Digital Investigation
journal homepage: www.elsevier.com/locate/diin
Article info

Article history:
Received 28 May 2012
Received in revised form 17 February 2013
Accepted 19 February 2013

Keywords: Cloud forensics; Definition; Digital investigation; Cloud computing; Survey

Abstract

With the rapid growth of global cloud adoption in private and public sectors, cloud computing environments are becoming a new battlefield for cyber crime. In this paper, the researcher presents the results and analysis of a survey that was widely circulated among digital forensic experts and practitioners internationally on cloud forensics and critical criteria for cloud forensic capability in order to better understand the key fundamental issues of cloud forensics such as its definition, scope, challenges, opportunities as well as missing capabilities based on the 257 collected responses.

© 2013 Elsevier Ltd. All rights reserved.
* Corresponding author. Tel.: +353 876121726.
E-mail address: keyun.ruan@ucd.ie (K. Ruan).
1742-2876/$ – see front matter © 2013 Elsevier Ltd. All rights reserved.
http://dx.doi.org/10.1016/j.diin.2013.02.004

The survey was hosted by Zayed University, United Arab Emirates (UAE). Before filling out the survey, all
K. Ruan et al. / Digital Investigation 10 (2013) 34–43 35
• Cloud forensics is an application of digital forensics in cloud computing (61% agree or strongly agree, 11% strongly agree)
• Cloud computing is an interdisciplinary area between digital forensics and cloud computing, although both definitions of digital forensics and cloud computing are still under discussion (Ruan et al., 2011a) (57% agree or strongly agree, 12% strongly agree)
• Cloud forensics is network forensics (56% agree or strongly agree).

According to the results, the respondents believe that cloud forensics is not Internet forensics or classical computer forensics, nor a brand new area. It is rather a “mixture” of traditional forensic techniques and their applications in cloud computing environments. According to the NIST definition agreed on by the respondents in Section 4.1, cloud computing implies “on-demand network access”, and as a result, cloud forensics implies network forensics.

The difficulty of defining cloud forensics lies in the fact that there is no definition of cloud computing or digital forensics that is universally accepted. One of the widely used definitions of digital forensics was created at the first Digital Forensic Research Workshop (DFRWS) in 2001, and it defines digital forensics as:

“The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and preservation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.” (DFRWS, 2001)

Ruan et al. (2011a) proposed a three-dimensional model to structure the domain of cloud forensics. It includes a technical dimension, an organizational dimension and a legal dimension. Based on the analysis above and the NIST Cloud
Computing Reference Architecture (Liu et al., 2011), which was released after the survey was closed, the researcher revisited the definition proposed in Ruan et al. (2011a), and hereby proposes a working definition of cloud forensics as follows:

Cloud forensics is the application of digital forensic science in cloud computing environments. Technically, it consists of a hybrid forensic approach (e.g., remote, virtual, network, live, large-scale, thin-client, thick-client) towards the generation of digital evidence. Organizationally it involves interactions among cloud actors (i.e., cloud provider, cloud consumer, cloud broker, cloud carrier, cloud auditor) for the purpose of facilitating both internal and external investigations. Legally it often implies multi-jurisdictional and multi-tenant situations.

4.4. Significance of cloud forensics

122 participants answered the question on the significance of cloud forensics, and the results are shown in Fig. 5. The respondents have reached consensus on all of the surveyed aspects:

• Cloud forensics is an important component of cloud security
• Cloud forensics is as important as cloud security
• Cloud forensics needs more funding and investment in R&D than it has got at the moment
• There will be a lack of awareness until a major critical incident happens.

On the contrary, leading organizations driving cloud security standards (e.g., NIST, CSA) still largely neglect the importance of integrating forensic capabilities into cloud security in their most recent releases such as Hogan et al. (2011). There is no international body driving collaborative efforts on developing cloud forensic standards, assessing capability gaps and sharing research resources that is comparable to the scale and influence of CSA. Most of the challenges posed by cloud computing as analyzed in Ruan et al. (2011a) still need to be further researched and addressed.

4.5. Impact of cloud computing on digital forensics

101 participants answered the question on the impact of cloud computing on digital forensics. 46% of the respondents believe that “cloud computing makes forensics harder”. 37% of the respondents believe that “cloud computing makes forensics easier”.

When asked why “cloud computing makes forensics harder”, comments from the participants can be summarized as the following issues:

• Reduced access to remote and distributed physical infrastructure and storage
• Lack of physical control and physical location of data
• Lack of standard interfaces
• Legal issues including multiple ownership, multiple jurisdictions, and multiple tenancies
• Lack of collaboration from the cloud provider(s)
• Evidence segregation
• Data recovery.

When asked why “cloud computing makes forensics easier”, comments from the participants can be summarized as the following aspects:

• Cloud investigations can leverage characteristics of cloud computing, e.g., computing power on demand, elasticity, distributed forensic processing, as well as scalable auditing, reporting, logging, imaging and testing. Forensic implementations in the Cloud can also be cheaper.
• Cloud investigations will be highly dependent on the provider providing digital evidence through centralized administration and management, so there will be less work for the investigator/law enforcement side.
• Evidence in cloud environments is harder for criminals to destroy, as it may be mirrored to multiple locations.
• Investigative functionalities can be integrated in cloud implementations, e.g., hashing and imaging are easier in the Cloud.
4.6. Cloud forensics dimensions

139 participants answered the question on the dimensions of cloud forensics. 80% of the respondents agree that there is a “technical” as well as “legal” dimension for cloud forensics. 69% of the respondents agree that there is an “organizational/administrative dimension” for cloud forensics. 43% of them agree that there is a “social dimension” for cloud forensics. 14% of the respondents clicked “other” dimensions. “Political” and “personal” dimensions have been mentioned in the comments.

This question was asked based on the multi-dimensional nature of cloud forensics proposed in Ruan et al. (2011a). Respondents have reached consensus on the technical, organizational and legal dimensions of cloud forensics, and they are thus included in the cloud forensics definition proposed in Section 4.3.

Respondents have reached consensus on using cloud forensics for “investigations on digital crimes, civil cases, policy violations, etc.” and “regulatory compliance”. Among the 10% “other uses”, several respondents added that cloud forensics could also be used to generate security policy feedback.

5. Cloud forensics techniques and research

5.1. Challenges
Fig. 9. Research directions.
Fig. 10. Parties to be assessed for cloud forensic capability.
top challenges for cloud forensics, as their significance has been agreed on by more than 75% of the respondents.

• Jurisdiction
• Lack of international collaboration and legislative mechanism in cross-nation data access and exchange
• Lack of law/regulation and law advisory
• Simple role management (e.g., admin, user) makes it difficult to categorize suspects
• Investigating external chain of dependencies of the cloud provider (e.g., a cloud provider can use the service from another provider)
• Decreased access to and control over forensic data at all levels from customer side
• Exponential increase of digital (mobile) devices accessing the cloud

5.2. Opportunities

Compared to the challenges, more respondents chose to remain neutral towards the opportunities of cloud forensics. 105 participants answered this question, and the results are shown in Fig. 8. The respondents have agreed on the following 3 opportunities out of the surveyed list:

• Establishment of a foundation of standards and policies for forensics that will evolve together with the technology
• Dedicated forensic implementations are more cost-effective when applied on a larger scale and offered as part of the cloud infrastructure
• Forensics-as-a-service (using cloud computing to deliver forensic services).
106 participants answered the question on cloud forensic research directions and the results are shown in Fig. 9. The respondents consider all of the listed research directions important or very important, which is in alignment with the significant challenges faced by cloud forensics as analyzed in Section 5.1. The results strongly show that the area of cloud forensics requires significant research efforts.

6. Critical criteria for cloud forensic capability

6.1. Parties to be assessed for cloud forensic capability

111 participants answered the question on who should be assessed for cloud forensic capability, and the results are shown in Fig. 10. The respondents have agreed that the Cloud Service Provider and cloud consumer should be assessed.

6.2. Guideline, agreement, policy, and staffing importance

Fig. 11 presents results from 4 separate questions on guideline, agreement, policy and staffing importance as critical criteria for cloud forensic capability. All of the surveyed areas have reached majority consensus among respondents. The list of critical criteria for cloud forensic capability can be much further expanded, and the survey results from these questions have strongly indicated the need to further expand this list.

7. Limitations

Cloud forensics is the application of digital forensic science in cloud computing environments. Technically, it consists of a hybrid forensic approach (e.g., remote, virtual, network, live, large-scale, thin-client, thick-client) towards the generation of digital evidence. Organizationally it involves interactions among cloud actors (i.e., cloud provider, cloud consumer, cloud broker, cloud carrier, cloud auditor) for the purpose of facilitating both internal and external investigations. Legally it often implies multi-jurisdictional and multi-tenant situations.

Areas of critical importance for research and development are also identified and agreed among respondents. Respondents have reached consensus that cloud forensics poses significant challenges to digital forensics, and a list of top challenges is concluded from the survey results. There is an urgent need for the establishment of cloud forensic capabilities including a set of toolkits and procedures for cloud investigations. However, cloud forensics also brings opportunities, especially in the areas of standard acceleration, integrated forensic implementations, as well as Forensics-as-a-Service, which should not be neglected.

9. Future work

The working definition of cloud forensics needs to be further refined and validated. The list of cloud forensic capabilities needs to be extended and further developed based on some of the survey results and the NIST Cloud Computing Reference Architecture (Liu et al., 2011).
Gartner. Gartner highlights five attributes of cloud computing. Gartner Press; 2009. Releases June 23.
Gartner. Gartner’s top predictions for IT organizations and users, 2011 and beyond: IT’s growing transparency 2010.
Hogan M, Liu F, Sokol A, Tong J. NIST cloud computing standards roadmap. National Institute of Standards and Technology; 2011. Special Publication 500-291.
Kleynhans S. The new PC era: the personal cloud. Gartner; 2012.
Kusnetzky D. Cloud computing – evolution not revolution. ZDNet. December 29, 2009, retrieved from http://www.zdnet.com/blog/virtualization/cloud-computing-evolution-not-revolution/1541 on November 10, 2012.
Liu F, Tong J, Mao J, Bohn R, Messina J, Badger L, et al. NIST cloud computing reference architecture. NIST Special Publication 500-292. Washington, DC: NIST; 2011.
Mcwillian L. Cloud computing – evolution not revolution. Cloud EXPO Cloud Computing Journal. March 25, 2011, retrieved from http://cloudcomputing.sys-con.com/node/1767096 on November 10, 2012.
Mell P, Grance T. The NIST definition of cloud computing version 15. National Institute of Standards and Technology; 2010.
Mell P, Grance T. The NIST definition of cloud computing. National Institute of Standards and Technology; 2011. Special Publication 800-145.
Rackspace. Revolution not evolution: how cloud computing differs from traditional IT and why it matters 2011.
Ruan K, Carthy J, Kechadi T, Crosbie M. Cloud forensics: an overview. Advances in Digital Forensics VII 2011.
Ruan K, Baggili I, Carthy J, Kechadi T. Survey on cloud forensics and critical criteria for cloud forensic capability: a preliminary analysis. The Journal of Digital Forensics, Security and Law 2011.