1. Cloud Forensics and Privacy
Keyun Ruan
keyun.ruan@ucd.ie
Center for Cybersecurity and Cyber Crime Investigation
University College Dublin
National Library of Wales, Aberystwyth
Sep 6 2012
2. Cloud Forensics: an Overview
• Cloud computing
- Essential characteristics
- Service models
- Deployment models
- Cloud actors
- Service Level Agreement
• Digital Forensics
• Multiple Dimensions
- Technical
- Legal
- Organizational
15. Public Cloud
Forensic Case 1: Cloud Consumers accessing the Cloud over a network
Forensic Case 2: Cloud Consumers accessing the Cloud from within the enterprise network
Figure 12. Public Cloud Deployment (Liu et al. 2011)
16. Private Cloud
Forensic Case 1: On‐site Private Cloud
Forensic Case 2: Out‐sourced Private Cloud
Figure 13. Private Cloud Deployment (Liu et al. 2011)
17. Community Cloud
Forensic Case 1: On‐site Community Cloud
Forensic Case 2: Outsourced Community Cloud
Figure 14. Community Cloud Deployment (Liu et al. 2011)
19. Cloud Forensics: Challenges
• Forensic acquisition
• Evidence segregation
• Virtualized environment
• Data location
• Forensic staffing
• External dependency chains
• Service Level Agreement
• Multiple jurisdiction, multiple tenancy, multiple ownership
• Identity and anonymity management
• Data recovery
• Proliferation of endpoints
• Time synchronization
• Log management
• Encryption and key management
20. Cloud Forensics: Opportunities
• Cost effectiveness
• Data abundance
• Overall robustness
• Scalability and flexibility
• Policies and standards
• Forensic‐as‐a‐Service (FaaS)
21. Survey on Cloud Forensics and Critical Criteria for Cloud Forensic Capability
• 257 respondents
Figure 16. Impact of Cloud Computing on Forensics
22. Top Challenges
• Jurisdiction (89.43% significant or very significant, 59.62%
very significant)
• Lack of international collaboration and legislative
mechanism in cross-nation data access and exchange
(84.77% significant or very significant)
• Investigating external chain of dependencies of the cloud
provider (e.g., a cloud provider can use the service from
another provider) (80.96% significant or very significant)
• Decreased access to and control over forensic data at all
levels from customer side (78.3% significant or very
significant)
• Lack of law/regulation and law advisory (76.19% significant
or very significant)
23. Key Terms for the Service Level Agreement
• Cloud offering
• Technical dimension
• Organizational dimension
• Legal dimension
• Auditing
24. ISO Series
Source: Marshall A.M. (2011) Standards, regulation & quality in digital
investigations: The state we are in, Digital Investigation 8 p141-144