Cloud forensics: An overview

Keyun Ruan, Prof. Joe Carthy, Prof. Tahar Kechadi, Mark Crosbie* Centre for Cybercrime Investigation, University College Dublin, * IBM Ireland Ltd {keyun.ruan, joe.carthy, tahar.kechadi}@ucd.ie, mcrosbie@ie.ibm.com

Abstract
Cloud computing is estimated to be one of the most transformative technologies in the history of computing. Cloud organizations, including the providers and customers of cloud services, have yet to establish a well-defined forensic capability. Without this they are unable to ensure the robustness and suitability of their services to support investigations of criminal activity. In this paper, we take the first steps towards defining the new area of cloud forensics, and analyze its challenges and opportunities.

Keywords: Cloud forensics, cloud computing, digital forensics 1. Introduction

Cloud computing has the potential to become one of the most transformative developments in the history of computing, following the footsteps of mainframes, minicomputers, PCs (Personal Computers), and smart phones (Perry et al., 2009). It is radically changing the way how information technology services are created, delivered, accessed and managed. According to a May 2008 forecast by Merrill Lynch (2008), the volume of the cloud computing market opportunity will amount to $160 billion by 2011. According to an October 2008 forecast by IDC (International Data Corporation) (Gens, 2008), spending on cloud services is growing at five times the rate of traditional on-premises IT (Information Technology). Even more striking than this high growth rate is the contribution the growth of cloud offerings will soon make to the overall growth of the IT market; Cloud computing services will generate approximately one-third of the net new growth within the IT industry. In March 2009, Gartner (2009) forecasted that the worldwide cloud service market is expected to reach $150.1 billion in 2013. Businesses around the world are rapidly adopting cloud computing. The 2009 F5 cloud computing survey (F5 Network and Applied Research West, 2009) found that, 66% of 250 IT managers interviewed have dedicated budget funds for the Cloud, 71% expect cloud computing budgets to grow over the next two years. One conclusion from the survey is that cloud computing is gaining critical mass among large enterprises: 82% of the respondents said they are "in some stage of trial, implementation or use of public clouds" and 83% said the same for use of private clouds. Government agencies are also seeing a shift into cloud adoption. A recent InformationWeek government survey (Foley, 2010) of IT managers in federal government found that 22% planned to implement cloud computing over the next 12 months and another 22% within two years. According to research from INPUT (2009), in the United States, public sector investment in cloud

computing is likely to more than double in the next five years, and US Federal government spending on the Cloud will increase steadily, reaching $792 million by 2013. Over the last decade, the number of crimes that involve computers and Internet has grown, spurring an increase in companies and products that aim to assist law enforcement in using digital evidence to determine the perpetrators, methods, timing and victims of computer crime. As a result, digital forensics has evolved to assure proper presentation of computer and cyber crime evidentiary data in court. According to Federal Bureau of Investigation [FBI] 2008 statistics, in the United States, the size of the average digital forensic case is growing at the rate of 35% per year from 83 GB in 2003 to 277 GB in 2007. With storage capacity growth outpacing network bandwidth and latency improvements, forensic data is not only getting bigger, but is also growing significantly larger relative to the ability to process them in a timely manner, as stated by Roussev et al. (2009). The rise of cloud computing not only has exacerbated the problem of scale for digital forensic activities, but also created a brand new front for cybercrime investigation with various challenges. Digital forensic practitioners must extend digial forensic knowledge and tools into cloud computing environments, and help cloud organizations, including both CSP (Cloud Service Provider) and cloud customers, to establish a forensic capability in order to reduce cloud security risks. Otherwise, cloud organizations will have difficulties in carrying out investigations on critical incidents happened in the Cloud such as criminal intrusions and major policy violations, as well as collaborating with law enforcement in cases of resource confiscation, etc. In this paper, we take the first step to give an overview of the new area, cloud forensics, and analyze its challenges and opportunities.

2. Discussion on the definitions of cloud forensics

2.1 Cloud forensics
We propose in this paper the definition of cloud forensics as the application of digital forensics in cloud computing as a subset of network forensics, as shown in Figure 1.

Figure 1. Where is cloud forensics?

Firstly, we identify cloud forensics as a cross-discipline between cloud computing and digital forensics. There are various definitions for both cloud computing and digital forensics to this date, and in this paper we adopt the current definitions for both cloud computing and digital forensics from NIST:

Digital forensics is the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data. (Kent et al.,2006) Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud computing has five essential characteristics, i.e., on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service. It has three service models, i.e., Cloud Software as a Service (SaaS), Cloud Platform as a Service (PaaS) and Cloud Infrastructure as a Service (IaaS). And it has four deployment models, i.e., private cloud, community cloud, public cloud and hybrid cloud. (Mell and Grance, 2009) Secondly, we recognize cloud forensics as a subset of network forensics (DFRWS, 2001), as network forensics deals with forensic investigations in any kind of public or private networks, and cloud computing is based on broad network access, thus technically, cloud forensics should follow the main phases of network forensic process with extended or novel techniques tailored for cloud computing environment in each phase.

2.2 The three dimensions of cloud forensics

As we can see from the NIST definition, cloud computing is an evolving paradigm with complex aspects. Its essential characteristics have dramatically reduced the cost of IT which is driving the global trend in the rapid strategic adopting of cloud computing in businesses and governments (EurActiv, 2011). To ensure service availability and cost-effectiveness, major CSPs, such as Amazon, Salesforce.com, and Google all have data centers around the world in different jurisdictions providing cloud services. Data stored in one data center is replicated to multiple locations to ensure abundance and reduce the risk of single point of failure. Of course these points of replication are potentially under many separate jurisdictions. Segregation of duties between the CSP and the customer in forensic responsibilities becomes different in different service models, and interactions between multiple tenants sharing same cloud resources are different in different deployment models. As a result, multi-jurisdiction and multi-tenancy have become a default setting for cloud forensics, creating much more legal challenges. Sophisticated collaborations between the CSP and the customer, or between multiple tenants sharing same resources, or among international law enforcement are required in most of the cloud forensics cases. In order to analyze the problem more comprehensively, and to emphasize the fact that cloud forensics is a multidimensional issue instead of only a technical issue, we would like to extend the definition of cloud forensics across three major dimensions; organizational, legal and technical, as shown in Figure 2.

Figure 2. Cloud forensic three-dimensional model

2.2.1

The technical dimension The technical dimension involves a set of tools and procedures to carry out the forensic process in cloud computing environments. We emphasize some of the key aspects in the technical dimension as follows: 1. Forensic data collection Cloud forensic collection is the process of identifying, labelling, recording, and acquiring forensic data from the possible sources of data in the Cloud. These data sources include client-side artefacts that reside on client premises, and provider-side artefacts reside on provider infrastructure. Since the segregation of duties is different in different cloud service models, the tools and procedures to collect forensic data are also different. In different deploy models, provider-side artefacts are different, e.g., in public clouds, provider-side artifacts need to be segregated among multiple tenants, whereas in private clouds, there is no such need. The sequence order in which data is collected is defined according to the volatility of data; highly volatile data (i.e. RAM images) should be collected first, followed by data with lower volatility. The collection process should follow procedures that preserve the integrity of data, with clearly-defined segregation of duties between client and provider, and without breaching law(s) and regulation(s) under the jurisdiction(s) where data is collected, or compromising confidentiality of any other tenant(s) sharing the same resource(s). 2. Elastic, static and live forensics Rapid elasticity is one of the essential characteristics of cloud computing. Cloud compute and storage resources can be provisioned and deprovisioned on demand. As a result, cloud investigation tools also need to be elastic; in most cases large scale static and live forensic tools are required, such as e-discovery, data

acquisition, data recovery, evidence examination, evidence analysis tools and tools to collect volatile data. 3. Evidence segregation Another essential characteristic of cloud computing is resource pooling. IT cost is reduced in multi-tenant environments where various resources are shared. However, cloud forensics involves the reverse process of evidence segregation, but the underlying components that make up the cloud infrastructure, e.g., CPU (Central Processing Unit) caches, GPU (Graphis Processing Units), etc., were not designed for strong compartmentalization in a multi-tenant architecture (CSA, 2009). Tools and procedures to segregate forensic data in the cloud among muliple tenants in different deployment models and different service models need to be developed. 4. Investigations in virtualized environments Virtualization is a key technology used to implement cloud services. However tools and procedures are yet to be developed for investigations in virtualized environment, e.g. hypervisor investigations. On the other hand, while operations are mostly virtualized in cloud environments, investigations in most cases require evidence retrieval from physical locations. Loss of data control is one of the major security challenges in the Cloud (CSA, 2009). In cloud forensics, tools and procedures need to be developed to physically locate forensic data at a given timestamp, and physically trace forensic data at a given time period, taking into considerations of the jurisdiction(s) of the physical locations. 5. Pro-active preparations Pro-active measures can be taken as preparations to make forensic investigation easier. Such measures include designing forensic-aware cloud applications, and pro-actively collecting forensic data in the Cloud using tools provided by the CSP or tools developed from the customer side. It often involves a set of design principles, such as conducting regular snapshots to remote storage, regularly tracking authentication and access-control records and performing object-level auditing of all access. 2.2.2 The organizational dimension

Figure 4. Cloud forensic organizational structure

Forensic investigations in cloud computing environments always involves at least two parties: the CSP, and the cloud customer. When the CSP outsources services to other parties, the scope of investigation widens. Figure 4 shows the proposed organizational structure needed in order to carry out cloud forensic activities efficiently and effectively with a joint effort. 2.2.2.1 Organizational structure for each cloud organization In order to establish a forensic capability, each cloud organization, including the providers and customers of cloud services, is required to define a structure of internal staffing, provider-customer collaboration, and external assistance fulfilling the following roles: Investigators: the investigators (on the provider side and on the customer side) are responsible for collaborative investigation allegations of misconduct in the Cloud and working with external assistance or law enforcement when needed. They not only need knowledge of how to carry

out investigations from their own sides, but also need to understand the forensic capabilities of the parties they are interacting with and the segregation of duties among these parties regarding forensic investigation. IT Professionals: this group includes system, network, and security administrators, ethical hackers, cloud security architect, and technical support staff in the cloud organization. They contribute to the investigation with their expertise, facilitate the investigators in accessing the crime scene, and may also perform data collection for the investigators. Incident Handlers: this group responds to a variety of specific security incidents in the Cloud, such as unauthorized data access, accidental data leakage and data loss, breach of tenant confidentiality, inappropriate system usage, malicious code infections, malicious insider attack, (distributed) denial of service sttacks, etc. It is wise for a cloud organization to have a written plan with categorized security incidents on different levels of the Cloud and respective incident handlers to be referred to in cases of forensic investigations. Legal Advisors: It is crucial to include legal advisors in forensic staffing who are familiar with multi-jurisdiction and multi-tenant issues in the Cloud so that any forensic activities will not violate regulations under respective jurisdiction(s) or confidentialities of other tenant(s) sharing the same resource(s). Service Level Agreements (SLAs) must be written with clauses that explain the procedures to follow in the event of a forensic investigation. An internal legal advisor should be involved in drafting these clauses so that they respect the law across all jurisdictions in which the CSP operates. Internal legal advisors are also responsible to communicate and collaborate with external law enforcement during the course of a forensic investigation. External Assistance: in most cases, it is wise for the cloud organizations to rely on a combination of its own staff and external parties to perform forensic tasks such as e-discovery, investigations on civil cases, investigations on external chain of dependencies. It is important for cloud organizations to determine in advance, which actions should be performed by external assistance regaring forensic activities, and make it clear in relevant policies, guidelines and agreements which are transparent to its service customers and law enforcement when necessary. 2.2.2.2 Chain of Dependencies CSPs and most cloud applications oftern have dependencies on other CSP(s). The dependencies in a (discrete) chain of CSP(s)/customer(s) can be highly dynamic. In such a situation investigation in the Cloud may depend on the investigations of each one of the links in the chain and level of complexity of the dependencies. Any interruption or corruption in the chain or a lack of coordination of responsibilities

between all the parties involved can lead to problems. Essential communications and collaborations regarding forensic activities through this chain need to be facilitated by organizational policies and legally binded in the SLAs. The chain of CSP(s)/cloud customer(s), taking into consideration the chain of dependencies between them, has to communicate and collaborate with the following parties in order to facilitate effective and efficient forensic activities. Law enforcement: the top priority for cloud organizations is the availability of service and the top priority for law enforcement is the prosecution of criminals (DFRWS, 2001). These two different priorities often clash in situations such as evidence collection. Cloud organizations need to work closely with law enforcement to improve mutual understanding, and collaborate much further in the cases such as resource confiscation. Third parties: cloud organizations need to work closely with third parties for auditing and compliance purposes regarding cloud forensics. Academia: cloud organizations need to work closely with academia on cloud forensic research and education in order to contribute to the knowledge of the area, and also to receive up-to-date training for their internal forensic staff. 2.2.3 The legal dimension

2.2.3.1 Multi-jurisdiction and multi-tenancy Multi-jurisdiction and multi-tenancy challenges have been identified as the top legal concerns among digital forensics experts (Broadhurst, 2006; Liles et al., 2009) and these two issues are both exacerbated in the Cloud. Regulations and agreements have to be developed in the legal dimension of cloud forensics, to secure that forensic activities will not breach any laws or regulations under any jurisdiction(s) where the data resides in, and the confidentiality of other tenants sharing the same infrastructure will not be compromised, throughout the investigation. 2.2.3.2 Service Level Agreement SLA defines the terms of use between a pair of CSP and cloud customer. The following terms regarding forensic investigations are not in place at the moment and have to be included into the SLA. (1) Service provided, techniques supported, access granted by the CSP to the customer regarding forensic investigation (2) Trust boundaries, roles and responsibilities between the CSP and the cloud customer regarding forensic investigation (3) How forensic investigations are secured in a multi-jurisdictional environment in terms of legal regulations, confidentiality of customer data, and privacy policies (4) How forensic investigations are secured in a multi-tenant environment in terms of legal regulations, confidentiality of customer data and privacy policies

2.3 Cloud crime

We extend the definition of computer crime by Casey (2000) to cloud crime. Cloud crime is any crime that involves cloud computing. The Cloud can be the object, subject or tool of crimes. The Cloud is the object of the crime when the CSP is the target of the crime and is directly affected by the criminal act, e.g. DDOS (Distributed Denial of Service) attacks targeting part(s) of the Cloud or even the entire cloud. The Cloud is the subject of the crime when it is the environment where the crime is committed, e.g., unauthorized modification or deletion of data residing in the Cloud, identity theft of users of the Cloud. The Cloud can also be the tool used to conduct or plan a crime, e.g., evidence related to the crime can be stored and shared in the Cloud and a Cloud that is used to attack other Clouds is called a dark Cloud.

2.4 Usage of cloud forensics

There are various usages of cloud forensics. We summarize them as follows: (1) Investigation Investigation on cloud crime and policy violation in multi-jurisdictional and multi-tenant cloud environments Investigation on suspect transactions, operations and systems in the Cloud for incident response Event reconstruction in the Cloud Providing admissible evidence to the court Collaboration with law enforcement in resource confiscation

(2) Troubleshooting Locating data file and hosts virtually and physically in cloud environments. To determine the root cause for single events or trends spanning multiple events over time, and to develop new strategies to help prevent recurrence of similar incidents. Tracing an event and assessing the current state of an event in the Cloud Resolving functional issues in cloud applications and cloud services Resolving operational issues in cloud systems Security incident handling in the Cloud

(3) Log Monitoring Collecting, analyzing and correlating log entries across multiple systems in the Cloud, assisting in auditing, due diligence, regulatory compliance and other efforts (4) Data and System Recovery Recovering data in the Cloud, that has been accidentally or intentionally deleted or modified Recovering encrypted data in the Cloud, when the encryption key has been lost. Recovering systems from accidental damage or attacks Acquiring data from the Cloud that are being redeployed, retired or need to be sanitized

(5) Due Diligence/Regulatory Compliance

Helping organizations exercise due diligence and comply with requirements such as protecting sensitive information, maintaining certain records for audit purposes, notifying impacted parties when protected information is exposed, etc.

3. Challenges
In order to establish a forensic capability for cloud organizations in all three-dimensions defined above, we are facing enormous challenges. In the technical dimension, we have very limited tools and procedures in all five major components that we emphasize in this paper. In the legal dimension there is currently no agreement among cloud organizations on collaborative investigation, and no terms and conditions are present in SLAs on segregation of duties between CSP and cloud customer. International cyber law and policies must progress to help resolve the issues surrounding multi-jurisdiction investigations. 3.1 Challenges in forensic data collection In all combinations of cloud service and deployment models, the cloud customer faces the challenge of decreased access to forensic data. Access to forensic data varies dependent on the cloud model; IaaS customers enjoy relatively easy access to all data required for a forensic investigation, while SaaS customers may have little to no access to data required. Decreased access to forensic data means the cloud customer generally has no control or knowledge over the exact physical location of their data, and may only be able to specify location at a higher level of abstraction, typically as an object or container identified. CSPs intentionally hide the location of data from customers to facilitate data movement and replication. Moreover, there is a lack of appropriate terms of use in the SLA (Service Level Agreement) to enable general forensic readiness in the Cloud. Many CSPs do not provide services or interfaces for the customers to gather forensic data. For example, SaaS (Software as a Service) providers may not provide access to the IP logs of clients accessing content; IaaS (Infrastructure as a Service) providers may not provide forensic data such as recent VM (Virtual Machine) and disk images. In the Cloud, the customers have decreased access to relevant log files and metadata in all levels as well as a limited ability to audit the operations of the network of their CSP and conduct real-time monitoring on their own networks. 3.2 Challenges in elastic, static and live forensics The proliferation of endpoints, especially mobile endpoints, is a challenge for data discovery and evidence collection. The impact of crimes and the workload of investigation can be exacerbated in cloud computing simply because of the sheer number of resources connected to the Cloud. Time synchronization is crucial to the audit logs that are used as source of evidence in the investigation. Accurate time synchronization has been always an issue in network forensics, and is made all the more challenging in a cloud environment as timestamps must be synchronized across multiple physical machines spread in multiple geographical regions, between cloud infrastructure and remote web clients including numerous end points. Similar to time synchronization, unification of log formats has been a traditional issue in network forensics and the challenge is exacerbated in the Cloud because it is extremely difficult to unify the log formats or make them convertible to each other from the massive resources available in the

Cloud. Furthermore, proprietary or unusual log formats of one party can become major roadblocks in joint investigations. In computer forensics, recovered deleted data is an important source of evidence, so it is in the Cloud. In AWS (Amazon Web Service) the right to alter or delete the original snapshot is explicitly reserved for the AWS account that created the volume. When item and attribute data are deleted within a domain, removal of the mapping within the domain starts immediately, and is also generally complete within seconds. Once the mapping is removed, there is no remote access to the deleted data. Storage space occupied by the data elements deleted is made available for future write operations and the it is likely that storage space will be overwritten by newly stored data. However, some deleted data might be still present in the snapshot after deletion (Amazon, 2010). A simple challenge is: how to recover deleted data, identify the ownership of deleted data, and use deleted data as sources of event reconstruction in the Cloud? 3.3 Challenges in evidence segregation In the Cloud, different instances running on the same physical machine are logically isolated from each other via hypervisor. An instances neighbours have no more access to that instance than any other host on the Internet and can be treated as if they are on separate physical hosts. Customer instances have no access to raw disk devices, but instead are presented with virtualized disks. On the physical level system audit logs of shared resources and other forensic data are shared among multiple tenants. Currently, the provisioning and de-provisioning technologies still need to be much improved in the Cloud (CSA, 2009), and it remains a challenge for the CSP and law enforcement to keep the same segregating in the whole process of investigation without breaching the confidentiality of other tenants sharing the same infrastructure and ensure the admissibility of the evidence. Another issue is that the easy-to-use feature of cloud models results in a weak registration system, facilitating anonymity that is easy to be abused and making it easier for cloud criminals to conceal their identities and harder for investigators to identify and trace suspects as well as segregate evidence. Moreover, encryption is used in the Cloud to separate data hosting of the CSPs and data usage of the cloud customers and most of the major CSPs encourage customers to encrypt their sensitive data before uploading to the Cloud if encryption is not provided by the CSP by default (Amazon, 2010; Force.com, 2010; Google, 2010). Unencrypted data in the Cloud can be considered lost from a strict security perspective. A chain of separation is required to segregate key management from the CSP hosting the data and needs to be standardized in contract language. Agreement has to be made among the law enforcement, the cloud customer and the CSP on granting access to keys of forensic data, otherwise evidence can be easily compromised when encryption key is destoryed. 3.4 Challenges in virtualized environments Cloud computing claims to provide data and compute redundancy by replicating and distributing resources. However in reality most CSPs implement instances of a cloud computer environment in a virtualized environment. Instances of servers run as virtual machines, monitored and provisioned by a hypervisor. The hypervisor in a Cloud is analogous to a kernel in the traditional operating

system. Attackers will aim to focus their attacks against the hypervisor; compromise of the hypervisor amplifies any attack as many compute resources rely on its security. For law enforcement and cloud investigators, however, there is a huge lack of policies, procedures and techniques on hypervisor level to facilitate investigation. In the Cloud, mirroring data for delivery by edge networks, its redundant storage in multiple jurisdictions and the lack of transparent real-time information about where data is stored introduces difficulties for investigation. Investigators may unknowingly violate regulations, especially if clear information is not provided about the jurisdiction of storage (ENISA,2009). The CSPs cannot provide tools for the customer to locate at a given time, or trace at a given period of time, precisely and physically the multiple locations of a piece of data across all the geographical regions where the Cloud resides. Furthermore, the distributed nature of cloud computing forces a stronger international collaboration between law enforcement and industry, in cases such as confiscating a Cloud since the agency of a single nation cannot manage it when the physical servers are spread across different countries. 3.5 Challenges in internal staffing Today most cloud organizations are dealing with investigations with traditional network forensic tools and staffing, or are simply neglecting the issue. The major challenge in establishing a cloud forensic organizational structure is the lack of forensic expertise and relevant legal experience. The deep-rooted reasons for this challenge, which is also a challenge for the whole discipline of digital forensics, are firstly, the relative slow progress of forensic research compare to the rapidly evolving technology and secondly, the slow progress of relevant laws and international regulations. With only a decade of research and development, the discipline of digital forensics is still in its infancy, new forensic research areas in non-standard systems (Beebe, 2009), such as cloud computing, need to be explored, techniques need to be developed, regulations need to catch up, law advisors need to be trained, staff need to be equipped with new knowledge and skills to deal with the new grounds for cyber crimes created by the rapid rise of new models such as cloud computing. 3.6 Challenges in external chain of dependency As mentioned in the organizational dimension of cloud forensics, CSPs and most cloud applications often have dependencies on other CSPs. For example, a CSP providing an email application (SaaS) may depend on a 3rd party provider to host log-files (PaaS), who in turn may rely on a partner to provide infrastructure to store log files (IaaS). Although many predict the industry is moving towards federated or integrated Cloud in the near future, today every CSP has a different approach to solving this problem. Correlation of activities across CSPs is a big challenge. Investigation in the chain of dependencies between CSPs may depend on the investigations of each one of the links in the chain and level of complexity of the dependencies. Any interruption or corruption in the chain or a lack of coordination of responsibilities between all the parties involved can lead to problems. Currently threre are no tool, procedure, policy or agreement regarding crossprovider forensic investigations. 3.7 Challenges regarding SLA

Important terms regarding forensic investigations are not included in the SLA at the moment. This is because there is a lack of customer awareness, a lack of CSP transparency and a lack of international regulations. Most cloud customers are still not aware of the potential issues that might rise regarding forensic investigations in the Cloud and their significance. The consequence is that they might end up not knowing anything at all about what has happened in the Cloud in cases when their data is lost in criminal activities and has no right to claim any compensation. CSPs are not willing to ensure transparency to the customers regarding forensic investigations because they either do not know how to investigate cloud crimes themselves or the methods and techniques they are using are likely to be problematic in the highly complex and dynamic multi-jurisdiction and multi-tenancy cloud environment. The progress of any law and regulations including law and regulations of cyber crimes is very slow, while cloud computing is rapidly emerging as a new battlefield of cyber crimes for hackers who are equipped by the most updated techniques, investigators, law enforcement and various cloud organizations. 3.8 Challenges regarding Multi-Jurisdiction and multi-tenancy The legal challenges of multi-jurisdiction and multi-tenancy concern the differences among legislations in all the countries (states) the Cloud and its customers reside in. The differences between jurisdictions affects on issues such as what kind of data can be accessed and retrieved in the jurisdiction(s) where the physical machine(s) from which data is accessed and retrieved, how to conduct evidence retrieval without breaching privacy or privilege rights of tenants according to the privacy policis and regulations in the organizations and specific jurisdiction where multiple tenants data is located, what kind of evidence is admissible to the court in the specific jurisdiction, what kind of chain of custody is needed in the evidence preservation in the jurisdiction(s) where forensic data has passed during an investigation in the Cloud. Multi-jurisdiction issues also concern lack of legislative mechanism that facilitates collaboration between industry and law enforcement around the world, in cases such as resource seizure, cloud confiscation, evidence retrieval, data exhchange between countries, etc.

4. Opportunities
4.1 Cost Effectiveness Everything is less expensive when implemented on a larger scale, including security and forensic services. Cloud computing is currently very attractive to SMEs (Small and Medium Enterprises) due to the cost advantage which also applies to forensic implementations. SMEs that cannot afford dedicated internal or external forensics implementations or services may have an upgrade at relatively low cost when adopting cloud computing. 4.2 Data Abundance Amazon S3 and Amazon Simple DB ensure object durability by storing objects multiple times across multiple Availability Zones on the initial write and then actively doing further replication in the event of device unavailability or detected bit-rot to reduce the risk of single point of failure (Amazon, 2010). Data abundance generated in the Cloud is helpful to investigations as full data deletion cannot be guaranteed and investigators can take advantage of it to recover data as evidence. Scaled up to the Cloud, when a request to delete a cloud resource is made it actually

technically can never result in true wiping of the data. Full data deletion may only be guaranteed by destroying the resource that is shared with other cloud tenants. Thus pieces or segments of data that is crucial to investigation are very likely to remain somewhere in the Cloud for the investigators to discover. 4.3 Overall Robustness Some of the cloud technologies help to improve the overall robustness of forensics in the Cloud. For example, Amazon S3 generates an MD5 hash automatically when you store an object. So theoretically, the cloud customers do not need to look for external tools to generate timeconsuming MD5 checksums. IaaS offerings support on-demand cloning of virtual machines. As a result, in the event of a suspected security breach, the customer can take an image of a live virtual machine for offline forensic analysis, leading to less downtime for analysis. Multiple clones can also be created and analysis activities parallelized to reduce investigation time. This improves the analysis of security incidents and increases the probability of tracking attackers and patching weaknesses. Amazon S3 allows customer to use Versioning to preserve, retrieve, and restore every version of every object stored in the S3 bucket. An Amazon S3 bucket can be configured to log access to the bucket and objects within it. The access log contains details about each access request including request type, the request resource, the requestors IP, and the time and date of the request (Amazon, 2010). All of these can be used to investigate abnormal incidents and application failures. 4.4 Scalability and Flexibility Cloud computing allows scalable and flexible usage of resources which also applies to forensic services. For example, it can provide unlimited pay-per-use storage of logs, allowing more comprehensive logging without compromising performance. It can also massively increase the efficiency of indexing, searching and various queries of the logs. Cloud instances can be scaled as needed based on the logging load. Furthermore, forensic activities only take place when incidents happen which can largely take advantage of the cost-effectiveness of cloud computing. Customers have the choice to build their own dedicated forensic server(s) in the Cloud, ready to use only in need. 4.5 Standards and Policies Forensics has often been an after-thought when technology develops, creating many so-called bandage solutions and ad-hoc solutions (Meyers and Rogers, 2004). Cloud computing is a transformative technology which is changing the way IT is managed and generating a new wave of innovations. Cloud computing is still at its early stage and this is a unique opportunity to lay a foundation of standards and policies for cloud forensics that will evolve together with the technology until it matures. 4.6 Forensics-as-a-Service The concept of Security as a Service is emerging in cloud computing. For example, research has shown the advantages of a cloud platform for large-scale forensic computing (Roussev et al.,2009) and cloud-based anti-virus software (Oberheide et al., 2008). The emerging delivery models include established information security vendors changing their delivery methods to include

services delivered through the Cloud, and start-up information security companies play as pure CSPs and provide security only as a cloud service and do not provide traditional client/server security products for networks, hosts, and/or applications. Likewise, Forensics as a [Cloud] Service can be developed in the same way to make use of the massive computing power to facilitate cyber criminal investigations on all levels.

5. Future work and conclusions

The rise of cloud computing is pushing digital forensics into a new horizon. Many existing challenges are exacerbated in the Cloud, including jurisdictional issue and the lack of international collaboration, while the new environment also brings unique opportunities for foundational standards and policies. Cloud computing is a new battlefield of cyber crime, as well as a new ground for novel investigative approaches. Cloud forensics is a new area of research, much has to be done and this paper merely signposts the way forward.

6. References
Amazon (2010) Amazon Web Services: Overview of Security Processes. Beebe, N. (2009) Digital forensic research: The good, the bad and the unaddressed. Advances in Digital Forensics V: p17-37. Casey, E. (2000) Digital Evidence and Computer Crime. Academic Press. Cloud Security Alliance [CSA] 2009 Security Guidance for Critical Areas of Focus in Cloud Computing V2.1. Digital Forensic Research Workshop [DFRWS] 2001 A Road Map for Digital Forensic Research. EurActiv (2011) Cloud computing: A legal maze for Europe. EurActiv February 11. European Network and Information Security Agency [ENISA] 2009 Cloud Computing: Benefits, risks and recommendations for information security. F5 Networks and Applied Research West (2009) The 2009 F5 cloud computing survey. Federal Bureau of Investigation [FBI] 2008 Regional Computer Forensics Laboratory (RCFL) Program Annual Report for Fiscal Year 2007. Foley, J., (2010) Federal agencies shift into cloud adoption. Information Week June 14. Force.com (2010) Secure, private, and trustworthy: enterprise cloud computing with Force.com. Gartner (2009) Worldwide Cloud service revenue will grow 21.3 percent in 2009. Google (2010) Security Whitepaper: Google Apps Messaging and Collaboration Products.

Broadhurst, R. (2006) Developments in the global law enforcement of cyber-crime, Policing: International Journal of Police Strategies and Management, Vol.20, No 3: p.408-433 Gens, F. (2008) IT Cloud services forecast 2008 to 2012: A key driver of new growth. IDC INPUT (2009) Evolution of the Cloud: The future of cloud computing in government. Kent, K., Chevalier, S., Grance, T., Dang, H. (2006) NIST Guide to Integrating Forensic Techniques into Incident Response. NIST. Mell, P., Grance, T. (2009) The NIST Definition of Cloud Computing Version 15. NIST Merrill Lynch (2008) The Cloud wars: $100+ billion at stake. Meyers, M., Rogers, M. (2004) Computer forensics: The need for standardization and certification. International Journal of Digital Evidence, Vol 3 No 2. Liles, S., Rogers, M., Hoebich, M. (2009) A survey of the legal issues facing digital forensic experts, Advances in Digital Forensics V: p.267-277 Oberheide, J., Cooke, E., Jahanian, F. (2008) CloudAV:N-Version Antivirus in the Network Cloud. In Proceedings of USENIX Security 2008: p91-106. July, 2008. San Jose. Perry, R., Hatcher, E., Mahowald, R.P., Hendrick, S.D. (2009) Force.com Cloud platform drives huge time to market and cost savings. IDC Roussev, V., Wang, L., Richard, G., Marziale, L. (2009) A cloud computing platform for large-scale forensic computing, Advances in Digital Forensics V: p. 201-215.