
Computers and Electrical Engineering


Forensics framework for cloud computing

M. Edington Alex a, R. Kishore b

a Department of Information Technology, Rajalakshmi Engineering College, Chennai, India

b Department of Electronics & Communication Engineering, SSN college of Engineering, Chennai, India

Article info

Article history: Received 14 June 2016; Revised 6 February 2017; Accepted 6 February 2017; Available online xxx

Keywords: Cloud computing; Cloud forensics; Digital forensics; Cloud forensics model; Cloud forensics challenges; Forensic solutions

Abstract

The popularity of cloud computing has been on the rise in recent years, as cloud resources are not only shared by many users but can be allocated on demand. A recent survey reports success of the cybercriminals in using cloud computing technology for fraudulent activities, due to its essential characteristics and the lack of suitable digital forensic techniques for the cloud environment. While mitigating cloud crime, investigators face several challenges and issues dealing with cloud forensics. In this paper, the challenges faced by forensic investigators are highlighted. Most of the research work deals with the identification of challenges in cloud forensics, and the proposed solutions reported in literature depend on the Cloud Service Provider (CSP) for forensic investigation. The dependence on CSP includes the collection of data for the forensics process and there may be a chance of altering data that affects the entire investigation process. For mitigating the dependency on CSP, a new model for collecting forensic evidence outside the cloud environment is developed.

© 2017 Elsevier Ltd. All rights reserved.

1. Introduction

1.1. Cloud forensics

National Institute of Standards and Technology (NIST) [1] defines cloud computing as “Cloud computing forensic science is the application of scientific principles, technological practices and derived and proven methods to reconstruct past cloud computing events. This is done through identification, collection, preservation, examination, and interpretation and reporting of digital evidence”. Ruan et al. [2] have defined cloud forensics as “the application of digital forensic science in cloud environments as a subset of network forensics”, as shown in Fig. 1. Here, the authors highlight the significance of cloud forensics in three different aspects, namely, technical, organizational and legal. Technical aspects are engaged in forensic tools, mechanisms, and procedures. Organizational aspects incorporate the interaction between cloud actors for forensic investigation. Legal aspects deal with multi-jurisdictional and multi-tenant situations. The authors also identify cloud forensics as an associate of cloud computing and digital forensics.

Reviews processed and recommended for publication to the Editor-in-Chief by Guest Editor Dr. M. D. Selvaraj.

Corresponding author.


http://dx.doi.org/10.1016/j.compeleceng.2017.02.006 0045-7906/© 2017 Elsevier Ltd. All rights reserved.


Fig. 1. Cloud forensics [2].

Fig. 2. NIST cloud model [3].

1.2. Cloud computing

The term cloud computing means sharing of computer resources among different users. As per NIST [3] “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”. The cloud model consists of five essential characters, namely, on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service, and three service models, namely: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), and four deployment models such as Public Cloud, Private Cloud, Hybrid Cloud, Community Cloud [3] as depicted in Fig. 2.

1.3. Digital forensics

Digital Forensics refers to “an applied science to identify an incident, collection, examination, and analysis of evidence data” [1]. The different phases of digital forensics are:

Identification: Two major steps are involved in this phase, i.e. identification of malicious activity and isolating the evidence towards malicious activity.

Collection: Evidences related to the malicious activity from different digital media are collected and the integrity of the evidence is maintained.

Organization: In this phase, the examiner investigates the collected evidence which forms the examination phase and all identified evidence are correlated in the context of the malicious activity.

Presentation: The investigator produces an organized report to the jury in the context of his investigation towards the case.

Fig. 3. Access control to the service models [23].

The rest of the paper is organized as follows. Challenges faced in cloud forensics are discussed in Section 2. The various relevant solutions in the literature are highlighted in Section 3. The limitation in current solutions and the proposed solution for mitigating those challenges are discussed in Section 4. Experimental setup for the proposed work and the inferences are depicted in Sections 5 and 6 respectively. Finally, conclusions are discussed in Section 7.

2. Challenges in cloud forensics

2.1. Data acquisition

This is the fundamental and vital step in the forensic procedure. Any flaw in this phase is passed on to the successive phases, resulting in transformation of the course of the investigation process. In digital forensics, investigators get hold of the affected computer (digital equipment) and carry out the investigation process by applying forensic principles in search of evidence towards malicious activity, to ensure no alteration in the evidence. But, in cloud forensics, grabbing the equipment is infeasible owing to the multi-tenancy and remote nature of cloud computing. Birk [4] indicates that the evidence may be in three different states in cloud, namely, at rest, in motion, and in execution. This will complicate the data acquisition compared to traditional forensics. Some of the challenges faced by the investigators towards data acquisition in a cloud environment are as follows.

2.1.1. Physical inaccessibility

Evidences are scattered and saved in different locations due to the significant characteristics of cloud. This leads to inaccessibility towards the collection of data and affects the data acquisition process.

2.1.2. Less control in cloud

In cloud, both users and investigators have restricted access; unlike in digital forensics, seizing of digital equipment is uncertain in the cloud. This complicates the data acquisition process in the cloud environment. The access control to the cloud varies by service models as shown in Fig. 3.

Only logs related to the application can be accessed by the investigator in the SaaS and PaaS models. In PaaS, application can be built by customers for getting certain additional forensics information compared to SaaS model, which has very limited access. Customers can move up to the operating system level in the IaaS model. IaaS has more privileges compared to the other two models. Even though access control is available for various levels in the cloud, forensics investigators have to anticipate Cloud Service Provider (CSP) for collecting data. J. Dykstra and A. Sherman quote the data acquisition problem by a hypothetical case study of child pornography [5]. In this case study, the authors have addressed the warrant issue, i.e. the location must be specified in the warrant, but the data is scattered and stored in various locations in the cloud. A cloud server cannot be seized by the investigator despite reaching the location due to its multi-tenant nature.

2.1.3. Volatile data

Virtual Machines (VM) are used by service providers for provisioning their customers. In this VM, volatile data like registry entries or temporary internet files will be lost if it is not synchronized with storage devices like Amazon S3, i.e. all information in VM is erased when VM gets restarted or shut down [6].

2.1.4. Trust issue

Another serious problem is the dependence on the third party for collecting evidence in the cloud [8]. This issue is pointed out in a child pornography case after a search warrant was issued. The investigator needs an internal staff to assist him in collecting data. Sometimes this person may be from the same CSP or may not be a certified investigator and this may affect the integrity of data to be produced in law.

2.1.5. Multi-tenancy

In cloud computing, different clients share individual resources. While acquiring evidence from cloud, two issues are addressed by the investigator. To start with, he has to prove that the extracted data is not mingled with other’s data and has to maintain the integrity of the other user’s data.

2.2. Logging

Analysis of logs is the first step in digital forensics. The logs may be process logs, application logs, system logs or network logs. These are the key for the investigation process, but getting this log data from the cloud is a crucial one. Several challenges that are recognized while obtaining logs are as follows [7–9].

2.2.1. Decentralization

In cloud, the logs are spread all over the network. Due to this phenomenon, the gathering of logs from various sources becomes difficult for cloud investigators.

2.2.2. The volatility of logs

Virtual Machines are used by CSPs for providing service to their customers. In the case of VMs, the volatile data like temporary internet files, registry data is completely lost once VM gets restarted or shut down.

2.2.3. Accessibility of logs

There is no procedure or method for accessing logs in distinct places and the logs are used for troubleshooting, debugging, etc.

2.3. Dependence on CSP

Logs are collected and stored at CSP premises requiring the need for the investigators and the users to depend on CSPs for accessing network logs and server logs. In this point, CSP may tamper logs.

2.4. Chain of custody

Chain of custody is “the chronology of the ownership, custody or location of a historical object, document or group of documents” [10]. This is one of the most significant issues in forensic investigation, clearly indicating when and how the evidence was collected, analyzed, organized and presented in court [11]. Application of this procedure in digital forensics is easier than that of cloud forensics since seizing of equipment is possible in digital forensics. In the case of cloud forensics, this is not applicable because of its multi-jurisdictional laws and procedures. Hence a chain of custody produces many challenges [12,13] in cloud forensics. In a hypothetical case study of compromised cloud-based website, J. Dykstra and A. Sherman have highlighted the access available for multiple users to evidence. So, investigators have to depend on CSP for acquiring the chain of custody [5]. Birk et al. queried the reliability of hypervisor for a chain of custody [4].

2.5. Crime scene reconstruction

Crime scene reconstruction is infeasible in a cloud environment as data in VM gets erased completely when VM gets power off or rebooted [14].

2.6. Cross border law

Data centers afforded by cloud providers are distributed worldwide, so the cross-border law is an important issue in cloud forensics. The investigation process should be carried under the laws in the specific jury, whereas the measures for preserving data and chain of custody differ according to the jury and the entire investigation process will be affected by the cross-border law.

2.7. Law presentation

Presentation under jury is the final step in both digital and cloud forensics. In a cloud environment, thousands of VMs run in cloud data centers and hundreds of users are accessing simultaneously. This creates a more serious challenge in cloud forensics than in digital forensics [14].

3. Related works

This section highlights the various solutions discussed by researchers for mitigating the challenges in cloud forensics.

Dykstra et al. [5] have projected the use of cloud management plane in IaaS model. In this model cloud users and investigators have to trust the management plane to obtain data for investigation. Management plane in cloud premises makes the investigation process complex, but it mitigates the dependence of CSP.

Birk et al. [6] have recommended the use of application programming interface (API) to enable access log information to customers by read-only API, and the customer can provide information for the forensic investigation. Trusted third party issue was solved by this solution since customers are directly involved in continuous synchronization. But the dependency of CSP still exists and the authors have also suggested the encryption of logs before sending to the API for defending external breaches.

Marty [9] has suggested some guidelines for gathering logs which are used for forensics investigation. The author proposed a logging framework to solve logging issues that help in developing business oriented log framework which will be used by various IT professionals. SaaS model gets benefited by this framework.

Dykstra et al. [15] have offered a six layer trust model for mitigating the dependency of CSP and to preserve the trust. In this model, investigators have to trust resultant layers alone. IaaS model gets benefited from this model. Trust in individual layers and PaaS model is not discussed.

Wolthusen [16] suggests interacting evidence presentation and visualization mechanism for mitigating the dependence on CSP by granting confidence and trust. This model depends on CSP for getting access to the collected data as it is operated within the cloud and works for IaaS and PaaS models.

Zafarullah et al. [17] have proposed a solution inside cloud premises in IaaS model for getting OS logs and security logs. In this solution, distributed denial of service (DDoS) attack is launched in a Eucalyptus environment. The service type and attacking machine IP are identified by logs in the Eucalyptus. Dependence on CSP still exists since the solution is implemented inside the cloud premises. The authors conclude that the CSPs have to adopt a new mechanism for taking cloud forensics to a new extent.

Biggs et al. [18] have presented a universal law called global unity solution for cloud forensics investigation. This solution facilitates the investigation process, which solves Cross-Border law issue. For implementing this solution, all cloud providers have to adopt global unity solution.

Shah et al. [19] have highlighted the challenges and a possible malicious activity in cloud computing. The authors propose a three-layer architecture for cloud forensics. In this approach, the investigator has to depend on CSP for getting data.

Khorshed et al. [20] have highlighted the major threats in cloud computing and proposed a Support Vector Machine (SVM) technique performance based on kernels. They have created an attack set and compared it with other convenient machine learning techniques. Possible threats in the cloud are identified by this model, but predefined attacks are alone detected by this method.

Hale [21] has highlighted digital artifacts and procedures for forensic investigation that have to be followed by the investigator in Amazon cloud. Dependence on CSP exists for collecting evidence for the investigation.

Ruan et al. [22] have suggested the necessary things to be focused on cloud computing after conducting a survey over 257 respondents. Definition of cloud computing, cloud forensics, the significance of cloud, challenges, and opportunities of cloud forensics and research directions are included in this survey. Forensics as a Service is suggested by 55% of respondents and recommended by 87% of respondents.

4. Proposed solution

All previously identified solutions can be implemented only in cloud premises and investigators must depend on CSP for collecting forensic data for investigation. To overcome these limitations the proposed solution is implemented outside the cloud premises.

The proposed solution addresses the data collection issues discussed in literature by introducing a centralized forensic server and a forensic layer called forensic monitoring plane (FMP) outside the cloud Infrastructure, after obtaining permission from the international telecommunication union (ITU). So, the investigators need not depend on the CSP for collecting data.

The proposed model [24] for cloud forensics is shown in Fig. 4.1, where forensic monitoring plane (FMP) and forensic server are introduced for enhancing cloud forensics. The forensics tool such as forensic toolkit (FTK) analyzer, E-Detection running at the top of the FMP will monitor entire inbound and outbound connections in a cloud environment and the monitored data are forensically imaged (i.e.) bit by bit stream encryption and is stored in separate forensics server which is located in cybercrime premises. The forensic tool also monitors the actions of cloud service models. The tool automatically acquires a forensic image of a current state in cloud service models which include VM and stores it in separate forensics server.

Hence all the actions, including network traffic in the specific cloud are forensically imaged whenever an event occurs, or the request processed in the cloud is acquired and is again encrypted and stored in the forensic server to enable reduction in the trust amount on CSP. The forensically imaged data is unaltered since bit by bit stream imaging is done during the forensic image process. The captured forensic images are not raw data and can be processed only through forensics tools. Network logs are also acquired from adjacent network devices (routers) and are imaged in forensics server that will give high proof for finding out the attacker.

In the case of any malicious activity, the investigator can directly log into the forensic server with their user credentials and can acquire forensic data within a time frame of the event. Meanwhile, upon suspicion, the investigator can request data from CSP and can verify it with the data obtained from the forensic server. Forensic tools are running in the forensic server, and it takes the forensic image of the forensic server in the case of any unexpected event since there is also a chance of a suspect logging as a forensic investigator and tamper the data. The sequence of operation in our proposed model is depicted in the Fig. 4.2 by a sequence diagram for better understanding.

Fig. 4.1. Proposed model for cloud forensics.

Fig. 4.2. Sequence diagram for proposed model.

Steps involved in the proposed model:

The client initiates the request to the cloud service provider.

The request and response are intercepted by FMP monitoring tool which forwards the request to the server and the response to the client, and at the same time, it forensically images the request and saves it in the forensic server.

Forensic investigator logs into the forensic server for analyzing the evidence collected.

Actions in the forensic server also get forensically imaged and saved in the forensic server. If the investigator suspects the CSP, he initiates the request for evidence sources from CSP and compares with one another, and hence the integrity of the collected data also gets verified.

From the proposed solution, it is evident that dependence on CSP for acquiring data is reduced. The logging challenge is also reduced by storing log files separately in a centralized manner. The new proposed forensic model will take cloud forensics to the next level.
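One way to realise the forensic-server side of the steps above, shown as an added example and not the authors' implementation: every captured request and every investigator access is appended to a hash-chained log, and the stored digests are compared with the data later obtained from the CSP. The hash chain, the event_id assumed to be shared between the FMP and the CSP, all class and function names, and the sample traffic are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor value for the first record in the chain
FIELDS = ("seq", "kind", "actor", "ts", "event_id", "payload_sha256")


def _link(prev_hash, body):
    """SHA-256 over the previous record's hash plus this record's canonical JSON."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


class ForensicStore:
    """Append-only evidence log on the forensic server (hypothetical design)."""

    def __init__(self):
        self.records = []

    def append(self, kind, actor, ts, event_id, payload):
        body = {
            "seq": len(self.records),
            "kind": kind,  # "request", "response" or "custody"
            "actor": actor,
            "ts": ts,
            "event_id": event_id,  # assumed to be known to both FMP and CSP
            "payload_sha256": hashlib.sha256(payload).hexdigest(),
        }
        prev = self.records[-1]["hash"] if self.records else GENESIS
        self.records.append(dict(body, prev=prev, hash=_link(prev, body)))
        return self.records[-1]

    def read(self, investigator, ts, seq):
        """Investigator access is itself recorded as a custody entry."""
        self.append("custody", investigator, ts,
                    self.records[seq]["event_id"], b"read seq=%d" % seq)
        return self.records[seq]

    def first_broken_link(self):
        """Return -1 if the chain is intact, else the index of the first bad record."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: rec[k] for k in FIELDS}
            if rec["seq"] != i or rec["prev"] != prev or rec["hash"] != _link(prev, body):
                return i
            prev = rec["hash"]
        return -1


def compare_with_csp(store, csp_payloads):
    """Classify each captured event against the bytes the CSP produced for it."""
    report = {"match": [], "altered": [], "missing_at_csp": []}
    for rec in store.records:
        if rec["kind"] == "custody":
            continue
        data = csp_payloads.get(rec["event_id"])
        if data is None:
            report["missing_at_csp"].append(rec["event_id"])
        elif hashlib.sha256(data).hexdigest() == rec["payload_sha256"]:
            report["match"].append(rec["event_id"])
        else:
            report["altered"].append(rec["event_id"])
    return report


def demo():
    # Constructed sample traffic; addresses are from documentation ranges.
    store = ForensicStore()
    req1 = b"GET /index.php HTTP/1.1\r\nHost: cloud.example\r\n\r\n"
    req2 = b"GET /login.php HTTP/1.1\r\nHost: cloud.example\r\n\r\n"
    req3 = b"GET /files HTTP/1.1\r\nHost: cloud.example\r\n\r\n"
    store.append("request", "198.51.100.7", "2017-02-06T10:00:01Z", "ev-1", req1)
    store.append("request", "198.51.100.7", "2017-02-06T10:00:02Z", "ev-2", req2)
    store.append("request", "203.0.113.9", "2017-02-06T10:00:03Z", "ev-3", req3)
    store.read("investigator-01", "2017-02-07T09:00:00Z", 1)

    # What the CSP hands over: ev-2 differs from the capture, ev-3 is absent.
    csp = {"ev-1": req1, "ev-2": req2.replace(b"login", b"logon")}
    report = compare_with_csp(store, csp)
    intact = store.first_broken_link()

    # Simulate someone editing a stored record after the fact.
    store.records[0]["actor"] = "192.0.2.1"
    return report, intact, store.first_broken_link()


if __name__ == "__main__":
    print(demo())
```

The chain only makes edits detectable; it does not stop someone with write access from rebuilding the whole log, so the latest hash would have to be anchored somewhere the forensic server's administrators cannot reach.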

5. Experimental setup

A virtual prototype was created for this research work in the lab with four systems which include cloud server (own cloud), forensic management plane (FMP), agent system, i.e. compromised system in that network, and master system (Original Attacker), which is shown in Fig. 5. Here FMP is validated by initiating distributed denial of service (DDoS) attack and verified that all necessary information is captured in CMP. The DDoS attack setup is assumed to be working as a Master-Handler system which includes an agent system in the network. The attacker places an HTTP DDoS attack code on the agent and commands the agents through a remote connection, for launching an attack on the victim cloud server. Although the scale of the prototype is small, it does bring the essential architecture of DDoS attack. We used our attack launch code as well as DDoS tools such as sprut [25] to bring down the server.

Fig. 5. Prototype setup.

Fig. 6.1. Server logs- owncloud.

6. Results and discussions

Forensics procedure starts with tracing back from server logs in the cloud server. The attack time is the main clue for tracing the attacker, but server logs are located within the cloud service provider and the proposed model collects the entire evidence outside the cloud environment. So, a remote log analyzer is used for capturing logs from the server and packet sniffer is used to collect information in FMP. During verification of data collected in FMP, server logs identify similar IP addresses at the time of the attack. This is shown in Fig. 6.1.
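The verification described above, as an added example that is not part of the paper: request bursts are found in the server's access log and each one is then checked against packets recorded by the FMP for the same source and time window. The Apache-style log format, the window and threshold values, the packet record layout, the function names, and all sample data are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Apache-style common log format is an assumption; the paper does not name one.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_access_log(lines):
    """Yield (epoch_seconds, source_ip) per well-formed line; skip malformed ones."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group("ts"), TS_FMT)
        except ValueError:
            continue
        yield int(ts.timestamp()), m.group("ip")


def flood_windows(events, window_s=10, threshold=5):
    """Count requests per (ip, fixed window); keep buckets at or above threshold."""
    buckets = Counter()
    for epoch, ip in events:
        buckets[(ip, epoch - epoch % window_s)] += 1
    return {key: n for key, n in buckets.items() if n >= threshold}


def corroborate(suspects, fmp_packets, server_ip, window_s=10):
    """Check each suspect window against packets captured outside the cloud."""
    findings = []
    for (ip, start), hits in sorted(suspects.items()):
        seen = sum(
            1 for p in fmp_packets
            if p["src"] == ip and p["dst"] == server_ip
            and start <= p["epoch"] < start + window_s
        )
        findings.append({
            "ip": ip,
            "window_start": datetime.fromtimestamp(start, timezone.utc).isoformat(),
            "server_log_hits": hits,
            "fmp_packets": seen,
            "corroborated": seen > 0,
        })
    return findings


def demo():
    # Constructed sample data; all addresses come from documentation ranges.
    server_ip = "192.0.2.10"
    line = '{ip} - - [06/Feb/2017:10:15:{s:02d} +0000] "GET /index.php HTTP/1.1" 200 512'
    server_log = (
        [line.format(ip="198.51.100.23", s=s) for s in range(0, 6)]      # burst
        + [line.format(ip="198.51.100.99", s=s) for s in range(20, 25)]  # burst
        + [line.format(ip="203.0.113.50", s=s) for s in (3, 41)]         # normal user
        + ["corrupted line without the expected fields"]
    )

    def epoch(s):
        return int(datetime(2017, 2, 6, 10, 15, s, tzinfo=timezone.utc).timestamp())

    # The FMP capture holds the first burst and the normal user, nothing from .99.
    fmp_packets = (
        [{"epoch": epoch(s), "src": "198.51.100.23", "dst": server_ip} for s in range(0, 6)]
        + [{"epoch": epoch(s), "src": "203.0.113.50", "dst": server_ip} for s in (3, 41)]
    )
    suspects = flood_windows(parse_access_log(server_log))
    return corroborate(suspects, fmp_packets, server_ip)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A burst that appears in the server log but has no matching packets in the outside capture is the case to escalate: either the capture has a gap or the log inside the provider's premises does not reflect what crossed the network.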

Further analysis on the captured packet shows HTTP packets flooded towards the cloud server and PsExec service was executed as shown in Fig. 6.2. Tracing agent from the victim is carried out by some existing IP traceback mechanism. The focus is to trace back to the origin of the attack.

Upon successfully locating the agent system, the use of DDoS attack is identified. When the search is carried out on the basis of the time of attack in the event logs, PsExec application is found running on the agent that correlates with an attack time. This is shown in Fig. 6.3. The event logs in agents do not disclose any explicit information about the master-handler.

Event logs reveal only the name of the process related to attack time and are insufficient for tracing master. Further analysis on agent using forensics toolkit analyzer (FTK) reveals the file which uses PsExec service, and it is highlighted in the Fig. 6.4.

Fig. 6.2. FMP-data.

Fig. 6.3. Agent – event logs.

Fig. 6.4. Agent FTK.

Fig. 6.5. FMP – master to agent (attack initiation).

The earlier investigation indicates that PsExec service was started during the attack time as shown in Fig. 6.3, but an in-depth analysis on agent system using forensic toolkit (FTK) confirms that agent system is used for attacking the server and is controlled remotely as shown in Fig. 6.4.

Further analysis of network log collected in FMP indicates that PsExec service was started remotely by remote user as highlighted in the Fig. 6.5. Analysis on CMP data clearly indicates that the source of the remote process is not the agent system but the attack code is launched remotely from the agent. Even though the investigation has collected enough evidence against the agent and master of the attack, it reveals little information about the master system. On further analysis of FMP network logs, the master placing attack codes in the agent system can be identified as depicted in Fig. 6.6.

Fig. 6.6. Master placing attack (dos.bat) file.

Fig. 6.7. Event logs – master.

For creating additional evidence against the master, the investigator moves into event logs in the master as done in the agent system and it indicates that PsExec service is started which correlates with attack scenario as shown in Fig. 6.7.

Further analysis on the master system using FTK analyzer reveals the attack code used for initializing the agent code that attacks the server. This creates additional evidence against the master, leading to the investigator’s conclusion that the corresponding master is the original attacker. This is depicted in Fig. 6.8.

Fig. 6.8. FTK analysis - master.

7. Conclusions and future work

The need for cloud forensics is on the rise, because of its rapid growth in cloud computing and due to the possibility of cloud-related crime occurring in the digital world. There are many challenges in cloud forensics and only a few researchers have addressed these challenges. In this paper, the challenges faced in cloud forensics and corresponding solutions addressed by the researchers have been highlighted in depth. A new model for mitigating the challenges in cloud forensics has been proposed and validated with DDoS attack to check whether the proposed FMP collects all necessary information related to fraudulent activities required for forensics analysis. In future, the entire attack scenario will be modeled inside the cloud environment for checking whether the proposed FMP collects all necessary information related to fraudulent activities. On completion, other modules in the proposed solution will be implemented.

References

[1] Kent K, Chevalier S, Grance T, Dang H. Guide to integrating forensic techniques into incident response. NIST Special Publication; August 2006. p. 800–86.

[2] Ruan K, Carthy J, Kechadi T, Crosbie M. Cloud forensics. IFIP advances in information and communication technology advances in digital forensics January 2011;vol. 361:35–46.

[3] Mell PM, Grance T. SP 800-145. The NIST definition of cloud computing. Gaithersburg, MD: National Institute of Standards & Technology; September 2011.

[4] Birk D. Technical challenges of forensic investigations in cloud computing environments. In: Workshop on cryptography and security in clouds, March; 2011. p. 1–6.

[5] Dykstra J, Sherman A. Understanding issues in cloud forensics: two hypothetical case studies. J Network Forensics 2011;b(3):19–31.

[6] Birk D, Wegener C. Technical challenges of forensics investigation in cloud computing environment. In: Proceedings of the 6th international workshop on systematic approaches to digital forensic engineering (SADFE); May 2011. p. 1–10.

[7] Guo H, Jing B. Forensic investigations in cloud environments. In: International conference on computer science and information processing (CSIP); 2012. p. 248–51.

[8] Ludwig Slusky MD, Partow-Navid P. Cloud computing and computer forensics for business applications. J Technol Res July 2012;3:1.

[9] Marty R. Cloud application logging for forensics. In: Proceedings of the 2011 ACM symposium on applied computing. ACM; 2011. p. 178–84.

[10] http://en.wikipedia.org/wiki/Chain_of_custody (accessed on 12/5/2014).

[11] Vacca JR. Computer forensics: computer crime scene investigation. Charles River Media, Inc.; 2002.

[12] Taylor M, Haggerty J, Gresty D, Hegarty R. Digital evidence in cloud computing systems. Comput Law Secur Rev 2010;26(3):304–8.

[13] Grispos G, Storer T, Glisson WB. Calm before the storm: the challenges of cloud. In: Emerging digital forensics applications for crime detection, prevention, and security, vol.4; 2013. p. 28–48.

[14] Reilly D, Wren C, Berry T. Cloud computing: pros and cons for computer forensic investigations. Int J Multimedia Image Process 2011;1(March (1)):26–34.

[15] Dykstra J, Sherman AT. Acquiring forensic evidence from infrastructure-as-a-service cloud computing: exploring and evaluating tools, trust, and techniques. Digital Invest 2012;9(Supplement):S90–8.

[16] Wolthusen S. Overcast: forensic discovery in cloud environments. In: Proceedings of the fifth international conference on IT security incident management and IT forensics (IMF). IEEE; 2009. p. 3–9.

[17] Zafarullah, Anwar F, Anwar Z. Digital forensics for eucalyptus. In: Frontiers of information technology (FIT). IEEE; 2011. p. 110–16.

[18] Biggs S, Vidalis S. Cloud computing: the impact on digital forensic investigations. In: Proceedings of the international conference for internet technology and secured transactions, ICITST. IEEE; 2009. p. 1–6.

[19] Shah JJ, Malik LG. An approach towards digital forensic framework for cloud. In: IEEE international advance computing conference (IACC); 2014. p. 798–801.

[20] Khorshed MT, Ali ABM, Wasimi SA. A survey on gaps, threat remediation challenges and some thoughts for proactive attack detection in cloud computing. Future Gen Comput Syst 2012;28(June (6)):833–51.

[21] Hale JS. Amazon cloud drive forensic analysis. Digital Invest 2013;10(3):259–65.

[22] Ruan K, Carthy J, Kechadi T, Baggili I. Cloud forensics definitions and critical criteria for cloud forensic capability: an overview of survey results. Digital Invest 2013;10:34–43.

[23] Almulla S, Iraqi Y, Jones A. Cloud forensics: a research perspective. In: Innovations in information technology (IIT), 2013 9th international conference on, 17-19 March; 2013 66,71.

[24] Alex ME, Rajendiran K. Forensic model for cloud computing: an overview. In: IEEE international conference on wireless communications, signal processing and networking (WiSPNET) 23-25 March; 2016. p. 1334–8.

[25] http://ihackers.co/sprut-dos-tool-dos-attack-tool/ (accessed on 12/5/2014).

Edington Alex. M graduated from Francis Xavier Engineering College in Information Technology. He obtained his Master degree in Computer and Communication from SSN College of Engineering, Chennai, during the year 2011. At present he is working as Assistant Professor at Rajalakshmi Engineering College, Chennai. Research interests include Cloud forensics, digital forensics, cloud computing, network security, digital forensics and cryptography.

Kishore Rajendiran graduated from Madras University, in Electronics and Communication Engineering. He obtained his Master degree in Communication Systems from Pondicherry Engineering College and Ph.D. from Anna University, Chennai. At present he is working as Associate Professor in the Department of ECE, SSN College of Engineering, Chennai. He has 15 years of teaching experience. His research interest includes security issues, Cloud computing.
