Acquiring Forensic Evidence from Infrastructure-as-a-Service Cloud Computing: Exploring and Evaluating Tools, Trust, and Techniques
Date
2012-08-06
Rights
This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.
Abstract
We expose and explore technical and trust issues that arise in acquiring forensic evidence from infrastructure-as-a-service
cloud computing and analyze some strategies for addressing these challenges. First, we create a model to show the
layers of trust required in the cloud. Second, we present the overarching context for a cloud forensic exam and analyze
choices available to an examiner. Third, we provide for the first time an evaluation of popular forensic acquisition
tools including Guidance EnCase and AccessData Forensic Toolkit, and show that they can successfully return volatile
and non-volatile data from the cloud. We explain, however, that with those techniques judge and jury must accept a
great deal of trust in the authenticity and integrity of the data from many layers of the cloud model. In addition, we
explore four other solutions for acquisition—Trusted Platform Modules, the management plane, forensics as a service,
and legal solutions, which assume less trust but require more cooperation from the cloud service provider. Our work lays
a foundation for future development of new acquisition methods for the cloud that will be trustworthy and forensically
sound. Our work also helps forensic examiners, law enforcement, and the court evaluate confidence in evidence from the
cloud.