Trustworthy Digital Forensics in the Cloud - IEEE Xplore

CLOUD COVER

Trustworthy Digital Forensics in the Cloud Shams Zawoad and Ragib Hasan, University of Alabama at Birmingham

Digital forensics is used to help investigate cybercrime. Because of its characteristics and rapid adoption, the cloud requires its own form of forensics, which must be reliable. The authors have developed the Open Cloud Forensics (OCF) model and FECloud architecture, which would enable effective cloud forensics.

COMPUTER, March 2016. Published by the IEEE Computer Society.

Cloud-based applications and services have changed the nature of computing. Individuals, businesses, industries, and governments are increasingly adopting the cloud because of its scalability and its capacity to let customers of cloud-based providers buy only the services and resources they need at any given time without having to invest in an extensive computing infrastructure. Unfortunately, these features also motivate hackers to use the cloud for malicious activities, such as launching botnet attacks from machines in the cloud,1,2 using cloud-based command-and-control systems for mobile bots,3 and utilizing the cloud to store stolen intellectual property4 or child pornography.5 For instance, to launch distributed denial-of-service (DDoS) attacks, hackers have placed the new Backdoor.Linux.Mayday.g Linux DDoS Trojan in compromised Amazon Elastic Compute Cloud virtual machines (VMs) and have launched attacks from them.1 To investigate, address, and prevent such activities, we must execute digital forensics procedures in the cloud, which requires cloud forensics techniques.

CLOUD FORENSICS

Digital forensics is an applied science for the identification, collection, organization, and presentation of evidence. Cloud forensics applies these four procedures in the cloud, in which evidence includes stored files, network and process logs, and registry files of VMs running in the cloud. Many of traditional digital forensics' assumptions, such as physical access to evidence, aren't valid in the cloud, particularly in public, virtual private, and community clouds. In cloud forensics, the identification, collection, and organization of evidence largely depend on cloud service providers (CSPs) supplying forensic data (evidence).6 Because of the cloud's black-box nature, forensic investigators can't verify the validity of such evidence or guarantee a CSP's integrity in court. For instance, hackers could collude with a dishonest CSP employee to hide traces of their illegal activities by providing incomplete logs, removing documents, tampering with the system clock, or altering provenance information. To ensure evidence trustworthiness, a CSP must preserve evidence securely so that the court can determine its authenticity.

0018-9162/16/$33.00 © 2016 IEEE. Editor: San Murugesan, BRITE Professional Services; [email protected]

ISSUES WITH CLOUD FORENSICS

Cloud architectures often lack support for reliable digital-forensic investigations because of several major issues.

Dependency on cloud providers

The evidence-acquisition process in software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) implementations varies because the access and data control available to investigators and users differ across these cloud models. With a SaaS model, investigators depend on CSPs to get application logs because users don't have access to them. With an IaaS system, investigators can acquire VM images from CSP customers and thus can start organizing evidence without CSP assistance. With a PaaS cloud, investigators, like users, can acquire only high-level logging information without CSP help, such as how much bandwidth an application is using (but not who is using it).

Volatile data

CSPs don’t provide persistent storage to VM instances, which is very expensive, in order to be able to offer on-demand computational and storage services.

Therefore, after a user terminates use of a VM, crucial information it contains—such as network, OS, and registry logs, as well as documents—are unavailable to investigators. Cloud-based hackers could exploit this by terminating VMs after an attack to destroy their digital footprints.

Multitenancy

Multiple users share cloud-based computing or storage resources. Thus, the same physical infrastructure could be utilized for legitimate and illicit purposes simultaneously. For example, Dropbox could store one user's legitimate files and another's stolen intellectual property on the same disk drive. It can therefore be challenging for CSPs to provide evidence to investigators without violating honest tenants' privacy.

Distributed, heterogeneous infrastructures

In the cloud, a single user’s data might be in hundreds of physically dispersed servers, in systems using different cloud architectures. In addition, there are no standard formats for the various types of logs or the information they must contain. All this can make collecting evidence challenging.

Legal issues

Several legal issues hinder the digital-forensics process in clouds. For example, in public, distributed clouds, it might not be possible to identify a piece of evidence's physical location, which is often required to obtain a search warrant.6 In addition, the evidence collection process can't violate privacy laws, which vary across jurisdictions. Chain of custody, required to prove authorities' unbroken control of evidence, could also be a problem in the cloud because hypervisor trustworthiness can be questionable.7 Hackers could attack a hypervisor, or a CSP could be dishonest. Either could then manipulate the evidence's access history, which would compromise the chain of custody.

OPEN CLOUD FORENSICS MODEL

Current cloud architectures must be enhanced to address digital forensics' challenges. In addition, a trust model is necessary to preserve the reliability of evidence obtained from CSPs. With this in mind, our proposed Open Cloud Forensics (OCF) model8 provides a guideline for designing trustworthy forensics-enabled cloud architectures. The model, shown in Figure 1, facilitates continuous forensics, which is necessary because cloud usage generates electronically stored information (ESI) continuously, so its translation into verifiable ESI must be continuous as well. An OCF cloud would also enable the court to verify the integrity of the evidence collected from clouds. In the OCF model, any CSP-provided service, such as an application, storage, or computing, generates ESI, which the system must preserve securely so that the court can verify its authenticity. The CSP must perform these processes on an ongoing basis to ensure the security and availability of evidence. Investigators collect verifiable ESI securely from the cloud via read-only APIs or a Web console. They then extract the required evidence from the verifiable ESI, organize it, and present it to the court. The system must segregate tenants' data while extracting the ESI and must protect user privacy via cryptographic schemes such as hashing.

FORENSIC-ENABLED CLOUD

Our FECloud9 forensic-enabled cloud architecture, shown in Figure 2, supports the OCF model. We built it on top of OpenStack, a widely used open source cloud-computing platform. FECloud has several key components.

[Figure 1 (diagram): cloud services (application, storage, computing, ...) generate ESI; translation turns it into verifiable ESI; the investigator performs collection, extracts evidence, organizes it, and presents it to the court, which performs verification of the evidence.]

Figure 1. Open Cloud Forensics model for making cloud-based cybercrime investigations more effective. The process begins when cloud-based services generate electronically stored information (ESI), which is translated via a cryptographic scheme to a verifiably tamper-evident version. The investigator extracts and organizes evidence from the information and presents it to the court for trustworthiness verification.

[Figure 2 (diagram): FECloud modules (logger, time-stamp manager, provenance manager, data-possession manager, proof publisher) sit alongside the OpenStack services (identity via Keystone, authentication, the Horizon dashboard UI, compute, network, image, block storage, object storage) and the running virtual machines.]

Figure 2. FECloud components. This architecture, built on top of the OpenStack cloud-computing platform, facilitates the use of digital forensics in the cloud. The various elements communicate with virtual machines and system modules that contain information relevant to the integrity of evidence in a cyberinvestigation, such as logs and time stamps. The components then collect and secure the data. UI: user interface.

The logger module communicates with various OpenStack compute modules and all running VMs to collect activity logs. Our proposal adds a log provider module to the existing OpenStack modules and to the VM image so that they can communicate with the logger module. Logs available only from inside the VM are sent directly to the logger. Logs from other entities are sent to the logger via the Log API and placed in persistent storage.

The data-possession manager collects information about data ownership from the OpenStack block storage and object storage modules and securely stores it in a proof-of-past-data-possession (PPDP) database.

The time-stamp manager incorporates a tamper-evident scheme to protect against alteration of a VM's or a Nova (OpenStack compute) node's time stamp. A secure time-stamp verification protocol runs between the compute node, the running VMs, and the time-stamp manager. Each entity verifies the others' time stamps so that alteration can be detected. The system stores this information in a proof-of-time-stamp database.

The provenance manager extracts and collects provenance records of data, application, and VM state from the log database and from the running VMs. We propose adding a provenance layer to the Nova compute node from which the provenance manager could also extract information. The provenance manager applies a cryptographic scheme10 to preserve the records' integrity. To ensure that a malicious CSP cannot modify the records, they are stored periodically in our proof-of-chain database.

The proof publisher module periodically and publicly publishes the proofs of logs, data possession, time-stamp verification, and provenance on the Web. These proofs allow all the stored ESI to be verified. Once a proof is publicly available, neither CSPs nor investigators can alter any ESI or provide fake evidence without it being detected.

We added modules for collecting log, data-possession, time-stamp, and provenance information to the OpenStack Horizon dashboard to provide a user interface that enables access to cloud-based ESI.

To support our FECloud architecture, we developed cryptographic frameworks for our data-possession manager, logger,11 PPDP,12 and secure-litigation-hold systems.13 The latter flags and stores documents within an organization that are deemed relevant to anticipated litigation. We also developed cryptographic schemes for time-stamp verification and provenance management for cloud-based storage-as-a-service implementations, and we are integrating them with OpenStack. We plan to evaluate FECloud's overhead and stability using standard OpenStack benchmark tools, which will determine the feasibility of using the proposed architecture in a real cloud.
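The following is an added example, not FECloud's code or the authors' cryptographic schemes. It illustrates the one mechanism that both the OCF translation step (ESI turned into verifiable ESI by hashing, with tenant identities segregated) and the logger, proof-of-chain, and proof-publisher modules rely on: a hash chain over log entries whose heads are published periodically, so that an investigator can later check the log a CSP hands over against the published heads. The chain layout, the HMAC tenant pseudonyms, the in-memory stand-in for a public publisher, and the OpenStack-style log lines are all assumptions made for this example; the papers cited above describe the actual schemes.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # chain hash "before" the first entry


@dataclass(frozen=True)
class Entry:
    seq: int      # position in the log
    ts: int       # time stamp reported by the VM or compute node (Unix seconds)
    tenant: str   # pseudonymised tenant identifier, see Logger.pseudonym
    msg: str      # the log line itself
    prev: str     # chain hash of the preceding entry (GENESIS for seq 0)

    def chain_hash(self) -> str:
        # Canonical serialisation: any change to any field or to the
        # predecessor link changes the hash.
        body = json.dumps([self.seq, self.ts, self.tenant, self.msg, self.prev],
                          separators=(",", ":")).encode()
        return hashlib.sha256(body).hexdigest()


class Logger:
    """Logger-module stand-in: keeps a hash chain over the entries it receives."""

    def __init__(self, tenant_key: bytes):
        self.tenant_key = tenant_key  # CSP-held key for tenant pseudonyms (assumed)
        self.entries: list[Entry] = []
        self.head = GENESIS

    def pseudonym(self, tenant_id: str) -> str:
        # Investigators see a stable pseudonym, not the identity of co-resident
        # tenants; the CSP can map it back under legal process.
        return hmac.new(self.tenant_key, tenant_id.encode(), "sha256").hexdigest()[:16]

    def append(self, ts: int, tenant_id: str, msg: str) -> Entry:
        entry = Entry(len(self.entries), ts, self.pseudonym(tenant_id), msg, self.head)
        self.entries.append(entry)
        self.head = entry.chain_hash()
        return entry


class ProofPublisher:
    """Proof-publisher stand-in: records (entry count, chain head) pairs.
    A deployment would push these to a public, append-only location the CSP
    cannot rewrite; a list keeps the example offline."""

    def __init__(self):
        self.published: list[tuple[int, str]] = []

    def publish(self, logger: Logger) -> tuple[int, str]:
        proof = (len(logger.entries), logger.head)
        self.published.append(proof)
        return proof


def verify(entries: list[Entry], proofs: list[tuple[int, str]]) -> tuple[bool, str]:
    """Investigator side: recompute the chain over CSP-supplied entries and
    check it against every published proof. Returns (ok, reason)."""
    head_at = dict(proofs)  # entry count -> published chain head
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.seq != i or e.prev != prev:
            return False, f"chain broken at seq {i}"
        prev = e.chain_hash()
        if i + 1 in head_at and head_at[i + 1] != prev:
            return False, f"entries 0..{i} do not match the published proof"
    covered = max(head_at) if head_at else 0
    if len(entries) < covered:
        return False, f"log truncated: {len(entries)} entries, proof covers {covered}"
    return True, "ok"


def rechain(entries: list[Entry]) -> list[Entry]:
    # What a dishonest CSP does after editing: renumber and relink so the
    # altered log is self-consistent. It still cannot match the published heads.
    out, prev = [], GENESIS
    for i, e in enumerate(entries):
        ne = Entry(i, e.ts, e.tenant, e.msg, prev)
        out.append(ne)
        prev = ne.chain_hash()
    return out


def build_sample() -> tuple[Logger, ProofPublisher]:
    """Constructed sample log and key, not real OpenStack output."""
    log, pub = Logger(tenant_key=b"csp-pseudonym-key"), ProofPublisher()
    log.append(1458000000, "tenant-A", "nova: instance i-1 started")
    log.append(1458000007, "tenant-B", "nova: instance i-2 started")
    log.append(1458000020, "tenant-A", "neutron: sg rule allow 0.0.0.0/0 tcp/22")
    pub.publish(log)  # proof covers entries 0..2
    log.append(1458000100, "tenant-A", "nova: instance i-1 terminated")
    pub.publish(log)  # proof covers entries 0..3
    log.append(1458000130, "tenant-B", "swift: PUT evidence.tar")  # not yet published
    return log, pub


def run_checks(log: Logger, pub: ProofPublisher) -> dict[str, tuple[bool, str]]:
    """verify() over the honest log and over four dishonest edits of it."""
    e = log.entries
    edited = list(e)
    edited[2] = Entry(2, e[2].ts, e[2].tenant, "neutron: sg rule allow 10.0.0.0/8 tcp/22", e[2].prev)
    tail = list(e)
    tail[4] = Entry(4, e[4].ts, e[4].tenant, "swift: (nothing)", e[4].prev)
    return {
        "honest": verify(e, pub.published),
        "edit published entry": verify(rechain(edited), pub.published),
        "delete published entry": verify(rechain(e[:1] + e[2:]), pub.published),
        "drop entries after a proof": verify(e[:3], pub.published),
        "edit unpublished tail": verify(tail, pub.published),
    }


if __name__ == "__main__":
    for name, result in run_checks(*build_sample()).items():
        print(f"{name:28s} -> {result}")
```

The last case is the caveat a practitioner should keep in mind: entries written after the most recent published proof can still be rewritten by the CSP without detection, so the publishing interval bounds the window in which evidence can be silently altered, and a VM terminated inside that window (the volatile-data problem above) may leave nothing that a proof commits to.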

Cloud-based computing's and storage services' rapid adoption demands reliable cloud forensics. We argue that CSPs must adopt forensics-friendly cloud architectures such as FECloud. A collaborative effort by public and private organizations, researchers, and academics is necessary to overcome the challenges that cloud forensics faces because of the cloud's basic characteristics.

REFERENCES

1. "DDoS-ers launch attacks from Amazon EC2," Infosecurity Magazine, 30 July 2014; www.infosecurity-magazine.com/news/ddos-ers-launch-attacks-from-amazon-ec2.
2. D. Goodin, "Amazon Cloud Hosts Nasty Banking Trojan," The Register, 29 July 2011; www.theregister.co.uk/2011/07/29/amazon_hosts_spyeye.
3. S. Zhao et al., "Cloud-Based Push-Styled Mobile Botnets: A Case Study of Exploiting the Cloud to Device Messaging Service," Proc. 28th Ann. Computer Security Applications Conf. (ACSAC 12), 2012, pp. 119–128.
4. Quantlab Technologies Ltd. v. Godlevsky et al., Federal Supplement, 2nd Series, vol. 719, 2010, p. 156 (US District Court for the Southern District of Texas, Houston Division).
5. "Lostprophets' Ian Watkins: 'Tech savvy' web haul," BBC News, 18 December 2013; www.bbc.com/news/uk-wales-25435751.
6. J. Dykstra and A.T. Sherman, "Understanding Issues in Cloud Forensics: Two Hypothetical Case Studies," Proc. 11th Ann. ADFSL Conf. Digital Forensics, Security, and Law (ADFSL 11), 2011, pp. 45–54.
7. D. Birk, "Technical Challenges of Forensic Investigations in Cloud Computing Environments," Proc. Workshop on Cryptography and Security in Clouds, 2011, pp. 1–6.
8. S. Zawoad, R. Hasan, and A. Skjellum, "OCF: An Open Cloud Forensics Model for Reliable Digital Forensics," Proc. 8th IEEE Int'l Conf. Cloud Computing (CLOUD 15), 2015, pp. 437–444.
9. S. Zawoad and R. Hasan, "FECloud: A Trustworthy Forensics-Enabled Cloud Architecture," Proc. 11th Ann. Int'l Fed. Info. Processing WG 11.9 Int'l Conf. Digital Forensics, 2015, pp. 271–285.
10. R. Hasan, R. Sion, and M. Winslett, "The Case of the Fake Picasso: Preventing History Forgery with Secure Provenance," Proc. 7th USENIX Conf. File and Storage Technologies (FAST 09), 2009, pp. 1–14.
11. S. Zawoad, A. Dutta, and R. Hasan, "Towards Building Forensics Enabled Cloud Through Secure Logging-as-a-Service," IEEE Trans. Dependable and Secure Computing, preprint, doi:10.1109/TDSC.2015.2482484.
12. S. Zawoad and R. Hasan, "Towards Building Proofs of Past Data Possession in Cloud Forensics," ASE Science J., vol. 1, no. 4, 2012, pp. 195–207.
13. S. Zawoad and R. Hasan, "LINCS: Towards Building a Trustworthy Litigation Hold Enabled Cloud Storage System," Digital Investigation, vol. 14, supplement 1, 2015, pp. S55–S67.

SHAMS ZAWOAD is a graduate research assistant in the Secure and Trustworthy Computing Lab (SECRETLab) and a PhD candidate at the University of Alabama at Birmingham (UAB). Contact him at [email protected]. RAGIB HASAN is an assistant professor in UAB’s Department of Computer and Information Sciences and SECRETLab’s founding director. Contact him at [email protected].
