Harvesting digital evidence from an operational cloud environment for digital forensic readiness purposes

dc.contributor.advisor: Venter, Hein
dc.contributor.email: makurasm@tuks.co.za [en_ZA]
dc.contributor.postgraduate: Makura, Sheunesu M.
dc.date.accessioned: 2020-05-11T08:17:19Z
dc.date.available: 2020-05-11T08:17:19Z
dc.date.created: 2020-05-06
dc.date.issued: 2020-01
dc.description: Mini Dissertation (MIT(Computer Science))--University of Pretoria, 2020 [en_ZA]
dc.description.abstract: An increase in organisations’ use of cloud computing technologies has led to cybercriminals targeting cloud environments in order to orchestrate malicious attacks. This led to the need for proactive approaches through the use of digital forensic readiness (DFR). A prototype developed by Kebande et al. (2016) sought to provide a means to attain DFR in a cloud environment without altering the existing cloud functionality. The prototype is presented as a forensic agent that uses modified botnet functionalities in order to amass digital information in a non-malicious operation. The prototype, which was implemented in a simulated environment, is able to harvest digital data like CPU and RAM usage, and keystrokes which are then hashed and stored as information in a database. However, the prototype was never tested on an operational cloud environment, hence this research study, which sought to implement a modified version of the prototype in an operational cloud environment for the purposes of achieving DFR in the cloud. OpenStack is used to provide the operational cloud environment. The prototype is deployed and executed in cloud instances hosted on OpenStack. The experiments performed in this research study show that it is viable to attain DFR in an operational cloud platform through the use of the prototype. Further observations show that the prototype is capable of harvesting digital data from cloud instances and storing digital data in a database. The prototype also prepares the operational cloud environment to be forensically prepared for digital forensic investigations to be performed without altering the functionality of the OpenStack cloud architecture. [en_ZA]
dc.description.availability: Unrestricted [en_ZA]
dc.description.degree: MIT(Computer Science) [en_ZA]
dc.description.department: Computer Science [en_ZA]
dc.identifier.citation: *Makura, SM 2020, Harvesting digital evidence from an operational cloud environment for digital forensic readiness purposes, MIT Mini Dissertation, University of Pretoria [en_ZA]
dc.identifier.other: S2019 [en_ZA]
dc.identifier.uri: http://hdl.handle.net/2263/74523
dc.language.iso: en [en_ZA]
dc.publisher: University of Pretoria
dc.rights: © 2019 University of Pretoria. All rights reserved. The copyright in this work vests in the University of Pretoria. No part of this work may be reproduced or transmitted in any form or by any means, without the prior written permission of the University of Pretoria.
dc.subject: UCTD [en_ZA]
dc.subject: Cloud computing
dc.subject: Digital forensic readiness (DFR)
dc.subject: Prototype
dc.subject: Operational cloud environment
dc.subject: OpenStack
dc.title: Harvesting digital evidence from an operational cloud environment for digital forensic readiness purposes [en_ZA]
dc.type: Mini Dissertation [en_ZA]

Files

Original bundle

Name: Makura_Harvesting_2019.pdf
Size: 1007.32 KB
Format: Adobe Portable Document Format
Description: Mini Dissertation

License bundle

Name: license.txt
Size: 1.75 KB
Format: Item-specific license agreed upon to submission