2.6 Related Works
2.7.2 Cloud Forensics
Cloud forensics deals with the process of performing a structured investigation by collecting and analysing digital information to reconstruct security events while also protecting the privacy rights of co-tenants in a cloud infrastructure. Cloud forensics is an essential element of security transparency because it enables the identification, collection, preservation and analysis of data so that the data can be used effectively to establish its integrity. New techniques and methodologies are being developed for cloud forensics.
Virtual Machine Introspection (VMI) is one of the techniques used for providing evidence in cloud forensics (Pape, 2017). VMI leverages the capabilities of a hypervisor to examine a virtual machine at runtime for intrusion detection purposes (e.g. malware detection on the introspected VM). Deshpande et al. (Deshpande et al., 2018) proposed a logging and replay system for analysing intrusions: the monitored workload runs in a VM, logging is performed in the host OS, and the whole VM execution is replayed for analysis, improving the transparency of the VM runtime.
Borisaniya et al. (Borisaniya and Patel, 2019) argued that VM monitoring is a promising technique for activity detection at the hypervisor level. The authors proposed a VMI security framework that uses a derivation-based approach to monitor activities running inside a VM from outside it: a hardware-based system call tracing tool extracts the system call traces of each VM process, and these traces are analysed to detect potentially malicious activity.
In Laurén et al. (Laurén and Leppänen, 2018), a web-based monitoring system for VMs called Nitro Web is presented. Nitro Web is capable of real-time collection, detection and visualisation of system call activity taking place within a VM; it is built on top of Nitro, a Python-based VMI framework for analysing VM state. The authors maintained that Nitro Web provides transparent VM monitoring capabilities because it does not require involvement or cooperation from the guest OS being monitored. A Cloning and Injection based VM Inspection in Cloud (CIVIC) is proposed by Suneja et al. (Suneja et al., 2017). CIVIC is a mechanism that enables inspection of production VMs by creating a replica of the VM's runtime state in a separate, isolated sandbox environment. It then uses runtime code injection to introduce userspace-level functionality over the replicated VM state, avoiding any modification of the guest. CIVIC thus enables VMI-based monitoring and inspection solutions.
Jia et al. (Jia et al., 2017) proposed an architecture (T-MVI) that prevents malicious access to VM data and subversion of regular VM routines. The technique guarantees VM integrity by monitoring the contents of a virtual machine in real time from the hypervisor level. Their architecture examines and eliminates the risks of privacy leakage and security bypass by isolating the core code for virtual machines in an isolated environment within the hardware component. The authors maintained that the proposed architecture could prevent attackers from hijacking the data emanating from a VM or falsifying information to gain illegitimate access to the computing node. However, the work does not demonstrate how the captured information about the VM is communicated or analysed in order to identify security lapses and vulnerabilities in the VM.
In Deshpande and Ainapure (Deshpande and Ainapure, 2016), the authors contend that virtual machine introspection is a suitable solution for monitoring malicious activities in VMs, such as taking control of host privileges through software loopholes or attacking other virtual machines on the same cloud platform. To mitigate the problem, they proposed an intelligent real-time virtualisation monitoring system that continuously checks the status of guest VMs in both static and dynamic modes in order to identify attacks and protect cloud resources from them. The approach aims to achieve reasonable efficiency and security by ensuring that the VM is protected from various forms of attack, and adds intelligence to VM introspection by embedding a pattern recognition algorithm for identifying threats. The authors used a system call tracing tool to monitor the status of virtual machines. However, the work is mainly built on static threat pattern recognition, which is not dynamic enough to identify emerging threats.
Tovarňák et al. (Tovarňák et al., 2014) identified that the lack of multi-tenant monitoring support and limited access to provider-controlled monitoring information prevent cloud customers from adequately determining the status of the resources of interest to them. To address this problem, they proposed a distributed event-driven monitoring model that enables multiple simultaneous consumers to collect and analyse, in real time, monitoring data related to the behaviour and state of many distributed entities. The contribution emphasises behaviour monitoring, i.e. the collection and analysis of data on the actions of, and changes to the state of, the monitored resources in order to detect behaviour deviations and their patterns.
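As an added illustration of the out-of-VM system call tracing described for Borisaniya et al. above and the behaviour-deviation detection of Tovarňák et al., the following Python sketch (written for this review, not code from any of the cited works) learns a per-process system call profile from a constructed baseline trace and flags calls in a later trace that fall outside it; the trace record format is an assumption, not that of any real VMI tool.

```python
from collections import defaultdict

# Constructed VMI-style system call records (not output of any real tool);
# assumed format: "<timestamp> <pid> <process> <syscall>".
BASELINE_TRACE = """\
1.000 101 nginx accept4
1.001 101 nginx read
1.002 101 nginx write
1.003 202 sshd read
1.004 202 sshd write
"""
LIVE_TRACE = """\
2.000 101 nginx accept4
2.001 101 nginx execve
2.002 101 nginx ptrace
2.003 202 sshd read
2.004 303 cron execve
"""

def parse_trace(text):
    """Parse trace lines into (timestamp, pid, process, syscall) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, pid, proc, call = line.split()
            records.append((float(ts), int(pid), proc, call))
    return records

def learn_profile(records):
    """Per-process set of system calls observed during a known-good period."""
    profile = defaultdict(set)
    for _, _, proc, call in records:
        profile[proc].add(call)
    return dict(profile)

def find_deviations(records, profile):
    """Flag calls outside the learned profile as (ts, pid, process, syscall,
    reason); a process absent from the baseline is 'unknown-process'."""
    deviations = []
    for ts, pid, proc, call in records:
        if proc not in profile:
            deviations.append((ts, pid, proc, call, "unknown-process"))
        elif call not in profile[proc]:
            deviations.append((ts, pid, proc, call, "new-syscall"))
    return deviations

if __name__ == "__main__":
    profile = learn_profile(parse_trace(BASELINE_TRACE))
    for hit in find_deviations(parse_trace(LIVE_TRACE), profile):
        print("deviation:", hit)
```

The profile here is learned rather than hard-coded, which is the dynamic property the static pattern-recognition approach criticised above lacks; in practice the baseline would be rebuilt periodically from traces collected at the hypervisor.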
The most important aspects of cloud forensics proposed in the literature mentioned above are the heterogeneity and availability of evidence and access to evidence sources, which are vital to ensuring security transparency. However, the application of VMI to cloud forensics faces many challenges. For example, legal authority and time synchronisation across the distributed components of cloud services, as well as the preservation of evidence integrity, the chain of custody and the availability of sufficient storage capacity, are some of the significant drawbacks of the proposed approaches. Other challenges include the protection of privacy rights in a multi-tenant environment when investigators collect evidence. For instance, if a VM running on a cloud server becomes the object of interest in a forensic investigation, the entire server may be seized by law enforcement, and co-located VMs owned by other tenants may be affected as a result. In addition, the CSP may be unwilling to provide an investigator with the required access to physical machines, and in some cases, such as where multiple jurisdictions are involved, the CSP may not be obligated to do so. Furthermore, another major problem is dynamicity, i.e. cloud forensics does not mainly focus on the areas of security that are of significant importance to the cloud customer. Failing to appropriately accommodate customer expectations amounts to an inability to provide transparency unless the approach is changed.