Digital forensics in the cloud: the reliability and integrity of the evidence gathering process
Identifying and acquiring data stored in a cloud environment is a complicated and challenging process. Much of the current academic forensic literature focuses on conventional digital forensic principles and meticulous chain of custody processes. Conventional computer forensics focuses upon having physical access to the media that stores the data of potential interest. However, in a cloud computing environment it is often not possible or feasible to access the physical media. The client's data may be stored on virtual servers on physical devices located in numerous data farms across various geographical locations, making jurisdictional access also problematic.

This research paper identifies the key aspects of cloud computing and analyses the reliability and integrity of the evidence gathering process during a digital investigation in a cloud environment. Case studies are presented in support of the research, designed to assess whether existing digital forensics techniques are applicable to cloud investigations. The research examines technical and trust concerns that practitioners and law enforcement agencies (LEA) encounter in acquiring forensic evidence from a cloud.

Research testing involved creating a simulated 'Infrastructure as a Service' (IaaS) cloud environment to evaluate the evidence gathering process between the cloud client and the Cloud Service Provider (CSP). The IaaS cloud environment was created in Microsoft Server 2012 Datacentre, Hyper-V. A Domain Controller was created in Active Directory and populated with user accounts and virtual machines (VMs); client VMs have the Microsoft Windows 7 operating system installed. The primary aim of the research is to test the integrity and reliability of evidential data acquired during a digital forensic investigation in a cloud using existing forensic tools, methods and techniques. Research testing was conducted in a controlled home laboratory environment based on an exploratory approach.
Microsoft Network Monitor 3.4, Hyper-V SnapShot and Forensic Toolkit (FTK) were used to capture forensic data along with client-side and server-side log files. Internet Explorer and Firefox were installed on a client-side VM and were used to extract user activity.
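The integrity question the abstract raises (can evidence pulled from a VM, a network capture and log files be shown to be unaltered from acquisition to court?) is usually answered with hashed acquisition manifests. The script below is an added example, not code from the paper or from any of the tools it names: it hashes each collected artifact, records the hashes in a chain-of-custody manifest together with a hash of the manifest itself, and re-verifies the artifacts later, flagging any file that is missing or whose contents changed. The file names and contents are constructed placeholders standing in for a Hyper-V checkpoint, a Network Monitor capture and a Windows event log; the case identifier and collector name are likewise assumed.

```python
"""Evidence integrity manifest for artifacts acquired from a cloud VM (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large snapshot exports do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(paths, collector, case_id):
    """Record name, size and hash of every artifact at acquisition time.

    Returns the manifest and a hash over its canonical JSON form, so a later
    custodian can detect edits to the manifest as well as to the artifacts.
    """
    artifacts = [
        {"path": os.path.basename(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
        for p in paths
    ]
    manifest = {
        "case_id": case_id,  # assumed identifier, not from the paper
        "collector": collector,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "artifacts": artifacts,
    }
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return manifest, hashlib.sha256(canonical).hexdigest()


def verify_manifest(manifest, directory):
    """Re-hash each listed artifact; report 'ok', 'missing' or 'hash mismatch' per file."""
    results = {}
    for entry in manifest["artifacts"]:
        path = os.path.join(directory, entry["path"])
        if not os.path.exists(path):
            results[entry["path"]] = "missing"
        elif sha256_file(path) != entry["sha256"]:
            results[entry["path"]] = "hash mismatch"
        else:
            results[entry["path"]] = "ok"
    return results


def demo():
    """Acquire three constructed artifacts, verify them, then detect a post-acquisition edit."""
    workdir = tempfile.mkdtemp()
    # Constructed stand-ins for a checkpoint export, a packet capture and an event log.
    samples = {
        "vm-checkpoint.vhdx": b"constructed checkpoint bytes",
        "netmon-capture.cap": b"constructed capture bytes",
        "Security.evtx": b"constructed event log bytes",
    }
    paths = []
    for name, data in samples.items():
        path = os.path.join(workdir, name)
        with open(path, "wb") as handle:
            handle.write(data)
        paths.append(path)

    manifest, manifest_hash = build_manifest(paths, "examiner-1", "CASE-EXAMPLE")
    before = verify_manifest(manifest, workdir)

    # Simulate the event log being altered after acquisition; the manifest exposes it.
    with open(os.path.join(workdir, "Security.evtx"), "ab") as handle:
        handle.write(b" tampered")
    after = verify_manifest(manifest, workdir)
    return manifest, manifest_hash, before, after


if __name__ == "__main__":
    _, digest, before, after = demo()
    print("manifest sha256:", digest)
    print("at acquisition:", before)
    print("after tampering:", after)
```

In practice the manifest hash is what gets written into the custody log and countersigned when the evidence changes hands; verifying the artifact hashes alone is not enough, because an attacker with access to the evidence store could rewrite both a file and its manifest entry.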
The research findings demonstrate that although it may be technically possible to extract forensic evidence from the 'cloud', the investigative process presents significant jurisdictional and chain of custody challenges in the identification and seizure of evidential data by practitioners and law enforcement agencies (LEA) in criminal investigations and by businesses in civil litigation cases. It is also important that the evidential data collected can withstand rigorous scrutiny in a court of law.