Forensic evidence isolation in clouds

Cloud computing is gaining acceptance and also increasing in popularity. Organisations often rely on cloud resources as an effective replacement for their 'in-house' computer systems. In the cloud, virtual resources are provided from a larger pool of resources, these resources being availab...


Bibliographic Details
Main Author: Delport, Waldo
Other Authors: Olivier, Martin S.
Language: en
Published: University of Pretoria 2014
Online Access: http://hdl.handle.net/2263/33490
Delport, L 2013, Forensic evidence isolation in clouds, MSc dissertation, University of Pretoria, Pretoria, viewed yymmdd <http://hdl.handle.net/2263/33490>
Subjects: Digital forensics; Cloud computing; Digital forensics process; Isolation; UCTD; C14/4/60/gm
E-mail: wdelport@cs.up.ac.za

Description:

Cloud computing is gaining acceptance and also increasing in popularity. Organisations often rely on cloud resources as an effective replacement for their 'in-house' computer systems. In the cloud, virtual resources are provided from a larger pool of resources, these resources being available to multiple different clients. When something suspicious happens within a digital environment, a digital forensic investigation may be conducted to gather information about the event. When conducting such an investigation, digital forensic procedures are followed. These procedures involve the steps to be followed to aid in the successful completion of the investigation. One of the possible steps that may be followed involves isolating possible evidence in order to protect it from contamination and tampering.

Clouds may provide a multi-tenancy solution across multiple geographical locations. When conducting an investigation into physical equipment, the equipment may be isolated. This may be done, for example, by placing a cell phone in a Faraday bag in order to block signals or unplugging a computer's network cable to stop the computer from either sending or receiving of network traffic. However, in the cloud it may not be applicable to isolate the equipment of the cloud because of the multi-tenancy and geographically separated nature of the cloud. There is currently little research available on how isolation can be accomplished inside the cloud environment. This dissertation aims at addressing the need for isolation on the cloud by creating new methods and techniques that may be incorporated into an investigation in order to isolate cloud resources.

Isolation can be achieved by moving the unnecessary evidence to a different location and retaining the required evidence, or by moving the required evidence in such a manner that the evidence would not be contaminated. If isolated evidence were to be moved to a digital forensic laboratory, the question arises as to whether it would be possible to create such a laboratory on the cloud, utilise the benefits of cloud computing and enable the investigation to be conducted on the cloud without moving the isolated evidence from the cloud.

The dissertation will develop various models of isolation. These models are then tested in experimental conditions. The experiments were conducted on Nimbula Director 1.0.3 and VMware vSphere 5.0. The models were successfully applied in the experiments. It was found that investigations could benefit from the use of the proposed models for isolation. However, the experiments also highlighted that some of the models are not applicable or that a combination should be used. The experiments also indicated that the methods to be used would depend on the circumstances of the investigation. A preliminary "cloud laboratory" was designed and described in terms of which a digital forensic laboratory can be created on the cloud resources, thus enabling an investigation to be conducted inside the cloud environment.

Notes: Dissertation (MSc)--University of Pretoria, 2013. Computer Science. unrestricted.
Dates: 2014-02-18T06:47:45Z; 2014-02-18T06:47:45Z; 2014-04-11; 2013
Type: Dissertation
Rights: © 2013 University of Pretoria. All rights reserved. The copyright in this work vests in the University of Pretoria. No part of this work may be reproduced or transmitted in any form or by any means, without the prior written permission of the University of Pretoria.
Collection: NDLTD