Abstract:
Cloud computing underpins many of the current emergent and established
technologies. As a result, cloud computing affects many aspects
of our daily lives, from online shopping and banking to the use of mobile apps.
Because of this ubiquity, crime related to cloud systems is an ongoing concern. There
are, however, many factors that, while enabling cloud systems to function, also make
digital forensic investigations on such systems very challenging. While processes and
standards are defined for digital forensics, these processes often do not work when
applied to cloud systems. Forensic investigations are, by their nature, very disruptive
to the operation of a system. This is often unacceptable in a cloud environment.
One way to mitigate the risk of a forensic investigation is to proactively prepare for
such an event by achieving forensic readiness. This leads to the research conducted
for this dissertation.
The central question is whether it is possible to achieve forensic readiness in a cloud
environment, so that a digital forensic investigation can be conducted with minimal
or no disruption to the operation of said cloud environment.
This dissertation examines the background information of cloud computing,
digital forensics and software architecture in order to get a clear understanding
of the various research domains. Five possible models for the acquisition of data in
a cloud environment are proposed, using the NIST cloud reference architecture as
a baseline. A full, technology-neutral architecture for a cloud forensics system is
then generated. This architecture allows for the acquisition of forensic data within
a cloud environment. The architecture ensures that the data is kept forensically
stable and enables the proactive analysis of the captured data.
Using one of the acquisition models, a proof-of-concept implementation of the
architecture is developed. Experiments are run to determine whether the system meets
the set functional requirements and quality attributes to enable forensic readiness
in a cloud system. The architecture and implementation are evaluated against the
experimental results and possible improvements are suggested. The research is then
concluded and possible future avenues of research in the field of cloud forensics are
suggested.