A Novel Cloud Forensic Readiness Service Model

Abstract

The ubiquity of the cloud has accelerated an abundance of modern Information and Communication Technology (ICT)-based technologies to be built based on the cloud infrastructures. This has increased the number of internet users, and has led to a substantial increase in the number of incidents related to information security in the recent past, in both the private and public sectors. This is mainly because criminals have increasingly used the cloud as an attack vector due to its prevalence, scalability and open nature. Such attacks have made it necessary to perform regular digital forensics analysis in cloud computing environments. Digital Forensics (DF) plays a significant role in information security by providing a scientific way of uncovering and interpreting evidence from digital sources that can be used in criminal, civil or corporate cases. It is mainly concerned with the investigation of crimes that are supported by digital evidence. Furthermore, DF is conducted for purposes of uncovering a potential security incident through Digital Forensic Investigations (DFIs). There is always some degree of uncertainty when cyber-security incidents occur in an organisation. This is because the investigation of cyber-security incidents, as compared to the investigation of physical crimes, is generally still in its infancy. Unless there are proper post-incident response and investigating strategies in place, there will always be questions about the level of trust and the integrity of digital forensic evidence in the cloud environment. The impact of cyber-security incidents can be enormous. Much damage has already been experienced in many organisations and a disparity between cyber-security incidents and digital investigations lies at the origin of where an incident is detected. Organisations need to reach a state of Digital Forensic Readiness (DFR), which implies that digital forensic planning, preparation must be in place, and that organisations can implement proper post-incident response mechanisms. However, research study on science and theories focused on the legal analysis of cloud computing has come under scrutiny because there are several constitutional and statutory provisions with regard to how digital forensic evidence can be acquired from Cloud Service Providers (CSPs). Nevertheless, for Digital Forensic Evidence (DFE) to satisfy admissibility conditions during legal proceedings in a court of law, acceptable DF processes should be systematically followed. Similarly, to enable digital forensic examination in cloud computing environments, it is paramount to understand the technology that is involved and the issues that relate to electronic discovery. At the time when this research thesis was being written, no forensic readiness model existed yet that focused on the cloud environment and that could help cloud-computing environments to plan and prepare to deal with cyber-security-related incidents. The aim of this research study is therefore to determine whether it is possible to achieve DFR in the cloud environment without necessarily having to modify the functionality and/or infrastructure of existing cloud architecture and without having to impose far-reaching architectural changes and incur high implementation costs. Considering the distributed and elastic nature of the cloud, there is a need for an easy way of conducting DFR by employing a novel software application as a prototype. In this research thesis, therefore, the researcher proposes a Cloud Forensic Readiness as a Service (CFRaaS) model and develops a CFRaaS software application prototype. The CFRaaS model employs the functionality of a malicious botnet, but its functionalities are modified to harvest digital information in the form of potential evidence from the cloud. The model digitally preserves such information and stores it in a digital forensic database for DFR purposes. The experiments conducted in this research thesis showed promising results because both the integrity of collected digital information and the constitutional and statutory conditions for digital forensic evidence acquisition have been maintained. Nevertheless, the CFRaaS software application prototype is important because it maximises the use of digital evidence while reducing the time and the cost needed to perform a DFI. The guidelines that have been used while conducting this process comply with ISO/IEC 27043:2015, namely Information Technology - Security techniques - Incident investigation principles and processes. The ISO/IEC 27043 international standard was used in this context to set the guidelines for common incident investigation processes. Based on this premise, the researcher was able to prove that DFR can be achieved in the cloud environment using this novel model. Nevertheless, the proposed CFRaaS concept prepares the cloud to be forensically ready for digital forensic investigations, without having to change the functionality and/or infrastructure of the existing cloud architecture. Several CFRaaS prototype implementation challenges have been discussed in this research thesis from a general, technical and operational point of view. Additionally, the researcher could relate the challenges to existing literature and eventually contributed by proposing possible high-level solutions for each associated challenge.