Professional Documents
Culture Documents
Journal QR
Cloud Forensics: Challenges and Solutions (Blockchain
Article:
Based Solutions)
Article QR
Affiliation: KIT Cloud Solutions Limited, London, United Kingdom
Copyright
Information: This article is open access and is distributed under the terms
of Creative Commons Attribution 4.0 International License
A publication of the
School of Systems and Technology
University of Management and Technology, Lahore, Pakistan
Cloud Forensics: Challenges and Solutions (Blockchain
Based Solutions)
Hassan Kaleem1*, Ijaz Ahmed2
1
KIT Cloud Solutions Limited, London, United Kingdom
*Corresponding Author: hassanrao.hr@gmail.com
look for relevant studies on cloud the most relevant papers, the
forensics. An enquiry string has inquiry process defined by
been defined to gather all the researchers Dyba and Dingsoyr [6]
published papers on cloud was used. In the first phase of the
forensics. A pilot-based search screening, papers related to our
strategy has been applied to topics were gathered on the basis
specific keywords that are of their titles, excluding studies
associated with this study’s topics. not related to cloud forensics.
Internet search has been Furthermore, the exclusion and
conducted on cloud forensics inclusion criteria were used as
using multiple search engines and follows.
digital libraries to gather relevant Papers that were published other
information about cloud forensics. than technical reports, patents,
To ensure the simplest source of conferences, and journals.
knowledge about cloud forensics, Articles without defining data
all the results were compiled sources and the procedure for
manually. The selected search collection of data.
engines and digital libraries are Articles that were not published in
supported by their scientific the English language.
content. The selected databases Papers that were published before
include IEEE, Springer, and 2011.
Reasearch Gate. Papers that were not relevant to
cloud forensics.
TABLE 2
All the papers have been
included and excluded on this
Sources Search String Context basis. After going through their
IEEE, Cloud Cloud abstracts in the first phase of
Springer, forensics,
ResearchGate. cloud forensics
screening, these researchers
methodology, picked these papers in the next
cloud forensics phase of screening.
challenges and
cloud forensics A. Keywords using Abstract
solution To find relevant papers
IV. SCREENING OF RELEVANT relating to the topic through
PAPERS keywords by using the paper’s
All the papers collected for abstract, we used a technique that
this study were purely related to was designed by Paterson. In the
cloud forensics. To single out only first phase, we studied the abstract
not gather logs or they try to hide that interacts with the cloud. Once
these log files from users because the cases are reported, the
they think they can be used against forensics investigator needs to
them. carefully collect all the evidence
from client’s side as soon as
B. Physical Inaccessibility
possible.
In cloud environment, getting
physical access to data is E. Dependence on CSPs
impossible because the data you In cloud environment,
need is on different geographical everything is owned by the CSPs
locations. The forensics tools that who are responsible for assisting
are developed for investigations clients in case of any incident.
need physical access of the Problems come when CSPs do
system. But in the cloud not assist clients in forensics
environment, the data you need is investigations. This is so because
on a hardware device and that is they think it might be used against
on another geographical location, them. In SaaS and PaaS, clients
and is being used by multiple are fully dependent on cloud for l
users simultaneously. This makes help in identifying evidnce. But
it impossible to seize that the cloud doesn’t have certified
hardware device. forensics experts. And due to its
transparency issues, it is hard to
C. Volatile Data
trust the legitimacy of the data it
Getting access to the volatile provides. Another problem is that
memory (capturing RAM, CSPs use data centers on contracts
temporary file, and tabs) is whereas a forensics investigator
mandatory for a forensics needs to involve all the parties in
investigator. Because once order to extract e evidence.
hardware loses power, the
potential evidence is lost. F. Service Level Agreement
There is a lack of customer
D. Client Side Identification
awareness and international laws
Collecting evidence from regarding cloud environment.
user’s side plays an important role SLA should include important
in forensics investigation. terms related to cloud forensics.
Sometime evidence can be found They are responsible in case of
on user’s side as well. In most of any incident. But in most cases
the cases, SaaS and PaaS user web CSPs donot provide transparency
browser is the only application
School of Systems and Technology
11
Volume 1 Issue 2, Winter 2021
Cloud Forensics: Challenges and Solutions…
evidence from the storage device Autopsy, Encase and Access Data
of the volatile memory. FTK. On the contrary, the tools
that are developed in forensics
E. Bandwidth Limitation
support other branches of digital
The volume of the knowledge forensics like computer forensics
in cloud environment is large. If and mobile forensics.
you're close to taking the image of Complications in cloud
the system in IaaS model, you environment like geographical
would like to stay in mid distribution of data, having no
bandwidth limitation. This is so access to storage devices, make it
because you've got to download impossible to collect evidence
the image files so as to perform through these software. According
analysis. to a need analysis survey on cyber
F. Multi-Jurisdiction forensics [7], 40% of the
participants involved in that
Extracting evidence from survey, think that these forensics
cloud models like SaaS, PaaS and software need improvement.
IaaS is another issue. Due to the
geographical distribution of the B. Volume of Data
data, it is impossible to conduct The volume of knowledge in
investigation. The court order cloud environment is very large
issued for collecting the evidence and is counting daily. Therefore, it
may not be applicable because the is real difficult to extract evidence
data you need is on different from cloud environment and to
location where another country’s perform analysis. In the SaaS and
law is applicable. Another issue is PaaS model it's very difficult to
that whose law will be applicable research the virtual machines
in deciding the case because the directly. The SaaS and PaaS may
parties and the evidence involved have large storage because they
are placed in different legal also contain many other
jurisdictions of the world. applications. It’s very difficult
VII. EXAMINATION AND albeit CSP is cooperating with
ANALYSIS STAGE you.
a log for every activity that is forensics. This paper has been
carried out. A forensics organized in the following
investigator investigates the sections. It provides
incident on the basis of logs. methodologies for digital and
Because cloud is being cloud forensics, offering four
simultaneously used by multiple steps for any digital or cloud
users, who are sharing the same forensics - identify, preserve,
storage and processing network, extract and present. Identification
maintaining confidentially of the is the first stage where you have to
users is the first priority of a collect all the evidence from the
forensics investigator. As cloud environment which is the
discussed earlier in the most difficult part of the process
transparency section, CSPs should due to the geographical
be open to a third party distribution of the system, usage
investigator for checking integrity of the same network by many
of logs. To overcome this issue, a users, and the processing speed.
log block tag system that is based To prove that the incident has
on Merkle Hash Tree is available happened, cloud forensic
[34]. Pourvahab [35] purposed a investigators need to identify the
cloud-based blockchain type of incident (crime) and the
technology for IaaS model. In it, assets which were used (data,
evidence is collected and stored in software and hardware). In the
the forensic architecture of identification stage, a warrant for
blockchain, in which peers are search to access those CSPs
distributed among multiple nodes. infrastructure has to be issued. All
A secure ring verification based the actions that took place to
authentication was purposed for identify the valid evidence, and to
protecting one’s device from notify methods and people used to
unauthorized users. investigate the crime, need to be
properly recorded and
XI. DISCUSSION
documented. This should be done
Different researchers have after identification, acquisition
proposed a number of digital and and collection of the evidence
cloud forensics models. Not all from the desired locations where
follow similar approaches. But the they are stored in the cloud
outcome of all of them are exactly environment. The cloud forensics
the same. Ruan [16] was the first investigators need to separate
to introduce the term cloud digital evidences by disallowing