Conference: IEEE International Conference on Mobile Adhoc and Sensor Systems

Automated Forensic Data Acquisition in the Cloud


Abstract

Movement of businesses and individuals to the cloud has posed many new complications for digital forensic investigators. This is due to a multi-tenant environment on cloud servers, chain of custody problems, globalization of data, and the inability of the Cloud Service Provider (CSP) to keep logs of everything within their network. This paper proposes a practical solution that can be implemented to mitigate the challenges with minimal to no CSP upkeep. Our model builds upon and adds to existing models and solutions including network monitoring for Infrastructure as a Service and snapshot capabilities to provide forensic evidence. We propose to utilize the automation of snapshots and an open-source tool, Google Rapid Response (GRR), set off by a hypervisor-based intrusion detection system in order to collect forensic evidence. Finally, we discuss the ideal implementation of our model and the future research direction.