Issues Impacting Digital Forensics In The Cloud

Cloud Computing Overview

Cloud computing is a model for enabling convenient, on-demand network access to a multi-tenant pool of configurable computing resources. These resources may consist of networks, servers, storage, applications and services. The resources should be able to be rapidly provisioned and released with minimal Cloud Service Provider (CSP) interaction, based upon demand, a concept known as rapid elasticity. However, the CSP may control and optimize resources in accordance with the contracted levels of service, which are typically billed on a pay-per-use basis.

Furthermore, in terms of the geo-location of the cloud, the entity typically has no control over or knowledge of the exact location of the provided resources, though it may be able to choose a general location such as a country or state so as to reduce network latency. The CSP must also provide network access to a broad and heterogeneous array of thin or thick clients such as mobile phones, tablets, laptops, and workstations. (Mell & Grance, 2011)

Service models

Cloud computing providers typically offer their services in one of three ways. The first of the core model types is Infrastructure as a Service (IaaS), where the entity outsources its operational equipment such as storage, hardware, servers and networking components. In this model the CSP retains ownership of those resources, and the entity will typically pay on a per-use basis. Platform as a Service (PaaS) contrasts with IaaS in that infrastructure resources are sold in conjunction with hosted software applications that the entity may use to develop business solutions. While the aforementioned may seem quite similar to Software as a Service (SaaS), the distinction is that in SaaS the CSP provides pre-configured applications to the entity, such as billing systems, project management, ERP and CRM solutions, et cetera.

In Monitoring as a Service (MaaS), the CSP provides business state monitoring capabilities, such as instantaneous violation detection and system performance monitoring. (Meng & Liu, 2012) In the closely related Forensics as a Service (FaaS), we find that security as a service is being introduced to the cloud. With it, companies are delivering anti-virus solutions and making use of the massive computing power of the cloud for forensic analysis. Indeed, one major CSP, Terremark, offers forensics as a service. (Terremark, 2013) However, potential downsides to a forensic support service may be response time, which may be predicated on the Service Level Agreement (SLA), and the provider's lack of knowledge of how the entity is using the cloud to meet its business goals. (Dykstra & Sherman, 2012)

And finally, there is the catch-all X as a Service (XaaS), which encompasses the above-mentioned models (Lineage, 2011), as well as Communication as a Service (CaaS), which entails enterprise-level communications solutions such as VoIP, IM, collaboration and videoconference applications. There is also DaaS (Data, Database or Desktop as a Service); in the latter the CSP provisions a virtual desktop to a user wherever the user has Internet connectivity. (Schaffer, 2009)

Deployment Models

There are four primary means by which the cloud may be deployed. The first is the Private Cloud, which makes use of non-shared resources, as the infrastructure is operated solely for a specific entity. In this model the cloud may be on- or off-site, and may be managed by the entity or a CSP. Conversely, a Public Cloud is offered by the CSP to the general public, and as such it shares its resources. Similarly, in a Community Cloud multiple entities will share the cloud's resources; however, these entities will have a concern in common, such as their mission, compliance constraints, or other criteria. Finally, as the name connotes, a Hybrid Cloud is an amalgam of two or more deployment models that remain distinct entities but that are bound together by standardized or proprietary technology which enables data and application portability.

Cloud Virtualization Methods

Virtual Private Server (VPS)

Most CSPs implement redundancy through virtualization that is monitored and provisioned by a hypervisor, or virtual machine manager. The hypervisor in a cloud may be likened to the traditional operating system kernel; as such, the hypervisor may be prone to malicious attacks. (Ruan et al., 2011)

Due to user and vendor ambiguity about the definition of "the cloud", we may see some CSPs offering a VPS as a cloud deployment. A VPS is a single dedicated server that has been partitioned so that each partition appears as a virtual server operating in a multi-tenant hypervisor environment.

In this model, each VPS will utilize its own finite disk space, bandwidth, and operating system. As the resources of the VPS are finite, this breaks one of the key tenets of the definition of the cloud, namely that the resources must be scalable upon demand. Nonetheless, if our forensic analysis is to be conducted on a VPS-generated cloud, this may impact the techniques and methodologies we will employ.

Nested virtualization

In standard virtualization, we use the physical machine as the host for a hypervisor on which virtual machines, termed "guests", are installed. In nested virtualization, the hypervisor is itself a guest running inside a virtual environment, and it too can host virtual machines. Nested virtualization has many uses, such as architectural research, security, and cloud implementation. As an example, an IaaS provider could give a user the ability to run a user-controlled hypervisor as a virtual machine, which would allow the user to manage their virtual machines directly with their desired hypervisor. (Ben-Yehuda, 2010) Therefore, nested virtualization not only supports the ability to virtualize a hypervisor on top of another hypervisor (Jones, 2012), but it may also present a challenge to forensic analysts when they must deduce the true and accurate specifications of the suspect system.
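As an added example, not part of the original article, the following Python triage helper shows the kind of check an analyst can apply to a Linux system image to learn whether the operating system under examination is itself a virtual guest, in which case the hardware specifications it reports are those presented by a hypervisor rather than the physical machine. It reads text in the shape of /proc/cpuinfo (the "hypervisor" CPUID flag) and the vendor strings found under /sys/class/dmi/id. The sample inputs are constructed, and the list of hypervisor vendor markers is an illustrative assumption rather than an exhaustive catalogue.

```python
"""Flag indicators that an examined Linux OS is running as a virtual guest.

Added example for the forensic point above; not code from the original
article. Inputs are constructed text resembling /proc/cpuinfo and the
files under /sys/class/dmi/id (sys_vendor, product_name, bios_vendor).
"""

# DMI strings commonly exposed by hypervisors (assumption: illustrative, not exhaustive).
DMI_HYPERVISOR_MARKERS = (
    "vmware", "qemu", "kvm", "xen", "virtualbox", "innotek",
    "virtual machine", "hyper-v", "amazon ec2", "bochs", "parallels",
)


def cpuinfo_hypervisor_flag(cpuinfo_text: str) -> bool:
    """True if any 'flags' line lists 'hypervisor' (CPUID leaf 1, ECX bit 31).

    A hypervisor sets this bit for its guests; bare metal normally does not.
    """
    for line in cpuinfo_text.splitlines():
        if line.lower().startswith("flags"):
            _, _, value = line.partition(":")
            if "hypervisor" in value.split():
                return True
    return False


def dmi_hypervisor_markers(dmi: dict) -> list:
    """Return (field, value) pairs whose DMI string contains a known marker."""
    hits = []
    for field, value in dmi.items():
        lowered = value.lower()
        if any(marker in lowered for marker in DMI_HYPERVISOR_MARKERS):
            hits.append((field, value.strip()))
    return hits


def virtualization_indicators(cpuinfo_text: str, dmi: dict) -> list:
    """Combine both sources into a list of human-readable indicator strings.

    An empty list means no indicator was found; it does not prove bare metal,
    and a non-empty list says nothing about how many hypervisor layers sit
    beneath the guest (the nested-virtualization problem).
    """
    indicators = []
    if cpuinfo_hypervisor_flag(cpuinfo_text):
        indicators.append("cpuid:hypervisor flag set")
    for field, value in dmi_hypervisor_markers(dmi):
        indicators.append(f"dmi:{field}={value}")
    return indicators


# --- constructed samples standing in for a live system --------------------
GUEST_CPUINFO = """processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Generic Xeon (constructed sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep pge cmov pat sse sse2 ht nx lm hypervisor
"""
GUEST_DMI = {
    "sys_vendor": "QEMU",
    "product_name": "Standard PC (i440FX + PIIX, 1996)",
    "bios_vendor": "SeaBIOS",
}

BARE_METAL_CPUINFO = """processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Generic Xeon (constructed sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep pge cmov pat sse sse2 ht nx lm
"""
BARE_METAL_DMI = {
    "sys_vendor": "Example Hardware Co.",
    "product_name": "Rack Server 2U",
    "bios_vendor": "Example Hardware Co.",
}

if __name__ == "__main__":
    print("guest sample:", virtualization_indicators(GUEST_CPUINFO, GUEST_DMI))
    print("bare-metal sample:", virtualization_indicators(BARE_METAL_CPUINFO, BARE_METAL_DMI))
```

On a mounted image the analyst would feed the script the acquired copies of these files rather than the constructed strings. The check is deliberately conservative: it tells the analyst that the examined system's view of its hardware is virtual and should not be recorded as the physical specification, but, as the paragraph above notes, it cannot reveal how deep the virtualization stack goes.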