Baselight

Evidence Detection In Cloud Forensics

The dataset generated is a KVM monitoring dataset however we proposed a novel fe

@kaggle.jaidalmotra_evidence_detection_in_cloud_forensics

About this Dataset

Cloud forensics differs from digital forensics because of the architectural implementation of the cloud. In an Infrastructure as a Service (IaaS) cloud model, virtual machines (VMs) deployed over the cloud can be used by adversaries to carry out a cyber-attack using the cloud as an environment. Investigating such a crime requires sufficient evidence data to prove the attack in a court of law. Electronic evidence (EE) is any data that produces information relevant to the investigation. Identifying evidence from the data generated in a cloud environment is a tedious and manual process. In adherence to RFC 3227, evidence collection can be carried out once the evidence data is detected with appropriate triage.

A cyber attack originating from a VM leaves trails on the resources that it utilizes. These attack patterns on the resources and their properties can be used to detect and acquire evidence data generated in a cloud.

We have generated a dataset using the following settings:

To generate the dataset, a private cloud was set up. The system configuration included an Intel® Core™ i5-4590 processor with 12 GB of RAM and a 1 TB HDD. The private cloud was set up using a KVM type-1 hypervisor along with OpenNebula (version 5.12) as the cloud management platform. To simulate a real-time cloud environment, a script generating synthetic workload was deployed on the virtual machines of the cloud. An attack was carried out. The dataset is manually tagged with the known state, attack or normal, of the respective VM.
