Digital forensics in the Cloud: encrypted data evidence tracking
Cloud computing is an emerging model that separates application and information resources from the underlying infrastructure, and the mechanisms used to deliver them. The elastic nature, cost effective price and convenient connectivity make the cloud become more and more attractive as a storage medium for digital forensic investigators. The increasing volumes of data are also a driver for investigators use of a cloud for storing evidence and performing analysis. However, because of the distributed nature of the cloud (Cruz, & Atkison, 2011, p.306), data stored in the cloud may likely be divided into smaller chunks and placed at different data centres all over the globe. Moreover, the dynamic and remote nature of the cloud, make data relocating from data centre to data centre. Hence, data may be constantly compressed and resized. Thus, it is possible that data may be lost during the transmission; or compromised by attacks in the cloud. Furthermore, redundant storage in multiple jurisdictions (Yan, 2011, p.612) and the lack of transparent real-time information about where data is stored introduces judicial issues and further complications for investigations. Virtualisation also impacts on the privacy of other users (Dahbur, & Mohammad, 2011, p.2) of the cloud. To maintain information security, organisations can encrypt data before storing them in the Cloud; and then decrypt after retrieving the data from the Cloud.
The key challenges that a digital investigator is facing before committing to the cloud, is how to ensure that the security of evidence data will be maintained; and privacy will be protected in order to fulfil digital forensic investigation principles. Although solutions such as Hou, Uehara, Yiu, & Hui (2011, p.378) have been proposed to use homomorphic encryption to protect innocent evidence data from being exposed; they are, however, more suited in a relatively static database environment, and the feasibility and performance of such solutions in a public cloud are still yet to be studied and evaluated.
To maintain information security, organisations can encrypt data before storing them in the Cloud; and decrypt after retrieving the data from the Cloud. The research will identify, analyse and evaluate whether or not modern encryption algorithms can be used in providing data security and persevering privacy for digital forensic investigation evidence data stored in the cloud.
To conduct the proposed research, a trial system was created in a lab controlled environment to simulate commercial situations where data will be relocated and distributed. The normal operation of the trial system was documented as the semi-trusted Storage-as-a-service cloud, in which stored digital forensic investigation data were scattered. Hence, the integrity, confidentiality and availability of digital forensic investigation data were stressed. Then experimental data generated during the research were collected and analysed, in order to test the robustness and performances of selected encryption tools.
The methodology used in a simulated environment was based on descriptive methods in which the case scenario of simulated attack on the cloud by redistributing encrypted sample file data from one storage medium to another. To investigate the robustness and performances of selected encryption tools, a customized cloud simulation were created using VMmare. The descriptive mythology allowed the elaboration of precise details relevant to the research question.
The purpose of the main research question was to evaluate whether or not modern encryption algorithms can be used in providing security and preserve privacy for digital forensic investigation evidence data stored in the cloud. Consequently, the court evidence admissibility requirement was met according to digital forensic investigation principles and guidelines. The significant findings were found that the selected encryption tools were able to provide security for evidence data in the cloud at a sufficient level. Moreover, the encryption tools examined had reasonably good performance in the cloud. Though, AxCrypt had the overall best performance in terms of security features and data compression result resilience.
To conclude, the research conducted confirms that modern encryption algorithms are able to maintain security and preserve privacy for digital forensic investigation evidence data stored in the cloud. Moreover, using modern encryption algorithms ensures that evidence data do meet confidentiality, availability, privacy preserving, chain-of-custody and eventually court admissibility requirements. Ultimately, digital forensic investigator compliance principles are fulfilled.