture and analysis of data related to digital
intelligence.
8
Intelligent Forensics
• Intelligent forensics integrates the technological advances and applies
resource in a more intelligent way into forensics investigation.
• A wide range of tools and techniques including artificial intelligence,
computational modelling and social network are used to find digital
evidence much faster then normal relating different items from
different sources to each other.
• We posit that intelligent forensics is an approach that can be adopted
to investigate particularly complex incidents.
9
Artificial Intelligence and Computer Forensics
• If we assume what a digital investigator applies to an investigation can
be formally structured, then it can be used to form knowledge
representation (digital forensic information to reason about).
• Similarly, if the knowledge is structured in such a way as to allow
reasoning then the artificial intelligence concept of ontology (the
formal structure of that representation so that reasoning can be
applied) can be applied.
10
Disk Images
• [1] Digital Forensics to Intelligent Forensics, Alastair Irons, and
Harjinder Singh Lallie, Future Internet, 2014, 6, 584-596;
• [2] Draft NISTIR 8006, NIST Cloud Computing Forensic Science
Challenges.
11