A Review: Network Forensic Analysis Framework in Infrastructure as a Service (IaaS) Cloud Computing Environment
Samsiah Ahmad (1) and Zalikha Zulkifli (2)
Department of Computer Sciences, Faculty of Computer and Mathematical Sciences, UiTM Perak, 35400 Tapah Road, Perak, Malaysia (1, 2)
ABSTRACT
Cloud computing offers a new way of providing computing resources and applications on demand. Forensic investigation in this setting is made harder by the limitations on collecting forensic data from different geographical locations and environments in the IaaS (Infrastructure as a Service) cloud. Previous forensic frameworks therefore need to be reviewed, and their techniques extended, so that forensic investigators can adapt them to the IaaS environment. This paper reviews the current forensic frameworks that can be adapted for network forensic analysis in an IaaS cloud computing environment.
KEYWORDS
Network forensic analysis, framework, cloud computing.
1 INTRODUCTION
Cloud Computing has been defined in many ways, depending on the researcher's perspective and on how the cloud is operated. The cloud can be defined as a computing paradigm that pools abstracted, virtualized, dynamically scalable and managed computing power, storage, platforms and services delivered over the Internet [1]. Cloud Computing can be managed or implemented at the private, enterprise and public levels. Federation of clouds may also be implemented through the virtualization that normally operates in a private cloud. Cloud Computing uses hypervisor technology, adapting virtualization so that resources can be managed dynamically via web services. Normally the CSP (Cloud Service Provider) uses identity distribution and trusted data management mechanisms, and the client is charged based on virtual machines, computing time and bandwidth use. Amazon Compute Cloud Enterprise Cloud Computing (EC2), Google AppEngine and Microsoft Azure are the leading Cloud Computing service providers, offering low cost with ease of scalability that suits users' needs.
Besides, Cloud Computing provides three types of service model. The Software as a Service (SaaS) model allows customers to use services for developing their software via the web. Infrastructure as a Service (IaaS) lets users install systems at the CSP using a virtual environment. Platform as a Service (PaaS) is a type of cloud that allows customers to deploy their applications using virtualization developed by the CSP. Since Cloud Computing is a transformative development in computing history, it is also exposed to cybercrime, whether intentional or unintentional. It not only exacerbates the problems of digital forensics but also makes cybercrime investigation more challenging. Investigators therefore need not only to enhance their knowledge of digital forensics but also to have more tools for the Cloud Computing environment. This could help cloud organizations, including both the CSP and the client side, to ensure that forensic investigators are capable of reducing risk in the cloud environment.
2 PROBLEM STATEMENT
Since Cloud Computing is a transformative development in computing history, it is also exposed to cybercrime, whether intentional or unintentional. It not only exacerbates the problems of digital forensics but also makes cybercrime investigation more challenging. Investigators are therefore required to enhance not only their knowledge of digital forensics but also their tools for operating in the Cloud Computing environment. This could assist cloud organizations, including both the CSP and the client side, in ensuring that forensic investigators are capable of reducing risk in the cloud environment.
The Cloud Computing environment is also exposed to cybercrime in which the attacker uses it as a platform for launching attacks, whether on purpose or not. This is exacerbated when Cloud Computing is used as a tool to conduct or plan a crime. For example, evidence related to the crime can be stored and shared by the attacker in the cloud, and that cloud can be used to attack another cloud, which Ruan, K. [2] describes as a dark Cloud.
It therefore becomes more challenging for the forensic investigator to collect forensic evidence in the IaaS Cloud Computing environment. This is because the forensic investigator has no ability to acquire evidence in these virtual environments, where disks, memory and networks are shared across different geographical locations with no boundaries. Hence, the current operational landscape of incident handling and the methods of forensic investigation need to be revised and changed along with the evolution of the Cloud Computing environment.
To date, there is still a lack of research on forensic frameworks for the IaaS Cloud Computing environment that can be used in conducting forensic investigations. This project therefore focuses on analyzing previous forensic frameworks that can then be applied by forensic investigators in handling forensic investigations in an IaaS cloud-based environment.
2.1 Objective
The objectives of this paper are to identify the existing forensic frameworks that are applied during forensic investigation, and to analyze which of them can be adapted to the forensic IaaS Cloud environment.
2.2 Scope
The scope of this paper is the analysis of current network forensic frameworks that can be adapted to the IaaS Cloud Computing environment.
3 LITERATURE REVIEW
Cloud Computing provides three different types of service model: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Figure 1 presents the cloud service delivery models and the services they provide, as introduced by Antoniou, A. [3]. The highest level of abstraction is Software as a Service (SaaS), which delivers specialized software to consumers via the Internet. It typically involves a usage-based pricing scheme, in which the cost increases in relation to the number of users and the application features used. An example of a SaaS cloud is Customer Relationship Management (CRM) software services, which deliver software to the consumer via the Internet.
Platform as a Service (PaaS) is another service model, located at a lower level. PaaS pertains to the provisioning of an integrated environment that can be used for the development, testing and deployment of applications. Users in this service model are not occupied with deploying and managing the underlying hardware and software. An example of a PaaS provider is Google AppEngine, which provides Java and Python run-time environments with automatic load-based scaling.
Figure 1 - The Cloud Computing service model (Source: Antoniou [3])
The lowest level of service model is IaaS, which refers to the on-demand provisioning of virtualized resources such as computer servers, storage and networking. Users can lease virtual machine (VM) instances, which encapsulate a provider-specified amount of resources and can execute a user-specified operating system enriched with applications and libraries. Clients have full control of, and configure, the resources they access. An example of IaaS is Amazon Web Services, which provides resources to consumers via web services.
3.1 Deploying Model of Cloud Computing
Cloud Computing deployment can differ depending on the requirements. Each deployment model has specific characteristics that support the needs of the services and users of the cloud service model. Four types of deployment model have been identified in the Cloud Computing environment [4]:
a) Private Cloud
The cloud infrastructure is deployed, maintained and operated for a specific organization. The operation may be in-house or by a third party on the premises. This type of deployment is the main research area of this project, and it offers more challenges for conducting forensic investigation in the IaaS Cloud Computing environment. The challenges of cloud forensics are discussed further in the next section.
b) Community Cloud
In this cloud, infrastructure is shared among a number of organizations with similar interests and requirements. This may help limit the capital expenditure for establishment, as the costs are shared among the community or organizations. The operation may be in-house or by a third party on the premises.
c) Public Cloud
This type of deployment model is made available to the public on a commercial basis by a cloud service provider. It enables a consumer to develop and deploy a service in the cloud with very little financial outlay compared to the capital expenditure normally associated with other deployment options. This type of deployment model has security, legal and trust issues. It is also limited in collecting forensic evidence from the Cloud IaaS provider.
d) Hybrid Cloud
The cloud infrastructure consists of a number of clouds of any type, with the clouds able, through their interfaces, to allow data and/or applications to be moved from one to another. This can be a combination of private and public clouds that supports the requirement to retain some data in the organization and also the need to offer services in the cloud.
3.2 The Evolution of Cloud Computing
Cloud Computing has existed since 1995, when grid computing technology was used to allow customers to share their computing resources. During this time, the idea of Cloud Computing started to be recognized in computing technology [5]. Grid and Cloud Computing are similar in their vision of reducing the cost of computing [1]. However, they take different approaches to implementation: grid computing uses a clustering mechanism, whereas the cloud uses virtualization technology, which costs less than grid computing.
Then, from 1999 until 2006, applications as a service were developed using Web service 2.0. It was widely used over the Internet as the mechanism for delivering services to customers. After 2007, Cloud Computing was commercialized and became popular with the introduction of IaaS, SaaS and PaaS as models in the Cloud Computing environment. In 2008, Google introduced Google Application Engine, offering platform as a service to clients. Google Application Engine lets customers build their own applications on the provided platform. Then, in 2009, Amazon and Microsoft introduced Microsoft Azure and Amazon Web service, which offer Software as a Service to developers for running their own programs or applications via web services. During 2010 there was no major improvement; only Amazon upgraded its services by offering Amazon EC2 using cluster computing, and it was certified for ISO 27001. Based on the information read about Cloud Computing technology, the author has conceptualized the evolution of Cloud Computing graphically in Figure 2 below.
Figure 2 - Evolution of Cloud Computing
3.3 Challenges of Cloud Forensic
Cloud Computing, also known as grid computing, is not a new technology but a new approach to providing computing resources and applications as a delivered service. It can be divided into three service delivery models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). The increasing use of Cloud Computing services has created a new avenue for cybercrime, because Cloud Computing can act as a platform for committing crime against other victims or as a target for an attacker. It has also exacerbated the problems a forensic investigator faces when investigating with normal practices. There are three sources from which evidence can be extracted in a cloud: the client side, the network layer and the cloud service provider [6]. Of these sources, the cloud service provider is the most difficult one from which to gather evidence, because the provider is usually outside the jurisdiction of the forensic investigators. Cloud forensics can be defined as the application of digital forensics in Cloud Computing, as a subset of network forensics [2]. Figure 3 shows cloud forensics as a cross-discipline between Cloud Computing and digital forensics. Cloud forensics is thus part of network forensics, which deals with forensic investigation in any kind of public network, and Cloud Computing is based on broad network access [7].
Figure 3 - Location of Cloud Forensic (Source: Ruan [2])
Therefore, the main phases of the cloud forensic process should follow the same process as forensic analysis, with techniques extended and tailored to the Cloud Computing environment. However, there is currently no research on a forensic framework specifically for use in the Cloud Computing environment. As a result, there are various challenges in conducting investigations in Cloud Computing. The challenges include forensic data collection, forensics in the cloud environment, virtualization, internal staffing, and the SaaS, PaaS and IaaS environments. The challenges facing the forensic investigator in the cloud are explained briefly in the next subsections.
3.4 Forensic Data Collection
Since Cloud Computing uses a combination of cloud services and deployment models, the cloud customer will have problems with limited access to forensic data. This is because access to a cloud service depends on the cloud model: for example, an IaaS customer can easily access all the data used for forensic investigation, whereas a SaaS customer may have no access to the data required. Decreased access to forensic data means that the cloud customer has no control over, or knowledge of, the physical location of their data. This may be because the Cloud Service Provider (CSP) has intentionally hidden the location of data from the customer to facilitate data movement and replication. Many CSPs do not provide services or interfaces for customers to gather forensic data. For example, in SaaS, providers do not provide access to the IP logs of clients accessing their content. The cloud customer therefore has little access to the relevant log files or metadata at any level, as well as limited ability to audit the operation of the CSP's network and to conduct real-time monitoring of their own network. Besides that, Cloud Computing is more ethereal and dynamic, with no permanent or only semi-permanent data [8]. For example, data from an application accessed in a Cloud Computing system is traditionally written to the operating system, as registry entries or temporary internet profiles that reside in the virtual environment, and it is lost when the user exits. Evidence that the traditional approach would collect from the hard drive is therefore unrecoverable. This poses challenges for the forensic investigator conducting an investigation in the cloud environment.
In addition, the chain of custody is traditionally taken to start from the time the data is preserved for analysis or is seized. Unfortunately, this approach may not be possible in the Cloud Computing environment. This is because the forensic investigator has difficulty accessing the data, and because the way the cloud system operates makes it difficult to go back to the original state of the data, especially in the public cloud environment. Other than that, cloud resources could be used during the investigation to resolve the computational load associated with large-scale data set searches. For example, distributed resources could search small parts of a much larger data set in tandem, forming a virtual supercomputer through which scalability could be achieved.
3.5 Challenges in Virtualization
Cloud Computing provides data and compute redundancy by replicating and distributing resources. In reality, however, most CSPs implement instances of the cloud computing environment in a virtualized environment. For example, servers run on virtual machines that are monitored and provisioned by a hypervisor. This hypervisor in the cloud uses the kernel of a traditional operating system. Attackers will therefore focus on the hypervisor as their target, and a compromised hypervisor will be used for attacks, as many computing resources rely on its security. In the cloud environment there is a huge lack of policies, procedures and techniques at the hypervisor level to facilitate investigation. Besides that, the virtual machines used in IaaS Cloud Computing are not used permanently by the consumer. The lifetime of a virtual machine depends on the consumer: once it has been terminated, the virtual image is no longer available or accessible to the consumer. Figure 4 shows the stages of the virtual machine life-cycle when it is deployed in an IaaS cloud environment. Initially, the consumer's request (Stage 1) is assessed for feasibility by the IaaS cloud environment, and it is then placed in the pending state (Stage 2). During the pending state, the Virtual Machine (VM) waits until it is scheduled onto a physical resource. The scheduling decision relies on the cloud environment. For this project, the schedule has been decided based on the consumer.
Figure 4 - The VM life-cycle (Source: Antoniou [3])
After the VM has been assigned to a host, the user is provided with the root virtual image, including the operating system of the VM, by the cloud provider. The cloud subsequently transfers the VM images that have been created to the required host. A contextualization process takes place before and after the disk image is transferred. During this process, the disk images are modified so that they work in a specific environment, for example by setting up the VM host-name and network. When all required files are located on the selected host, the hypervisor boots the virtual machine and the VM enters the booting stage (Stage 3). When the operating system is up, the VM proceeds to the running state (Stage 4), where the user can operate the system as in a normal environment. A shutdown request forces the VM to progress to the corresponding shutting-down state (Stage 5). The virtual image might or might not be saved, depending on the cloud service provider's policy and the user's preference. The data will be saved and stored locally or transferred to a storage server. Finally, the VM reaches the termination stage (Stage 6), where the consumer exits the virtual machine.
This VM life-cycle therefore poses more challenges for forensic investigation, because evidence needs to be collected live, while the consumer or user is in the running state. The data or image from the VM might not be saved when the user terminates it. Because of this, the live forensic process needs to be performed by the forensic investigator while users remain in the virtual environment.
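The acquisition window implied by this life-cycle can be computed from provider life-cycle events. The following is an added example, not part of the original paper: the event format, the image_saved field and the mapping from state to collectable evidence are assumptions made for illustration.

```python
from datetime import datetime

# Life-cycle states in the order the paper gives them (Stages 1-6).
STATES = ["REQUESTED", "PENDING", "BOOTING", "RUNNING", "SHUTTING_DOWN", "TERMINATED"]

# Constructed provider event log: "<UTC time> <vm> <state> [image_saved=yes|no]".
# image_saved is a hypothetical stand-in for provider policy / user preference.
SAMPLE_EVENTS = """\
2012-03-01T08:00:00 vm-a REQUESTED
2012-03-01T08:00:05 vm-a PENDING
2012-03-01T08:01:10 vm-a BOOTING
2012-03-01T08:02:00 vm-a RUNNING
2012-03-01T08:00:00 vm-b REQUESTED
2012-03-01T08:00:07 vm-b PENDING
2012-03-01T08:01:30 vm-b BOOTING
2012-03-01T08:02:20 vm-b RUNNING
2012-03-01T09:15:00 vm-b SHUTTING_DOWN image_saved=no
2012-03-01T09:15:40 vm-b TERMINATED
2012-03-01T08:30:00 vm-c REQUESTED
2012-03-01T08:30:04 vm-c PENDING
2012-03-01T08:31:00 vm-c BOOTING
2012-03-01T08:31:50 vm-c RUNNING
2012-03-01T09:40:00 vm-c SHUTTING_DOWN image_saved=yes
2012-03-01T09:40:30 vm-c TERMINATED
"""


def parse_events(text):
    """Return {vm: [(time, state, image_saved)]}; reject out-of-order stages."""
    timelines = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, vm, state, *extra = line.split()
        history = timelines.setdefault(vm, [])
        if len(history) >= len(STATES) or state != STATES[len(history)]:
            raise ValueError(f"{vm}: unexpected transition to {state}")
        saved = "image_saved=yes" in extra
        history.append((datetime.fromisoformat(stamp), state, saved))
    return timelines


def state_at(history, when):
    """Latest (state, image_saved) at or before `when`, or None if not yet requested."""
    current = None
    for stamp, state, saved in history:
        if stamp <= when:
            current = (state, saved)
    return current


def acquirable(timelines, vm, when):
    """Evidence sources still collectable from `vm` at `when` (assumed mapping)."""
    current = state_at(timelines[vm], when)
    if current is None:
        return set()
    if current[0] == "RUNNING":
        return {"memory", "network", "disk"}   # live forensics is possible
    if current[0] in ("SHUTTING_DOWN", "TERMINATED"):
        saved = any(s for _, st, s in timelines[vm] if st == "SHUTTING_DOWN")
        return {"disk"} if saved else set()    # volatile state is already gone
    return set()                               # not running yet: no guest activity


def live_window_seconds(timelines, vm, detected_at):
    """Seconds left for live acquisition after an incident is detected.

    0 means the VM is not (or no longer) running; None means it is running and
    no shutdown has been logged yet.
    """
    history = timelines[vm]
    current = state_at(history, detected_at)
    if current is None or current[0] != "RUNNING":
        return 0
    for stamp, state, _ in history:
        if state == "SHUTTING_DOWN":
            return int((stamp - detected_at).total_seconds())
    return None


if __name__ == "__main__":
    vms = parse_events(SAMPLE_EVENTS)
    detected = datetime.fromisoformat("2012-03-01T09:30:00")
    for vm in sorted(vms):
        print(vm, sorted(acquirable(vms, vm, detected)),
              live_window_seconds(vms, vm, detected))
```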
3.6 Related Review
Traditionally, the digital forensic framework involves identification, preservation, collection, examination, analysis, presentation and decision [9]. This model is an important one and has been used in conducting forensic investigations, including network forensics, because many researchers have used it as a reference and guide when developing their own frameworks. This framework was then improved by adding preparation and approach strategy phases [10]. The authors found that the digital forensic model does not depend solely on technology or crime. In this model, they recommend that the evidence be returned to its original place for decision making. However, this model cannot be used at present because technology has changed rapidly.
Then, a simple and accurate incident response methodology was introduced by adding an incident response phase in which evidence is collected and analyzed [11]. They also recommend that the reporting and problem resolution phases be carried out on a long-term basis. This framework takes a longer period of time to solve the problem. To reduce the number of mistakes made during forensic investigation, [12] encourages a more rigorous investigation process, including the handling of evidence. Besides the other common phases, they proposed an assessment phase that validates the incident before the investigation process continues. They also recommend persuasion and testimony to serve as the report. Meanwhile, [13] includes readiness phases for gathering and processing in the forensic investigation, which is not applicable in the IaaS environment. An awareness model has been introduced as the first step in the forensic investigation process [14]. Policies and strategic planning evolve within this model. They also recommend disseminating guidance for future investigations and procedures. This framework [14] is not applicable to the IaaS environment because of the difficulty of authorizing the data collection.
As time goes by, the digital forensic model has evolved with changes in technology. This is very important for forensic investigators in developing tools, standards or procedures, and techniques. The digital forensic process model was then enhanced by adding sub-phases such as investigation, authorization, reconstruction and communication to the major phases [15]. This model takes a longer time to conduct the forensic investigation, until the hierarchical model was introduced [16]. This model is based on objectives, in contrast with the base framework, and it consists of a first tier with sub-phases included in a second tier [16]. However, these models mainly focus on specific and granular environments guided by principles and objectives. The first general process model for network forensics, which includes capture, copy, transfer, analysis, investigation and presentation, has been introduced [17]. However, this process model does not cover the overall investigation process, because it focuses only on developing network analysis tools for collecting evidence.
Therefore, a new generic framework for network forensics was derived from digital forensic models involving phases such as collect, fuse, identify, examine, correlate, analyze and document [18]. This generic network forensic framework, shown in Figure 5, includes preparation and authorization, detection of the incident or crime, incident response, collection of network traces, protection and preservation, examination, analysis, investigation and attribution, and finally presentation and review phases. Even though all the previous models mentioned above can be applied generally to network forensics, this framework is applicable only to traditional network investigation practices and not to Cloud Computing technology, which is the main area of this study. In this paper, this framework is analyzed and tailored to the cloud environment, in which all the software or applications, infrastructure and platforms are shared. In addition, this framework has difficulty classifying an attack as successful or failed during the forensic investigation. Therefore, the forensic investigation process needs to be reviewed depending on the type of cloud environment, the services and the deployment model. Consequently, the investigation process will potentially be treated differently depending on the type of cloud environment, the services and the deployment model.
Figure 5 - Generic Network Forensic Model (Source: Pilli [18])
Since most of the virtual servers in an IaaS cloud environment are placed in different geographical locations, malicious activities will be logged at various locations. In a wide area network, log collection uses a centralized server. Besides that, this phase uses a network forensic system based on a client-server architecture [19]. In this approach, the server captures network traffic, maps the topology of the database, filters and transforms the network traffic into database values, mines forensic data and replays network behavior. It is also capable of network surveying, statistical attack analysis and visualization. The main objective of that research is to understand misbehaving packets by filtering with adaptive rules, and to capture the misbehavior of a potential attack. Thus, the investigator will understand the attacker's behavior and at the same time obtain clues for the investigation. This model has been extended so that the network intrusion forensic system is agent-based and distributed, working in real time [17]. This framework allows all information, including system logs and application logs, to be gathered, and it is able to capture network traffic adaptively, respond actively to forensic investigation, integrate forensic data and store network misuse patterns. With this model, emergency response can be improved and the process of investigating the incident enhanced.
Besides that, a simpler framework has been proposed for forensics in distributed networks [20]. It provides techniques that integrate a platform for automatic evidence collection with efficient data storage. This method integrates known attributes and attack attributes by using a graph mechanism. It collects, stores, reduces, processes and analyzes data through agents. This framework is able to derive evidence automatically and respond quickly when an attack occurs. These techniques may therefore be necessary in conducting forensic investigation in the IaaS cloud environment. Another network forensic framework is based on the JADE mobile agent model [21]. In this model, the server acts as a node that hosts a number of forensic agents in order to monitor a large area of the network in real time. All network traffic logs are collected and examined, and the results are displayed in a user interface. It is very scalable, and it is able to reduce network traffic and address any single point of failure [22]. Other than that, a dynamical network forensic model using multi-agent theory has been introduced, which allows logs to be collected and stored simultaneously in real time [23]. As a result, evidence is collected automatically and the response is quick when a crime occurs. This model allocates three types of agent, namely the detector agent, the forensic agent and the response agent, each with its own task in collecting the evidence [23]. However, this technique does not classify the collected evidence according to its level of possibility, and it requires a large amount of space for data storage. Thus, a classification technique is necessary to produce evidence of high possibility in the IaaS cloud environment.
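An added example, not taken from the paper or from any of the reviewed frameworks, of the centralized collection described above combined with the evidence classification this paragraph calls for and the chain-of-custody concern raised in Section 3.4. The record fields, agent names, scoring thresholds and the SHA-256 hash chain are assumptions chosen for illustration.

```python
import hashlib
import json
import sqlite3
from datetime import datetime, timezone

# Constructed records, as agents in three regions might report them with local
# timestamps. Field names and agent ids are assumptions; the addresses come
# from the RFC 5737 documentation ranges.
SAMPLE_RECORDS = [
    {"agent": "agent-kul", "ts": "2012-03-01T17:02:11+08:00", "src": "198.51.100.7", "event": "auth_failure"},
    {"agent": "agent-fra", "ts": "2012-03-01T10:02:15+01:00", "src": "198.51.100.7", "event": "auth_failure"},
    {"agent": "agent-iad", "ts": "2012-03-01T04:02:19-05:00", "src": "198.51.100.7", "event": "auth_failure"},
    {"agent": "agent-fra", "ts": "2012-03-01T10:01:00+01:00", "src": "203.0.113.20", "event": "http_request"},
    {"agent": "agent-kul", "ts": "2012-03-01T17:02:30+08:00", "src": "198.51.100.7", "event": "auth_success"},
]

GENESIS = "0" * 64                      # starting value of the hash chain
RANK = {"low": 0, "medium": 1, "high": 2}


class EvidenceStore:
    """Central store: UTC-normalised, classified, hash-chained evidence rows."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE evidence (seq INTEGER PRIMARY KEY, utc TEXT, agent TEXT,"
            " src TEXT, event TEXT, level TEXT, prev TEXT, digest TEXT)")
        self.failures = {}              # src -> failures seen across ALL agents
        self.last = GENESIS

    def classify(self, src, event):
        """Assumed rule set: repeated failures and a later success rank highest."""
        seen = self.failures.get(src, 0)
        if event == "auth_failure":
            self.failures[src] = seen + 1
            return "high" if seen + 1 >= 3 else "medium"
        if event == "auth_success" and seen >= 3:
            return "high"
        return "low"

    @staticmethod
    def chain_hash(prev, fields):
        """Digest binds a row to every row before it."""
        return hashlib.sha256(prev.encode() + json.dumps(fields).encode()).hexdigest()

    def ingest(self, rec):
        utc = datetime.fromisoformat(rec["ts"]).astimezone(timezone.utc).isoformat()
        level = self.classify(rec["src"], rec["event"])
        fields = [utc, rec["agent"], rec["src"], rec["event"], level]
        digest = self.chain_hash(self.last, fields)
        self.db.execute(
            "INSERT INTO evidence (utc, agent, src, event, level, prev, digest)"
            " VALUES (?, ?, ?, ?, ?, ?, ?)", (*fields, self.last, digest))
        self.last = digest
        return level

    def verify(self):
        """Return the seq of the first row that fails the chain check, else None."""
        prev = GENESIS
        rows = self.db.execute(
            "SELECT seq, utc, agent, src, event, level, prev, digest"
            " FROM evidence ORDER BY seq")
        for seq, *fields, stored_prev, digest in rows:
            if stored_prev != prev or self.chain_hash(prev, fields) != digest:
                return seq
            prev = digest
        return None

    def timeline(self, min_level="low"):
        """Cross-region timeline in UTC order, filtered by classification level."""
        rows = self.db.execute(
            "SELECT utc, agent, event, level FROM evidence ORDER BY utc").fetchall()
        return [r for r in rows if RANK[r[3]] >= RANK[min_level]]


def build_store(records=SAMPLE_RECORDS):
    """Ingest records in arrival order; return the store and the assigned levels."""
    store = EvidenceStore()
    return store, [store.ingest(r) for r in records]


if __name__ == "__main__":
    store, levels = build_store()
    for row in store.timeline("medium"):
        print(row)
    print("chain intact:", store.verify() is None)
```

No single agent in the sample sees more than one failure from the source, so the third failure is rated high only because the central store correlates records across regions.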
However, all of the frameworks from previous researchers reviewed in this paper use a client-server or agent-proxy architecture, which provides ways for attack features to be collected and analyzed. Nevertheless, these frameworks have their own limitations, especially in how the features are correctly identified. Besides that, some of the agent components are still being developed by the researchers. The previous research frameworks are summarized in Table 1. The table identifies their advantages and limitations, which are useful as components in developing the proposed forensic framework for the IaaS Cloud Computing environment.
No | Year | Author | Method | Findings/Limitation
1 | 2003 | Prosise and Mandia | Formulation | It required time to resolve
2 | 2003 | Casey and Palmer | Assessment | Persuasion and testimony represent as report
3 | 2003 | Carrier and Spafford | Survey | Not applicable for the cloud environment because it is based on physical investigation.
4 | 2003 | Shanmugasundaram, et al. | Using tools Fortnet and SysApp | It is suitable for centralization in a distributed network
5 | 2004 | Ren and Jin | Using comparative study and survey | It is used in a client-based architecture that is applicable to distributed networks.
6 | 2004 | Seamus Ciardhuain | Comparative study from existing model | Not applicable to the cloud because of the difficulties in authorizing the data collection
7 | 2005 | Baryamureeba and Tushabe | Comparative study from existing model | It takes time to conduct the forensic investigation
8 | 2005 | Tang and Daniels | Known attribution method and attack attribution graph | Automatically derives the evidence and responds quickly when an incident occurs.
9 | 2005 | Ren and Jin | Survey and formalization | Focusing on developing network forensic tools for collecting evidence
10 | 2007 | Wang et al. | Used immune theory and multi agent theory | The collected evidence is not classified and requires a large amount of space for data storage
11 | | | Survey and Comparative study | Unable to classify the successful and
Table 1 - Limitation of previous researcher's framework
4 INITIAL FINDINGS
Although the number of forensic frameworks that can be used specifically in the IaaS Cloud Computing environment is currently very limited, many issues have already arisen that are still not clear. Even though traditional forensic frameworks have been researched for several years, a specific framework that can be used in the IaaS Cloud has still not been identified. The independent and dependent variables used in previous frameworks, which may be used in formulating the proposed framework for forensic investigation in an IaaS Cloud-based environment, are reviewed. The initial finding of this paper therefore compares the existing frameworks against the digital forensic model by identifying the independent and dependent variables in each phase of the forensic framework, as shown in Table 2. This result will assist the author in identifying the features to be used in proposing a framework that can be adapted to the IaaS Cloud Computing environment.
Table 2 - Comparison of existing frameworks against digital forensic model
5 CONCLUSION AND FUTURE WORKS
In this paper, the network forensic frameworks of previous researchers and their limitations have been analyzed and reviewed. This study found several aspects of those frameworks that need to be improved, such as the techniques for collecting, capturing and analyzing evidence in the IaaS environment through agents. This is to ensure that the evidence collected is of high quality and obtained as quickly as possible, and to assist in developing the proposed forensic framework for the IaaS cloud environment. Besides, the evolution of Cloud Computing technology in computing history was discussed, from grid computing technology to the introduction of Cloud Computing technology. Moreover, the challenges and problems of cloud forensics were also discussed, whereby different types of cloud environment may pose different challenges and problems in conducting forensic investigation. The previous forensic frameworks have therefore been reviewed, and the review shows that they involve different processes in conducting forensic investigation. The strengths and weaknesses of each forensic framework have been identified, which can be useful in formulating the proposed network forensic framework as the future work of this paper.
REFERENCES
[1] Foster, I., Z. Yong, Raicu, I. and Lu, S. (2008). Cloud Computing and Grid Computing 360-Degree Compared. Grid Computing Environments Workshop, 2008. IEEE Grid Computing Environment workshop (GCE '08). 12-16 November. Texas, 1-10, ISBN 978-1-4244-2860.
[2] Ruan, K., Carthy, P. J., Kechadi, T., and Crosbie, M. (2011). Cloud forensic: An overview. 7th Annual IFIP (International Federation for Information Processing) Working Group 11.9 International Conference on Digital Forensic. 30 January - 2 February. Florida, USA, pp 1-16.
[3] Antoniou, A. (2011). Performance Evaluation of Cloud Infrastructure Using Complex Workloads. Master of Computer Science, Delft University of Technology, Netherlands.
[4] Voorsluys, W., Broberg, J. and Buyya, R. (2011). Introduction to Cloud Computing. In Buyya, R., Broberg, J. and Goscinski, A. M. (Ed.) Cloud Computing: Principles and Paradigms. New Jersey: John Wiley & Sons, Inc. (pp. 1-41).
[5] Banerjee, U. (2011, March 8). The Evolution of Cloud Computing. Cloud Expo: Blog Feed Post. Retrieved 1 December 2011, from http://udayanbanerjee.sys-con.com/node/1744132
[6] Birk, D. and Wegener, C. (2011). Technical Challenges of Forensic Investigation in Cloud Computing Environments. 6th International Workshop on Systematic Approaches to Digital Forensic Engineering (in conjunction with IEEE Security and Privacy Symposium). 26 May. Oakland, USA: IEEE, pp 1-6.
[7] Beebe, N. L. (2009). The Digital forensic research: The good, the bad and the unaddressed. 5th Annual IFIP (International Federation for Information Processing) Working Group 11.9 International Conference on Digital Forensic. 26-27 January. Orlando, Florida, pp 17-36.
[8] Mell, P. and Grance, T. (2010). The NIST Definition of Cloud Computing (Draft): Recommendations of the National Institute of Standards and Technology. NIST Special Publication 145(6), 7: National Institute of Standards and Technology, Information Technology Laboratory.
[9] Palmer, G. (2001). A Road Map for Digital Forensic Research. The MITRE Corporation 1st Digital Forensic Research Workshop (DFRWS) Technical Report. 7-8 August. Utica, New York, pp 1-48.
[10] Reith, M., Carr, C., and Gunsch, G. (2002). An Examination of Digital Forensic Models. International Journal of Digital Evidence 1(3), 1-12.
[11] Prosise, C., and Mandia, K. (2003). Incident Response and Computer Forensics (2nd ed.). Osborne. New York: McGraw-Hill.
[12] Casey, E. and Palmer, G. (2004). The investigative process in Casey. Digital Evidence and Computer Crime, Elsevier Academic Press. United States.
[13] Carrier, B. and Spafford, E. H. (2003). Getting Physical with the Digital Investigation Process. International Journal of Digital Evidence 2(2), pp 1-20.
[14] Ciardhuáin, S. Ó. (2004). An Extended Model of Cybercrime Investigations. International Journal of Digital Evidence 3(1), pp 1-22.
[16] Baryamureeba, V. and Tushabe, F. (2004). The enhanced digital investigation process model. 4th Digital Forensic Research Workshop. 11-13 August. Maryland, USA: Digital Forensic Research Workshop, pp 20-29.
[17] Beebe, N. L. (2009). The Digital forensic research: The good, the bad and the unaddressed. 5th IFIP (International Federation for Information Processing) Working Group 11.9 International Conference on Digital Forensic. 26-27 January. Orlando, Florida, pp 17-36.
[18] Ren, W. and Jin, H. (2005). Modeling the network forensics behavior. 1st International Conference Security and privacy for Emerging Areas in Communication Network. 12-18 December. Athens, Greece: IEEE, pp 1-8.
[19] Pilli, E. S., Joshi, R. C., and Niyogi, R. (2010). A Generic Framework for Network Forensics. International Journal of Computer Applications 1(11), pp 1-6.
[20] Ren, W. (2004a). On the Reference Model of Distributed Cooperative Network Forensic System. 6th International Conference on Information Integration and Web Application and Services (iiWAS2004), 27-29 September 2004. Jakarta, Indonesia, pp 771-775.
[21] Tang, Y. and Daniels, T. E. (2005). A Simple Framework for Distributed Forensics. 25th IEEE International Conference in Distributed Computing System, 6-10 June. Columbus: IEEE, pp 1-6.
[22] Nagesh, A. (2007). Distributed Network forensics using JADE Mobile Agent Framework. Department of Computing Studies Arizona, Arizona State University.
[23] Wang, D. T., Liu, L. S., Zhang, J. and Liu, C. (2007). Dynamical Forensic Analysis. Third International Conference. Natural Computation (ICNC 2007). 24-27 August. Haikou, pp 651-656.